Ivanti Neurons for Zero Trust Access Use Case
This chapter of the document will provide code snippets for different API call which can help tenant admins to configure secure access policy. These steps involve authenticating the API then adding all required components including user and user rules and finally configure Secure Access Policy using all the other components.
Steps automated in example use case:
- Preparing to configure the nZTA system, see Preparing to Configure the System.
- Adding a gateway, see Adding a ZTA Gateway.
- Adding an application, see Adding an Application.
- Adding a device rule and device policy, see Adding a Device Rule and Policy.
- Adding an auth server, see Adding an Authentication Server.
- Adding a user (local user), see Adding a Local User.
- Adding a user rule, see Adding a User Rule.
- Adding a user rule to a group, see Adding a User Rule.
- Adding a secure access policy, see Adding a Secure Access Policy.
Preparing to Configure the System
This section explains how to prepare to configure the nZTA system using its REST API.
The following Python modules needs to be imported to enable the code snippets in this chapter:
Copy
import requests
import jsonThe following parameters are required to enable the code snippets in this chapter:
Copy
SSLCertverify = False
apiHeaders = {'Content-type': 'application/json', 'Accept': 'application/json'}
headers = {"Content-Type": "application/json"}
user_name = 'admin'
passwrd = 'admin_password'
api_version = 'api/v1/'
api = 'api/'
host_url = 'https://<tenant_domain_name>/'
cookies = {"DSID": ""}You can use the following CURL command format uses the DSID to query the REST API server:
Copy
curl -v --cookie "DSID=<value>" <api_request_url>Adding a ZTA Gateway
Adding a gateway involves multiple API calls, including getting
city_id and using that to add the gateway. You can then get
the gateway ID to enable gateway configuration.
Copy
def add_gateways():
'''
Get country code to get the city_id which is one of the parameters needed for adding gateway.
'''
get_country_code_url = host_url + api + "locations/countries"
country_list = requests.get(get_country_code_url,cookies=cookies)
country_list_json = country_list.json()
country_id = "241"
for country_details in country_list_json["items"]:
if country_details["country"]["name"] == "United States":
country_id = country_details["country"]["id"]
# one we get the country ID use that ID to get the list of cities with respective ID, following request will illustrates process of getting city_id
state_id = "3512"
get_state_code_url = host_url + api + "locations/states?country="+str(country_id)
state_code_json = requests.get(get_state_code_url,cookies=cookies)
state_list_json = state_code_json.json()
for state_details in state_list_json["items"]:
#print state_details
if state_details["state"]["name"] == "California":
state_id = state_details["state"]["id"]
# following api call is get the city id using country and state id which are retrived from previous two calls. This logic will filter for San Jose city to get the city_id
get_city_code_url = host_url + api + "locations/cities?country="+str(country_id)+"&state="+str(state_id)
city_list = requests.get(get_city_code_url,cookies=cookies)
city_list_json = city_list.json()
city_id="12631"
for cities in city_list_json["items"]:
if cities["city"]["name"] == "San Jose":
city_id = cities["city"]["id"]
# following step will help us add a gateway to Controller using API call
input_gateways = {"name": "gw4","orchestration": {"type": "vsphere"}}
gateway_location = {}
gateway_location["city_id"] = city_id
input_gateways["location"]=gateway_location
# input_gateways variable input all the required parameters such as gateway name, orchestration type and city id for gateway api which is post method.
request_uri = host_url + api + "gateways"
output = requests.post(request_uri, data=json.dumps(input_gateways), cookies=cookies, headers=headers)
status_code = output.status_code
response_json = output.json()
print response_json
gateway_id=response_json["id"]
input_data='{"service_account_id":None,"appliance_config":{"external_gateway":"192.168.114.251","external_ip_address":"192.168.14.11","external_subnet":"255.255.255.0","external_vlan":"-1","internal_fqdn":"","internal_gateway":"172.96.14.1","internal_ip_address":"172.96.14.60","internal_subnet":"255.255.255.0","internal_vlan":"-1","management_gateway":"172.96.14.1","management_ip_address":"172.96.14.61","management_subnet":"255.255.255.0","management_vlan":"-1","primary_dns":"142.21.0.15","private_domain_name":"psecure.net","secondary_dns":"8.8.8.8","dns_search_domain":"psecure.net","public_ip_address":"192.168.14.11",},"deployment_config":None,}'
request_uri = request_uri + "/" + gateway_id + "/" + "orchestration"
print request_uri
output = requests.post(request_uri, data=json.dumps(input_data), cookies=cookies, headers=headers)
print output.jsonAdding an Application
To add an application, use a policies/resources API call with the type set to "application". For example:
Copy
def add_application():
input_data = {"type":"application","name":"app1","description":"app1","app_config":{"access_type":"application","name":"app1","resource":"https://www.intuit.com","resource_type":"url","bookmark_config":{"name":"app1","type":"web","description":"app1","launch_window":True,"url":"https://www.intuit.com","icon":""}}}
add_application_url = host_url+api_version+"policies/resources"
print add_application_url
add_application_output = requests.post(add_application_url,data=json.dumps(input_data),cookies=cookies, headers=headers)
print add_application_output.textOutput for this code is below:
Copy
{
"allow_delete": true,
"app_config": {
"access_type": "application",
"bookmark_config": {
"description": "app1",
"icon": "",
"id": "3ddf5e1b0d35d3f8ca8da7ded4f6f0a",
"launch_window": true,
"name": "app1",
"type": "web",
"url": "https://www.intuit.com"
}
"id": "4899a9fe06e64316a17891fff401bc6a",
"name": "app1",
"resource": "https://www.intuit.com",
"resource_type": "url"
}
"description": "app1",
"id": "4899a9fe06e64316a17891fff401bc6a",
"name": "app1",
"type": "application"
}Adding a Device Rule and Policy
Create a device rule:
Copy
def create_device_rule():
input_data = {
"name":"device_rule_1",
"description":"device_rule_1",
"network_config": {
"ip_address":"192.168.1.1",
"netmask":"255.255.255.0",
"mode":"allow"
},
"label":"moderate",
"type":"network"
}
add_device_rule_url = host_url+api_version+"policies/device-policies/rules"
add_device_rule_output = requests.post(add_device_rule_url,data=json.dumps(input_data),cookies=cookies, headers=headers)
print add_device_rule_output.textCreate a device policy using the device rule:
Copy
def add_device_policy2_device_rule():
input_data = {
"name": "device_policy_1",
"description": "device_policy_1"
}
add_policy_device_rule_url = host_url+api_version+"policies/device-policies/groups"
add_policy_device_rule_output = requests.post(add_policy_device_rule_url,data=json.dumps(input_data),cookies=cookies, headers=headers)
print add_policy_device_rule_output.textAdding an Authentication Server
Create an authentication server:
Copy
def add_local_auth_server():
input_data = {
"name": "auth_server_1",
"type": "Local",
"local_config": {
"users": []
}
}
add_local_auth_server_url= host_url+api_version+"policies/auth-servers"
add_local_auth_server_output = requests.post(add_local_auth_server_url,data=json.dumps(input_data),cookies=cookies, headers=headers)
print add_local_auth_server_output.textAdding a Local User
Add a user to the local authentication server:
Copy
def add_user_AuthServers():
#global auth_server_id
# get list of auth servers
auth_server_id = ""
get_authserver_request_uri = host_url + api_version + "policies/auth-servers"
auth_servers = requests.get(get_authserver_request_uri,cookies=cookies, headers=headers)
for server_details in json.loads(auth_servers.text)["auth_servers"]:
if server_details["name"] == "auth_server_1":
auth_server_id = server_details["id"]
# API call uses auth_server_id to update auth_server with new user details.
input_data = {"name": "newuser1", "full_name": "newuser1", "password": "dana123"}
request_uri = host_url + api_version + "policies/auth-servers" + "/" + auth_server_id + "/users"
add_user_response = requests.post(request_uri,data=json.dumps(input_data),cookies=cookies, headers=headers)
print add_user_response.textUpdate the user authentication policy to use the auth server:
Copy
def update_user_auth_policy():
input_payload = {
"type": "sign_in"
}
auth_server_id = ""
default_user_policies_uri = host_url + api_version + "policies/resources"
get_default_user_policies_response = requests.get(default_user_policies_uri,params=input_payload,cookies=cookies)
# for this response we will get user_policy_id which for type sing in and realm ZTA users and update the primary_auth_server_id value with auth server ID.
# get the Auth server ID with name auth_server_1, this auth server we added in previous steps.
get_authserver_request_uri = host_url + api_version + "policies/auth-servers"
auth_servers = requests.get(get_authserver_request_uri,cookies=cookies, headers=headers)
for server_details in json.loads(auth_servers.text)["auth_servers"]:
if server_details["name"] == "auth_server_1":
auth_server_id = server_details["id"]
# now update the input_payload for updating user signin policy primary_auth_server_id during the put call.
for user_policy_details in json.loads(get_default_user_policies_response.text)["items"]:
if user_policy_details["sign_in_config"]["realm"] == "ZTA Users":
request_uri = default_user_policies_uri + "/" + user_policy_details["id"]
input_data = user_policy_details
input_data["sign_in_config"]["primary_auth_server_id"] = auth_server_id
update_user_policy_details_output = requests.put(request_uri, data=json.dumps(input_data), cookies=cookies, headers=headers)
print update_user_policy_details_output.textAdding a User Rule
Create a user rule:
Copy
def add_user_rule():
input_data = {
"name":"user_rule_1",
"type":"username",
"value":"user_rule_1",
"attribute":"is"
}
request_uri = host_url + api_version + "policies/role-mapping-rules"
output_add_user_rule = requests.post(request_uri, data=json.dumps(intput_data), cookies=cookies, headers=headers)
print output_add_user_rule.textThe output of this code is below:
Copy
{
"attribute": "is",
"id": "8970619481ba470c82c114a20bee3a07",
"name": "user_rule_1",
"type": "username",
"value": "user_rule_1"
}Adding a User Rule to a Group
Create a user group of type User Signin Policy, and add the above user rule to the group:
Copy
def add_user_group():
input_payload = {
"type": "sign_in"
}
auth_server_id = ""
default_user_policies_uri = host_url + api_version + "policies/resources"
get_default_user_policies_response = requests.get(default_user_policies_uri,params=input_payload,cookies=cookies)
user_policy_id = ""
# now update the input_payload for updating user signin policy primary_auth_server_id during the put call.
for user_policy_details in json.loads(get_default_user_policies_response.text)["items"]:
if user_policy_details["sign_in_config"]["realm"] == "ZTA Users":
user_policy_id = user_policy_details["id"]
input_data = {
"name":"user_group_1",
"sign_in_policy_id":"",
"description":"user_group_1",
"rules":[]
}
input_data["sign_in_policy_id"] = user_policy_id
request_uri = host_url + api_version + "policies/user-rule-groups"
output_add_user_rule = requests.post(request_uri, data=json.dumps(input_data), cookies=cookies, headers=headers)
print output_add_user_rule.textThe output of this code is below:
Copy
{
"allow_delete": true,
"description": "user_group_1",
"id": "3e99edd4e5534ca6a322a404e8c26d4a",
"name": "user_group_1",
"role_config": {
"id": "612dc9de1e5148748a378742a5d2311e",
"name": "user_group_1",
"redirect_url": "/user",
"type"L "user"
}
"role_id": "612dc9de1e5148748a378742a5d2311e",
"sign_in_config": {
"id": "21ff78e93fda4b0c86e7af96dfa75680",
"policy_type": "user",
"primary_auth_server_config": {
"id": "0a867da874cd426cbe6acd2efba149ec",
"name": "auth_server_1",
"type": "Local"
}
"primary_auth_server_id": "0a867da874cd426cbe6acd2efba149ec",
"realm": "ZTA Users",
"url_pattern": "*/login/",
"use_as_saml_idp": false
}
sign_in_policy_id": "21ff78e93fda4b0c86e7af96dfa75680"
}Adding a Secure Access Policy
Finally, publish a secure access policy using all of the above:
Copy
def add_secure_access_policy():
input_data = {
"type":"application",
"resource_type":"single",
"user_rule_group_id":"",
"gateway_type":"single",
"gateway_id":"",
"resource_id":"",
"device_policy_id":""
}
# all values in following 4 lines derived from different API calls made in all previous examples
input_data["user_rule_group_id"] = "3e99edd4e5534ca6a322a404e8c26d4a"
input_data["gateway_id"] = "edb5fc9969304619b6cb976a2a6101e6"
input_data["resource_id"] = "4899a9fe06e64316a17891fff401bc6a"
input_data["device_policy_id"] = "e639512d55fb47e5940d9b8053916629"
request_uri = host_url + api_version + "policies/secure-access-policies"
output_add_secureaccess_policy = requests.post(request_uri, data=json.dumps(input_data), cookies=cookies, headers=headers)
print output_add_secureaccess_policy.textThe output of this code is below:
Copy
{
"device_policy_config": {
"name": "device_policy_1"
}
"device_policy_id": "e639512d55fb47e5940d9b8053916629",
"gateway_id": "edb5fc9969304619b6cb976a2a6101e6",
"gateway_type": "single",
"id": "1b87430b470a44cda082fb638fa87ae2",
"resource_config": {
"name": "app1"
}
"resource_id": "4899a9fe06e64316a17891fff401bc6a",
"resource_type": "single",
"type": "application",
"user_rule_group_config": {
"name": "user_group_1",
"role_config": {
"id": "612dc9de1e5148748a378742a5d2311e",
"name": "user_group_1",
"redirect_url": "/user",
"type": "user"
}
}
"user_rule_group_id": "3e99edd4e5534ca6a322a404e8c26d4a"
}