Ivanti Neurons for Zero Trust Access Use Case

This chapter of the document will provide code snippets for different API call which can help tenant admins to configure secure access policy. These steps involve authenticating the API then adding all required components including user and user rules and finally configure Secure Access Policy using all the other components.

Steps automated in example use case:

Preparing to Configure the System

This section explains how to prepare to configure the nZTA system using its REST API.

The following Python modules needs to be imported to enable the code snippets in this chapter:

Copy
import requests
import json

The following parameters are required to enable the code snippets in this chapter:

Copy
SSLCertverify = False
apiHeaders = {'Content-type': 'application/json', 'Accept': 'application/json'}
headers = {"Content-Type": "application/json"}
user_name = 'admin'
passwrd = 'admin_password'
api_version = 'api/v1/'
api = 'api/'
host_url = 'https://<tenant_domain_name>/'
cookies = {"DSID": ""}

You can use the following CURL command format uses the DSID to query the REST API server:

Copy
curl -v --cookie "DSID=<value>" <api_request_url>

Adding a ZTA Gateway

Adding a gateway involves multiple API calls, including getting city_id and using that to add the gateway. You can then get the gateway ID to enable gateway configuration.

Copy
def add_gateways():
    '''
    Get country code to get the city_id which is one of the parameters needed for adding gateway.
    '''
    get_country_code_url = host_url + api + "locations/countries"
    country_list = requests.get(get_country_code_url,cookies=cookies)
    country_list_json = country_list.json()
    country_id = "241"
    for country_details in country_list_json["items"]:
        if country_details["country"]["name"] == "United States":
            country_id = country_details["country"]["id"]
     # one we get the country ID use that ID to get the list of cities with respective ID, following request will illustrates process of getting city_id
    state_id = "3512"
    get_state_code_url = host_url + api + "locations/states?country="+str(country_id)
    state_code_json = requests.get(get_state_code_url,cookies=cookies)
    state_list_json = state_code_json.json()
    for state_details in state_list_json["items"]:
        #print state_details
        if state_details["state"]["name"] == "California":
            state_id = state_details["state"]["id"]
    # following api call is get the city id using country and state id which are retrived from previous two calls. This logic will filter for San Jose city to get the city_id
    get_city_code_url = host_url + api + "locations/cities?country="+str(country_id)+"&state="+str(state_id)
    city_list = requests.get(get_city_code_url,cookies=cookies)
    city_list_json = city_list.json()
    city_id="12631"
    for cities in city_list_json["items"]:
        if cities["city"]["name"] == "San Jose":
            city_id = cities["city"]["id"]
    # following step will help us add a gateway to Controller using API call
    input_gateways = {"name": "gw4","orchestration": {"type": "vsphere"}}
    gateway_location = {}
    gateway_location["city_id"] = city_id
    input_gateways["location"]=gateway_location
    # input_gateways variable input all the required parameters such as gateway name, orchestration type and city id for gateway api which is post method.
    request_uri = host_url + api + "gateways"
    output = requests.post(request_uri, data=json.dumps(input_gateways), cookies=cookies, headers=headers)
    status_code = output.status_code
    response_json = output.json()
    print response_json
    gateway_id=response_json["id"]
    input_data='{"service_account_id":None,"appliance_config":{"external_gateway":"192.168.114.251","external_ip_address":"192.168.14.11","external_subnet":"255.255.255.0","external_vlan":"-1","internal_fqdn":"","internal_gateway":"172.96.14.1","internal_ip_address":"172.96.14.60","internal_subnet":"255.255.255.0","internal_vlan":"-1","management_gateway":"172.96.14.1","management_ip_address":"172.96.14.61","management_subnet":"255.255.255.0","management_vlan":"-1","primary_dns":"142.21.0.15","private_domain_name":"psecure.net","secondary_dns":"8.8.8.8","dns_search_domain":"psecure.net","public_ip_address":"192.168.14.11",},"deployment_config":None,}'
    request_uri = request_uri + "/" + gateway_id + "/" + "orchestration"
    print request_uri
    output = requests.post(request_uri, data=json.dumps(input_data), cookies=cookies, headers=headers)
    print output.json

Adding an Application

To add an application, use a policies/resources API call with the type set to "application". For example:

Copy
def add_application():
    input_data = {"type":"application","name":"app1","description":"app1","app_config":{"access_type":"application","name":"app1","resource":"https://www.intuit.com","resource_type":"url","bookmark_config":{"name":"app1","type":"web","description":"app1","launch_window":True,"url":"https://www.intuit.com","icon":""}}}
    add_application_url = host_url+api_version+"policies/resources"
    print add_application_url
    add_application_output = requests.post(add_application_url,data=json.dumps(input_data),cookies=cookies, headers=headers)
    print add_application_output.text

Output for this code is below:

Copy
{
   "allow_delete": true,
   "app_config": {
      "access_type": "application",
      "bookmark_config": {
         "description": "app1",
         "icon": "",
         "id": "3ddf5e1b0d35d3f8ca8da7ded4f6f0a",
         "launch_window": true,
         "name": "app1",
         "type": "web",
         "url": "https://www.intuit.com"
      }
      "id": "4899a9fe06e64316a17891fff401bc6a",
      "name": "app1",
      "resource": "https://www.intuit.com",
      "resource_type": "url"
   }
   "description": "app1",
   "id": "4899a9fe06e64316a17891fff401bc6a",
   "name": "app1",
   "type": "application"
}

Adding a Device Rule and Policy

Create a device rule:

Copy
def create_device_rule():
    input_data = {
       "name":"device_rule_1",
       "description":"device_rule_1",
       "network_config": {
          "ip_address":"192.168.1.1",
          "netmask":"255.255.255.0",
          "mode":"allow"
       },
       "label":"moderate",
       "type":"network"
    }
    add_device_rule_url = host_url+api_version+"policies/device-policies/rules"
    add_device_rule_output = requests.post(add_device_rule_url,data=json.dumps(input_data),cookies=cookies, headers=headers)
    print add_device_rule_output.text

Create a device policy using the device rule:

Copy
def add_device_policy2_device_rule():
    input_data = {
       "name": "device_policy_1",
       "description": "device_policy_1"
    }
    add_policy_device_rule_url = host_url+api_version+"policies/device-policies/groups"
    add_policy_device_rule_output = requests.post(add_policy_device_rule_url,data=json.dumps(input_data),cookies=cookies, headers=headers)
    print add_policy_device_rule_output.text

Adding an Authentication Server

Create an authentication server:

Copy
def add_local_auth_server():
    input_data = {
       "name": "auth_server_1",
       "type": "Local",
       "local_config": {
          "users": []
       }
    }
    add_local_auth_server_url= host_url+api_version+"policies/auth-servers"
    add_local_auth_server_output = requests.post(add_local_auth_server_url,data=json.dumps(input_data),cookies=cookies, headers=headers)
    print add_local_auth_server_output.text

Adding a Local User

Add a user to the local authentication server:

Copy
def add_user_AuthServers():
    #global auth_server_id
    # get list of auth servers
    auth_server_id = ""
    get_authserver_request_uri = host_url + api_version + "policies/auth-servers"
    auth_servers = requests.get(get_authserver_request_uri,cookies=cookies, headers=headers)
    for server_details in json.loads(auth_servers.text)["auth_servers"]:
        if server_details["name"] == "auth_server_1":
            auth_server_id = server_details["id"]
# API call uses auth_server_id to update auth_server with new user details.
    input_data = {"name": "newuser1", "full_name": "newuser1", "password": "dana123"}
    request_uri = host_url + api_version + "policies/auth-servers" + "/" + auth_server_id + "/users"
    add_user_response = requests.post(request_uri,data=json.dumps(input_data),cookies=cookies, headers=headers)
    print add_user_response.text

Update the user authentication policy to use the auth server:

Copy
def update_user_auth_policy():
    input_payload = {
       "type": "sign_in"
    }
    auth_server_id = ""
    default_user_policies_uri = host_url + api_version + "policies/resources"
    get_default_user_policies_response = requests.get(default_user_policies_uri,params=input_payload,cookies=cookies)
    # for this response we will get user_policy_id which for type sing in and realm ZTA users and update the primary_auth_server_id value with auth server ID.
    # get the Auth server ID with name auth_server_1, this auth server we added in previous steps.
    get_authserver_request_uri = host_url + api_version + "policies/auth-servers"
    auth_servers = requests.get(get_authserver_request_uri,cookies=cookies, headers=headers)
    for server_details in json.loads(auth_servers.text)["auth_servers"]:
        if server_details["name"] == "auth_server_1":
            auth_server_id = server_details["id"]
    # now update the input_payload for updating user signin policy primary_auth_server_id during the put call.
    for user_policy_details in json.loads(get_default_user_policies_response.text)["items"]:
        if user_policy_details["sign_in_config"]["realm"] == "ZTA Users":
            request_uri = default_user_policies_uri + "/" + user_policy_details["id"]
            input_data = user_policy_details
            input_data["sign_in_config"]["primary_auth_server_id"] = auth_server_id
            update_user_policy_details_output = requests.put(request_uri, data=json.dumps(input_data), cookies=cookies, headers=headers)
            print update_user_policy_details_output.text

Adding a User Rule

Create a user rule:

Copy
def add_user_rule():
    input_data = {
       "name":"user_rule_1",
       "type":"username",
       "value":"user_rule_1",
       "attribute":"is"
    }
    request_uri = host_url + api_version + "policies/role-mapping-rules"
    output_add_user_rule = requests.post(request_uri, data=json.dumps(intput_data), cookies=cookies, headers=headers)
    print output_add_user_rule.text

The output of this code is below:

Copy
{
   "attribute": "is",
   "id": "8970619481ba470c82c114a20bee3a07",
   "name": "user_rule_1",
   "type": "username",
   "value": "user_rule_1"
}

Adding a User Rule to a Group

Create a user group of type User Signin Policy, and add the above user rule to the group:

Copy
def add_user_group():
    input_payload = {
       "type": "sign_in"
    }
    auth_server_id = ""
    default_user_policies_uri = host_url + api_version + "policies/resources"
    get_default_user_policies_response = requests.get(default_user_policies_uri,params=input_payload,cookies=cookies)
    user_policy_id = ""
    # now update the input_payload for updating user signin policy primary_auth_server_id during the put call.
    for user_policy_details in json.loads(get_default_user_policies_response.text)["items"]:
        if user_policy_details["sign_in_config"]["realm"] == "ZTA Users":
           user_policy_id = user_policy_details["id"]
    input_data = {
       "name":"user_group_1",
       "sign_in_policy_id":"",
       "description":"user_group_1",
       "rules":[]
    }
    input_data["sign_in_policy_id"] = user_policy_id
    request_uri = host_url + api_version + "policies/user-rule-groups"
    output_add_user_rule = requests.post(request_uri, data=json.dumps(input_data), cookies=cookies, headers=headers)
    print output_add_user_rule.text

The output of this code is below:

Copy
{
   "allow_delete": true,
   "description": "user_group_1",
   "id": "3e99edd4e5534ca6a322a404e8c26d4a",
   "name": "user_group_1",
   "role_config": {
      "id": "612dc9de1e5148748a378742a5d2311e",
      "name": "user_group_1",
      "redirect_url": "/user",
      "type"L "user"
   }
   "role_id": "612dc9de1e5148748a378742a5d2311e",
   "sign_in_config": {
      "id": "21ff78e93fda4b0c86e7af96dfa75680",
      "policy_type": "user",
      "primary_auth_server_config": {
         "id": "0a867da874cd426cbe6acd2efba149ec",
         "name": "auth_server_1",
         "type": "Local"
      }
      "primary_auth_server_id": "0a867da874cd426cbe6acd2efba149ec",
      "realm": "ZTA Users",
      "url_pattern": "*/login/",
      "use_as_saml_idp": false
   }
   sign_in_policy_id": "21ff78e93fda4b0c86e7af96dfa75680"
}

Adding a Secure Access Policy

Finally, publish a secure access policy using all of the above:

Copy
def add_secure_access_policy():
    input_data = {
       "type":"application",
       "resource_type":"single",
       "user_rule_group_id":"",
       "gateway_type":"single",
       "gateway_id":"",
       "resource_id":"",
       "device_policy_id":""
    }
    # all values in following 4 lines derived from different API calls made in all previous examples
    input_data["user_rule_group_id"] = "3e99edd4e5534ca6a322a404e8c26d4a"
    input_data["gateway_id"] = "edb5fc9969304619b6cb976a2a6101e6"
    input_data["resource_id"] = "4899a9fe06e64316a17891fff401bc6a"
    input_data["device_policy_id"] = "e639512d55fb47e5940d9b8053916629"
    request_uri = host_url + api_version + "policies/secure-access-policies"
    output_add_secureaccess_policy = requests.post(request_uri, data=json.dumps(input_data), cookies=cookies, headers=headers)
    print output_add_secureaccess_policy.text

The output of this code is below:

Copy
{
   "device_policy_config": {
      "name": "device_policy_1"
   }
   "device_policy_id": "e639512d55fb47e5940d9b8053916629",
   "gateway_id": "edb5fc9969304619b6cb976a2a6101e6",
   "gateway_type": "single",
   "id": "1b87430b470a44cda082fb638fa87ae2",
   "resource_config": {
      "name": "app1"
   }
   "resource_id": "4899a9fe06e64316a17891fff401bc6a",
   "resource_type": "single",
   "type": "application",
   "user_rule_group_config": {
      "name": "user_group_1",
      "role_config": {
         "id": "612dc9de1e5148748a378742a5d2311e",
         "name": "user_group_1",
         "redirect_url": "/user",
         "type": "user"
      }
   }
   "user_rule_group_id": "3e99edd4e5534ca6a322a404e8c26d4a"
}