
Guardium RESTapi

Joe_DiPietro@us.ibm.com
Guy Galil - guyga@il.ibm.com

2014 IBM Corporation


Logistics
This tech talk is being recorded. If you object, please hang up and leave the webcast now.
We'll post a copy of the slides and a link to the recording on the Guardium community tech talk wiki page: http://ibm.co/Wh9x0o
You can listen to the tech talk using audiocast and ask questions in the chat to the Q and A group.
We'll try to answer questions in the chat or address them at the speaker's discretion.
If we cannot answer your question, please do include your email so we can get back to you.
When the speaker pauses for questions, we'll go through the existing questions in the chat.

Reminder: Guardium Tech Talks

Next tech talk: Getting Started with InfoSphere Guardium Vulnerability Assessment
Speakers: Ian Schmidt and Louis Lam
Date & Time: Thursday, May 8th, 2014, 11:30 AM Eastern Time (60 minutes)
Register here: http://bit.ly/1l9Abs3

A link to more information about this and upcoming tech talks can be found on the InfoSphere Guardium developerWorks community: http://ibm.co/Wh9x0o
Please submit a comment on this page with ideas for tech talk topics.



New!!! Regional user groups this year

For registration links, ask your IBM rep or visit the Events Calendar on the InfoSphere Guardium community on developerWorks.



Agenda
The REST API: An Introduction
Use Cases and Examples
Datasource & Group
Reports
Groups and Policy Install
Risk Model
Security and Operational Issues



restAPI
What is REST?
A stateless architecture that runs over HTTP.
REST = REpresentational State Transfer
http://en.wikipedia.org/wiki/Representational_state_transfer

Why expose information via REST?
Many newer applications use REST: mobile, social, and applications that automate business processes.
Guardium has always tried to leverage existing infrastructure to integrate our products, making them easier to deploy and providing higher value for our customers.

How does it work?
It leverages existing technologies: HTTP, XML, etc.
Resources are addressed by Uniform Resource Identifiers (URIs), for example https://10.10.9.239:8443/restAPI/datasource
REST has a limited number of operations (GET, POST, PUT & DELETE = verbs).



Guardium's Implementation of REST
1. Register the application (only once) and get the client secret
2. Store the client secret in a secure place
3. Request an access token for authorization
4. Store the access token so grdAPI commands will be authenticated properly
5. Use the access token to submit grdAPI commands

Exchange between the client application and the Guardium appliance:
1. Use grdAPI to register the application (CLI)
2. Save the response, which contains the client secret
3. Send a request for an access token with the client secret
4. Save the response, which contains the access token (HTTPS with REST)
5. Send grdAPI calls with the authorized access token


Spreadsheet as a tool for restAPI



Spreadsheet as a tool for restAPI



REST with Guardium
HTTP has a vocabulary of operations (request methods):
GET (pass parameters in the URL)
POST (pass parameters in a JSON object)
PUT (pass the parameters to change as a JSON object)
DELETE (pass parameters as a JSON object)

RestAPI vs GrdAPI:
GET = List
POST = Create
PUT = Update
DELETE = Delete

grdAPIs and their REST equivalents:
list_datasourcename_by_name (parameters: ?name="MSSQL_1")
-X GET https://10.10.9.239:8443/restAPI/datasource/?name="MSSQL_1"

create_datasource
-X POST https://10.10.9.239:8443/restAPI/datasource

update_datasource_by_name - JSON object '{password:guardium, name:"MSSQL_1"}'
-X PUT -d '{password:guardium, name:"MSSQL_1"}'

delete_datasource_by_id - JSON object '{"id":20020}'
-X DELETE -d '{"id":20020}'
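The verb-to-grdAPI mapping above, as an added example that is not code from the deck: a Python request builder that produces the same requests as the curl lines (query string for GET, JSON body for POST/PUT/DELETE, Bearer header on all of them) plus a parser for the {"ID":...,"Message":"ID=..."} reply. Host, resource and ID values come from the slides; urllib's Request object is used so the result can be inspected offline.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request

# Maps the grdAPI-style operation to the HTTP verb listed on this slide.
VERB_FOR_OPERATION = {"list": "GET", "create": "POST", "update": "PUT", "delete": "DELETE"}


def build_request(base_url, resource, operation, token, params):
    """Return a urllib Request equivalent to the curl commands on this slide.

    GET passes its parameters in the query string; the other verbs send them
    as a JSON object in the request body, exactly as the curl -d examples do.
    """
    verb = VERB_FOR_OPERATION[operation]
    url = "%s/restAPI/%s" % (base_url.rstrip("/"), resource)
    headers = {
        "Authorization": "Bearer " + token,   # access token from step 4 of the flow
        "Content-Type": "application/json",
    }
    data = None
    if verb == "GET":
        if params:
            # urlencode yields ?name=MSSQL_1, which is also what the shell sends
            # after stripping the quotes from ?name="MSSQL_1" in the curl line.
            url += "?" + urlencode(params)
    else:
        data = json.dumps(params).encode("utf-8")
    return Request(url, data=data, headers=headers, method=verb)


def parse_id_response(body):
    """Extract the object ID from a '{"ID":20007,"Message":"ID=20007\\n"}' reply.

    Raises ValueError when the body carries no ID or the ID and Message
    disagree, so a caller cannot mistake an error page for a successful
    create/update/delete.
    """
    reply = json.loads(body)
    if "ID" not in reply:
        raise ValueError("no ID in response: %r" % body)
    ident = int(reply["ID"])
    if reply.get("Message", "").strip() != "ID=%d" % ident:
        raise ValueError("ID and Message disagree: %r" % body)
    return ident
```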



List Datasource by name
curl -k --header "Authorization:Bearer 9f8e1b10-7e6d-4803-9812-1faab5d0a094" -i -H "Content-Type: application/json" -X GET https://10.10.9.239:8443/restAPI/datasource/?name="MSSQL_1"

GET = list
Parameters to be passed in the GET request: ?name="MSSQL_1" (the quotes are consumed by the shell, so the URL actually sent ends in ?name=MSSQL_1)
REST Resource: restAPI/datasource
This means: show me the details of the datasource named MSSQL_1

[
  {
    "Timestamp": "2014-03-11 13:09:36.0",
    "DatasourceId": "https://G91.ibm.com:8443/restAPI/datasource?id=20021",
    "DatasourceTypeId": "4",
    "Name": "MSSQL_1",
    "Description": "null",
    "Host": "10.10.9.252",
    "Port": "1433",
    "ServiceName": "",
    "UserName": "sa",
    "Password": "[B@7ad07ad0",
    "PasswordStored": "true",
    "DbName": "null",
    "LastConnect": "null",
    "ApplicationId": "8",
    "Shared": "true",
    "ConProperty": "null",
    "OsUsername": "null",
    "DbHomeDir": "null",
    "CustomUrl": "null",
    "Severity": "5",
    "DbDriverId": "4",
    "CompatibilityMode": "",
    "DatasourceType": "MS SQL SERVER",
    "ApplicationType": "SecurityAssessment"
  }
]



Sample Java Code Snippet for Datasources

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.Reader;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;

// Construct the URL (the shell-quoted ?name="MSSQL_1" of the curl example is sent as ?name=MSSQL_1)
URL url = new URL("https://10.10.9.239:8443/restAPI/datasource/?name=MSSQL_1");
HttpsURLConnection conn = null;
try {
    // Open the connection
    conn = (HttpsURLConnection) url.openConnection();
    // Set the appropriate parameters
    conn.setUseCaches(false);
    conn.setDoInput(true);
    // Use the GET method to list the datasource (a GET carries no request body)
    conn.setRequestMethod("GET");
    // Set the access token for authorization
    conn.setRequestProperty("Authorization", "Bearer " + accessToken);
    // Read the results of listing the datasource
    Reader in = new BufferedReader(new InputStreamReader(conn.getInputStream(), "UTF-8"));
    // Collect the reply from Guardium
    StringBuilder sb = new StringBuilder();
    for (int c; (c = in.read()) >= 0; ) {
        sb.append((char) c);
    }
    JSONresults = sb.toString();
} finally {
    // Done with the connection
    if (conn != null) {
        conn.disconnect();
    }
}



Create a Datasource
[joe@ocean]$ curl -k --header "Authorization:Bearer bd9278f0-c02c-4efc-b4dc-f861b7fc28e7" -i -H "Content-Type: application/json" -X POST -d '{application:"Security Assessment",host:10.10.9.252,name:"MSSQL_1",owner:admin,password:guardium,port:1433,shared:"true",severity:MED,type:"MS SQL SERVER (DataDirect)",user:sa }' https://10.10.9.239:8443/restAPI/datasource

POST = Create
URI - https://10.10.9.239:8443/restAPI/datasource
Parameters (values) are passed in the JSON object after -d

Response:
{
"ID": 20004,
"Message": "ID=20004"
}
Create a Datasource
[joe@ocean]$ curl -k --header "Authorization:Bearer bd9278f0-c02c-4efc-b4dc-f861b7fc28e7" -i -H "Content-Type: application/json" -X POST -d '{application:"Security Assessment",host:10.10.9.252,name:"MSSQL_1",owner:admin,password:guardium,port:1433,shared:"true",severity:MED,type:"MS SQL SERVER (DataDirect)",user:sa }' https://10.10.9.239:8443/restAPI/datasource
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=52960A56AFBC5989CDC825BCEA5EEBA4; Path=/; Secure; HttpOnly
X-UA-Compatible: IE=edge
X-FRAME-OPTIONS: SAMEORIGIN
Access-Control-Allow-Methods: POST, GET, PUT, DELETE
Access-Control-Allow-Headers: authorization, origin, X-Requested-With, Content-Type, Accept
Access-Control-Max-Age: 18000
Content-Type: application/json;charset=UTF-8
Content-Length: 43
Date: Wed, 12 Mar 2014 08:23:44 GMT
Server: SQL Guard
{
"ID": 20004,
"Message": "ID=20004"
}
[joe@ocean]$



Example of creating a group through REST

[joe@osprey ~]$ curl -k --header "Authorization:Bearer 211684bf-404d-4d98-960a-5d69ed8111c5" -i -H "Content-Type: application/json" -X POST -d '{desc:"Application DB Users",type:USERS,appid:"Public",category:"application users",classification:"PCI data",owner:"admin" }' https://10.10.9.239:8443/restAPI/group

HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=B7C946314283B4D4542A1FE2368D6942; Path=/; Secure; HttpOnly
Content-Type: application/json;charset=ISO-8859-1
Content-Length: 36
Date: Fri, 14 Mar 2014 14:28:27 GMT
Server: SQL Guard

{"ID":20009,"Message":"ID=20009\n"}
Successful execution of create group



Example of adding a member to a group through REST

[joe@osprey ~]$ curl -k --header "Authorization:Bearer 211684bf-404d-4d98-960a-5d69ed8111c5" -i -H "Content-Type: application/json" -X POST -d '{desc:"Application DB Users",member:App10 }' https://10.10.9.239:8443/restAPI/group_member

POST on resource group_member = create

HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=36ECFCEB5B3351FAC33950E96E5C79DA; Path=/; Secure; HttpOnly
Content-Type: application/json;charset=ISO-8859-1
Content-Length: 40
Date: Fri, 14 Mar 2014 14:29:12 GMT
Server: SQL Guard

{"ID":1003225,"Message":"ID=1003225\n"}
Successful execution of create group member



List members of a group through REST
[joe@osprey ~]$ curl -k --header "Authorization:Bearer 1c2cf8e2-1e3f-496f-8e09-a5bddeefbdf9" -i -H "Content-Type: application/json" -X GET https://10.10.9.239:8443/restAPI/group_members_by_group_id?id=20009

GET on resource group_members_by_group_id = list

HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=7E8023B5EF9273A39E4C5503C6DF550E; Path=/; Secure; HttpOnly
X-UA-Compatible: IE=edge
X-FRAME-OPTIONS: SAMEORIGIN
Access-Control-Allow-Methods: POST, GET, PUT, DELETE
Access-Control-Allow-Headers: authorization, origin, X-Requested-With, Content-Type, Accept
Access-Control-Max-Age: 18000
Content-Type: application/json;charset=UTF-8
Content-Length: 220
Date: Fri, 14 Mar 2014 20:46:11 GMT
Server: SQL Guard

[
  {
    "group_id": 20000,
    "group_description": "https://G91:8443/restAPI/group?desc=Application DB Users",
    "group_members": [
      {
        "member": "App10"
      }
    ]
  }
]
Successful execution: the members of the group are listed in JSON format



How to Get Help
List all REST resources:
curl -k --header "Authorization:Bearer 1c2cf8e2-1e3f-496f-8e09-a5bddeefbdf9" -i -H "Content-Type: application/json" -X GET https://10.10.9.239:8443/restAPI/restapi

List the parameters of one resource by its id, e.g. https://10.10.9.239:8443/restAPI/restapi?resourceId=14
[joe@osprey ~]$ curl -k --header "Authorization:Bearer 1c2cf8e2-1e3f-496f-8e09-a5bddeefbdf9" -i -H "Content-Type: application/json" -X GET https://9.70.148.214:8443/restAPI/restapi?resourceId=14
[
{
"parameterName": "desc",
"parameterType": "java.lang.String",
"isRequired": true
},
{
"parameterName": "member",
"parameterType": "java.lang.String",
"isRequired": true
},
{
"parameterName": "api_target_host",
"parameterType": "java.lang.String",
"isRequired": false
}
]



How to Get Help: Update Datasource
https://10.10.9.239:8443/restAPI/restapi?resourceId=4
[root@q]# curl -k --header "Authorization:Bearer bd9278f0-c02c-4efc-b4dc-f861b7fc28e7" https://9.70.148.214:8443/restAPI/restapi?resourceId=4
[
  {
    "parameterName": "name",
    "parameterType": "java.lang.String",
    "isRequired": true
  },
  {
    "parameterName": "newName",
    "parameterType": "java.lang.String",
    "isRequired": false
  },
  {
    "parameterName": "description",
    "parameterType": "java.lang.String",
    "isRequired": false
  },
  {
    "parameterName": "port",
    "parameterType": "java.lang.Integer",
    "isRequired": false
  },
  {
    "parameterName": "serviceName",
    "parameterType": "java.lang.String",
    "isRequired": false
  },
  {
    "parameterName": "user",
    "parameterType": "java.lang.String",
    "isRequired": false
  },
  {
    "parameterName": "password",
    "parameterType": "java.lang.String",
    "isRequired": false
  },
  {
    "parameterName": "dbName",
    "parameterType": "java.lang.String",
    "isRequired": false
  },
  {
    "parameterName": "conProperty",
    "parameterType": "java.lang.String",
    "isRequired": false
  },
  {
    "parameterName": "dbInstanceDirectory",
    "parameterType": "java.lang.String",
    "isRequired": false
  },
  {
    "parameterName": "dbInstanceAccount",
    "parameterType": "java.lang.String",
    "isRequired": false
  },
  {
    "parameterName": "shared",
    "parameterType": "java.lang.String",
    "isRequired": false
  },
  {
    "parameterName": "customURL",
    "parameterType": "java.lang.String",
    "isRequired": false
  },
  {
    "parameterName": "severity",
    "parameterType": "java.lang.String",
    "isRequired": false
  },
  {
    "parameterName": "api_target_host",
    "parameterType": "java.lang.String",
    "isRequired": false
  }
]
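The two help slides above return, for each REST resource, its parameter names, Java types and whether each is required. As an added example (not code from the deck or from Guardium), this Python function checks a request body against that help output before the call is sent, so a missing required parameter, an unknown parameter or a wrongly typed value is caught client-side rather than as an opaque failure from the appliance. The embedded sample is the resourceId=14 (group_member) output shown earlier; the Java-to-Python type map is an assumption covering the two types that appear on these slides.

```python
import json

# Constructed sample: the resourceId=14 (group_member) help output from the slide.
GROUP_MEMBER_HELP = json.loads("""[
  {"parameterName": "desc", "parameterType": "java.lang.String", "isRequired": true},
  {"parameterName": "member", "parameterType": "java.lang.String", "isRequired": true},
  {"parameterName": "api_target_host", "parameterType": "java.lang.String", "isRequired": false}
]""")

# Java parameter types seen in the help output, mapped to the Python types a
# client should send (assumption: only the types that appear on these slides).
PYTHON_TYPE_FOR = {"java.lang.String": str, "java.lang.Integer": int}


def validate_params(help_entries, body):
    """Check a request body (dict) against the help output for one REST resource.

    Returns a list of problems; an empty list means the body is acceptable.
    Problems reported: missing required parameters, parameters the resource
    does not declare, and values whose type does not match the Java type.
    """
    problems = []
    declared = {entry["parameterName"]: entry for entry in help_entries}
    for name, entry in declared.items():
        if entry["isRequired"] and name not in body:
            problems.append("missing required parameter: " + name)
    for name, value in body.items():
        entry = declared.get(name)
        if entry is None:
            problems.append("unknown parameter: " + name)
            continue
        expected = PYTHON_TYPE_FOR.get(entry["parameterType"])
        if expected is None:
            problems.append("unsupported type %s for %s" % (entry["parameterType"], name))
        # bool is a subclass of int in Python, so True must not pass as an Integer
        elif not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
            problems.append("%s should be %s, got %s"
                            % (name, entry["parameterType"], type(value).__name__))
    return problems


def required_parameters(help_entries):
    """Names of the parameters the resource insists on, in the order listed."""
    return [entry["parameterName"] for entry in help_entries if entry["isRequired"]]
```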
Integrate with Existing Business Processes
An existing customer system needs to correlate some Guardium information or trigger a process within Guardium.
We need an industry standard way to interact with Guardium (restAPI).

Example flow through custom REST APIs:
The application owner specifies the IP address of their system and an authorized email address (server IP & authorized email address).
Guardium produces an audit data report for changes to that server IP.
grdAPI is used to send the application owner an email with the report of audit data for their server IP address.

Note: Guardium has tremendous automation in the existing GUI and tools.
Use Cases

Configuration
Datasources
Groups
Reports
Policies
Server Risk



Configuration

Store these (the client secret and access token) in a safe place!!!

Guy will discuss this in more detail.



DataSources



Groups



List Group Members



Reports
Use the REST API for getting small reports.
Submit an audit process for large/bulk reports.
Good for integrating with other systems that need small pieces of information without access to the GUI.



Failed Login Report



Integrate with Application Team
Show groups
Update groups
Show report
Email report



Policy and Groups
Update groups
Install policies



Server Risk



Server Risk



Integration With Other Dashboards



Implementation Considerations - Guy
Security
API and GUI considerations
Roles and Permissions
Implementation Notes



Every Application Needs Good Security

REST API security is multi-tiered:
Communication must be secured with SSL to prevent access to the access token or client secret on the wire. Note that the curl examples in this deck use -k, which turns off server certificate verification; a production client should verify the appliance's certificate, otherwise the token can be captured by anyone able to impersonate the appliance on the network.
The client secret must be secured. Anyone who has the client secret can use it to generate tokens and then execute API requests.
Token generation requires a valid Guardium user/password.
On each API request the permissions of the user associated with the token are evaluated to verify that the user is allowed to execute the specific function.
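Added example, not from the deck or from Guardium: Python helpers for the three client-side controls this slide calls for. The client secret is read only from an owner-only file, the TLS context verifies the appliance certificate instead of disabling verification as curl -k does, and the access token is tracked against the 3-hour default lifetime mentioned later in the deck so a replacement is requested before calls start failing. File paths and the token value are constructed placeholders.

```python
import os
import ssl
import stat
import time

# Default token lifetime stated in this deck (3 hours). The appliance setting
# is global and is changed with setOAuthTokenExpirationTime from the CLI.
DEFAULT_TOKEN_AGE_SECONDS = 3 * 60 * 60


def secret_file_is_private(mode):
    """True when the file mode grants nothing to group or others (e.g. 0o600)."""
    return (stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def load_client_secret(path):
    """Read the client secret from a file that only its owner can read.

    Anyone holding the secret can mint tokens, so a group/world-readable
    file is treated as a configuration error rather than silently used.
    """
    if not secret_file_is_private(os.stat(path).st_mode):
        raise PermissionError("%s must not be readable by group/others" % path)
    with open(path, encoding="utf-8") as f:
        return f.read().strip()


def make_tls_context(ca_bundle_path):
    """TLS settings for talking to the appliance on 8443: verify, never skip.

    ca_bundle_path is the PEM bundle that signed the appliance certificate
    (None falls back to the system trust store). check_hostname ensures the
    token is only sent to the host named in the URL.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle_path)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


class AccessToken:
    """Caches a token with its issue time and says when to request a new one."""

    def __init__(self, value, issued_at, max_age=DEFAULT_TOKEN_AGE_SECONDS):
        self.value = value
        self.issued_at = issued_at
        self.max_age = max_age

    def is_expired(self, now=None, safety_margin=60):
        # Renew a little early so a long-running job never sends a dead token.
        now = time.time() if now is None else now
        return now >= self.issued_at + self.max_age - safety_margin

    def redacted(self):
        # What to write to logs: enough to correlate with the appliance, not enough to reuse.
        return self.value[:4] + "..." + self.value[-4:]
```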



Roles and Permissions
API functions are linked to Guardium modules/applications and assigned to roles the same way GUI modules are.



Policy installation could be a different role than admin, so good separation of duties is available.



Implementation Notes
Consider the REST API when:
You want to do online system integration: an external system triggers something in Guardium interactively.
You want to develop programs for specific use cases. Clients can be developed in the language of your choice. Generic programs like the one shown in this presentation are good for demonstrating capabilities but are not a real implementation of the interface.
You want to do interactive system integration (not batch processing).

Do not use the REST API:
To rewrite Guardium functionality. If you can do it inside Guardium you should not do it through the REST API.
For mass data offload. If you need to export high volumes of data to external systems, don't use the REST API.
Information, training, and community

Use the IBM InfoSphere Guardium REST API developerWorks article
InfoSphere Guardium YouTube Channel includes overviews and technical demos
InfoSphere Guardium newsletter
developerWorks forum (very active)
Guardium DAM User Group on LinkedIn (very active)
Community on developerWorks (includes content and links to a myriad of sources, articles, etc.)
Guardium Info Center

InfoSphere Guardium Virtual User Group: open, technical discussions with other users. Send a note to bamealm@us.ibm.com if interested.





RestAPI
Ability to programmatically access grdAPIs
Allows for easier integration with new technologies in the market
Example use cases:
I want the ability to dynamically get a small amount of audit data for a certain IP address without having to log in to the Guardium GUI.
I want to populate an existing group, so I can update my policy to prevent unauthorized access to sensitive information by users that have left the company.
I want to get a list of all users within a certain authorized access group.
I want my application development team to help identify which sensitive tables to monitor.
I want to script access to grdAPIs without using the expect scripting language, which requires me to code against the response text from the target system.



RestAPI Overview
Register as a client application with the Guardium authorization server.
Request an access token with the client credentials, using the client secret we got from the previous phase.
Create a report with Server IP address using a run time parameter.
Create an ad hoc audit process with a report (grdAPI):
grdapi create_ad_hoc_audit_and_run_once reportId=183 isForReportRunOnce=true changeParIfExist=true taskParameter="QUERY_FROM_DATE=2012-10-23 00:00:00^^QUERY_TO_DATE=2013-11-22 00:00:00^^HostnameLike=%^^SHOW_ALIASES=TRUE^^REMOTE_SOURCE=" processNamePar=joe1 sendToEmails=jdipietr@us.ibm.com emailContentType=1 includeUserReceiver=false api_target_host=< >
Other details:
How do you identify the report id (183)?
How do you look at the audit processes (joe1)?
Configuring the SMTP gateway to email the report (to jdipietr@us.ibm.com)



RestAPI Overview: Datasources
Register as a client application with the Guardium authorization server.
Request an access token with the client credentials, using the client secret we got from the previous phase.
Add a datasource.
Remove a datasource.

The Guardium administrator must use a local CLI-authenticated session to generate a client secret for the client application. The client secret is then used by the client application to generate an access token associated with a valid Guardium user. An access token can be revoked using the revokeOauthToken API function. A client id can be revoked (invalidating all active tokens) using the revokeOauthClient API function. The access token has an expiration age assigned (the current default is 3 hours). Subsequent API calls must specify the token and will have the permissions granted to the user associated with the token. Any requests after the token expires will fail, and the client application must generate a new token.
The API functions getOAuthTokenExpirationTime and setOAuthTokenExpirationTime can be used to display and modify the token expiration duration; this setting is global and affects all tokens. These API functions are not exposed as REST APIs and can be invoked only through an authenticated CLI session by a user with the admin role.



RestAPI Overview for Datasources
Add a datasource with the REST API
The syntax for all of the grdAPIs is to put all the parameters of the function after the -d. Here's an example of how to add a datasource, which takes parameters such as application, host, name, owner, password, etc.
Request:

curl -k --header "Authorization:Bearer 80cdcfa3-e02e-4bd6-829a-6b656beaa90a" -i -H "Content-Type: application/json" -X POST -d '{application:"Security Assessment",host:10.10.9.252,name:"MSSQL252",owner:admin,password:"1qaz!QAZ",port:1433,shared:true,severity:MED,type:"MS SQL SERVER (DataDirect)",user:sa}' https://10.10.9.248:8443/restAPI/datasource
Response:
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=8C90021B43CCAF324FD72D498B0D4C93; Path=/; Secure; HttpOnly
Content-Type: application/json;charset=ISO-8859-1
Content-Length: 36
Date: Fri, 01 Nov 2013 23:59:38 GMT
Server: SQL Guard

{"ID":20007,"Message":"ID=20007\n"}
This means the datasource was added successfully, and the ID of the new datasource is 20007.



Delete a datasource by ID=20007 with the REST API
Notice the -X DELETE section in the command below, versus the POST in the previous command that created the datasource.
Request:
curl -k --header "Authorization:Bearer 80cdcfa3-e02e-4bd6-829a-6b656beaa90a" -i -H "Content-Type: application/json" -X DELETE -d '{id:20007}' https://10.10.9.248:8443/restAPI/delete_datasource_by_id
Response:
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=354039539B475B50EBBFD00892A2F66A; Path=/; Secure; HttpOnly
Content-Type: application/json;charset=ISO-8859-1
Content-Length: 36
Date: Sat, 02 Nov 2013 00:09:27 GMT
Server: SQL Guard

{"ID":20007,"Message":"ID=20007\n"}
The message {"ID":20007,"Message":"ID=20007\n"} means the delete was successful.



Thank You
