
Page 1: IBM Security Secret Server APIs Support Webinar Grey Thrasher

IBM Security Secret Server APIs—Support Webinar

Grey Thrasher

Page 2

IBM VIP Rewards is a way to engage with and recognize the ways that you, the client, add value to IBM.

Complete fun challenges and get rewarded for interacting with IBM, learning new technologies and sharing your knowledge.

Announcing IBM VIP Rewards: Engage. Earn points. Get rewards.

Learn more: ibm.biz/vip-rewards

Join IBM VIP Rewards for Security…

ibm.biz/JoinIBMVIPRewards-Security

Page 3

IBM Security Learning Academy

• Courses
• Videos
• Hands-on Labs
• Live Events
• Badges

Learning at no cost.

New content published daily.

http://ibm.biz/ISSS-LearningAcademy

Page 4

Panel

• Presenter:

  Grey Thrasher - Identity Support Technical Lead

• Panelists:

  Daryl Romano - Identity Support
  Jensen Toma - Identity Support
  Gary Sedler - Identity Support
  Mohammad Khan - Identity Support

Page 5

Agenda

• Introduction
• REST
• SDK
• Demo
• Q/A

Page 6

Introduction

Page 7

Introduction

• API: Application Programming Interface
  - Provides a way for customers/vendors to create custom scripts/applications/etc. that can interact with an application.

• IBM Security Secret Server API Options:
  - Java, SOAP, REST, SDK

• Objects/Activities available in the APIs:
  - Authentication
  - Secrets
  - Folders
  - Users
  - Reports
  - Launchers
  - …

Page 8

Introduction

Web Services must be enabled in ISSS.

Page 9

REST

• Overview
• Coding
• Troubleshooting
• Documentation

Page 10

What is REST?

REpresentational State Transfer

• Every Service is identified by a URI
• Uses standard HTTP methods for CRUD:
  • POST
  • GET
  • PUT
  • DELETE
• Stateless: Each request is independent
• Request Data is typically JSON, x-www-form-urlencoded and/or query parameters
• Response Data is typically JSON

Page 11

Coding/Usage

• Authentication: returns Token to be used in all other requests

  POST: https://ss/SecretServer/oauth2/token
  Headers: Content-Type: application/x-www-form-urlencoded
  Body: username, password, grant_type=password

  Response:

  {"access_token": "AgLlj_5QYUil….", "token_type": "bearer", "expires_in": 1200}

• Get Secret:

  GET: https://ss/SecretServer/api/v1/secrets/<secretID>
  Headers: Accept: application/json
           Authorization: Bearer <token>

  Response (secret 12, "SDK Test"):

  {
    "id": 12, "name": "SDK Test", "secretTemplateId": 2, "folderId": 7, "active": true,
    "items": [
      {"itemId": 53, "fileAttachmentId": null, "filename": null, "itemValue": "fooserver", "fieldId": 60,
       "fieldName": "Resource", "slug": "resource", "fieldDescription": "The URL or location where information is being secured.",
       "isFile": false, "isNotes": false, "isPassword": false},
      {"itemId": 54, "fileAttachmentId": null, "filename": null, "itemValue": "sdktest", "fieldId": 61,
       "fieldName": "Username", "slug": "username", "fieldDescription": "The name assocated with the password.",
       "isFile": false, "isNotes": false, "isPassword": false},
      {"itemId": 55, "fileAttachmentId": null, "filename": null, "itemValue": "#5r5^(h^jLzK", "fieldId": 7,
       "fieldName": "Password", "slug": "password", "fieldDescription": "The password used to access information.",
       "isFile": false, "isNotes": false, "isPassword": true},
      {"itemId": 56, "fileAttachmentId": null, "filename": null, "itemValue": "This is a test secret to use with SDK", "fieldId": 8,
       "fieldName": "Notes", "slug": "notes", "fieldDescription": "Any comments or additional information for the secret.",
       "isFile": false, "isNotes": true, "isPassword": false}
    ],
    "launcherConnectAsSecretId": -1, "checkOutMinutesRemaining": 0, "checkedOut": false, "checkOutUserDisplayName": "",
    "checkOutUserId": -1, "isRestricted": false, "isOutOfSync": false, "outOfSyncReason": "", "autoChangeEnabled": false,
    "autoChangeNextPassword": null, "requiresApprovalForAccess": false, "requiresComment": false, "checkOutEnabled": false,
    "checkOutIntervalMinutes": -1, "checkOutChangePasswordEnabled": false, "accessRequestWorkflowMapId": -1,
    "proxyEnabled": true, "sessionRecordingEnabled": false, "restrictSshCommands": false,
    "allowOwnersUnrestrictedSshCommands": false, "isDoubleLock": false, "doubleLockId": -1,
    "enableInheritPermissions": false, "passwordTypeWebScriptId": -1, "siteId": 1, "enableInheritSecretPolicy": true,
    "secretPolicyId": -1, "lastHeartBeatStatus": "Pending", "lastHeartBeatCheck": "0001-01-01T00:00:00",
    "failedPasswordChangeAttempts": 0, "lastPasswordChangeAttempt": "0001-01-01T00:00:00",
    "secretTemplateName": "Password", "responseCodes": []
  }

• Add Secret Permission:

  POST: https://ss/SecretServer/api/v1/secrets-permissions
  Headers: Accept: application/json
           Content-Type: application/json
           Authorization: Bearer <token>
  Body:

  {
    "secretId": 15,
    "userId": 12,
    "secretAccessId": null,
    "secretAccessName": "View"
  }
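The three calls on this slide as an added example written for this page (not code from the deck or from the presenter's repository): request builders and response parsers in plain Node.js, using only built-ins (URLSearchParams is global in Node 10 and later). The URLs, header names and the secrets-permissions body fields are the slide's; the token value EXAMPLE_TOKEN and the trimmed sample secret are constructed from the slide's responses, and sending the built request (https.request, fetch or the request module) is left to the caller.

```javascript
// Added example for this page (not code from the deck): request builders and
// response parsers for the three REST calls on the slide. Node built-ins only;
// URLSearchParams is global in Node 10+. Sending the request (https.request,
// fetch, the request module) is left to the caller.

// OAuth2 password grant: form-encoded body in, JSON token out.
function buildTokenRequest(baseUrl, username, password) {
  return {
    method: 'POST',
    url: baseUrl + '/oauth2/token',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded', Accept: 'application/json' },
    // URLSearchParams percent-encodes the values, so '&' or '=' inside the
    // password cannot split the form (a hand-built "a=b&c=d" string would).
    body: new URLSearchParams({ username, password, grant_type: 'password' }).toString(),
  };
}

// A failed login comes back as JSON with an "error" member rather than as an
// HTTP error, so check for it. Returns the token with an absolute expiry.
function parseTokenResponse(json, nowMs = Date.now()) {
  const data = typeof json === 'string' ? JSON.parse(json) : json;
  if (data.error) throw new Error('authentication failed: ' + data.error);
  if (typeof data.access_token !== 'string' || !Number.isFinite(data.expires_in)) {
    throw new Error('unexpected token response');
  }
  return { accessToken: data.access_token, expiresAt: nowMs + data.expires_in * 1000 };
}

// Renew a little early (30 s by default) so no call leaves with a token that
// expires in flight; the slide's token lives for expires_in = 1200 s.
function isTokenUsable(token, nowMs = Date.now(), skewMs = 30000) {
  return Boolean(token) && token.expiresAt - skewMs > nowMs;
}

function bearerHeaders(token) {
  return { Accept: 'application/json', Authorization: 'Bearer ' + token.accessToken };
}

// GET /api/v1/secrets/<secretID>; the id is validated so only an integer ever
// reaches the URL.
function buildSecretRequest(baseUrl, token, secretId) {
  if (!Number.isInteger(secretId) || secretId <= 0) throw new Error('secretId must be a positive integer');
  return { method: 'GET', url: baseUrl + '/api/v1/secrets/' + secretId, headers: bearerHeaders(token) };
}

// POST /api/v1/secrets-permissions with the body fields shown on the slide.
function buildPermissionRequest(baseUrl, token, secretId, userId, accessName) {
  return {
    method: 'POST',
    url: baseUrl + '/api/v1/secrets-permissions',
    headers: Object.assign({ 'Content-Type': 'application/json' }, bearerHeaders(token)),
    body: JSON.stringify({ secretId, userId, secretAccessId: null, secretAccessName: accessName }),
  };
}

// Flatten the secret's "items" array to slug -> value (the shape `tss secret -ad` prints).
function secretItemsBySlug(secretJson) {
  const data = typeof secretJson === 'string' ? JSON.parse(secretJson) : secretJson;
  const out = {};
  for (const item of data.items || []) out[item.slug] = item.itemValue;
  return out;
}

// Same flattening with isPassword fields masked: log this, never the raw body.
function secretItemsForLog(secretJson) {
  const data = typeof secretJson === 'string' ? JSON.parse(secretJson) : secretJson;
  const out = {};
  for (const item of data.items || []) out[item.slug] = item.isPassword ? '[redacted]' : item.itemValue;
  return out;
}

// Constructed sample data: the slide's two responses, trimmed to the fields used
// here, with a placeholder token value.
const SAMPLE_TOKEN_RESPONSE = { access_token: 'EXAMPLE_TOKEN', token_type: 'bearer', expires_in: 1200 };
const SAMPLE_SECRET = {
  id: 12, name: 'SDK Test', secretTemplateId: 2, folderId: 7, active: true,
  items: [
    { itemId: 53, slug: 'resource', itemValue: 'fooserver', isPassword: false },
    { itemId: 54, slug: 'username', itemValue: 'sdktest', isPassword: false },
    { itemId: 55, slug: 'password', itemValue: '#5r5^(h^jLzK', isPassword: true },
    { itemId: 56, slug: 'notes', itemValue: 'This is a test secret to use with SDK', isPassword: false },
  ],
};

// Walk-through on the sample data, no network needed.
function demo(baseUrl = 'https://ss/SecretServer') {
  const token = parseTokenResponse(SAMPLE_TOKEN_RESPONSE);
  const req = buildSecretRequest(baseUrl, token, SAMPLE_SECRET.id);
  return { tokenUsable: isTokenUsable(token), url: req.url, items: secretItemsForLog(SAMPLE_SECRET) };
}

console.log(JSON.stringify(demo(), null, 2));
```

The expiry bookkeeping is the part worth copying: the token response carries only a relative expires_in, so the helper records an absolute expiresAt at parse time and refuses to reuse the token inside the last 30 seconds, which is when a long-running script would otherwise start seeing 401 responses.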

Page 12

Coding: Node.js - Authentication

Define the data for the call to /oauth2/token to authenticate, then execute the call and save the Token to the Session:

var express = require('express');
var request = require('request');
var router = express.Router();

router.post('/', (req, res) => {
  console.log("login.js: in login...");

  var username = req.body.username;
  var password = req.body.password;

  // auth to SS: password grant against /oauth2/token
  const options = {
    method: "POST",
    url: process.env.SS_URL + "/oauth2/token",
    headers: {
      'cache-control': 'no-cache',
      'Content-Type': 'application/x-www-form-urlencoded'
    },
    form: { username: username, password: password, grant_type: 'password' }
  };

  // trust self-signed cert (this switches off certificate checking for the
  // whole Node process; outside a lab, trust the server's CA instead)
  process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0;

  request(options, (error, response, body) => {
    if (error) {
      // report the error; throwing here would crash the process before res.send runs
      console.log("login.js: request error: " + error);
      res.send("Login failed: " + error);
    } else {
      const jsonBody = JSON.parse(body);
      console.log(JSON.stringify(jsonBody)); // demo only: this prints the token
      if (jsonBody.hasOwnProperty("error")) {
        // SS reports a bad login as JSON with an "error" member, not as an HTTP error
        console.log("login error: " + jsonBody.error);
        res.send('<p><strong>Login Failed...please try again: </strong><a href="/">Login</a></p>');
      } else {
        // keep the token in the server-side session for the other routes
        req.session.sstoken = jsonBody.access_token;
        console.log("login.js: login success. here's the token: " + jsonBody.access_token); // demo only
        req.session.save();
        res.redirect('./menu');
      }
    }
  });
});

module.exports = router;

Page 13

Coding: Node.js - Get Secrets

Define the data for the call to /api/v1/secrets, then execute the call to retrieve all Secrets and pass them to the client:

var express = require('express');
var request = require('request');
var router = express.Router();

router.get('/', (req, res) => {
  // call SS with the token saved in the session at login
  const options = {
    method: "GET",
    url: process.env.SS_URL + "/api/v1/secrets",
    headers: {
      'cache-control': 'no-cache',
      'Accept': 'application/json',
      'Authorization': 'Bearer ' + req.session.sstoken
    }
  };

  // trust self-signed cert (switches off certificate checking process-wide; lab use only)
  process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0;

  request(options, (error, response, body) => {
    if (error) {
      // report the error; throwing here would crash the process before res.send runs
      console.log("menu.js: request error: " + error);
      res.send("Get Secrets failed: " + error);
    } else {
      const jsonBody = JSON.parse(body);
      console.log("JSON Body from menu.js: " + body); // demo only: prints every returned secret
      res.render('./menu', { app_title: process.env.APP_TITLE, secrets: jsonBody.records, ssurl: process.env.SS_URL });
    }
  });
});

module.exports = router;

Page 14

Troubleshooting

• Server:

• IIS (C:\inetpub\logs\) and SS logs (C:\inetpub\wwwroot\SecretServer\log\)

• Audit logs for associated Object (e.g. Secret > Audit)

• Client:

• Catch/Print errors

Page 15

Documentation

• REST APIs: Can access docs locally via SS console > Help > Secret Server REST API Guide; example: https://<SecretServer>/SecretServer/Documents/restapi/

• REST Web Services API Guide: https://www.ibm.com/support/pages/node/1136272

• Getting Started with the REST API:
  • PowerShell: https://www.ibm.com/support/pages/node/1136266
  • Perl: https://www.ibm.com/support/pages/node/1136260

Page 16

SDK (tss)

• Overview
• Coding
• Troubleshooting
• Documentation

Page 17

What is the SDK?

• Command line utility to Get Secret data
• Does not require username/password at runtime
• Uses "Application Users"
• Does not provide full API capabilities (e.g. cannot get Folders, etc.)
• Can be used by applications to retrieve an auth token and then make direct API calls

Page 18

SDK Configuration

• Create Application User:
  - Admin > Users > Create New
  - Enter details, and click "Advanced"
  - Select the "Application Account"
  - Save

• Admin > All > SDK Client Management
  - Client Onboarding > "+Rule"
  - Enter:
    • Rule Name
    • IP Address(es) or CIDR notation
    • Select the Application Account
    • Require this generated onboarding key
  - Save

Page 19

SDK Usage

• Initialization:
  tss init -u https://ss/SecretServer -r <rulename> -k <onboarding key>

• Status:
  tss status

• Remove configuration:
  tss remove

• Retrieve Token:
  tss token

• Get Secret:
  tss secret -s <secretID> -f <field slug> -o <output file> -ad

• Version:
  tss version

Page 20

SDK Usage

./tss secret -s 12 -ad

{"resource":"fooserver","username":"sdktest","password":"#5r5^(h^jLzK","notes":"This is a test secret to use with SDK"}

./tss secret -s 12 -f notes

This is a test secret to use with SDK

Page 21

SDK Usage (in a Python script)

import subprocess
import json

# run the tss binary directly (no shell) and parse the JSON that -ad prints
secret = subprocess.check_output(["./tss", "secret", "-s", "12", "-ad"])
jsonSec = json.loads(secret)

print(jsonSec["username"])
print(jsonSec["password"])

Output:

python sdkTest.py
sdktest
#5r5^(h^jLzK

Page 22

Troubleshooting

• Server:

• IIS (C:\inetpub\logs\) and SS logs (C:\inetpub\wwwroot\SecretServer\log\)

• Admin > SDK Client Mgmt > Audit

• Client:

• -v | --verbose: output verbose errors.

• -i | --interactive: prompts for data entry (in case command syntax is in question)

Page 23

Documentation

• SDK Scripting Tool Usage: https://www.ibm.com/support/pages/sdk-ibm-security-secret-server-scripting-tool-devops-%E2%80%93-guide-use

• SDK Client Downloads: https://www.ibm.com/support/pages/sdk-secret-server-scripting-tool-devops

Page 24

Demo

• REST
  - cURL
  - Postman
  - Node.js

• SDK (tss)
  - Initialize
  - Get Secrets

• Combining SDK and REST

Page 25

Demo / Hands-on

• cURL
  - Get Auth Token

    curl -k -H "Accept: application/json" -H "Content-Type: application/x-www-form-urlencoded" -d "username=admin&password=test&grant_type=password" -X POST https://ss/SecretServer/oauth2/token

  - Get Secret Data

    curl -k -H "Accept: application/json" -H "Authorization: Bearer AgLlj_5QYUilF6-sclepH…" https://ss/SecretServer/api/v1/secrets/12

• Postman
  - Download/install Postman (https://getpostman.com)
  - Create an Environment
  - Create a Collection
  - Get Auth Token
  - Get Secret Data

• Node.js

Page 26

Examples

• GitHub: https://github.com/gthrasher/SecretServer

Page 27

Summary

• Applications/Scripts can leverage IBM Security Secret Server (ISSS) APIs

• ISSS REST APIs are portable/powerful

• ISSS SDK is great for automation

Page 28

Questions for the panel

Ask the panelists a question now

Enter your question in the Q&A area

To ask a question after this presentation:

You are encouraged to ask follow-up questions in the Support forums: https://www.ibm.com/mysupport/s/forumshome

IBM Secret Server Support forum: http://ibm.biz/SecretServer-SupportForum

Page 29

For more information

• IBM Secret Server Support Forum: http://ibm.biz/SecretServer-SupportForum
• IBM Secret Server Security Learning Academy: http://ibm.biz/ISSS-LearningAcademy
• IBM Knowledge Center for IBM Secret Server: https://www.ibm.com/support/knowledgecenter/SSWHLP
• IBM Secret Server Support: https://ibm.biz/SecretServerSupport

Useful links: Get started with IBM Security Support, IBM Support, Sign up for My Notifications, IBM Security Community

Follow us:

www.youtube.com/user/IBMSecuritySupport
twitter.com/askibmsecurity
http://ibm.biz/ISCS-LinkedIn

Page 30

© Copyright IBM Corporation 2019. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

All names and references for organizations and other business institutions used in this deliverable's scenarios are fictional. Any match with real organizations or institutions is coincidental.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.

Follow us:

securitylearningacademy.com

ibm.biz/JoinIBMVIPRewards-Security

youtube/user/IBMSecuritySupport

@AskIBMSecurity

ibm.biz/IBMSecurityClientSuccess-LinkedIn

securityintelligence.com

xforce.ibmcloud.com

ibm.com/security/community

Thank you