VMware vShield vShield 5.5 User guide

vShield API Programming Guide
vShield 5.5
vShield App 5.5
vShield Edge 5.5
vShield Endpoint 5.5
This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
EN-000869-03
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright © 2013 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and
intellectual property laws. VMware products are covered by one or more patents listed at
http://www.vmware.com/go/patents.
VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks
and names mentioned herein may be trademarks of their respective companies.
Contents
About This Book 11
1 Overview of VMware vShield 13
vShield Components 13
vShield Manager 13
vShield App 13
vShield Edge 14
vShield Endpoint 14
vShield Data Security 14
Compatibility Between Different REST API Versions 14
REST API Version 2.0 in vShield 5.0 14
Multitenancy 15
An Introduction to REST API for vShield Users 15
How REST Works 15
Using the vShield REST API 16
Ports Required for vShield REST API 16
About the REST API 16
RESTful Workflow Patterns 17
For More Information About REST 17
2 vShield Manager Management 19
Synchronizing vShield Manager with vCenter Server, SSO, and DNS 19
Querying vShield Manager Global Configuration 21
Resetting the Local Account Password 21
Add Security Profile 21
Get Security Profile 22
Get Password Hint Questions 22
Reset Password 22
Monitoring vShield Manager Reachability 23
Working with vShield Manager Syslog Server Configuration 23
Configure vShield Manager Syslog Server 23
Get vShield Manager Syslog Server Configuration 23
Delete vShield Manager Syslog Server Configuration 23
Querying vShield Manager Logs 24
Get vShield Manager System Events 24
Get vShield Manager Audit Logs 24
Querying vShield Manager Tech Support Log 24
User Management 24
Get Information About a User 25
Create a Local User on vShield Manager 25
Update a Local User Account 26
Enable or Disable a User Account 26
Delete a User Account 26
Role Management 28
Get Role for a User 28
Get Role for a vShield Manager Roles 28
Add Role and Resources for a User 29
Change User Role 29
Get List of Possible Roles 30
Get List of Scoping Objects 30
Delete User Role 31
Creating IPset and MACset Containers 31
List IPsets Created on a Scope 31
Create an IPset on a Scope 31
Get Details of an IPset 32
Modify an Existing IPset 32
Delete an IPset 32
List MACsets Created on a Scope 33
Create a MACset on a Scope 33
Get Details of a MACset 33
Modify an Existing MACset 34
Delete a MACset 34
Security Group Scope and Members 34
List Security Groups Created on a Scope 34
Create Security Group on a Scope 35
Get Members for a Scope 35
Get Security Group Details 35
Modify a Security Group 36
Delete a Security Group 37
Add Member to Security Group 37
Delete Member from Security Group 37
Transport Set for Services 37
Working with Service Groups 37
List Service Groups on a Scope 37
Add Service Group to a Scope 38
Get Details of a Service Group 40
Modify Service Group Details 40
Delete Service Group from Scope 41
Working with Services 41
List Services on a Scope 41
Add Service to a Scope 41
Get Details of a Service 43
Modify Service Details 43
Delete Service from Scope 43
Working with the Members of a Service 44
Query Service Members 44
Add a Member to the Service 45
Delete a Member from the Service 45
Querying Object IDs 45
Query Datacenter MOID 45
Query Datacenter ID 45
Query Host ID 46
Query Portgroup ID 46
3 ESX Host Preparation for vShield App, vShield Endpoint, and vShield Data Security 47
Installing Licenses for vShield Edge, vShield App, and vShield Endpoint 47
Installing vShield App and vShield Endpoint Services on an ESX Host 47
Installing vShield Data Security 49
Upgrading vShield Data Security 49
Getting the Installation Status of vShield Services on an ESX Host 50
Uninstalling vShield Services from an ESX Host 50
Uninstalling vShield Data Security 50
4 vShield Edge Installation and Upgrade 51
Installing a vShield Edge 51
Running Queries on all vShield Edges 53
Upgrading vShield Edge 55
Deleting a vShield Edge 55
5 vShield Edge Management 57
Running Queries on a Specific vShield Edge 58
Query vShield Edge Details 58
Query vShield Edge Summary 62
Querying vShield Edge Status 64
Working with Appliances 66
Query Appliance Configuration 66
Modify Appliance Configuration 67
Change Appliance Size 67
Manage an Appliance 67
Query Appliance 68
Modify Appliance 68
Delete Appliance 69
Working with Interfaces 69
Add Interfaces 69
Retrieve Interfaces for a vShield Edge 70
Delete Interfaces 71
Manage a vShield Interface 71
Retrieve Interface with Specific Index 71
Delete Interface Configuration 71
Modify an Interface 71
Query Interface Statistics 72
Query Statistics for all Interfaces 72
Query Statistics for Uplink Interfaces 73
Query Statistics for Internal Interfaces 73
Query Dashboard Statistics 74
Configuring Edge Services 74
Configure Firewall 75
Add Firewall Configuration 75
Query Firewall Configuration 76
Delete Firewall Configuration 77
Append Firewall Rules 78
Add a Firewall Rule Above a Specific Rule 78
Query Specific Rule 79
Modify Firewall Rule 79
Delete a Firewall Rule 80
Manage Default Firewall Policy 80
Query Firewall Statistics 81
Query Firewall Statistics For a Rule 81
Configure NAT 81
Retrieve NAT Rules for a vShield Edge 82
Delete all NAT Rules 83
Add a NAT Rule above a Specific Rule 83
Append NAT Rules 84
Change a NAT Rule 84
Delete a Rule 84
Configure Routing 85
Configure Static and Default Routes 85
Query Static and Default Routes 85
Delete Static and Default Routes 86
Change Static Routes 86
Append Static Routes 86
Delete Static Routes 87
Configure Default Routes for vShield Edge 87
Delete Default Routes 87
Configure DNS Servers 87
Configure DNS 87
Retrieve DNS Configuration 88
Delete DNS Configuration 88
Retrieve DNS Statistics 89
Configure DHCP 89
Query DHCP Configuration 91
Delete DHCP Configuration 91
Retrieve DHCP Lease Information 92
Append IP Pool to DHCP Configuration 92
Append Static Binding to DHCP Configuration 92
Delete DHCP Pool 93
Delete DHCP Static Binding 93
Configure Certificates 93
Working with Certificates 93
Working with Certificate Signing Requests (CSRs) 94
Working with Certificate Revocation List (CRL) 95
Configure IPSEC VPN 96
Retrieve IPSec Configuration 97
Retrieve IPSec Statistics 98
Query Tunnel Traffic Statistics 99
Delete IPSec Configuration 100
Managing SSL VPN 100
Enable or Disable SSL VPN 100
Query SSL VPN Details 100
Manage Server Settings 100
Configure Private Networks 101
Configure Web Resource 103
Configure Users 105
Configure IP Pool 107
Configure Network Extension Client Parameters 110
Configure Network Extension Client Installation Package 110
Configure Portal Layouts 114
Configure Authentication Parameters 116
Configure SSL VPN Advanced Configuration 118
Working with Active Clients 119
Manage Logon and Logoff Scripts 120
Reconfigure SSL VPN 122
Query SSL VPN Configuration 125
Delete SSL VPN Configuration 128
Query SSL VPN Statistics 128
Configure Load Balancer 129
Query Load Balancer Configuration 131
Query Statistics 132
Delete Load Balancer Configuration 133
Manage all Backend Pools 133
Manage all Virtual Servers 136
Retrieve Load Balancer Statistics 138
Enable Layer 4 Mode for Load Balancer 140
Configure High Availability (HA) 140
Retrieve High Availability Configuration 141
Delete High Availability Configuration 141
Force Syncing vShield Edge 141
Configuring Advanced Options for vShield Edge 141
Change AESNI Setting for a vShield Edge 141
Change FIPS Setting for a vShield Edge 142
Change Logging Level for vShield Appliance 142
Manage Auto Configuration Settings 142
Modify Auto Configuration Settings 142
Query Auto Configuration Settings 142
Change TCP Loose Setting 143
Replacing the Configuration of a vShield Edge 143
Redeploying vShield Edge Appliances 147
Managing CLI Credentials and Access 147
Change CLI Credentials 147
Change CLI Remote Access 147
Debugging and Support 148
Query Technical Support Log 148
Query vShield Edge Service Statistics 148
6 Working with VXLAN Virtual Wires 153
Preparing for VXLAN Virtual Wires 153
Configuring Switches 154
Prepare Switch 154
Edit Teaming Policy 154
Query Configured Switches 154
Query Configured Switches on Datacenter 155
Query Specific Switch 155
Delete Switch 156
Working with Cluster Switch Mappings 156
Map a Cluster to a Switch 156
Query all Cluster Mappings 156
Query Mappings by Switch 157
Query Specific Cluster 157
Delete Cluster Switch Mapping 158
Working with EAM Agencies 158
Install EAM Agency 158
Synchronize Agency State 159
Replace Agency Scope 159
Query Agency by Cluster 159
Query Agency Status 159
Query Agency ID for Cluster 159
Delete Agency 160
Uninstall Agency Status 160
Working with Segment IDs 160
Add a new Segment ID Range 160
Query all Segment ID Ranges 161
Query a Specific Segment ID Range 161
Update a Segment ID Range 161
Delete a Segment ID Range 162
Working with Multicast Address Ranges 162
Add a new Multicast Address Range 162
Query all Multicast Address Ranges 162
Get a Specific Multicast Address Range 163
Update a Multicast Address Range 163
Delete a Multicast Address Range 163
Working with Network Scopes 163
Create a Network Scope 163
Edit a Network Scope 164
Update Attributes on a Network Scope 164
Query existing Network Scopes 164
Query a Specific Network Scope 165
Delete a Network Scope 166
Working with Virtualized Networks 166
Create a VXLAN Virtual Wire 166
Query all VXLAN Virtual Wires on a Network Scope 166
Query all VXLAN Virtual Wires on all Network Scopes 167
Query a Specific VXLAN Virtual Wire 167
Delete a VXLAN Virtual Wire 168
Managing the VXLAN Virtual Wire UDP Port 168
Get UDP Port 168
Update UDP Port 168
Querying Allocated Resources 168
Testing Multicast Group Connectivity 169
Test Multicast Group Connectivity in a Network Scope 169
Test Multicast Group Connectivity in a VXLAN Virtual Wire 169
Performing Ping Test 170
7 vShield App Management 171
Modifying the State of a Datacenter 171
Retrieve Datacenter State 171
Modify Datacenter State 172
Configuring Firewall Rules for vCenter 172
Configuring the vShield App Firewall 172
Query Firewall Configuration 172
Add a Firewall Rule 178
Modify a Firewall Rule 180
Delete a Firewall Rule 182
Revert to Default Firewall Configuration 183
Configuring Fail Safe Mode for vShield App Firewall 183
Configure Fail Safe Mode for vShield App Firewall 183
Query Fail Safe Mode Configuration for vShield App Firewall 184
Working with SpoofGuard 184
Get SpoofGuard Settings at Context Level 184
Replace SpoofGuard Settings 184
Get SpoofGuard IP Settings 185
Change SpoofGuard IP Settings 185
Working with Namespaces 186
Add Namespace in a Datacenter 186
Get Namespace Details 186
Delete a Namespace 186
Show Namespaces in a Datacenter 186
Getting Flow Statistic Details 187
Get Flow Statistics 187
Get Flow Meta Data 189
Excluding Virtual Machines from vShield App Protection 190
Add a Virtual Machine to the Exclusion List 190
Get Virtual Machine Exclusion List 190
Delete a Virtual Machine from Exclusion List 191
Configuring Syslog Service for a vShield App 191
Synchronizing vShield App 192
Querying vShield App Technical Support Log 192
Querying vShield App Status 192
Upgrading vShield App 193
8 vShield Endpoint Management 195
Overview of Solution Registration 195
Registering a Solution with vShield Endpoint Service 195
Register a Vendor 196
Register a Solution 196
Altitude of a Solution 196
IP Address and Port for a Solution 196
Activate a Solution 197
Querying Registration Status of vShield Endpoint 197
Get Vendor Registration 197
Get Solution Registration 197
Get IP Address of a Solution 198
Get Activation Status of a Solution 198
Querying Activated Security Virtual Machines for a Solution 198
Query Activated Security Virtual Machines 198
Query Activation Information 199
Unregistering a Solution with vShield Endpoint 199
Unregister a Vendor 199
Unregister a Solution 199
Unset IP Address 199
Deactivate a Solution 200
Status Codes and Error Schema 200
Return Status Codes 200
Error Schema 200
9 vShield Data Security Configuration 203
vShield Data Security User Roles 203
Defining a Data Security Policy 204
Query Regulations 204
Enable a Regulation 204
Query Classification Value 205
Configure a Customized Regex as a Classification Value 205
View the List of Excludable Areas 205
Exclude Areas from Policy Inspection 206
Specify Security Groups to be Scanned 207
Query Security Groups Being Scanned 207
Configure File Filters 208
Saving and Publishing Policies 209
Query Saved Policy 209
Query Published Policy 210
Publish the Updated Policy 210
Data Security Scanning 210
Start, Pause, Resume, or Stop a Scan Operation 211
Query Status for a Scan Operation 211
Querying Scan Results 211
Get List of Virtual Machines Being Scanned 211
Get Number of Virtual Machines Being Scanned 212
Get Summary Information about the Last Five Scans 213
Get Information for Virtual Machines Scanned During Previous Scan 213
Retrieve Information About Previous Scan Results 213
Get XML Representation of Policy Used for Previous Scan 213
Querying Violation Details 215
Get List of Violation Counts 215
Get List of Violating Files 216
Get List of Violating Files in CSV Format 217
Get Violations in Entire Inventory 217
Appendix 219
vShield Manager Global Configuration Schema 219
ESX Host Preparation and Uninstallation Schema 224
vShield App Schemas 225
vShield App Configuration Schema 225
vShield App Firewall Schema 225
vShield App SpoofGuard Schema 228
vShield App Namespace Schema 230
Error Message Schema 231
About This Book
This manual, the vShield API Programming Guide, describes how to install, configure, monitor, and maintain the VMware® vShield™ system by using REST API requests. The information includes step-by-step configuration instructions and examples.
Intended Audience
This manual is intended for anyone who wants to use REST API to install or use vShield in a VMware vSphere environment. The information in this manual is written for experienced system administrators who are familiar with virtual machine technology, virtualized datacenter operations, and REST APIs. This manual also assumes familiarity with vShield.
VMware Technical Publications Glossary
VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For definitions of terms as they are used in VMware technical documentation, go to http://www.vmware.com/support/pubs.
Document Feedback
VMware welcomes your suggestions for improving our documentation. If you have comments, send your feedback to docfeedback@vmware.com.
vShield Documentation
The following documents comprise the vShield documentation set:
vShield Administration Guide
vShield Quick Start Guide
vShield API Programming Guide, this guide
Technical Support and Education Resources
The following sections describe the technical support resources available to you. To access the current version of this book and other books, go to http://www.vmware.com/support/pubs.
Online and Telephone Support
To use online support to submit technical support requests, view your product and contract information, and register your products, go to http://www.vmware.com/support.
Customers with appropriate support contracts should use telephone support for the fastest response on priority 1 issues. Go to http://www.vmware.com/support/phone_support.
Support Offerings
To find out how VMware support offerings can help meet your business needs, go to http://www.vmware.com/support/services.
VMware Professional Services
VMware Education Services courses offer extensive hands-on labs, case study examples, and course materials designed to be used as on-the-job reference tools. Courses are available onsite, in the classroom, and live online. For onsite pilot programs and implementation best practices, VMware Consulting Services provides offerings to help you assess, plan, build, and manage your virtual environment. To access information about education classes, certification programs, and consulting services, go to http://www.vmware.com/services.
1 Overview of VMware vShield
VMware vShield™ is a suite of network-edge and application-aware firewalls built for VMware vCenter Server integration. vShield inspects client-server communications and inter-virtual-machine communications to provide detailed traffic analytics and application-aware firewall protection. It is a critical security component to protect virtualized datacenters from attacks and misuse, and helps achieve compliance-mandated goals.
This chapter includes the following topics:
“vShield Components” on page 13
“Compatibility Between Different REST API Versions” on page 14
“Ports Required for vShield REST API” on page 16
“An Introduction to REST API for vShield Users” on page 15
This guide assumes you have administrator access to the entire vShield system. If you are unable to access a screen or perform a particular task, consult your vShield administrator.
vShield Components
vShield includes components and services essential for protecting virtual machines in a virtualized datacenter. vShield can be configured with a Web-based user interface, a command line interface (CLI), or a REST API.
To run vShield, you need one vShield Manager virtual appliance and at least one vShield App or vShield Edge virtual appliance. The vShield Manager virtual appliance can run on a different ESX host than the vShield App and vShield Edge virtual appliances.
vShield Manager
vShield Manager is the centralized management component of vShield. You install it as a virtual appliance by deploying an OVA from the vSphere Client. Using vShield Manager's user interface or vSphere Client plug-in, you can install, configure, and maintain vShield appliances. The vShield Manager user interface leverages the vSphere Web Services SDK to display tabs within the vSphere Client inventory panel. For details about the user interface, see the vShield Administration Guide.
vShield App
A vShield App virtual appliance monitors all traffic into and out of an ESX host, and between virtual machines on the host. vShield App provides application-aware traffic analysis and stateful firewall protection, and it regulates traffic based on a set of rules, similar to an access control list (ACL).
As traffic passes through a vShield App, each session header is inspected to catalog the data. The vShield App creates a profile for each virtual machine detailing the operating system, applications, and ports used for network communication. Based on this information, the vShield App allows ephemeral port use by permitting dynamic protocols such as FTP or RPC to pass through, while maintaining lockdown on ports 1024 and higher.
You cannot protect the ESX Service Console, ESXi direct console user interface (DCUI), or the VMkernel with vShield App because these components are not virtual machines.
vShield Edge
vShield Edge provides network edge security and gateway services to isolate a virtualized network, or virtual machines in a port group, vDS port group, or Cisco Nexus 1000V port group. You install a vShield Edge at a datacenter level and can add up to ten internal or uplink interfaces. The vShield Edge connects isolated, stub networks to shared (uplink) networks by providing common gateway services such as DHCP, VPN, NAT, and Load Balancing. Common deployments of vShield Edge include in the DMZ, VPN Extranets, and multi-tenant Cloud environments where the vShield Edge provides perimeter security for Virtual Datacenters (VDCs).
vShield Endpoint
vShield Endpoint offloads antivirus and anti-malware agent processing to a dedicated secure virtual appliance delivered by VMware partners. Since the secure virtual appliance (unlike a guest virtual machine) doesn't go offline, it can continuously update antivirus signatures, thereby giving uninterrupted protection to the virtual machines on the host. Also, new virtual machines (or existing virtual machines that went offline) are immediately protected with the most current antivirus signatures when they come online.
vShield Data Security
vShield Data Security provides visibility into sensitive data stored within your organization's virtualized and cloud environments. Based on the violations reported by vShield Data Security, you can ensure that sensitive data is adequately protected and assess compliance with regulations around the world.
Compatibility Between Different REST API Versions
Each release of the vShield REST API represents a new version of the REST API code with new and changed features. If you are running a previous version of vShield component software, you might not be able to use all of the features of the latest release of the vShield REST API.
NOTE vShield App and vApp are not the same thing. A vApp is a grouping of virtual machines in vSphere, for example a management appliance and a database appliance working together.
CAUTION The REST APIs described in this document can change over time. At this point, vShield does not guarantee forward compatibility.
REST API Version 2.0 in vShield 5.0
Release 5.0 of vShield introduces version 2.0 of the REST API. Many URLs changed from version 1.0 to 2.0. You can determine the API version of a vShield component (such as Edge or App) with the following example REST calls. In the GET request syntax, <vsm-ip> represents the IP address or hostname of vShield Manager.
Example 1-1. Determine the API version of the vShield Manager or vShield Endpoint
GET https://<vsm-ip>/api/versions
<versions>
  <version value="2.1">
    <module name="VshieldAppGlobal" baseUri="/api/2.1/app" version="2.1"/>
    <module name="Flow" baseUri="/api/2.1/app/flow" version="2.1"/>
  </version>
  <version value="2.0">
    <module name="Dlp" baseUri="/api/2.0/dlp" version="2.0"/>
    <module name="Endpoint" baseUri="/api/2.0/endpointsecurity" version="2.0"/>
    <module name="MACSet" baseUri="/api/2.0/services/macset" version="2.0"/>
    <module name="SystemEvent" baseUri="/api/2.0/systemevent" version="2.0"/>
    <module name="AuditLog" baseUri="/api/2.0/auditlog" version="2.0"/>
    <module name="UserMgmt" baseUri="/api/2.0/services/usermgmt" version="2.0"/>
    <module name="Application" baseUri="/api/2.0/services/application" version="2.0"/>
    <module name="IPSet" baseUri="/api/2.0/services/ipset" version="2.0"/>
    <module name="SyslogServer" baseUri="/api/2.0/services/syslog/config" version="2.0"/>
    <module name="SecurityGroup" baseUri="/api/2.0/services/securitygroup" version="2.0"/>
  </version>
</versions>
Example 1-2. Determine the API version of a vShield App
GET https://<vsm-ip>/api/versions/app/<datacenter-id>
<versions>
  <version version="2.0">
    <module version="2.0" baseUri="/api/2.0/app" id="datacenter-21" name="app"/>
  </version>
</versions>
Example 1-3. Determine the API version of a vShield Edge
GET https://<vsm-ip>/api/versions/edge/dvportgroup-63
<versions>
  <version version="2.0">
    <module version="2.0" baseUri="/api/2.0/networks" id="dvportgroup-63" name="edge"/>
  </version>
</versions>
The API version for vShield App is governed by the state of the datacenter in relation to a vShield component. If the datacenter state is in backwardCompatible mode, then it supports only version 1.0 REST calls. If the datacenter state is in regular mode, then it supports only 2.0 REST calls. These API versions are mutually exclusive: only one REST API version is supported at a time.
Table 1-1 lists compatibility between different versions of the REST API, vShield Manager, and the vShield virtual appliances: vShield App, vShield Endpoint, and vShield Edge.
Multitenancy
In vShield 5.0, the vShield App firewall configuration supports multitenancy. A single IP address can show up in multiple places in the network (different IP address namespaces) associated with different virtual machines. Only 2.0 REST APIs support multitenancy. In backward compatibility mode, vShield 5.0 supports the old APIs and does not enforce rules with awareness of multitenancy.
If you have written programs using 1.0 REST APIs, you should reconsider whether their design works as intended in the multitenancy scenario. If not, change your programs to use the API 2.0 calls.
An Introduction to REST API for vShield Users
REST, an acronym for Representational State Transfer, is a term that has been widely employed to describe an architectural style characteristic of programs that rely on the inherent properties of hypermedia to create and modify the state of an object that is accessible at a URL.
How REST Works
Once a URL of such an object is known to a client, the client can use an HTTP GET request to discover the properties of the object. These properties are typically communicated in a structured document with an HTTP Content-Type of XML or JSON, that provides a representation of the state of the object. In a RESTful workflow, documents (representations of object state) are passed back and forth (transferred) between a client and a service with the explicit assumption that neither party need know anything about an entity other than what is presented in a single request or response. The URLs at which these documents are available are often “sticky,” in that they persist beyond the lifetime of the request or response that includes them. The other content of the documents is nominally valid until the expiration date noted in the HTTP Expires header.
Table 1-1. REST API Compatibility Matrix
REST API Version | vShield Manager Version | vShield Appliance Version | Supported?
3.0 | 5.1 | 4.1 | No
3.0 | 5.1 | 5.0 | No
3.0 | 5.1 | 5.1 | Yes
2.0 | 5.1 | 5.0 | Yes
2.0 | 5.1 | 5.1 | No
Using the vShield REST API
You have several choices for programming the vShield REST API: using Firefox, Chrome, or curl. To make XML responses more legible, you can copy and paste them into XML Copy Editor or PSPad.
To use the REST API in Firefox
1 Locate the RESTClient Mozilla add-on, and add it to Firefox.
2 Click Tools > RESTClient to start the add-on.
3 Click Login and enter the vShield login credentials, which then appear encoded in the Request Header.
4 Select a method such as GET, POST, or PUT, and type the URL of a REST API. You might be asked to accept or ignore the lack of SSL certificate. Click Send.
Response Header, Response Body, and Rendered HTML appear in the bottom window.
To use the REST API in Chrome
1 Search the Web to find the Simple REST Client, and add it to Chrome.
2 Click its globe-like icon to start it in a tab.
3 The Simple REST Client provides no certificate checking interface, so use another Chrome tab to accept or ignore the lack of SSL certificate.
4 Type the URL of a REST API, and select a method such as GET, POST, or PUT.
5 In the Headers field, type the basic authorization line, as in the Important note above. Click Send.
Status, Headers, and Data appear in the Response window.
To use the REST API in curl
1 Install curl if not already installed.
2 In front of the REST URL, the -k option avoids certificate checking, and the -u option specifies credentials.
curl -k -u admin:default https://<vsm-ip>/api/2.0/services/usermgmt/user/admin
Ports Required for vShield REST API
The vShield Manager requires port 443/TCP for REST API requests.
IMPORTANT All vShield REST requests require authorization. The default vShield Manager login credentials are user admin, password default. Unless you changed these, you can use the following basic authorization, where YWRtaW46ZGVmYXVsdA== is the Base64 encoding of the default credentials admin:default.
Authorization: Basic YWRtaW46ZGVmYXVsdA==
About the REST API
REST APIs use HTTP requests (often sent by script or high-level language) as a way of making idempotent remote procedure calls that create, modify, or delete objects defined by the API. A REST API is defined by a collection of XML documents that represent the objects on which the API operates. The HTTP operations themselves are generic to all HTTP clients. To write a RESTful client, you should understand HTTP protocol and the semantics of standard HTML markup. For vShield REST API, you must know three things:
The set of objects that the API supports, and what they represent. For example, what are vDC and Org?
How the API represents these objects. For instance, what is the XML schema for the vShield Edge firewall rule set? What do the individual elements and attributes represent?
How the client refers to an object on which it wants to operate. For example, what is a managed object ID?
To answer these questions, you look at vShield API resource schemas. These schemas define a number of XML types, many of which are extended by other types. The XML elements defined in these schemas, along with their attributes and composition rules (minimum and maximum number of elements or attributes, or the prescribed hierarchy with which elements can be nested) represent the data structures of vShield objects. A client can “read” an object by making an HTTP GET request to the object's resource URL. A client can “write” (create or modify) an object with an HTTP PUT or POST request that includes a new or changed XML body document for the object. Usually a client can delete an object with an HTTP DELETE request.
This document presents example requests and responses, and provides reference information on the XML schemas that define the request and response bodies.
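The Basic authorization header and the GET /api/versions call above, as an added Python example that is not part of the guide: the Manager host name, the CA bundle path and the abridged sample response are constructed, and the parser accepts both the value="…" form of Example 1-1 and the version="…" form of Examples 1-2 and 1-3. Unlike curl -k, the request is prepared to verify the Manager's certificate against a CA bundle.

```python
"""Added example (not from the vShield guide): a small client for the vShield
Manager REST API showing the Basic authorization header and a parser for the
GET /api/versions response of Example 1-1."""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

VSM_HOST = "vsm.example.internal"   # assumed address of the vShield Manager (<vsm-ip>)


def basic_auth_header(user, password):
    """Return the Authorization header value: 'Basic ' + base64(user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def tls_context(ca_bundle):
    """Verify the Manager's certificate against a CA bundle instead of skipping
    verification as curl -k does; ca_bundle is an assumed PEM file path."""
    return ssl.create_default_context(cafile=ca_bundle)


def build_request(path, user, password, method="GET", body=None):
    """Prepare an authenticated request for https://<vsm-ip><path>; nothing is sent here."""
    req = urllib.request.Request(f"https://{VSM_HOST}{path}", data=body, method=method)
    req.add_header("Authorization", basic_auth_header(user, password))
    req.add_header("Accept", "application/xml")
    if body is not None:
        req.add_header("Content-Type", "application/xml")
    return req


def parse_versions(xml_text):
    """Map API version -> {module name: baseUri}.

    Accepts both <version value="2.1"> (Example 1-1) and
    <version version="2.0"> (Examples 1-2 and 1-3)."""
    root = ET.fromstring(xml_text)
    versions = {}
    for version in root.findall("version"):
        number = version.get("value") or version.get("version")
        versions[number] = {m.get("name"): m.get("baseUri") for m in version.findall("module")}
    return versions


def module_base_uri(versions, module_name):
    """Return the baseUri advertised for a module, or None if the Manager does not offer it."""
    for modules in versions.values():
        if module_name in modules:
            return modules[module_name]
    return None


# Constructed sample response, abridged from Example 1-1.
SAMPLE_VERSIONS = """<versions>
  <version value="2.1">
    <module name="VshieldAppGlobal" baseUri="/api/2.1/app" version="2.1"/>
    <module name="Flow" baseUri="/api/2.1/app/flow" version="2.1"/>
  </version>
  <version value="2.0">
    <module name="UserMgmt" baseUri="/api/2.0/services/usermgmt" version="2.0"/>
    <module name="AuditLog" baseUri="/api/2.0/auditlog" version="2.0"/>
  </version>
</versions>"""


if __name__ == "__main__":
    req = build_request("/api/versions", "admin", "default")
    print(req.get_method(), req.full_url, req.get_header("Authorization"))
    # Against a live Manager (assumed CA bundle path):
    # with urllib.request.urlopen(req, context=tls_context("vsm-ca.pem")) as resp:
    #     versions = parse_versions(resp.read().decode("utf-8"))
    versions = parse_versions(SAMPLE_VERSIONS)
    print(versions)
    print("UserMgmt lives at", module_base_uri(versions, "UserMgmt"))
```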
RESTful Workflow Patterns
All RESTful workflows fall into a pattern that includes only two fundamental operations, which you repeat in this order for as long as necessary.
Make an HTTP request (GET, PUT, POST, or DELETE). The target of this request is either a well-known URL (such as vShield Manager) or a link obtained from the response to a previous request. For example, a GET request to an Org URL returns links to vDC objects contained by the Org.
Examine the response, which can be an XML document or an HTTP response code. If the response is an XML document, it may contain links or other information about the state of an object. If the response is an HTTP response code, it indicates whether the request succeeded or failed, and may be accompanied by a URL that points to a location from which additional information can be retrieved.
For More Information About REST
For a comprehensive discussion of REST from both client and server perspectives, see RESTful Web Services by Leonard Richardson and Sam Ruby, published 2007 by O'Reilly Media.
There are also many sources of information about REST on the Web, including:
http://www.infoq.com/articles/rest-introduction
http://www.infoq.com/articles/subbu-allamaraju-rest
http://www.stucharlton.com/blog/archives/000141.html
2 vShield Manager Management
The vShield Manager requires communication with your vCenter Server and services such as DNS and NTP to provide details on your VMware Infrastructure inventory.
The chapter includes the following topics:
“Synchronizing vShield Manager with vCenter Server, SSO, and DNS” on page 19
“Querying vShield Manager Global Configuration” on page 21
“Resetting the Local Account Password” on page 21
“Monitoring vShield Manager Reachability” on page 23
“Working with vShield Manager Syslog Server Configuration” on page 23
“Querying vShield Manager Logs” on page 24
“Querying vShield Manager Tech Support Log” on page 24
“User Management” on page 24
“Role Management” on page 28
“Creating IPset and MACset Containers” on page 31
“Security Group Scope and Members” on page 34
“Transport Set for Services” on page 37
“Querying Object IDs” on page 45
IMPORTANT All vShield REST requests require authorization. See “Using the vShield REST API” on page 16 for details about basic authorization.
Synchronizing vShield Manager with vCenter Server, SSO, and DNS
You can synchronize the vShield Manager with the vCenter Server, add DNS servers to the vShield Manager for IP address and hostname resolution, configure the time zone, and add an NTP server. Synchronizing with vCenter Server enables the vShield Manager user interface to display your VMware Infrastructure inventory, and requires its IP address (or URL) and administrator login credentials. For the vcInfo schema and the dnsInfo schema, see “vShield Manager Global Configuration Schema” on page 219.
Example 2-1. Synchronize the vShield Manager with vCenter server and SSO and identify DNS services
Request:
POST https://<vsm-ip>/api/2.0/global/config
Request Body:
<vsmGlobalConfig xmlns="vmware.vshield.edge.2.0">
  <ssoInfo>
    <lookupServiceUrl>https://<SSO IP or Host name>:7444/lookupservice/sdk</lookupServiceUrl>
    <ssoAdminUserName>admin@System-Domain</ssoAdminUserName>
    <ssoAdminPassword></ssoAdminPassword>
  </ssoInfo>
  <vcInfo>
    <ipAddress>VC_IP</ipAddress>
    <userName>admin</userName>
    <password></password>
  </vcInfo>
  <dnsInfo>
    <primaryDns>10.112.192.1</primaryDns>
    <secondaryDns>10.112.192.2</secondaryDns>
  </dnsInfo>
</vsmGlobalConfig>
Specifying DNS information is optional. You can synchronize vShield Manager with just vCenter Server.
Example 2-2. Synchronize the vShield Manager with vCenter server and SSO
Request:
POST https://<vsm-ip>/api/2.0/global/config
Request Body:
<vsmGlobalConfig xmlns="vmware.vshield.edge.2.0">
  <ssoInfo>
    <lookupServiceUrl>https://<SSO IP or Host name>:7444/lookupservice/sdk</lookupServiceUrl>
    <ssoAdminUserName>admin@System-Domain</ssoAdminUserName>
    <ssoAdminPassword></ssoAdminPassword>
  </ssoInfo>
  <vcInfo>
    <ipAddress>VC_IP</ipAddress>
    <userName>admin</userName>
    <password></password>
  </vcInfo>
</vsmGlobalConfig>
Example 2-3. Synchronize the vShield Manager with vCenter Server
Request:
POST https://<vsm-ip>/api/2.0/global/config
Request Body:
<vsmGlobalConfig xmlns="vmware.vshield.edge.2.0">
  <vcInfo>
    <ipAddress>10.112.196.22</ipAddress>
    <userName>administrator</userName>
    <password>123</password>
  </vcInfo>
</vsmGlobalConfig>
Example 2-4. Configure NTP server
Request:
POST https://<vsm-ip>/api/2.0/global/config
Request Body:
<vsmGlobalConfig xmlns="vmware.vshield.edge.2.0">
  <timeInfo>
    <ntpServer>10.112.196.2</ntpServer>
  </timeInfo>
</vsmGlobalConfig>
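The vsmGlobalConfig bodies of Examples 2-1 to 2-4, as an added Python example that is not the guide's own code: it builds the body with every section optional, so the same function produces the full Example 2-1 body or the timeInfo-only body of Example 2-4, and it blanks the password elements before a body is logged or diffed. The sample values are the guide's placeholders; the SSO host name and the summarize/redact helpers are assumptions.

```python
"""Added example (not from the vShield guide): build and inspect the
vsmGlobalConfig body that Examples 2-1 to 2-4 POST to /api/2.0/global/config."""
import xml.etree.ElementTree as ET

NS = "vmware.vshield.edge.2.0"     # namespace from the guide's request bodies
SECRET_TAGS = {"password", "ssoAdminPassword"}
ET.register_namespace("", NS)      # serialize with a default xmlns, as in the guide


def _q(tag):
    """Qualified tag name inside the vShield namespace."""
    return f"{{{NS}}}{tag}"


def _local(tag):
    """Strip the namespace from a parsed tag name."""
    return tag.split("}", 1)[-1]


def _child(parent, tag, text=None):
    el = ET.SubElement(parent, _q(tag))
    el.text = text
    return el


def build_global_config(vc_ip=None, vc_user=None, vc_password=None,
                        sso_url=None, sso_user=None, sso_password=None,
                        dns=(), ntp_server=None):
    """Return the request body as bytes. Every section is optional (Example 2-3
    sends only vcInfo, Example 2-4 only timeInfo); at least one is required."""
    root = ET.Element(_q("vsmGlobalConfig"))
    if sso_url is not None:
        sso = _child(root, "ssoInfo")
        _child(sso, "lookupServiceUrl", sso_url)
        _child(sso, "ssoAdminUserName", sso_user)
        _child(sso, "ssoAdminPassword", sso_password)
    if vc_ip is not None:
        vc = _child(root, "vcInfo")
        _child(vc, "ipAddress", vc_ip)
        _child(vc, "userName", vc_user)
        _child(vc, "password", vc_password)
    if dns:
        dns_info = _child(root, "dnsInfo")
        _child(dns_info, "primaryDns", dns[0])
        if len(dns) > 1:
            _child(dns_info, "secondaryDns", dns[1])
    if ntp_server is not None:
        _child(_child(root, "timeInfo"), "ntpServer", ntp_server)
    if len(root) == 0:
        raise ValueError("vsmGlobalConfig needs at least one of ssoInfo, vcInfo, dnsInfo, timeInfo")
    return ET.tostring(root, encoding="utf-8")


def summarize_global_config(body):
    """Parse a body back into {section: {field: value}} with secret fields left out."""
    root = ET.fromstring(body)
    return {
        _local(section.tag): {_local(f.tag): f.text for f in section
                              if _local(f.tag) not in SECRET_TAGS}
        for section in root
    }


def redact_secrets(body):
    """Blank password elements so the body can be logged or diffed safely."""
    root = ET.fromstring(body)
    for el in root.iter():
        if _local(el.tag) in SECRET_TAGS and el.text:
            el.text = "***"
    return ET.tostring(root, encoding="utf-8")


if __name__ == "__main__":
    # Values are the guide's placeholders from Examples 2-1, 2-3 and 2-4;
    # the SSO host name is assumed.
    body = build_global_config(
        vc_ip="10.112.196.22", vc_user="administrator", vc_password="123",
        sso_url="https://sso.example.internal:7444/lookupservice/sdk",
        sso_user="admin@System-Domain", sso_password="",
        dns=("10.112.192.1", "10.112.192.2"), ntp_server="10.112.196.2")
    print(redact_secrets(body).decode("utf-8"))
    print(summarize_global_config(body))
```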