CyberArk Impact 2017 - REST for the Rest of Us
TRANSCRIPT
REST for the Rest of Us
Joe Garcia, CISSP – Corporate Solutions Engineer
Kevin Ross – Corporate Solutions Engineer
► Think about all the repetitive tasks you do every day…
■ Creating safes
■ Onboarding accounts
■ Adding members to safes
■ Activating Users that never seem to remember their password
► What if there was a 1-click way for you to do all that?
► The REST API allows you to make that “1-click dream” come true.
► We’ve simplified it to make it more welcoming to non-developers.
► With Postman, you can do it with little to no previous dev knowledge.
► Let me show you how…
Why should I care about the REST API?
What is a RESTful Web Service?
A RESTful Web Service helps developers easily automate CRUD of objects.
CRUD stands for:
Create (POST), Retrieve (GET), Update (PUT), Delete (DELETE)
A majority of what a developer does is deal with objects in that manner. Since
Roy Fielding, the founder of HTTP, has been a huge backer of REST from its
inception, he built HTTP with the common CRUD operations already built in.
This is awesome for us because it allows us to eventually automate ourselves
out of work! I call this an… Automation Vacation!
(Photo: Joe’s last Automation Vacation – pre-CyberArk)
REST API Methods
POST
■ Create a new object: Add Account, Add Safe, Add Safe Member, Add User
GET
■ Retrieve an existing object: Get Account Details, List Safes, Get Safe Details
PUT
■ Update an existing object: Update Account Details, Update Safe, Update User
DELETE
■ Delete an existing object: Delete Account, Delete Safe, Delete User
Postman Live Documentation & Collection
Postman is an online tool that gives us the ability to provide you
with a pre-built testing environment for your CyberArk Web
Services.
Benefits include:
■ Live documentation for commonly used languages
■ Available public collection for testing against live CyberArk Web Services
■ Code snippets for every available language (except PowerShell, inquire within)
■ CyberArk Web Services SDK documentation built into the public collection
■ Available online and standalone for Windows
Let’s improve on something that exists already.
It should be an easily repeatable task.
Something we use a lot and would benefit most from our improvements.
What could we build in 30 minutes?
Well, 20 minutes now…
Phase 1: Break down the O.G. PUU (Password Upload Utility)
The CSV template was complex!
I have to give “PasswordManager” as the CPMUser every time?
If the Folder is always “Root”, why do I have to keep telling it that?
At the end of the day, we took more time trying to figure that out than automating.
PUU did not like commas or quotes!
Actually, PUU couldn’t handle any special characters. (https:// = NOPE!)
You messed up a property? You get half an account!
PUU uploaded accounts were not transactional (they wouldn’t back out at failure).
You’d get half of an account’s properties up until where the upload failed.
No good at being wrong!
PUU would not know how to deal with conflicts. Let’s help it grow up a little and
mature. I’d hate to be that conflicted…
PACLI as the foundation of PUU didn’t allow for customer customization.
The REST API opens up the possibilities since it is not limited to particular
languages.
Phase 2: Plan our PUU on Steroids
Make the CSV template straightforward and easy
CSV should have the following most commonly used columns:
ObjectName, Safe, Address, Username, Password, PlatformID,
DisableAutoMgmt, DisableAutoMgmtReason
PUU 2 should upload all account properties, or none at all
Using proper Try…Catch error handling, we can stop half-uploaded accounts from happening.
Fix whitespace issues to allow proper PlatformID name spacing
Now you don’t have to worry about improper spacing of “Windows Domain Account”.
More speed! If you can use this to improve your Hygiene Report, let’s make it fast!
Make the new PUU handle special characters properly
Since we’re dealing with URIs, we’ll use what is called URL encoding to make sure
all special characters are properly replaced (e.g. Windows Domain Account
becomes Windows%20Domain%20Account).
Prepare Pre-Requisites
passwords.csv should be created and ready in the same directory.
Phase 3: Build our PUU 2
Prepare the main PowerShell script (.ps1)
I used Microsoft’s freeware Visual Studio Code (https://code.visualstudio.com).
Also, I referenced http://git.joeco.de for the PowerShell functions we’ll be using.
► Functions will be created for each REST API call needed
■ Logon
■ Add Account
■ Logoff
► User Input will be entered first
■ Base URL (e.g. https://pvwa.cyberark.local)
■ API Username
■ API Password
■ Path to CSV File
► Import-CSV and enter each row value into an array variable
► Step through each row, adding the account that is listed on each.
Plan the Pieces of our PUU Puzzle
Functions First!
Receive User Input
PASREST-Logon & Import-CSV
Read Each Row & Add Account
PASREST-Logoff & Report Results
What it looks like put together
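Here is an added example of the pieces above put together as one script (the Logon / Add Account / Logoff functions, user input, Import-CSV, a Try…Catch around each row, trimmed PlatformID values, and URL encoding where a value lands in a URI). It is not the code from the PUU 2 repo; the endpoint paths are the classic CyberArk v9 Web Services paths and are an assumption to check against your PVWA’s SDK documentation, and the duplicate check before each add is my own addition.

```powershell
# Added example, not the PUU 2 repo's code. Endpoint paths assume the classic v9 CyberArk REST API.
param(
    [Parameter(Mandatory)][string]$BaseUrl,            # e.g. https://pvwa.cyberark.local
    [Parameter(Mandatory)][string]$ApiUser,
    [Parameter(Mandatory)][SecureString]$ApiPassword,  # prompted for, never pasted on the command line
    [string]$CsvPath = '.\passwords.csv'
)
$Required = 'ObjectName','Safe','Address','Username','Password','PlatformID','DisableAutoMgmt','DisableAutoMgmtReason'
$Auth = "$BaseUrl/PasswordVault/WebServices/auth/Cyberark/CyberArkAuthenticationService.svc"
$Pim  = "$BaseUrl/PasswordVault/WebServices/PIMServices.svc"

function PASREST-Logon([string]$User, [string]$Password) {
    $body = @{ username = $User; password = $Password } | ConvertTo-Json
    $r = Invoke-RestMethod -Uri "$Auth/Logon" -Method Post -ContentType 'application/json' -Body $body
    return $r.CyberArkLogonResult        # session token, sent back in the Authorization header
}
function PASREST-Logoff([string]$Token) {
    Invoke-RestMethod -Uri "$Auth/Logoff" -Method Post -Headers @{ Authorization = $Token } | Out-Null
}
function PASREST-AccountExists([string]$Token, [string]$Safe, [string]$Keywords) {
    # GET parameters live in the URI, so values are URL-encoded (space -> %20, and : / ? & quotes too)
    $q = [System.Uri]::EscapeDataString($Keywords); $s = [System.Uri]::EscapeDataString($Safe)
    $r = Invoke-RestMethod -Uri "$Pim/Accounts?Keywords=$q&Safe=$s" -Headers @{ Authorization = $Token }
    return ($r.Count -gt 0)
}
function PASREST-AddAccount([string]$Token, $Row) {
    # The whole account goes up in one JSON body, so a bad property no longer leaves half an account
    $body = @{ account = @{
        safe = $Row.Safe.Trim();         platformID = $Row.PlatformID.Trim()
        address = $Row.Address.Trim();   accountName = $Row.ObjectName.Trim()
        username = $Row.Username.Trim(); password = $Row.Password
        disableAutoMgmt = [bool]::Parse($Row.DisableAutoMgmt)
        disableAutoMgmtReason = $Row.DisableAutoMgmtReason } } | ConvertTo-Json -Depth 3
    Invoke-RestMethod -Uri "$Pim/Account" -Method Post -ContentType 'application/json' `
        -Headers @{ Authorization = $Token } -Body $body | Out-Null
}

$rows = @(Import-Csv -Path $CsvPath)
$missing = $Required | Where-Object { $_ -notin $rows[0].PSObject.Properties.Name }
if ($missing) { throw "passwords.csv is missing column(s): $($missing -join ', ')" }
$token = PASREST-Logon $ApiUser ([System.Net.NetworkCredential]::new('', $ApiPassword).Password)
$added = 0; $failed = @()
try {
    foreach ($row in $rows) {
        try {   # one bad row is reported and skipped; the rest of the file still uploads
            if (PASREST-AccountExists $token $row.Safe $row.ObjectName) { throw 'already exists in safe' }
            PASREST-AddAccount $token $row; $added++
        } catch { $failed += "$($row.ObjectName): $($_.Exception.Message)" }
    }
} finally { PASREST-Logoff $token }   # always release the session, even after an error
"Added $added of $($rows.Count) account(s)."; $failed | ForEach-Object { "FAILED $_" }
```

Run it as `.\puu2.ps1 -BaseUrl https://pvwa.cyberark.local -ApiUser svc_api` and enter the API password at the SecureString prompt; it needs PowerShell 5 or later for `[System.Net.NetworkCredential]::new`.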
Phase 4:
?????? (The Testing Phase)
WE’LL DO IT LIVE!
Phase 5:
PROFIT!!! (Not really…)
Visit http://git.joeco.de/PasswordUploadUtility-v2 to fork the PUU 2 repo and start down your own path to Automation Superstardom!
► REST API Common Uses
■ Quickly onboard accounts after Hygiene Report
■ 1-Click Activate Users without needing PrivateArk Client
■ Quickly mirror your new DEV safe structure from PROD
► Attend these sessions
■ Coming Up Next: Conjuring DevSecOps in an Insecure World
■ Tomorrow @ 10:30am: A Practical Guide to CyberArk and Amazon Web Services
► Visit the Discovery Center
■ Customer Success Booth
■ DevSecOps Demo Station
► http://git.joeco.de/PasswordUploadUtility-v2
Key Takeaways and Where to Learn More