Ivanti Neurons for Zero Trust Access Use Case¶
This chapter of the document will provide code snippets for different API call which can help tenant admins to configure secure access policy. These steps involve authenticating the API then adding all required components including user and user rules and finally configure Secure Access Policy using all the other components.
Steps automated in example use case:
Preparing to configure the nZTA system, see Preparing to Configure the System.
Adding a gateway, see Adding a ZTA Gateway.
Adding an application, see Adding an Application.
Adding a device rule and device policy, see Adding a Device Rule and Policy.
Adding an auth server, see Adding an Authentication Server.
Adding a user (local user), see Adding a Local User.
Adding a user rule, see Adding a User Rule.
Adding a user rule to a group, see Adding a User Rule.
Adding a secure access policy, see Adding a Secure Access Policy.
Preparing to Configure the System¶
This section explains how to prepare to configure the nZTA system using its REST API.
The following Python modules needs to be imported to enable the code snippets in this chapter:
import requests
import json
The following parameters are required to enable the code snippets in this chapter:
SSLCertverify = False
apiHeaders = {'Content-type': 'application/json', 'Accept': 'application/json'}
headers = {"Content-Type": "application/json"}
user_name = 'admin'
passwrd = 'admin_password'
api_version = 'api/v1/'
api = 'api/'
host_url = 'https://<tenant_domain_name>/'
cookies = {"DSID": ""}
You can use the following CURL command format uses the DSID to query the REST API server:
curl -v --cookie "DSID=<value>" <api_request_url>
Adding a ZTA Gateway¶
Adding a gateway involves multiple API calls, including getting city_id and using that to add the gateway. You can then get the gateway ID to enable gateway configuration.
def add_gateways():
'''
Get country code to get the city_id which is one of the parameters needed for adding gateway.
'''
get_country_code_url = host_url + api + "locations/countries"
country_list = requests.get(get_country_code_url,cookies=cookies)
country_list_json = country_list.json()
country_id = "241"
for country_details in country_list_json["items"]:
if country_details["country"]["name"] == "United States":
country_id = country_details["country"]["id"]
# one we get the country ID use that ID to get the list of cities with respective ID, following request will illustrates process of getting city_id
state_id = "3512"
get_state_code_url = host_url + api + "locations/states?country="+str(country_id)
state_code_json = requests.get(get_state_code_url,cookies=cookies)
state_list_json = state_code_json.json()
for state_details in state_list_json["items"]:
#print state_details
if state_details["state"]["name"] == "California":
state_id = state_details["state"]["id"]
# following api call is get the city id using country and state id which are retrived from previous two calls. This logic will filter for San Jose city to get the city_id
get_city_code_url = host_url + api + "locations/cities?country="+str(country_id)+"&state="+str(state_id)
city_list = requests.get(get_city_code_url,cookies=cookies)
city_list_json = city_list.json()
city_id="12631"
for cities in city_list_json["items"]:
if cities["city"]["name"] == "San Jose":
city_id = cities["city"]["id"]
# following step will help us add a gateway to Controller using API call
input_gateways = {"name": "gw4","orchestration": {"type": "vsphere"}}
gateway_location = {}
gateway_location["city_id"] = city_id
input_gateways["location"]=gateway_location
# input_gateways variable input all the required parameters such as gateway name, orchestration type and city id for gateway api which is post method.
request_uri = host_url + api + "gateways"
output = requests.post(request_uri, data=json.dumps(input_gateways), cookies=cookies, headers=headers)
status_code = output.status_code
response_json = output.json()
print response_json
gateway_id=response_json["id"]
input_data='{"service_account_id":None,"appliance_config":{"external_gateway":"192.168.114.251","external_ip_address":"192.168.14.11","external_subnet":"255.255.255.0","external_vlan":"-1","internal_fqdn":"","internal_gateway":"172.96.14.1","internal_ip_address":"172.96.14.60","internal_subnet":"255.255.255.0","internal_vlan":"-1","management_gateway":"172.96.14.1","management_ip_address":"172.96.14.61","management_subnet":"255.255.255.0","management_vlan":"-1","primary_dns":"142.21.0.15","private_domain_name":"psecure.net","secondary_dns":"8.8.8.8","dns_search_domain":"psecure.net","public_ip_address":"192.168.14.11",},"deployment_config":None,}'
request_uri = request_uri + "/" + gateway_id + "/" + "orchestration"
print request_uri
output = requests.post(request_uri, data=json.dumps(input_data), cookies=cookies, headers=headers)
print output.json
Adding an Application¶
To add an application, use a policies/resources API call with the type set to “application”. For example:
def add_application():
input_data = {"type":"application","name":"app1","description":"app1","app_config":{"access_type":"application","name":"app1","resource":"https://www.intuit.com","resource_type":"url","bookmark_config":{"name":"app1","type":"web","description":"app1","launch_window":True,"url":"https://www.intuit.com","icon":""}}}
add_application_url = host_url+api_version+"policies/resources"
print add_application_url
add_application_output = requests.post(add_application_url,data=json.dumps(input_data),cookies=cookies, headers=headers)
print add_application_output.text
Output for this code is below:
{
"allow_delete": true,
"app_config": {
"access_type": "application",
"bookmark_config": {
"description": "app1",
"icon": "",
"id": "3ddf5e1b0d35d3f8ca8da7ded4f6f0a",
"launch_window": true,
"name": "app1",
"type": "web",
"url": "https://www.intuit.com"
}
"id": "4899a9fe06e64316a17891fff401bc6a",
"name": "app1",
"resource": "https://www.intuit.com",
"resource_type": "url"
}
"description": "app1",
"id": "4899a9fe06e64316a17891fff401bc6a",
"name": "app1",
"type": "application"
}
Adding a Device Rule and Policy¶
Create a device rule:
def create_device_rule():
input_data = {
"name":"device_rule_1",
"description":"device_rule_1",
"network_config": {
"ip_address":"192.168.1.1",
"netmask":"255.255.255.0",
"mode":"allow"
},
"label":"moderate",
"type":"network"
}
add_device_rule_url = host_url+api_version+"policies/device-policies/rules"
add_device_rule_output = requests.post(add_device_rule_url,data=json.dumps(input_data),cookies=cookies, headers=headers)
print add_device_rule_output.text
Create a device policy using the device rule:
def add_device_policy2_device_rule():
input_data = {
"name": "device_policy_1",
"description": "device_policy_1"
}
add_policy_device_rule_url = host_url+api_version+"policies/device-policies/groups"
add_policy_device_rule_output = requests.post(add_policy_device_rule_url,data=json.dumps(input_data),cookies=cookies, headers=headers)
print add_policy_device_rule_output.text
Adding an Authentication Server¶
Create an authentication server:
def add_local_auth_server():
input_data = {
"name": "auth_server_1",
"type": "Local",
"local_config": {
"users": []
}
}
add_local_auth_server_url= host_url+api_version+"policies/auth-servers"
add_local_auth_server_output = requests.post(add_local_auth_server_url,data=json.dumps(input_data),cookies=cookies, headers=headers)
print add_local_auth_server_output.text
Adding a Local User¶
Add a user to the local authentication server:
def add_user_AuthServers():
#global auth_server_id
# get list of auth servers
auth_server_id = ""
get_authserver_request_uri = host_url + api_version + "policies/auth-servers"
auth_servers = requests.get(get_authserver_request_uri,cookies=cookies, headers=headers)
for server_details in json.loads(auth_servers.text)["auth_servers"]:
if server_details["name"] == "auth_server_1":
auth_server_id = server_details["id"]
# API call uses auth_server_id to update auth_server with new user details.
input_data = {"name": "newuser1", "full_name": "newuser1", "password": "dana123"}
request_uri = host_url + api_version + "policies/auth-servers" + "/" + auth_server_id + "/users"
add_user_response = requests.post(request_uri,data=json.dumps(input_data),cookies=cookies, headers=headers)
print add_user_response.text
Update the user authentication policy to use the auth server:
def update_user_auth_policy():
input_payload = {
"type": "sign_in"
}
auth_server_id = ""
default_user_policies_uri = host_url + api_version + "policies/resources"
get_default_user_policies_response = requests.get(default_user_policies_uri,params=input_payload,cookies=cookies)
# for this response we will get user_policy_id which for type sing in and realm ZTA users and update the primary_auth_server_id value with auth server ID.
# get the Auth server ID with name auth_server_1, this auth server we added in previous steps.
get_authserver_request_uri = host_url + api_version + "policies/auth-servers"
auth_servers = requests.get(get_authserver_request_uri,cookies=cookies, headers=headers)
for server_details in json.loads(auth_servers.text)["auth_servers"]:
if server_details["name"] == "auth_server_1":
auth_server_id = server_details["id"]
# now update the input_payload for updating user signin policy primary_auth_server_id during the put call.
for user_policy_details in json.loads(get_default_user_policies_response.text)["items"]:
if user_policy_details["sign_in_config"]["realm"] == "ZTA Users":
request_uri = default_user_policies_uri + "/" + user_policy_details["id"]
input_data = user_policy_details
input_data["sign_in_config"]["primary_auth_server_id"] = auth_server_id
update_user_policy_details_output = requests.put(request_uri, data=json.dumps(input_data), cookies=cookies, headers=headers)
print update_user_policy_details_output.text
Adding a User Rule¶
Create a user rule:
def add_user_rule():
input_data = {
"name":"user_rule_1",
"type":"username",
"value":"user_rule_1",
"attribute":"is"
}
request_uri = host_url + api_version + "policies/role-mapping-rules"
output_add_user_rule = requests.post(request_uri, data=json.dumps(intput_data), cookies=cookies, headers=headers)
print output_add_user_rule.text
The output of this code is below:
{
"attribute": "is",
"id": "8970619481ba470c82c114a20bee3a07",
"name": "user_rule_1",
"type": "username",
"value": "user_rule_1"
}
Adding a User Rule to a Group¶
Create a user group of type User Signin Policy, and add the above user rule to the group:
def add_user_group():
input_payload = {
"type": "sign_in"
}
auth_server_id = ""
default_user_policies_uri = host_url + api_version + "policies/resources"
get_default_user_policies_response = requests.get(default_user_policies_uri,params=input_payload,cookies=cookies)
user_policy_id = ""
# now update the input_payload for updating user signin policy primary_auth_server_id during the put call.
for user_policy_details in json.loads(get_default_user_policies_response.text)["items"]:
if user_policy_details["sign_in_config"]["realm"] == "ZTA Users":
user_policy_id = user_policy_details["id"]
input_data = {
"name":"user_group_1",
"sign_in_policy_id":"",
"description":"user_group_1",
"rules":[]
}
input_data["sign_in_policy_id"] = user_policy_id
request_uri = host_url + api_version + "policies/user-rule-groups"
output_add_user_rule = requests.post(request_uri, data=json.dumps(input_data), cookies=cookies, headers=headers)
print output_add_user_rule.text
The output of this code is below:
{
"allow_delete": true,
"description": "user_group_1",
"id": "3e99edd4e5534ca6a322a404e8c26d4a",
"name": "user_group_1",
"role_config": {
"id": "612dc9de1e5148748a378742a5d2311e",
"name": "user_group_1",
"redirect_url": "/user",
"type"L "user"
}
"role_id": "612dc9de1e5148748a378742a5d2311e",
"sign_in_config": {
"id": "21ff78e93fda4b0c86e7af96dfa75680",
"policy_type": "user",
"primary_auth_server_config": {
"id": "0a867da874cd426cbe6acd2efba149ec",
"name": "auth_server_1",
"type": "Local"
}
"primary_auth_server_id": "0a867da874cd426cbe6acd2efba149ec",
"realm": "ZTA Users",
"url_pattern": "*/login/",
"use_as_saml_idp": false
}
sign_in_policy_id": "21ff78e93fda4b0c86e7af96dfa75680"
}
Adding a Secure Access Policy¶
Finally, publish a secure access policy using all of the above:
def add_secure_access_policy():
input_data = {
"type":"application",
"resource_type":"single",
"user_rule_group_id":"",
"gateway_type":"single",
"gateway_id":"",
"resource_id":"",
"device_policy_id":""
}
# all values in following 4 lines derived from different API calls made in all previous examples
input_data["user_rule_group_id"] = "3e99edd4e5534ca6a322a404e8c26d4a"
input_data["gateway_id"] = "edb5fc9969304619b6cb976a2a6101e6"
input_data["resource_id"] = "4899a9fe06e64316a17891fff401bc6a"
input_data["device_policy_id"] = "e639512d55fb47e5940d9b8053916629"
request_uri = host_url + api_version + "policies/secure-access-policies"
output_add_secureaccess_policy = requests.post(request_uri, data=json.dumps(input_data), cookies=cookies, headers=headers)
print output_add_secureaccess_policy.text
The output of this code is below:
{
"device_policy_config": {
"name": "device_policy_1"
}
"device_policy_id": "e639512d55fb47e5940d9b8053916629",
"gateway_id": "edb5fc9969304619b6cb976a2a6101e6",
"gateway_type": "single",
"id": "1b87430b470a44cda082fb638fa87ae2",
"resource_config": {
"name": "app1"
}
"resource_id": "4899a9fe06e64316a17891fff401bc6a",
"resource_type": "single",
"type": "application",
"user_rule_group_config": {
"name": "user_group_1",
"role_config": {
"id": "612dc9de1e5148748a378742a5d2311e",
"name": "user_group_1",
"redirect_url": "/user",
"type": "user"
}
}
"user_rule_group_id": "3e99edd4e5534ca6a322a404e8c26d4a"
}