System Settings

The System Settings module can be used to update system properties such as SSL databases, date/time

class pyivia.core.systemsettings.SystemSettings

Object is used to manage system wide settings for Verify Identity Access

Variables:

• advanced_tuning – Create and manage Advanced Tuning Parameters.

• admin_settings – Manage settings for the LMI.

• configuration – Manage the staged pending changes for a deployment.

• date_time – Update the system date and time settings.

• dns – Update the DNS settings used by Verify Identity Access.

• file_downloads – Fetch files hosted by Verify Identity Access.

• first_steps – Complete the first steps of Verify Identity Access configuration and accept the EULA.

• hosts_file – Modify the host file used by Verify Identity Access (Appliance only).

• interfaces – Manage the networking interfaces used by Verify Identity Access (Appliance only).

• static_routes – Manage the networking gateway settings used by Verify Identity Access.

• fixpacks – Upload and apply Fixpacks generated by support.

• general – Set the General Networking properties like the system hostname.

• extensions – Upload and install Extensions form the IBM App-Xchange.

• licensing – Apply license codes to activate Verify Identity Access modules.

• restartshutdown – Manage the state of Verify Identity Access appliance.

• ssl_certificates – Create and manage the SSL databases used by Verify Identity Access components.

• cli_commands – Use the API interface to run CLI commands.

• snapshot – Manage the snapshot generation.

• cluster – Manage the cluster configuration (including database configuration).

• fips – Manage the fips settings for Verify Identity Access appliances.

• mgmt_authentication – Manage the authentication to the management interface.

• mgmt_authorization – Manage authorization to the management interface.

• container_mgmt – Manage containers deployed to a Verify Identity Access appliance.

Administrator Settings

class pyivia.core.system.adminsettings.AdminSettings(base_url, username, password)

get()

Get the current administrator configuration.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the obligations are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

update(old_password=None, new_password=None, confirm_password=None, min_heap_size=None, max_heap_size=None, session_timeout=None, session_inactive_timeout=None, session_cache_purge=None, ba_session_timeout=None, http_port=None, https_port=None, sshd_port=None, sshd_client_alive=None, swap_size=None, min_threads=None, max_threads=None, max_pool_size=None, lmi_debugging_enabled=None, console_log_level=None, accept_client_certs=None, validate_client_cert_identity=None, exclude_csrf_checking=None, enabled_server_protocols=None, enabled_tls=[], log_max_files=None, log_max_size=None, http_proxy=None, https_proxy=None, login_header=None, login_msg=None, access_log_fmt=None, lmi_msg_timeout=None, valid_verify_domains=None)

Update the administrator settings.

Parameters:

• old_password (str, optional) – The old administrator password. Required if changing the password.

• new_password (str, optional) – The new administrator password. Required if changing the password.

• confirm_password (str) – Confirmation of the new administrator password. Required if changing the password.

• min_heap_size (int) – The minimum heap size, in megabytes, for the JVM.

• max_heap_size (int) – The minimum heap size, in megabytes, for the JVM.

• session_timeout (int) – The length of time, in minutes, that a session can remain idle before it is deleted (valid values: 0 - 720).

• session_inactive_timeout (int) – The length of time, in minutes, that a session can remain idle before it is deleted (valid values: -1 to 720).

• http_port (int) – The TCP port on which the LMI will listen.

• https_port (int) – The SSL port on which the LMI will listen. A default value of 443 is used.

• sshd_port (int, optional) – The port on which the SSH daemon will listen. A default value of 22 is used.

• sshd_client_alive (int) – The number of seconds that the server will wait before sending a null packet to the client.

• swap_size (int) – The amount of allocated swap space, in Megabytes.

• min_threads (int) – The minimum number of threads which will handle LMI requests. A default value of 6 is used.

• max_threads (int) – The maximum number of threads which will handle LMI requests. A default value of 6 is used.

• max_pool_size (int) – The maximum number of connections for the connection pool. The default value is 100.

• lmi_debugging_enabled (bool) – A boolean value which is used to control whether LMI debugging is enabled or not. By default debugging is disabled.

• console_log_level (bool) – The console messaging level of the LMI (valid values: INFO, AUDIT, WARNING, ERROR and OFF). A default value of OFF is used.

• accept_client_certs (bool) – A boolean value which is used to control whether SSL client certificates are accepted by the local management interface.

• validate_client_cert_identity (bool) – A boolean value which is used to control whether the subject DN contained within an SSL client certificate is validated against the user registry. By default validation is disabled.

• exclude_csrf_checking (str, optional) – A comma-separated string which lists the users for which CSRF checking should be disabled.

• enabled_server_protocols (str) – Specifies which secure protocols will be accepted when connecting to the LMI.

• enabled_tls (str) – List of Enabled TLS protocols for the local management interface in the format enabledTLS:[“TLSv1”, “TLSv1.1”, TLSv1.2”].

• log_max_files (int) – The maximum number of log files that are retained. The default value is 2.

• log_max_size (int) – The maximum size (in MB) that a log file can grow to before it is rolled over. The default value is 20.

• http_proxy (int) – The proxy (<host>:<port>) to be used for HTTP communication from the LMI.

• https_proxy (int) – The proxy (<host>:<port>) to be used for HTTPS communication from the LMI.

• login_header (str) – This is a customizable header that is displayed when accessing the login page in a web browser and after logging in via SSH.

• login_msg (str) – This is a customizable message that is displayed when accessing the login page in a web browser and after logging in via SSH.

• access_log_fmt (str) – The template string to use for the LMI access.log file.

• lmi_msg_timeout (int) – This is a timeout (in seconds) for notification messages that appear in the LMI.

• valid_verify_domains (str) – This is a space separated list of valid domains for IBM Security Verify.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

Advanced Tuning Parameters

class pyivia.core.system.advancedtuning.AdvancedTuning(base_url, username, password)

create_parameter(key=None, value=None, comment=None)

Create a new Advanced Tuning Parameter

Parameters:

• key (str) – The name of the advanced tuning parameter.

• value (str) – The value of the advanced tuning parameter.

• comment (str, optional) – A description for the advanced tuning parameter.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the id of the created mechanism can be acess from the

response.id_from_location attribute

Return type:

Response

delete_parameter(atp_id=None)

Delete an Advanced Tuning Parameter.

Parameters:

atp_ip (str) – Unique id of the advanced tuning parameter.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

list_parameters()

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the obligations are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

update_parameter(atp_id=None, key=None, value=None, comment=None)

Update an existing advanced tuning parameter

Parameters:

• atp_id (str) – Unique id of the advanced tuning parameter.

• key (str) – The name of the advanced tuning parameter.

• value (str) – The value of the advanced tuning parameter.

• comment (str, optional) – A description for the advanced tuning parameter.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

CLI Commands

class pyivia.core.system.clicommands.CLICommands(base_url, username, password)

run(command=None, input_array=None)

Run a pdadmin command.

Parameters:

• command (str) – The CLI command to run. The different levels of the command are separated by “/”.

• input_array (list of str) – An array of the user interaction responses required to run the cified response. This parameter is required if the specified CLI command requires user interaction.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the obligations are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

Cluster

class pyivia.core.system.cluster.Cluster(base_url, username, password)

get_cluster()

Get the current cluster configuration.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the cluster configuration is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

set_config_db(embedded=None, db_type=None, port=None, host=None, secure=True, user=None, passwd=None, db_name=None, db_key_store=None, extra_config={})

Set the Configuration Database connection.

Parameters:

• embedded (bool) – A flag true/false indicating whether or not the Configuration database is embedded (true) or external (false).

• db_type (str) – The type of database that is being used. Valid values are db2, postgresql and oracle.

• port (int) – The port on which the external database server is listening.

• host (str) – The IP or hostname of the external database server.

• secure (bool, optional) – A flag true/false indicating whether or not the external database is secure.

• user (str) – The administrator name for the external database.

• passwd (str) – The administrator password for the external database.

• db_name (str) – The name of the external database.

• db_key_store (str) – The SSL Key Store which contains the trusted certificate of the Oracle DB requiring secure connectivity.

• extra_config (dict, optional) – External databases require different sets of parameters depending on the type of database. Any additional parameters can be added to a dictionary. Examples of extra_config include:

DB2
    {"cfgdb_db_alt": true,
     "cfgdb_db2_alt_address": "db2-bak.isam.ibm.com",
     "cfgdb_db2_alt_port": "50009"
    }

Oracle
    {"cfgdb_driver_type": "thin"}


Postgresql
    {"cfgdb_failover_servers": [
         {"address":"secondary.pg.ibm.com",
          "port":5432
          "order":1
         },
         {"address":"tertiary.pg.ibm.com",
          "port":5432
          "order":2
         }
        ]
    }

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

set_runtime_db(embedded=None, db_type=None, port=None, host=None, secure=True, user=None, passwd=None, db_name=None, db_key_store=None, extra_config={})

Set the High Volume Database connection

Parameters:

• embedded (bool) – A flag true/false indicating whether or not the Runtime database (HVDB) is embedded (true) or external (false).

• db_type (str) – The type of database that is being used. Valid values are db2, postgresql and oracle.

• port (int) – The port on which the external database server is listening.

• host (str) – The IP or hostname of the external database server.

• secure (bool) – A flag true/false indicating whether or not the external database is secure.

• user (str) – The administrator name for the external database.

• passwd (str) – The administrator password for the external database.

• db_name (str) – The name of the external database.

• db_key_store (str) – The SSL Key Store which contains the trusted certificate for the embedded Runtime database.

• extra_config (dict, optional) – External databases require different sets of parameters depending on the type of database. Any additional parameters can be added to a dictionary. Examples of extra_config include:

DB2
    {"cfgdb_db_alt": true,
     "cfgdb_db2_alt_address": "db2-bak.isam.ibm.com",
     "cfgdb_db2_alt_port": "50009"
    }

Oracle
    {"cfgdb_driver_type": "thin"}


Postgresql
    {"cfgdb_failover_servers": [
         {"address":"secondary.pg.ibm.com",
          "port":5432
          "order":1
         },
         {"address":"tertiary.pg.ibm.com",
          "port":5432
          "order":2
         }
        ]
    }

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

update_cluster(primary_master=None, dsc_external_clients=False, dsc_port=None, dsc_use_ssl=None, dsc_ssl_label=None, dsc_worker_threads=None, dsc_maximum_session_lifetime=None, dsc_client_grace_period=None, dsc_connection_idle_timeout=None, hvdb_embedded=None, hvdb_max_size=None, hvdb_db_type=None, hvdb_address=None, hvdb_port=None, hvdb_user=None, hvdb_password=None, hvdb_db_name=None, hvdb_db_secure=None, cfgdb_embedded=None, cfgdb_db_type=None, cfgdb_address=None, cfgdb_port=None, cfgdb_user=None, cfgdb_password=None, cfgdb_db_name=None, cfgdb_db_secure=None, first_port=None, cfgdb_fs=None, extra_config={})

Update the cluster configuration.

Parameters:

• primary_master (str) – The address (management interface) of the node that is acting as the primary master.

• dsc_external_clients (bool) – A flag true/false indicating whether clients that are external to the cluster will need to use the DSC.

• dsc_port (int, optional) – The port over which DSC communication will take place.

• dsc_use_ssl (bool, optional) – A flag true/false indicating whether or not SSL should be used when communicating with the DSC.

• dsc_ssl_label (str) – The name of the SSL certificate that will be presented to clients.

• dsc_worker_threads (int) – The number of worker threads that will be used.

• dsc_maximum_session_lifetime (int) – The maximum lifetime of sessions within the DSC.

• dsc_client_grace_period (int) – When a client is shut down we give the client a grace period (in seconds) to restart and register an interest in a session again before we remove the session from the session cache.

• dsc_connection_idle_timeout (int) – The maximum length of time that a connection from a client can remain idle before it is closed by the server.

• hvdb_embedded (bool) – A flag true/false indicating whether or not the Runtime database (HVDB) is embedded (true) or external (false).

• hvdb_max_size (int) – The percentage of currently available disk space which can be used for the embedded Runtime database. This option is only valid if hvdb_embedded is set to true.

• hvdb_db_type (str) – The type of database that is being used. Valid values are db2, postgresql and oracle.

• hvdb_address (str) – The IP or hostname of the external database server.

• hvdb_port (int) – The port on which the external database server is listening.

• hvdb_user (str) – The administrator name for the external database.

• hvdb_password (str) – The administrator password for the external database.

• hvdb_db_name (str) – The name of the external database.

• hvdb_db_secure (bool) – A flag true/false indicating whether or not the external database is secure.

• cfgdb_embedded (bool) – A flag true/false indicating whether or not the Configuration database is embedded (true) or external (false).

• cfgdb_db_type (str) – The type of database that is being used.

• cfgdb_address (str) – The IP or hostname of the external database server.

• cfgdb_port (int) – The port on which the external database server is listening.

• cfgdb_user (str) – The administrator name for the external database.

• cfgdb_password (str) – The administrator password for the external database.

• cfgdb_db_name (str) – The name of the external database.

• cfgdb_db_secure (bool) – A flag true/false indicating whether or not the external database is secure.

• first_port (int) – A port number that is the first in a range of 30 ports that will be reserved for use by the cluster web services.

• cfgdb_fs (str) – A flag true/false indicating whether to use the external Configuration database as an alternate method to share internal files among the cluster.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

Configuration (deploy pending changes)

class pyivia.core.system.configuration.Configuration(base_url, username, password)

deploy_pending_changes()

Deploy the current set of pending changes. This may result in additional actions such as LMI restart or appliance restart.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the obligations are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

get_pending_changes()

Get a list of the pending changes for the configured username.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the pending changes are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

revert_pending_changes()

Revert the current set of pending changes.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

Container Management

class pyivia.core.system.containermanagement.ContainerManagement(base_url, username, password)

Object used to manage containers, images and volumes on a Verify Identity Access appliance.

Variables:

• volumes – Create and manage Volumes.

• images – Create and manage Images.

• registry – Create and manage Registry authentication configuration.

• deployments – Create and manage Deployments.

• metadata – Create and manage deployment Metadata.

• healthcheck – Check the health of deployed pods (containers).

Volumes

class pyivia.core.system.containers.volumes.Volumes(base_url, username, password)

create(name=None)

Create a volume which can be mounted to a container deployment.

Parameters:

name (str) – Name of the volume to be created.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the created volume is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

delete(volume_id=None)

Delete a container volume. A volume can only be removed if it is not in use by a container deployment.

Parameters:

volume_id (str) – Unique id of the volume to be removed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful volume properties are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

export_volume(volume_id=None, exported_volume=None)

Export the files of a container volume mount.

Parameters:

• volume_id (str) – Unique id of the volume to export.

• exported_volume (str) – Local file to write exported volume to.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

import_volume(volume_id=None, volume=None)

Export the files of a container volume mount.

Parameters:

• volume_id (str) – Unique id of the volume the zip file should be imported to.

• volume (str) – Local archive (zip) to be uploaded as volume.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

list()

Get a list of the configured container volumes as JSON.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful volume properties are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

Images

class pyivia.core.system.containers.images.Images(base_url, username, password)

create(image=None)

Pull a container image from a remote container registry.

Parameters:

image (str) – Name of the container image, eg. icr.io/ibmappgateway/ibm-application-gateway:23.04.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the created image reference is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

delete(image_id=None)

Delete a image from the local cache. An image can only be removed if it is not in use by a container deployment.

Parameters:

image_id (str) – Unique identifier of the image being removed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

get(image_id=None)

Get the detailed properties of a cached container image.

Parameters:

image_id (str) – Unique id of image to get details details for.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the image properties are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

list()

Get a list of detailed properties of a cached container images.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful image properties are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

update(image_id=None)

Request the latest hash of a container image, if the hash has changed then fetch the latest image and discard the old one.

Parameters:

image_id (str) – Unique identifier of the image being updated.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the updated image reference is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

Registry

class pyivia.core.system.containers.registry.Registry(base_url, username, password)

create(host=None, username=None, secret=None, proxy_host=None, proxy_port=None, proxy_user=None, proxy_pass=None, proxy_schema=None)

Create a credential for a user and container registry.

Parameters:

• host (str) – The address or domain name of the registry to authenticate to.

• username (str, optional) – The user to authenticate as.

• secret (str, optional) – The secret to authenticate with.

• proxy_host (str, optional) – An optional proxy to set when pulling images from this container registry.

• proxy_port (str, optional) – The port for the proxy. The default is 3128.

• proxy_user (str, optional) – The user to authenticate to the proxy with.

• proxy_pass (str, optional) – The password to authenticate to the proxy with. Must be provided if proxy_user is set.

• proxy_schema (str, optional) – The TCP schema to use. The default is http.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the created container registry reference is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

delete(rgy_id=None)

Delete a credential for a user and container registry.

Parameters:

rgy_id (str) – The id of the registry credential to be removed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

get(rgy_id=None)

Get the credential for known users of a container registry.

Parameters:

rgy_id (str) – Unique id for registry to get authentication details for.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the container registry is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

list()

Get all known credential for all container registries.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the container registry are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

update(rgy_id, host=None, username=None, secret=None, proxy_host=None, proxy_port=None, proxy_user=None, proxy_pass=None, proxy_schema=None)

Update the username/secret used to authenticate to a Container Registry. This will override any existing login configuration.

Parameters:

• rgy_id (str) – The id of the registry credential to be updated.

• host (str) – The address or domain name of the registry to authenticate to.

• username (str, optional) – The user to authenticate as.

• secret (str, optional) – The secret to authenticate with.

• proxy_host (str, optional) – An optional proxy to set when pulling images from this container registry.

• proxy_port (str, optional) – The port for the proxy. The default is 3128.

• proxy_user (str, optional) – The user to authenticate to the proxy with.

• proxy_pass (str, optional) – The password to authenticate to the proxy with. Must be provided if proxy_user is set.

• proxy_schema (str, optional) – The TCP schema to use. The default is http.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

Metadata

class pyivia.core.system.containers.metadata.Metadata(base_url, username, password)

get(metadata_name=None)

Get the metadata properties for a managed container.

Parameters:

metadata_name (str) – Name of the container metadata document.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the image metadata is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

list()

Get the metadata properties for all known managed containers.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the image metadata is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

Deployments

class pyivia.core.system.containers.deployments.Deployments(base_url, username, password)

create(name=None, image=None, type=None, ports=None, volumes=None, env=None, logging=None, command=None, args=None)

Create a new managed container deployment.

Parameters:

• name (str) – Name of the container deployment.

• image (str) – Container image to use.

• type (str) – Container deployment metadata type.

• ports (list of dict) – Mapping between container ports and host ports.

• volumes (list of dict) – Container volume mount properties.

• env (list of dict) – Container environment variable properties.

• logging (list of dict) – Container logfile rollover properties.

• command (str, optional) – An optional command from the metadata document to run instead of the container entrypoint.

• args (list of str) – An optional list of arguments to pass to the specified command.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the created deployment is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

delete(deployment_id=None)

Delete a credential for a user and container registry.

Parameters:

deployment_id (str) – The id of the container deployment to be removed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

get(deployment_id=None)

Get the deployment properties for a managed container.

Parameters:

deployment_id (str) – Unique id of the managed container.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the deployment properties are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

list()

Get all known deployment properties for all managed containers.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the deployment properties are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

update(deployment_id, operation=None, command=None, args=None)

Update the pod state of a managed container deployment.

Parameters:

• deployment_id (str) – The id of the container deployment.

• operation (str) – Should the container be stopped (“stop”) or started (“start”) or restarted (“restart”). Either “command” or “operation” property must be provided.

• command (str) – The name of the command from the metadata document to run. Either “command” or “operation” property must be provided.

• type (str) – Container deployment metadata type.

• args (list of str) – An optional list of arguments to pass to the specified command.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the output from the command is returned as JSON and can be accessed from the response.json attribute. Operations do not return JSON.

Return type:

Response

Health Check

class pyivia.core.system.containers.healthcheck.HealthCheck(base_url, username, password)

Class is responsible for managing authorization configuration to external container image registries.

get(deployment_id=None)

Get the health of a configured container as JSON.

Parameters:

deployment_id (str) – Unique id of the managed container.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the health check output is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

list()

Get the health of all configured containers as JSON.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the health check output is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

Date and Time

class pyivia.core.system.datetime.DateTime(base_url, username, password)

update(enable_ntp=True, ntp_servers=None, time_zone=None, date_time='0000-00-00 00:00:00')

Update the date/time settings of an appliance.

Parameters:

• enable_ntp (bool) – Should NTP be enabled.

• ntp_servers (str) – A comma-separated list of NTP server hostnames or IP addresses.

• time_zone (str) – The id of the timezone the appliance is operating in.

• date_time (str) – The current date and time, in the format “YYYY-MM-DD HH:mm:ss”

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the new date/time configuration is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

Domain Name Service (DNS)

class pyivia.core.system.dns.DNS(base_url, username, password)

get()

Get the current DNS configuration.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the DNS configuration is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

update(auto=True, auto_from_interface=None, primary_server=None, secondary_server=None, tertiary_server=None, search_domains=None)

Update the DNS configuration.

Parameters:

• auto (bool) – true if DNS should be auto configured via dhcp.

• auto_from_interface (str) – Uuid of interface whose dhcp will defined the dns settings.

• primary_server (str) – Primary DNS Server address.

• secondary_server (str) – Secondary DNS Server address.

• tertiary_server (str) – Tertiary DNS Server address.

• search_domains (str) – Comma-separated list of DNS search domains.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

Docker (Snapshot Publishing)

class pyivia.core.system.docker.Docker(base_url, username, password)

publish()

Publish the current configuration snapshot.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the snapshot id is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

stop()

Stop the configuration container

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

File Downloads

class pyivia.core.system.filedownloads.FileDownloads(base_url, username, password)

get(file_path, recursive=None)

Get a file from the “File Downloads” directory of an appliance

Parameters:

• file_path (str) – The relative path of the file to be retrieved. To get the contents of a directory include the trailing ‘/’

• recursive (str, optional) – Return the contents of sub-directories as well. Valid values are ‘yes’ and ‘no’.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the files are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

get_directory(path, recursive=None)

Get the contents of a directory from the hosted files of a Verify Identity Access appliance.

Parameters:

• path (str) – The directory which contains the files to be downloaded.

• recursive (bool, optional) – Return files in sub-directories of the path specified. Default is False.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the file contents are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

First Steps

class pyivia.core.system.firststeps.FirstSteps(base_url, username, password)

get_setup_status()

Get the status of the appliance setup.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the current status is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

get_sla_status()

Get the SLA status.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the SLA status is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

set_setup_complete()

Complete the first steps setup process.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

set_sla_status(accept=True)

Accept the SLA.

Parameters:

accept (bool) – Accept the SLA

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

Fixpacks

class pyivia.core.system.fixpacks.Fixpacks(base_url, username, password)

get_fips_mode()

Get the FIPS compliance mode of an appliance.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the FIPS settings is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

install_fixpack(file_path)

Install a signed fixpack.

Parameters:

file_path (str) – Absolute path to fixpack to be uploaded to an appliance.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

list_fixpacks()

List the installed fixpacks.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the installed fixpacks are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

rollback_fixpack()

Roll back the most recently installed fixpack

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

FIPS

class pyivia.core.system.fips.FIPS(base_url, username, password)

get_settings()

Get the current FIPS configuration.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the updated FIPS settings are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

update_settings(fips_enabled=None, tls_v10_enabled=None, tls_v11_enabled=None)

Enable FIPS compliance on a Verify Identity Access appliance.

Parameters:

• fips_enabled (bool) – Enable FIPS 140-2 Mode

• tls_v10_enabled (bool) – Allow TLS v1.0 for LMI sessions

• tls_v11_enabled (bool) – Allow TLS v1.1 for LMI sessions

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the updated FIPS settings are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

General Networking

class pyivia.core.system.general.General(base_url, username, password)

get()

Get General Network Configuration

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the system’s general networking properties are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

update_hostname(hostname)

Update the hostname for an appliance based deployment.

Parameters:

hostname (str) – System hostname.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

Extensions

class pyivia.core.system.extensions.Extensions(base_url, username, password)

create_extension(ext_file=None, properties={}, third_party_packages=[])

Create a new extension by installing an extension archive from IBM App-Xchange.

Parameters:

• ext_file (str) – Path to file to upload as extension installer.

• properties (dict, optional) – Optional set of configuration properties required by extension. Properties will change depending on the extension installed. This data is likely supposed to be a serialized JSON string.

• third_party_packages (list of str) – List of file paths to be uploaded to the appliance during extension activation.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

delete_extension(extension)

Delete an installed extension.

Parameters:

extension (str) – The identifier of the extension to be removed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the installed extensions are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

list_extensions()

Get a list of the installed extensions.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the installed extensions are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

update_extension(ext_file=None, properties={})

Update an previously installed extension.

Parameters:

• ext_file (str) – Path to file to upload as extension installer.

• properties (dict, optional) – Optional set of configuration properties required by extension. Properties will change depending on the extension installed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

Hosts File

class pyivia.core.system.hostsfile.HostsFile(base_url, username, password)

create_record(address, hostname_list)

Craete a new host record and add 0 or more host names

Parameters:

• address (str) – The host IP address to create.

• hostname_list (list of str) – list of host names to associate with address

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the id of the new record is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

delete_host_name(address=None, host_name=None)

Delete a host name from a host address.

Parameters:

• address (str) – The IP address of the host record.

• host_name (str) – The hostname of the host record.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

delete_record(address=None)

Delete a host record (address and associated host names)

Parameters:

address (str) – The IP address of the host record.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

get_record(address)

Get a list of host names associated with an address

Parameters:

address (str) – The IP address of the host record.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the host records are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

list_records()

Get a list host addresses

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the host addresses are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

update_record(address, hostname=None)

Add a host file entry.

Parameters:

• address (str) – The IP address of the host record.

• hostname (str) – The hostname in the host record.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the id of the new record is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

Interfaces

class pyivia.core.system.interfaces.Interfaces(base_url, username, password)

create_address(interface_label, address=None, mask_or_prefix=None, enabled=True, allow_management=False, broadcast_address=None, override_subnet_checking=False)

Add a new address to an existing interface.

Parameters:

• interface_label (str) – Name of the existing interface to add a new address to

• address (str) – IPv4 address to add

• mask_or_prefix (str) – subnet mask or prefix. e.g. “255.255.255.0”, “24”.

• enabled (bool) – true to enabled this address, otherwise false.

• allow_management (bool) – true if this is the primary management address.

• broadcast_address (str) – Broadcast address on the subnet.

• override_subnet_checking (bool) – true to indicate that the check for overlapping subnets should not be executed. The default value of false is used if this data is not supplied.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the interface configuration is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

create_interface(name=None, comment=None, label=None, enabled=True, vlan_id=None, ipv4={}, ipv6={})

Create a new network interface

Parameters:

• name (str) – Name of the interface

• comment (str) – Comment to identify the interface object.

• label (str) – System label of the interface. e.g. “1.1”.

• enabled (bool) – true if the interface should be used, otherwise false.

• vlan_id (str) – vlan id of interface in range “0”..”4094”.

• ipv4 (dict) – ipv4 configuration of the interface

• ipv6 (dict) – ipv6 configuration of the interface

Example Request:

{
    "name"    : "Demo",
    "objType" : "interface",
    "label"   : "1.1",
    "enabled" : true,
    "bondingMode": "none",
    "ipv4"    : {
      "dhcp"      : {
        "enabled" : false,
        "allowManagement" : false,
        "providesDefaultRoute": false
      },
      "addresses" : [{
        "uuid"            : "1e107d3b-0748-4e02-96f7-581cb8655356",
        "objType"         : "ipv4Address",
        "address"         : "10.0.254.1",
        "maskOrPrefix"    : "24",
        "broadcastAddress": null,
        "allowManagement" : false,
        "isPrimary"       : false,
        "enabled"         : true
      }]
    },
    "ipv6"    : {
      "dhcp"      : {
        "enabled" : false,
        "allowManagement" : false
      },
      "addresses" : []
    }
}

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the interface is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

delete_interface(uuid)

Delete a VLAN interface configuration

Parameters:

uuid (str) – Unique id of the interface to delete.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

list_interfaces()

List all known interface properties.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the interfaces are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

update_interface(uuid, name=None, comment=None, enabled=True, vlan_id=0, bonding_mode=None, bonded_to=None, ipv4_address=None, ipv4_mask_or_prefix=None, ipv4_broadcast_address=None, ipv4_allow_management=False, ipv4_enabled=True, ipv4_dhcp_enabled=True, ipv4_dhcp_allow_management=False, ipv4_dhcp_default_route=False, ipv4_dhcp_route_metric=0, ipv4_override_subnet_checking=False, ipv6_address=None, ipv6_prefix_length=None, ipv6_allow_management=None, ipv6_enabled=None, ipv6_dhcp_enabled=False, ipv6_dhcp_allow_management=False)

Update the configuration of an existing interface

Parameters:

• uuid (str) – unique id of the object.

• name (str) – name of the object.

• comment (str, optional) – comment to identify the interface object.

• bool) (enabled) – true if the interface should be used, otherwise false.

• vlan_id (int) – optional vlan id of interface in range “0”..”4094”.

• bonding_mode (str) – none|slave|balance-rr|active-backup|balance-xor|broadcast|802.3ad|balance-tlb|balance-alb. Defaults to none if not provided.

• bonded_to (str) – Only required when bondingMode == ‘slave’. Set to UUID of interface bonded to.

• ipv4_address (str) – static address configuration details.

• ipv4_mask_or_prefix (str) – subnet mask or prefix. e.g. “255.255.255.0”, “24”.

• ipv4_broadcast_address (str) – broadcast address on the subnet.

• ipv4_allow_management (boolean) – true to allow management access on this address.

• ipv4_dhcp_default_route (boolean) – true if the dhcp configuration should specify a default route.

• ipv4_dhcp_route_metric (int) – optional default route metric if providesDefaultRoute is true.

• ipv4_override_subnet_checking (boolean) – true to indicate that the check for overlapping subnets should not be executed. The default value of false is used if this data is not supplied.

• ipv6_address (str) – IPv6 address value.

• ipv6_prefix_length (str) – prefix length in range “1”..”128”.

• ipv6_allow_management (bool) – true to allow management access on this address.

• ipv6_enabled (bool) – true to enabled this address, otherwise false.

• ipv6_dhcp_allow_management (bool) – true to allow management access on this address.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the updated interface is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

Static Routes

class pyivia.core.system.staticroutes.StaticRoutes(base_url, username, password)

create_route(address=None, mask_or_prefix=None, enabled=True, gateway=None, interface_uuid=None, metric=0, comment=None, table=None)

Create a new networking route.

Parameters:

• address (str) – route address (ipv4 or ipv6) or keyword “default”

• mask_or_prefix (str) – optional mask or prefix of the address.

• enabled (bool) – true if the route should be used, otherwise false.

• gateway (str) – optional route gateway

• interface_uuid (str) – interface for the route. If not defined, the operating system will determine the correct interface.

• metric (int) – optional route metric

• comment (str, optional) – comment to identify the static route.

• table (str, optional) – “main” or uuid of address. If not defined “main” is assumed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the id of the created mechanism can be access from the response.id_from_location attribute

Return type:

Response

list_routes()

List the current networking routes.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the networking route configurations are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

update_route(uuid, enabled=None, address=None, mask_or_prefix=None, gateway=None, interface_uuid=None, metric=0, r_comment=None, table=None)

Update a networking route configuration.

Parameters:

• uuid (str) – unique id of the static route to update

• enabled (bool) – true if the route should be used, otherwise false.

• address (str) – route address (ipv4 or ipv6) or keyword “default”

• mask_or_prefix (str) – optional mask or prefix of the address.

• gateway (str) – optional route gateway

• interface_uuid (str) – interface for the route. If not defined, the operating system will determine the correct interface.

• metric (int) – optional route metric

• comment (str, optional) – comment to identify the static route.

• table (str, optional) – “main” or uuid of address. If not defined “main” is assumed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the networking route configuration is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

Licensing

class pyivia.core.system.licensing.Licensing(base_url, username, password)

activate_module(code)

Apply a licensing code to activate a module.

Parameters:

code (str) – The new activation code.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

get_activated_module(module_id)

Get a specific active offering.

Parameters:

module_id (str) – ID of the specified Activation offering.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the active module configuration is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

get_activated_modules()

Get a list of all of the active modules

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the active module configurations are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

import_activation_code(file_path)

Import an activation code from a file.

Parameters:

file_path (str) – Absolute path to file containing the activation code.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the active module is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

trial_activation(file_path)

Import a license certificate issued by https://isva-trial.verify.ibm.com/

Typically licenses are valid for 90 days.

Parameters:

file_path (str) – Absolute path to file containing the PEM encoded license certificate.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the active module is returned as HTML encoded JSON and can be accessed from the response.data attribute

Return type:

Response

Management Authorization

class pyivia.core.system.managementauthorization.ManagementAuthorization(base_url, username, password)

create_role(name=None, users=None, groups=None, features=None)

Create a new management authorization role

Parameters:

• name (str) – The name of the authorization role.

• users (list of dict) – The users who are included this role.

• groups (list of dict) – The groups whose members are included in this role.

• features (list of dict) – An array of features and the associated permission.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the created role is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

delete_role(role=None)

Delete a management authorization role.

Parameters:

role (str) – The name of the authorization role.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

enable(enforce=False)

Enable role based authorization.

Parameters:

enforce (bool) – Is the authorization policy enabled and enforcing?

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

get_features()

Get a list of the authorization features

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the list of management authorization roles are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

get_features_for_user(user=None)

Get a list of the permitted features for a user.

Parameters:

user (str) – The username to get the authorization features for.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful list of features is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

get_groups_for_role(role=None)

Get a list of groups for a given role.

Parameters:

role (str) – The name of the authorization role.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the list of groups is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

get_role(role=None)

Get a management authorization role.

Parameters:

role (str) – The name of the authorization role.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the management authorization role is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

get_roles()

Get a list of the current management authorization roles.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the list of roles are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

get_users_for_role(role=None)

Get a list of users for a given role.

Parameters:

role (str) – The name of the authorization role.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the list of users is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

update_role(name=None, users=None, groups=None, features=None)

Update a management authorization role

Parameters:

• name (str) – The name of the authorization role.

• users (list of dict) – The users who are included this role.

• groups (list of dict) – The groups whose members are included in this role.

• ( (features) – obj:list` of dict): An array of features and the associated permission.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the updated management authorization role is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

Management Authentication

class pyivia.core.system.managementauthentication.ManagementAuthentication(base_url, username, password)

get()

Get the management authentication configuration

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the management authorization configuration is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

test(username=None, password=None)

Test authenticate a username/password combination using the configured identity provider. THis is only valid for local or LDAP based authentication.

Parameters:

• username (str) – The username to authenticate with.

• password (str) – The password to authenticate with.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

update(auth_type, ldap_host=None, ldap_port=None, enable_ssl=None, key_database=None, cert_label=None, user_attribute=None, group_member_attribute=None, base_dn=None, admin_group_dn=None, anon_bind=None, bind_dn=None, bind_password=None, ldap_debug=None, enable_usermapping=None, usermapping_script=None, enable_ssh_pubkey_auth=None, ssh_pubkey_auth_attribute=None, oidc_client_id=None, oidc_client_secret=None, oidc_discovery_endpoint=None, oidc_enable_pkce=None, oidc_enable_admin_group=None, oidc_group_claim=None, oidc_admin_group=None, oidc_user_claim=None, oidc_keystore=None, enable_tokenmapping=None, tokenmapping_script=None)

Update the management authorization roles configuration

Parameters:

• auth_type (str) – The type of management authorization to use. valid values are “local”, “remote” or “federation”.

• ldap_host (str, optional) – Specifies the name of the LDAP server. This parameter is required if auth_type is remote.

• ldap_port (int, optional) – Specifies the port over which to communicate with the LDAP server. This parameter is required if auth_type is remote.

• enable_ssl (bool, optional) – Specifies whether SSL is used when the system communicates with the LDAP server.

• key_database (str, optional) – Specifies the name of the key database file. This parameter is required if “enable_ssl” is set to true and auth_type is remote.

• cert_label (str, optional) – Specifies the name of the certificate within the Key database that is used if client authentication is requested by the LDAP server.

• user_attribute (str, optional) – Specifies the name of the LDAP attribute which holds the supplied authentication user name of the user. This parameter is required if auth_type is remote.

• group_member_attribute (str, optional) – Specifies the name of the LDAP attribute which is used to hold the members of a group. This parameter is required if auth_type is remote.

• base_dn (str, optional) – Specifies the base DN which is used to house all administrative users.

• admin_group_dn (str, optional) – Specifies the DN of the group to which all administrative users must belong.

• anon_bind (bool`, optional) – Specifies whether the LDAP user registry supports anonymous bind. If set to false, “bind_dn” and “bind_password” are required.

• bind_dn (str, optional) – Specifies the DN of the user which will be used to bind to the registry. This user must have read access to the directory. This parameter is required if anon_bind is false and auth_type is remote.

• bind_password (str, optional) – Specifies the password which is associated with the bind_dn. This parameter is required if anon_bind is false and auth_type is remote.

• ldap_debug (bool, optional) – Specifies whether the capturing of LDAP debugging information is enabled or not.

• enable_usermapping (bool, optional) – Specifies whether mapping of the incoming client certificate DN is enabled.

• usermapping_script (str, optional) – Specifies the javascript script that will map the incoming client certificate DN. The script will be passed a Map containing the certificate dn, rdns, principal, cert, san and the user_attribute, group_member_attribute and base_dn from this configuration. If not specified a default script is used. Only valid if auth_type is set to remote and enable_usermapping is true.

• enable_ssh_pubkey_auth (bool, optional) – Specifies whether or not users in the LDAP server can log in via SSH using SSH public key authentication. If this value is not provided, it will default to false.

• ssh_pubkey_auth_attribute (str, optional) – Specifies the name of the LDAP attribute which contains a user’s public key data. This field is required if SSH public key authentication is enabled.

• oidc_client_id (str, optional) – The OIDC Client Identifier. This field is required if auth_type is federation.

• oidc_client_secret (str, optional) – The OIDC Client Secret. This field is required if auth_type is federation.

• oidc_discovery_endpoint (str, optional) – The OIDC Discovery (well-known) endpoint. This field is required if auth_type is federation.

• oidc_enable_pkce (bool, optional) – Specifies whether the Public key Code Exchange extension is enforced. This field is required if auth_type is federation.

• oidc_enable_admin_group (bool, optional) – Specifies whether a user must be a member of a particular group to be considered an administrator user. This field is required if auth_type is federation.

• oidc_group_claim (str, optional) – The OIDC token claim to use as group membership. This claim can either be a String, or a list of Strings. The default value is “groups”.

• oidc_admin_group (str, optional) – The name of the group which a user must be a member of to be considered an administrator user. The default value is “adminGroup”.

• oidc_user_claim – (str, optional): Specifies the OIDC token claim to use as the username. The default value is “sub”.

• oidc_keystore (str, optional) – The SSL Truststore to verify connections the the OIDC OP. The default value if “lmi_trust_store”.

• enable_tokenmapping (bool, optional) – Specifies whether custom claim to identity mapping is performed using a JavaScript code fragment.

• tokenmapping_script (str, optional) – The custom JavaScript code fragment to map an identity token to a username/group membership.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the management authorization configuration is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

Restart and Shutdown

class pyivia.core.system.restartshutdown.RestartShutdown(base_url, username, password)

get_lmi_status()

Get the current status of the management interface.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the status of the management interface is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

get_runtime_status()

Get the status of the federated runtime server.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the status of the runtime server is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

restart_lmi()

Restart the management interface.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

restart_runtime()

Restart the federated runtime server

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

Runtime (High Volume) Database

class pyivia.core.system.runtimedb.RuntimeDb(base_url, username, password)

get_db()

Get the current database configuration.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the database configuration is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

set_db(db_type=None, port=None, host=None, secure=True, user=None, passwd=None, db_name=None, extra_attrs={})

Set the High Volume (runtime) Database configuration.

Parameters:

• db_type (str) – The type of database that is being used. Valid values are db2, postgresql and oracle.

• port (int) – The port on which the external database server is listening.

• host (str) – The IP or hostname of the external database server.

• secure (bool) – A flag true/false indicating whether or not the external database is secure.

• user (str) – The administrator name for the external database.

• passwd (str) – The administrator password for the external database.

• db_name (str) – The name of the external database.

• extra_attrs (dict) – External databases require different sets of parameters depending on the type of database.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

SSL Certificates and Keystores

class pyivia.core.system.sslcertificates.SSLCertificates(base_url, username, password)

create_database(kdb_name, db_type=None, token_label=None, passcode=None, hsm_type=None, ip=None, port=None, kneti_hash=None, esn=None, secondary_ip=None, secondary_port=None, secondary_kneti_hash=None, secondary_esn=None, use_rfs=None, rfs=None, rfs_port=None, rfs_auth=None, update_zip=None, safenet_pw=None)

Create a SSL database

Parameters:

• kdb_name (str) – The new certificate database name that is used to uniquely identify the certificate database.

• db_type (str) – The type of the new certificate database. Valid options are “kdb” for local databases and “p11” for network databases.

• token_label (str) – The token label of the certificate database.

• passcode (str) – The passcode of the certificate database.

• hsm_type (str) – The type of network HSM device which is being used. Required if the database type is “p11”. Valid types are “ncipher” or “safenet”.

• ip (str) – The IP address of the module. Required if the database type is “p11”.

• port (int, optional) – The port of the module. Only valid if the hsm_type is “ncipher”.

• kneti_hash (str, optional) – The hash of the KNETI key. Only valid if the hsm_type is “ncipher”.

• esn (str, optional) – The Electronic Serial Number (ESN) of the module. Only valid if the hsm_type is “ncipher”.

• secondary_ip (str, optional) – The IP address of the secondary module. Only valid if the hsm_type is “ncipher”.

• secondary_port (int, optional) – The port of the secondary module. Only valid if the hsm_type is “ncipher”

• secondary_kneti_hash (str) – The hash of the secondary’s KNETI key. Only valid if the hsm_type is “ncipher”.

• secondary_esn (str, optional) – The Electronic Serial Number (ESN) of the secondary module. Only valid if the hsm_type is “ncipher”.

• use_rfs (bool, optional) – A flag indicating if an RFS will be used. Default is true. Only valid if the hsm_type is “ncipher”.

• rfs (str, optional) – The IP address of the Remote File System (RFS). Required if the hsm_type is “ncipher” and use_rfs is “true”.

• rfs_port (int, optional) – The port of the Remote File System (RFS). Only valid if the hsm_type is “ncipher”.

• rfs_auth (bool, optional) – Specifies whether KNETI authentication is used when connecting to the RFS.

• update_zip (str, optional) – A zip file containing local data to be uploaded from the device. Only valid if the hsm_type is “ncipher” and use_rfs is “false”.

• safenet_pw (str, optional) – The password of the SafeNet device admin account. Only valid if the HSM type is “safenet”.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the id of the SSL database is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

get_database(kdb_id)

Get a SSL certificate database details

Parameters:

kdb_id (str) – Name of the certificate database.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the SSL database details are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

get_personal(kdb_id, label=None)

Get the X509 certificate from a personal certificate in a SSL database

Parameters:

• kdb_id (str) – Name of the certificate database.

• label (str) – Name of the personal certificate to retrieve.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the certificate is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

get_signer(kdb_id, label=None)

Get a X509 certificate from the list of signer certificates.

Parameters:

• kdb_id (str) – Name of the certificate database.

• ( (label) – obj;`str`): Name of the signer certificate.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the X509 certificate is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

import_database(kdb_file=None, sth_file=None)

Import a SSL database.

Parameters:

• kdb_file (str) – Path to KDB file to import. This file should either be in KDB or PKCS#12 format.

• sth_file (str) – Path to the corresponding stash file for the SSL database.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the id of the SSL database is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

import_personal(kdb_id, file_path, password=None, label=None)

Import a personal certificate (private key & X509 certificate) into a SSL database

Parameters:

• kdb_id (str) – Name of the certificate database.

• file_path (str) – Absolute path to file containing #PKCS12 PKI

• password (str) – Password to unlock personal certificate

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

import_signer(kdb_id, file_path, label=None)

Import a X509 certificate into a SSL database

Parameters:

• kdb_id (str) – Name of the certificate database.

• file_path (str) – Absolute path to file containing PEM encoded certificate.

• label (str) – Alias for certificate in SSL database

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

list_databases()

List the SSL databases

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the SSL databases are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

load_signer(kdb_id, server=None, port=None, label=None)

Load a X509 certificate from a TLS connection.

Parameters:

• kdb_id (str) – Name of the certificate database.

• server (str) – The name or address of the server which holds the server certificate.

• port (int) – The port over which the certificate request will be made to the server.

• label (str) – The label which will be used to identify the certificate within the key file.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the id of the loaded certificate is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

System Accounts

class pyivia.core.system.sysaccount.SysAccount(base_url, username, password)

add_user(group=None, user=None)

Add a user to a group

Parameters:

• group (str) – The name of the group the user will be added to.

• user (str) – The name of the user to be added to the group.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the id of the updated group is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

create_group(group=None)

Create a new management interface group

Parameters:

group (str) – The name of the group the user will be added to. The name can contain any ASCII characters but leading and trailing white space will be trimmed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the id of the group is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

create_user(user=None, password=None, groups=[])

Create a new management interface user

Parameters:

• user (str) – The name of the new user. The name can contain any ASCII characters but leading and trailing white space will be trimmed.

• password (str) – The password for the new user. This can contain any ASCII characters.

• groups (list of str) – A list of groups the new user will belong to.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the id of the new user is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

delete_group(group=None)

Delete a group from the management interface

Parameters:

group (str) – The name of the group to delete.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

delete_user(user)

Delete a user from the management interface

Parameters:

user (str) – The name of the user to delete.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

get_group(group=None)

Get the details of a group

Parameters:

group (str) – The name of the group to list details for.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the groups details are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

get_groups()

Get a list of the management interface groups

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the list of groups is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

get_user(user)

Get details of a particular user

Parameters:

user (str) – The name of the user to list details for.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the user’s details are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

get_users()

Get a list of all the current management interface user accounts.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the user accounts are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

remove_user(group=None, user=None)

Remove a user from a group.

Parameters:

• group (str) – The name of the group the user will be removed from.

• user (str) – The name of the user to be removed from the group.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

update_admin_password(old_password=None, password=None)

Update the password for the current user account.

Parameters:

• old_password (str) – The current password for the user.

• password (str) – The new password for the user. This can contain any ASCII characters.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

update_user(user, password=None)

Update the user’s password

Parameters:

• user (str) – The name of the user to change the password for.

• password (str) – The new password for the user. This can contain any ASCII characters.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

Snapshot

class pyivia.core.system.snapshot.Snapshot(base_url, username, password)

apply(snapshot_id)

Apply a configuration snapshot.

Parameters:

snapshot_id (str) – The id of the snapshot to be applied.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

delete(snapshot_id)

Delete an existing configuration snapshot.

Parameters:

snapshot_id (str) – The id of the snapshot to be removed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

download(snapshot_id, snapshot)

Download the given file to an appliance as a configuration snapshot.

Parameters:

• snapshot_id (str) – The id of the snapshot to be downloaded. Id should follow the naming convention ivia_<version>.<snapshot id>.snapshot

• snapshot (str) – Path to file to be imported as configuration snapshot file.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

list()

Get a list of all known configuration snapshots.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the snapshot files are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

upload(snapshot)

Upload the given file to an appliance as a configuration snapshot. File should follow the naming convention ivia_<version>.<snapshot id>.snapshot

Parameters:

snapshot (str) – Path to file to be imported as configuration snapshot file.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response