REST API create linux target account - SSH2_PUBLIC_KEY

Article ID: 190503


Products

CA Privileged Access Manager (PAM)
CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

How to create a UNIX target account that uses the SSH_PUBLIC_KEY protocol.

Environment

Release : 3.2

Component : PRIVILEGED ACCESS MANAGEMENT

Cause

This is a sample for creating a TargetAccount for UNIX hosts using the SSH_PUBLIC_KEY protocol.

Resolution

https://community.broadcom.com/enterprisesoftware/communities/community-home/digestviewer/viewthread?MessageKey=bc4fcfca-bdd8-47da-91e8-b91d7d62fc39&CommunityKey=3e91a086-c7b2-4bd0-9f8d-3493ed834111&tab=digestviewer#bmbc4fcfca-bdd8-47da-91e8-b91d7d62fc39


The Community Discussion above explains how to create the TargetAccount. Below is a detailed example of the same.

Steps:
1. Identify the TargetDevice 'id'
2. Identify the TargetApplication 'id'
3. Create the TargetAccount with the required protocol type. This article shows an example for step 3 only.
NOTE: The Private Key and Public Key have to be base64 encoded before they can be used for creating the TargetAccount using the REST API.

By default, the following is the template for creating a TargetAccount.

{
    "accountName":null,
    "aliasNames":null,
    "attributes":null,
    "cacheBehavior":null,
    "cacheDuration":null,
    "description1":null,
    "description2":null,
    "password":null,
    "passwordViewPolicyId":null,
    "privileged":null,
    "synchronize":null,
    "useAliasNameParameter":null
}

The "attributes" parameter is where all the details for SSH2_PUBLIC_KEY_AUTH are provided. The parameters accepted by the REST API under "attributes" are listed in the CLI part of the product documentation, under UNIX Target Account CLI Parameters.

For example, the following parameters are accepted under "attributes". When using them with the REST API, remove 'Attribute' and use the part after the dot.
Attribute.keyOptions
Attribute.publicKey
Attribute.passphrase
Attribute.protocol
Attribute.passwordChangeMethod
Attribute.verifyThroughOtherAccount
Attribute.useOtherAccountToChangePassword
Attribute.otherAccount

The privateKey attribute is not mentioned in the CLI documentation; it is mentioned in the REST API documentation.

Below is an example of how the template should look with all the attributes in place.

{
    "accountName":null,
    "aliasNames":null,
    "attributes":{
        "keyOptions":null,
        "publicKey":null,
        "privateKey":null,
        "passphrase":null,
        "protocol":null,
        "passwordChangeMethod":null,
        "verifyThroughOtherAccount":null,
        "useOtherAccountToChangePassword":null,
        "otherAccount":null
    },
    "cacheBehavior":null,
    "cacheDuration":null,
    "description1":null,
    "description2":null,
    "password":null,
    "passwordViewPolicyId":null,
    "privileged":null,
    "synchronize":null,
    "useAliasNameParameter":null
}

============

Actually executed example.

{
 "accountName":"sshkeyaccount",
 "aliasNames":"f",
 "attributes":{
 "protocol":"SSH2_PUBLIC_KEY_AUTH",
 "keyOptions":null,
 "verifyThroughOtherAccount":"false",
 "discoveryAllowed":"f",
 "publicKey":"c3NoL..........mV0Cg==",
 "passphrase":"",
 "privateKey":"LS0tL..........S0tCg==",
 "otherAccount":null,
 "descriptor2":null,
 "discoveryGlobal":"f",
 "descriptor1":null,
 "extensionType":"unixII",
 "useOtherAccountToChangePassword":"false"},
 "cacheBehavior":null,
 "cacheDuration":null,
 "description1":"ssh2",
 "description2":"user",
 "password":"LS0tL..........LS0tCg==",
 "passwordViewPolicyId":null,
 "privileged":"t",
 "synchronize":"f",
 "useAliasNameParameter":null
}
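
The base64 step from the NOTE, applied to build a request body shaped like the executed example. This is an added example, not Broadcom's code: build_target_account, b64_text and the sample key strings are constructed for illustration, and reusing the encoded private key as "password" is an assumption based on the executed example's "password" value starting with the same LS0tL prefix as "privateKey".

```python
import base64
import json

def b64_text(text):
    """Base64-encode key file text (base64 is an encoding, not protection)."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")

def build_target_account(account_name, public_key, private_key, passphrase=""):
    """Return the TargetAccount body; hypothetical helper, not a PAM API."""
    # Reject input that is already encoded or placed in the wrong field.
    fields = public_key.split()
    if len(fields) < 2 or not fields[0].startswith(("ssh-", "ecdsa-sha2-")):
        raise ValueError("publicKey must be a plain OpenSSH public key line")
    if "-----BEGIN" not in private_key or "PRIVATE KEY-----" not in private_key:
        raise ValueError("privateKey must be plain PEM/OpenSSH private key text")
    encoded_private = b64_text(private_key)
    return {
        "accountName": account_name,
        "aliasNames": None,
        "attributes": {
            "protocol": "SSH2_PUBLIC_KEY_AUTH",
            "keyOptions": None,
            "publicKey": b64_text(public_key),
            "privateKey": encoded_private,
            "passphrase": passphrase,
            "verifyThroughOtherAccount": "false",
            "useOtherAccountToChangePassword": "false",
            "otherAccount": None,
            "extensionType": "unixII",
        },
        "cacheBehavior": None, "cacheDuration": None,
        "description1": None, "description2": None,
        # Assumption: the executed example's "password" also starts with LS0tL,
        # so the encoded private key is reused here.
        "password": encoded_private,
        "passwordViewPolicyId": None,
        "privileged": "t",
        "synchronize": "f",
        "useAliasNameParameter": None,
    }

# Constructed sample input: placeholder strings, not real key material.
SAMPLE_PUBLIC = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedPlaceholder pam@example\n"
SAMPLE_PRIVATE = ("-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n"
                  "-----END OPENSSH PRIVATE KEY-----\n")

if __name__ == "__main__":
    body = build_target_account("sshkeyaccount", SAMPLE_PUBLIC, SAMPLE_PRIVATE)
    print(json.dumps(body, indent=1))  # avoid logging this with real keys
```

The encoded values start with c3NoL (an "ssh-" public key line) and LS0tL (a "-----BEGIN" private key block), matching the prefixes visible in the executed example.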