Cisco Target Connector External API Configuration

This topic describes the required and supported Attributes used when adding or updating a Cisco Target application and target accounts using the External API.
Cisco Target Application External API Attributes
To add or update a Cisco Target application using the External API, use the following properties as members of the "attributes" associative array included in the 'body' parameter of the REST call:
sshPort
The port that is used to connect to the UNIX host using SSH.
Required: no
Default Value: 22
Valid Values: 0-65535
sshSessionTimeout
When using the SSH communication channel, specifies the amount of time in milliseconds that Credential Manager should wait for the remote host to respond.
Required: no
Default Value: 5000
Valid Values: 1000-99999
sshStrictHostKeyCheckingEnabled
Enables or disables strict host key checking. When enabled, Credential Manager compares the public key that is received from the remote host when making a connection to the public key stored in the sshKnownHostKey attribute. If the keys do not match, then the connection attempt is canceled.
Required: no
Default Value: false
Valid Values: true, false
sshKnownHostKey
Contains the base-64 encoded public host key that is associated with the target server.
Required: yes if sshStrictHostKeyCheckingEnabled is true
Default Value: N/A
Valid Values: a base-64 encoded SSH public host key
sshKnownHostKeyFingerprint
Contains the fingerprint of the public host key that is contained in the sshKnownHostKey attribute. The fingerprint is used for display purposes only to allow the user to compare one key with another. The fingerprint that is specified must correspond to the specified public host key.
Required: no
Default Value: N/A
Valid Values: a public key fingerprint
sshUseDefaultCiphers
Specifies whether the default ciphers should be used when Credential Manager makes an SSH connection to the remote host.
Required: no
Default Value: true
Valid Values: true, false
sshServerToClientCiphersList
Specifies the list of ciphers to accept on the inbound data stream from the remote host. Ciphers are listed in order of priority.
Required: yes if sshUseDefaultCiphers is false
Default Value: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
Valid Values: A comma-separated list containing one or more of the following values: aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc, 3des-ctr, arcfour, arcfour128, arcfour256. Do not use spaces in the list.
sshClientToServerCiphersList
Specifies the list of ciphers to use on the outbound data stream to the remote host. Ciphers are listed in order of priority.
Required: yes if sshUseDefaultCiphers is false
Default Value: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
Valid Values: A comma-separated list containing one or more of the following values: aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc, 3des-ctr, arcfour, arcfour128, arcfour256. Do not use spaces in the list.
sshDetectCiphersList
Specifies the list of ciphers to detect when connecting to the remote host. Credential Manager does not attempt to use ciphers that are unavailable even if they are specified to use as inbound and outbound ciphers. Ciphers are listed in order of priority.
Required: yes if sshUseDefaultCiphers is false
Default Value: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
Valid Values: A comma-separated list containing one or more of the following values: aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc, 3des-ctr, arcfour, arcfour128, arcfour256. Do not use spaces in the list.
sshUseDefaultHashes
Specifies whether the default hashes should be used when Credential Manager makes an SSH connection to the remote host.
Required: no
Default Value: true
Valid Values: true, false
sshServerToClientHashesList
Specifies the list of hashes to accept on the inbound data stream from the remote host. Hashes are listed in order of priority.
Required: yes if sshUseDefaultHashes is false
Default Value: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
Valid Values: A comma-separated list containing one or more of the following values: hmac-md5, hmac-sha1, hmac-sha1-96, hmac-md5-96. Do not use spaces in the list.
sshClientToServerHashesList
Specifies the list of hashes to use on the outbound data stream to the remote host. Hashes are listed in order of priority.
Required: yes if sshUseDefaultHashes is false
Default Value: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
Valid Values: A comma-separated list containing one or more of the following values: hmac-md5, hmac-sha1, hmac-sha1-96, hmac-md5-96. Do not use spaces in the list.
sshUseDefaultKeyExchangeAlgorithms
Specifies whether to use the default key exchange methods when Credential Manager makes an SSH connection to the remote host.
Required: no
Default Value: true
Valid Values: true, false
sshKeyExchangeAlgorithmsList
Specifies the list of key exchange methods to use when connecting to the remote host. Methods are listed in order of priority.
Required: yes if sshUseDefaultKeyExchangeAlgorithms is false
Default Value: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
Valid Values: A comma-separated list containing one or more of the following values: diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1. Do not use spaces in the list.
sshUseDefaultCompressionAlgorithms
Specifies whether the default compression methods should be used when Credential Manager makes an SSH connection to the remote host.
Required: no
Default Value: true
Valid Values: true, false
sshServerToClientCompressionAlgorithmsList
Specifies the list of compression methods to accept on the inbound data stream from the remote host. Methods are listed in order of priority.
Required: yes if sshUseDefaultCompressionAlgorithms is false
Default Value: N/A (do not use compression)
Valid Values: A comma-separated list containing one or more of the following values: zlib, zlib@openssh.com. Do not use spaces in the list.
sshClientToServerCompressionAlgorithmsList
Specifies the list of compression methods to use on the outbound data stream to the remote host. Methods are listed in order of priority.
Required: yes if sshUseDefaultCompressionAlgorithms is false
Default Value: N/A (do not use compression)
Valid Values: A comma-separated list containing one or more of the following values: zlib, zlib@openssh.com. Do not use spaces in the list.
sshUseDefaultServerHostKeyAlgorithms
Specifies whether the default host key types should be accepted when Credential Manager makes an SSH connection to the remote host.
Required: no
Default Value: true
Valid Values: true, false
sshServerHostKeyAlgorithmsList
Specifies the list of host key types to accept when Credential Manager connects to the remote host.
Required: yes if sshUseDefaultServerHostKeyAlgorithms is false
Default Value: ssh-rsa,ssh-dss
Valid Values: A comma-separated list containing one or more of the following values: ssh-rsa, ssh-dss. Do not use spaces in the list.
telnetSessionTimeout
When using the Telnet communication channel, specifies the amount of time in milliseconds that Credential Manager should wait for the remote host to respond.
Required: no
Default Value: 5000
Valid Values: 1000-99999
telnetPort
The port that is used to connect to the UNIX host using Telnet.
Required: no
Default Value: 23
Valid Values: 0-65536
ciscoVariant
Specifies the type of Cisco system that is installed on the target server.
Required: no
Default Value: IOS_12_4
Valid Values: IOS_10_0, IOS_12_4 or ASA_IOS_7_0_1
scriptTimeout
Specifies the amount of time in milliseconds that Credential Manager waits to receive some expected input from the remote host.
Required: no
Default Value: 5000
Valid Values: 5000-59999
useUpdateScriptType
Specifies whether the default, revised or replacement update script should be used. We recommend that you use the default script and contact CA Services if a revised script is required.
Required: no
Default Value: 'DEFAULT'
Valid Values: 'DEFAULT', 'REVISED' or 'REPLACEMENT'
revisedUpdateScriptFilename
Specifies the name of the file containing the revised update script. The contents of the file are used as the revised script. We recommend that you use the default script and contact CA Services if a revised script is required.
Required: no
Default Value: N/A
Valid Values: a file name
useVerifyScriptType
Specifies whether the default, revised, or replacement verify script should be used. We recommend that you use the default script and contact CA Services if a revised script is required.
Required: no
Default Value: 'DEFAULT'
Valid Values: 'DEFAULT', 'REVISED' or 'REPLACEMENT'
revisedVerifyScriptFilename
Specifies the name of the file containing the revised verify script. The contents of the file are used as the revised script. We recommend that you use the default script and contact CA Services if a revised script is required.
Required: no
Default Value: N/A
Valid Values: a file name
userNameEntryPrompt
A regular expression that matches the prompt that is produced by the remote host when it requests a user name.
Required: no
Default Value: (?si).*?(login|username):.*?
Valid Values: valid regular expression syntax
passwordEntryPrompt
A regular expression that matches the prompt that is produced by the remote host when it requests a password.
Required: no
Default Value: (?si)(.*?password(\sfor|:).*?)
Valid Values: valid regular expression syntax
passwordConfirmationPrompt
A regular expression that matches the remote host prompt that is produced when the host requests a password confirmation.
Required: no
Default Value:
AIX: (?si).*?new password.*?
All other platforms: (?si).*?password:.*?)
Valid Values: valid regular expression syntax
passwordChangePrompt
A regular expression that matches the prompt produced by the remote host when it requests that a password be changed because it has expired.
Required: no
Default Value: (?si).*?change your password.*?
Valid Values: valid regular expression syntax
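The conditional rules in the attribute tables above (an algorithm list becomes required when its sshUseDefault... switch is false, and sshKnownHostKey becomes required when sshStrictHostKeyCheckingEnabled is true) can be checked before the REST call is sent. The following Python is an added example, not part of the product documentation; it assumes boolean attributes are passed as the strings "true" and "false" as in the request example on this page, and that the fingerprint is written in the MD5 colon-hex or SHA256 base-64 form, which the page does not specify.

```python
import base64
import hashlib

# Allowed values copied from the "Valid Values" entries on this page.
CIPHERS = {"aes256-ctr", "aes192-ctr", "aes128-ctr", "aes256-cbc", "aes192-cbc",
           "aes128-cbc", "3des-ctr", "arcfour", "arcfour128", "arcfour256"}
HASHES = {"hmac-md5", "hmac-sha1", "hmac-sha1-96", "hmac-md5-96"}
KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
       "diffie-hellman-group-exchange-sha1"}
HOST_KEYS = {"ssh-rsa", "ssh-dss"}

# Switch attribute -> (lists required when the switch is "false", allowed values)
CONDITIONAL_LISTS = {
    "sshUseDefaultCiphers": (("sshServerToClientCiphersList",
                              "sshClientToServerCiphersList",
                              "sshDetectCiphersList"), CIPHERS),
    "sshUseDefaultHashes": (("sshServerToClientHashesList",
                             "sshClientToServerHashesList"), HASHES),
    "sshUseDefaultKeyExchangeAlgorithms": (("sshKeyExchangeAlgorithmsList",), KEX),
    "sshUseDefaultServerHostKeyAlgorithms": (("sshServerHostKeyAlgorithmsList",), HOST_KEYS),
}

def fingerprints(b64_key):
    """(MD5 colon-hex, SHA256 base-64) of a base-64 key; both formats are assumptions."""
    blob = base64.b64decode(b64_key, validate=True)  # raises ValueError if malformed
    if not blob:
        raise ValueError("empty host key")
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256:" + sha

def validate(attrs):
    """Return problems in an "attributes" dict (assumes "true"/"false" strings)."""
    errors = []
    for switch, (names, allowed) in CONDITIONAL_LISTS.items():
        if attrs.get(switch, "true") != "false":
            continue  # defaults in use, so the lists are not required
        for name in names:
            bad = [v for v in attrs.get(name, "").split(",") if v not in allowed]
            if bad:  # also catches empty lists and values padded with spaces
                errors.append(f"{name}: missing or invalid value(s) {bad}")
    if attrs.get("sshStrictHostKeyCheckingEnabled", "false") == "true":
        try:
            known = fingerprints(attrs.get("sshKnownHostKey", ""))
        except ValueError:
            return errors + ["sshKnownHostKey: required key is missing or malformed"]
        shown = attrs.get("sshKnownHostKeyFingerprint", "")
        if shown and shown not in known:
            errors.append("sshKnownHostKeyFingerprint: does not match sshKnownHostKey")
    return errors
```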
Cisco Target Account External API Attributes
To add a Cisco target account that uses the target connector, use the following properties as members of the "attributes" associative array included in the 'body' parameter of the REST call:
useOtherAccountToChangePassword
Specifies whether to use the target account or a different account when updating the target account.
Required: yes
Default Value: false
Valid Values: true, false
otherAccount
Specifies which other account to use when updating the target account.
Required: yes if useOtherAccountToChangePassword is true
Default Value: N/A
Valid Values: a valid target account ID
protocol
Specifies the protocol to use for communicating with the remote host.
Required: yes if useOtherAccountToChangePassword is false
Default Value: SSH2_PASSWORD_AUTH
Valid Values: SSH2_PASSWORD_AUTH, TELNET
pwType
The credential type; whether it pertains to a user or privileged (or "enable") account.
Required: yes
Default Value: user
Valid Values: user, privileged
useOtherPrivilegedAccount
Required: yes
Default Value: false
Valid Values: true, false
otherPrivilegedAccount
Required: no
Default Value: N/A
Valid Values: a valid target account ID
changeAuxLoginPassword
Required: no
Default Value: N/A
Valid Values: true, false
changeConsoleLoginPassword
Required: yes
Default Value: N/A
Valid Values: true, false
changeVtyLoginPassword
Required: no
Default Value: N/A
Valid Values: true, false
numVTYPorts
Required: yes if changeVtyLoginPassword is true
Default Value: N/A
Valid Values: 1-15
Cisco Target Application External API Example
POST /api.php/v1/devices.json/{deviceId}/targetApplications
{
  "applicationName": "CiscoApp",
  "applicationType": "CiscoSSH",
  "description1": "sample descriptor1",
  "description2": "sample descriptor2",
  "attributes": {
    "sshSessionTimeout": "",
    "instance": "",
    "passwordEntryPrompt": "",
    "sshDetectCiphersList": "",
    "sshClientToServerCiphersList": "",
    "sshClientToServerCompressionAlgorithmsList": "",
    "passwordChangePrompt": "",
    "telnetSessionTimeout": "",
    "useUpdateScriptType": "DEFAULT",
    "sshServerHostKeyAlgorithmsList": "",
    "sshUseDefaultCiphers": "true",
    "userNameEntryPrompt": "",
    "sshUseDefaultHashes": "true",
    "sshKeyExchangeAlgorithmsList": "",
    "telnetPort": "",
    "sslEnabled": "",
    "sshUseDefaultKeyExchangeAlgorithms": "true",
    "passwordConfirmationPrompt": "",
    "sshPort": "",
    "ciscoVariant": "IOS_12_4",
    "sshServerToClientCiphersList": "",
    "useVerifyScriptType": "DEFAULT",
    "sshKnownHostKey": "",
    "sshKnownHostKeyFingerprint": "",
    "sshUseDefaultCompressionAlgorithms": "true",
    "sslPort": "",
    "sshUseDefaultServerHostKeyAlgorithms": "true",
    "scriptTimeout": "",
    "mbean": "",
    "sshClientToServerHashesList": "",
    "port": "",
    "sshServerToClientHashesList": "",
    "sshServerToClientCompressionAlgorithmsList": "",
    "sshStrictHostKeyCheckingEnabled": "false"
  },
  "passwordCompositionPolicyId": null
}
Cisco Target Account External API Example
POST /api.php/v1/devices.json/{deviceId}/targetApplications/{applicationId}/targetAccounts
{
  "accountName": "CiscoAcc",
  "attributes": {
    "verifyThroughOtherAccount": "",
    "changeConsoleLoginPassword": "false",
    "useOtherPrivilegedAccount": "false",
    "discoveryAllowed": "f",
    "changeAuxLoginPassword": "false",
    "changeVtyLoginPassword": "false",
    "pwType": "user",
    "protocol": "SSH2_PASSWORD_AUTH",
    "otherAccount": "",
    "descriptor2": "",
    "discoveryGlobal": "f",
    "descriptor1": "",
    "useOtherAccountToChangePassword": "false",
    "numVTYPorts": "1",
    "otherPrivilegedAccount": "-1"
  },
  "cacheBehavior": "useCacheFirst",
  "cacheDuration": "30",
  "password": "sample",
  "passwordViewPolicyId": 1000,
  "privileged": "t",
  "synchronize": "f",
  "useAliasNameParameter": "f"
}
"useOtherAccountToChangePassword": "false" (false/true values only)
"changeConsoleLoginPassword": "false" (false/true values only)
"useOtherPrivilegedAccount": "false" (false/true values only)
"changeAuxLoginPassword": "false" (false/true values only)
"changeVtyLoginPassword": "false" (false/true values only)