CA Single Sign-On - 12.8

14.0 12.52.02 12.52.01 12.51 12.8.03 12.8 12.7 12.6.01
English

Policy Object REST APIs

The product provides the following REST APIs for manipulating policy objects:
casso128
The product provides the following REST APIs for manipulating policy objects:
  •  
    Administrative Token API
     – Obtain a JSON Web Token (JWT) that is 
    required
     to access the Policy Data API and Policy Migration API.
  •  
    Policy Data API
     – Create, read, update, and delete objects (including federation entities, federation partnerships, and certificate services) in the policy store.
  •  
    Policy Migration API
     – Export and import specified subsets of the policy data in the policy store.
The 
CA Single Sign-On
 REST APIs accept and return JSON payloads and use standard HTTP status codes.
 
Note
CA Single Sign-On
 REST APIs only support the authentication of legacy administrators who are configured in the policy store.
 
This content includes the following sections:
 
 
 
2
 
 
Access the REST APIs and the REST API Interactive Reference Documentation
The REST APIs and the REST API interactive reference documentation are available from any server hosting the CA Single Sign-On Administrative UI.
Access the REST APIs
The REST APIs are available in the following location:
https://
adminui_host
:8443/
call_address
 
adminui_host 
 
Specifies the host name or IP address of the system that hosts your Administrative UI.
 
call_address
 
Specifies the address of a specific call. For example, 
/ca/api/sso/services
/login/v1/token 
.
 
Example address:
 https://adminui.example.com:8443/ca/api/sso/services/login/v1/token
Access the REST API Interactive Reference Documentation
This content provides an overview of the 
CA Single Sign-On
 REST APIs. For detailed information from which you can visualize and interact with the API resources, access the REST API interactive reference documentation in the following location:
https://
adminui_host
:8443/ca/api/sso/services/v1/api-doc/
You can also open the interactive reference documentation by clicking the 
REST APIs
 link at the bottom of the Administrative UI.
 For optimal performance, we recommend that you view the interactive reference documentation using the Google Chrome browser.
To view the API resources before you interact with them, see the REST API reference documentation.
Handle the Default Server Self-Signed Certificate
By default, the Administrative UI server uses a self-signed certificate to secure the SSL connection over which the Administrative UI, REST APIs, and interactive reference documentation are accessed. This self-signed certificate causes the following behavior until it is mitigated:
  • Causes a browser security warning when accessing the reference documentation in Google Chrome.
  • Prevents Chrome-based API development apps (such as Postman) from accessing the REST APIs.
  • Prevents Java applications from accessing the REST APIs.
The most secure way to handle these issues is to obtain and import a trusted certificate into the Administrative UI. If you cannot or do not want to obtain and import a trusted certificate, use the procedures in this section to configure Chrome and develop Java applications that accept or trust the self-signed certificate.
Configure Google Chrome to Accept or Trust the Self-Signed Certificate
To use the Chrome browser to access the REST API interactive reference documentation or to use a Chrome-based API development app (such as Postman) to access the APIs, configure Chrome to accept or to trust the self-signed certificate.
 
Configure Google Chrome to Accept the Self-Signed Certificate
 
  1. In Chrome, open the root URL for the server (for example 
    https://adminui.example.com:8443/
    ).
    A warning page appears, stating that “Your connection is not private.”
  2. Select 
    ADVANCED
     
  3. Select 
    Proceed to https://
    yourserver
    :
    port 
    (unsafe)
    . For example, "Proceed to https://adminui.example.com:8443 (unsafe).”
 
Configure Google Chrome to Trust the Self-Signed Certificate:
 
You can also configure the Chrome browser to trust the self-signed certificate by importing the certificate into the Chrome keystore.
The following example procedure shows how to import the self-signed certificate on Windows:
  1. In Chrome, open the root URL for the server (for example 
    https://adminui.example.com:8443/
    ).
    A warning page appears, stating that “Your connection is not private.”
  2. Enter 
    F12
     to access the developer tools
  3. On the 
    Security
     tab, select 
    View Certificate
    .
  4. On the 
    Details
     tab, select 
    Copy to File
     and Save the file
  5. In Chrome, open 
    chrome://settings/
    .
  6. Select 
    Show advanced settings
    .
  7. In the 
    HTTPS/SSL
     section, select 
    Manage Certificates
    .
  8. Import the self-signed certificate file that you saved in Step 4. to the 
    Trusted Root Certification Authorities
     certificate store.
  9. Restart Chrome.
Develop Applications That Accept or Trust the Self-Signed Certificate
By default, Java does not accept self-signed certificates when establishing an SSL connection. To develop Java applications that access the REST API, implement one of the following solutions:
  • Disable certificate validation (less secure)
  • Export the certificate from your browser and import it in your JVM truststore (to establish a chain of trust).
For more information, see the README.txt file that is provided with the Java Migration Sample Application.
Administrative Token API Overview
Each call to the Policy Data API and Policy Migration API requires a valid JWT token. Use the Administrative Token API to obtain that token.
The Administrative Token API provides a single call that receives the credentials (username and password) of a 
CA Single Sign-On
 Administrator in the Authorization header. If Basic authentication for that administrator account is successful, the API returns a JWT token containing a session ticket.
 The JWT token expires after 15 minutes after which it must be refreshed.
Construct the Authorization Value to Pass When Calling the Administrative Token API
To construct the authorization value to provide when calling the Administrative Token API, do the following steps:
  1. Combine the username and password with a single colon (:) symbol. For example:
    sso_admin:sso_password
  2. Encode this string using Base64. For the example in Step 1, Base64-encoding results in the following string: 
    c3NvX2FkbWluOnNzb19wYXNzd29yZA==
  3. Precede the encoded result with "Basic ". For example:
    Basic c3NvX2FkbWluK3Nzb19wYXNzd29yZA==
Obtain a JWT Token
 
POST
 
/ca/api/sso/services
/login/v1/token 
Returns a valid JWT token containing a session ticket in a JSON response body.
 
Example URL
https://adminui.example.com:8443/ca/api/sso/services/login/v1/token
 
Request Headers
Pass the authorization value that you constructed in an Authorization header. For example:
Basic c3NvX2FkbWluK3Nzb19wYXNzd29yZA==
Response Body
Returns a JSON response body containing a session ticket in JWT token format:
{
  "sessionkey: "
JWT_Token
"
}
Where 
JWT_Token
 is a valid session ticket in JWT token form.
Response example:
{
"sessionkey": "eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiZGlyIn0..XzXFIuc8hltEbTx2.mUe9UmyNwkUapkL2vMU86GsIIV2aYwRRmaZoGZpoHhX6d3a8vxXe7p4z_fwcFkm2jt1GvurR00wDSrm3gqGHjWRguP1ZHeoN_L_tkoYCIyS7zG_nClZEtjn4DL2C70wM87moAayJ7YTlz66oKVoNBl6qh5o425pejFc3dsefL0zNdAw6fvRySFEE-7j_FcjsnobTt5XT8RqTu--iYzKH9u2D7_yobQzbFF8ol1vAVNZpcZDrfTOoVMSbAI5RTo7Y9ux7GEcGEhNOOl3546j2ay3ikpaWUO14HUf9l5foU6s0IjZ1IWgX0cPwUJYGsWl4eupH6_fD6KdUtfQmfpwz_WPk2iWpdGJGE5JpeersJLCCcb98Rm3DREm_rXVH2p-XJaeQsHKHSxkZynTHIGBltn8e0xeD7FOirfUHWPzZPVQ5W_HdDETrALW8g-XmdQebxpUgtDpxeAEtjt4pw-sK25XiRzGmgwbV4lBiHKgrXeU0YlKtn1bUtsISRScDOcJEFB4niSrjgtrzsEg-riymdbst37H_tPUM1jIy3tGV.LZHHUgHm5fNIRK6JiCarqw"
}
Policy Data API
Use the Policy Data API to create, read. update, and delete 
CA Single Sign-On
 objects in your policy store.
 All calls to the Policy Data API require a valid token obtained from the Administrative Token API.
Obtain All the Objects in the Policy Store
 
GET
 
/ca/api/sso/services/
policy/v1 
Use this call to return all the objects in the policy store, organized by class.
 
Example URL
https://adminui.example.com:8443/ca/api/sso/services/policy/v1 
 
Request Headers
Authorization: 
Bearer 
JWT_Token
 
 
Where 
JWT_Token
 is the JWT token that is obtained from the Administrative Token API.
Example:
Bearer eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiZGlyIn0..XzXFIuc8hltEbTx2.mUe9UmyNwkUapkL2vMU86GsIIV2aYwRRmaZoGZpoHhX6d3a8vxXe7p4z_fwcFkm2jt1GvurR00wDSrm3gqGHjWRguP1ZHeoN_L_tkoYCIyS7zG_nClZEtjn4DL2C70wM87moAayJ7YTlz66oKVoNBl6qh5o425pejFc3dsefL0zNdAw6fvRySFEE-7j_FcjsnobTt5XT8RqTu--iYzKH9u2D7_yobQzbFF8ol1vAVNZpcZDrfTOoVMSbAI5RTo7Y9ux7GEcGEhNOOl3546j2ay3ikpaWUO14HUf9l5foU6s0IjZ1IWgX0cPwUJYGsWl4eupH6_fD6KdUtfQmfpwz_WPk2iWpdGJGE5JpeersJLCCcb98Rm3DREm_rXVH2p-XJaeQsHKHSxkZynTHIGBltn8e0xeD7FOirfUHWPzZPVQ5W_HdDETrALW8g-XmdQebxpUgtDpxeAEtjt4pw-sK25XiRzGmgwbV4lBiHKgrXeU0YlKtn1bUtsISRScDOcJEFB4niSrjgtrzsEg-riymdbst37H_tPUM1jIy3tGV.LZHHUgHm5fNIRK6JiCarqw"
Response Body
Returns a JSON response body containing all the objects in your store, organized by class, such as the following:
  • SmAgents
  • SmAuthSchemes
  • SmDomains
  • SmUserDirectories
Obtain Objects of a Particular Class
 
GET
 
/ca/api/sso/services/
policy/v1/
Class_Name
 
 
 
Class_Name
 
 
Specifies the name of the object class, such as the following:
  • SmAgents
  • SmAuthSchemes
  • SmDomains
  • SmUserDirectories
By default, this call returns all objects of the specified class. For example:
 
https://adminui.example.com:8443/ca/api/sso/services/policy/v1/smdomains
 
Filter Results Using a Simple Wildcard
Append a wildcard specifier using an asterisk (*) as a wildcard character to return only matching objects. Examples:
 
https://adminui.example.com:8443/ca/api/sso/services/policy/v1/smdomains/
Fed
*
 
 https:// 
adminui.
example.com:8443/ca/api/sso/services/policy/v1/smauthschemes/*forms* 
Filter Results Using Advanced Expressions
Append filter expressions of the following form to return only objects that meet specific criteria.
?filter=
attribute operator value
 
 
attribute
 
 
Specifies the name of an object attribute. (Case insensitive). For example, (valid for SmDomains): Name, IdleTimeout, Desc.
 
 
operator
 
 
Specifies a logical operator that evaluates to true or false. Valid values: eq (=), ne (!=), startswith, endswith, contains, lt (<), le (<=), gt (>), ge (>=)
 
 
value
 
 
The value (an integer, Boolean, string, enumeration, or null) for which the expression evaluates to true. Quote strings using " (ASCII double-quote) or ' (ASCII apostrophe) characters.
Examples:
  • (enumeration): ?filter=Mode contains GlobalPoliciesApply
  • (boolean): ?filter=IsAffiliate = true
  • (string): ?filter=Name endswith 'abc'
  • (integer): ?filter=IdleTimout < 1000
  • (null): ?filter=desc != null
 Use Logical Operators (not, and, or)
You can use the logical operators (
not
and
or
) to elaborate your query. When combined, 
not
 has the highest precedence; 
or
 has the lowest precedence. Use parentheses to group options if expressions do not evaluate correctly due to rules of precedence.
 
Logical Operator Example 1
 
not Name contains 'a' and Name contains 'b'
Because 
not 
has a higher precedence than 
and
, this expression is parsed as 
(not (name contains 'a')) and (name contains 'b')
. If this is not the desired behavior, use parentheses. For example, 
not (Name contains 'a' and Name contains 'b')
.
 
Logical Operator Example 2
 
name contains 'a' or name contains 'b' and name contains 'c'
Because 
and 
has higher precedence than 
or
, this expression is parsed as name contains 'a' or (name contains 'b' and name contains 'c'). If this is not the desired behavior, use parentheses. For example, (name contains 'a' or name contains 'b') and name contains 'c'.
 
Advanced Expression Example URLs
:
https://example.com:8443/ca/api/sso/services/policy/v1/smdomains?filter=Mode contains GlobalPoliciesApply
https://example.com:8443/ca/api/sso/services/policy/v1/smdomains?filter=IsAffiliate=true
https://example.com:8443/ca/api/sso/services/policy/v1/smagents?filter=Name endswith 'abc'
https://example.com:8443/ca/api/sso/services/policy/v1/smrealms?filter=IdleTimeout<1000
https://example.com:8443/ca/api/sso/services/policy/v1/smauthschemes?filter=desc != null
https://example.com:8443/ca/api/sso/services/policy/v1/smpolicies?filter=not Name contains 'a' and Name contains 'b'
https://example.com:8443/ca/api/sso/services/policy/v1/smrealms?filter=name contains 'a' or name contains 'b' and name contains 'c'
Request Headers
Pass the following text in the Authorization header:
Bearer 
JWT_Token
Where 
JWT_Token
 is the JWT token that is obtained from the Administrative Token API.
Response Body
Returns a JSON response body containing all the matching objects of the specified class type.
Obtain the Properties of a Specific Object
 
GET
 
https://
adminui_host
:8443 
/ca/api/sso/services/
policy/v1/objects/
XID
 
Use this call to obtain the properties of the specified object in the JSON response body.
 
Example URL:
 
 
https://
adminui.
example.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::AgentConfig@21-f74cfb34-739e-4df8-8451-2318a5eee65d 
Request Headers
Pass the following text in the Authorization header:
Bearer 
JWT_Token
Where 
JWT_Token
 is the JWT token that is obtained from the Administrative Token API.
Response Body
Returns a JSON response body containing object properties (as name/value pairs) and HATEAOS references to related objects (such as realms and policies for a domain object).
 
Note
: Only object properties that are 
set
 are returned.
Example response body
:
 
{
  "responseType": "object",
  "data": {
    "id": "CA.SM::Domain@03-2dc3c12c-8bf4-4d32-a1f7-f18e913233d5",
    "type": "SmDomain",
    "Name": "FedBackChannelBasicDomain",
    "Mode": [],
    "IsAffiliate": false,
    "HidingMask": [
      "GUI"
    ],
    "UserDirectoriesLink": [
      {
        "id": "CA.SM::UserDirectory@0e-f741be64-b38b-4d98-a431-b96548214981",
        "path": "/SmUserDirectories/FedBCCustomUserStore",
        "href": "https://adminui.example.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::UserDirectory@0e-f741be64-b38b-4d98-a431-b96548214981",
        "desc": "Custom user store for Federation BackChannel communications"
      }
    ]
  },
  "links": {
    "self": {
      "href": "https://adminui.example.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::Domain@03-2dc3c12c-8bf4-4d32-a1f7-f18e913233d5"
    },
    "relatedobj": {
      "href": "https://adminui.example.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::Domain@03-2dc3c12c-8bf4-4d32-a1f7-f18e913233d5/relatedobj"
    },
    "children": {
      "href": "https://adminui.example.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::Domain@03-2dc3c12c-8bf4-4d32-a1f7-f18e913233d5/children"
    },
    "expanded": {
      "href": "https://adminui.example.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::Domain@03-2dc3c12c-8bf4-4d32-a1f7-f18e913233d5?op=expanded"
    },
    "usedby": {
      "href": "https://adminui.example.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::Domain@03-2dc3c12c-8bf4-4d32-a1f7-f18e913233d5/usedby"
    },
    "classinfo": {
      "href": "https://adminui.example.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::Domain@03-2dc3c12c-8bf4-4d32-a1f7-f18e913233d5/classinfo"
    },
    "editinfo": {
      "href": "https://adminui.example.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::Domain@03-2dc3c12c-8bf4-4d32-a1f7-f18e913233d5?op=editinfo"
    }
  }
}
Update the Properties of a Specified Object
 
PUT
 
/ca/api/sso/services/policy/v1/objects/
 
XID
 
 
Use this call to update the properties of the specified object.
 
Example URL
https
:// 
adminui.
example.com
 
:8443/ca/api/sso/services/policy/v1/objects/
 
CA.SM::AgentConfig@21-f74cfb34-739e-4df8-8451-2318a5eee65d
 
Request Headers
Pass the following text in the Authorization header:
Bearer 
JWT_Token
Where 
JWT_Token
 is the JWT token that is obtained from the Administrative Token API.
Request Body
Provide a JSON response body containing updated object properties (as name/value pairs) and HATEAOS references to related objects (such as realms and policies for a domain object).
Response Body
Returns a JSON response body containing the updated object properties.
Delete a Specified Object
 
DELETE
 
/ca/api/sso/services/policy/v1/objects/
 
XID
 
 
Use this call to delete the specified object.
 
Example
 
URL
https://
adminui.
example.com 
:8443/ca/api/sso/services/policy/v1/objects/CA.SM::AgentConfig@21-f74cfb34-739e-4df8-8451-2318a5eee65d
 
Request Headers
Pass the following text in the Authorization header:
Bearer 
JWT_Token
Where 
JWT_Token
 is the JWT token that is obtained from the Administrative Token API.
Request Body
None
Response Body
None.
Create an Object
 
POST
 
 
/ca/api/sso/services/policy/v1/
Class_Name
 
 
Use this call to create the specified object.
(
Class_Name
 is the object class)
 
Example URL
https://adminui.example.com:8443/ca/api/sso/services/policy/v1/smdomains
 
Headers
Pass the following text in the Authorization header:
Bearer 
JWT_Token
Where 
JWT_Token
 is the JWT token that is obtained from the Administrative Token API.
Request Body
Provide a JSON request body containing a complete set of object properties (as name/value pairs) and HATEAOS references to related objects (such as realms and policies for a domain object).
Response Body
Returns a JSON response body containing the properties of the newly created object.
Obtain the Attributes and Metadata for a Particular Class
 
GET
 
/ca/api/sso/services/
policy/v1/classes/
Class_Name
 
Where 
Class_Name
 is the object class.
Use this call to return the attributes and metadata for a particular class.
 
Example URL
https://adminui.example.com:8443
/
ca/api/sso/services/policy/v1/classes/
Class_Name
 
 
Headers
Authorization: 
Bearer 
JWT_Token
 
 
Where 
JWT_Token
 is the JWT token that is obtained from the Administrative Token API.
Response Body
Returns a JSON response body containing name value pairs that represent the attributes and metadata for a particular class.
Create, Read, Update, and Delete Federation Partnerships
You can manage federation partnerships of the SAML 2.0 protocol. They support the GET, POST, PUT, and DELETE HTTP methods. 
 
Note
: If the system is operating in the FIPS_ONLY mode, you must use only FIPS-approved certificates.
 
IdP->SP Partnership
 
 
POST
 
 
 
/ca/api/sso/services/policy/v1/FedSpPartnership
 
 
 
PUT
 
 
 
/ca/api/sso/services/policy/v1/FedSpPartnership
 
 
 
GET
 
 
 
/ca/api/sso/services/policy/v1/FedSPPartnership
 
 
 
DELETE
 
 
 
/ca/api/sso/services/policy/v1/FedSPPartnership
 
 
 
 
SP Federation Partnership by Name:
 
GET
 
 
 
/ca/api/sso/services/policy/v1/FedSPPartnerships/
partnership_name
 
 
 
 
DELETE
 
 
 
/ca/api/sso/services/policy/v1/FedSPPartnerships/
 
 
 
partnership_name
 
 
 
 
 
SP->IdP Partnership
 
 
POST
 
 
 
/ca/api/sso/services/policy/v1/FedIdPPartnership
 
 
 
PUT
 
 
 
/ca/api/sso/services/policy/v1/FedIdPPartnership
 
 
 
GET
 
 
 
/ca/api/sso/services/policy/v1/FedIdPPartnership
 
 
 
DELETE
 
 
 
/ca/api/sso/services/policy/v1/FedIdPPartnership
 
 
 
 
 
IdP Federation Partnership by Name:
 
 
GET
 
 
 
/ca/api/sso/services/policy/v1/FedIdPPartnerships/
partnership_name
 
 
 
 
DELETE
 
 
 
/ca/api/sso/services/policy/v1/
 
FedIdPPartnerships/
 
 
 
partnership_name
 
 
 
 
Create, Read. Update, and Delete Entities
You can create local and remote entities of the SAML 2.0 protocol. They support the GET, POST, PUT, and DELETE HTTP methods. 
 
IdP Local Entity
 
 
POST
 
 
 
/ca/api/sso/services/policy/v1/FedIdPLocal
 
 
 
PUT
 
 
 
/ca/api/sso/services/policy/v1/FedIdPLocal
 
 
 
GET
 
 
 
/ca/api/sso/services/policy/v1/FedIdPLocal
 
 
 
DELETE
 
 
 
/ca/api/sso/services/policy/v1/FedIdPLocal
 
 
 
IdP Local Entity by Name:
 
GET
 
 
 
/ca/api/sso/services/policy/v1/FedIdPLocal/
entity_name
 
 
 
 
DELETE
 
 
 
/ca/api/sso/services/policy/v1/
 
FedIdPLocal/
 
 
 
entity_name
 
 
 
 
 
 
 
SP Local Entity
 
 
POST
 
 
 
/ca/api/sso/services/policy/v1/FedSPLocal
 
 
 
PUT
 
 
 
/ca/api/sso/services/policy/v1/FedSPLocal
 
 
 
GET
 
 
 
/ca/api/sso/services/policy/v1/FedSPLocal
 
 
 
DELETE
 
 
 
/ca/api/sso/services/policy/v1/FedSPLocal
 
 
 
SP Local Entity by Name:
 
GET
 
 
 
/ca/api/sso/services/policy/v1/FedSPLocal/
entity_name
 
 
 
 
DELETE
 
 
 
/ca/api/sso/services/policy/v1/
 
FedSPLocal/
 
 
 
entity_name
 
 
 
 
 
 
 
IdP Remote Entity
 
 
POST
 
 
 
/ca/api/sso/services/policy/v1/FedIdPRemote
 
 
 
PUT
 
 
 
/ca/api/sso/services/policy/v1/FedIdPRemote
 
 
 
GET
 
 
 
/ca/api/sso/services/policy/v1/FedIdPRemote
 
 
 
DELETE
 
 
 
/ca/api/sso/services/policy/v1/
 
 
 
 
FedIdPRemote
 
 
 
 
 
 
IdP Remote Entity by Name:
 
GET
 
 
 
/ca/api/sso/services/policy/v1/FedIdPRemote/
entity_name
 
 
 
 
DELETE
 
 
 
/ca/api/sso/services/policy/v1/
 
FedIdPRemote/
 
 
 
entity_name
 
 
 
 
 
 
 
SP Remote Entity
 
 
POST
 
 
 
/ca/api/sso/services/policy/v1/FedSPRemote
 
 
 
PUT
 
 
 
/ca/api/sso/services/policy/v1/FedSPRemote
 
 
 
GET
 
 
 
/ca/api/sso/services/policy/v1/FedSPRemote
 
 
 
DELETE
 
 
 
/ca/api/sso/services/policy/v1/
 
 
 
 
FedSPRemote
 
 
 
 
 
 
SP Remote Entity by Name:
 
GET
 
 
 
/ca/api/sso/services/policy/v1/FedSPRemote/
entity_name
 
 
 
 
DELETE
 
 
 
/ca/api/sso/services/policy/v1/
 
FedSPRemote/
 
 
 
entity_name
 
 
 
 
Create, Read, Update, and Delete Certificate Services
You can use REST APIs to manage certificates as follows:
 
GET
:
 
Exports public certificate content of a certificate that is identified by the alias in a URL.
 
GET
 
 
 
/ca/api/sso/services/policy/v1/FedCertificate
 
 
To export a GET certificate by alias name, use the following format:
 
GET
 
 
 
/ca/api/sso/services/policy/v1/FedCertificate/
aliasName
 
 
 
 
POST
: Imports a trusted certificate/trusted CA/trusted certificate - private key pair. You can import certificates as a single file such as PublicCertificate/TrustedCA/Certificate-Key-pair, or as an individual certificate and key data. Also, POST exports certificate/private key content of a trusted certificate/trusted CA/trusted certificate-private key pair in a specified format.
 
Supported formats
 
Import: PEM, DER in Base64 encoded format, PKCS12 in Base64 encoded format
Export: PEM, DER in Base64 encoded format, PKCS8 in Base64 encoded format, or PKCS12 in Base64 encoded format
 
Note
:
  • PKCS8 and PKCS12 formats need password.
  • PKCS8 can export only private key.
  • A password is required only if the private key is encrypted.
 
POST
 
 
 
/ca/api/sso/services/policy/v1/FedCertificate
 
 
If you want to export a certificate in a specified format, you must use POST with body:
 
POST
 
 
 
/ca/api/sso/services/policy/v1/FedCertificate
 
 
{
               "Alias":"
alias name
",
               "Format":"
certificate format
",
               "Password":"
password
"
}
 
Example: Import as TrustedCA
 
POST
 
 
 
/ca/api/sso/services/policy/v1/FedCertificate
 
 
{
               "Alias":"
alias name
",
               "Format":"
certificate format
",
               "TYPE":"
trustedCA
"
"CertificateData":"
Base64encoded certificate data
"
}
Example: Import as Individual Certificate and Key data
 
POST
 
 
 
/ca/api/sso/services/policy/v1/FedCertificate
 
 
{
               "Alias":"
alias name
",
               "Format":"
certificate format
",
               "TYPE":"
trustedCA
"
"Password":"
password
"
"CertificateData":"
Base64encoded certificate data
"
}
Example: Import single certificate
 
POST
 
 
 
/ca/api/sso/services/policy/v1/FedCertificate
 
 
{
               "Alias":"
alias name
",
               "Format":"
certificate format
",
               "Password":"password"
"CertificateData":"
Base64encoded certificate data
"
}
PUT
:
 
Updates the public certificate or alias name of a trusted certificate/trusted CA/trusted certificate - private key pair. You can use PEM, DER, and PKCS7 formats. DER and PKCS7 formats must be Base64 encoded.
 
PUT
 
 
/ca/api/sso/services/policy/v1/FedCertificate
/
aliasName
 
 
 
 
DELETE
: Deletes a trusted certificate/trusted CA/trusted certificate - private key pair.
 
DELETE
 
/ca/api/sso/services/policy/v1/
FedCertificate
/aliasName
Policy Migration API Overview
Use the Policy Migration API to do the following tasks with the data in your policy store:
  • Perform a granular export of a specified subset of your policy data
  • Import previously exported policy data
 All calls to the Policy Migration API require a valid token that is obtained from the Administrative Token API.
Export a Portion of Your Policy Data
 
 
POST
 
 
 
/ca/api/sso/services/policy/v1/deployment/export
 
 
Use this call to export a subset of policy data by specifying one or more root objects. Only those objects that do not have a parent class can be exported. For example, to export a realm object, you specify the parent domain for the realm.
 
Example URL
https://adminui.example.com:8443/api/sso/services/policy/v1/deployment/export 
 
Request Headers
Authorization: 
Bearer 
JWT_Token
 
 
Where 
JWT_Token
 is the JWT token that is obtained from the Administrative Token API.
Example:
Bearer eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiZGlyIn0..XzXFIuc8hltEbTx2.mUe9UmyNwkUapkL2vMU86GsIIV2aYwRRmaZoGZpoHhX6d3a8vxXe7p4z_fwcFkm2jt1GvurR00wDSrm3gqGHjWRguP1ZHeoN_L_tkoYCIyS7zG_nClZEtjn4DL2C70wM87moAayJ7YTlz66oKVoNBl6qh5o425pejFc3dsefL0zNdAw6fvRySFEE-7j_FcjsnobTt5XT8RqTu--iYzKH9u2D7_yobQzbFF8ol1vAVNZpcZDrfTOoVMSbAI5RTo7Y9ux7GEcGEhNOOl3546j2ay3ikpaWUO14HUf9l5foU6s0IjZ1IWgX0cPwUJYGsWl4eupH6_fD6KdUtfQmfpwz_WPk2iWpdGJGE5JpeersJLCCcb98Rm3DREm_rXVH2p-XJaeQsHKHSxkZynTHIGBltn8e0xeD7FOirfUHWPzZPVQ5W_HdDETrALW8g-XmdQebxpUgtDpxeAEtjt4pw-sK25XiRzGmgwbV4lBiHKgrXeU0YlKtn1bUtsISRScDOcJEFB4niSrjgtrzsEg-riymdbst37H_tPUM1jIy3tGV.LZHHUgHm5fNIRK6JiCarqw"
Request Body
Provide a JSON request body containing the following parameters:
  •  
    mainObjectsMethod
     – Specifies how the policy data for explicitly exported objects behaves when imported. Use one of the following options:
    •  
      ADD
       – Only new policy data is added to the target policy store during import.
    •  
      OVERLAY
       – If the object already exists in the target store, it is updated with only the latest changes from the exported data during import.
    •  
      REPLACE
       – If the object already exists in the target store, it is overwritten with the exported data during import.
  • closureObjectsMethod
     – 
    Specifies how the system objects related to exported policy objects behave when imported. System objects that are related to a specified object are automatically included when an object is exported. For example, a referenced agent is also exported when a domain is exported. Use one of the following options:
    •  
      ADD 
      – Only new system objects are added to the target policy store during import.
    •  
      OVERLAY
       – If a related system object already exists in the target store, it is updated with only the latest changes from the exported data during import.
    •  
      REPLACE
       – If a related system object already exists in the target store, it is overwritten with the exported data during import.
  •  
    passPhrase
     – Specifies a passphrase to use to encrypt the export data. This passphrase must be at least eight characters long and must contain at least one digit, one uppercase, and one lowercase character. The passphrase can contain a space that is enclosed in quotes.
  •  
    suggestedFileName
     – Specifies a filename that is returned as an attachment in the Content-Disposition response header.
  •  
    objects – 
    Specifies an array of paths of root policy objects to export. Each specified object takes the following form:
    "path":"
    Policy_Data_API_object_reference
    "
     
    Where Policy_Data_API_object_reference
     is the same that would appear in a Policy Data API call to retrieve an object. For example, if the URL of a call to retrieve an object is 
     
    https://hostname
     
    :8443/ca/api/sso/services/policy/v1/smdomains/FedBackChannelBasicDomain, the path reference is "smdomains/FedBackChannelBasicDomain."
Example request body:
{
    "mainObjectsMethod":"ADD",
    "closureObjectsMethod":"ADD",
    "passPhrase":"PassPhrase",
    "suggestedFileName":"output.xml",
    "objects":[
        {"path":"SmDomains/FedBackChannelBasicDomain"},
        {"path":"smagenttypes/Web Agent"}
    ]
}
Content-Disposition Response Header
Returns (as an attachment) the name of a file to which the exported policy data can be saved. The suggestedFileName value from the request body specifies the filename.
Response Body
Returns a response body containing the policy data for the exported objects.
Import Policy Data
 
 
POST
 
 
 
/ca/api/sso/services/policy/v1/deployment/import
 
 
Use this call to import a previously exported subset of policy data.
 
Example URL
https://adminui.example.com:8443/api/sso/services/policy/v1/deployment/import 
 
Request Headers
Authorization: 
Bearer 
JWT_Token
 
 
Where 
JWT_Token
 is the JWT token that is obtained from the Administrative Token API.
Example:
Bearer eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiZGlyIn0..XzXFIuc8hltEbTx2.mUe9UmyNwkUapkL2vMU86GsIIV2aYwRRmaZoGZpoHhX6d3a8vxXe7p4z_fwcFkm2jt1GvurR00wDSrm3gqGHjWRguP1ZHeoN_L_tkoYCIyS7zG_nClZEtjn4DL2C70wM87moAayJ7YTlz66oKVoNBl6qh5o425pejFc3dsefL0zNdAw6fvRySFEE-7j_FcjsnobTt5XT8RqTu--iYzKH9u2D7_yobQzbFF8ol1vAVNZpcZDrfTOoVMSbAI5RTo7Y9ux7GEcGEhNOOl3546j2ay3ikpaWUO14HUf9l5foU6s0IjZ1IWgX0cPwUJYGsWl4eupH6_fD6KdUtfQmfpwz_WPk2iWpdGJGE5JpeersJLCCcb98Rm3DREm_rXVH2p-XJaeQsHKHSxkZynTHIGBltn8e0xeD7FOirfUHWPzZPVQ5W_HdDETrALW8g-XmdQebxpUgtDpxeAEtjt4pw-sK25XiRzGmgwbV4lBiHKgrXeU0YlKtn1bUtsISRScDOcJEFB4niSrjgtrzsEg-riymdbst37H_tPUM1jIy3tGV.LZHHUgHm5fNIRK6JiCarqw"
Request Body
Provide a request body containing the passphrase that is specified when the policy data was exported on one line, a return, and the policy data returned in the export call response body. For example:
Passphrase1
<?xml version="1.0" encoding="UTF-8"?>
<XPS xmlns:xs="http://www.w3.org/2001/XMLSchema-instance"
    xs:noNamespaceSchemaLocation="CA_SiteMinder_WAM-XPS2.xsd">
    <XPSVersion>1</XPSVersion>
    <HostInformation>BASKETVM14</HostInformation>
    <PolicyData IsDumpExport="false">
        … Export Data…
    </PolicyData>
</XPS>
Sample Applications
The 
CA Single Sign-On
 SDK kit includes the following sample Policy Data API applications:
  • JavaScript Policy Browser Sample
  • Java Migration Sample
For information about how to install the SDK, see Install the SDK.
JavaScript Policy Browser Sample Application
The JavaScript Policy Browser Sample Application uses calls to the Policy Data API to browse and update objects in the policy store using a Web browser.
After you install the SDK, the JavaScript Policy Browser Sample Application can be found in the following location:
SDK_Install_dir
\samples64\restapi\browser
For example (Windows):
C:\Program Files\CA\sdk\samples64\restapi\browser
Review the included README.txt file for more information.
Java Migration Sample Application
 The Java Migration Sample Application demonstrates how to migrate policy objects from one environment to another using calls to the Policy Data API or the Policy Migration API.
After you install the SDK, the Java Migration Sample Application can be found in the following location:
SDK_Install_dir
\samples64\restapi\basic
For example (Windows):
C:\Program Files\CA\sdk\samples64\restapi\basic
Review the included README.txt file for more information.
 
More information: