UNIX Target Application External API Attributes
capam344
This topic describes the required and supported attributes used when adding or updating a UNIX (also called UNIXII) target application through the External API.
UNIX Target Application External API Attributes
To add or update a UNIX target application using the External API, use the following properties as members of the "attributes" associative array included in the 'body' parameter of the REST call. Attributes that take a list of algorithms accept only the values shown in their Valid Values column, with no spaces. The shipped SSH defaults include legacy algorithms (CBC-mode ciphers, arcfour, hmac-md5, diffie-hellman-group1-sha1, ssh-dss); where the target host supports it, set the corresponding sshUseDefault* attribute to false and supply an explicit list that excludes them.
extensionType
Required | Default Value | Valid Values |
no | N/A | unixII |
sshPort
The port that is used to connect to the UNIX host using SSH.
Required | Default Value | Valid Values |
no | 22 | 0-65535 |
sshSessionTimeout
When using the SSH communication channel, specifies the amount of time in milliseconds that Credential Manager should wait for the remote host to respond.
Required | Default Value | Valid Values |
no | 5000 | 1000-99999 |
sshKeyPairPolicyID
Specifies the SSH Key Policy ID which controls how keys are generated; that is, the key type (RSA or DSA) and length.
Required | Default Value | Valid Values |
no | N/A | 0-9 |
sshStrictHostKeyCheckingEnabled
Enables or disables strict host key checking. When enabled, Credential Manager compares the public key presented by the remote host with the public key stored in the sshKnownHostKey attribute and establishes the connection only if they match; if they do not match, the connection attempt is canceled. When disabled, the connector accepts whatever host key the remote end presents, so a host impersonating the target (or a man-in-the-middle) can receive the credentials.
Required | Default Value | Valid Values |
no | false | true, false |
sshKnownHostKey
Contains the base-64 encoded public host key that is associated with the target server.
Required | Default Value | Valid Values |
yes if sshStrictHostKeyCheckingEnabled is true | N/A | a base-64 encoded SSH public host key |
sshKnownHostKeyFingerprint
Contains the fingerprint of the public host key that is contained in the sshKnownHostKey attribute. The fingerprint is for display purposes only; it lets a user compare one key with another at a glance. The fingerprint that is specified must correspond to the specified public host key.
Required | Default Value | Valid Values |
no | N/A | a public key fingerprint |
sshUseDefaultCiphers
Specifies whether the default ciphers should be used when Credential Manager makes an SSH connection to the remote host.
Required | Default Value | Valid Values |
no | true | true, false |
sshServerToClientCiphersList
Specifies the list of ciphers to accept on the inbound data stream from the remote host. Ciphers are listed in order of priority.
Required | Default Value | Valid Values |
yes if sshUseDefaultCiphers is false | aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc | A comma-separated list containing one or more of the following values: aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc, 3des-ctr, arcfour, arcfour128, arcfour256. Do not use spaces in the list. |
sshClientToServerCiphersList
Specifies the list of ciphers to use on the outbound data stream to the remote host. Ciphers are listed in order of priority.
Required | Default Value | Valid Values |
yes if sshUseDefaultCiphers is false | aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc | A comma-separated list containing one or more of the following values: aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc, 3des-ctr, arcfour, arcfour128, arcfour256. Do not use spaces in the list. |
sshDetectCiphersList
Specifies the list of ciphers to detect when connecting to the remote host. Credential Manager does not use ciphers that are unavailable even if they are specified to use as inbound and/or outbound ciphers. Ciphers are listed in order of priority.
Required | Default Value | Valid Values |
yes if sshUseDefaultCiphers is false | aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc | A comma-separated list containing one or more of the following values: aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc, 3des-ctr, arcfour, arcfour128, arcfour256. Do not use spaces in the list. |
sshUseDefaultHashes
Specifies whether the default hashes should be used when Credential Manager makes an SSH connection to the remote host.
Required | Default Value | Valid Values |
no | true | true, false |
sshServerToClientHashesList
Specifies the list of hashes to accept on the inbound data stream from the remote host. Hashes are listed in order of priority.
Required | Default Value | Valid Values |
yes if sshUseDefaultHashes is false | hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96 | A comma-separated list containing one or more of the following values: hmac-md5, hmac-sha1, hmac-sha1-96, hmac-md5-96. Do not use spaces in the list. |
sshClientToServerHashesList
Specifies the list of hashes to use on the outbound data stream to the remote host. Hashes are listed in order of priority.
Required | Default Value | Valid Values |
yes if sshUseDefaultHashes is false | hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96 | A comma-separated list containing one or more of the following values: hmac-md5, hmac-sha1, hmac-sha1-96, hmac-md5-96. Do not use spaces in the list. |
sshUseDefaultKeyExchangeAlgorithms
Specifies whether the default key exchange methods are used when Credential Manager makes an SSH connection to the remote host.
Required | Default Value | Valid Values |
no | true | true, false |
sshKeyExchangeAlgorithmsList
Specifies the list of key exchange methods to use when connecting to the remote host. Methods are listed in order of priority.
Required | Default Value | Valid Values |
yes if sshUseDefaultKeyExchangeAlgorithms is false | diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 | A comma-separated list containing one or more of the following values: diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1. Do not use spaces in the list. |
sshUseDefaultCompressionAlgorithms
Specifies whether the default compression methods are used when Credential Manager makes an SSH connection to the remote host.
Required | Default Value | Valid Values |
no | true | true, false |
sshServerToClientCompressionAlgorithmsList
Specifies the list of compression methods to accept on the inbound data stream from the remote host. Methods are listed in order of priority.
Required | Default Value | Valid Values |
yes if sshUseDefaultCompressionAlgorithms is false | N/A (do not use compression) | A comma-separated list containing one or more of the following values: zlib, [email protected]. Do not use spaces in the list. |
sshClientToServerCompressionAlgorithmsList
Specifies the list of compression methods to use on the outbound data stream to the remote host. Methods are listed in order of priority.
Required | Default Value | Valid Values |
yes if sshUseDefaultCompressionAlgorithms is false | N/A (do not use compression) | A comma-separated list containing one or more of the following values: zlib, [email protected]. Do not use spaces in the list. |
sshUseDefaultServerHostKeyAlgorithms
Specifies whether the default host key types should be accepted when Credential Manager makes an SSH connection to the remote host.
Required | Default Value | Valid Values |
no | true | true, false |
sshServerHostKeyAlgorithmsList
Specifies the list of host key types to accept when Credential Manager connects to the remote host.
Required | Default Value | Valid Values |
yes if sshUseDefaultServerHostKeyAlgorithms is false | ssh-rsa,ssh-dss | A comma-separated list containing one or more of the following values: ssh-rsa, ssh-dss. Do not use spaces in the list. |
telnetSessionTimeout
When using the Telnet communication channel, specifies the amount of time in milliseconds that Credential Manager should wait for the remote host to respond.
Required | Default Value | Valid Values |
no | 5000 | 1000-99999 |
telnetPort
The port that is used to connect to the UNIX host using Telnet.
Required | Default Value | Valid Values |
no | 23 | 0-65535 |
scriptTimeout
Specifies the amount of time in milliseconds that Credential Manager waits to receive some expected input from the remote host.
Required | Default Value | Valid Values |
no | 5000 | 5000-59999 |
unixVariant
Specifies the type of UNIX system that is installed on the target server.
Required | Default Value | Valid Values |
no | GENERIC | AIX, GENERIC, HPUX, LINUX, SOLARIS or OTHER. |
useUpdateScriptType
Specifies whether the default, revised, or replacement update script should be used. We recommend that you use the default script; if a revised script is required, contact CA Services.
Required | Default Value | Valid Values |
no | 'DEFAULT' | 'DEFAULT', 'REVISED' or 'REPLACEMENT' |
revisedUpdateScriptFilename
Specifies the name of the file containing the revised update script. The contents of the file are used as the revised script. We recommend that you use the default script; contact CA Services if a revised script is required.
Required | Default Value | Valid Values |
no | N/A | a file name |
useVerifyScriptType
Specifies whether the default, revised, or replacement verify script should be used. We recommend that you use the default script; if a revised script is required, contact CA Services.
Required | Default Value | Valid Values |
no | 'DEFAULT' | 'DEFAULT', 'REVISED' or 'REPLACEMENT' |
revisedVerifyScriptFilename
Specifies the name of the file containing the revised verify script. The contents of the file are used as the revised script. We recommend that you use the default script; contact CA Services if a revised script is required.
Required | Default Value | Valid Values |
no | N/A | a file name |
userNameEntryPrompt
A regular expression that matches the prompt of the remote host when it requests a user name.
Required | Default Value | Valid Values |
no | (?si).*?(login|username):.*? | valid regular expression syntax |
passwordEntryPrompt
A regular expression that matches the prompt of the remote host when it requests a password.
Required | Default Value | Valid Values |
no | (?si)(.*?password(\sfor|:).*?) | valid regular expression syntax |
passwordConfirmationPrompt
A regular expression that matches the prompt from the remote host when it requests that a password be confirmed.
Required | Default Value | Valid Values |
no | AIX: (?si).*?new password.*? ; all other platforms: (?si).*?password:.*? | valid regular expression syntax |
passwordChangePrompt
A regular expression that matches the prompt of the remote host when it requests that a password be changed because it has expired.
Required | Default Value | Valid Values |
no | (?si).*?change your password.*? | valid regular expression syntax |
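The defaults above are ordinary regular expressions, and it is worth seeing what they actually match before relying on them. The following Python is an added example, not code from the product: it runs the default patterns over constructed fragments of a login session and reports which prompt attributes each fragment satisfies. It assumes the connector tests each pattern against the whole text received so far (re.fullmatch here stands in for Java's Matcher.matches(); the (?si) flags mean the same in both); the tightened username pattern at the end is a suggestion, not a value from this page.

```python
"""Exercise the default prompt regular expressions from this page against
constructed login-session output. Added example, not CA PAM code.
Assumption: the connector matches each regex against the text received so
far in the way Java's Matcher.matches() does; re.fullmatch is used here.
"""
import re

# Defaults transcribed from the page (confirmation prompt: the non-AIX default).
PROMPTS = {
    "userNameEntryPrompt": r"(?si).*?(login|username):.*?",
    "passwordEntryPrompt": r"(?si)(.*?password(\sfor|:).*?)",
    "passwordConfirmationPrompt": r"(?si).*?password:.*?",
    "passwordChangePrompt": r"(?si).*?change your password.*?",
}

# Tightened alternative (suggestion, not a page value): a prompt that is
# waiting for input is the last thing in the buffer, so allow only
# whitespace after the colon.
TIGHT_USERNAME_PROMPT = r"(?si).*?(login|username):\s*"

# Constructed session fragments, as a connector reading the channel would see them.
SAMPLES = {
    "getty":   "Debian GNU/Linux 11 host1 tty1\n\nhost1 login: ",
    "sudo":    "[sudo] password for svc_pam: ",
    "passwd":  "Changing password for svc_pam.\nCurrent password: ",
    "expired": "You are required to change your password immediately "
               "(administrator enforced)\n",
    # Post-login banner: nothing is waiting for input, but it contains "login:".
    "motd":    "Last login: Mon Jan  1 09:00:00 2024 from 10.0.0.5\n$ ",
}


def matching_prompts(buffer: str, prompts: dict = PROMPTS) -> list:
    """Names of the prompt attributes whose default regex matches the whole buffer."""
    return [name for name, pattern in prompts.items() if re.fullmatch(pattern, buffer)]


def username_prompt_waiting(buffer: str) -> bool:
    """True only when the buffer ends at a username prompt (tightened pattern)."""
    return re.fullmatch(TIGHT_USERNAME_PROMPT, buffer) is not None


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label:8s} default matches: {matching_prompts(text)}"
              f"  tightened username prompt: {username_prompt_waiting(text)}")
```

The motd sample shows why the username default is loose: "Last login:" in a post-login banner satisfies it even though no prompt is waiting. Anchoring the pattern so that only whitespace may follow the colon removes that false positive without breaking "host1 login: ". The passwd sample shows that the non-AIX confirmation default also matches the first password prompt, so the update script has to rely on the order in which prompts arrive rather than on the two patterns being distinct.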
changePasswordCommand
The command on the remote host that is used to change a password.
Required | Default Value | Valid Values |
no | passwd | depends on remote host |
elevatePrivilegeCommand
The command on the remote host that is used to elevate the user's level of privilege.
Required | Default Value | Valid Values |
no | sudo | depends on remote host |
substituteUserCommand
The command on the remote host that is used to act as another user.
Required | Default Value | Valid Values |
no | su | depends on remote host |
echoCommand
The command on the remote host that is used to repeat a sequence of characters to the standard output; that is, the console.
Required | Default Value | Valid Values |
no | echo | depends on remote host |
patternMatchingCommand
The command on the remote host that prints lines matching a pattern.
Required | Default Value | Valid Values |
no | grep | depends on remote host |
policyManagementCommand
The command on the remote host that is used to manage policy.
Required | Default Value | Valid Values |
no | AIX: pwdadm; all other platforms: N/A | depends on remote host |
whoAmICommand
The command on the remote host that prints the name of the effective user of the current session.
Required | Default Value | Valid Values |
no | whoami | depends on remote host |
changeFilePermissionsCommand
The command on the remote host that is used to alter the permissions on a file.
Required | Default Value | Valid Values |
no | chmod | depends on remote host |
UNIX Target Account External API Attributes
To add a UNIX target account that uses the target connector, use the following properties as members of the "attributes" associative array included in the 'body' parameter of the REST call:
useOtherAccountToChangePassword
Specifies whether the target account's own credentials or those of a different account are used to log in when updating the target account's password.
Required | Default Value | Valid Values |
yes | false | true, false |
otherAccount
Specifies which other account to use when updating the target account.
Required | Default Value | Valid Values |
yes if useOtherAccountToChangePassword is true. | N/A | a valid target account ID. |
verifyThroughOtherAccount
Specifies whether the credentials of a second target account are used to authenticate to the remote host when verifying the target account.
Required | Default Value | Valid Values |
yes if useOtherAccountToChangePassword is true. | false | true, false |
passwordChangeMethod
Specifies which method to use when updating passwords. You might need to select a method that enables the authenticated user to obtain greater privileges without being impacted by policies at the remote host, such as the minimum length of time between password updates.
Required | Default Value | Valid Values |
yes if useOtherAccountToChangePassword is false. | DO_NOT_USE_SUDO | DO_NOT_USE_SUDO, USE_SUDO, IS_ROOT_ACCOUNT, USE_AUTHENTICATED_SUDO |
protocol
Specifies the protocol to use for communicating with the remote host.
Required | Default Value | Valid Values |
yes if useOtherAccountToChangePassword is false | SSH2_PASSWORD_AUTH | SSH2_PASSWORD_AUTH, SSH2_PUBLIC_KEY_AUTH, TELNET |
passphrase
The passphrase that protects the private key.
Required | Default Value | Valid Values |
no | N/A | a string |
publicKey
Specifies the public key that corresponds to the target account's private key; the private key itself is stored as the account's password.
Required | Default Value | Valid Values |
yes if the selected protocol is SSH2_PUBLIC_KEY_AUTH | N/A | an OpenSSH-formatted public key |
keyOptions
Specifies a list of comma-separated option specifications from the authorized_keys file format that is described in the OpenSSH documentation.
Required | Default Value | Valid Values |
no | N/A | comma-separated list of OpenSSH key options |
UNIX (UNIXII) Target Application External API Example
POST /api.php/v1/devices.json/{deviceId}/targetApplications

{
  "applicationName": "UnixApp",
  "applicationType": "unixII",
  "description1": "sample descriptor1",
  "description2": "sample descriptor2",
  "attributes": {
    "passwordEntryPrompt": "",
    "sshSessionTimeout": "",
    "echoCommand": "",
    "telnetSessionTimeout": "",
    "useUpdateScriptType": "DEFAULT",
    "substituteUserCommand": "",
    "acctDiscGidValue": "",
    "acctDiscUidRangeLow": "",
    "acctDiscGidRangeLow": "",
    "sshUseDefaultKeyExchangeAlgorithms": "true",
    "sshKeyPairPolicyID": "",
    "acctDiscUidValue": "",
    "passwordConfirmationPrompt": "",
    "changeFilePermissionsCommand": "",
    "sshPort": "",
    "changePasswordCommand": "",
    "useVerifyScriptType": "DEFAULT",
    "sshServerToClientCiphersList": "",
    "elevatePrivilegeCommand": "",
    "sshKnownHostKey": "",
    "sshKnownHostKeyFingerprint": "",
    "exitStatusOfLastCommand": "",
    "sshServerToClientCompressionAlgorithmsList": "",
    "extensionType": "unixII",
    "systemInfoCommand": "",
    "patternMatchingCommand": "",
    "acctDiscGidRangeHigh": "",
    "acctDiscGidType": "",
    "sshDetectCiphersList": "",
    "sshClientToServerCiphersList": "",
    "sshClientToServerCompressionAlgorithmsList": "",
    "passwordChangePrompt": "",
    "acctDiscUidType": "",
    "acctDiscUidRangeHigh": "",
    "sshUseDefaultCiphers": "true",
    "sshServerHostKeyAlgorithmsList": "",
    "userNameEntryPrompt": "",
    "sshUseDefaultHashes": "true",
    "unixVariant": "GENERIC",
    "whoAmICommand": "",
    "telnetPort": "",
    "sshKeyExchangeAlgorithmsList": "",
    "policyManagementCommand": "",
    "sshUseDefaultCompressionAlgorithms": "true",
    "acctDiscUseUid": "f",
    "sshUseDefaultServerHostKeyAlgorithms": "true",
    "scriptTimeout": "",
    "sshClientToServerHashesList": "",
    "sshServerToClientHashesList": "",
    "sshStrictHostKeyCheckingEnabled": "false",
    "acctDiscUseGid": "false"
  },
  "passwordCompositionPolicyId": null
}

The example sends an empty string for every attribute it does not override. Note that it also carries acctDisc*, exitStatusOfLastCommand and systemInfoCommand attributes, which are not described in the tables above, and that it leaves sshStrictHostKeyCheckingEnabled at "false".
UNIX (UNIXII) Target Account External API Example
POST /api.php/v1/devices.json/{deviceId}/targetApplications/{applicationId}/targetAccounts

{
  "accountName": "UnixAcc",
  "attributes": {
    "keyOptions": "",
    "verifyThroughOtherAccount": "false",
    "discoveryAllowed": "f",
    "privateKey": "",
    "protocol": "SSH2_PASSWORD_AUTH",
    "otherAccount": "",
    "descriptor2": "",
    "discoveryGlobal": "f",
    "descriptor1": "",
    "useOtherAccountToChangePassword": "false",
    "passwordChangeMethod": "DO_NOT_USE_SUDO"
  },
  "cacheBehavior": "useCacheFirst",
  "cacheDuration": "30",
  "password": "sample",
  "passwordViewPolicyId": 1000,
  "privileged": "t",
  "synchronize": "f",
  "useAliasNameParameter": "f"
}
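The attribute tables on this page carry a number of conditional requirements (a host key when strict checking is on, explicit lists when a sshUseDefault* switch is off, numeric ranges, no spaces in lists) that the API examples above do not exercise. The following Python is an added example, not code from the product: it builds the "attributes" map for a hardened unixII application using only values listed on this page, and checks a map against those requirements before the request is sent. Assumptions: the fingerprint is computed in the OpenSSH "SHA256:" form (the page only says "a public key fingerprint", so adjust if your deployment displays MD5 colon-hex); the host key blob is a constructed dummy ssh-rsa blob, not a real host key; nothing is sent over the network.

```python
"""Build and sanity-check the "attributes" map of a unixII target application
before POSTing it. Added example, not CA PAM code. Valid-value sets and
conditional requirements are transcribed from this page; the fingerprint
format (OpenSSH SHA256 style) and the dummy host key are assumptions.
"""
import base64
import hashlib
import struct

VALID = {
    "ciphers": {"aes256-ctr", "aes192-ctr", "aes128-ctr", "aes256-cbc", "aes192-cbc",
                "aes128-cbc", "3des-ctr", "arcfour", "arcfour128", "arcfour256"},
    "hashes": {"hmac-md5", "hmac-sha1", "hmac-sha1-96", "hmac-md5-96"},
    "kex": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"},
    "compression": {"zlib", "zlib@openssh.com"},
    "hostkeys": {"ssh-rsa", "ssh-dss"},
}
# Legacy algorithms from the page that a new profile should not enable.
WEAK = {"arcfour", "arcfour128", "arcfour256", "hmac-md5", "hmac-md5-96",
        "diffie-hellman-group1-sha1", "ssh-dss"}
# sshUseDefault* switch -> (lists required when it is "false", valid-value set)
LIST_GROUPS = {
    "sshUseDefaultCiphers": (["sshServerToClientCiphersList", "sshClientToServerCiphersList",
                              "sshDetectCiphersList"], "ciphers"),
    "sshUseDefaultHashes": (["sshServerToClientHashesList", "sshClientToServerHashesList"], "hashes"),
    "sshUseDefaultKeyExchangeAlgorithms": (["sshKeyExchangeAlgorithmsList"], "kex"),
    "sshUseDefaultCompressionAlgorithms": (["sshServerToClientCompressionAlgorithmsList",
                                            "sshClientToServerCompressionAlgorithmsList"], "compression"),
    "sshUseDefaultServerHostKeyAlgorithms": (["sshServerHostKeyAlgorithmsList"], "hostkeys"),
}
RANGES = {"sshPort": (0, 65535), "telnetPort": (0, 65535), "sshSessionTimeout": (1000, 99999),
          "telnetSessionTimeout": (1000, 99999), "scriptTimeout": (5000, 59999)}


def host_key_fingerprint(b64_key: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 host key blob (format is an assumption)."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def constructed_host_key() -> str:
    """Constructed dummy ssh-rsa blob in SSH wire format; not a real key, only for the checks."""
    def ssh_string(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    e, n = b"\x01\x00\x01", bytes(range(1, 256))   # placeholder exponent and modulus bytes
    return base64.b64encode(ssh_string(b"ssh-rsa") + ssh_string(e) + ssh_string(n)).decode()


def build_hardened_attributes(host_key_b64: str) -> dict:
    """Strict host key checking on; explicit lists limited to the strongest values on the page."""
    ctr = "aes256-ctr,aes192-ctr,aes128-ctr"
    return {
        "extensionType": "unixII", "sshPort": "22", "sshSessionTimeout": "5000",
        "scriptTimeout": "5000", "unixVariant": "LINUX",
        "sshStrictHostKeyCheckingEnabled": "true",
        "sshKnownHostKey": host_key_b64,
        "sshKnownHostKeyFingerprint": host_key_fingerprint(host_key_b64),
        "sshUseDefaultCiphers": "false",
        "sshServerToClientCiphersList": ctr, "sshClientToServerCiphersList": ctr,
        "sshDetectCiphersList": ctr,
        "sshUseDefaultHashes": "false",
        "sshServerToClientHashesList": "hmac-sha1", "sshClientToServerHashesList": "hmac-sha1",
        "sshUseDefaultKeyExchangeAlgorithms": "false",
        "sshKeyExchangeAlgorithmsList": "diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1",
        "sshUseDefaultServerHostKeyAlgorithms": "false",
        "sshServerHostKeyAlgorithmsList": "ssh-rsa",
    }


def validate_attributes(attrs: dict) -> list:
    """Return the problems found (empty when the map satisfies the page's constraints)."""
    problems = []
    if attrs.get("extensionType") != "unixII":
        problems.append("extensionType must be unixII")
    for name, (lo, hi) in RANGES.items():
        value = attrs.get(name, "")
        if value and not (value.isdigit() and lo <= int(value) <= hi):
            problems.append(f"{name}={value!r} outside {lo}-{hi}")
    if attrs.get("sshStrictHostKeyCheckingEnabled") == "true" and not attrs.get("sshKnownHostKey"):
        problems.append("sshKnownHostKey is required when strict host key checking is enabled")
    if attrs.get("sshKnownHostKey") and attrs.get("sshKnownHostKeyFingerprint"):
        if host_key_fingerprint(attrs["sshKnownHostKey"]) != attrs["sshKnownHostKeyFingerprint"]:
            problems.append("sshKnownHostKeyFingerprint does not correspond to sshKnownHostKey")
    for toggle, (lists, group) in LIST_GROUPS.items():
        if attrs.get(toggle, "true") != "false":
            continue                      # defaults in use; no explicit list required
        for name in lists:
            raw = attrs.get(name, "")
            if not raw:
                problems.append(f"{name} is required when {toggle} is false")
                continue
            if " " in raw:
                problems.append(f"{name} must not contain spaces")
            for alg in raw.split(","):
                if alg not in VALID[group]:
                    problems.append(f"{name}: {alg!r} is not a valid value")
                elif alg in WEAK:
                    problems.append(f"{name}: {alg} is weak; prefer a stronger listed value")
    return problems


if __name__ == "__main__":
    attrs = build_hardened_attributes(constructed_host_key())
    print("hardened profile problems:", validate_attributes(attrs))
```

Run validate_attributes on the map you intend to send; a non-empty list means the request would either be rejected or, worse, accepted with a setting such as strict host key checking switched on but no key pinned. The fingerprint check catches the case where the key blob was updated after a host rebuild but the display fingerprint was not.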