push_insights_trust

This command pushes a trust certificate from Guardium® Insights to Guardium Data Protection S-TAPs.

The certificate must be in PEM format and include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags.

The certificate chain that you paste must be downloaded (from the browser) from the Guardium Insights cluster that is targeted for S-TAP® migration. The certificate is not stored on the managed unit, but on the S-TAP host (database server).

Notes:
  • If you run this command from a central manager, you must specify the api_target_host parameter to target a managed unit (because central managers don't have S-TAPs). You can also run this command directly from a collector or stand-alone machine.
  • When you call this command as a GuardAPI, leave pemData blank, and follow the directions in the CLI to paste the entire certificate.
  • You can push certificates only for UNIX S-TAPs.
  • You can also add the Guardium Insights certificate from the Guardium Data Protection GUI. For more information, see the Send command under Linux®-UNIX: Configuring S-TAP in the S-TAP Control page.

This API is available in Guardium v11.4 and later.

REST API syntax

This API is available as a REST service with the PUT method. Call this API as follows:
PUT https://[Guardium hostname or IP address]:8443/restAPI/push_insights_trust

GuardAPI syntax

push_insights_trust parameter=value

Parameters

Parameter Value type Description
pemData String Required for REST API only. The certificate to send to the S-TAP hosts, in PEM format.
  • For a REST API, paste the trusted Guardium Insights certificate in, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags.
  • For a GuardAPI, ignore this parameter. The CLI walks you through the required steps.
stapHost String Required. Specify the name of one or more S-TAP hosts, or specify all_unix_active to send the certificate to all active UNIX S-TAP hosts. For valid values, call push_insights_trust from the command line with --help=true.
api_target_host String
Specifies the target hosts where the API executes. Valid values:
  • all_managed: Run on all managed units but not the central manager
  • group:<group name>: Run on all managed units identified by <group name>
  • host name or IP address of a managed unit: Specified from the central manager to execute on a managed unit. For example, api_target_host=10.0.1.123.
Note: IP addresses must conform to the IP mode of your network. For dual IP mode, use the same IP protocol with which the managed unit is registered with the central manager. For example, if the registration uses IPv6, specify an IPv6 address. The hostname is independent of IP mode and can be used with any mode.

Examples

The following GuardAPI example runs on a stand-alone machine with a certificate chain that includes two certificates. The pemData parameter is not specified in the command. Follow the directions in the CLI to paste the certificate data in.

vm01.mycompany.com> grdapi push_insights_trust stapHost=9.55.254.111

The response from the CLI is as follows (be sure to paste in the entire certificate):

Please paste your Certificate below in PEM encoded format including tags.
PEM encoded format should include the '-----BEGIN CERTIFICATE-----' and '-----END
CERTIFICATE-----' tags. The Certificate Authority (CA) Root and Intermediate
certificate(s) (if applicable) will also need to be pasted at this time for
validation purposes. Please ensure that all certificates are in PEM format and
include the aforementioned tags. When pasting multiple certificates, please make
sure that each certificate is pasted on a new line in the following order:

	-----BEGIN CERTIFICATE-----
	(End-Entity certificate)
	-----END CERTIFICATE-----
	-----BEGIN CERTIFICATE-----
	(Intermediate certificate(s) - if applicable)
	-----END CERTIFICATE-----
	-----BEGIN CERTIFICATE-----
	(Root certificate)
	-----END CERTIFICATE-----

Once done pasting your certificate(s), press ENTER followed by CTRL-D to continue.

-----BEGIN CERTIFICATE-----
MIIDbzCCAlegAwIBAgIQX+U115HoAr3cToMpY
...
0lzSjANBgkqhkf+9tfN60rPSFmUp0CDTrew==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDMTCCAhmgAwIBAgIQC0/HN2U7x2OFsn4Df
...
rBXQ+JoCyEQhZK0cIhhTKG1uI7zK0Q=
-----END CERTIFICATE-----
ID=0
Insights data sent to active synchronized S-TAP hosts:
9.55.254.111
ok

The following REST API example includes the pemData parameter.

curl -k --header "Authorization:Bearer hV59gjW71nwY4dAWpNdLi7890" -i -H "Content-Type: application/json" -d '{"stapHost":"dev-db01","pemData":"-----BEGIN CERTIFICATE-----\n
MIICyjDDAbICGGKT3Xa83UY2dPfGpXb7CoR4n7tRMA0GCSqGSIb3DQEBCwUAMDMx\n
. . .
tla+CH8jyicLx+J9FQri7K1YSiBXznlug61Hlc0AA1TrZOPvzIsPiPeV+iSalF7w\n
ojuBlgMxSOfbYVn6Rxcye+u7dJbO7TcUSFqtimmx55vmfc3/VwGXJcAqG6Jh7w==\n
-----END CERTIFICATE-----"}' -X PUT https://vm04.mycompany.com:8443/restAPI/push_insights_trust
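
The following added example (not part of the Guardium documentation) checks a downloaded chain for balanced BEGIN/END tags and decodable bodies, computes SHA-256 fingerprints to compare against the browser's certificate viewer, and builds the JSON body for the PUT request with the newlines escaped. The function names and the sample chain are constructed for illustration; only the stapHost and pemData field names come from the parameter table above.

```python
import base64
import hashlib
import json
import re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(re.escape(BEGIN) + r"\s+(.*?)\s+" + re.escape(END), re.S)


def split_pem_chain(pem_text):
    """Return the DER bytes of each certificate block, or raise ValueError."""
    bodies = PEM_BLOCK.findall(pem_text)
    if not bodies or pem_text.count(BEGIN) != len(bodies) or pem_text.count(END) != len(bodies):
        raise ValueError("missing or unbalanced BEGIN/END CERTIFICATE tags")
    if PEM_BLOCK.sub("", pem_text).strip():
        raise ValueError("unexpected text outside the certificate blocks")
    try:
        # validate=True rejects characters outside the base64 alphabet
        return [base64.b64decode("".join(b.split()), validate=True) for b in bodies]
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("certificate body is not valid base64") from exc


def build_request_body(stap_host, pem_text):
    """Validate the chain, then return (JSON body, SHA-256 fingerprints)."""
    fingerprints = [hashlib.sha256(der).hexdigest() for der in split_pem_chain(pem_text)]
    lines = [ln.strip() for ln in pem_text.splitlines() if ln.strip()]
    # json.dumps escapes each newline as \n, so the body is one valid JSON line
    body = json.dumps({"stapHost": stap_host, "pemData": "\n".join(lines)})
    return body, fingerprints


def fake_cert(seed):
    """Constructed placeholder block (not a real X.509 certificate)."""
    payload = base64.encodebytes(seed * 8).decode()
    return f"{BEGIN}\n{payload}{END}\n"


# Constructed two-certificate chain, standing in for the downloaded one
SAMPLE_CHAIN = fake_cert(b"constructed-leaf") + fake_cert(b"constructed-root")

if __name__ == "__main__":
    body, fps = build_request_body("dev-db01", SAMPLE_CHAIN)
    for i, fp in enumerate(fps):
        print(f"certificate {i}: sha256 {fp}")  # compare with the browser's certificate viewer
    print(body)
```

The returned body can be written to a file and passed to curl with -d @file, which avoids shell quoting problems with the multi-line certificate.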