By: Michael Haines (Senior Cloud Security Architect)
Originally posted on the VMware vCloud Blog on 11/15/2011
In my last blog, I introduced a hypothetical situation in which a Network and Security System Administrator at the company "Example Systems" gets started with the vShield API. The company intends to use the vShield REST API to rapidly provision security and turn CodeNebulous' Tier-1 Application into a business offering for multiple organizations. The Network and Security System Administrator has already learned some basic principles of REST and the vShield API and is now ready to use automation tools with vShield App, scaling it out through the REST APIs.
The Network and Security System Administrator Begins to Work with the vShield App REST Firewall API
The Network and Security System Administrator is now ready to start configuring vShield App firewall rules. The first decision is the scope at which a rule set applies. vShield App accepts any of the following as a firewall context:
- Datacenter
- Cluster
- Portgroup or Network
With vShield App there are two default rules (one Layer 3 and one Layer 2), configured at the datacenter level. There are none at the cluster level and none at the portgroup level.
Before the Network and Security System Administrator can start using the vShield App REST firewall API they must:
1. Get the vShield App status for the datacenter. This reports whether vShield App is installed and its rules have been published.
2. Provide the correct vShield authorization.
- All vShield REST requests require HTTP Basic authorization, which the product documentation illustrates with the following header value: Basic YWRtaW46ZGVmYXVsdA==
Here YWRtaW46ZGVmYXVsdA== is the Base64 encoding of the vShield Manager default login credentials, admin:default. Base64 is reversible encoding, not encryption, so the header is only as protected as the TLS session carrying it: change the default password before exposing the API, and keep the credentials out of scripts that are checked into version control.
How the Network and Security System Administrator Determines the Datacenter Context Identifier
Before the Network and Security System Administrator can submit any request to the vShield App firewall, there is a key piece of information they must supply: the context identifier of the datacenter (or cluster or portgroup) the request applies to. How do they obtain it? The first task is to log in to Virtual Center's Managed Object Browser, as in this example (1).
Providing the Virtual Center Credentials
Once the Network and Security System Administrator has completed the above step they are asked for the Virtual Center username and password. But what are they? The username can be obtained from the vShield Manager as in the following example: the Network and Security System Administrator goes to Settings and Reports (1), and the administrator's user name is shown as denoted by (2).
The Network and Security System Administrator now Logs In
Once the Network and Security System Administrator has successfully logged in they will see the ManagedObjectReference:ServiceInstance.
Traversing the ManagedObjectReference:ServiceInstance
The Network and Security System Administrator has successfully logged in and is now presented with the following. They now select the 'content' URI as shown by (1).
Traversing the Data Object Type ServiceContent
After selecting the content property the Network and Security System Administrator is presented with the ServiceContent properties. Here they are looking for the rootFolder, as in the example above (1); on the rightmost side they should see something like group-d1 (Datacenters) (2). The Network and Security System Administrator selects group-d1 (Datacenters).
Getting the Datacenter ID
After the Network and Security System Administrator selects group-d1 (Datacenters) they see the ManagedObjectReference group-d1. The important piece of information is in its childEntity property, of type ManagedObjectReference:ManagedEntity[], shown in the example above (1): each datacenter is listed with its managed object identifier (for example, datacenter-2), and that identifier is the context ID the firewall API expects.
The vShield Manager View of the Datacenter
The Network and Security System Administrator can also see the reference to CORP within the vShield Manager, as shown here (1).
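The MOB walk above (ServiceInstance, then content, then rootFolder, then childEntity) is the same traversal an automation script performs to discover context identifiers. The following is an added example, not code from the original post: it walks an inventory tree and collects every identifier vShield App accepts as a firewall context (datacenter-N, domain-cN for clusters, network-N and dvportgroup-N for networks and portgroups). With pyVmomi you would pass si.RetrieveContent().rootFolder to firewall_contexts(); the stub classes and the sample inventory are constructed stand-ins that use the same attribute names (name, childEntity, hostFolder, networkFolder, _moId) so the example runs offline, and their identifiers are illustrative.

```python
# Added example (not from the original post): collect the context identifiers
# vShield App accepts for firewall rules by walking the vSphere inventory the
# same way the MOB walk above does (ServiceInstance -> content -> rootFolder ->
# childEntity). With pyVmomi you would pass si.RetrieveContent().rootFolder to
# firewall_contexts(); the stub classes below are a constructed stand-in with
# the same attribute names so the example runs offline.
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Tuple


@dataclass
class Folder:                       # vim.Folder: name, childEntity, _moId
    name: str
    _moId: str
    childEntity: List[object] = field(default_factory=list)


@dataclass
class ClusterComputeResource:       # context id form: domain-cN
    name: str
    _moId: str


@dataclass
class Network:                      # context id form: network-N
    name: str
    _moId: str


@dataclass
class DistributedVirtualPortgroup:  # context id form: dvportgroup-N
    name: str
    _moId: str


@dataclass
class Datacenter:                   # context id form: datacenter-N
    name: str
    _moId: str
    hostFolder: Folder
    networkFolder: Folder


def kind_of(entity) -> str:
    """pyVmomi class names look like 'vim.dvs.DistributedVirtualPortgroup'; keep the last part."""
    return type(entity).__name__.split(".")[-1]


def walk(entity, path: str = "") -> Iterator[Tuple[str, object]]:
    """Depth-first walk: folders via childEntity, datacenters via their host and network folders."""
    here = f"{path}/{entity.name}"
    yield here, entity
    for child in getattr(entity, "childEntity", []):
        yield from walk(child, here)
    if kind_of(entity) == "Datacenter":
        yield from walk(entity.hostFolder, here)
        yield from walk(entity.networkFolder, here)


SCOPE_OF_KIND = {
    "Datacenter": "datacenter",
    "ClusterComputeResource": "cluster",
    "Network": "network",
    "DistributedVirtualPortgroup": "network",
}


def firewall_contexts(root_folder) -> Dict[str, Dict[str, str]]:
    """Map each firewall scope to {inventory path: managed object id}."""
    out: Dict[str, Dict[str, str]] = {"datacenter": {}, "cluster": {}, "network": {}}
    for path, entity in walk(root_folder):
        scope = SCOPE_OF_KIND.get(kind_of(entity))
        if scope:
            out[scope][path] = entity._moId
    return out


def build_sample_inventory() -> Folder:
    """Constructed inventory: rootFolder group-d1 (Datacenters) holding CORP (datacenter-2)
    plus a nested folder with a second datacenter; all ids are illustrative."""
    corp = Datacenter(
        name="CORP", _moId="datacenter-2",
        hostFolder=Folder("host", "group-h4", [ClusterComputeResource("Cluster-A", "domain-c7")]),
        networkFolder=Folder("network", "group-n6", [
            Network("VM Network", "network-11"),
            DistributedVirtualPortgroup("dvPG-Tier1", "dvportgroup-12"),
        ]),
    )
    lab = Datacenter(name="LAB", _moId="datacenter-21",
                     hostFolder=Folder("host", "group-h22"),
                     networkFolder=Folder("network", "group-n23"))
    return Folder("Datacenters", "group-d1", [corp, Folder("Dev", "group-d20", [lab])])


if __name__ == "__main__":
    for scope, items in firewall_contexts(build_sample_inventory()).items():
        for path, moid in items.items():
            print(f"{scope:<10} {moid:<16} {path}")
```

The walk deliberately records the full inventory path next to each identifier: datacenter-2 means nothing on its own in a change ticket, and a rule pushed to the wrong context (a cluster instead of the datacenter, say) is silently accepted by the API.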
Getting the State of vShield App (Basic)
To get the state of vShield App run the following command vShield-App-State.bat
Note: The above command must be executed on one line, so if you are experiencing any problems check for carriage returns and line breaks.
Note that there is no separate REST call for a "firewall state". As soon as vShield App is installed on any ESX host, it configures allow rules at the datacenter level and publishes them to the appliance, so the default state is firewall on with everything allowed. The status call reports whether those rules were successfully published to the appliance.
Getting the State of vShield App (Advanced)
In this example, the Network and Security System Administrator wants to get the state of vShield App by issuing the underlying REST request directly rather than through the batch file. To do this they issue the request shown in the above example (1).
Note: The above command must be executed on one line, so if you are experiencing any problems check for carriage returns and line breaks.
Getting the Status of vShield App (Advanced)
In this example, the Network and Security System Administrator wants to get the status of vShield App by issuing the REST request directly. To do this they issue the request shown in the above example (1).
Note: The above command must be executed on one line, so if you are experiencing any problems check for carriage returns and line breaks.
Getting the Complete vShield App Firewall Configuration (Basic)
To get the complete vShield App firewall configuration run the following command vShield-App-Current-Configuration.bat
Note: The above command must be executed on one line, so if you are experiencing any problems check for carriage returns and line breaks.
Getting the Complete vShield App Firewall Configuration (Advanced)
In this example, the Network and Security System Administrator wants to get the complete vShield App firewall configuration for the context datacenter-2. To do this they issue the request shown in the above example (1).
Note: The above command must be executed on one line, so if you are experiencing any problems check for carriage returns and line breaks.
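Pulling the two pieces together (the Basic authorization header from the authorization section earlier and the firewall configuration request for a context such as datacenter-2), here is an added example, not code from the original post and not VMware's batch files. It assumes the firewall configuration path /api/2.0/app/firewall/<contextId>/config as given in the vShield 5.x API guide (verify it against the guide for your version; the status call's path is likewise taken from the guide rather than hard-coded here). SAMPLE_CONFIG is a constructed response, loosely modelled on the documented format, used only to exercise the parser offline; it is not output captured from a vShield Manager.

```python
# Added example (not from the original post and not VMware's batch files):
# a small helper for the Basic-authorized vShield App firewall calls.
# Assumptions: the firewall configuration path
# /api/2.0/app/firewall/<contextId>/config as in the vShield 5.x API guide
# (verify against the guide for your version), and SAMPLE_CONFIG, which is a
# constructed response loosely modelled on the documented format and is used
# only to exercise the parser offline.
import base64
import re
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# MOB-style identifiers vShield App accepts as a firewall context.
CONTEXT_ID = re.compile(r"^(datacenter-\d+|domain-c\d+|dvportgroup-\d+|network-\d+)$")


def is_valid_context_id(context_id: str) -> bool:
    return bool(CONTEXT_ID.match(context_id))


def basic_auth_header(username: str, password: str) -> str:
    """Authorization value the API expects: 'Basic ' + base64(user:password)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic_auth(header: str) -> Tuple[str, str]:
    """Base64 is reversible: anyone who captures the header has the password."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def firewall_config_url(vsm_host: str, context_id: str) -> str:
    if not is_valid_context_id(context_id):
        raise ValueError(f"not a vShield firewall context id: {context_id!r}")
    return f"https://{vsm_host}/api/2.0/app/firewall/{context_id}/config"


def get(url: str, auth_header: str, cafile: str, timeout: int = 30) -> str:
    """GET with the Manager's certificate pinned via cafile; never disable verification."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, headers={"Authorization": auth_header})
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read().decode()


def summarize_rules(xml_text: str) -> List[Dict[str, str]]:
    """Flatten layer3/layer2 rules into dicts. Parse untrusted XML with defusedxml in production."""
    root = ET.fromstring(xml_text)
    rules = []
    for elem in root.iter():
        if elem.tag not in ("layer3FirewallRule", "layer2FirewallRule"):
            continue
        rules.append({
            "layer": "L3" if elem.tag.startswith("layer3") else "L2",
            "id": elem.get("id", ""),
            "disabled": elem.get("disabled", "false"),
            "action": elem.findtext("action", ""),
            "source": elem.findtext("source/address/containerId", ""),
            "destination": elem.findtext("destination/address/containerId", ""),
            "protocol": elem.findtext("protocol/protocolName", ""),
        })
    return rules


def is_allow_all(rule: Dict[str, str], context_id: str) -> bool:
    """True for an enabled rule that allows any protocol between the whole context and itself."""
    return (rule["disabled"] == "false" and rule["action"] == "allow"
            and rule["protocol"] == "ANY"
            and rule["source"] == context_id and rule["destination"] == context_id)


SAMPLE_CONFIG = """<VshieldAppConfiguration>
 <firewallConfiguration contextId="datacenter-2" provider="vshield-app">
  <layer3FirewallRule id="1001" disabled="false" precedence="default">
   <action>allow</action><logged>false</logged>
   <source><address><containerId>datacenter-2</containerId></address><portInfo>ANY</portInfo></source>
   <destination><address><containerId>datacenter-2</containerId></address><portInfo>ANY</portInfo></destination>
   <protocol><protocolName>ANY</protocolName></protocol>
  </layer3FirewallRule>
  <layer2FirewallRule id="1002" disabled="false" precedence="default">
   <action>allow</action><logged>false</logged>
   <source><address><containerId>datacenter-2</containerId></address></source>
   <destination><address><containerId>datacenter-2</containerId></address></destination>
   <protocol><protocolName>ANY</protocolName></protocol>
  </layer2FirewallRule>
 </firewallConfiguration>
</VshieldAppConfiguration>"""


if __name__ == "__main__":
    # Live use: get(firewall_config_url("vsm.example.com", "datacenter-2"),
    #               basic_auth_header("admin", "<changed-password>"), cafile="vsm.pem")
    for rule in summarize_rules(SAMPLE_CONFIG):
        flag = "ALLOW-ALL" if is_allow_all(rule, "datacenter-2") else ""
        print(rule["layer"], rule["id"], rule["action"], rule["protocol"], flag)
```

The is_allow_all check is the one worth running first after an install: it flags exactly the "firewall on with everything allowed" default rules described above, so a configuration pull that reports two ALLOW-ALL rules and nothing else tells you no tenant policy has been published yet. The get() helper loads the Manager's certificate from a file rather than turning verification off, because a Basic header sent to an unverified endpoint hands the admin password to whoever answers.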
Special thanks to Kaushal Bansal, Sr MTS at VMware for all his help and support. In my next blog, I will introduce the Network and Security System Administrator to the RESTClient Firefox Extension. Make sure you catch the next installment in this series by following @vCloud and @VMwareSP on Twitter.