UNIX Target Application External API Attributes

This topic describes the required and supported Attributes used when adding or updating a UNIX (aka UNIXII) Target Application using the External API.
To add or update a UNIX Target application using the External API, use the following properties as members of the "attributes" associative array included in the 'body' parameter of the REST call:
extensionType
  Required: no
  Default Value: N/A
  Valid Values: unixII

sshPort
The port that is used to connect to the UNIX host using SSH.
  Required: no
  Default Value: 22
  Valid Values: 0-65535

sshSessionTimeout
When using the SSH communication channel, specifies the amount of time in milliseconds that Credential Manager should wait for the remote host to respond.
  Required: no
  Default Value: 5000
  Valid Values: 1000-99999

sshKeyPairPolicyID
Specifies the SSH Key Policy ID which controls how keys are generated; that is, the key type (RSA or DSA) and length.
  Required: no
  Default Value: N/A
  Valid Values: 0-9

sshStrictHostKeyCheckingEnabled
Enables or disables strict host key checking. When enabled, a connection is established only after Credential Manager compares the public key from the remote host to the public key stored in the sshKnownHostKey attribute. If the keys do not match, the connection attempt is canceled.
  Required: no
  Default Value: false
  Valid Values: true, false

sshKnownHostKey
Contains the base-64 encoded public host key that is associated with the target server.
  Required: yes if sshStrictHostKeyCheckingEnabled is true
  Default Value: N/A
  Valid Values: a base-64 encoded SSH public host key

sshKnownHostKeyFingerprint
Contains the fingerprint of the public host key that is contained in the sshKnownHostKey attribute. The fingerprint is for display purposes only; it allows the user to easily compare one key with another. The fingerprint that is specified must correspond to the specified public host key.
  Required: no
  Default Value: N/A
  Valid Values: a public key fingerprint
sshUseDefaultCiphers
Specifies whether the default ciphers should be used when Credential Manager makes an SSH connection to the remote host.
  Required: no
  Default Value: true
  Valid Values: true, false

sshServerToClientCiphersList
Specifies the list of ciphers to accept on the inbound data stream from the remote host. Ciphers are listed in order of priority.
  Required: yes if sshUseDefaultCiphers is false
  Default Value: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
  Valid Values: A comma-separated list containing one or more of the following values: aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc, 3des-ctr, arcfour, arcfour128, arcfour256. Do not use spaces in the list.

sshClientToServerCiphersList
Specifies the list of ciphers to use on the outbound data stream to the remote host. Ciphers are listed in order of priority.
  Required: yes if sshUseDefaultCiphers is false
  Default Value: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
  Valid Values: A comma-separated list containing one or more of the following values: aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc, 3des-ctr, arcfour, arcfour128, arcfour256. Do not use spaces in the list.

sshDetectCiphersList
Specifies the list of ciphers to detect when connecting to the remote host. Credential Manager does not use ciphers that are unavailable on the remote host, even if they are specified as inbound or outbound ciphers. Ciphers are listed in order of priority.
  Required: yes if sshUseDefaultCiphers is false
  Default Value: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
  Valid Values: A comma-separated list containing one or more of the following values: aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc, 3des-ctr, arcfour, arcfour128, arcfour256. Do not use spaces in the list.
sshUseDefaultHashes
Specifies whether the default hashes should be used when Credential Manager makes an SSH connection to the remote host.
  Required: no
  Default Value: true
  Valid Values: true, false

sshServerToClientHashesList
Specifies the list of hashes to accept on the inbound data stream from the remote host. Hashes are listed in order of priority.
  Required: yes if sshUseDefaultHashes is false
  Default Value: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
  Valid Values: A comma-separated list containing one or more of the following values: hmac-md5, hmac-sha1, hmac-sha1-96, hmac-md5-96. Do not use spaces in the list.

sshClientToServerHashesList
Specifies the list of hashes to use on the outbound data stream to the remote host. Hashes are listed in order of priority.
  Required: yes if sshUseDefaultHashes is false
  Default Value: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
  Valid Values: A comma-separated list containing one or more of the following values: hmac-md5, hmac-sha1, hmac-sha1-96, hmac-md5-96. Do not use spaces in the list.
sshUseDefaultKeyExchangeAlgorithms
Specifies whether the default key exchange methods are used when Credential Manager makes an SSH connection to the remote host.
  Required: no
  Default Value: true
  Valid Values: true, false

sshKeyExchangeAlgorithmsList
Specifies the list of key exchange methods to use when connecting to the remote host. Methods are listed in order of priority.
  Required: yes if sshUseDefaultKeyExchangeAlgorithms is false
  Default Value: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
  Valid Values: A comma-separated list containing one or more of the following values: diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1. Do not use spaces in the list.

sshUseDefaultCompressionAlgorithms
Specifies whether the default compression methods are used when Credential Manager makes an SSH connection to the remote host.
  Required: no
  Default Value: true
  Valid Values: true, false
sshServerToClientCompressionAlgorithmsList
Specifies the list of compression methods to accept on the inbound data stream from the remote host. Methods are listed in order of priority.
  Required: yes if sshUseDefaultCompressionAlgorithms is false
  Default Value: N/A (do not use compression)
  Valid Values: A comma-separated list containing one or more of the following values: zlib, [email protected]. Do not use spaces in the list.

sshClientToServerCompressionAlgorithmsList
Specifies the list of compression methods to use on the outbound data stream to the remote host. Methods are listed in order of priority.
  Required: yes if sshUseDefaultCompressionAlgorithms is false
  Default Value: N/A (do not use compression)
  Valid Values: A comma-separated list containing one or more of the following values: zlib, [email protected]. Do not use spaces in the list.
sshUseDefaultServerHostKeyAlgorithms
Specifies whether the default host key types should be accepted when Credential Manager makes an SSH connection to the remote host.
  Required: no
  Default Value: true
  Valid Values: true, false

sshServerHostKeyAlgorithmsList
Specifies the list of host key types to accept when Credential Manager connects to the remote host.
  Required: yes if sshUseDefaultServerHostKeyAlgorithms is false
  Default Value: ssh-rsa,ssh-dss
  Valid Values: A comma-separated list containing one or more of the following values: ssh-rsa, ssh-dss. Do not use spaces in the list.
telnetSessionTimeout
When using the Telnet communication channel, specifies the amount of time in milliseconds that Credential Manager should wait for the remote host to respond.
  Required: no
  Default Value: 5000
  Valid Values: 1000-99999

telnetPort
The port that is used to connect to the UNIX host using Telnet.
  Required: no
  Default Value: 23
  Valid Values: 0-65536

scriptTimeout
Specifies the amount of time in milliseconds that Credential Manager waits to receive some expected input from the remote host.
  Required: no
  Default Value: 5000
  Valid Values: 5000-59999

unixVariant
Specifies the type of UNIX system that is installed on the target server.
  Required: no
  Default Value: GENERIC
  Valid Values: AIX, GENERIC, HPUX, LINUX, SOLARIS or OTHER
useUpdateScriptType
Specifies whether the default, revised, or replacement update script should be used. If a revised script is required, use the default script and contact CA Services.
  Required: no
  Default Value: 'DEFAULT'
  Valid Values: 'DEFAULT', 'REVISED' or 'REPLACEMENT'

revisedUpdateScriptFilename
Specifies the name of the file containing the revised update script. The contents of the file are used as the revised script. We recommend that you use the default script and contact CA Services if a revised script is required.
  Required: no
  Default Value: N/A
  Valid Values: a file name

useVerifyScriptType
Specifies whether the default, revised, or replacement verify script should be used. If a revised script is required, use the default script and contact CA Services.
  Required: no
  Default Value: 'DEFAULT'
  Valid Values: 'DEFAULT', 'REVISED' or 'REPLACEMENT'

revisedVerifyScriptFilename
Specifies the name of the file containing the revised verify script. The contents of the file are used as the revised script. We recommend that you use the default script and contact CA Services if a revised script is required.
  Required: no
  Default Value: N/A
  Valid Values: a file name
userNameEntryPrompt
A regular expression that matches the prompt of the remote host when it requests a user name.
  Required: no
  Default Value: (?si).*?(login|username):.*?
  Valid Values: valid regular expression syntax

passwordEntryPrompt
A regular expression that matches the prompt of the remote host when it requests a password.
  Required: no
  Default Value: (?si)(.*?password(\sfor|:).*?)
  Valid Values: valid regular expression syntax

passwordConfirmationPrompt
A regular expression that matches the prompt from the remote host when it requests that a password be confirmed.
  Required: no
  Default Value: AIX: (?si).*?new password.*?  All other platforms: (?si).*?password:.*?)
  Valid Values: valid regular expression syntax

passwordChangePrompt
A regular expression that matches the prompt of the remote host when it requests that a password be changed because it has expired.
  Required: no
  Default Value: (?si).*?change your password.*?
  Valid Values: valid regular expression syntax
changePasswordCommand
The command on the remote host that is used to change a password.
  Required: no
  Default Value: passwd
  Valid Values: depends on remote host

elevatePrivilegeCommand
The command on the remote host that is used to elevate the user's level of privilege.
  Required: no
  Default Value: sudo
  Valid Values: depends on remote host

substituteUserCommand
The command on the remote host that is used to act as another user.
  Required: no
  Default Value: su
  Valid Values: depends on remote host

echoCommand
The command on the remote host that is used to repeat a sequence of characters to the standard output; that is, the console.
  Required: no
  Default Value: echo
  Valid Values: depends on remote host

patternMatchingCommand
The command on the remote host that prints lines matching a pattern.
  Required: no
  Default Value: grep
  Valid Values: depends on remote host

policyManagementCommand
The command on the remote host that is used to manage policy.
  Required: no
  Default Value: AIX: pwdadm; all other platforms: N/A
  Valid Values: depends on remote host

whoAmICommand
The command on the remote host that is used to retrieve the effective ID of the currently logged-in user.
  Required: no
  Default Value: whoami
  Valid Values: depends on remote host

changeFilePermissionsCommand
The command on the remote host that is used to alter the permissions on a file.
  Required: no
  Default Value: chmod
  Valid Values: depends on remote host
UNIX Target Account External API Attributes
To add a UNIX target account that uses the target connector, use the following properties as members of the "attributes" associative array included in the 'body' parameter of the REST call:
useOtherAccountToChangePassword
Specifies whether to use the target account or a different account when updating the target account.
  Required: yes
  Default Value: false
  Valid Values: true, false

otherAccount
Specifies which other account to use when updating the target account.
  Required: yes if useOtherAccountToChangePassword is true
  Default Value: N/A
  Valid Values: a valid target account ID

verifyThroughOtherAccount
Specifies whether the credentials of a second target account are used to authenticate to the remote host when verifying the target account.
  Required: yes if useOtherAccountToChangePassword is true
  Default Value: false
  Valid Values: true, false

passwordChangeMethod
Specifies which method to use when updating passwords. You might need to select a method that enables the authenticated user to obtain greater privileges without being impacted by policies at the remote host, such as the minimum length of time between password updates.
  Required: yes if useOtherAccountToChangePassword is false
  Default Value: DO_NOT_USE_SUDO
  Valid Values: DO_NOT_USE_SUDO, USE_SUDO, IS_ROOT_ACCOUNT, USE_AUTHENTICATED_SUDO

protocol
Specifies the protocol to use for communicating with the remote host.
  Required: yes if useOtherAccountToChangePassword is false
  Default Value: SSH2_PASSWORD_AUTH
  Valid Values: SSH2_PASSWORD_AUTH, SSH2_PUBLIC_KEY_AUTH, TELNET

passphrase
The passphrase that protects the private key.
  Required: no
  Default Value: N/A
  Valid Values: a string

publicKey
Specifies the public key that corresponds to the target account private key. The private key is stored as the account's password.
  Required: yes if the selected protocol is SSH2_PUBLIC_KEY_AUTH
  Default Value: N/A
  Valid Values: an OpenSSH-formatted public key

keyOptions
Specifies a list of comma-separated option specifications from the authorized_keys file format that is described in the OpenSSH documentation.
  Required: no
  Default Value: N/A
  Valid Values: comma-separated list of OpenSSH key options
UNIX (UNIXII) Target Application External API Example
POST /api.php/v1/devices.json/{deviceId}/targetApplications
{
  "applicationName": "UnixApp",
  "applicationType": "unixII",
  "description1": "sample descriptor1",
  "description2": "sample descriptor2",
  "attributes": {
    "passwordEntryPrompt": "",
    "sshSessionTimeout": "",
    "echoCommand": "",
    "telnetSessionTimeout": "",
    "useUpdateScriptType": "DEFAULT",
    "substituteUserCommand": "",
    "acctDiscGidValue": "",
    "acctDiscUidRangeLow": "",
    "acctDiscGidRangeLow": "",
    "sshUseDefaultKeyExchangeAlgorithms": "true",
    "sshKeyPairPolicyID": "",
    "acctDiscUidValue": "",
    "passwordConfirmationPrompt": "",
    "changeFilePermissionsCommand": "",
    "sshPort": "",
    "changePasswordCommand": "",
    "useVerifyScriptType": "DEFAULT",
    "sshServerToClientCiphersList": "",
    "elevatePrivilegeCommand": "",
    "sshKnownHostKey": "",
    "sshKnownHostKeyFingerprint": "",
    "exitStatusOfLastCommand": "",
    "sshServerToClientCompressionAlgorithmsList": "",
    "extensionType": "unixII",
    "systemInfoCommand": "",
    "patternMatchingCommand": "",
    "acctDiscGidRangeHigh": "",
    "acctDiscGidType": "",
    "sshDetectCiphersList": "",
    "sshClientToServerCiphersList": "",
    "sshClientToServerCompressionAlgorithmsList": "",
    "passwordChangePrompt": "",
    "acctDiscUidType": "",
    "acctDiscUidRangeHigh": "",
    "sshUseDefaultCiphers": "true",
    "sshServerHostKeyAlgorithmsList": "",
    "userNameEntryPrompt": "",
    "sshUseDefaultHashes": "true",
    "unixVariant": "GENERIC",
    "whoAmICommand": "",
    "telnetPort": "",
    "sshKeyExchangeAlgorithmsList": "",
    "policyManagementCommand": "",
    "sshUseDefaultCompressionAlgorithms": "true",
    "acctDiscUseUid": "f",
    "sshUseDefaultServerHostKeyAlgorithms": "true",
    "scriptTimeout": "",
    "sshClientToServerHashesList": "",
    "sshServerToClientHashesList": "",
    "sshStrictHostKeyCheckingEnabled": "false",
    "acctDiscUseGid": "false"
  },
  "passwordCompositionPolicyId": null
}
UNIX (UNIXII) Target Account External API Example
POST /api.php/v1/devices.json/{deviceId}/targetApplications/{applicationId}/targetAccounts
{
  "accountName": "UnixAcc",
  "attributes": {
    "keyOptions": "",
    "verifyThroughOtherAccount": "false",
    "discoveryAllowed": "f",
    "privateKey": "",
    "protocol": "SSH2_PASSWORD_AUTH",
    "otherAccount": "",
    "descriptor2": "",
    "discoveryGlobal": "f",
    "descriptor1": "",
    "useOtherAccountToChangePassword": "false",
    "passwordChangeMethod": "DO_NOT_USE_SUDO"
  },
  "cacheBehavior": "useCacheFirst",
  "cacheDuration": "30",
  "password": "sample",
  "passwordViewPolicyId": 1000,
  "privileged": "t",
  "synchronize": "f",
  "useAliasNameParameter": "f"
}
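Before sending either request above, a client can check the dependency rules that the two attribute tables state ("yes if" requirements, allowed list values, no spaces in lists, numeric ranges) and reject a body that the API would otherwise have to fail. The following Python is an added example, not CA PAM code: the function names are my own, and the value sets and rules are copied from the tables on this page.

```python
# Valid values and dependency rules taken from the attribute tables on this page.
CIPHERS = {"aes256-ctr", "aes192-ctr", "aes128-ctr", "aes256-cbc", "aes192-cbc",
           "aes128-cbc", "3des-ctr", "arcfour", "arcfour128", "arcfour256"}
HASHES = {"hmac-md5", "hmac-sha1", "hmac-sha1-96", "hmac-md5-96"}
KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
       "diffie-hellman-group-exchange-sha1"}
HOSTKEYS = {"ssh-rsa", "ssh-dss"}
# "Use default" switch -> (list attributes required when it is "false", allowed values).
LIST_RULES = {
    "sshUseDefaultCiphers": (("sshServerToClientCiphersList", "sshClientToServerCiphersList",
                              "sshDetectCiphersList"), CIPHERS),
    "sshUseDefaultHashes": (("sshServerToClientHashesList", "sshClientToServerHashesList"), HASHES),
    "sshUseDefaultKeyExchangeAlgorithms": (("sshKeyExchangeAlgorithmsList",), KEX),
    "sshUseDefaultServerHostKeyAlgorithms": (("sshServerHostKeyAlgorithmsList",), HOSTKEYS),
}
RANGES = {"sshPort": (0, 65535), "sshSessionTimeout": (1000, 99999),
          "telnetSessionTimeout": (1000, 99999), "scriptTimeout": (5000, 59999)}

def validate_unix_app_attributes(attrs):
    """Return rule violations for a target application 'attributes' dict (empty list = OK).
    An empty string means 'use the default', as in the page's example request."""
    problems = []
    if attrs.get("sshStrictHostKeyCheckingEnabled") == "true" and not attrs.get("sshKnownHostKey"):
        problems.append("sshKnownHostKey is required when sshStrictHostKeyCheckingEnabled is true")
    for switch, (names, allowed) in LIST_RULES.items():
        if attrs.get(switch, "true") != "false":
            continue  # defaults in use, so the explicit lists are optional
        for name in names:
            value = attrs.get(name, "")
            if not value:
                problems.append(f"{name} is required when {switch} is false")
            elif " " in value:
                problems.append(f"{name} must not contain spaces")
            else:
                for bad in (v for v in value.split(",") if v not in allowed):
                    problems.append(f"{name}: {bad!r} is not a valid value")
    for name, (lo, hi) in RANGES.items():
        value = attrs.get(name, "")
        if value and not (value.isdigit() and lo <= int(value) <= hi):
            problems.append(f"{name} must be an integer in {lo}-{hi}")
    return problems

def validate_unix_account_attributes(attrs):
    """Dependency rules from the target account table (empty list = OK)."""
    rules = [("useOtherAccountToChangePassword", "true", "otherAccount"),
             ("protocol", "SSH2_PUBLIC_KEY_AUTH", "publicKey")]
    return [f"{need} is required when {key} is {val}"
            for key, val, need in rules if attrs.get(key) == val and not attrs.get(need)]
```

Note that the default cipher list on this page includes 3des-cbc and blowfish-cbc, which do not appear in the documented valid values, so the check flags them if they are passed in an explicit list.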