WebSEAL Reverse Proxy Settings

The Web Settings module can be used to configure the Web Reverse Proxy and associated junctions as well as configure integrations with the Runtime Server’s user registry and policy server.

class pyivia.core.websettings.WebSettings

Object used to manage WebSEAL configuration endpoints

Variables:

dsc_admin – Manage the Distributed Session Cache.
policy_administration – Manage the policy server.
reverse_proxy – Create and manage WebSEAL instances.
runtime_component – Create and manage the user registry and policy server configuration files.
http_transform – Create and manage XSLT and LUA HTTP transformation rules.
fsso – Create and manage Form Single Sign-On rules.
client_cert_mapping – Create Client X509 Certificate authentication mapping rules.
jct_mapping – Create Junction Mapping rules.
url_mapping – Create URL Mapping rules.
user_mapping – Create User Mapping rules.
kerberos – Create and manage KERBEROS federated user registries.
password_strength – Create Password Strength Rules.
rsa – Configure RSA OTP integration
api_access_control – Create and manage API Gateway integrations.
ratelimit – Create Rate Limiting rules.

API Access Control

The API Access Control module is used to configure WebSEAL instances which can be used as API Gateways

class pyivia.core.web.api_access_control.APIAccessControl(base_url, username, password)

Class is responsible for WebSEAL API Access Control endpoints.

Variables:

cors – Manage the Cross Origin Remote Scripting configuration.
policies – Manage the API Access Control authorization policies.
resource_server – Manage the API Gateway Reverse Proxy instances.
utilities – Use helper functions for managing reverse proxy instances.
document_root – Manage the static document root of an API Gateway.
authz_server – Manage the authorization (policy) server of an API Gateway instance.

Authorization Server

class pyivia.core.web.apiac.authorization_server.AuthorizationServer(base_url, username, password)

add_configuration_stanza(instance, stanza=None)

Add a stanza to the properties file for an API Authorization Server.

Parameters:

instance (str) – The API Authorization server instance to modify.
stanza (str) – The stanza to add.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

add_configuration_stanza_entry(instance, stanza=None, entries=[])

Add an entry to the configuration properties file of an API Authorization Server.

Parameters:

instance (str) – The API Authorization server instance to modify.
stanza (str) – The stanza to modify.
entries (list of dict) –
List of entries to add to the stanza. Dictionary is in the format:
```
[
    {"entryName": "value"},
    {"anotherEntryName": "theValue"}
]
```

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

create_server(inst_name, hostname=None, auth_port=None, admin_port=None, domain=None, admin_id=None, admin_pwd=None, addresses=[], ssl=None, ssl_port=None, keyfile=None, keyfile_label=None)

Create new API authorization server.

Parameters:

inst_name (str) – Name of the instance to be created.
hostname (str) – The host name of the local host. This name is used when constructing the authorization server name.
auth_port (int) – The port on which authorization requests will be received.
admin_port (int) – The port on which Verify Identity Access authorization server administration requests will be received.
domain (str) – The Verify Identity Access authorization server domain.
admin_id (str, optional) – The Verify Identity Access authorization server’s administrator name. This parameter is optional and will be set to “sec_master” if not specified.
admin_pwd (str) – The Verify Identity Access authorization server’s administrator password.
addresses (list of str) – A list of local addresses on which the authorization server will listen for requests.
ssl (str) – Whether or not to enable SSL between the Verify Identity Access authorization server and the LDAP server. “yes” | “no”.
ssl_port (int) – The SSL port on which the LDAP server will be contacted.
keyfile (str) – The name of the keyfile that will be used when communicating with the LDAP server over SSL.
keyfile_label (str) – The label of the certificate within the keyfile to use.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

delete_configuration_stanza(instance, stanza=None)

Delete a stanza from the properties file for an API Authorization Server.

Parameters:

instance (str) – The API Authorization server instance to modify.
stanza (str) – The stanza to remove.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

delete_configuration_stanza_entry(instance, stanza=None, entry_id=None, value=None)

Remove an entry from a stanza properties file for an API Authorization Server.

Parameters:

instance (str) – The API Authorization server instance to modify.
stanza (str) – The stanza to modify.
entry_id (str) – The entry to remove.
value (str) – The value of the configuration entry to remove.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

delete_server(inst_name, admin_id=None, admin_pwd=None, operation='unconfigure', force=None)

Delete a configured API Authorization Server.

Parameters:

inst_name (str) – Name of the authorization server to update.
admin_id (str) – The Verify Identity Access authorization server’s administrator name.
admin_pwd (str) – Secret to authenticate as admin_id.
operation (str) – A flag that is used to indicate the operation to perform. Accepted value is “unconfigure”.
force (str) – Whether or not to force the unconfiguration of the instance in the event the policy server is unreachable. “yes” | “no”

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

get_configuration_stanza_entry(instance, stanza=None, entry_id=None)

Get the value of an entry in a stanza properties file for an API Authorization Server.

Parameters:

instance (str) – The API Authorization server instance to return.
stanza (str) – The stanza to get.
entry_id (str) – The entry to get.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful then the entry value is returned as JSON and is available in the response.json property.

Return type:

Response

list_configuration_stanza(instance)

Get a list of stanza’s from the properties file for an API Authorization Server.

Parameters:

instance (str) – The API Authorization server instance to return.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful then the list of stanza are returned as JSON and is available in the response.json property.

Return type:

Response

list_servers()

Get a list of all the configured API Authorization Servers.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful a list of the configured API Authorization Servers is returned as JSON and can be accessed from the response.json property.

Return type:

Response

update_configuration_stanza_entry(instance, stanza=None, entry_id=None, value=None)

Update an entry in a stanza properties file for an API Authorization Server.

Parameters:

instance (str) – The API Authorization server instance to modify.
stanza (str) – The stanza to modify.
entry_id (str) – The entry to be updated.
value (str) – The new value of the configuration entry.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

update_server(inst_name, admin_id=None, admin_pwd=None, operation='renew')

Update an API authorization server. This can be used to update the certificate used to communicate with the Verify Identity Access authorization server.

Parameters:

inst_name (str) – Name of the authorization server to update.
admin_id (str) – The Verify Identity Access authorization server’s administrator name.
admin_pwd (str) – Secret to authenticate as admin_id.
operation (str) – A flag that is used to indicate the operation to perform. This value is set to “renew” for the renew operation.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

Cross Origin Remote Scripting

class pyivia.core.web.apiac.cors.CORS(base_url, username, password)

create(name=None, allowed_origins=[], allow_credentials=None, exposed_headers=[], handle_preflight=None, allowed_methods=[], allowed_headers=[], max_age=None)

Create a CORS policy

Parameters:

name (str) – The name of the CORS policy.
allowed_origins (list of str) – An array of origins which are allowed to make cross origin requests to this resource.
allow_credentials (bool) – Controls whether or not the Access-Control-Allow-Credentials header will be set.
exposed_headers (bool) – Controls the values populated in the Access-Control-Expose-Headers header.
handle_preflight (bool) – Controls whether or not the Reverse Proxy will handle pre-flight requests.
allowed_methods (list of str) – HTTP methods permitted in pre-flight requests and the subsequent Access-Control-Allow-Methods header.
allowed_headers (list of str) – Names of HTTP headers permitted in pre-flight requests and the subsequent Access-Control-Allow-Headers header.
max_age (int) – Set the Access-Control-Max-Age header added to pre-flight requests.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

delete(name=None)

Delete an existing CORS policy.

Parameters:

name (str) – The name of the CORS policy to be removed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

get(name=None)

Get a configured CORS policy.

Parameters:

name (str) – The name of the CORS policy.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the CORS policy is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

list()

List the configured CORS policies.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the CORS policies are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

update(name, allowed_origins=[], allow_credentials=None, exposed_headers=[], handle_preflight=None, allowed_methods=[], allowed_headers=[], max_age=None)

Update an existing CORS policy.

Parameters:

name (str) – The name of the CORS policy.
allowed_origins (list of str) – An array of origins which are allowed to make cross origin requests to this resource.
allow_credentials (bool) – Controls whether or not the Access-Control-Allow-Credentials header will be set.
headers (exposed) – Controls the values populated in the Access-Control-Expose-Headers header.
handle_preflight (bool) – Controls whether or not the Reverse Proxy will handle pre-flight requests.
allowed_methods (list of str) – HTTP methods permitted in pre-flight requests and the subsequent Access-Control-Allow-Methods header.
allowed_headers (list of str) – Names of HTTP headers permitted in pre-flight requests and the subsequent Access-Control-Allow-Headers header.
max_age (int) – Set the Access-Control-Max-Age header added to pre-flight requests.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

Document Root

class pyivia.core.web.apiac.document_root.DocumentRoot(base_url, username, password)

create(instance, file_name=None, file_type=None, contents=None)

Create a new file or directory in the API Access Control document root.

Parameters:

instance (str) – The name of the WebSEAL instance being configured.
file_name (str) – Name of new file or directory.
file_type (str) – Type of file. Either “file” or “dir”.
contents (str) – If file_type == "file" this is the contents of the new file.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the id of the file is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

get(instance, name=None)

Get a file or directory from the API Access Control document root

Parameters:

instance (str) – The name of the WebSEAL instance being configured.
name (str) – Name of file or directory.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the file or directory is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

list(instance)

Get a list of all of the files and directories in the API Access Control document root.

Parameters:

instance (str) – The name of the WebSEAL instance being configured.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the files are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

rename(instance, name=None, new_name=None, file_type=None)

Rename a file or directory in the API Access Control document root.

Parameters:

instance (str) – The name of the WebSEAL instance being configured.
name (str) – Name of the existing file or directory.
new_name (str) – New name of the file or directory.
file_type (str) – File type being modified.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the id of the file is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

update(instance, name=None, file_type=None, contents=None)

Update an existing file in the API Access Control document root.

Parameters:

instance (str) – The name of the WebSEAL instance being configured.
file_name (str) – Name of new file or directory.
file_type (str) – Type of file. Either “file” or “dir”.
contents (str) – If file_type == "file" this is the contents of the new file.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the id of the file is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

Policies

class pyivia.core.web.apiac.policies.Policies(base_url, username, password)

create(name=None, groups=[], attributes=[])

Create a new API Access Control policy.

Parameters:

name (str) – name of new policy to be created.
groups (list of str) – The groups referenced by this policy.
attributes (list of str) – The attribute matches referenced by this policy.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the id of the created obligation can be accessed from the response.id_from_location attribute

Return type:

Response

delete(name=None)

Delete an API Access Control policy.

Parameters:

name (str) – Name of policy to be removed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

get(name=None)

Get an API Access Control policy.

Parameters:

name (str) – Name of policy to be returned.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the policy is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

list()

List all of the configured API Access Control policies.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

update(name, groups=[], attributes=[])

Update a API Access Control policy.

Parameters:

name (str) – Name of the API Access Control policy to be updated.
groups (list of str) – The groups referenced by this policy.
attributes (list of str) – The attribute matches referenced by this policy.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

Resources

class pyivia.core.web.apiac.resource_server.ResourceServer(base_url, username, password)

create_resource(instance, resource_server, server_type='standard', method=None, path=None, name=None, policy_type=None, policy_name=None, static_response_headers=None, rate_limiting_policy=None, url_aliases=None, documentation_content_type=None, documentation_file=None)

Create a new API Access Control Resource.

Parameters:

instance (str) – The name of the Reverse Proxy Instance.
resource_server (str) – The name of the API Access Control Resource Server.
server_type (str) – The type of the specified resource server junction. Valid values are vhj for a virtual junction or standard for a standard junction. Defaults to standard if not specified.
method (str) – The HTTP action for this resource.
path (str) – The URI path for this resource. This is a full server relative path including the junction point.
name (str) – A description for this resource.
policy_type (str) – The type of Policy. The valid values are unauthenticated, anyauthenticated, none, default or custom.
policy_name (str) – The name of the custom policy if the type is custom.
static_response_headers (list of dict) –
A list of header names and values that should be added to the HTTP response. The expected format of the headers list is:
```
{"name":"CORS-Header","value":"static_value"}
```
rate_limiting_policy (str) – The name of the rate limiting policy that has been set for this resource.
url_aliases (list of str) – A list of aliases that all map to the path of this resource.
documentation_content_type (str) – The value of the accept header that will trigger a documentation response.
documentation_file (str) – The name and path of the documentation file to respond with, relative to the junction root.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

create_server(instance, server_hostname=None, junction_point=None, junction_type=None, policy_type=None, policy_name=None, authentication_type=None, oauth_introspection_transport=None, oauth_introspection_proxy=None, oauth_introspection_auth_method=None, oauth_introspection_endpoint=None, oauth_introspection_client_id=None, oauth_introspection_client_secret=None, oauth_introspection_client_id_hdr=None, oauth_introspection_token_type_hint=None, oauth_introspection_mapped_id=None, oauth_introspection_external_user=None, oauth_introspection_response_attributes=None, static_response_headers=None, jwt_header_name=None, jwt_certificate=None, jwt_claims=None, description=None, junction_hard_limit=None, junction_soft_limit=None, basic_auth_mode=None, tfim_sso=None, remote_http_header=None, stateful_junction=None, http2_junction=None, http2_proxy=None, sni_name=None, preserve_cookie=None, cookie_include_path=None, transparent_path_junction=None, mutual_auth=None, insert_ltpa_cookies=None, insert_session_cookies=None, request_encoding=None, enable_basic_auth=None, key_label=None, gso_resource_group=None, junction_cookie_javascript_block=None, client_ip_http=None, version_two_cookies=None, ltpa_keyfile=None, authz_rules=None, fsso_config_file=None, username=None, password=None, server_uuid=None, server_port=None, virtual_hostname=None, server_dn=None, server_cn=None, local_ip=None, query_contents=None, case_sensitive_url=None, windows_style_url=None, ltpa_keyfile_password=None, https_port=None, http_port=None, proxy_hostname=None, proxy_port=None, sms_environment=None, vhost_label=None, force=None, delegation_support=None, scripting_support=None)

Create a new API Access Control resource server.

Parameters:

instance (str) – Name of WebSEAL Reverse Proxy instance being configured.
server_hostname (str) – The DNS host name or IP address of the target back-end server.
junction_point (str) – Name of the location in the Reverse Proxy namespace where the root of the back-end application server namespace is mounted.
junction_type (str) – Type of junction.
policy_type (str) – The type of the policy.
policy_name (str) – The name of the custom policy if the type is custom.
authentication_type (str) – The type of Oauth authentication. The valid values are default or oauth.
oauth_introspection_transport (str) – The transport type.
oauth_introspection_proxy (str) – The proxy, if any, used to reach the introspection endpoint.
oauth_introspection_auth_method (str) – The method for passing the authentication data to the introspection endpoint.
oauth_introspection_endpoint (str) – This is the introspection endpoint which will be called to handle the token introspection.
oauth_introspection_client_id (str) – The client identifier which is used for OAuth introspection authentication.
oauth_introspection_client_secret (str) – The client secret which is used for OAuth introspection authentication.
oauth_introspection_client_id_hdr (str) – The name of the HTTP header which contains the client identifier which is used to authenticate to the introspection endpoint.
oauth_introspection_token_type_hint (str) – A hint about the type of the token submitted for introspection.
oauth_introspection_mapped_id (str) – A formatted string which is used to construct the Verify Identity Access principal name from elements of the introspection response.
oauth_introspection_external_user (bool) – A boolean which is used to indicate whether the mapped identity should correspond to a known Verify Identity Access identity or not.
oauth_introspection_response_attributes (list of dict) –
A list of rules indicating which parts of the json response should be added to the credential. eg:
```
{
     "pos":1,
     "action":"put",
     "attribute":"givenName"
}
```
static_response_headers (list of dict) –
A list of header names and values that should be added to the HTTP response. eg:
```
{
    "name":"HeaderName",
    "value":"HeaderValue"
}
```
jwt_header_name (str) – The name of the HTTP header that will contain the JWT.
jwt_certificate (str) – The label of the personal certificate that will sign the JWT.
jwt_claims (list of dict) – The list of claims to add to the JWT.
description (str, optional) – An optional description for this junction.
junction_hard_limit (str) – Defines the hard limit percentage for consumption of worker threads. Valid value is an integer from “0” to “100”.
junction_soft_limit (str) – Defines the soft limit percentage for consumption of worker threads.
basic_auth_mode (str) – Defines how the Reverse Proxy server passes client identity information in HTTP basic authentication (BA) headers to the back-end server.
tfim_sso (str) – Enables IBM Security Federated Identity Manager single sign-on.
remote_http_header (str) – Controls the insertion of Verify Identity Access specific client identity information in HTTP headers across the junction.
stateful_junction (str) – Specifies whether the junction supports stateful applications.
http2_junction (str) – Specifies whether the junction supports the HTTP/2 protocol.
http2_proxy (str) – Specifies whether the junction proxy support the HTTP/2 protocol.
sni_name (str) – The server name indicator (SNI) to send to TLS junction servers.
preserve_cookie (str) – Specifies whether modifications of the names of non-domain cookies are to be made.
cookie_include_path (str) – Specifies whether script generated server-relative URLs are included in cookies for junction identification.
transparent_path_junction (str) – Specifies whether a transparent path junction is created.
mutual_auth (str) – Specifies whether to enforce mutual authentication between a front-end Reverse Proxy server and a back-end Reverse Proxy server over SSL.
insert_ltpa_cookies (str) – Controls whether LTPA cookies are passed to the junctioned Web server.
insert_session_cookies (str) – Controls whether to send the session cookie to the junctioned Web server.
request_encoding (str) – Specifies the encoding to use when the system generates HTTP headers for junctions.
enable_basic_auth (str) – Specifies whether to use BA header information to authenticate to back-end server.
key_label (str) – The key label for the client-side certificate that is used when the system authenticates to the junctioned Web server.
gso_resource_group (str) – The name of the GSO resource or resource group.
junction_cookie_javascript_block (str) – Controls the junction cookie JavaScript block.
client_ip_http (str) – Specifies whether to insert the IP address of the incoming request into an HTTP header for transmission to the junctioned Web server.
version_two_cookies (str) – Specifies whether LTPA version 2 cookies (LtpaToken2) are used.
ltpa_keyfile (str) – Location of the key file that is used to encrypt the LTPA cookie data.
authz_rules (str) – Specifies whether to allow denied requests and failure reason information from authorization rules to be sent in the Boolean Rule header (AM_AZN_FAILURE) across the junction.
fsso_config_file (str) – The name of the configuration file that is used for forms based single sign-on.
username (str) – The Reverse Proxy user name.
password (str) – The Reverse Proxy password.
server_uuid (str) – Specifies the UUID that will be used to identify the junctioned Web server.
server_port (int) – TCP port of the back-end third-party server.
virtual_hostname (str) – Virtual host name that is used for the junctioned Web server.
server_dn (str) – Specifies the distinguished name of the junctioned Web server.
server_cn (str) – Specifies the common name, or subject alternative name, of the junctioned Web server.
local_ip (str) – Specifies the local IP address that the Reverse Proxy uses when the system communicates with the target back-end server.
query_contents (str) – Provides the Reverse Proxy with the correct name of the query_contents program file and where to find the file.
case_sensitive_url (str) – Specifies whether the Reverse Proxy server treats URLs as case sensitive.
windows_style_url (str) – Specifies whether Windows style URLs are supported.
ltpa_keyfile_password (str) – Password for the key file that is used to encrypt LTPA cookie data.
https_port (int) – HTTPS port of the back-end third-party server.
http_port (int) – HTTP port of the back-end third-party server.
proxy_hostname (str) – The DNS host name or IP address of the proxy server.
proxy_port (int) – The TCP port of the proxy server.
sms_environment (str) – Only applicable for virtual junctions. Specifies the replica set that sessions on the virtual junction are managed under.
vhost_label (str) – Only applicable for virtual junctions. Causes a second virtual junction to share the protected object space with the initial virtual junction.
force (str) – Specifies whether to overwrite an existing junction of the same name.
delegation_support (str) – Indicates single sign-on from a front-end Reverse Proxy server to a back-end Reverse Proxy server.
scripting_support (str) – Supplies junction identification in a cookie to handle script-generated server-relative URLs.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

delete_resource(instance=None, resource_server=None, resource_name=None, server_type='standard')

Delete an API Access Control Resources from a given server.

Parameters:

instance (str) – The name of the Reverse Proxy Instance.
resource_server (str) – The name of the API Access Control Resource Server.
server_type (str) – The type of the specified resource server junction. Valid values are vhj for a virtual junction or standard for a standard junction. Defaults to standard if not specified.
resource_name (str) – The name of the API Access Control Resource.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

delete_server(instance=None, resource_server=None)

Delete an existing API Access Control Resource Server.

Parameters:

instance (str) – The name of the Reverse Proxy Instance.
resource_server (str) – The name of the API Access Control Resource Server.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

get_resource(instance=None, resource_server=None, resource_name=None, server_type='standard')

Retrieve an API Access Control Resources from a given server.

Parameters:

instance (str) – The name of the Reverse Proxy Instance.
resource_server (str) – The name of the API Access Control Resource Server.
server_type (str) – The type of the specified resource server junction. Valid values are vhj for a virtual junction or standard for a standard junction. Defaults to standard if not specified.
resource_name (str) – The name of the API Access Control Resource.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the resource is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

get_server(instance=None, resource_server=None, server_type='standard')

Get an existing API Access Control Resource Server.

Parameters:

instance (str) – The name of the Reverse Proxy Instance.
resource_server (str) – The name of the API Access Control Resource Server.
server_type (str) – The type of the specified resource server junction. Valid values are vhj for a virtual junction or standard for a standard junction. Defaults to standard if not specified.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the resource server is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

list_resources(instance=None, resource_server=None, server_type='standard')

Retrieve a list of all API Access Control Resources for a given server.

Parameters:

instance (str) – The name of the Reverse Proxy Instance.
resource_server (str) – The name of the API Access Control Resource Server.
server_type (str) – The type of the specified resource server junction. Valid values are vhj for a virtual junction or standard for a standard junction. Defaults to standard if not specified.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the resources are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

list_server(instance=None)

Retrieve a list of all API Access Control Resource Servers

Parameters:

instance (str) – The name of the Reverse Proxy Instance.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the resource servers are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

update_resource(instance, resource_server, resource_name=None, server_type='standard', method=None, path=None, name=None, policy_type=None, policy_name=None, static_response_headers=None, rate_limiting_policy=None, url_aliases=None, documentation_content_type=None, documentation_file=None)

Update an API Access Control Resource.

Parameters:

instance (str) – The name of the Reverse Proxy Instance.
resource_server (str) – The name of the API Access Control Resource Server.
server_type (str) – The type of the specified resource server junction. Valid values are vhj for a virtual junction or standard for a standard junction. Defaults to standard if not specified.
resource_name (str) – The name of the API Access Control Resource.
method (str) – The HTTP action for this resource.
path (str) – The URI path for this resource. This is a full server relative path including the junction point.
name (str) – A description for this resource.
policy_type (str) – The type of Policy. The valid values are unauthenticated, anyauthenticated, none, default or custom.
policy_name (str) – The name of the custom policy if the type is custom.
static_response_headers (list of dict) –
A list of header names and values that should be added to the HTTP response. The expected format of the headers list is:
```
{"name":"CORS-Header","value":"static_value"}
```
rate_limiting_policy (str) – The name of the rate limiting policy that has been set for this resource.
url_aliases (list of str) – A list of aliases that all map to the path of this resource.
documentation_content_type (str) – The value of the accept header that will trigger a documentation response.
documentation_file (str) – The name and path of the documentation file to respond with, relative to the junction root.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

update_server(instance, resource_server, server_type='standard', server_hostname=None, junction_point=None, junction_type=None, policy_type=None, policy_name=None, authentication_type=None, authentication_oauth_introspection=None, static_response_headers=None, jwt_header_name=None, jwt_certificate=None, jwt_claims=None, description=None, junction_hard_limit=None, junction_soft_limit=None, basic_auth_mode=None, tfim_sso=None, remote_http_header=None, stateful_junction=None, http2_junction=None, sni_name=None, preserve_cookie=None, cookie_include_path=None, transparent_path_junction=None, mutual_auth=None, insert_ltpa_cookies=None, insert_session_cookies=None, request_encoding=None, enable_basic_auth=None, key_label=None, gso_resource_group=None, junction_cookie_javascript_block=None, client_ip_http=None, version_two_cookies=None, ltpa_keyfile=None, authz_rules=None, fsso_config_file=None, username=None, password=None, server_uuid=None, server_port=None, virtual_hostname=None, server_dn=None, server_cn=None, local_ip=None, query_contents=None, case_sensitive_url=None, windows_style_url=None, ltpa_keyfile_password=None, https_port=None, http_port=None, proxy_hostname=None, proxy_port=None, sms_environment=None, vhost_label=None, force=None, delegation_support=None, scripting_support=None)

Update an existing API Access Control resource server.

Parameters:

instance (str) – Name of WebSEAL Reverse Proxy instance being configured.
resource_server (str) – The name of the API Access Control Resource Server.
server_hostname (str) – The DNS host name or IP address of the target back-end server.
junction_point (str) – Name of the location in the Reverse Proxy namespace where the root of the back-end application server namespace is mounted.
junction_type (str) – Type of junction.
policy_type (str) – The type of the policy.
policy_name (str) – The name of the custom policy if the type is custom.
authentication_type (str) – The type of Oauth authentication. The valid values are default or oauth.
oauth_introspection_transport (str) – The transport type.
oauth_introspection_proxy (str) – The proxy, if any, used to reach the introspection endpoint.
oauth_introspection_auth_method (str) – The method for passing the authentication data to the introspection endpoint.
oauth_introspection_endpoint (str) – This is the introspection endpoint which will be called to handle the token introspection.
oauth_introspection_client_id (str) – The client identifier which is used for OAuth introspection authentication.
oauth_introspection_client_secret (str) – The client secret which is used for OAuth introspection authentication.
oauth_introspection_client_id_hdr (str) – The name of the HTTP header which contains the client identifier which is used to authenticate to the introspection endpoint.
oauth_introspection_token_type_hint (str) – A hint about the type of the token submitted for introspection.
oauth_introspection_mapped_id (str) – A formatted string which is used to construct the Verify Identity Access principal name from elements of the introspection response.
oauth_introspection_external_user (bool) – A boolean which is used to indicate whether the mapped identity should correspond to a known Verify Identity Access identity or not.
oauth_introspection_response_attributes (list of dict) –
A list of rules indicating which parts of the json response should be added to the credential. eg:
```
{"pos":1,"action":"put","attribute":"givenName"}
```
static_response_headers (list of dict) –
A list of header names and values that should be added to the HTTP response. eg:
```
{"name":"HeaderName","value":"HeaderValue"}
```
jwt_header_name (str) – The name of the HTTP header that will contain the JWT.
jwt_certificate (str) – The label of the personal certificate that will sign the JWT.
jwt_claims (list of dict) – The list of claims to add to the JWT.
description (str, optional) – An optional description for this junction.
junction_hard_limit (str) – Defines the hard limit percentage for consumption of worker threads. Valid value is an integer from “0” to “100”.
junction_soft_limit (str) – Defines the soft limit percentage for consumption of worker threads.
basic_auth_mode (str) – Defines how the Reverse Proxy server passes client identity information in HTTP basic authentication (BA) headers to the back-end server.
tfim_sso (str) – Enables IBM Security Federated Identity Manager single sign-on.
remote_http_header (str) – Controls the insertion of Verify Identity Access specific client identity information in HTTP headers across the junction.
stateful_junction (str) – Specifies whether the junction supports stateful applications.
http2_junction (str) – Specifies whether the junction supports the HTTP/2 protocol.
http2_proxy (str) – Specifies whether the junction proxy support the HTTP/2 protocol.
sni_name (str) – The server name indicator (SNI) to send to TLS junction servers.
preserve_cookie (str) – Specifies whether modifications of the names of non-domain cookies are to be made.
cookie_include_path (str) – Specifies whether script generated server-relative URLs are included in cookies for junction identification.
transparent_path_junction (str) – Specifies whether a transparent path junction is created.
mutual_auth (str) – Specifies whether to enforce mutual authentication between a front-end Reverse Proxy server and a back-end Reverse Proxy server over SSL.
insert_ltpa_cookies (str) – Controls whether LTPA cookies are passed to the junctioned Web server.
insert_session_cookies (str) – Controls whether to send the session cookie to the junctioned Web server.
request_encoding (str) – Specifies the encoding to use when the system generates HTTP headers for junctions.
enable_basic_auth (str) – Specifies whether to use BA header information to authenticate to back-end server.
key_label (str) – The key label for the client-side certificate that is used when the system authenticates to the junctioned Web server.
gso_resource_group (str) – The name of the GSO resource or resource group.
junction_cookie_javascript_block (str) – Controls the junction cookie JavaScript block.
client_ip_http (str) – Specifies whether to insert the IP address of the incoming request into an HTTP header for transmission to the junctioned Web server.
version_two_cookies (str) – Specifies whether LTPA version 2 cookies (LtpaToken2) are used.
ltpa_keyfile (str) – Location of the key file that is used to encrypt the LTPA cookie data.
authz_rules (str) – Specifies whether to allow denied requests and failure reason information from authorization rules to be sent in the Boolean Rule header (AM_AZN_FAILURE) across the junction.
fsso_config_file (str) – The name of the configuration file that is used for forms based single sign-on.
username (str) – The Reverse Proxy user name.
password (str) – The Reverse Proxy password.
server_uuid (str) – Specifies the UUID that will be used to identify the junctioned Web server.
server_port (int) – TCP port of the back-end third-party server.
virtual_hostname (str) – Virtual host name that is used for the junctioned Web server.
server_dn (str) – Specifies the distinguished name of the junctioned Web server.
server_cn (str) – Specifies the common name, or subject alternative name, of the junctioned Web server.
local_ip (str) – Specifies the local IP address that the Reverse Proxy uses when the system communicates with the target back-end server.
query_contents (str) – Provides the Reverse Proxy with the correct name of the query_contents program file and where to find the file.
case_sensitive_url (str) – Specifies whether the Reverse Proxy server treats URLs as case sensitive.
windows_style_url (str) – Specifies whether Windows style URLs are supported.
ltpa_keyfile_password (str) – Password for the key file that is used to encrypt LTPA cookie data.
https_port (int) – HTTPS port of the back-end third-party server.
http_port (int) – HTTP port of the back-end third-party server.
proxy_hostname (str) – The DNS host name or IP address of the proxy server.
proxy_port (int) – The TCP port of the proxy server.
sms_environment (str) – Only applicable for virtual junctions. Specifies the replica set that sessions on the virtual junction are managed under.
vhost_label (str) – Only applicable for virtual junctions. Causes a second virtual junction to share the protected object space with the initial virtual junction.
force (str) – Specifies whether to overwrite an existing junction of the same name.
delegation_support (str) – Indicates single sign-on from a front-end Reverse Proxy server to a back-end Reverse Proxy server.
scripting_support (str) – Supplies junction identification in a cookie to handle script-generated server-relative URLs.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

Utilities

class pyivia.core.web.apiac.utilities.Utilities(base_url, username, password)

delete_credential()

Delete the cached Verify Identity Access administrator credential.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

get_credential()

Retrieve the stored Verify Identity Access credentials.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the list of credentials is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

list_groups()

Retrieve a list of all Verify Identity Access groups.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the list of groups is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

store_credential(admin_id=None, admin_pwd=None, admin_domain=None)

Cache a admin Verify Identity Access administrator credential.

Parameters:

admin_id (str) – The Verify Identity Access administrator username.
admin_pwd (str) – The Verify Identity Access administrator password.
admin_domain (str) – The Verify Identity Access domain. If not specified the default value of “Default” will be used.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

Client Certificate Mapping

class pyivia.core.web.clientcertmapping.ClientCertMapping(base_url, username, password)

create_rule(name=None, content=None)

Create a new client certificate mapping

Parameters:

name (str) – The name of the client certificate mapping rule
content (str) – XLST rule to be applied for certificate to user mapping

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

delete_rule(rule_id=None)

Delete an existing certificate mapping rule

Parameters:

rule_id (str) – The id of the certificate mapping rule to be removed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

get_rule(rule_id)

Get a configured user certificate mapping.

Parameters:

rule_id (str) – The id of the user certificate mapping to return

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the XLST rule is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

get_template()

Get the Client Cert CDAS template mapping rule

Parameters:

template_id (str) – The id of the template rule to return

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the XLST rule is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

list_rules()

Return a list of all of the configured user certificate mapping rules.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the XLST rules are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

update_rule(rule_id=None, content=None)

Update a client certificate mapping

Parameters:

rule_id (str) – The id of the certificate mapping rule to update
content (str) – The new XLST rule to be uploaded

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

Distributed Session Cache

class pyivia.core.web.dscadmin.DSCAdmin(base_url, username, password)

list_replica_sets()

List the replica sets in the DSC server.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the DSC replicas are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

list_servers(replica_set)

List the servers (WebSEALs) for a replica set.

Parameters:

replica_set (str) – The replica set to list servers for

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the DSC replica servers are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

list_user_sessions(replica_set, user_name_pattern, max_results)

List user sessions in a replica set.

Parameters:

replica_set (str) – The replica set to query
user_name_pattern (str) – The regex pattern used to search for user sessions
max_results (str) – Maximum number of sessions to return.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the DSC replica servers are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

terminate_session(replica_set, session)

Terminate a specific session.

Parameters:

replica_set (str) – The replica set the session is stored in
session (str) – The session identifier

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

terminate_user_sessions(replica_set, user_name)

Terminate all sessions for the specified user.

Parameters:

replica_set (str) – The replica set the session is stored in
user_name (str) – The user who’s session’s should be invalidated.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

Form Single Sign-On

class pyivia.core.web.fsso.FSSO(base_url, username, password)

create(name=None, fsso_config_data=None)

Create a Federated Single Sign On configuration.

Parameters:

name (str) – The name of the FSSO config.
fsso_config_data (str) – The serialized FSSO configuration data.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the id of the created FSSO config can be accessed from the response.id_from_location attribute.

Return type:

Response

delete(fsso_id=None)

Update a Federated Single Sign On configuration.

Parameters:

fsso_id (str) – The name of the FSSO config.
fsso_config_data (str) – The serialized FSSO configuration data.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

get(fsso_id)

Get a FSSO configuration.

Parameters:

fsso_id (str) – The id of the FSSO config to return.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the FSSO configuration is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

list()

Return list of all FSSO configurations.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the FSSO configurations are returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

update(fsso_id=None, fsso_config_data=None)

Update a Federated Single Sign On configuration.

Parameters:

fsso_id (str) – The name of the FSSO config.
fsso_config_data (str) – The serialized FSSO configuration data.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

HTTP Transformations

class pyivia.core.web.httptransform.HTTPTransform(base_url, username, password)

create(name=None, template=None, contents=None)

Create a new HTTP transformation rule.

Parameters:

name (str) – The name of the HTTP Transform rule to be created.
template (str) – The HTTP Transformation template to build the rule from.
contents (str) – The serialized XLST rule.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the id of the created obligation can be accessed from the response.id_from_location attribute.

Return type:

Response

delete(rule_id=None)

Delete a new HTTP transformation rule.

Parameters:

rule_id (str) – The id of the HTTP Transform rule to be removed.
contents (str) – The serialized XLST rule.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

get(rule_id=None)

Get a HTTP transformation rule based on a rule id.

Parameters:

rule_id (str) – The id of the HTTP transformation rule to return.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

If the request is successful the HTTP transformation rule is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

list()

Get a list of the HTTP transformation rules currently configured.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the HTTP transformation rules are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

update(rule_id, content=None)

Update a new HTTP transformation rule.

Parameters:

rule_id (str) – The id of the HTTP Transform rule to be updated.
contents (str) – The serialized XLST rule.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the id of the created obligation can be accessed from the response.id_from_location attribute.

Return type:

Response

Junction Mapping

class pyivia.core.web.junctionmapping.JunctionMapping(base_url, username, password)

create(name=None, jmt_config_data=None)

Create a WebSEAL Junction mapping rule.

Parameters:

name (str) – The name of the junction mapping rule to be created
jmt_config_data (str) – contents of junction mapping table

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the id of the created junction mapping can be accessed from the response.id_from_location attribute

Return type:

Response

delete(rule_id=None)

Delete a WebSEAL Junction mapping rule.

Parameters:

rule_id (str) – The unique id of the junction mapping rule to be deleted

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

get(rule_id)

Get a WebSEAL Junction mapping rule.

Parameters:

rule_id (str) – The unique id of the junction mapping rule to be returned

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the junction mapping rule is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

get_template()

Get the JMT configuration file template

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the junction mapping rule template is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

list()

Get a list of the configured WebSEAL Junction mapping rules.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the junction mapping rules are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

update(rule_id=None, jmt_config_data=None)

Update a WebSEAL Junction mapping rule.

Parameters:

rule_id (str) – The unique id of the junction mapping rule to be modified
jmt_config_data (str) – contents of junction mapping table

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

Kerberos

class pyivia.core.web.kerberos.Kerberos(base_url, username, password)

combine_keytab(new_name=None, keytab_files=[])

Combine a list of keytab files into a single keytab

Parameters:

new_name (str) – The new name of the combined keytab file.
keytab_files (list of str) – List of existing keytab files to combine.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the new keytab file id returned as JSON and can be accessed from the response.json attribute

Return type:

Response

create(section_id=None, subsection=None, name=None, value=None)

Create a kerberos configuration property or subsection

Parameters:

section_id (str) – The name of the section/subsection where the new subsection/property will be created
subsection (str, optional) – Name of new subsection to create. Required if creating a new subsection
name (str, optional) – Name of new property to add to section/subsection. Required if creating a new property
value (str, optional) – Value of new property to add to section/subsection. Required if creating a new property

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the kerberos subsection/property is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

delete(section_id=None)

Delete a kerberos configuration property or section

Parameters:

section_id (str) – The name of the section/property to be removed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute.

Return type:

Response

delete_keytab(keytab_id=None)

Delete a Kerberos keyfile.

Parameters:

keytab_id (str) – The ID of the keytab to be removed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

get(section_id=None)

Get a kerberos configuration property

Parameters:

section_id (str) – The name of the section/subsection where the new subsection/property will be created.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the kerberos property is returned as JSON and can be accessed from the response.json attribute.

Return type:

Response

import_keytab(keytab_file=None)

Import a Kerberos keyfile.

Parameters:

keytab_file (str) – Fully qualified path to the Kerberos keyfile.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the mapping keytab file id is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

list_keytab()

List all of the configured keytab files.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the keytab files are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

test(username=None, password=None)

Test the Kerberos authentication of a web service principal using rest API.

Parameters:

username (str) – The user to test authentication with
password (str) – The password to test authentication with

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

update(section_id=None, value=None)

Update a kerberos configuration property

Parameters:

section_id (str) – The name of the section/subsection where the property will be updated
value (str) – Value of new property to add to section/subsection. Required if creating a new property

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

Password Strength Rules

class pyivia.core.web.passwordstrength.PasswordStrength(base_url, username, password)

create(name=None, content=None)

Create a Password Strength rule.

Parameters:

name (str) – The name of the rule to be created.
content (str) – The contents of the password rule in plaintext format.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the kerberos subsection/property is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

delete(name=None)

Delete a Password Strength rule.

Parameters:

name (str) – The name of the rule to be removed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the kerberos subsection/property is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

get(name=None)

Get a Password Strength rule.

Parameters:

name (str) – The name of the rule to be updated.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the kerberos subsection/property is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

list()

Return a list of the names of the configured password strength rules.

Parameters:

name (str) – The name of the rule to be updated.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the kerberos subsection/property is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

update(name=None, new_name=None, content=None)

Update a Password Strength rule. This can be used to update a password strength file name or modify the contents of a rule.

Parameters:

name (str) – The name of the rule to be updated.
new_name (str, optional) – The new name of the password rule file.
content (str, optional) – The new contents of the password rule in plaintext format.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the kerberos subsection/property is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

Policy Administration

class pyivia.core.web.policyadmin.PolicyAdmin(base_url, username, password)

execute(admin_id, admin_pwd, commands)

Execute a command using the pdadmin command line utility on a Verify Identity Access Appliance or Container.

Parameters:

admin_id (str) – The user to authenticate to the policy directory with.
admin_pwd (str) – The password to authenticate to the policy directory with.
commands (list of str) – A list of commands to run with the pdadmin tool.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the stdout and stderr from the completed commands is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

Rate Limiting

class pyivia.core.web.ratelimit.RateLimit(base_url, username, password)

create(name=None, content=None)

Update an existing JavaScript mapping rule with new contents

Parameters:

name (str) – Name of the rate limiting policy to be created.
content (str) – The rate limiting policy to be created.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

delete(rlimit_id=None)

Delete the specified rate limiting policy if it exists.

Parameters:

rlimit_id (str) – The id of the policy to be removed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

get(rlimit_id)

Get a rate limiting policy.

Parameters:

rlimit_id (str) – The unique id of the policy to return.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the rate limiting policy is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

list()

List the rate limiting policies.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the rate limiting policies are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

update(rlimit_id=None, content=None)

Update an existing rate limiting policy with new contents

Parameters:

rlimit_id (str) – The id of the rule to be updated.
content (str) – The new rate limiting policy contents.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

Reverse Proxy

class pyivia.core.web.reverseproxy.ReverseProxy(base_url, username, password)

add_configuration_stanza(webseal_id, stanza_id)

Add a configuration stanza with the RESTful web service

Parameters:

webseal_id (str) – Name of the WebSEAL instance to act on, which is a unique name that identifies the instance.
stanza_id (str) – The name of the resource stanza entry.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the id of the created stanza is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

add_configuration_stanza_entry(webseal_id, stanza_id, entry_name, value)

Add a configuration entry to a stanza.

Parameters:

webseal_id (str) – Name of the WebSEAL instance to act on, which is a unique name that identifies the instance
stanza_id (str) – The name of the resource stanza entry.
entry_name (str) – Name of the configuration entry to add.
value (str) – Value of the configuration entry to add.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the configuration entry id is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

configure_aac(webseal_id, junction=None, reuse_certs=False, reuse_acls=False, runtime_hostname=None, runtime_port=None, runtime_username=None, runtime_password=None)

Configure a WebSEAL instance to use the Federated runtime server for Advanced Access Control and Context Based Authorization decisions.

Parameters:

webseal_id (str) – Name of the WebSEAL instance to act on, which is a unique name that identifies the instance
junction (str) – Junction point to create.
reuse_certs (bool, optional) – If the SSL certificate has already been saved, this flag indicates that the certificate should be reused instead of overwritten. Default is false.
reuse_acls (str) – A flag to indicate that any existing ACLs with the same name should be reused. If they are not reused, they will be replaced. Default is false .
runtime_hostname (str) – The hostname of the runtime server.
runtime_port (str) – The port of the runtime server. Must be the SSL port.
runtime_username (str) – The username used to authenticate with the runtime server.
runtime_password (str) – The password used to authenticate with the runtime server.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

configure_fed(webseal_id, federation_id=None, reuse_certs=False, reuse_acls=False, runtime_hostname=None, runtime_port=None, runtime_username=None, runtime_password=None)

Configure a WebSEAL instance to use the Federated runtime server to perform STS functions for federated identity partners.

Parameters:

webseal_id (str) – Name of the WebSEAL instance to act on, which is a unique name that identifies the instance
federation_id (str) – The UUID which identifies the federation.
reuse_certs (bool, optional) – If the SSL certificate has already been saved, this flag indicates that the certificate should be reused instead of overwritten. Default is false.
reuse_acls (bool, optional) – A flag to indicate that any existing ACLs with the same name should be reused. If they are not reused, they will be replaced. Default is false .
runtime_hostname (str) – The hostname of the runtime server.
runtime_port (str) – The port of the runtime server. Must be the SSL port.
runtime_username (str) – The username used to authenticate with the runtime server.
runtime_password (str) – The password used to authenticate with the runtime server.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

configure_mmfa(webseal_id, lmi_hostname=None, lmi_port=None, lmi_username=None, lmi_password=None, runtime_hostname=None, runtime_port=None, runtime_username=None, runtime_password=None, reuse_certs=None, reuse_acls=None, reuse_pops=None, channel=None)

Configure a WebSEAL instance to use the Federated runtime server for Mobile Multi-Factor Authentication.

Parameters:

webseal_id (str) – The name of the WebSEAL instance to act on.
lmi_hostname (str) – The hostname of the LMI service.
lmi_port (str) – The port of the LMI service.
lmi_username (str) – The username used to authenticate with the LMI service.
lmi_password (str) – The password used to authenticate with the LMI service.
runtime_hostname (str) – The hostname of the runtime service.
runtime_port (str) – The port of the runtime service.
runtime_username (str) – The username used to authenticate with the runtime service.
runtime_password (str) – The password used to authenticate with the runtime service.
reuse_certs (bool, optional) – Should WebSEAL try to import the SSL certificate of the runtime service.
reuse_acls (bool, optional) – Should WebSEAL reuse ACLS with the same name.
reuse_pops (bool, optional) – Should WebSEAL reuse POPs with the same name.
channel (str) – Supports multi channel configuration, absence configures single channel. Valid channel values: browser, mobile.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

configure_verify_gateway(webseal_id, mmfa=None, junction=None)

Configure a WebSEAL instance to act as a gateway to an IBM Verify Identity tenant.

Parameters:

webseal_id (str) – The name of the WebSEAL instance to act on.
mmfa (bool) – A flag indicating whether the MMFA endpoints should also be mapped.
junction (str) – AAC junction point to include in the HTTP Transformation rules.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

create_instance(inst_name=None, host=None, admin_id=None, admin_pwd=None, ssl_yn=None, key_file=None, cert_label=None, ssl_port=None, http_yn=None, http_port=None, https_yn=None, https_port=None, nw_interface_yn=None, ip_address=None, listening_port=None, domain=None)

Create a new WebSEAL Reverse Proxy instance.

Parameters:

inst_name (str) – Name of the WebSEAL instance.
host (str) – The host name that is used by the Verify Identity Access policy server to contact the appliance.
admin_id (str) – The Verify Identity Access policy server’s administrator name.
admin_pwd (str) – The Verify Identity Access policy server’s administrator password.
ssl_yn (str) – Specifies whether to enable SSL communication between the instance and the LDAP server. “yes” || “no”.
key_file (str, optional) – The file that contains the LDAP SSL certificate.
cert_label (str, optional) – The LDAP client certificate label.
ssl_port (str, optional) – The port number through which to communicate with the LDAP server.
http_yn (str) – Specifies whether to accept user requests across the HTTP protocol.
http_port (str, optional) – The port to listen for HTTP requests.
https_yn (str) – Specifies whether to accept user requests across the HTTPS protocol
https_port (str, optional) – The port to listen for HTTPS requests.
nw_interface_yn (str) – Specifies whether to use a logical network interface for the instance.
ip_address (str, optional) – The IP address for the logical interface.
listening_port (str) – This is the listening port through which the instance communicates with the Verify Identity Access policy server.
domain (str) – The Verify Identity Access policy server’s domain.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the reverse proxy instance id is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

create_junction(webseal_id, server_hostname=None, junction_point=None, junction_type=None, description=None, basic_auth_mode=None, tfim_sso=None, stateful_junction=None, preserve_cookie=None, cookie_include_path=None, transparent_path_junction=None, mutual_auth=None, insert_ltpa_cookies=None, insert_session_cookies=None, request_encoding=None, enable_basic_auth=None, key_label=None, gso_resource_group=None, junction_cookie_javascript_block=None, client_ip_http=None, version_two_cookies=None, ltpa_keyfile=None, authz_rules=None, fsso_config_file=None, username=None, password=None, server_uuid=None, virtual_hostname=None, server_dn=None, server_cn=None, local_ip=None, query_contents=None, case_sensitive_url=None, windows_style_url=None, ltpa_keyfile_password=None, proxy_hostname=None, sms_environment=None, vhost_label=None, force=None, delegation_support=None, scripting_support=None, junction_hard_limit=None, junction_soft_limit=None, server_port=None, https_port=None, http_port=None, proxy_port=None, remote_http_header=None)

Create a standard or virtual WebSEAL junction.

Parameters:

webseal_id (str) – The Reverse Proxy instance name.
server_hostname (str) – The DNS host name or IP address of the target back-end server.
junction_point (str) – Name of the location in the Reverse Proxy namespace where the root of the back-end application server namespace is mounted.
junction_type (str) – Type of junction. The value is one of: tcp, ssl, tcpproxy, sslproxy, mutual.
description (str, optional) – An optional description for this junction.
basic_auth_mode (str) – Defines how the Reverse Proxy server passes client identity information in HTTP basic authentication (BA) headers to the back-end server.
tfim_sso (str) – Enables IBM Security Federated Identity Manager single sign-on (SSO) for the junction. Valid value is “yes” or “no”.
stateful_junction (str, optional) – Specifies whether the junction supports stateful applications.
preserve_cookie (str) – Specifies whether modifications of the names of non-domain cookies are to be made.
cookie_include_path (str, optional) – Specifies whether script generated server-relative URLs are included in cookies for junction identification.
transparent_path_junction (str, optional) – Specifies whether a transparent path junction is created. Valid value is “yes” or “no”.
mutual_auth (str, optional) – Specifies whether to enforce mutual authentication between a front-end Reverse Proxy server and a back-end Reverse Proxy server over SSL.
insert_ltpa_cookies (str, optional) – Controls whether LTPA cookies are passed to the junctioned Web server. Valid value is “yes” or “no”.
insert_session_cookies (str) – Controls whether to send the session cookie to the junctioned Web server.
request_encoding (str, optional) – Specifies the encoding to use when the system generates HTTP headers for junctions.
enable_basic_auth (str, optional) – Specifies whether to use BA header information to authenticate to back-end server.
key_label (str, optional) – The key label for the client-side certificate that is used when the system authenticates to the junctioned Web server.
gso_resource_group (str, optional) – The name of the GSO resource or resource group.
junction_cookie_javascript_block (str, optional) – Controls the junction cookie JavaScript block.
client_ip_http (str, optional) – Specifies whether to insert the IP address of the incoming request into an HTTP header for transmission to the junctioned Web server.
version_two_cookies (str, optional) – Specifies whether LTPA version 2 cookies (LtpaToken2) are used.
ltpa_keyfile (str, optional) – Location of the key file that is used to encrypt the LTPA cookie data.
authz_rules (str, optional) – Specifies whether to allow denied requests and failure reason information from authorization rules to be sent in the Boolean Rule header (AM_AZN_FAILURE) across the junction.
fsso_config_file (str, optional) – The name of the configuration file that is used for forms based single sign-on.
username (str, optional) – The Reverse Proxy user name to send BA header information to the back-end server.
password (str, optional) – The Reverse Proxy password to send BA header information to the back-end server.
server_uuid (str, optional) – Specifies the UUID that will be used to identify the junctioned Web server.
virtual_hostname (str, optional) – Virtual host name that is used for the junctioned Web server.
server_dn (str, optional) – Specifies the distinguished name of the junctioned Web server.
server_cn (str, optional) – Specifies the common name, or subject alternative name, of the junctioned Web server.
local_ip (str, optional) – Specifies the local IP address that the Reverse Proxy uses when the system communicates with the target back-end server.
query_contents (str, optional) – Provides the Reverse Proxy with the correct name of the query_contents program file and where to find the file.
case_sensitive_url (str, optional) – Specifies whether the Reverse Proxy server treats URLs as case sensitive.
windows_style_url (str, optional) – Specifies whether Windows style URLs are supported.
ltpa_keyfile_password (str, optional) – Password for the key file that is used to encrypt LTPA cookie data.
proxy_hostname (str, optional) – The DNS host name or IP address of the proxy server.
sms_environment (str, optional) – Only applicable for virtual junctions. Specifies the replica set that sessions on the virtual junction are managed under.
vhost_label (str) – Only applicable for virtual junctions. Causes a second virtual junction to share the protected object space with the initial virtual junction.
force (str) – Specifies whether to overwrite an existing junction of the same name.
delegation_support (str) – This option is valid only with junctions that were created with the type of ssl or sslproxy.
scripting_support (str) – Supplies junction identification in a cookie to handle script-generated server-relative URLs.
junction_hard_limit (str) – Defines the hard limit percentage for consumption of worker threads.
junction_soft_limit (str) – Defines the soft limit percentage for consumption of worker threads.
server_port (str, optional) – TCP port of the back-end third-party server.
https_port (str) – HTTPS port of the back-end third-party server.
http_port (str) – HTTP port of the back-end third-party server.
proxy_port (str) – The TCP port of the proxy server.
remote_http_header (str) – Controls the insertion of Verify Identity Access specific client identity information in HTTP headers across the junction.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the id of the created instance is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

delete_configuration_stanza(webseal_id, stanza_id)

Remove a configuration stanza if it exists.

Parameters:

webseal_id (str) – Name of the WebSEAL instance to act on, which is a unique name that identifies the instance
stanza_id (str) – The name of the resource stanza entry.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

delete_configuration_stanza_entry(webseal_id, stanza_id, entry_name, value=None)

Remove a configuration entry from a stanza. If a value is specified only an entry which matches the value will be removed.

Parameters:

webseal_id (str) – Name of the WebSEAL instance to act on, which is a unique name that identifies the instance
stanza_id (str) – The name of the resource stanza entry.
entry_name (str) – Name of the configuration entry to add.
value (str) – Value of the configuration entry to add.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

delete_instance(webseal_id, admin_id, admin_pwd)

Delete the specified WebSEAL Reverse Proxy if it exists.

Parameters:

webseal_id (str) – The id of the WebSEAL instance to be removed.
admin_id (str) – The Verify Identity Access policy server’s administrator name.
admin_pwd (str) – The Verify Identity Access policy server’s administrator password.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

delete_junction(webseal_id, junction_point)

Remove a junction from a WebSEAL Reverse Proxy instance.

Parameters:

webseal_id (str) – The Reverse Proxy instance name.
junction_point (str) – Name of the location in the Reverse Proxy namespace where the root of the back-end application server namespace is mounted.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

get_configuration_stanza_entry(webseal_id, stanza_id, entry_name)

Return the value of a configuration entry as JSON.

Parameters:

webseal_id (str) – Name of the WebSEAL instance to act on, which is a unique name that identifies the instance
stanza_id (str) – The name of the resource stanza entry.
entry_name (str) – Name of the configuration entry to fetch

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the configuration entry value is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

get_wga_defaults()

Return the list of valid default WebSEAL instance configuration values.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the state of all instances is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

import_management_root_file(webseal_id, page_id, file_path)

Import a singe file into a WebSEAL management root file system.

Parameters:

webseal_id (str) – The Reverse Proxy instance name.
page_id (str) – Path to the file to be updated in the management root file system.
file_path (str) – File to be uploaded to the management root file system.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the id of the uploaded file is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

import_management_root_files(webseal_id, file_path)

Import a zip file into the management root of a WebSEAL reverse proxy instance. File path should be an absolute URL

Parameters:

webseal_id (str) – The Reverse Proxy instance name.
file_path (str) – Zip file to be imported to the management root.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the id of the created file is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

list_instances()

List the state of all configured WebSEAL Reverse Proxy instances.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the state of all instances is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

list_junctions(webseal_id, detailed='false')

List the configured Standard and Virtual junctions. if the detailed=true query parameter is set on Verify Access 10.0.4.0 and newer, detailed junction configuration in addition to the id and type attributes are returned.

Parameters:

webseal_id (str) – The Reverse Proxy instance name.
detailed (str, optional) – Return detailed junction configuration.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful a list id and type of configured junctions is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

restart_instance(webseal_id)

Restart a WebSEAL Reverse Proxy. This will cause a brief service outage.

Parameters:

webseal_id (str) – The WebSEAL instance which will be restarted.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

update_configuration_stanza_entry(webseal_id, stanza_id, entry_name, value)

Update a configuration stanza entry value. If it does not exist it will be created.

Parameters:

webseal_id (str) – Name of the WebSEAL instance to act on, which is a unique name that identifies the instance
stanza_id (str) – The name of the resource stanza entry.
entry_name (str) – Name of the configuration entry to add.
value (str) – Value of the configuration entry to add.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

update_management_root_file(webseal_id, page_id, contents)

Update the contents of a management root file of a WebSEAL instance.

Parameters:

webseal_id (str) – The Reverse Proxy instance name.
page_id (str) – Path to the file to be updated in the management root file system.
contents (str) – Serialized contents of the updated management root file.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the id of the updated file is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

RSA Security Token

class pyivia.core.web.rsa.RSA(base_url, username, password)

create(server_config_file=None, server_options_file=None)

Configure WebSEAL to use a RSA token server for authentication.

Parameters:

server_config_file (str) – Full path to RSA SecurID toke server configuration file.
server_options_file (str, optional) – Full path to the server configuration options file to upload.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

delete()

Delete the RSA SecurID configuration

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

delete_node_secret()

Delete the local secret for the RSA token server.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

get()

Get the RSA configuration file.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the rate limiting policy is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

test(username=None, password=None)

Test the RSA SecurID configuration.

Parameters:

username (str) – The username to authenticate as
password (str) – The passcode of the user to authenticate with

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

Runtime Component

class pyivia.core.web.runtimecomponent.RuntimeComponent(base_url, username, password)

configure(ps_mode=None, user_registry=None, admin_password=None, ldap_password=None, admin_cert_lifetime=None, ssl_compliance=None, ldap_host=None, ldap_port=None, isam_domain=None, ldap_dn=None, ldap_suffix=None, ldap_ssl_db=None, ldap_ssl_label=None, isam_host=None, isam_port=None)

Configure the reverse proxy runtime component, including the policy server and user registry.

Parameters:

ps_mode (str) – The mode for the policy server. Valid values are local and remote.
user_registry (str) – The type of user registry to be configured against. Valid values are local, ldap
admin_password (str) – The security administrator’s password (also known as sec_master).
ldap_password (str, optional) – The password for the DN. If the ps_mode is local and the user registry is remote, this field is required.
admin_cert_lifetime (str, optional) – The lifetime in days for the SSL server certificate. If ps_mode is local, this field is required.
ssl_compliance (str) – Specifies whether SSL is compliant with any additional computer security standard.
ldap_host (str) – The name of the LDAP server.
ldap_port (str) – The port to be used when the system communicates with the LDAP server.
isam_domain (str) – The Security Verify Identity Access domain name. This field is required unless ps_mode is local and user_registry is local.
ldap_dn (str) – The DN that is used when the system contacts the user registry.
ldap_suffix (str) – The LDAP suffix that is used to hold the Security Verify Identity Access secAuthority data.
ldap_ssl_db (str) – The key file (no path information is required) that contains the certificate that is used to communicate with the user registry. If no keyfile is provided, the SSL is not used when the system communicates with the user registry.
ldap_ssl_label (str, optional) – The label of the SSL certificate that is used when the system communicates with the user registry. This option is only valid if the ldap_ssl_db option is provided.
isam_host (str) – The name of the host that hosts the Security Verify Identity Access policy server.
isam_port (str, optional) – The port over which communication with the Security Verify Identity Access policy server takes place. If ps_mode is remote, this field is required.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

create_configuration_file_entry(resource=None, stanza=None, entries=None)

Create a new stanza or entry in a runtime component configuration file.

Parameters:

resource (str) – The configuration file to modify. For example: ldap.conf, pd.conf, instance.conf
stanza (str) – The name of the resource stanza entry.
entries (list of list, optional) –
Entry name and value in the format of key value pairs. If this property is not supplied then the stanza is created instead. Format of list is:
```
[
  ["entryName", "entryValue"],
  ["anotherName", "theValue"]
]
```

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

create_federated_user_registry(_id, hostname=None, port=None, bind_dn=None, bind_pwd=None, ignore_if_down=None, use_ssl=None, client_cert_label=None, suffix=[])

Add a federated LDAP server to the user registry for use as basic or full Verify Identity Access users.

Parameters:

_id (str) – The identifier of the federated LDAP server.
hostname (str) – The hostname or address of the LDAP server.
port (str) – The port that the LDAP server is listening on.
bind_dn (str) – The Distinguished Name to bind to the LDAP server as to perform admin operations.
bind_pwd (str) – The secret to authenticate as the bind_dn user.
ignore_if_down (bool, optional) – Whether the server will continue to operate using the other configured federated registries if this user registry is unavailable.
use_ssl (bool) – Whether or not SSL is used to communicate with the directory.
client_cert_label (str, optional) – The client certificate to use when communicating with the directory using SSL. Only valid if use_ssl is true.

suffix (list of dict) –

List of suffixes to use, eg:

[
 {"id": "dc=ibm,dc=com"},
 {"id": "o=ibm"}
]

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

delete_configuration_file_entry(resource=None, stanza=None, entry=None, value=None)

Delete a stanza or entry in a runtime component configuration file.

Parameters:

resource (str) – The configuration file to modify. For example: ldap.conf, pd.conf, instance.conf
stanza (str) – The name of the resource stanza entry.
entry (str, optional) – The entry name to be removed. If not supplied then the entire stanza is removed.
value (str, optional) – The entry value to be removed. This must be set if the entry property is supplied.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

delete_federated_user_registry(_id)

Remove a configured federated user registry

Parameters:

_id (str) – The identifier of the federated user registry to remove.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

get_status()

Get the status of the runtime server.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the rate limiting policy is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

update_configuration_file_entry(resource=None, stanza=None, entries=None)

Update a stanza entry in a runtime component configuration file.

Parameters:

resource (str) – The configuration file to modify. For example: ldap.conf, pd.conf, instance.conf
stanza (str) – The name of the resource stanza entry.
entries (list of list) –
Entry name and value in the format of key value pairs. If this property is not supplied then the stanza is created instead. Format of list is:
```
[
  ["entryName", "entryValue"],
  ["anotherName", "theValue"]
]
```

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

update_embedded_ldap_password(password)

Change the admin password on the embedded LDAP server.

Parameters:

password (str) – The new administrator password.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

URL Mapping

class pyivia.core.web.urlmapping.URLMapping(base_url, username, password)

create(name=None, dynurl_config_data=None)

Create a new URL mapping policy

Parameters:

name (str) – The name of the new URL mapping rule.
dynurl_config_data (str) – The serialized contents of the new policy file.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

delete(rule_id=None)

Delete a URL mapping policy.

Parameters:

rule_id (str) – The unique id of the URL mapping rule to be removed.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

get(rule_id)

Get a URL mapping policy.

Parameters:

rule_id (str) – The unique id of the policy to return.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the URL mapping policy is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

get_template()

Get the template URL mapping policy.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the template URL mapping policy is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

list()

Get a list of template URL mapping policy files.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the URL mapping policy files are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

update(rule_id=None, dynurl_config_data=None)

Update a URL mapping policy file with new contents

Parameters:

rule_id (str) – The unique id of the new URL mapping rule.
dynurl_config_data (str) – The serialized contents of the new policy file.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

User Mapping

class pyivia.core.web.usermapping.UserMapping(base_url, username, password)

create(name=None, dynurl_config_data=None)

Create a new user mapping policy file.

Parameters:

name (str) – The name of the new policy.
content (str) – The serialized policy contents

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the user mapping policy id is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

delete(rule_id=None)

Delete a user mapping policy file.

Parameters:

rule_id (str) – The id of the policy to be removed

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response

get(rule_id)

Get a rate limiting policy.

Parameters:

rule_id (str) – The unique id of the policy to return.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the user mapping policy is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

get_template()

Get the template user mapping policy file.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the template user mapping policy is returned as JSON and can be accessed from the response.json attribute

Return type:

Response

list()

Get a list of the user mapping policy files.

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

If the request is successful the user mapping policy file names are returned as JSON and can be accessed from the response.json attribute

Return type:

Response

update(_id=None, dynurl_config_data=None)

Update a new user mapping policy file.

Parameters:

name (str) – The name of the new policy.
content (str) – The new serialized policy contents

Returns:

The response from verify identity access.

Success can be checked by examining the response.success boolean attribute

Return type:

Response