Ivanti Connect Secure-Specific Configurations Using REST APIs

Monitoring NTP status

To monitor NTP status:

Request

 

GET https://{{IP}}/api/v1/system/status/ntp

 

Response

 

{

"content-type": "application/json",

"content-length": "1129"

}

 

"{

"ntp-server-status": {

"192.48.105.15": {

"delay": "0.000",

"jitter": "0.000",

"offset": "0.000",

"pool": "64",

"reach": "0",

"refid": ".INIT.",

"remote NTP Server": "192.48.105.15",

"stratum": "16",

"type": "u",

"when": "-"

},

"209.115.181.108": {

"delay": "0.000",

"jitter": "0.000",

"offset": "0.000",

"pool": "64",

"reach": "0",

"refid": ".INIT.",

"remote NTP Server": "209.115.181.108",

"stratum": "16",

"type": "u",

"when": "-"

},

"216.197.156.83": {

"delay": "0.000",

"jitter": "0.000",

"offset": "0.000",

"pool": "64",

"reach": "0",

"refid": ".INIT.",

"remote NTP Server": "216.197.156.83",

"stratum": "16",

"type": "u",

"when": "-"

},

"50.205.244.36": {

"delay": "0.000",

"jitter": "0.000",

"offset": "0.000",

"pool": "64",

"reach": "0",

"refid": ".INIT.",

"remote NTP Server": "50.205.244.36",

"stratum": "16",

"type": "u",

"when": "-"

} } }"

}
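In the response above every peer reports stratum 16, reach 0 and refid .INIT., so the appliance has no usable time source and its log timestamps cannot be trusted for correlation. The following check is an added example, not part of the original page or of Ivanti's code; it assumes the fields follow ntpq conventions (reach printed in octal, offset in milliseconds), and the healthy peer and the 100 ms limit are constructed for illustration.

```python
import json

# Two of the four peers from the response shown above, values as on the page.
PAGE_PEERS = {
    "ntp-server-status": {
        "192.48.105.15": {
            "delay": "0.000", "jitter": "0.000", "offset": "0.000",
            "pool": "64", "reach": "0", "refid": ".INIT.",
            "remote NTP Server": "192.48.105.15",
            "stratum": "16", "type": "u", "when": "-",
        },
        "50.205.244.36": {
            "delay": "0.000", "jitter": "0.000", "offset": "0.000",
            "pool": "64", "reach": "0", "refid": ".INIT.",
            "remote NTP Server": "50.205.244.36",
            "stratum": "16", "type": "u", "when": "-",
        },
    }
}

# Constructed sample (not from the page): a peer that is answering polls.
CONSTRUCTED_HEALTHY_PEER = {
    "delay": "12.410", "jitter": "0.310", "offset": "-0.152",
    "pool": "64", "reach": "377", "refid": "203.0.113.7",
    "remote NTP Server": "198.51.100.10",
    "stratum": "2", "type": "u", "when": "31",
}

MAX_OFFSET_MS = 100.0  # assumption: local tolerance for clock offset


def _to_int(text, base, default):
    """Parse an integer field, falling back when it holds '-' or junk."""
    try:
        return int(str(text), base)
    except ValueError:
        return default


def peer_problems(peer, max_offset_ms=MAX_OFFSET_MS):
    """Return the reasons a single peer entry is not a usable time source."""
    problems = []
    if _to_int(peer.get("stratum"), 10, 16) >= 16:
        problems.append("stratum 16 (unsynchronised)")
    # reach is an 8-bit shift register of recent polls, shown in octal.
    if _to_int(peer.get("reach"), 8, 0) == 0:
        problems.append("reach 0 (no reply to the last 8 polls)")
    if str(peer.get("refid", "")).strip(".").upper() == "INIT":
        problems.append("refid .INIT. (association still initialising)")
    try:
        offset = abs(float(peer.get("offset", "0")))
    except ValueError:
        offset = 0.0
    if offset > max_offset_ms:
        problems.append(f"offset {offset:.3f} ms exceeds {max_offset_ms} ms")
    return problems


def ntp_report(body):
    """Map each peer address to its list of problems.

    Accepts the body either as a dict or as the JSON string the API returns.
    """
    if isinstance(body, str):
        body = json.loads(body)
    peers = body.get("ntp-server-status", {})
    return {addr: peer_problems(peer) for addr, peer in peers.items()}


def is_synchronised(body):
    """True when at least one peer has no problems at all."""
    return any(not problems for problems in ntp_report(body).values())


if __name__ == "__main__":
    for addr, problems in ntp_report(PAGE_PEERS).items():
        print(addr, "->", "; ".join(problems) or "ok")
    print("synchronised:", is_synchronised(PAGE_PEERS))
```
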

Toggling syslog fault tolerance setting

To toggle syslog fault tolerance settings:

Request

 

GET /api/v1/configuration/system/log/syslog-settings/syslog-setting/node1

 

Response

 

{

"content-type": "application/json",

"content-length": "197"

}

 

"{

"node": "node1",

"syslog-servers": {

"syslog-server": [

{

"communication-type": "tcp",

"fault-tolerant": "false",

"name": "10.96.119.200"

} ] } }"

}

 

Request

 

PUT /api/v1/configuration/system/log/syslog-settings/syslog-setting

 

"{

"node": "node1",

"syslog-servers": {

"syslog-server": [

{

"communication-type": "tcp",

"fault-tolerant": "true",

"name": "10.96.119.200"

} ] } }"

 

Response

 

{

"content-type": "application/json",

"content-length": "124"

}

 

"{

"result": {

"info": [

{

"message": "Operation succeeded without warning or error!"

}

] } }"

}

Toggling the telemetry settings

To toggle the telemetry settings:

Request

 

GET /api/v1/configuration/system/configuration/telemetry

 

Response

 

{

"content-type": "application/json",

"content-length": "62"

}

 

"{

"crash-analytics": "false",

"google-analytics": "true"

}"

}

 

Request

PUT /api/v1/configuration/system/configuration/telemetry

"{

"crash-analytics": "true",

"google-analytics": "true"

}"

 

Response

 

{

"content-type": "application/json",

"content-length": "124"

}

 

"{

"result": {

"info": [

{

"message": "Operation succeeded without warning or error!"

}

] } }"

}

Automatic version monitoring

To automate version monitoring:

Request

 

PUT /api/v1/configuration/system/maintenance/options

"{"automatic-version-monitoring": "false"}"

 

Response

 

{

"content-type": "application/json",

"content-length": "124"

}

 

"{

"result": {

"info": [

{

"message": "Operation succeeded without warning or error!"

} ] } }"

}

Enabling read-only mode for the administrator

To enable read-only mode for the administrator:

Request

 

GET /api/v1/configuration/system/configuration/telemetry

 

Response

{

content-type: application/json

content-length: 61

}

 

"{

"crash-analytics": "true",

"google-analytics": "true"

}"

 

Request

 

PUT /api/v1/configuration/system/configuration/telemetry

 

Response

 

Status: 403 forbidden

Mapping serial numbers to interfaces

To map serial numbers to interfaces:

From Release 9.1R14 onwards, the "serial-number" attribute is mandatory in the JSON body for POST operations on certificates.

Request

GET /api/v1/configuration/system/configuration/certificates/device-certificates/device-certificate/{serial-number}

Host: 10.209.112.106

Authorization: Basic YWRtaW5kYjpkYW5hMTIz

Content-Type: application/json

Response

HTTP/1.1 200 OK

Content-Type: application/json

{

"device-certificate": [ { "href": "/api/v1/configuration/system/configuration/certificates/device-certificates/device-certificate/0A%3A90%3A0D%3AD0%3AE6%3AAF%3AC8%3A7E", "serial-number": "0A:90:0D:D0:E6:AF:C8:7E" } ]

}

 

Request

PUT /api/v1/configuration/system/configuration/certificates/device-certificates/device-certificate/24%3AEE%3AC8%3ABB%3A00%3A00%3A00%3A00%3A12%3A73

"{

"internal-ports": {

"internal-port": ["<Internal Port>"]

},

"serial-number": "24:EE:C8:BB:00:00:00:00:12:73"

}"

 

Response

{

"content-type": "application/json",

"content-length": "128"

}

"{

"result": {

"warnings": [

{

"message": "The configuration has been implicitly changed"

} ] } }"

}

Upgrading system software

To upgrade system software:

The REST API does not support two-stage upgrades.

Request

POST /api/v1/system/maintenance/upgrade HTTP/1.1

Host: 10.204.51.219

Authorization: Basic YWRtaW4xOmRhbmExMjM=

Content-Type: multipart/form-data

{

KEY: file, VALUE: file name

}

Response

HTTP/1.1 200 OK

Content-Type: application/json

Rolling back system software

To roll back system software:

Request

POST /api/v1/system/maintenance HTTP/1.1

Host: 10.204.51.219

Authorization: Basic YWRtaW4xOmRhbmExMjM=

Content-Type: application/json

{

"operation": "rollback"

}

Response

HTTP/1.1 200 OK

Content-Type: application/json

{

"name" : "{ \"result\": { \"info\": [ { \"message\": \"Successfully triggered rollback\" } ] } }"

}

Enabling console password protection

To enable console password protection:

Request

POST /api/v1/system/maintenance/password-protection HTTP/1.1

Host: 10.209.112.106

Authorization: Basic YWRtaW5kYjpkYW5hMTIz

Content-Type: application/json

{

"operation": "enable"

}

Response

HTTP/1.1 200 OK

Content-Type: application/json

{

"name" : "{ \"result\": { \"info\": [ { \"message\": \" Successfully enabled console password protection\" } ] } }"

}

Disabling console password protection

To disable console password protection:

Request

POST /api/v1/system/maintenance/password-protection HTTP/1.1

Host: 10.209.112.106

Authorization: Basic YWRtaW5kYjpkYW5hMTIz

Content-Type: application/json

{

"operation": "disable"

}

Response

HTTP/1.1 200 OK

Content-Type: application/json

{

"name" : "{ \"result\": { \"info\": [ { \"message\": \" Successfully disabled console password protection\" } ] } }"

}

Creating a VLAN

To create a VLAN on a cluster node:

Request

POST /api/v1/configuration/system/network/vlans/Node88/vlan/ HTTP/1.1

Host: 10.209.113.88

Authorization: Basic MVhDbDJTSUhkV3ZjUkd6WXM1T1V3MU5wbHNmemJPbTJxSHI2NVZCdXp5bz06

Content-Type: application/json

{

    "arp-cache": {

        "arp-entry": []

    },

   "name": "vlan-int-1",

    "routes": {

        "route": []

    },

    "settings": {

        "default-gateway": "2.0.0.1",

        "default-vlan-interface": "false",

        "enable-ipv6": "enabled",

        "ip-address": "2.2.2.2",

        "ipv6-address": "fc00:7777:5678:5678::222",

        "ipv6-default-gateway": "fc00:7777:5678:5678::3",

        "ipv6-prefix-length": "64",

        "is-enabled": "enabled",

        "netmask": "255.0.0.0",

        "vlan-id": "2",

        "vlan-parent": "0"

    },

    "virtual-ports": {

        "virtual-port": []

    }

}

Response

HTTP/1.1 201 CREATED

Content-Length: 128

Content-Type: application/json

{

"result": {

"warnings": [

{

"message": "The configuration has been implicitly changed"

}

]

}

}

Deleting a VLAN

To delete a VLAN from a cluster node:

Request

DELETE /api/v1/configuration/system/network/vlans/Node88/vlan/vlan-int-1 HTTP/1.1

Host: 10.209.113.88

Authorization: Basic MVhDbDJTSUhkV3ZjUkd6WXM1T1V3MU5wbHNmemJPbTJxSHI2NVZCdXp5bz06

Content-Type: application/json

Response

HTTP/1.1 204 NO CONTENT

Content-Length: 0

Content-Type: application/json

Creating a User Role

To create a user role:

Request

POST /api/v1/configuration/users/user-roles/user-role/ HTTP/1.1

Host: 10.209.113.88

Authorization: Basic MVhDbDJTSUhkV3ZjUkd6WXM1T1V3MU5wbHNmemJPbTJxSHI2NVZCdXp5bz06

Content-Type: application/json

{

    "name": "rest-userrole-4",

    "web": {

        "web-bookmarks": {

            "bookmark": [

                {

                    "auto-allow": "disable",

                    "description": "",

                    "name": "web-bm-1",

                    "new-window": "false",

                    "no-address-bar": "false",

                    "no-tool-bar": "false",

                    "parent": "--none--",

                    "standard": {

                        "url": "http://www.msn.com"

                    }

                }

            ]

        },

        "web-options": {

            "browsing-untrusted-sslsites": "true",

            "flash-content": "false",

            "hpxproxy-connection-timeout": "1800",

            "http-connection-timeout": "240",

            "java-applets": "true",

            "mask-hostname": "false",

            "persistent-cookies": "false",

            "rewrite-file-urls": "false",

            "rewrite-links-pdf": "false",

            "unrewritten-page-newwindow": "false",

            "user-add-bookmarks": "false",

            "user-enter-url": "false",

            "users-bypass-warnings": "false",

            "warn-certificate-issues": "true",

            "websocket-connection-timeout": "900"

        }

    }

}

Response

HTTP/1.1 201 CREATED

Content-Length: 122

Content-Type: application/json

{

    "result": {

        "info": [

            {

                "message": "Operation succeed without warning or error!"

            }

        ]

    }

}

Fetching the User Login Statistics

To fetch the user login statistics:

Request

GET /api/v1/system/user-stats HTTP/1.1

Host: 10.209.113.88

Authorization: Basic MVhDbDJTSUhkV3ZjUkd6WXM1T1V3MU5wbHNmemJPbTJxSHI2NVZCdXp5bz06

Content-Type: application/json

Response

HTTP/1.1 200 OK

Content-Length: 169

Content-Type: application/json

{

"user-stats": {

  "allocated-user-count": "25",

  "current-user-count": "0",

  "max-active-user-count-24hrs": "1",

  "min-active-user-count-24hrs": "0"

        }

}

Updating the User Role Settings

To update the user role settings:

Request

PUT /api/v1/configuration/users/user-roles/user-role/rest-userrole-4 HTTP/1.1

Host: 10.209.113.88

Authorization: Basic MVhDbDJTSUhkV3ZjUkd6WXM1T1V3MU5wbHNmemJPbTJxSHI2NVZCdXp5bz06

Content-Type: application/json

{

    "name": "rest-userrole-4",

    "web": {

        "web-bookmarks": {

            "bookmark": [

                {

                    "auto-allow": "disable",

                    "description": "",

                    "name": "web-bm-1",

                    "new-window": "false",

                    "no-address-bar": "false",

                    "no-tool-bar": "false",

                    "parent": "--none--",

                    "standard": {

                        "url": "http://www.yahoo.com"

                    }

                }

            ]

        },

        "web-options": {

            "browsing-untrusted-sslsites": "true",

            "flash-content": "false",

            "hpxproxy-connection-timeout": "1800",

            "http-connection-timeout": "240",

            "java-applets": "true",

            "mask-hostname": "false",

            "persistent-cookies": "false",

            "rewrite-file-urls": "false",

            "rewrite-links-pdf": "false",

            "unrewritten-page-newwindow": "false",

            "user-add-bookmarks": "false",

            "user-enter-url": "false",

            "users-bypass-warnings": "false",

            "warn-certificate-issues": "true",

            "websocket-connection-timeout": "900"

        }

    }

}


Response

HTTP/1.1 200 OK

Content-Length: 122

Content-Type: application/json

{

"result": {

   "info": [

     {

       "message": "Operation succeed without warning or error!"

     }

  ]

}

}

Deleting a User Role

To delete a user role:

Request

DELETE /api/v1/configuration/users/user-roles/user-role/rest-userrole-4 HTTP/1.1

Host: 10.209.113.88

Authorization: Basic MVhDbDJTSUhkV3ZjUkd6WXM1T1V3MU5wbHNmemJPbTJxSHI2NVZCdXp5bz06

Content-Type: application/json

Response

HTTP/1.1 204 NO CONTENT

Content-Length: 0

Content-Type: application/json

Creating a User Realm

To create a user realm:

Request

POST /api/v1/configuration/users/user-realms/realm/ HTTP/1.1

Host: 10.209.113.88

Authorization: Basic MVhDbDJTSUhkV3ZjUkd6WXM1T1V3MU5wbHNmemJPbTJxSHI2NVZCdXp5bz06

Content-Type: application/json

{

    "accounting-server": "None",

    "authentication-group": "",

    "authentication-policy": {

        "browser": {

            "customized": "any-user-agent",

            "user-agent-patterns": {

                "user-agent-pattern": []

            }

        },

        "certificate": {

            "cert-key-value-pairs": {

                "cert-key-value-pair": []

            },

            "customized": "allow-all-users"

        },

        "host-checker": {

            "enforce-all-policies": "false",

            "enforce-policy-list": null,

            "evaluate-all-policies": "false",

            "evaluate-logic": "all-policies-must-succeed",

            "evaluate-policy-list": null

        },

        "limits": {

            "guaranteed-minimum": null,

            "limit-concurrent-users": "false",

            "max-sessions-per-user": "1",

            "maximum": null

        },

        "password": {

            "primary-password-expiration-warning-days": "14",

            "primary-password-management": "true",

            "primary-password-minimum-length": "4",

            "primary-password-restricted": "allow-passwords-of-minimum-length",

            "secondary-password-expiration-warning-days": "14",

            "secondary-password-management": "false",

            "secondary-password-minimum-length": "4",

            "secondary-password-restricted": "allow-passwords-of-minimum-length"

        },

        "source-ip": {

            "customized": "any-ip",

            "ips": {

                "ip": []

            }

        }

    },

    "authentication-server": "AD server",

    "description": "",

    "device-server": "None",

    "directory-server": "AD server",

    "dynamic-policy": {

        "dynamic-policy-evaluation": "false",

        "refresh-interval": "60",

        "refresh-policies": "false",

        "refresh-roles": "false"

    },

    "editing-description": "false",

    "inbound-ifmap-attributes": "false",

    "migration-sharing-type": "enable-session-migration",

    "name": "rest-user-realm",

    "role-mapping-rules": {

        "rule": [

            {

                "name": "rest-admin-rule",

                "roles": [

                    "test1"

                ],

                "stop-rules-processing": "false",

                "user-name": {

                    "test": "is",

                    "user-names": [

                        "user1"

                    ]

                }

            }

        ],

        "user-selects-role": "false",

        "user-selects-roleset": "false"

    },

    "secondary-authentication-settings": {

        "authentication-must-succeed": "true",

        "name": "-",

        "password-input": "user",

        "predefined-password": "",

        "predefined-user-name": "",

        "user-name-input": "user"

    },

    "session-migration": "false"

}

Response

HTTP/1.1 201 CREATED

Content-Length: 122

Content-Type: application/json

{

    "result": {

        "info": [

            {

                "message": "Operation succeed without warning or error!"

            }

        ]

    }

}

Deleting a User Realm

To delete a user realm:

Request

DELETE /api/v1/configuration/users/user-realms/realm/rest-user-realm HTTP/1.1

Host: 10.209.113.88

Authorization: Basic MVhDbDJTSUhkV3ZjUkd6WXM1T1V3MU5wbHNmemJPbTJxSHI2NVZCdXp5bz06

Content-Type: application/json

Response

HTTP/1.1 204 NO CONTENT

Content-Length: 0

Content-Type: application/json

Creating a Resource Profile

To create a web resource profile:

Request

POST /api/v1/configuration/users/resource-profiles/web-profiles/web-profile/ HTTP/1.1

Host: 10.209.113.88

Authorization: Basic MVhDbDJTSUhkV3ZjUkd6WXM1T1V3MU5wbHNmemJPbTJxSHI2NVZCdXp5bz06

Content-Type: application/json

{

    "custom": {

        "bookmarks": {

            "bookmark": [

                {

                    "apply": "all",

                    "description": "",

                    "name": "web-resourceprofile",

                    "new-window": "false",

                    "no-address-bar": "false",

                    "no-tool-bar": "false",

                    "roles": null,

                    "url": "http://www.google.com"

                }

            ]

        },

        "client-authentication": [],

        "java-acl": [],

        "rewriting-options": {

            "ptp": [],

            "selective-rewriting": "false",

            "use-jsam": [],

            "use-wsam": []

        },

        "sso-basic-ntlm-kerberos": [],

        "sso-header": [],

        "sso-post": [],

        "url": "http://www.google.com",

        "web-compression": [],

        "webacl": [

            {

                "rules": {

                    "rule": [

                        {

                            "action": "allow",

                            "name": "Allow http://www.google.com:80/*",

                            "resource": "http://www.google.com:80/*"

                        }

                    ]

                }

            }

        ],

        "webcaching": []

    },

    "description": "",

    "name": "web-resourceprofile",

    "roles": [

        "rest-userrole-3"

    ]

}

Response

HTTP/1.1 201 CREATED

Content-Length: 128

Content-Type: application/json

{

    "result": {

        "warnings": [

            {

                "message": "The configuration has been implicitly changed"

            }

        ]

    }

}

Deleting a Resource Profile

To delete a web resource profile:

Request

DELETE /api/v1/configuration/users/resource-profiles/web-profiles/web-profile/web-resourceprofile HTTP/1.1

Host: 10.209.113.88

Authorization: Basic MVhDbDJTSUhkV3ZjUkd6WXM1T1V3MU5wbHNmemJPbTJxSHI2NVZCdXp5bz06

Content-Type: application/json

Response

HTTP/1.1 204 NO CONTENT

Content-Length: 0

Content-Type: application/json

Creating a Resource Policy

To create a web resource policy:

Request

POST /api/v1/configuration/users/resource-policies/web-policies/web-acls/web-acl/ HTTP/1.1

Host: 10.209.113.88

Authorization: Basic MVhDbDJTSUhkV3ZjUkd6WXM1T1V3MU5wbHNmemJPbTJxSHI2NVZCdXp5bz06

Content-Type: application/json

{

    "action": "allow",

    "apply": "selected",

    "description": "",

    "name": "web-acl-policy",

    "parent-type": "none",

    "resources": [

        "1.1.1.1:80,443/*"

    ],

    "roles": [

        "rest-userrole-1"

    ],

    "rules": {

        "rule": []

    }

}

Response

HTTP/1.1 201 CREATED

Content-Length: 122

Content-Type: application/json

{

    "result": {

        "info": [

            {

                "message": "Operation succeed without warning or error!"

            }

        ]

    }

}

Fetching a Resource Policy

To fetch a web resource policy:

Request

GET /api/v1/configuration/users/resource-policies/web-policies/web-acls/web-acl/name=web-acl-policy,parent-type=none HTTP/1.1

Host: 10.209.113.88

Authorization: Basic MVhDbDJTSUhkV3ZjUkd6WXM1T1V3MU5wbHNmemJPbTJxSHI2NVZCdXp5bz06

Content-Type: application/json

Response

HTTP/1.1 200 OK

Content-Length: 245

Content-Type: application/json

{

  "action": "allow",

    "apply": "selected",

    "description": "",

    "name": "web-acl-policy",

    "parent-type": "none",

    "resources": [

        "1.1.1.1:80,443/*"

    ],

    "roles": [

        "rest-userrole-1"

    ],

    "rules": {

        "rule": []

    }

}

Deleting a Resource Policy

To delete a web resource policy:

Request

DELETE /api/v1/configuration/users/resource-policies/web-policies/web-acls/web-acl/name=web-acl-policy,parent-type=none HTTP/1.1

Host: 10.209.113.88

Authorization: Basic MVhDbDJTSUhkV3ZjUkd6WXM1T1V3MU5wbHNmemJPbTJxSHI2NVZCdXp5bz06

Content-Type: application/json

Response

HTTP/1.1 204 NO CONTENT

Content-Length: 0

Content-Type: application/json

Creating an AD Authentication Server

Request

POST /api/v1/configuration/authentication/auth-servers/auth-server HTTP/1.1

Host: 10.209.114.152

Authorization: Basic QmJYZlZ6eER2Tzhodjh4NzhlU28vU1NNZ0tHelJJUHhsbC9pdjcrZlRxcz06

Content-Type: application/json

{

    "ad": {

        "server-catalog": {

            "custom-variables": {

                "custom-variable": []

            },

            "expressions": {

                "custom-expression": []

            },

            "groups": {

                "ad-group": []

            }

        },

        "settings": {

            "additional-options": {

                "allow-trusted-domains": "false",

                "change-machine-password-after-every": "0",

                "enable-ntlm-protocol": "true",

                "enable-periodic-password-change-of-machine-account": "false",

                "kerberos": "true",

                "max-domain-connections": "5",

                "ntlm-protocol": "ntlmv2"

            },

            "container-name": "Computers",

            "domain": "TEST",

            "kerberos-realm": "TEST.SAQACERTSERV.COM",

            "nodenames": [

                {

                    "computer-name": "0332MWK0NRP111",

                    "machine-hardware-id": "0332MOGWK0NRP111S",

                    "node": "localhost2"

                }

            ],

           "password-cleartext": "'Ivanti1234$",

            "save-credentials": "true",

            "username": "Administrator"

        }

    },

    "logical-name": "",

    "name": "AD-Server",

    "user-record-sync": "false"

}

Response

HTTP/1.1 201 CREATED

Content-Length: 128

Content-Type: application/json

{

"result": {

"warnings": [

{

"message": "The configuration has been implicitly changed"

}

    ]

  }

}

Deleting an AD Authentication Server

Request

DELETE /api/v1/configuration/authentication/auth-servers/auth-server/AD-Server HTTP/1.1

Host: 10.209.114.152

Authorization: Basic QmJYZlZ6eER2Tzhodjh4NzhlU28vU1NNZ0tHelJJUHhsbC9pdjcrZlRxcz06

Content-Type: application/json

Response

HTTP/1.1 204 NO CONTENT

Content-Length: 0

Content-Type: application/json

Creating an LDAP Authentication Server

Request

POST /api/v1/configuration/authentication/auth-servers/auth-server HTTP/1.1

Host: 10.209.114.152

Authorization: Basic QmJYZlZ6eER2Tzhodjh4NzhlU28vU1NNZ0tHelJJUHhsbC9pdjcrZlRxcz06

Content-Type: application/json

{

    "ldap": {

        "server-catalog": {

            "attributes": {

                "user-attribute": [

                    {

                        "name": "cn"

                    },

                    {

                        "name": "department"

                    },

                    {

                        "name": "departmentNumber"

},

                    {

                        "name": "employeeNumber"

                    },

                    {

},

                    {

                        "name": "o"

                    },

                    {

                        "name": "ou"

                    },

                    {

                        "name": "sAMAccountName"

                    },

                    {

                        "name": "uid"

                    },

                    {

                        "name": "homeDirectory"

                    },

                    {

                        "name": "homeDrive"

                    },

                    {

"name": "wWWHomePage"

                    }

                ]

            },

            "custom-variables": {

                "custom-variable": []

            },

            "expressions": {

                "custom-expression": []

            },

            "groups": {

                "user-group": []

            }

        },

        "settings": {

            "admin-dn": "CN=Administrator,CN=Users,DC=test,DC=saqacertserv,DC=com",

            "admin-password-encrypted": "3u+UR6n8AgABAAAAQkYh+Te/ebXL7gSn+W6IEPOV2YFsaaikH2SVxkb8lTKzWhS1EPFlsNXBpuQP5sWXfeOYfjmhQSRZ5DP/z9UhQ/l16DDne9/u7Lw67HyE/8Q=",

            "attribute-to-update-at-server": "",

            "attribute-type": "type-integer",

            "attribute-value-to-update-at-server": "<LOGINTIMELDAP>",

            "authentication-required-to-search-ldap": "true",

            "backup-port-1": null,

            "backup-port-2": null,

"backup-server-1": "",

            "backup-server-2": "",

            "connection-timeout": "15",

            "connection-type": "plain",

            "enable-attribute-update-at-server": "false",

            "group-base-dn": "",

            "group-filter": "",

            "ldap-server-type": "active-directory",

            "meetings": {

                "email-address": "mail",

                "full-name": "displayname",

                "name-attribute-mapping": "",

                "user-name": "samaccountname"

  },

            "member-attribute": "",

            "nested-group-level": "0",

            "port": "389",

            "query-attribute": "",

            "reverse-group-search": "false",

            "search-timeout": "60",

            "server": "10.209.124.88",

            "server-catalog": "catalog",

            "test-user-dn": "",

            "user-base-dn": "DC=test,DC=saqacertserv,DC=com",

"user-filter": "samaccountname=<USER>",

            "validate-referral-cert": "verifyserverconfigured",

            "validate-server-cert": "false"

        }

    },

    "logical-name": "",

    "name": "LDAP-Server",

"user-record-sync": "false"

}

Response

HTTP/1.1 201 CREATED

Content-Length: 128

Content-Type: application/json

{

"result": {

"warnings": [

{

"message": "The configuration has been implicitly changed"

}

]

  }

}
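Several request bodies shown above carry values worth reviewing before they are pushed to a production gateway: the LDAP server uses "connection-type": "plain" with "validate-server-cert": "false", the realm sets a primary password minimum length of 4, and the role enables "browsing-untrusted-sslsites". The following audit is an added example, not part of the original page or of Ivanti's tooling; the rule set and the 12-character threshold are assumptions standing in for local policy, and the sample objects are trimmed copies of the page's bodies.

```python
MIN_PASSWORD_LENGTH = 12  # assumption: local policy, not an Ivanti default

# Trimmed copies of request bodies from the page (only audited keys kept).
LDAP_SERVER = {
    "name": "LDAP-Server",
    "ldap": {"settings": {
        "connection-type": "plain",
        "port": "389",
        "validate-server-cert": "false",
    }},
}
REALM = {
    "name": "rest-user-realm",
    "authentication-policy": {"password": {
        "primary-password-minimum-length": "4",
        "primary-password-restricted": "allow-passwords-of-minimum-length",
    }},
}
ROLE = {
    "name": "rest-userrole-4",
    "web": {"web-options": {
        "browsing-untrusted-sslsites": "true",
        "users-bypass-warnings": "false",
        "warn-certificate-issues": "true",
    }},
}


def dig(obj, path):
    """Follow a tuple of keys through nested dicts; None if any is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def _is(expected):
    return lambda value: value == expected


def _shorter_than(limit):
    # The API returns numbers as strings, so parse defensively.
    return lambda value: str(value).isdigit() and int(value) < limit


# (path, predicate that is True when the value is weak, explanation)
RULES = [
    (("ldap", "settings", "connection-type"), _is("plain"),
     "LDAP binds and searches cross the network unencrypted"),
    (("ldap", "settings", "validate-server-cert"), _is("false"),
     "directory server certificate is not validated"),
    (("authentication-policy", "password", "primary-password-minimum-length"),
     _shorter_than(MIN_PASSWORD_LENGTH),
     f"minimum password length is below {MIN_PASSWORD_LENGTH}"),
    (("web", "web-options", "browsing-untrusted-sslsites"), _is("true"),
     "role permits browsing to sites with untrusted certificates"),
]


def audit(config):
    """Return (object name, dotted path, value, explanation) per weak value."""
    findings = []
    for path, is_weak, why in RULES:
        value = dig(config, path)
        if is_weak(value):
            findings.append((config.get("name", "?"), ".".join(path), value, why))
    return findings


def audit_all(configs):
    """Audit several configuration objects and concatenate the findings."""
    return [finding for config in configs for finding in audit(config)]


if __name__ == "__main__":
    for name, path, value, why in audit_all([LDAP_SERVER, REALM, ROLE]):
        print(f"{name}: {path} = {value!r}: {why}")
```

The same function can be run over the JSON returned by a GET on each configuration path before and after a change, so that a PUT which reintroduces one of these values shows up as a new finding.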

Creating a Radius Server

Request

POST /api/v1/configuration/authentication/auth-servers/auth-server HTTP/1.1

Host: 10.209.114.152

Authorization: Basic QmJYZlZ6eER2Tzhodjh4NzhlU28vU1NNZ0tHelJJUHhsbC9pdjcrZlRxcz06

Content-Type: application/json

{

    "logical-name": "",

    "name": "Radius-Server",

    "radius": {

        "server-catalog": {

            "attributes": {

                "user-attribute": []

            },

            "custom-variables": {

                "custom-variable": []

            },

            "expressions": {

                "custom-expression": []

            }

        },

        "settings": {

            "accounting-port": "1813",

            "authenticate-with-tokens-onetimepassword": "false",

            "authentication-port": "1812",

            "backup-accounting-port": "1813",

            "backup-authentication-port": "1812",

            "backup-server": "10.209.126.179",

            "backup-shared-secret-encrypted": "3u+UR6n8AgABAAAA2Th1sUV9vXDS9gRdMt1yCB4Ol6tacMTwhWsTlIFd7Q4=",

            "custom-radius-rules": {

                "custom-radius-rule": []

            },

            "interim-update-interval": null,

            "load-balance-auth": "false",

            "nasid": "",

            "nasipaddr": "10.209.113.88",

            "process-radius-disconnect": "false",

            "retries": "0",

            "server": "10.209.126.179",

            "shared-secret-encrypted": "3u+UR6n8AgABAAAA2Th1sUV9vXDS9gRdMt1yCB4Ol6tacMTwhWsTlIFd7Q4=",

            "timeout": "30",

            "use-nc-assigned-ip": "false",

            "use-subsession-interim-update": "false",

            "user-name": "<USER>(<REALM>)[<ROLE SEP=\",\">]"

        }

    },

    "user-record-sync": "false"

}

Response

HTTP/1.1 201 CREATED

Content-Length: 128

Content-Type: application/json

{

"result": {

"warnings": [

{

"message": "The configuration has been implicitly changed"

}

]

}

}

Modifying Radius Server Details

Request

PUT /api/v1/configuration/authentication/auth-servers/auth-server/Radius-Server HTTP/1.1

Host: 10.209.114.152

Authorization: Basic QmJYZlZ6eER2Tzhodjh4NzhlU28vU1NNZ0tHelJJUHhsbC9pdjcrZlRxcz06

Content-Type: application/json

{

    "name": "Radius-Server",

    "radius": {

        "settings": {

            "backup-accounting-port": "1814",

            "backup-authentication-port": "1816",

            "backup-server": "2.2.2.2"

        }

    }

   

}

Response

HTTP/1.1 200 OK

Content-Length: 128

Content-Type: application/json

{

    "result": {

        "info": [

            {

                "message": "Operation succeeded without warning or error!"

            }

        ]

    }

}

Creating Sign-In-Policy

Request

POST /api/v1/configuration/authentication/signin/urls/access-urls/access-url/ HTTP/1.1

Host: 10.209.113.89

Authorization: Basic MEthMXM0MmJraHpjYms0WFZCZ29Xb3k1Nk5NL3JqaDBwQ05iTmFhUlh5ST06

Content-Type: application/json

{

    "description": "",

    "enabled": "true",

    "page": "Default Sign-In Page",

    "realm-select": "pick-list",

    "url-pattern": "test/url3/",

    "user": {

        "enable-new-ux-pages": "false",

        "meeting-url": "*/meeting/",

        "post-authentication-signin-notification-id": "None",

        "post-authentication-signin-notification-skip": "false",

        "pre-authentication-signin-notification-id": "None",

        "realms": [

            "Users"

        ]

    }

}

Response

HTTP/1.1 201 CREATED

Content-Length: 128

Content-Type: application/json

{

    "result": {

        "info": [

            {

                "message": "Operation succeeded without warning or error!"

            }

        ]

    }

}

Deleting Sign-in-Policy

Request

DELETE /api/v1/configuration/authentication/signin/urls/access-urls/access-url/test%5C%2Furl3%5C%2F HTTP/1.1

Host: 10.209.113.89

Authorization: Basic MEthMXM0MmJraHpjYms0WFZCZ29Xb3k1Nk5NL3JqaDBwQ05iTmFhUlh5ST06

Cache-Control: no-cache

Response

HTTP/1.1 204 NO CONTENT

Content-Length: 0

Content-Type: application/json

Disabling Sign-in-URL

Request

PUT /api/v1/configuration/authentication/signin/urls/access-urls/access-url/test%5C%2Furl1%5C%2F/enabled HTTP/1.1

Host: 10.209.113.89

Authorization: Basic MEthMXM0MmJraHpjYms0WFZCZ29Xb3k1Nk5NL3JqaDBwQ05iTmFhUlh5ST06

Content-Type: application/json

{

    "enabled": "false"

}

Response

HTTP/1.1 200 OK

Content-Length: 128

Content-Type: application/json

{

    "result": {

        "info": [

            {

                "message": "Operation succeeded without warning or error!"

            }

        ]

    }

}

Creating a Web Bookmark for a Role

To create a web bookmark for a role:

Request

POST /api/v1/configuration/users/user-roles/user-role/rest-userrole-1/web/web-bookmarks/bookmark HTTP/1.1

Host: 10.209.113.88

Authorization: Basic MVhDbDJTSUhkV3ZjUkd6WXM1T1V3MU5wbHNmemJPbTJxSHI2NVZCdXp5bz06

Content-Type: application/json

Cache-Control: no-cache

{

    "auto-allow": "disable",

    "description": "",

    "name": "webbm",

    "new-window": "false",

    "no-address-bar": "false",

    "no-tool-bar": "false",

    "parent": "--none--",

    "standard": {

        "url": "http://www.yahoo.com"

     }

}

Response

HTTP/1.1 201 CREATED

Content-Length: 122

Content-Type: application/json

{

    "result": {

        "info": [

            {

                "message": "Operation succeed without warning or error!"

            }

        ]

    }

}

Reordering

To reorder existing ordered elements in the configuration, send a PUT request to the element's path with an 'order' suffix. This API can reorder any ordered element in the configuration, including role-mapping-rules, resource policies and ACLs.

Example: Reorder existing role-mapping-rules in a specific realm.

Request

PUT /api/v1/configuration/users/user-realms/realm/testRealm/role-mapping-rules/rule/order HTTP/1.1

Host: 10.209.112.106

Authorization: Basic Y1VPZE1XZ1ZubVEvVnIrcWwrd3lJY3F0Y05WTGhDVkx1M0wrdk5YR3hzVT06

Content-Type: application/json

{

  "rule": [

    {

      "href": "/api/v1/configuration/users/user-realms/realm/testRealm/role-mapping-rules/rule/rule3"

    },

    {

      "href": "/api/v1/configuration/users/user-realms/realm/testRealm/role-mapping-rules/rule/rule1"

    }

  ]

}

Response

HTTP/1.1 200 OK

content-length: 122

content-type: application/json

{

    "result": {

        "info": [

            {

                "message": "Operation succeed without warning or error!"

            }

        ]

    }

}

Fetching the Resource with Multiple Identifiers

Example: Retrieve one of the SNMP trap servers configured on an Ivanti Connect Secure device.

Request

GET /api/v1/configuration/system/log/snmp/localhost2/trap-servers/trap-server/ip=1.1.1.1,port=162 HTTP/1.1

Host: 10.209.112.106

Authorization: Basic T0o1dzVpK3g4U0dKV0d1TkJCdWlwVzREaUc0SjZvbkExMVljc0RtNU14bz06

Response

HTTP/1.1 200 OK

content-length: 65

content-type: application/json

{

    "community": "public",

    "ip": "1.1.1.1",

    "port": "162"

}

Updating Resource Identified Using Multiple Identifiers

Example: Updating the community string for a specific SNMP trap server identified by IP and port.

Request

PUT /api/v1/configuration/system/log/snmp/localhost2/trap-servers/trap-server/ip=1.1.1.1,port=162/community HTTP/1.1

Host: 10.209.112.106

Authorization: Basic T0o1dzVpK3g4U0dKV0d1TkJCdWlwVzREaUc0SjZvbkExMVljc0RtNU14bz06

Content-Type: application/json

{

    "community": "pulsesecure"

}

Response

HTTP/1.1 200 OK

content-length: 122

content-type: application/json

{

    "result": {

        "info": [

            {

                "message": "Operation succeed without warning or error!"

            }

        ]

    }

}
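Added example (not Ivanti code): the request paths above carry administrator-chosen identifiers inside URL segments, for instance test%5C%2Furl1%5C%2F and ip=1.1.1.1,port=162. The Python code below builds such paths; the names Ident and config_path are hypothetical, and the rule of writing "/" as "\/" before percent-encoding is inferred from this page's sign-in URL examples rather than taken from a specification.

```python
import re
from urllib.parse import quote

API_ROOT = "/api/v1/configuration"
# Schema fragments as they appear on this page: lowercase names, digits, hyphens.
_SCHEMA = re.compile(r"[a-z0-9-]+(/[a-z0-9-]+)*")


class Ident:
    """Hypothetical wrapper for an administrator-chosen resource identifier."""

    def __init__(self, value):
        self.value = value

    def encode(self):
        if isinstance(self.value, dict):
            # Several identifiers: key=value pairs joined by commas, in order.
            if not self.value:
                raise ValueError("empty identifier")
            return ",".join(
                f"{quote(str(k), safe='')}={quote(str(v), safe='')}"
                for k, v in self.value.items()
            )
        text = str(self.value)
        if text in ("", ".", ".."):
            # Dot segments would be normalised away by HTTP clients and proxies.
            raise ValueError(f"unusable identifier: {text!r}")
        # Assumption inferred from the page: '/' inside a name is sent as '\/',
        # then the whole segment is percent-encoded ('\' -> %5C, '/' -> %2F).
        return quote(text.replace("/", "\\/"), safe="")


def config_path(*parts):
    """Join schema fragments (str) and identifiers (Ident) into a request path."""
    segments = []
    for part in parts:
        if isinstance(part, Ident):
            segments.append(part.encode())
        elif isinstance(part, str) and _SCHEMA.fullmatch(part):
            segments.append(part)
        else:
            # Anything that is not a plain schema name must be wrapped in Ident,
            # so a name such as "../x" or "a?b" cannot change the path shape.
            raise ValueError(f"wrap identifiers in Ident(): {part!r}")
    return API_ROOT + "/" + "/".join(segments)


if __name__ == "__main__":
    print(config_path("authentication/signin/urls/access-urls/access-url",
                      Ident("test/url1/"), "enabled"))
    print(config_path("system/log/snmp/localhost2/trap-servers/trap-server",
                      Ident({"ip": "1.1.1.1", "port": "162"}), "community"))
```

Realm, role and user names such as testRealm must be passed as Ident values; passing them as plain strings raises ValueError.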

Fetching Active Number of HTML5 Sessions

Request

curl -k -u <api-key>: https://<pcs-ip>/api/v1/stats

Example:

curl -k -u Tv6YQPETDVOxeO0LCkcOfWeQ5qeET2WStO8GbilIltA=: https://10.96.158.110/api/v1/stats

Response

content-type: application/json

{

  "active-advanced-html5-sessions": {

    "active-advanced-html5-sessions-rdp": 0,

    "active-advanced-html5-sessions-ssh": 0,

    "active-advanced-html5-sessions-telnet": 0,

    "active-advanced-html5-sessions-total": -2,

    "active-advanced-html5-sessions-vnc": 0

  },

  "active-basic-html5-sessions": {

    "active-basic-html5-sessions-rdp": 0,

    "active-basic-html5-sessions-ssh": 0,

    "active-basic-html5-sessions-telnet": 0,

    "active-basic-html5-sessions-total": 0

  },

  "cpu-load": {

    "average-cpu-load": "0.33",

    "dsagentd-load": "0.00",

    "is-cpu-overloaded": "false",

    "is-dsagentd-overloaded": "false"

  }

}

Fetching Active Number of Basic HTML5 Sessions

Request

curl -k -u <api-key>: https://<pcs-ip>/api/v1/stats/active-basic-html5-sessions

Example:

curl -k -u Tv6YQPETDVOxeO0LCkcOfWeQ5qeET2WStO8GbilIltA=: https://10.96.158.110/api/v1/stats/active-basic-html5-sessions

Response

content-type: application/json

{

  "active-basic-html5-sessions-rdp": 0,

  "active-basic-html5-sessions-ssh": 0,

  "active-basic-html5-sessions-telnet": 0,

  "active-basic-html5-sessions-total": 0

}

Fetching Active Number of Advanced HTML5 Sessions

Request

curl -k -u <api-key>: https://<pcs-ip>/api/v1/stats/active-advanced-html5-sessions

Example:

curl -k -u Tv6YQPETDVOxeO0LCkcOfWeQ5qeET2WStO8GbilIltA=: https://10.96.158.110/api/v1/stats/active-advanced-html5-sessions

Response

content-type: application/json

{

  "active-advanced-html5-sessions-rdp": 0,

  "active-advanced-html5-sessions-ssh": 0,

  "active-advanced-html5-sessions-telnet": 0,

  "active-advanced-html5-sessions-total": -2,

  "active-advanced-html5-sessions-vnc": 0

}

Updating Password in Clear Text

Example: Updating password of System Local User.

Request

PUT /api/v1/configuration/authentication/auth-servers/auth-server/System%20Local/local/users/user/user0001/password-cleartext HTTP/1.1

Host: 10.209.112.106

Authorization: Basic T0o1dzVpK3g4U0dKV0d1TkJCdWlwVzREaUc0SjZvbkExMVljc0RtNU14bz06

Content-Type: application/json

{

   "password-cleartext": "Psecure"

}

Response

HTTP/1.1 200 OK

content-length: 128

content-type: application/json

{

   "result": {

     "warnings": [

       {

          "message": "The configuration has been implicitly changed"

       }

     ]

   }

}

Applying Authcode and Downloading Licenses from PCLS on VA-SPE|PSA-V

In Ivanti Connect Secure 8.3R4|Ivanti Policy Secure 5.4R4, this REST API can be used to download the license key from PCLS and install it on the Virtual Appliance.

Request

PUT /api/v1/license/auth-code HTTP/1.1

Host: 10.209.125.7

Authorization: Basic TnBDUk1veFFFQTJKZjM0S2ZxV2JKUlhRaDJaWGFrYnkvWVpTR3hhNTdmbz0=

Content-Length: 35

Content-Type: application/json

{

"auth-code":"<auth-code-to-apply>"

}

Response

HTTP/1.1 200 OK

Content-Type: application/json

Content-Length: 191

{

"result": {

"info": [

{"message": "Installed new license key \"landmark utility prestige trip mayor diesel faucet summer prestige income heritage\""}

]

}

}

Applying License

Request

PUT /api/v1/license/license-key?action=install HTTP/1.1

Host: 10.209.125.7

Authorization: Basic TnBDUk1veFFFQTJKZjM0S2ZxV2JKUlhRaDJaWGFrYnkvWVpTR3hhNTdmbz0=

Content-Type: application/json

{

   "keys":[

     "key1",

     "key2",

     ….

   ]

}

Example:

{

   "keys":[

     "operation tree crayon holiday kingdom lasso doorway square dish modem gecko",

     "buffalo safety inch topaz banquet nitrogen garnish step recital wedge trace"

   ]

}

Response

HTTP/1.1 200 OK

Content-Type: application/json

{

    "result": {

       "info": [

        {

          "message": "Installed licenses"

        }

       ]

    }

}

Deleting License

Request

PUT /api/v1/license/license-key?action=delete HTTP/1.1

Host: 10.209.125.7

Authorization: Basic TnBDUk1veFFFQTJKZjM0S2ZxV2JKUlhRaDJaWGFrYnkvWVpTR3hhNTdmbz0=

Content-Type: application/json

{

   "keys":[

      "key1",

      "key2",

      ….

   ]

}

Example:

{

   "keys":[

      "operation tree crayon holiday kingdom lasso doorway square dish modem gecko",

      "buffalo safety inch topaz banquet nitrogen garnish step recital wedge trace"

   ]

}

Response

HTTP/1.1 200 OK

Content-Type: application/json

{

   "result": {

     "info": [

       {

          "message": "Deleted <number> licenses"

       }

     ]

   }

}

Getting License Clients

Request

GET /api/v1/license/license-clients HTTP/1.1

Host: 10.209.125.7

Authorization: Basic TnBDUk1veFFFQTJKZjM0S2ZxV2JKUlhRaDJaWGFrYnkvWVpTR3hhNTdmbz0=

Content-Type: application/json

Response

HTTP/1.1 200 OK

Content-Type: application/json

{

  "license_clients": [

    {

      "feature_capacities": [

        {

          "feature_name": "add_user_count",

          "leased_value": 25

        },

        {

          "feature_name": "onboard",

          "leased_value": 0

        },

        {

          "feature_name": "embeddedrdpapplet",

          "leased_value": 0

        },

        {

          "feature_name": "vm_cores_leasable",

          "leased_value": 4

        },

        {

          "feature_name": "add_meeting_user_count",

          "leased_value": 0

        },

        {

          "feature_name": "cloudsecure_count",

          "leased_value": 0

        },

        {

          "feature_name": "named_user_count",

          "leased_value": 0

        },

        {

          "feature_name": "ueba",

          "leased_value": 0

        }

      ],

      "last_renewal": "Wed, 04 Dec 2019 06:32:26 GMT",

      "machine_id": "VASPH3944M9D8551S",

      "name": "va_spe_3_3_125_4"

    },

    {

      "feature_capacities": [

        {

          "feature_name": "add_user_count",

          "leased_value": 25

        },

        {

          "feature_name": "onboard",

          "leased_value": 0

        },

        {

          "feature_name": "embeddedrdpapplet",

          "leased_value": 0

        },

        {

          "feature_name": "vm_cores_leasable",

          "leased_value": 4

        },

        {

          "feature_name": "add_meeting_user_count",

          "leased_value": 0

        },

        {

          "feature_name": "cloudsecure_count",

          "leased_value": 0

        },

        {

          "feature_name": "named_user_count",

          "leased_value": 0

        },

        {

          "feature_name": "ueba",

          "leased_value": 0

        }

      ],

      "last_renewal": "Thu, 05 Dec 2019 13:45:31 GMT",

      "machine_id": "VASPHXVK2E117PM8S",

      "name": "va_spe_3_3_125_8"

    },

  ]

}

Getting License Report from License Server

Request

GET /api/v1/license/report HTTP/1.1

Host: 10.209.125.7

Authorization: Basic TnBDUk1veFFFQTJKZjM0S2ZxV2JKUlhRaDJaWGFrYnkvWVpTR3hhNTdmbz0=

Content-Type: application/json

Response

HTTP/1.1 200 OK

Content-Type: application/json

License Usage Report

{

"LicenseUsageReport": {

"MachineID": "VASPMMXXXXXXXX",

"build-number": "4762",

"cumulative-report": {…},

"granular-report": {…},

"cluster-granular-report": {…},

"time-stamp": "Mon Jan 13 20:04:40 2020",

"version": "9.1"

   }

}

 

Cumulative Report

https://<license-server>/api/v1/license/report/cumulative-report

{

"cumulative-report": {

"add-meeting-user-count": {

"Year":[

{

"Month": [

{

"Date": [

{

"Leased": "0",

"Maximum": "30",

       "id": "06"

}

{…},

{…},

{…},

{…}

       ]

"Leased": "0",  

"Maximum": "30",

"id": "Jan",

}

{…}

]

"id": "2020"

}

{…}

]

}

}

Granular Report

https://<license-server>/api/v1/license/report/granular-report

{

"license-client": [

{

"add-user-count": {

"Year": [

{

"Month": [

{               "Date": [

{…},

{…},

{…},

{…}

]

"Leased": "0",

"Maximum": "0",

"id": "Jan"

}          ],

"id": "2020"

}

]

},

"name": "PSA_V_10_209_125_101",

"software-version": "7.4"

},

{…}

}

 

Cluster Granular Report

https://<license-server>/api/v1/license/report/cluster-granular-report

{

"add-user-count": {

"Year": [

{

"Month": [

{

"Date": [

               {

"Leased": "40",

"Maximum": "21",

"client-node": "node63lc,node66lc",

"id": "24"

},

{                 "Leased": "40",

"Maximum": "1",

"client-node": "node63lc,node66lc",

"id": "25"

},

{

"Leased": "40",

"Maximum": "1",

"client-node": "node63lc,node66lc",

                "id": "26"

}

],

"Leased": "40",

"Maximum": "21",

"id": "Feb"

}

],

"id": "2020"

}

   ]

},

"cluster-name": "liccluster"

}

 

The following extensions of the API are supported:

1.    /api/v1/license/report – entire license report in JSON

2.    /api/v1/license/report/cumulative-report – The cumulative report.

•    The following trace-down options are available:

i. /api/v1/license/report/cumulative-report/<license-feature-type>

ii.    /api/v1/license/report/cumulative-report/<license-feature-type>/<year>

iii.    /api/v1/license/report/cumulative-report/<license-feature-type>/<year>/<month>

iv.    /api/v1/license/report/cumulative-report/<license-feature-type>/<year>/<month>/<day>

3.    /api/v1/license/report/granular-report – License usage report per license client.

•    The following trace-down options are available:

i. /api/v1/license/report/granular-report/<license-client>

ii.    /api/v1/license/report/granular-report/<license-client>/<add-user-count>

iii.    /api/v1/license/report/granular-report/<license-client>/<add-user-count>/<year>

iv.    /api/v1/license/report/granular-report/<license-client>/<add-user-count>/<year>/<month>

v.     /api/v1/license/report/granular-report/<license-client>/<add-user-count>/<year>/<month>/<day>

Example:

API - /api/v1/license/report/granular-report/node63lc/add-user-count/2020/Mar/20

{

"Leased": 40,

"Maximum": 14,

"id": "20"

}

4.    /api/v1/license/report/cluster-granular-report – License usage report per license client cluster.

•    The following trace-down options are available:

i. /api/v1/license/report/cluster-granular-report/<license-client>

ii. /api/v1/license/report/cluster-granular-report/<license-client>/<add-user-count>

iii.    /api/v1/license/report/cluster-granular-report/<license-client>/<add-user-count>/<year>

iv.    /api/v1/license/report/cluster-granular-report/<license-client>/<add-user-count>/<year>/<month>

v.     /api/v1/license/report/cluster-granular-report/<license-client>/<add-user-count>/<year>/<month>/<day>

• Example:

API - /api/v1/license/report/cluster-granular-report/liccluster/add-user-count/2020/Mar/22

{

"Leased": 40,

"Maximum": 16,

"cluster-member": [

"node63lc",

"node66lc"

],

"id": "22"

}
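Added example (not Ivanti code): a local equivalent of the trace-down URLs listed above, applied to a report that has already been downloaded in full. SAMPLE is copied from the cluster granular report shown on this page; the function names are hypothetical, and returning the matching Year/Month/Date node is an assumption based on the per-day samples above.

```python
# Copied from the cluster-granular-report sample on this page (one feature).
SAMPLE = {
    "add-user-count": {
        "Year": [{
            "id": "2020",
            "Month": [{
                "id": "Feb", "Leased": "40", "Maximum": "21",
                "Date": [
                    {"id": "24", "Leased": "40", "Maximum": "21",
                     "client-node": "node63lc,node66lc"},
                    {"id": "25", "Leased": "40", "Maximum": "1",
                     "client-node": "node63lc,node66lc"},
                    {"id": "26", "Leased": "40", "Maximum": "1",
                     "client-node": "node63lc,node66lc"},
                ],
            }],
        }],
    },
    "cluster-name": "liccluster",
}

# Nesting order of the report, matching .../<year>/<month>/<day> in the URL.
LEVELS = ("Year", "Month", "Date")


def trace_down(report, feature, *ids):
    """Return the node that <feature>/<year>/<month>/<day> would address."""
    if len(ids) > len(LEVELS):
        raise ValueError("at most year, month and day can be given")
    node = report[feature]
    for level, wanted in zip(LEVELS, ids):
        matches = [c for c in node.get(level, []) if c.get("id") == str(wanted)]
        if not matches:
            raise KeyError(f"no {level} entry with id {wanted!r}")
        node = matches[0]
    return node


def counts(node):
    """Leased and Maximum as integers.

    The full report quotes the numbers ("40"), while the per-day trace-down
    samples on this page return bare numbers (40); int() accepts both.
    """
    return int(node["Leased"]), int(node["Maximum"])


def daily_rows(report, feature):
    """Flatten one feature into (year, month, day, leased, maximum) tuples."""
    rows = []
    for year in report[feature].get("Year", []):
        for month in year.get("Month", []):
            for day in month.get("Date", []):
                rows.append((year["id"], month["id"], day["id"], *counts(day)))
    return rows


if __name__ == "__main__":
    for row in daily_rows(SAMPLE, "add-user-count"):
        print(row)
```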

Enabling/Disabling ICE License

Enabling ICE License

Content of ice_enable.json file:

more ice_enable.json

{

   "mode": "enabled"

}

Request

curl -k -u <api-key>: https://<pcs-ip>/api/v1/license/ice -X PUT -H "Content-Type: application/json" -d @ice_enable.json

Example:

curl -k -u TVGJ9xV9XvuA1JDB1nPkjC5BilAQAhUMn2dPHLZgP/o=: https://10.209.125.4/api/v1/license/ice -X PUT -H "Content-Type: application/json" -d @ice_enable.json

Response

HTTP/1.1 200 OK

Content-Type: application/json

{

  "result": {

    "info": [

      {

        "message": "ICE license is enabled"

      }

    ]

  }

}

Disabling ICE License

Content of ice_disable.json file:

more ice_disable.json

{

   "mode" : "disabled"

}

Request

curl -k -u TVGJ9xV9XvuA1JDB1nPkjC5BilAQAhUMn2dPHLZgP/o=: https://10.209.125.4/api/v1/license/ice -X PUT -H "Content-Type: application/json" -d @ice_disable.json

Response

HTTP/1.1 200 OK

Content-Type: application/json

{

  "result": {

    "info": [

      {

        "message": "ICE license is disabled"

      }

    ]

  }

}

Getting the Current Status of ICE License

Request

curl -k -u <api-key>: https://<pcs-ip>/api/v1/license/ice

Example:

curl -k -u TVGJ9xV9XvuA1JDB1nPkjC5BilAQAhUMn2dPHLZgP/o=: https://10.209.125.4/api/v1/license/ice

Response

ICE License Enabled

HTTP/1.1 200 OK

Content-Type: application/json

{

"mode": "enabled"

}

ICE License Disabled

HTTP/1.1 200 OK

Content-Type: application/json

{

  "mode": "disabled"

}

Exporting TOTP Users from One Device to Another Device

Request

curl -k -u <api-key>: https://<pcs-ip>/api/v1/totp/<TOTP-AUTH-SERVER-NAME>/users

NOTE: This API can be executed only on a TOTP server configured as Local (and not Remote).

Example:

curl -k -u X1O3oczUMJbhI8ba3Ov0McD54QCwBgwpSHwOGUVu5Ck=: https://10.209.115.20/api/v1/totp/Google%20TOTP%20Auth%20Server/users

Response

HTTP/1.1 200 OK

Content-Length: 191

Content-Type: application/json

{

"users": "<exported-totp-user-data>"

}

Importing TOTP Users from One Device to Another Device

Request

curl -k -u <api-key>: https://<pcs-ip>/api/v1/totp/<TOTP-AUTH-SERVER-NAME>/users -H "Content-Type: application/json" -d @totp_users.json -X POST

NOTE: This API can be executed only on a TOTP server configured as Local (and not Remote).

Example:

curl -k -u K7Z7xA54AKnv1++kcViamCCiUrEBgMSP+sHKar4EcKY=: https://10.209.125.4/api/v1/totp/TOTP_SERVER/users -H "Content-Type: application/json" -d @totp_users.json -X POST

{

"users": "<exported-totp-user-data>"

}

Response

HTTP/1.1 200 OK

content-length: 47

Content-Type: application/json

{

"message": "Successfully imported user data"

}

Resetting TOTP User

Request

curl -k -u <api-key>: https://<pcs-ip>/api/v1/totp/<TOTP-AUTH-SERVER-NAME>/users/<totp-user>?operation=reset -X PUT

Example:

curl -k -u nNuALLLWajGujVF2yT4qyP4nYxy/nwXxBKp0CHu2AZQ=: https://3.3.125.4/api/v1/totp/TOTP_SERVER/users/qauser1001?operation=reset -X PUT

Response

Scenario: TOTP user reset

HTTP/1.1 200 OK

Content-Type: application/json

{

  "result": {

    "info": [

      {

        "message": "TOTP user 'qauser1001' under Authserver 'TOTP_SERVER' has been reset"

      }

    ]

  }

}

 

Scenario: TOTP user does not exist

HTTP/1.1 200 OK

Content-Type: application/json

{

  "result": {

    "errors": [

      {

        "message": "TOTP user 'qauser1001' is not present under Authserver 'TOTP_SERVER'"

      }

    ]

  }

}

Unlocking TOTP User

Request

curl -k -u <api-key>: https://<pcs-ip>/api/v1/totp/<TOTP-AUTH-SERVER-NAME>/users/<totp-user>?operation=unlock -X PUT

Example:

curl -k -u nNuALLLWajGujVF2yT4qyP4nYxy/nwXxBKp0CHu2AZQ=: https://3.3.125.4/api/v1/totp/TOTP_SERVER/users/qauser1001?operation=unlock -X PUT

Response

Scenario: TOTP user unlocked

HTTP/1.1 200 OK

Content-Type: application/json

{

  "result": {

    "info": [

     {

       "message": "TOTP user 'qauser1001' under Authserver 'TOTP_SERVER' has been unlocked"

     }

   ]

  }

}

Scenario: TOTP user cannot be unlocked

HTTP/1.1 200 OK

Content-Type: application/json

{

  "result": {

    "errors": [

      {

        "message": "Error: Only locked users can be unlocked"

      }

    ]

  }

}

VPN ACL creation

REQUEST:

PUT /api/v1/configuration/users/resource-policies/network-connect-policies/network-connect-acls

Host: xx.xxx.xxx.xxx

Authorization: Basic SkUyV1BaVjRjcGxleElRMnNiZXpYajE2dEVIUm9Oa05WWDdRWHh3MmpJZz06

Content-Type: application/json

{

"network-connect-acl": [

{

"action": "allow",

"apply": "all",

"description": "VPNACL",

"name": "VPNACL",

"resource": [

"*:*"

],

"resources-fqdn": null,

"resources-v6": null,

"roles": null,

"rules": {

"rule": []

}

}

]

}

RESPONSE:

HTTP/1.1 200 OK

Content-Length: 124

Content-Type: application/json

{

"result": {

"info": [

{

"message": "Operation succeeded without warning or error!"

}

]

}

}

 

REQUEST:

GET /api/v1/configuration/users/resource-policies/network-connect-policies/network-connect-acls

Host: xx.xxx.xxx.xxx

Authorization: Basic SkUyV1BaVjRjcGxleElRMnNiZXpYajE2dEVIUm9Oa05WWDdRWHh3MmpJZz06

Content-Type: application/json

RESPONSE:

HTTP/1.1 200 OK

Content-Length: 205

Content-Type: application/json

{

"network-connect-acl": [

{

"href": "/api/v1/configuration/users/resource-policies/network-connect-policies/network-connect-acls/network-connect-acl/VPNACL",

"name": "VPNACL"

}

]

}

Sample Error Responses

400 BAD REQUEST

Request

PUT /api/v1/configuration/users/user-realms/realm/testRealm/role-mapping-rules/rule/rule1 HTTP/1.1

Host: 10.209.112.106

Authorization: Basic Y1VPZE1XZ1ZubVEvVnIrcWwrd3lJY3F0Y05WTGhDVkx1M0wrdk5YR3hzVT06

Content-Type: application/json

{

    "name": "rule1",

    "roles": [

        "Users"

    ],

    "stop-rules-processing": "false",

    "user-name": {

        "test": "is",

        "user-names": [

            "*",

        ]

    }

}

Response

HTTP/1.1 400 BAD REQUEST

content-length: 92

content-type: application/json

{

"message": "The browser (or proxy) sent a request that this server could not understand."

}

Solution: The JSON body in the request is invalid (note the trailing comma after "*" in "user-names"). Check that the JSON is valid.

Request

PUT /api/v1/configuration/users/user-roles/user-role/rest-userrole-1 HTTP/1.1

Host: 10.209.113.88

Authorization: Basic MVhDbDJTSUhkV3ZjUkd6WXM1T1V3MU5wbHNmemJPbTJxSHI2NVZCdXp5bz06

{

    "name": "rest-userrole-1",

    "web": {

        "web-bookmarks": {

            "bookmark": [

                {

                    "auto-allow": "disable",

                    "description": "",

                    "name": "web-bm-1",

                    "new-window": "false",

                    "no-address-bar": "false",

                    "no-tool-bar": "false",

                    "parent": "--none--",

                    "standard": {

                        "url": "http://www.yahoo.com"

                    }

                }

            ]

        },

        "web-options": {

            "browsing-untrusted-sslsites": "true",

            "flash-content": "false",

            "hpxproxy-connection-timeout": "1800",

            "http-connection-timeout": "240",

            "java-applets": "true",

            "mask-hostname": "false",

            "persistent-cookies": "false",

            "rewrite-file-urls": "false",

            "rewrite-links-pdf": "false",

            "unrewritten-page-newwindow": "false",

            "user-add-bookmarks": "false",

            "user-enter-url": "false",

            "users-bypass-warnings": "false",

            "warn-certificate-issues": "true",

            "websocket-connection-timeout": "900"

        }

    }

}

Response

HTTP/1.1 400 BAD REQUEST

Content-Length: 99

Content-Type: application/json

{

    "result": {

        "errors": [

            {

                "message": "Accepts only JSON."

            }

        ]

    }

}

Solution: Include the "Content-Type" header in the request with the value "application/json", as used in the examples above.

403 Forbidden

Request

GET /api/v1/auth HTTP/1.1

Host: 10.209.112.106

Authorization: Basic YWRtaW5kYjpkYW5hMTIz

Content-Type: application/json

Response

HTTP/1.1 403 Forbidden

cache-control: no-store

connection: Keep-Alive

content-type: text/html; charset=utf-8

expires: -1

keep-alive: timeout=15

strict-transport-security: max-age=31536000

transfer-encoding: chunked

Solutions:

1. Make sure the admin user used for authentication has the "Allow access to REST APIs" option enabled from the admin UI.

2. Make sure the admin username and password passed in the Authorization header are correct.

3. If an api_key is available, use the api_key value as the username and an empty password in the Authorization header.

404 NOT FOUND

Request

GET /api/v1/configuration/users/user-realms/realm/testRealm/role-mapping-rules/rule HTTP/1.1

Host: 10.209.112.106

Authorization: Basic Y1VPZE1XZ1ZubVEvVnIrcWwrd3lJY3F0Y05WTGhDVkx1M0wrdk5YR3hzVT06

Response

HTTP/1.1 404 NOT FOUND

content-length: 213

content-type: application/json

{

    "result": {

        "errors": [

            {

                "message": "Invalid resource path; use \"users/user-realms/realm/testRealm/role-mapping-rules/rule/<resource-id>\" to access a specific resource"

            }

        ]

    }

}

Solution: The resource-id should be passed in the resource path, as shown in the example below.

Request

GET /api/v1/configuration/users/user-realms/realm/testRealm/role-mapping-rules/rule/rule1 HTTP/1.1

Host: 10.209.112.106

Authorization: Basic Y1VPZE1XZ1ZubVEvVnIrcWwrd3lJY3F0Y05WTGhDVkx1M0wrdk5YR3hzVT06

Response

HTTP/1.1 200 OK

content-length: 167

content-type: application/json

{

    "name": "rule1",

    "roles": [

        "Users"

    ],

    "stop-rules-processing": "false",

    "user-name": {

        "test": "is",

        "user-names": [

            "*"

        ]

    }

}

422 UNPROCESSABLE ENTITY

Request

POST /api/v1/configuration/users/user-realms/realm/testRealm/role-mapping-rules/rule/ HTTP/1.1

Host: 10.209.112.106

Authorization: Basic Y1VPZE1XZ1ZubVEvVnIrcWwrd3lJY3F0Y05WTGhDVkx1M0wrdk5YR3hzVT06

Content-Type: application/json

{

    "name": "rule2",

    "roles": [

        "Users",

        "testRole1"

    ],

    "stop-rules-processing": "false",

    "user-name": {

        "test": "is",

        "user-names": [

            "user1"

        ]

    }

}

Response

HTTP/1.1 422 UNPROCESSABLE ENTITY

content-length: 368

content-type: application/json

{

    "result": {

        "errors": [

            {

                "message": "[/users/user-realms/realm[name=testRealm]/role-mapping-rules/rule[name=rule2]/roles] Invalid reference: no 'User Roles' object found with identifier 'testRole1'."

            },

            {

                "message": "Failed to resolve path references"

            },

            {

                "message": "Commit failed"

            }

        ]

    }

}

Solution: Make sure all the referenced resources are created first using a POST call, and then repeat the request.
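Added example (not Ivanti code): the TOTP reset and unlock samples on this page return HTTP 200 OK with an "errors" list, so a client that checks only the status code records a failed operation as a success. The Python code below classifies a response by both status and body; the Outcome and interpret names are hypothetical, and the two sample bodies are copied from this page.

```python
import json
from dataclasses import dataclass, field

# Response bodies copied from the samples on this page.
TOTP_USER_MISSING = """{"result": {"errors": [{"message":
  "TOTP user 'qauser1001' is not present under Authserver 'TOTP_SERVER'"}]}}"""
PASSWORD_CHANGED = """{"result": {"warnings": [{"message":
  "The configuration has been implicitly changed"}]}}"""


@dataclass
class Outcome:
    status: int
    ok: bool
    info: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    errors: list = field(default_factory=list)
    data: object = None  # resource body returned by a GET, if any


def _messages(entries):
    """Pull the "message" strings out of an info/warnings/errors list."""
    if not isinstance(entries, list):
        return []
    return [str(e.get("message", "")) for e in entries if isinstance(e, dict)]


def interpret(status, body):
    """Classify one REST response from its status code and body text."""
    out = Outcome(status=status, ok=200 <= status < 300)
    if not body or not body.strip():
        return out  # for example 204 NO CONTENT after a DELETE
    try:
        doc = json.loads(body)
    except ValueError:
        # The 403 sample on this page is served as text/html, not JSON.
        out.ok = False
        out.errors.append("response body is not JSON")
        return out
    result = doc.get("result") if isinstance(doc, dict) else None
    if isinstance(result, dict):
        out.info = _messages(result.get("info"))
        out.warnings = _messages(result.get("warnings"))
        out.errors = _messages(result.get("errors"))
    elif status >= 400 and isinstance(doc, dict) and "message" in doc:
        # Shape of the 400 sample for a malformed JSON request body.
        out.errors.append(str(doc["message"]))
    else:
        out.data = doc
    if out.errors:
        out.ok = False  # an "errors" list is a failure even under 200 OK
    return out


if __name__ == "__main__":
    for label, status, body in [("totp reset", 200, TOTP_USER_MISSING),
                                ("password update", 200, PASSWORD_CHANGED),
                                ("delete sign-in URL", 204, "")]:
        print(label, interpret(status, body))
```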

Limitations

1. Configuration of large data objects (ESAP, Ivanti Secure Access Client package, custom sign-in pages, applets, and so on) is not qualified.

2. Resource names similar to resource tags (for example, vlans, roles) should be avoided when creating new resources.