CyberArk Impact 2017 - REST for the Rest of Us


Transcript of CyberArk Impact 2017 - REST for the Rest of Us

Page 1: CyberArk Impact 2017 - REST for the Rest of Us

REST for the Rest of Us

Joe Garcia, CISSP – Corporate Solutions Engineer

Kevin Ross – Corporate Solutions Engineer

Page 2:

Why should I care about the REST API?

► Think about all the repetitive tasks you do every day…

■ Creating safes

■ Onboarding accounts

■ Adding members to safes

■ Activating Users that never seem to remember their password

► What if there was a 1-click way for you to do all that?

► The REST API allows you to make that “1-click dream” come true.

► We’ve simplified it to make it more welcoming to non-developers.

► With Postman, you can do it with little-to-no previous dev knowledge.

► Let me show you how…

Page 3:

What is a RESTful Web Service?

A RESTful Web Service helps developers easily automate CRUD of objects.

CRUD stands for:

Create (POST), Retrieve (GET), Update (PUT), Delete (DELETE)

A majority of what a developer does is deal with objects in that manner. Roy Fielding, a principal author of the HTTP/1.1 specification and the originator of REST (defined in his 2000 dissertation), derived REST from the way HTTP already works, so the common CRUD operations map directly onto HTTP methods.

This is awesome for us because it allows us to eventually automate ourselves out of work! I call this an…

Page 4:

Automation Vacation!

Joe’s last Automation Vacation – pre-CyberArk

Page 5:

REST API Methods

POST

■ Create a new object: Add Account, Add Safe, Add Safe Member, Add User

GET

■ Retrieve an existing object: Get Account Details, List Safes, Get Safe Details

PUT

■ Update an existing object: Update Account Details, Update Safe, Update User

DELETE

■ Delete an existing object: Delete Account, Delete Safe, Delete User

Page 6:


Postman Live Documentation & Collection

Postman is an online tool that gives us the ability to provide you with a pre-built testing environment for your CyberArk Web Services.

Benefits include:

■ Live Documentation for commonly used languages

■ Available public collection for testing against live CyberArk Web Services

■ Code snippets for every available language (except PowerShell, inquire within)

■ CyberArk Web Services SDK Documentation built into public collection

Page 7:

Available Online & Standalone for Windows

Page 8:

Let’s improve on something that exists already.

It should be an easily repeatable task.

Something we use a lot and would benefit most from our improvements.

What could we build in 30 minutes?

Well, 20 minutes now…

Page 9:

Page 10:

Phase 1: Break down the O.G. PUU

► CSV template was complex!

■ I have to give “PasswordManager” as the CPMUser every time?

■ If the Folder is always “Root”, why do I have to keep telling it that?

■ At the end of the day, we took more time trying to figure that out than automating.

► PUU did not like commas or quotes!

■ Actually, PUU couldn’t handle any special characters. (https:// = NOPE!)

► You messed up a property? You get half an account!

■ PUU uploaded accounts were not transactional (they wouldn’t back out at failure).

■ You’d get half of an account’s properties up until where the upload failed.

► No good at being wrong!

■ PUU would not know how to deal with conflicts. Let’s help it grow up a little and mature. I’d hate to be that conflicted…

► PACLI as the foundation of PUU didn’t allow for customer customization

■ The REST API opens up the possibilities since it is not limited to particular languages.

Page 11:

Phase 2: Plan our PUU on Steroids

► Make the CSV template straightforward and easy

■ CSV should have the following most commonly used columns: ObjectName, Safe, Address, Username, Password, PlatformID, DisableAutoMgmt, DisableAutoMgmtReason

► PUU 2 should upload all account properties, or none at all

■ The REST Add Account call sends every property in one request, so the vault either creates the whole account or rejects it; with proper Try…Catch error handling the failure is caught and reported instead of leaving a half-built account behind.

► Fix whitespace issues to allow proper PlatformID name spacing

■ Now you don’t have to worry about improper spacing of “Windows Domain Account”

► More speed!

■ If you can use this to improve your Hygiene Report, let’s make it fast!

► Make the new PUU handle special characters properly

■ Since some of these values end up in a URI, we URL-encode them so that special characters are properly escaped (e.g. Windows Domain Account becomes Windows%20Domain%20Account).

Page 12:

Phase 3: Build our PUU 2

► Prepare Pre-Requisites

■ passwords.csv should be created and ready in the same directory.

► Prepare Main PowerShell Script (.ps1)

■ I used Microsoft’s free Visual Studio Code (https://code.visualstudio.com)

■ Also, I referenced http://git.joeco.de for the PowerShell functions that we’ll be using

Page 13:

Plan the Pieces of our PUU Puzzle

► Functions will be created for each REST API call needed

■ Logon

■ Add Account

■ Logoff

► User Input will be entered first

■ Base URL (e.g. https://pvwa.cyberark.local)

■ API Username

■ API Password

■ Path to CSV File

► Import-Csv the file and hold each row in an array variable

► Step through each row, adding the account that is listed on each.

Page 14:

Functions First!

Page 15:

Receive User Input

Page 16:

PASREST-Logon & Import-CSV

Page 17:

Read Each Row & Add Account

Page 18:

PASREST-Logoff & Report Results

Page 19:

What it looks like put together
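The pieces planned on Pages 11 through 19 (Logon / Add Account / Logoff functions, user input, Import-Csv, a per-row loop with Try…Catch, URL-encoding of URI values, and a results report) assembled into one script. This is an added example, not the code from the PasswordUploadUtility-v2 repository. It assumes the 2017-era (v9.x) PAS Web Services endpoints under /PasswordVault/WebServices/ (Logon, Account, Accounts, Logoff) and the CSV column names from Page 11; the `PASREST-AccountExists` pre-check and its `Keywords`/`Safe` query are my assumption about the Accounts endpoint, so verify every path against the SDK documentation for your PVWA version before running it.

```powershell
<#
  PUU 2-style bulk account onboarding through the CyberArk PAS REST API.
  ADDED EXAMPLE: not the PasswordUploadUtility-v2 repository's code.
  ASSUMPTIONS: v9.x-era endpoints under /PasswordVault/WebServices/ and a
  passwords.csv (same directory) with the Page 11 columns. Check the endpoints
  against your PVWA's Web Services SDK documentation.
  Usage: .\PUU2.ps1 -BaseURL https://pvwa.cyberark.local -Credential (Get-Credential)
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$BaseURL,            # e.g. https://pvwa.cyberark.local
    [Parameter(Mandatory)][pscredential]$Credential,   # API user via Get-Credential; never a plaintext argument
    [string]$CsvPath = '.\passwords.csv'               # run from the script's directory, as the slide assumes
)
$ErrorActionPreference = 'Stop'
if ($BaseURL -notmatch '^https://') { throw 'BaseURL must use https:// (do not disable certificate checks to work around TLS errors)' }
$BaseURL = $BaseURL.TrimEnd('/')

# Values placed in a URI must be URI-encoded. EscapeDataString turns a space into %20
# (the slide's "Windows%20Domain%20Account"); HttpUtility::UrlEncode would give '+' instead.
function ConvertTo-UriSafe([string]$Value) { return [uri]::EscapeDataString($Value.Trim()) }

function PASREST-Logon {
    $body = @{ username = $Credential.UserName
               password = $Credential.GetNetworkCredential().Password } | ConvertTo-Json
    $r = Invoke-RestMethod -Method Post -ContentType 'application/json' -Body $body `
        -Uri "$BaseURL/PasswordVault/WebServices/auth/Cyberark/CyberArkAuthenticationService.svc/Logon"
    return $r.CyberArkLogonResult   # session token; goes back in the Authorization header, never into logs
}

function PASREST-AccountExists($Token, $Row) {
    # ASSUMED endpoint: GET .../Accounts?Keywords=...&Safe=... returning a Count.
    # The query values live in the URI, so this is where Page 11's URL-encoding matters.
    $uri = "$BaseURL/PasswordVault/WebServices/PIMServices.svc/Accounts" +
           "?Keywords=$(ConvertTo-UriSafe $Row.Username)&Safe=$(ConvertTo-UriSafe $Row.Safe)"
    $r = Invoke-RestMethod -Method Get -Headers @{ Authorization = $Token } -Uri $uri
    return ([int]$r.Count -gt 0)
}

function PASREST-AddAccount($Token, $Row) {
    # Every property travels in one JSON body, so the vault creates the whole account or
    # rejects the request: no half-uploaded accounts. JSON bodies are NOT URL-encoded.
    $account = @{
        safe        = $Row.Safe.Trim()
        platformID  = $Row.PlatformID.Trim()      # whitespace fix from Page 11
        address     = $Row.Address.Trim()
        accountName = $Row.ObjectName.Trim()
        username    = $Row.Username.Trim()
        password    = $Row.Password               # never trimmed; a secret may contain spaces
    }
    if ($Row.DisableAutoMgmt -in 'true', 'yes', '1') {
        $account.disableAutoMgmt       = $true
        $account.disableAutoMgmtReason = $Row.DisableAutoMgmtReason
    }
    $body = @{ account = $account } | ConvertTo-Json -Depth 3
    Invoke-RestMethod -Method Post -ContentType 'application/json' -Body $body `
        -Headers @{ Authorization = $Token } `
        -Uri "$BaseURL/PasswordVault/WebServices/PIMServices.svc/Account" | Out-Null
}

function PASREST-Logoff($Token) {
    Invoke-RestMethod -Method Post -ContentType 'application/json' -Headers @{ Authorization = $Token } `
        -Uri "$BaseURL/PasswordVault/WebServices/auth/Cyberark/CyberArkAuthenticationService.svc/Logoff" | Out-Null
}

# Main: validate the CSV before touching the vault, logon once, process rows, always logoff.
$required = 'ObjectName', 'Safe', 'Address', 'Username', 'Password', 'PlatformID'
$rows = @(Import-Csv -Path $CsvPath)
if ($rows.Count -eq 0) { throw "No rows found in $CsvPath" }
$columns = ($rows[0] | Get-Member -MemberType NoteProperty).Name
$missing = $required | Where-Object { $_ -notin $columns }
if ($missing) { throw "CSV is missing column(s): $($missing -join ', ')" }

$token = PASREST-Logon
try {
    $results = foreach ($row in $rows) {
        $status = 'Added'; $detail = ''
        try {
            if (PASREST-AccountExists -Token $token -Row $row) { $status = 'Skipped'; $detail = 'matching account already in safe' }
            else { PASREST-AddAccount -Token $token -Row $row }
        }
        catch { $status = 'Failed'; $detail = $_.Exception.Message }   # record the failure and move on to the next row
        [pscustomobject]@{ ObjectName = $row.ObjectName; Safe = $row.Safe; Status = $status; Detail = $detail }
    }
}
finally { PASREST-Logoff -Token $token }   # release the session even if the loop is interrupted

$results | Format-Table -AutoSize
"$(@($results | Where-Object Status -eq 'Added').Count) of $($rows.Count) account(s) added."
```

Two caveats a practitioner will want. First, the existence pre-check uses a keyword search, which is coarse: it can match another account in the same safe that merely contains the username, so treat a "Skipped" row as something to look at rather than as proof the account is already onboarded. Second, the CSV holds plaintext passwords and the logon token is a bearer secret for the whole session: keep the CSV off shared drives, delete it once the report shows the rows you expect, and never write the token or the request bodies to a transcript or log.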

Page 20:

Phase 4: ?????? (The Testing Phase)

WE’LL DO IT LIVE!

Page 21:

Phase 5: PROFIT!!! (Not really…)

Visit http://git.joeco.de/PasswordUploadUtility-v2 to fork the PUU 2 repo and start down your own path to Automation Superstardom!

Page 22:

Key Takeaways and Where to Learn More

► REST API Common Uses

■ Quickly onboard accounts after Hygiene Report

■ 1-Click Activate Users without needing PrivateArk Client

■ Quickly mirror your new DEV safe structure from PROD

► Attend these sessions

■ Coming Up Next: Conjuring DevSecOps in an Insecure World

■ Tomorrow @ 10:30am: A Practical Guide to CyberArk and Amazon Web Services

► Visit the Discovery Center

■ Customer Success Booth

■ DevSecOps Demo Station

► http://git.joeco.de/PasswordUploadUtility-v2

Page 23: