Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 11 replies
  • Subscribers 28 subscribers
  • Views 3873 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Changing HTTPS Certificate with API

Sire Williamson

I'm trying to automate the HTTPS certificate renewals for a half dozen dev environments using the XG API, and I've figured out how to update a certificate. 
I also know that I need to make sure that no rule is 'using' the certificate, in order to update it.
I've created a self signed certificate that is good for 40 years, which I use temporarily while updating the certificate I need to. My process is three steps.

1 Edit firewall rule to use template certificate.

2 Update 'real' certificate.

3 Edit rule to use 'real' certificate again.

I've got step 2 working with this xml

<Request APIVersion="1702.1">
    <Login>
        <Username>user</Username>
        <Password>pass</Password>
    </Login>
    <Set operation="update">
        <Certificate>
            <Action>UploadCertificate</Action>
            <Name>Cert_Name</Name>
            <CertificateFormat>pem</CertificateFormat>
            <CertificateFile>cert.pem</CertificateFile>
            <PrivateKeyFile>priv.key</PrivateKeyFile>
        </Certificate>
    </Set>
</Request>

The trouble is, the documentation for XG 17.1/.5 API does not clearly explain what the XML hierarchy is for editing/updating a rule. There is no explanation as to which items are attributes and which items are parameters. There is no indication of case sensitivity, and no explanation of weather 'required' fields are actually required for the update/edit you need to do. In fact, I can't even figure out if my "Set" element needs to have the operation attribute or not, and if so should it be "update" or "edit", or "Edit Firewall Rule". Lets just say, the documentation for the api is near useless.

I'm hoping I can find someone that can clearly explain what elements and attributes I need to use to change a rule to use a different certificate.

Here is what I have so far.

<Request APIVersion="1702.1">
<Login>
<Username>user</Username>
<Password>pass</Password>
</Login>
<Set operation="Edit">
<SecurityPolicy>
<Name>Dev_Http_Rule</Name>
<Status>1</Status>
<IPFamily>IPv4</IPFamily>
<Position>after</Position>
<After>
<Name>Other_Dev_Http_Rule</Name>
</After>
<PolicyType>HTTPBased</PolicyType>
<HTTPBasedPolicy>
<HostedAddress>#Port2</HostedAddress>
<HTTPS>1</HTTPS>
<RedirectHTTP>1</RedirectHTTP>
<ListenPort>443</ListenPort>
<HTTPSCertificate>Development_Template_Key</HTTPSCertificate>
<Domains>
<Domain>d1.com</Domain>
<Domain>d2.com</Domain>
<Domain>d3.com</Domain>
<Domain>d4.com</Domain>
</Domains>
<AllowFrom>
<Address>Any IPv4</Address>
</AllowFrom>
<AccessPaths>0</AccessPaths>
<Exceptions>0</Exceptions>
</HTTPBasedPolicy>
<Protection>Development Security</Protection>
<IntrusionPrevention>dmzpolicy</IntrusionPrevention>
<TrafficShapingPolicy>None</TrafficShapingPolicy>
<PassHostHeader>1</PassHostHeader>
</SecurityPolicy>
</Set>
</Request>

This is the error, with no meaning to me, that I am getting.

<Response APIVersion="1702.1" IPS_CAT_VER="1">
<Login>
<status>Authentication Successful</status>
</Login>
<SecurityPolicy transactionid="">
<Status code="501">Configuration parameters validation failed.</Status>
<InvalidParams/>
</SecurityPolicy>
</Response>



This thread was automatically locked due to age.
Parents
  • +1

    First of all, you need to touch all elements of an objects, in case you want to update this object.

    Best way is to get all the configuration running via GET, put this one into a variable and change the needed information (like certificate). Afterwards POST this value into the XG.

    Thats how i would perform such a task. 

     

    Simply get all the WAF Rules, change the value, reload the content. 

     

    Do not use Edit, try Update. 

  • 0 in reply to LuCar Toni

    Thank you. 

    Getting the policy first was what I need to have to see the heirarchy. Still a little confusing though. But I got it figured out.

    Here is the working XML. 

    Still think SOPHOS should spend a little time making the API Document a little more reader friendly.

    1. curl -k my.sophis.xg:4444/.../APIController -F "reqxml=<./set_template_key.xml"
    2. curl -k my.sophis.xg:4444/.../APIController -F "reqxml=</path/update_cert.xml" -F "file=@/path/cert.pem;filename=cert.pem" -F "file=@/path/privkey.key;filename=priv.key"
    3. curl -k my.sophis.xg:4444/.../APIController -F "reqxml=<./set_development_key.xml"

    <Request APIVersion="1702.1">
    <Login>
    <Username>user</Username>
    <Password>pass</Password>
    </Login>
    <Set operation="update">
    <SecurityPolicy transactionid="">
    <Name>Dev Rule Name</Name>
    <IPFamily>IPv4</IPFamily>
    <Status>Enable</Status>
    <Position>After</Position>
    <PolicyType>HTTPBased</PolicyType>
    <After>
    <Name>Rule to place after</Name>
    </After>
    <HTTPBasedPolicy>
    <HostedAddress>#Port2</HostedAddress>
    <HTTPS>Enable</HTTPS>
    <ListenPort>443</ListenPort>
    <AccessPaths>
    <AccessPath>
    <Path></Path>
    <allowed_networks>Any IPv4</allowed_networks>
    <auth_profile/>
    <backend>Dev webserver</backend>
    </AccessPath>
    </AccessPaths>
    <Exceptions></Exceptions>
    <ProtocolSecurity>Dev Security</ProtocolSecurity>
    <CompressionSupport>Disable</CompressionSupport>
    <RewriteHTML>0</RewriteHTML>
    <PassHostHeader>Enable</PassHostHeader>
    <Domains>
    <Domain>devX.com</Domain>
    ...
    </Domains>
    <RewriteCookies>Enable</RewriteCookies>
    <Certificate>Dev Cert</Certificate>
    <RedirectHTTP>Enable</RedirectHTTP>
    </HTTPBasedPolicy>
    <IntrusionPrevention>dmzpolicy</IntrusionPrevention>
    <TrafficShapingPolicy>None</TrafficShapingPolicy>
    </SecurityPolicy>
    </Set>
    </Request>

  • 0 in reply to Sire Williamson

    I agree with Sire. Sophos should create proper docs on API.

    I strangle sometimes to perform certain tasks through API because a better documentation could help.

    Thanks for sharing your work, Sire.

  • 0 in reply to lferrara

    NP Iferrara. 
    Nothing worse then scowering the dark corners of the internet for answers, and finding that 1 guy that had the same question, but never bothered to follow up on if he found the solution or not. :)

  • 0 in reply to Sire Williamson

    Just to give you a Developer's perspective on this:

    The API is used by less than 1% of our customers, possibly less than 0.1%.  When doing development when we add something to the UI we also add it to the API and that can take 50% of the dev/test time for how to configure the feature.  It is extraordinarily expensive compared to how often it is used.  We continue to support it, but I don't think you will see fundamental changes to it especially if that is going to make the development time even higher.

  • 0 in reply to Michael Dunn

    No offense, but have you looked into WHY people don't use it? 
    It is a pretty powerful feature, but if a company has to assign 100 man hours to learning the syntax because the documentation is so confusing, they are obviously going to look at other ways of accomplishing what they need to. Automating certificate renewals is a pretty common need, even if you have as little as 20 certificates to manage.
    Cisco has a very verbose scripting language, but they also have good documentation available. I couldn't even give a number to the amount of network admins that use scripting to manage their workload. APIs make that very convenient. 

    So while I understand the need to justify the man hours to develop the documentation, you should include a CBA on how many more customers would use the API if it was easier to pick up and work with, and how many potential higher level customers would consider the XG if their Admins saw it as a robust alternative to Cisco.

  • 0 in reply to Sire Williamson

    It is hard to teach people API, if they are not familiar with Scripting in general.

    As for now, it is XML based and it is kinda straight forward. I can actually code this without Docs. 

    Because basically i "click" my object in Webadmin.

    Export the configuration made in Webadmin via "Import /export" in Administration and getting the EXACT thing, i need to push to the XG. 

     

    So you want to configure 500 Firewall rules? 

    Create one Rule, export it via function, looking into the  syntax of this XML File. 

    Edit the XML File, add the 499 Rules into the XML File via Script and pushing this File to the API.

    Done. 

     

    Depending how good you are with Python, Powershell, bash etc. 

     

    I am not saying, it is good, but for people with Scripting knowledge, you can actually quite easily figure out what to do. 

     

     

    But as michael said, most people are not doing it at all. They are not using scripting, who knows why. 

Reply
  • 0 in reply to Sire Williamson

    It is hard to teach people API, if they are not familiar with Scripting in general.

    As for now, it is XML based and it is kinda straight forward. I can actually code this without Docs. 

    Because basically i "click" my object in Webadmin.

    Export the configuration made in Webadmin via "Import /export" in Administration and getting the EXACT thing, i need to push to the XG. 

     

    So you want to configure 500 Firewall rules? 

    Create one Rule, export it via function, looking into the  syntax of this XML File. 

    Edit the XML File, add the 499 Rules into the XML File via Script and pushing this File to the API.

    Done. 

     

    Depending how good you are with Python, Powershell, bash etc. 

     

    I am not saying, it is good, but for people with Scripting knowledge, you can actually quite easily figure out what to do. 

     

     

    But as michael said, most people are not doing it at all. They are not using scripting, who knows why. 

Children
No Data