vShield API Programming Guide
vShield 5.1
vShield App 5.1
vShield Edge 5.1
vShield Endpoint 5.1
This document supports the version of each product listed and
supports all subsequent versions until the document is replaced
by a new edition. To check for more recent editions of this
document, see http://www.vmware.com/support/pubs.
EN-000869-02
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
2 VMware, Inc.
vShield API Programming Guide
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright © 2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and
intellectual property laws. VMware products are covered by one or more patents listed at
http://www.vmware.com/go/patents.
VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks
and names mentioned herein may be trademarks of their respective companies.
Contents

About This Book 11

1 Overview of VMware vShield 13
  vShield Components 13
    vShield Manager 13
    vShield App 13
    vShield Edge 14
    vShield Endpoint 14
    vShield Data Security 14
  Compatibility Between Different REST API Versions 14
    REST API Version 2.0 in vShield 5.0 14
    Multitenancy 15
  An Introduction to REST API for vShield Users 15
    How REST Works 15
    Using the vShield REST API 16
    Ports Required for vShield REST API 16
    About the REST API 16
    RESTful Workflow Patterns 17
    For More Information About REST 17

2 vShield Manager Management 19
  Synchronizing vShield Manager with vCenter Server, SSO, and DNS 19
  Querying vShield Manager Global Configuration 21
  Resetting the Local Account Password 21
    Add Security Profile 21
    Get Security Profile 22
    Get Password Hint Questions 22
    Reset Password 22
  Monitoring vShield Manager Reachability 23
  Working with vShield Manager Syslog Server Configuration 23
    Configure vShield Manager Syslog Server 23
    Get vShield Manager Syslog Server Configuration 23
    Delete vShield Manager Syslog Server Configuration 23
  Querying vShield Manager Logs 24
    Get vShield Manager System Events 24
    Get vShield Manager Audit Logs 24
  Querying vShield Manager Tech Support Log 24
  User Management 24
    Get Information About a User 25
    Create a Local User on vShield Manager 25
    Update a Local User Account 26
    Enable or Disable a User Account 26
    Delete a User Account 26
  Role Management 28
    Get Role for a User 28
    Get Roles for vShield Manager 28
    Add Role and Resources for a User 29
    Change User Role 29
    Get List of Possible Roles 30
    Get List of Scoping Objects 30
    Delete User Role 31
  Creating IPset and MACset Containers 31
    List IPsets Created on a Scope 31
    Create an IPset on a Scope 31
    Get Details of an IPset 32
    Modify an Existing IPset 32
    Delete an IPset 32
    List MACsets Created on a Scope 33
    Create a MACset on a Scope 33
    Get Details of a MACset 33
    Modify an Existing MACset 34
    Delete a MACset 34
  Security Group Scope and Members 34
    List Security Groups Created on a Scope 34
    Create Security Group on a Scope 35
    Get Members for a Scope 35
    Get Security Group Details 35
    Modify a Security Group 36
    Delete a Security Group 37
    Add Member to Security Group 37
    Delete Member from Security Group 37
  Transport Set for Services 37
    Working with Service Groups 37
      List Service Groups on a Scope 37
      Add Service Group to a Scope 38
      Get Details of a Service Group 40
      Modify Service Group Details 40
      Delete Service Group from Scope 41
    Working with Services 41
      List Services on a Scope 41
      Add Service to a Scope 41
      Get Details of a Service 43
      Modify Service Details 43
      Delete Service from Scope 44
    Working with the Members of a Service 44
      Query Service Members 44
      Add a Member to the Service 45
      Delete a Member from the Service 45
  Querying Object IDs 45
    Query Datacenter MOID 45
    Query Datacenter ID 45
    Query Host ID 46
    Query Portgroup ID 46

3 ESX Host Preparation for vShield App, vShield Endpoint, and vShield Data Security 47
  Installing Licenses for vShield Edge, vShield App, and vShield Endpoint 47
  Installing vShield App and vShield Endpoint Services on an ESX Host 47
  Installing vShield Data Security 49
  Upgrading vShield Data Security 49
  Getting the Installation Status of vShield Services on an ESX Host 50
  Uninstalling vShield Services from an ESX Host 50
  Uninstalling vShield Data Security 50
4 vShield Edge Installation and Upgrade 51
  Installing a vShield Edge 51
  Running Queries on all vShield Edges 53
  Upgrading vShield Edge 55
  Deleting a vShield Edge 55

5 vShield Edge Management 57
  Running Queries on a Specific vShield Edge 58
    Query vShield Edge Details 58
    Query vShield Edge Summary 62
    Querying vShield Edge Status 64
  Working with Appliances 66
    Query Appliance Configuration 66
    Modify Appliance Configuration 67
    Change Appliance Size 67
    Manage an Appliance 68
      Query Appliance 68
      Modify Appliance 68
      Delete Appliance 69
  Working with Interfaces 69
    Add Interfaces 69
    Retrieve Interfaces for a vShield Edge 70
    Delete Interfaces 71
    Manage a vShield Interface 71
      Retrieve Interface with Specific Index 71
      Delete Interface Configuration 71
      Modify an Interface 71
    Query Interface Statistics 72
      Query Statistics for all Interfaces 72
      Query Statistics for Uplink Interfaces 73
      Query Statistics for Internal Interfaces 74
    Query Dashboard Statistics 74
  Configuring Edge Services 75
    Configure Firewall 75
      Add Firewall Configuration 75
      Query Firewall Configuration 76
      Delete Firewall Configuration 78
      Append Firewall Rules 78
      Add a Firewall Rule Above a Specific Rule 79
      Query Specific Rule 80
      Modify Firewall Rule 80
      Delete a Firewall Rule 81
      Manage Default Firewall Policy 81
      Query Firewall Statistics 81
      Query Firewall Statistics For a Rule 82
    Configure NAT 82
      Retrieve NAT Rules for a vShield Edge 83
      Delete all NAT Rules 84
      Add a NAT Rule above a Specific Rule 84
      Append NAT Rules 84
      Change a NAT Rule 85
      Delete a Rule 85
    Configure Routing 85
      Configure Static and Default Routes 85
      Query Static and Default Routes 86
      Delete Static and Default Routes 87
      Change Static Routes 87
      Append Static Routes 87
      Delete Static Routes 88
      Configure Default Routes for vShield Edge 88
      Delete Default Routes 88
    Configure DNS Servers 88
      Configure DNS 88
      Retrieve DNS Configuration 89
      Delete DNS Configuration 89
      Retrieve DNS Statistics 90
    Configure DHCP 90
      Query DHCP Configuration 92
      Delete DHCP Configuration 93
      Retrieve DHCP Lease Information 93
      Append IP Pool to DHCP Configuration 93
      Append Static Binding to DHCP Configuration 93
      Delete DHCP Pool 94
      Delete DHCP Static Binding 94
    Configure Certificates 94
      Working with Certificates 94
      Working with Certificate Signing Requests (CSRs) 95
      Working with Certificate Revocation List (CRL) 96
    Configure IPSEC VPN 97
      Retrieve IPSec Configuration 98
      Retrieve IPSec Statistics 99
      Query Tunnel Traffic Statistics 100
      Delete IPSec Configuration 101
    Managing SSL VPN 101
      Enable or Disable SSL VPN 101
      Query SSL VPN Details 101
      Manage Server Settings 102
      Configure Private Networks 102
      Configure Web Resource 105
      Configure Users 107
      Configure IP Pool 109
      Configure Network Extension Client Parameters 111
      Configure Network Extension Client Installation Package 112
      Configure Portal Layouts 116
      Configure Authentication Parameters 118
      Configure SSL VPN Advanced Configuration 120
      Working with Active Clients 121
      Manage Logon and Logoff Scripts 122
      Reconfigure SSL VPN 124
      Query SSL VPN Configuration 128
      Delete SSL VPN Configuration 131
      Query SSL VPN Statistics 131
    Configure Load Balancer 132
      Query Load Balancer Configuration 134
      Query Statistics 135
      Delete Load Balancer Configuration 136
      Manage all Backend Pools 136
      Manage all Virtual Servers 139
      Retrieve Load Balancer Statistics 142
      Enable Layer 4 Mode for Load Balancer 143
    Configure High Availability (HA) 143
      Retrieve High Availability Configuration 144
      Delete High Availability Configuration 144
  Force Syncing vShield Edge 144
  Configuring Advanced Options for vShield Edge 145
    Change AESNI Setting for a vShield Edge 145
    Change FIPS Setting for a vShield Edge 145
    Change Logging Level for vShield Appliance 145
    Manage Auto Configuration Settings 145
      Modify Auto Configuration Settings 145
      Query Auto Configuration Settings 146
    Change TCP Loose Setting 146
  Replacing the Configuration of a vShield Edge 146
  Redeploying vShield Edge Appliances 150
  Managing CLI Credentials and Access 150
    Change CLI Credentials 150
    Change CLI Remote Access 151
  Debugging and Support 151
    Query Technical Support Log 151
    Query vShield Edge Service Statistics 151

6 Working with VXLAN Virtual Wires 155
  Preparing for VXLAN Virtual Wires 155
  Configuring Switches 156
    Prepare Switch 156
    Query Configured Switches 156
    Query Configured Switches on Datacenter 157
    Query Specific Switch 157
    Delete Switch 157
  Working with Cluster Switch Mappings 158
    Map a Cluster to a Switch 158
    Query all Cluster Mappings 158
    Query Mappings by Switch 159
    Query Specific Cluster 159
  Working with EAM Agencies 160
    Install EAM Agency 160
    Synchronize Agency State 160
    Replace Agency Scope 160
    Query Agency by Cluster 161
    Query Agency Status 161
    Query Agency ID for Cluster 161
    Delete Agency 161
    Uninstall Agency Status 161
  Working with Segment IDs 162
    Add a new Segment ID Range 162
    Query all Segment ID Ranges 162
    Query a Specific Segment ID Range 162
    Update a Segment ID Range 163
    Delete a Segment ID Range 163
  Working with Multicast Address Ranges 163
    Add a new Multicast Address Range 163
    Query all Multicast Address Ranges 164
    Get a Specific Multicast Address Range 164
    Update a Multicast Address Range 164
    Delete a Multicast Address Range 165
  Working with Network Scopes 165
    Create a Network Scope 165
    Edit a Network Scope 165
    Update Attributes on a Network Scope 166
    Query existing Network Scopes 166
    Query a Specific Network Scope 166
    Delete a Network Scope 167
  Working with Virtualized Networks 167
    Create a VXLAN Virtual Wire 167
    Query all VXLAN Virtual Wires on a Network Scope 168
    Query all VXLAN Virtual Wires on all Network Scopes 168
    Query a Specific VXLAN Virtual Wire 169
    Delete a VXLAN Virtual Wire 169
  Managing the VXLAN Virtual Wire UDP Port 169
    Get UDP Port 170
    Update UDP Port 170
  Querying Allocated Resources 170
  Testing Multicast Group Connectivity 170
    Test Multicast Group Connectivity in a Network Scope 170
    Test Multicast Group Connectivity in a VXLAN Virtual Wire 171
  Performing Ping Test 171

7 vShield App Management 173
  Modifying the State of a Datacenter 173
    Retrieve Datacenter State 173
    Modify Datacenter State 174
  Configuring Firewall Rules for vCenter 174
  Configuring the vShield App Firewall 174
    Query Firewall Configuration 174
    Add a Firewall Rule 180
    Modify a Firewall Rule 182
    Delete a Firewall Rule 184
    Revert to Default Firewall Configuration 185
  Configuring Fail Safe Mode for vShield App Firewall 185
    Configure Fail Safe Mode for vShield App Firewall 185
    Query Fail Safe Mode Configuration for vShield App Firewall 186
  Working with SpoofGuard 186
    Get SpoofGuard Settings at Context Level 186
    Replace SpoofGuard Settings 186
    Get SpoofGuard IP Settings 187
    Change SpoofGuard IP Settings 187
  Working with Namespaces 188
    Add Namespace in a Datacenter 188
    Get Namespace Details 188
    Delete a Namespace 188
    Show Namespaces in a Datacenter 188
  Getting Flow Statistic Details 189
    Get Flow Statistics 189
    Get Flow Meta Data 191
  Excluding Virtual Machines from vShield App Protection 192
    Add a Virtual Machine to the Exclusion List 192
    Get Virtual Machine Exclusion List 192
    Delete a Virtual Machine from Exclusion List 193
  Configuring Syslog Service for a vShield App 193
  Synchronizing vShield App 194
  Querying vShield App Technical Support Log 194
  Querying vShield App Status 194
  Upgrading vShield App 195

8 vShield Endpoint Management 197
  Overview of Solution Registration 197
  Registering a Solution with vShield Endpoint Service 197
    Register a Vendor 198
    Register a Solution 198
    Altitude of a Solution 198
    IP Address and Port for a Solution 198
    Activate a Solution 199
  Querying Registration Status of vShield Endpoint 199
    Get Vendor Registration 199
    Get Solution Registration 199
    Get IP Address of a Solution 200
    Get Activation Status of a Solution 200
  Querying Activated Security Virtual Machines for a Solution 200
    Query Activated Security Virtual Machines 200
    Query Activation Information 201
  Unregistering a Solution with vShield Endpoint 201
    Unregister a Vendor 201
    Unregister a Solution 201
    Unset IP Address 201
    Deactivate a Solution 202
  Status Codes and Error Schema 202
    Return Status Codes 202
    Error Schema 202

9 vShield Data Security Configuration 205
  vShield Data Security User Roles 205
  Defining a Data Security Policy 206
    Query Regulations 206
    Enable a Regulation 206
    Query Classification Value 207
    Configure a Customized Regex as a Classification Value 207
    View the List of Excludable Areas 207
    Exclude Areas from Policy Inspection 208
    Specify Security Groups to be Scanned 209
    Query Security Groups Being Scanned 209
    Configure File Filters 210
  Saving and Publishing Policies 211
    Query Saved Policy 211
    Query Published Policy 212
    Publish the Updated Policy 212
  Data Security Scanning 212
    Start, Pause, Resume, or Stop a Scan Operation 213
    Query Status for a Scan Operation 213
  Querying Scan Results 213
    Get List of Virtual Machines Being Scanned 214
    Get Number of Virtual Machines Being Scanned 214
    Get Summary Information about the Last Five Scans 215
    Get Information for Virtual Machines Scanned During Previous Scan 215
    Retrieve Information About Previous Scan Results 215
    Get XML Representation of Policy Used for Previous Scan 215
  Querying Violation Details 217
    Get List of Violation Counts 217
    Get List of Violating Files 218
    Get List of Violating Files in CSV Format 219
    Get Violations in Entire Inventory 220

Appendix 221
  vShield Manager Global Configuration Schema 221
  ESX Host Preparation and Uninstallation Schema 226
  vShield App Schemas 227
    vShield App Configuration Schema 227
    vShield App Firewall Schema 227
    vShield App SpoofGuard Schema 230
    vShield App Namespace Schema 232
  Error Message Schema 233
About This Book

This manual, the vShield API Programming Guide, describes how to install, configure, monitor, and maintain the VMware® vShield™ system by using REST API requests. The information includes step-by-step configuration instructions and examples.

Intended Audience

This manual is intended for anyone who wants to use REST API to install or use vShield in a VMware vSphere environment. The information in this manual is written for experienced system administrators who are familiar with virtual machine technology, virtualized datacenter operations, and REST APIs. This manual also assumes familiarity with vShield.

VMware Technical Publications Glossary

VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For definitions of terms as they are used in VMware technical documentation go to http://www.vmware.com/support/pubs.

Document Feedback

VMware welcomes your suggestions for improving our documentation. If you have comments, send your feedback to docfeedback@vmware.com.

vShield Documentation

The following documents comprise the vShield documentation set:
  vShield Administration Guide
  vShield Quick Start Guide
  vShield API Programming Guide, this guide

Technical Support and Education Resources

The following sections describe the technical support resources available to you. To access the current version of this book and other books, go to http://www.vmware.com/support/pubs.

Online and Telephone Support

To use online support to submit technical support requests, view your product and contract information, and register your products, go to http://www.vmware.com/support.

Customers with appropriate support contracts should use telephone support for the fastest response on priority 1 issues. Go to http://www.vmware.com/support/phone_support.

Support Offerings

To find out how VMware support offerings can help meet your business needs, go to http://www.vmware.com/support/services.

VMware Professional Services

VMware Education Services courses offer extensive hands-on labs, case study examples, and course materials designed to be used as on-the-job reference tools. Courses are available on site, in the classroom, and live online. For on-site pilot programs and implementation best practices, VMware Consulting Services provides offerings to help you assess, plan, build, and manage your virtual environment. To access information about education classes, certification programs, and consulting services, go to http://www.vmware.com/services.
1 Overview of VMware vShield

VMware vShield™ is a suite of network-edge and application-aware firewalls built for VMware vCenter Server integration. vShield inspects client-server communications and inter-virtual-machine communications to provide detailed traffic analytics and application-aware firewall protection. It is a critical security component to protect virtualized datacenters from attacks and misuse, and helps achieve compliance-mandated goals.

This chapter includes the following topics:
  “vShield Components” on page 13
  “Compatibility Between Different REST API Versions” on page 14
  “Ports Required for vShield REST API” on page 16
  “An Introduction to REST API for vShield Users” on page 15

This guide assumes you have administrator access to the entire vShield system. If you are unable to access a screen or perform a particular task, consult your vShield administrator.

vShield Components

vShield includes components and services essential for protecting virtual machines in a virtualized datacenter. vShield can be configured with a Web-based user interface, a command line interface (CLI), or a REST API.

To run vShield, you need one vShield Manager virtual appliance and at least one vShield App or vShield Edge virtual appliance. The vShield Manager virtual appliance can run on a different ESX host than the vShield App and vShield Edge virtual appliances.

vShield Manager

vShield Manager is the centralized management component of vShield. You install it as a virtual appliance by deploying an OVA from the vSphere Client. Using vShield Manager's user interface or vSphere Client plug-in, you can install, configure, and maintain vShield appliances. The vShield Manager user interface leverages the vSphere Web Services SDK to display tabs within the vSphere Client inventory panel. For details about the user interface, see the vShield Administration Guide.

vShield App

A vShield App virtual appliance monitors all traffic into and out of an ESX host, and between virtual machines on the host. vShield App provides application-aware traffic analysis and stateful firewall protection, and it regulates traffic based on a set of rules, similar to an access control list (ACL).

As traffic passes through a vShield App, each session header is inspected to catalog the data. The vShield App creates a profile for each virtual machine detailing the operating system, applications, and ports used for network communication. Based on this information, the vShield App allows ephemeral port use by permitting dynamic protocols such as FTP or RPC to pass through, while maintaining lockdown on ports 1024 and higher.

You cannot protect the ESX Service Console, ESXi direct console user interface (DCUI), or the VMkernel with vShield App because these components are not virtual machines.
vShield Edge

vShield Edge provides network edge security and gateway services to isolate a virtualized network, or virtual machines in a port group, vDS port group, or Cisco Nexus 1000V port group. You install a vShield Edge at a datacenter level and can add up to ten internal or uplink interfaces. The vShield Edge connects isolated, stub networks to shared (uplink) networks by providing common gateway services such as DHCP, VPN, NAT, and Load Balancing. Common deployments of vShield Edge include in the DMZ, VPN Extranets, and multi-tenant Cloud environments where the vShield Edge provides perimeter security for Virtual Datacenters (VDCs).

vShield Endpoint

vShield Endpoint offloads antivirus and anti-malware agent processing to a dedicated secure virtual appliance delivered by VMware partners. Since the secure virtual appliance (unlike a guest virtual machine) doesn't go offline, it can continuously update antivirus signatures, thereby giving uninterrupted protection to the virtual machines on the host. Also, new virtual machines (or existing virtual machines that went offline) are immediately protected with the most current antivirus signatures when they come online.

vShield Data Security

vShield Data Security provides visibility into sensitive data stored within your organization's virtualized and cloud environments. Based on the violations reported by vShield Data Security, you can ensure that sensitive data is adequately protected and assess compliance with regulations around the world.
Compatibility Between Different REST API Versions

Each release of the vShield REST API represents a new version of the REST API code with new and changed features. If you are running a previous version of vShield component software, you might not be able to use all of the features of the latest release of the vShield REST API.

NOTE vShield App and vApp are not the same thing. A vApp is a grouping of virtual machines in vSphere, for example a management appliance and a database appliance working together.

CAUTION The REST APIs described in this document can change over time. At this point, vShield does not guarantee forward compatibility.

REST API Version 2.0 in vShield 5.0

Release 5.0 of vShield introduces version 2.0 of the REST API. Many URLs changed from version 1.0 to 2.0. You can determine the API version of a vShield component (such as Edge or App) with the following example REST calls. In the GET request syntax, <vsm-ip> represents the IP address or hostname of vShield Manager.

Example 1-1. Determine the API version of the vShield Manager or vShield Endpoint

GET https://<vsm-ip>/api/versions

<versions>
  <version value="2.1">
    <module name="VshieldAppGlobal" baseUri="/api/2.1/app" version="2.1"/>
    <module name="Flow" baseUri="/api/2.1/app/flow" version="2.1"/>
  </version>
  <version value="2.0">
    <module name="Dlp" baseUri="/api/2.0/dlp" version="2.0"/>
    <module name="Endpoint" baseUri="/api/2.0/endpointsecurity" version="2.0"/>
    <module name="MACSet" baseUri="/api/2.0/services/macset" version="2.0"/>
    <module name="SystemEvent" baseUri="/api/2.0/systemevent" version="2.0"/>
    <module name="AuditLog" baseUri="/api/2.0/auditlog" version="2.0"/>
    <module name="UserMgmt" baseUri="/api/2.0/services/usermgmt" version="2.0"/>
    <module name="Application" baseUri="/api/2.0/services/application" version="2.0"/>
    <module name="IPSet" baseUri="/api/2.0/services/ipset" version="2.0"/>
    <module name="SyslogServer" baseUri="/api/2.0/services/syslog/config" version="2.0"/>
    <module name="SecurityGroup" baseUri="/api/2.0/services/securitygroup" version="2.0"/>
  </version>
</versions>
Example 1-2. Determine the API version of a vShield App
GET https://<vsm-ip>/api/versions/app/<datacenter-id>
<versions>
<version version="2.0">
<module version="2.0" baseUri="/api/2.0/app" id="datacenter-21" name="app"/>
</version>
</versions>
Example 1-3. Determine the API version of a vShield Edge
GET https://<vsm-ip>/api/versions/edge/dvportgroup-63
<versions>
<version version="2.0">
<module version="2.0" baseUri="/api/2.0/networks" id="dvportgroup-63" name="edge"/>
</version>
</versions>
The API version for vShield App is governed by the state of the datacenter in relation to a vShield component. If the datacenter state is in backwardCompatible mode, then it supports only version 1.0 REST calls. If the datacenter state is in regular mode, then it supports only 2.0 REST calls. These API versions are mutually exclusive: only one REST API version is supported at a time.

Table 1-1 lists compatibility between different versions of the REST API, vShield Manager, and the vShield virtual appliances: vShield App, vShield Endpoint, and vShield Edge.

Table 1-1. REST API Compatibility Matrix

  REST API Version   vShield Manager Version   vShield Appliance Version   Supported?
  3.0                5.1                       4.1                         No
  3.0                5.1                       5.0                         No
  3.0                5.1                       5.1                         Yes
  2.0                5.1                       5.0                         Yes
  2.0                5.1                       5.1                         No

Multitenancy

In vShield 5.0, the vShield App firewall configuration supports multitenancy. A single IP address can show up in multiple places in the network (different IP address namespaces) associated with different virtual machines. Only 2.0 REST APIs support multitenancy. In backward compatibility mode, vShield 5.0 supports the old APIs and does not enforce rules with awareness of multitenancy.

If you have written programs using 1.0 REST APIs, you should reconsider whether their design works as intended in the multitenancy scenario. If not, change your programs to use the API 2.0 calls.

An Introduction to REST API for vShield Users

REST, an acronym for Representational State Transfer, is a term that has been widely employed to describe an architectural style characteristic of programs that rely on the inherent properties of hypermedia to create and modify the state of an object that is accessible at a URL.

How REST Works

Once a URL of such an object is known to a client, the client can use an HTTP GET request to discover the properties of the object. These properties are typically communicated in a structured document with an HTTP Content-Type of XML or JSON, that provides a representation of the state of the object. In a RESTful workflow, documents (representations of object state) are passed back and forth (transferred) between a client and a service with the explicit assumption that neither party need know anything about an entity other than what is presented in a single request or response. The URLs at which these documents are available are often “sticky,” in that they persist beyond the lifetime of the request or response that includes them. The other content of the documents is nominally valid until the expiration date noted in the HTTP Expires header.
Using the vShield REST API

IMPORTANT All vShield REST requests require authorization. The default vShield Manager login credentials are user admin, password default. Unless you changed these, you can use the following basic authorization, where YWRtaW46ZGVmYXVsdA== is the Base64 encoding of the default credentials admin:default.

Authorization: Basic YWRtaW46ZGVmYXVsdA==

Base64 is an encoding, not encryption: anyone who can read the request header recovers the credentials. Send REST requests only over a TLS connection whose server certificate you have verified, and change the default admin password before exposing vShield Manager to any network you do not fully control.

You have several choices for programming the vShield REST API: using Firefox, Chrome, or curl. To make XML responses more legible, you can copy and paste them into xmlcopyeditor or pspad.

To use the REST API in Firefox
1 Locate the RESTClient Mozilla add-on, and add it to Firefox.
2 Click Tools > RESTClient to start the add-on.
3 Click Login and enter the vShield login credentials, which then appear encoded in the Request Header.
4 Select a method such as GET, POST, or PUT, and type the URL of a REST API. You might be asked to accept or ignore the lack of SSL certificate. Click Send.
Response Header, Response Body, and Rendered HTML appear in the bottom window.

To use the REST API in Chrome
1 Search the Web to find the Simple REST Client, and add it to Chrome.
2 Click its globe-like icon to start it in a tab.
3 The Simple REST Client provides no certificate checking interface, so use another Chrome tab to accept or ignore the lack of SSL certificate.
4 Type the URL of a REST API, and select a method such as GET, POST, or PUT.
5 In the Headers field, type the basic authorization line, as in the Important note above. Click Send.
Status, Headers, and Data appear in the Response window.

To use the REST API in curl
1 Install curl if not already installed.
2 In front of the REST URL, the -k option avoids certificate checking, and the -u option specifies credentials.
curl -k -u admin:default https://<vsm-ip>/api/2.0/services/usermgmt/user/admin
The -k option disables verification of the vShield Manager certificate, so anyone able to intercept the connection can present their own certificate and read the Basic credentials. Use it only against a lab system. Elsewhere, export the vShield Manager certificate (or the CA that issued it) and pass it to curl with --cacert instead of -k.

Ports Required for vShield REST API

The vShield Manager requires port 443/TCP for REST API requests.

About the REST API

REST APIs use HTTP requests (often sent by script or high-level language) as a way of making remote procedure calls that create, modify, or delete objects defined by the API. GET, PUT, and DELETE are idempotent; a POST that creates an object is not, so a client should not blindly retry a POST whose response it did not receive. A REST API is defined by a collection of XML documents that represent the objects on which the API operates. The HTTP operations themselves are generic to all HTTP clients. To write a RESTful client, you should understand HTTP protocol and the semantics of standard HTML markup. For vShield REST API, you must know three things:
  The set of objects that the API supports, and what they represent. For example, what are vDC and Org?
  How the API represents these objects. For instance, what is the XML schema for the vShield Edge firewall ruleset? What do the individual elements and attributes represent?
  How the client refers to an object on which it wants to operate. For example, what is a managed object ID?

To answer these questions, you look at vShield API resource schemas. These schemas define a number of XML types, many of which are extended by other types. The XML elements defined in these schemas, along with their attributes and composition rules (minimum and maximum number of elements or attributes, or the prescribed hierarchy with which elements can be nested) represent the data structures of vShield objects. A client can “read” an object by making an HTTP GET request to the object's resource URL. A client can “write” (create or modify) an object with an HTTP PUT or POST request that includes a new or changed XML body document for the object. Usually a client can delete an object with an HTTP DELETE request.

This document presents example requests and responses, and provides reference information on the XML schemas that define the request and response bodies.
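The following is an added example, not code from the vShield guide or from VMware, tying together the version discovery of Examples 1-1 to 1-3 and the Basic-authorization and curl notes of this chapter. It builds the Authorization header the guide shows, fetches a resource over TLS with the Manager's certificate verified (the alternative to curl -k), and parses the /api/versions document so that scripts take each module's baseUri from the Manager instead of hard-coding /api/2.0/... paths that changed between releases. The host name vsm.example.test, the CA bundle path, and the abbreviated sample response are constructed for illustration.

```python
"""Added example (not from the vShield guide): minimal vShield Manager REST
client that builds the Basic Authorization header, verifies the Manager's
TLS certificate, and discovers module base URIs from GET /api/versions."""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample: an abbreviated GET /api/versions body in the shape
# shown in Example 1-1 of the guide (not a captured response).
SAMPLE_VERSIONS_XML = """<versions>
  <version value="2.1">
    <module name="VshieldAppGlobal" baseUri="/api/2.1/app" version="2.1"/>
    <module name="Flow" baseUri="/api/2.1/app/flow" version="2.1"/>
  </version>
  <version value="2.0">
    <module name="UserMgmt" baseUri="/api/2.0/services/usermgmt" version="2.0"/>
    <module name="IPSet" baseUri="/api/2.0/services/ipset" version="2.0"/>
  </version>
</versions>"""


def basic_auth_header(user: str, password: str) -> str:
    """Value of the Authorization header for HTTP Basic auth.
    Base64 only encodes the secret; TLS is what protects it in transit."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def _vertuple(ver: str) -> tuple:
    """'2.1' -> (2, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in ver.split("."))


def parse_versions(xml_text: str) -> dict:
    """Map module name -> (api version, baseUri) from a /api/versions body.
    If a module is advertised under several versions, keep the highest."""
    modules = {}
    root = ET.fromstring(xml_text)
    for version in root.findall("version"):
        for module in version.findall("module"):
            name = module.get("name")
            ver = module.get("version") or version.get("value")
            uri = module.get("baseUri")
            if name not in modules or _vertuple(ver) > _vertuple(modules[name][0]):
                modules[name] = (ver, uri)
    return modules


def module_url(vsm_host: str, modules: dict, module_name: str, path: str = "") -> str:
    """Full URL for a resource under a module discovered via parse_versions().
    Raises KeyError if the Manager does not advertise that module."""
    if module_name not in modules:
        raise KeyError(f"module {module_name!r} not advertised by vShield Manager")
    _, base_uri = modules[module_name]
    return f"https://{vsm_host}{base_uri}{path}"


def vsm_get(vsm_host: str, path: str, user: str, password: str, cafile: str) -> bytes:
    """GET a vShield Manager resource on 443/TCP, verifying the server
    certificate chain and host name against the given CA bundle.
    This performs a network call and is not used by the offline checks."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(f"https://{vsm_host}{path}")
    req.add_header("Authorization", basic_auth_header(user, password))
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read()


if __name__ == "__main__":
    # Offline demonstration on the constructed sample response.
    mods = parse_versions(SAMPLE_VERSIONS_XML)
    print(basic_auth_header("admin", "default"))
    print(module_url("vsm.example.test", mods, "UserMgmt", "/user/admin"))
    # Live use against an assumed host and CA file:
    # body = vsm_get("vsm.example.test", "/api/versions", "admin", "...", "/etc/ssl/vsm-ca.pem")
    # mods = parse_versions(body.decode("utf-8"))
```

The header-building function reproduces the guide's value for admin:default exactly, which is a useful check that a script is encoding credentials the way the Manager expects; the rest of the block replaces the two things a practitioner should not carry from the curl one-liner into production, namely skipped certificate verification and hard-coded API paths.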
RESTful Workflow Patterns

All RESTful workflows fall into a pattern that includes only two fundamental operations, which you repeat in this order for as long as necessary.
  Make an HTTP request (GET, PUT, POST, or DELETE). The target of this request is either a well-known URL (such as vShield Manager) or a link obtained from the response to a previous request. For example, a GET request to an Org URL returns links to vDC objects contained by the Org.
  Examine the response, which can be an XML document or an HTTP response code. If the response is an XML document, it may contain links or other information about the state of an object. If the response is an HTTP response code, it indicates whether the request succeeded or failed, and may be accompanied by a URL that points to a location from which additional information can be retrieved.

For More Information About REST

For a comprehensive discussion of REST from both client and server perspectives, see RESTful Web Services by Leonard Richardson and Sam Ruby, published 2007 by O'Reilly Media.

There are also many sources of information about REST on the Web, including:
  http://www.infoq.com/articles/rest-introduction
  http://www.infoq.com/articles/subbu-allamaraju-rest
  http://www.stucharlton.com/blog/archives/000141.html
2 vShield Manager Management

The vShield Manager requires communication with your vCenter Server and services such as DNS and NTP to provide details on your VMware Infrastructure inventory.

IMPORTANT All vShield REST requests require authorization. See “Using the vShield REST API” on page 16 for details about basic authorization.

The chapter includes the following topics:
  “Synchronizing vShield Manager with vCenter Server, SSO, and DNS” on page 19
  “Querying vShield Manager Global Configuration” on page 21
  “Resetting the Local Account Password” on page 21
  “Monitoring vShield Manager Reachability” on page 23
  “Working with vShield Manager Syslog Server Configuration” on page 23
  “Querying vShield Manager Logs” on page 24
  “Querying vShield Manager Tech Support Log” on page 24
  “User Management” on page 24
  “Role Management” on page 28
  “Creating IPset and MACset Containers” on page 31
  “Security Group Scope and Members” on page 34
  “Transport Set for Services” on page 37
  “Querying Object IDs” on page 45

Synchronizing vShield Manager with vCenter Server, SSO, and DNS

You can synchronize the vShield Manager with the vCenter Server, add DNS servers to the vShield Manager for IP address and hostname resolution, configure the time zone, and add an NTP server. Synchronizing with vCenter Server enables the vShield Manager user interface to display your VMware Infrastructure inventory, and requires its IP address (or URL) and administrator login credentials. vShield Manager stores these credentials and acts on vCenter Server with them, so give it a dedicated vCenter service account rather than a personal administrator login, and send this request only over a verified TLS connection: the request body carries the vCenter and SSO passwords in clear text. For the vcInfo schema and the dnsInfo schema, see “vShield Manager Global Configuration Schema” on page 221.

Example 2-1. Synchronize the vShield Manager with vCenter Server and SSO and identify DNS services

Request:
POST https://<vsm-ip>/api/2.0/global/config

Request Body:
<vsmGlobalConfig xmlns="vmware.vshield.edge.2.0">
  <ssoInfo>
    <lookupServiceUrl>https://<SSO IP or Host name>:7444/lookupservice/sdk</lookupServiceUrl>
    <ssoAdminUserName>admin@System-Domain</ssoAdminUserName>
    <ssoAdminPassword></ssoAdminPassword>
  </ssoInfo>
  <vcInfo>
    <ipAddress>VC_IP</ipAddress>
    <userName>admin</userName>
    <password></password>
  </vcInfo>
  <dnsInfo>
    <primaryDns>10.112.192.1</primaryDns>
    <secondaryDns>10.112.192.2</secondaryDns>
  </dnsInfo>
</vsmGlobalConfig>
Specifying DNS information is optional. You can synchronize vShield Manager with just vCenter Server.

Example 2-2. Synchronize the vShield Manager with vCenter Server and SSO

Request:
POST https://<vsm-ip>/api/2.0/global/config

Request Body:
<vsmGlobalConfig xmlns="vmware.vshield.edge.2.0">
  <ssoInfo>
    <lookupServiceUrl>https://<SSO IP or Host name>:7444/lookupservice/sdk</lookupServiceUrl>
    <ssoAdminUserName>admin@System-Domain</ssoAdminUserName>
    <ssoAdminPassword></ssoAdminPassword>
  </ssoInfo>
  <vcInfo>
    <ipAddress>VC_IP</ipAddress>
    <userName>admin</userName>
    <password></password>
  </vcInfo>
</vsmGlobalConfig>

Example 2-3. Synchronize the vShield Manager with vCenter Server

Request:
POST https://<vsm-ip>/api/2.0/global/config

Request Body:
<vsmGlobalConfig xmlns="vmware.vshield.edge.2.0">
  <vcInfo>
    <ipAddress>10.112.196.22</ipAddress>
    <userName>administrator</userName>
    <password>123</password>
  </vcInfo>
</vsmGlobalConfig>
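The following is an added example, not code from the vShield guide or from VMware, for the vsmGlobalConfig bodies of Examples 2-1 to 2-4. Hand-written XML like the examples above breaks as soon as a vCenter password contains <, & or a quote, and a password pasted into the body, as in Example 2-3, ends up in scripts and shell history. The block builds the body with an XML library (correct escaping, optional ssoInfo/dnsInfo/timeInfo sections only when supplied) and reads the vCenter password from an environment variable. Element names and the namespace are taken from the guide; the VC_PASSWORD variable name, the hypothetical addresses and the round-trip helper are assumptions for this example.

```python
"""Added example (not from the vShield guide): build the vsmGlobalConfig
request body for POST /api/2.0/global/config with xml.etree so that
credentials are escaped correctly and optional sections are emitted only
when given.  The vCenter password is read from the environment."""
import os
import xml.etree.ElementTree as ET

VSM_NS = "vmware.vshield.edge.2.0"  # namespace used by the guide's examples


def build_global_config(vc_ip, vc_user, vc_password,
                        sso_lookup_url=None, sso_user=None, sso_password=None,
                        primary_dns=None, secondary_dns=None, ntp_server=None):
    """Return the vsmGlobalConfig body (bytes).  ssoInfo, dnsInfo and
    timeInfo are optional, matching Examples 2-1 to 2-4 of the guide."""
    root = ET.Element("vsmGlobalConfig", xmlns=VSM_NS)
    if sso_lookup_url:
        sso = ET.SubElement(root, "ssoInfo")
        ET.SubElement(sso, "lookupServiceUrl").text = sso_lookup_url
        ET.SubElement(sso, "ssoAdminUserName").text = sso_user
        ET.SubElement(sso, "ssoAdminPassword").text = sso_password
    vc = ET.SubElement(root, "vcInfo")
    ET.SubElement(vc, "ipAddress").text = vc_ip
    ET.SubElement(vc, "userName").text = vc_user
    ET.SubElement(vc, "password").text = vc_password  # escaped by ET
    if primary_dns:
        dns = ET.SubElement(root, "dnsInfo")
        ET.SubElement(dns, "primaryDns").text = primary_dns
        if secondary_dns:
            ET.SubElement(dns, "secondaryDns").text = secondary_dns
    if ntp_server:
        time_info = ET.SubElement(root, "timeInfo")
        ET.SubElement(time_info, "ntpServer").text = ntp_server
    return ET.tostring(root, encoding="utf-8")


def config_from_env(vc_ip, vc_user="administrator", **extra):
    """Build the body with the vCenter password taken from VC_PASSWORD
    (assumed variable name) so it never sits in source or shell history."""
    password = os.environ.get("VC_PASSWORD")
    if not password:
        raise RuntimeError("VC_PASSWORD is not set")
    return build_global_config(vc_ip, vc_user, password, **extra)


def parse_vc_info(xml_bytes):
    """Inverse helper for checking: return {elementName: text} for vcInfo.
    Child tags carry the namespace after parsing, so it is stripped here."""
    root = ET.fromstring(xml_bytes)
    vc = root.find(f"{{{VSM_NS}}}vcInfo")
    return {child.tag.split("}", 1)[1]: child.text for child in vc}


if __name__ == "__main__":
    # Constructed values; the awkward password shows the escaping at work.
    body = build_global_config("10.112.196.22", "svc-vshield", 'p<a&ss"w',
                               primary_dns="10.112.192.1",
                               ntp_server="10.112.196.2")
    print(body.decode("utf-8"))
    # POST this body to https://<vsm-ip>/api/2.0/global/config with the
    # Basic Authorization header over a verified TLS connection.
```

The body produced for the constructed values matches the element layout of Example 2-1 minus the ssoInfo block, with the password serialized as p&lt;a&amp;ss"w; parsing it back with parse_vc_info returns the original string, which is the property a hand-assembled body does not have.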
Example 2-4. Configure NTP server

Request:
POST https://<vsm-ip>/api/2.0/global/config

Request Body:
<vsmGlobalConfig xmlns="vmware.vshield.edge.2.0">
  <timeInfo>
    <ntpServer>10.112.196.2</ntpServer>
/