© 2014 IBM Corporation
Logistics

This tech talk is being recorded. If you object, please hang up and leave the webcast now.
We'll post a copy of the slides and a link to the recording on the Guardium community tech talk wiki page: http://ibm.co/Wh9x0o
You can listen to the tech talk using the audiocast and ask questions in the chat to the Q and A group.
We'll try to answer questions in the chat or address them at the speaker's discretion.
– If we cannot answer your question, please do include your email so we can get back to you.
When the speaker pauses for questions:
– We'll go through the existing questions in the chat
Reminder: Guardium Tech Talks

A link to more information about this and upcoming tech talks can be found on the InfoSphere Guardium developerWorks community: http://ibm.co/Wh9x0o
Please submit a comment on this page for ideas for tech talk topics.

Next tech talk: Getting Started with InfoSphere Guardium Vulnerability Assessment
Speakers: Ian Schmidt and Louis Lam
Date & Time: Thursday, May 8th, 2014, 11:30 AM Eastern Time (60 minutes)
Register here: http://bit.ly/1l9Abs3
New!!! Regional user groups this year

For registration links, ask your IBM rep or visit the Events Calendar on the InfoSphere Guardium community on developerWorks.
Agenda

The REST API – An Introduction
Use Cases and Examples
– Datasource & Group
– Reports
– Groups and Policy Install
– Risk Model
Security and Operational issues
restAPI

What is REST?
– A stateless architecture that runs over HTTP
– REST = REpresentational State Transfer
– http://en.wikipedia.org/wiki/Representational_state_transfer
Why expose information via REST?
– Many newer applications use REST: mobile, social, and applications that automate business processes
– Guardium has always tried to leverage existing infrastructure to help integrate our products, to make them easier to deploy and provide higher value for our customers
How does it work?
– Leverages existing technologies: HTTP, XML, etc.
– Uniform Resource Identifiers (URIs), e.g. https://10.10.9.239:8443/restAPI/datasource
– REST has a limited number of operations (GET, POST, PUT & DELETE = verbs)
Guardium's Implementation of REST

1. Register the application (only once) and get a client secret
2. Store the client secret in a secure place
3. Request an access token for authorization
4. Store the access token so the grdAPI command will be authenticated properly
5. Use the access token to submit grdAPI commands

Diagram: message flow between the client application and the Guardium appliance
1. Use grdAPI to register the application (CLI)
2. Save the response, which contains the "client secret"
3. Send a request for an "Access Token" with the client secret (HTTPS with REST)
4. Save the response, which contains the "Access Token"
5. Send grdAPI commands with the authorized "Access Token" (HTTPS with REST)
Spreadsheet as a tool for restAPI
REST with Guardium…

HTTP has a vocabulary of operations (request methods):
– GET (pass parameters in the URL)
– POST (pass parameters in a JSON object)
– PUT (pass the parameters to change as a JSON object)
– DELETE (pass parameters as a JSON object)

grdAPI's list_datasourcename_by_name (parameters: ?name="MSSQL_1")
– -X GET https://10.10.9.239:8443/restAPI/datasource/?name="MSSQL_1"
create_datasource
– -X POST https://10.10.9.239:8443/restAPI/datasource
update_datasource_by_name – JSON object '{password:guardium}'
– -X PUT -d '{password:guardium, name:"MSSQL_1"}'
delete_datasource_by_id – JSON object '{"id":20020}'
– -X DELETE -d '{"id":20020}'

RestAPI vs GrdAPI: GET = List, POST = Create, PUT = Update, DELETE = Delete
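The verb mapping above, and the five-step token flow on the previous slide, can be captured in a small client. The following is an added example written for this page, not code from the IBM presentation or from Guardium: it builds the same request shapes the slides show (parameters in the URL for GET, a JSON object in the body for POST/PUT/DELETE, a Bearer token in the Authorization header) and parses the {"ID": ..., "Message": "ID=...\n"} reply. The transport is injectable so it runs offline; the host, token, IDs and the list reply are constructed sample values.

```python
"""Minimal Guardium restAPI client that maps grdAPI verbs onto HTTP methods.

Added example; not code from the IBM presentation. The transport is
injectable so the example runs offline; the host, token and IDs below are
constructed sample values, not real appliance data.
"""
import io
import json
import urllib.parse
import urllib.request

# RestAPI vs GrdAPI (from the slides): GET = List, POST = Create, PUT = Update, DELETE = Delete
VERB_TO_METHOD = {"list": "GET", "create": "POST", "update": "PUT", "delete": "DELETE"}


class GuardiumRestClient:
    def __init__(self, base_url, access_token, opener=urllib.request.urlopen):
        self.base_url = base_url.rstrip("/")
        self.token = access_token
        self._open = opener  # anything that behaves like urllib.request.urlopen

    def build_request(self, verb, resource, params):
        """Build the urllib Request for a grdAPI-style call on a REST resource."""
        method = VERB_TO_METHOD[verb]
        url = f"{self.base_url}/restAPI/{resource}"
        body = None
        if method == "GET":
            # list operations pass their parameters in the URL (percent-encoded)
            url += "?" + urllib.parse.urlencode(params)
        else:
            # create/update/delete pass their parameters as a JSON object
            body = json.dumps(params).encode("utf-8")
        req = urllib.request.Request(url, data=body, method=method)
        req.add_header("Authorization", "Bearer " + self.token)
        req.add_header("Content-Type", "application/json")
        return req

    def call(self, verb, resource, **params):
        """Send the request and decode the JSON reply."""
        req = self.build_request(verb, resource, params)
        with self._open(req) as resp:
            return json.loads(resp.read().decode("utf-8"))


def parse_id_reply(reply):
    """Return the object id from a create/delete reply such as
    {"ID": 20007, "Message": "ID=20007\\n"}. The Message text is cross-checked
    against the ID field so a malformed reply is noticed rather than used."""
    if not isinstance(reply, dict) or "ID" not in reply:
        raise ValueError(f"reply carries no ID field: {reply!r}")
    obj_id = int(reply["ID"])
    message = str(reply.get("Message", "")).strip()
    if message and message != f"ID={obj_id}":
        raise ValueError(f"ID {obj_id} does not match message {message!r}")
    return obj_id


class RecordingTransport:
    """Offline stand-in for urllib.request.urlopen: records every request and
    hands back canned JSON replies in order (constructed for this example)."""

    def __init__(self, replies):
        self.replies = list(replies)
        self.requests = []

    def __call__(self, req):
        self.requests.append(req)
        body = json.dumps(self.replies.pop(0)).encode("utf-8")
        return io.BytesIO(body)  # BytesIO supports the 'with' block used in call()


def demo():
    """Create, list and delete a datasource against the recording transport."""
    transport = RecordingTransport([
        {"ID": 20007, "Message": "ID=20007\n"},          # constructed create reply
        [{"Name": "MSSQL252", "Host": "10.10.9.252"}],    # constructed (trimmed) list reply
        {"ID": 20007, "Message": "ID=20007\n"},          # constructed delete reply
    ])
    client = GuardiumRestClient("https://10.10.9.248:8443", "constructed-token", opener=transport)
    new_id = parse_id_reply(client.call("create", "datasource", application="SecurityAssessment",
                                        host="10.10.9.252", name="MSSQL252", port=1433,
                                        type="MS SQL SERVER (DataDirect)", user="sa"))
    listed = client.call("list", "datasource", name="MSSQL252")
    deleted_id = parse_id_reply(client.call("delete", "delete_datasource_by_id", id=new_id))
    return {
        "created_id": new_id,
        "listed_name": listed[0]["Name"],
        "deleted_id": deleted_id,
        "methods": [r.get_method() for r in transport.requests],
    }


if __name__ == "__main__":
    print(demo())
```

Replacing RecordingTransport with the default urllib opener sends the same requests to a real appliance; the resource names (datasource, delete_datasource_by_id) are the ones the slides use, while the update resource is omitted because the slide shows only its body.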
List Datasource by name

curl -k --header "Authorization:Bearer 9f8e1b10-7e6d-4803-9812-1faab5d0a094" -i -H "Content-Type: application/json" -X GET https://10.10.9.239:8443/restAPI/datasource/?name="MSSQL_1"

GET = list. Parameters to be passed in the GET request: ?name="MSSQL_1". REST resource: restAPI/datasource. This means: show me the details of the datasource named MSSQL_1.

Response:
[{
  "DatasourceId": "https://G91.ibm.com:8443/restAPI/datasource?id=20021",
  "DatasourceTypeId": "4",
  "Name": "MSSQL_1",
  "Description": "null",
  "Host": "10.10.9.252",
  "Port": "1433",
  "ServiceName": "",
  "UserName": "sa",
  "Password": "[B@7ad07ad0",
  "PasswordStored": "true",
  "DbName": "null",
  "LastConnect": "null",
  "Timestamp": "2014-03-11 13:09:36.0",
  "ApplicationId": "8",
  "Shared": "true",
  "ConProperty": "null",
  "OsUsername": "null",
  "DbHomeDir": "null",
  "CustomUrl": "null",
  "Severity": "5",
  "DbDriverId": "4",
  "CompatibilityMode": "",
  "DatasourceType": "MS SQL SERVER",
  "ApplicationType": "SecurityAssessment"
}]
Sample Java Code Snippet for Datasources

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.Reader;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;

// Construct the URL. In the curl example the shell strips the quotes around
// MSSQL_1, so the query string sent on the wire is simply name=MSSQL_1.
URL url = new URL("https://10.10.9.239:8443/restAPI/datasource/?name=MSSQL_1");
HttpsURLConnection conn = null;
String jsonResults;
try {
    // Open the connection
    conn = (HttpsURLConnection) url.openConnection();
    // Set the appropriate parameters (a GET sends no body, so doOutput stays false;
    // enabling it would make HttpURLConnection switch the request to POST)
    conn.setUseCaches(false);
    conn.setDoInput(true);
    // Use the GET method to list the datasource
    conn.setRequestMethod("GET");
    // Set the access token (obtained earlier) for authorization
    conn.setRequestProperty("Authorization", "Bearer " + accessToken);
    // Read the results of listing the datasource
    Reader in = new BufferedReader(new InputStreamReader(conn.getInputStream(), "UTF-8"));
    // Get the reply back from Guardium
    StringBuilder sb = new StringBuilder();
    for (int c; (c = in.read()) >= 0; ) {
        sb.append((char) c);
    }
    jsonResults = sb.toString();
} finally {
    // Done with the connection
    if (conn != null) {
        conn.disconnect();
    }
}
Create a Datasource

[joe@ocean]$ curl -k --header "Authorization:Bearer bd9278f0-c02c-4efc-b4dc-f861b7fc28e7" -i -H "Content-Type: application/json" -X POST -d '{application:"SecurityAssessment",host:10.10.9.252,name:"MSSQL_1",owner:admin,password:guardium,port:1433,shared:"true",severity:MED,type:"MS SQL SERVER (DataDirect)",user:sa }' https://10.10.9.239:8443/restAPI/datasource

POST = Create
URI: https://10.10.9.239:8443/restAPI/datasource
Parameters: the name:value pairs in the JSON object passed with -d

Response:
{"ID": 20004, "Message": "ID=20004"}
Create a Datasource

[joe@ocean]$ curl -k --header "Authorization:Bearer bd9278f0-c02c-4efc-b4dc-f861b7fc28e7" -i -H "Content-Type: application/json" -X POST -d '{application:"SecurityAssessment",host:10.10.9.252,name:"MSSQL_1",owner:admin,password:guardium,port:1433,shared:"true",severity:MED,type:"MS SQL SERVER (DataDirect)",user:sa }' https://10.10.9.239:8443/restAPI/datasource

HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=52960A56AFBC5989CDC825BCEA5EEBA4; Path=/; Secure; HttpOnly
X-UA-Compatible: IE=edge
X-FRAME-OPTIONS: SAMEORIGIN
Access-Control-Allow-Methods: POST, GET, PUT, DELETE
Access-Control-Allow-Headers: authorization, origin, X-Requested-With, Content-Type, Accept
Access-Control-Max-Age: 18000
Content-Type: application/json;charset=UTF-8
Content-Length: 43
Date: Wed, 12 Mar 2014 08:23:44 GMT
Server: SQL Guard

{"ID": 20004, "Message": "ID=20004"}
[joe@ocean]$
Example of creating a group through REST

[joe@osprey ~]$ curl -k --header "Authorization:Bearer 211684bf-404d-4d98-960a-5d69ed8111c5" -i -H "Content-Type: application/json" -X POST -d '{desc:"Application DB Users",type:USERS,appid:"Public",category:"application users",classification:"PCI data",owner:"admin" }' https://10.10.9.239:8443/restAPI/group

HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=B7C946314283B4D4542A1FE2368D6942; Path=/; Secure; HttpOnly
Content-Type: application/json;charset=ISO-8859-1
Content-Length: 36
Date: Fri, 14 Mar 2014 14:28:27 GMT
Server: SQL Guard

{"ID":20009,"Message":"ID=20009\n"}

Successful execution of create group
Example of adding a member to a group through REST

[joe@osprey ~]$ curl -k --header "Authorization:Bearer 211684bf-404d-4d98-960a-5d69ed8111c5" -i -H "Content-Type: application/json" -X POST -d '{desc:"Application DB Users",member:App10 }' https://10.10.9.239:8443/restAPI/group_member

HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=36ECFCEB5B3351FAC33950E96E5C79DA; Path=/; Secure; HttpOnly
Content-Type: application/json;charset=ISO-8859-1
Content-Length: 40
Date: Fri, 14 Mar 2014 14:29:12 GMT
Server: SQL Guard

{"ID":1003225,"Message":"ID=1003225\n"}

POST on resource "group_member" = create
Successful execution of create group member
List members of a group through REST

[joe@osprey ~]$ curl -k --header "Authorization:Bearer 1c2cf8e2-1e3f-496f-8e09-a5bddeefbdf9" -i -H "Content-Type: application/json" -X GET https://10.10.9.239:8443/restAPI/group_members_by_group_id?id=20009

HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=7E8023B5EF9273A39E4C5503C6DF550E; Path=/; Secure; HttpOnly
X-UA-Compatible: IE=edge
X-FRAME-OPTIONS: SAMEORIGIN
Access-Control-Allow-Methods: POST, GET, PUT, DELETE
Access-Control-Allow-Headers: authorization, origin, X-Requested-With, Content-Type, Accept
Access-Control-Max-Age: 18000
Content-Type: application/json;charset=UTF-8
Content-Length: 220
Date: Fri, 14 Mar 2014 20:46:11 GMT
Server: SQL Guard

[{
  "group_id": 20000,
  "group_description": "https://G91:8443/restAPI/group?desc=Application DB Users",
  "group_members": [
    {"member": "App10"}
  ]
}]

GET on resource "group_members_by_group_id" = list
Successful execution listing the members of the group, in JSON format
How to Get Help

curl -k --header "Authorization:Bearer 1c2cf8e2-1e3f-496f-8e09-a5bddeefbdf9" -i -H "Content-Type: application/json" -X GET https://10.10.9.239:8443/restAPI/restapi

https://1010.9.239:8443/restAPI/restapi?resourceId=14

[joe@osprey ~]$ curl -k --header "Authorization:Bearer 1c2cf8e2-1e3f-496f-8e09-a5bddeefbdf9" -i -H "Content-Type: application/json" -X GET https://9.70.148.214:8443/restAPI/restapi?resourceId=14

[{"parameterName": "desc", "parameterType": "java.lang.String", "isRequired": true},
 {"parameterName": "member", "parameterType": "java.lang.String", "isRequired": true},
 {"parameterName": "api_target_host", "parameterType": "java.lang.String", "isRequired": false}]
How to Get Help – Update Datasource

https://1010.9.239:8443/restAPI/restapi?resourceId=4

[root@q]# curl -k --header "Authorization:Bearer bd9278f0-c02c-4efc-b4dc-f861b7fc28e7" https://9.70.148.214:8443/restAPI/restapi?resourceId=4

[{"parameterName": "name", "parameterType": "java.lang.String", "isRequired": true},
 {"parameterName": "newName", "parameterType": "java.lang.String", "isRequired": false},
 {"parameterName": "description", "parameterType": "java.lang.String", "isRequired": false},
 {"parameterName": "port", "parameterType": "java.lang.Integer", "isRequired": false},
 {"parameterName": "serviceName", "parameterType": "java.lang.String", "isRequired": false},
 {"parameterName": "user", "parameterType": "java.lang.String", "isRequired": false},
 {"parameterName": "password", "parameterType": "java.lang.String", "isRequired": false},
 {"parameterName": "dbName", "parameterType": "java.lang.String", "isRequired": false},
 {"parameterName": "conProperty", "parameterType": "java.lang.String", "isRequired": false},
 {"parameterName": "dbInstanceDirectory", "parameterType": "java.lang.String", "isRequired": false},
 {"parameterName": "dbInstanceAccount", "parameterType": "java.lang.String", "isRequired": false},
 {"parameterName": "shared", "parameterType": "java.lang.String", "isRequired": false},
 {"parameterName": "customURL", "parameterType": "java.lang.String", "isRequired": false},
 {"parameterName": "severity", "parameterType": "java.lang.String", "isRequired": false},
 {"parameterName": "api_target_host", "parameterType": "java.lang.String", "isRequired": false}]
Integrate with Existing Business Processes

Diagram: a custom application (CustomApp) in which the application owner specifies the IP address of their system. The application calls the REST APIs with the server IP and an authorized email address, and grdAPI sends the application owner an email with a report of audit data for their server IP address (audit data report for changes to the server IP).

• An existing customer system needs to correlate "some" Guardium information or trigger a process within Guardium
• Need an "industry" standard way to interact with Guardium (restAPI)
Note: Guardium has tremendous automation in the existing GUI and tools.
Use Cases

Configuration, Datasources, Groups, Reports, Policies, Server Risk
Configuration

Store these in a safe place!!! Guy will discuss this in more detail.
DataSources
Groups
List Group Members
Reports

• Use for getting "small" reports
• Submit an audit process for large/bulk reports
• Good to integrate with other systems that need small pieces of information without access to the GUI
Failed Login Report
Integrate with Application Team

Show groups, update groups, show report, email report
Policy and Groups

Update groups, install policies
Server Risk
Server Risk…
Integration With Other Dashboards
Implementation Considerations – Guy

Security: API and GUI considerations, roles and permissions, implementation notes
Every Application Needs Good Security

Security – REST API security is multi-tiered:
– Communication must be secured with SSL to prevent access to the access token or client secret on the wire
– The client secret must be secured. Anyone who has the client key can use it to generate tokens and then execute API requests.
– Token generation requires a valid Guardium user/password.
• On each API request the permissions of the user associated with the token are evaluated to verify the user is allowed to execute the specific function.
Roles and Permissions

API functions are linked to Guardium modules/applications and assigned to roles the same way GUI modules are.
Policy installation could be a different role than "admin". Good separation of duties is available.
Implementation Notes

Consider the REST API when:
– You want to do online system integration.
• An external system triggers something in Guardium interactively
– You want to develop programs for specific use cases
• Clients can be developed in the language of your choice
• Generic programs like the one shown in this presentation are good to demonstrate capabilities but are not a real implementation of the interface.
– You want to do interactive system integration (not batch processing)

Do not use the REST API:
– To rewrite Guardium functionality.
• If you can do it inside Guardium you should not do it through the REST API.
– For mass data offload
• If you need to export high volumes of data to external systems, don't use the REST API.
Information, training, and community

• Use the IBM InfoSphere Guardium REST API – developerWorks article
• InfoSphere Guardium YouTube Channel – includes overviews and technical demos
• InfoSphere Guardium newsletter
• developerWorks forum (very active)
• Guardium DAM User Group on LinkedIn (very active)
• Community on developerWorks (includes content and links to a myriad of sources, articles, etc.)
• Guardium Info Center
• InfoSphere Guardium Virtual User Group: open, technical discussions with other users. Send a note to [email protected] if interested.
RestAPI

• Ability to programmatically access grdAPI's
• Allows for easier integration with new technologies in the market
• Example use cases:
– I want the ability to dynamically get a small amount of audit data for a certain IP address without having to log in to the Guardium GUI
– I want to populate an existing group, so I can update my policy to prevent unauthorized access to sensitive information by users that have left the company
– I want to get a list of all users within a certain authorized access group
– I want my application development team to help identify what sensitive tables to monitor
– I want to script access to grdAPI's without using the "expect" scripting language, which requires me to code the response text from the target system
RestAPI Overview

• Register as a client application with the Guardium authorization server.
• Request an access token with the client credentials, using the client secret we got from the previous phase.
• Create a report with the server IP address as a run-time parameter
• Create an ad hoc audit process with a report (grdAPI)
– grdapi create_ad_hoc_audit_and_run_once reportId=183 isForReportRunOnce=true changeParIfExist=true taskParameter="QUERY_FROM_DATE=2012-10-23 00:00:00^^QUERY_TO_DATE=2013-11-22 00:00:00^^HostnameLike=%^^SHOW_ALIASES=TRUE^^REMOTE_SOURCE=" processNamePar=joe1 [email protected]=1 includeUserReceiver=false api_target_host=< >
– Other details
• How do you identify the report id (183)?
• How do you look at the audit processes (joe1)?
• Configuring the SMTP gateway to email the report (to [email protected])
RestAPI Overview: Datasources

• Register as a client application with the Guardium authorization server.
• Request an access token with the client credentials, using the client secret we got from the previous phase.
• Add a datasource
• Remove a datasource

The Guardium administrator must use a local CLI-authenticated session to generate a client secret for the client application. The client secret is then used by the client application to generate an access token associated with a valid Guardium user. An access token can be revoked using the revokeOauthToken API function. A client id can be revoked (invalidating all active tokens) using the revokeOauthClient API function. The access token has an expiration age assigned (current default is 3 hours). Subsequent API calls must specify the token and will have the permissions granted to the user associated with the token. Any requests after the token expires will fail and the client application must generate a new token. The API functions getOAuthTokenExpirationTime and setOAuthTokenExpirationTime can be used to display and modify the token expiration duration; this setting is global and affects all tokens. These API functions are not exposed as REST APIs and can be invoked only through an authenticated CLI session by a user with the admin role.
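The token lifecycle described above, together with the three security tiers from the "Every Application Needs Good Security" slide, is what a client has to get right on its side. The following is an added example written for this page, not code from the IBM presentation or from Guardium: it reads the client secret only from a file that its owner alone can read, caches the access token and renews it before the appliance's expiration age (3 hours by default) runs out, and builds a TLS context that verifies the appliance certificate rather than disabling verification as the curl -k examples do. The token request itself is an injected callable, because the token endpoint is not shown on the slides, and the clock is injectable so the example runs offline; all secrets and tokens below are constructed values.

```python
"""Token lifecycle and transport hygiene for a Guardium restAPI client.

Added example; not code from the IBM presentation. The token request is an
injected callable (the token endpoint is not shown on the slides) and the
clock is injectable, so everything here runs offline with constructed values.
"""
import os
import ssl
import stat
import tempfile
import time

TOKEN_LIFETIME_SECONDS = 3 * 60 * 60   # appliance default expiration age (3 hours)
REFRESH_MARGIN_SECONDS = 5 * 60        # renew this far ahead so in-flight calls do not fail


def load_client_secret(path):
    """Read the client secret from a file, refusing one that group or others can read."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} has mode {oct(mode)}; expected owner-only access (0600)")
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def appliance_tls_context(ca_file=None):
    """TLS context that verifies the appliance certificate and hostname.
    ca_file is the bundle that issued the appliance certificate; None uses the system store."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


class TokenManager:
    """Caches one access token and renews it before the appliance expires it."""

    def __init__(self, request_token, clock=time.time,
                 lifetime=TOKEN_LIFETIME_SECONDS, margin=REFRESH_MARGIN_SECONDS):
        self._request_token = request_token   # callable(client_secret) -> token string
        self._clock = clock
        self._lifetime = lifetime
        self._margin = margin
        self._token = None
        self._issued_at = None
        self.renewals = 0

    def get(self, client_secret):
        """Return a token that is still valid for at least `margin` seconds."""
        stale = self._token is None or \
            self._clock() >= self._issued_at + self._lifetime - self._margin
        if stale:
            self._token = self._request_token(client_secret)
            self._issued_at = self._clock()
            self.renewals += 1
        return self._token

    def invalidate(self):
        """Forget the cached token, e.g. after the appliance rejects it because an
        administrator ran revokeOauthToken or shortened the expiration time."""
        self._token = None
        self._issued_at = None


def demo_token_renewal():
    """Drive TokenManager with a simulated clock across one 3-hour window."""
    now = [0.0]
    issued = []

    def fake_request_token(secret):          # stands in for the real token request
        issued.append(secret)
        return f"constructed-token-{len(issued)}"

    tm = TokenManager(fake_request_token, clock=lambda: now[0])
    first = tm.get("constructed-secret")
    now[0] = 2 * 60 * 60                                       # two hours later: cached
    second = tm.get("constructed-secret")
    now[0] = TOKEN_LIFETIME_SECONDS - REFRESH_MARGIN_SECONDS   # inside the margin: renewed
    third = tm.get("constructed-secret")
    tm.invalidate()
    fourth = tm.get("constructed-secret")                      # forced renewal after revocation
    return {"first": first, "second": second, "third": third, "fourth": fourth,
            "renewals": tm.renewals}


def demo_secret_file_check():
    """Show the permission check accepting a 0600 file and rejecting a 0644 one."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "client_secret")
        with open(good, "w", encoding="utf-8") as fh:
            fh.write("constructed-secret\n")
        os.chmod(good, 0o600)
        loaded = load_client_secret(good)
        leaky = os.path.join(d, "leaky_secret")
        with open(leaky, "w", encoding="utf-8") as fh:
            fh.write("constructed-secret\n")
        os.chmod(leaky, 0o644)
        try:
            load_client_secret(leaky)
            rejected = False
        except PermissionError:
            rejected = True
    return loaded, rejected


if __name__ == "__main__":
    print(demo_token_renewal())
    print(demo_secret_file_check())
```

The margin keeps a long-running job from sending a request with a token that expires mid-flight; if the appliance administrator lowers the global expiration time with setOAuthTokenExpirationTime, the lifetime argument has to be adjusted to match, and any request that is rejected anyway should call invalidate() and retry once with a fresh token.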
RestAPI Overview for Datasources

Add a datasource with the Rest API
The syntax for all of the grdApi's is to put all the parameters of the function after the "-d". Here's an example of how to add a datasource, which takes parameters like application, host, name, owner, password, etc.

Request:
curl -k --header "Authorization:Bearer 80cdcfa3-e02e-4bd6-829a-6b656beaa90a" -i -H "Content-Type: application/json" -X POST -d '{application:"SecurityAssessment",host:10.10.9.252,name:"MSSQL252",owner:admin,password:"1qaz!QAZ",port:1433,shared:true,severity:MED,type:"MS SQL SERVER (DataDirect)",user:sa}' https://10.10.9.248:8443/restAPI/datasource

Response:
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=8C90021B43CCAF324FD72D498B0D4C93; Path=/; Secure; HttpOnly
Content-Type: application/json;charset=ISO-8859-1
Content-Length: 36
Date: Fri, 01 Nov 2013 23:59:38 GMT
Server: SQL Guard

{"ID":20007,"Message":"ID=20007\n"}

This means the datasource was added successfully, and the ID for the datasource is 20007.
Delete a datasource by ID=20007 with the Rest API

Notice the "-X DELETE" section below in the command, versus the POST in the previous command to create the datasource.

Request:
curl -k --header "Authorization:Bearer 80cdcfa3-e02e-4bd6-829a-6b656beaa90a" -i -H "Content-Type: application/json" -X DELETE -d '{id:20007}' https://10.10.9.248:8443/restAPI/delete_datasource_by_id

Response:
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=354039539B475B50EBBFD00892A2F66A; Path=/; Secure; HttpOnly
Content-Type: application/json;charset=ISO-8859-1
Content-Length: 36
Date: Sat, 02 Nov 2013 00:09:27 GMT
Server: SQL Guard

{"ID":20007,"Message":"ID=20007\n"}

The message, {"ID":20007,"Message":"ID=20007\n"}, means it was successful.
Thank You