Joe_DiPietro@us.ibm.com
Guy Galil - guyga@il.ibm.com
© 2014 IBM Corporation
Reminder: Guardium Tech Talks
Link to more information about this and upcoming tech talks can be found on the InfoSphere
Guardium developerWorks community: http://ibm.co/Wh9x0o
Please submit a comment on this page for ideas for tech talk topics.
[Diagram: Guardium Appliance and Client Application; labels: Reports, Risk Model]
1. Use grdAPI to register application (CLI)
2. Save response which contains client secret
create_datasource
-X POST https://10.10.9.239:8443/restAPI/datasource
POST = Create
URI - https://10.10.9.239:8443/restAPI/datasource
Parameters: (Values)
Response:
{
"ID": 20004,
"Message": "ID=20004"
}
Create a Datasource
[joe@ocean]$ curl -k --header "Authorization:Bearer bd9278f0-c02c-4efc-b4dc-f861b7fc28e7" \
    -i -H "Content-Type: application/json" -X POST \
    -d '{application:"Security Assessment",host:10.10.9.252,name:"MSSQL_1",owner:admin,password:guardium,port:1433,shared:"true",severity:MED,type:"MS SQL SERVER (DataDirect)",user:sa }' \
    https://10.10.9.239:8443/restAPI/datasource
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=52960A56AFBC5989CDC825BCEA5EEBA4; Path=/; Secure; HttpOnly
X-UA-Compatible: IE=edge
X-FRAME-OPTIONS: SAMEORIGIN
Access-Control-Allow-Methods: POST, GET, PUT, DELETE
Access-Control-Allow-Headers: authorization, origin, X-Requested-With, Content-Type, Accept
Access-Control-Max-Age: 18000
Content-Type: application/json;charset=UTF-8
Content-Length: 43
Date: Wed, 12 Mar 2014 08:23:44 GMT
Server: SQL Guard
{
"ID": 20004,
"Message": "ID=20004"
}
[joe@ocean]$
Successful execution of create group:
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=B7C946314283B4D4542A1FE2368D6942; Path=/; Secure; HttpOnly
Content-Type: application/json;charset=ISO-8859-1
Content-Length: 36
Date: Fri, 14 Mar 2014 14:28:27 GMT
Server: SQL Guard
{"ID":20009,"Message":"ID=20009\n"}
Successful execution of create group member:
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=36ECFCEB5B3351FAC33950E96E5C79DA; Path=/; Secure; HttpOnly
Content-Type: application/json;charset=ISO-8859-1
Content-Length: 40
Date: Fri, 14 Mar 2014 14:29:12 GMT
Server: SQL Guard
{"ID":1003225,"Message":"ID=1003225\n"}
GET on resource group_members_by_group_id = list
Successful execution listing members of group, in JSON format:
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=7E8023B5EF9273A39E4C5503C6DF550E; Path=/; Secure; HttpOnly
X-UA-Compatible: IE=edge
X-FRAME-OPTIONS: SAMEORIGIN
Access-Control-Allow-Methods: POST, GET, PUT, DELETE
Access-Control-Allow-Headers: authorization, origin, X-Requested-With, Content-Type, Accept
Access-Control-Max-Age: 18000
Content-Type: application/json;charset=UTF-8
Content-Length: 220
Date: Fri, 14 Mar 2014 20:46:11 GMT
Server: SQL Guard
[
  {
    "group_id": 20000,
    "group_description": "https://G91:8443/restAPI/group?desc=Application DB Users",
    "group_members": [
      {
        "member": "App10"
      }
    ]
  }
]
https://10.10.9.239:8443/restAPI/restapi?resourceId=14
[joe@osprey ~]$ curl -k --header "Authorization:Bearer 1c2cf8e2-1e3f-496f-8e09-a5bddeefbdf9" \
    -i -H "Content-Type: application/json" \
    -X GET https://9.70.148.214:8443/restAPI/restapi?resourceId=14
[
{
"parameterName": "desc",
"parameterType": "java.lang.String",
"isRequired": true
},
{
"parameterName": "member",
"parameterType": "java.lang.String",
"isRequired": true
},
{
"parameterName": "api_target_host",
"parameterType": "java.lang.String",
"isRequired": false
}
]
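The parameter list above can be used to check a request body before it is sent, and the create responses shown earlier ({"ID":...,"Message":"ID=...\n"}) can be checked after. This is an added example, not code from the talk; the function names check_payload and created_id are hypothetical, and the sample values are the group and member shown on this page.

```python
import json

# Parameter list as returned for resourceId=14 on this page.
RESOURCE_14 = json.loads("""
[{"parameterName": "desc", "parameterType": "java.lang.String", "isRequired": true},
 {"parameterName": "member", "parameterType": "java.lang.String", "isRequired": true},
 {"parameterName": "api_target_host", "parameterType": "java.lang.String", "isRequired": false}]
""")


def check_payload(descriptors, payload):
    """Return a list of problems; an empty list means the payload fits."""
    problems = []
    known = {d["parameterName"]: d for d in descriptors}
    # Every parameter flagged isRequired must be present and non-empty.
    for name, d in known.items():
        if d["isRequired"] and payload.get(name) in (None, ""):
            problems.append("missing required parameter: " + name)
    # Misspelled or unsupported names are reported instead of being sent.
    for name, value in payload.items():
        d = known.get(name)
        if d is None:
            problems.append("unknown parameter: " + name)
        elif d["parameterType"] == "java.lang.String" and not isinstance(value, str):
            problems.append("parameter %s must be a string" % name)
    return problems


def created_id(status, body):
    """Return the new object's ID from a create response, or raise ValueError."""
    if status != 200:
        raise ValueError("HTTP status %d" % status)
    reply = json.loads(body)
    if not isinstance(reply, dict):
        raise ValueError("unexpected reply: %r" % body)
    new_id = reply.get("ID")
    message = str(reply.get("Message", "")).strip()
    # Success replies on this page repeat the ID in the message: "ID=<id>\n".
    if not isinstance(new_id, int) or message != "ID=%d" % new_id:
        raise ValueError("unexpected reply: %r" % body)
    return new_id
```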
Configuration
Datasources
Groups
Reports
Policies
Server Risk
RestAPI
Ability to programmatically access grdAPIs
Allows for easier integration with new technologies in the market
Example use cases:
I want the ability to dynamically get a small amount of audit data for a certain IP address without having to log in to the Guardium GUI
I want to populate an existing group, so I can update my policy to prevent unauthorized access to sensitive information for users that have left the company
I want to get a list of all users within a certain authorized access group
I want my application development team to help identify what sensitive tables to monitor
I want to script access to grdAPIs without using the expect scripting language, which requires me to code response text from the target system
The Guardium administrator must use a local CLI-authenticated session to generate a client
secret for the client application. The client application then uses the client secret to
generate an access token associated with a valid Guardium user. An access token can be
revoked using the revokeOauthToken API function. A client id can be revoked (invalidating all
active tokens) using the revokeOauthClient API function. The access token has an expiration
age assigned (current default is 3 hours). Subsequent API calls must specify the token and will
have the permissions granted to the user associated with the token. Any request made after the
token expires will fail, and the client application must generate a new token.
The API functions getOAuthTokenExpirationTime and setOAuthTokenExpirationTime can be used
to display and modify the token expiration duration; this setting is global and affects all tokens.
These API functions are not exposed as REST APIs and can be invoked only through an
authenticated CLI session by a user with the admin role.
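The token lifecycle described above, seen from the client side, as an added example that is not part of the original talk. fetch_token and send are hypothetical callables supplied by the caller (the token request itself is not shown on this page), and a rejected token is assumed to surface as HTTP 401, which the page does not state.

```python
import time

DEFAULT_LIFETIME_S = 3 * 60 * 60  # the page gives 3 hours as the current default


class TokenSession:
    """Holds one access token and replaces it when it is old or rejected."""

    def __init__(self, fetch_token, lifetime_s=DEFAULT_LIFETIME_S,
                 margin_s=60, clock=time.monotonic):
        self._fetch = fetch_token    # hypothetical: returns a new token string
        self._lifetime = lifetime_s  # local estimate; the real value is global
        self._margin = margin_s      # renew slightly early to avoid a failed call
        self._clock = clock
        self._token = None
        self._issued = 0.0

    def _renew(self):
        self._token = self._fetch()
        self._issued = self._clock()

    def headers(self):
        """Headers for the next call, generating a new token when due."""
        age = self._clock() - self._issued
        if self._token is None or age >= self._lifetime - self._margin:
            self._renew()
        return {"Authorization": "Bearer " + self._token,
                "Content-Type": "application/json"}

    def call(self, send):
        """send(headers) -> (status, body); hypothetical transport.

        The transport should verify the appliance certificate; the curl
        calls on this page use -k, which skips that verification.
        """
        status, body = send(self.headers())
        if status == 401:
            # The token was revoked, or an admin shortened the global
            # expiration so the local estimate is stale: renew once.
            self._renew()
            status, body = send(self.headers())
        if status != 200:
            raise RuntimeError("request failed with HTTP %d" % status)
        return body
```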
{"ID":20007,"Message":"ID=20007\n"}
This means the datasource was added successfully, and the ID for the datasource is 20007
{"ID":20007,"Message":"ID=20007\n"}
The message, {"ID":20007,"Message":"ID=20007\n"}, means it was successful