IBM Security Verify

 View Only
  • 1.  ISAM ACLs in pdadmin

    Posted Wed August 17, 2022 09:33 AM
    Hi, we need to export a list of ACLs and their group memberships not using pdadmin or Web Portal Manager. The exported group list will be used for auditing purposes. Is there a way that we can do this?

    Else, is there a way we can install pdadmin on a different machine then configure it to connect to a policy server?


    ------------------------------
    Macquarie IAM
    ------------------------------


  • 2.  RE: ISAM ACLs in pdadmin

    Posted Wed August 17, 2022 04:28 PM

    If you don't want to use pdadmin or WPM I believe that your only other options would be to use the pdadmin interface of the LMI (which is simply a Web Service wrapper for pdadmin commands), or the Java administrative interface (https://www.ibm.com/docs/en/sva/10.0.4?topic=reference-introduction-administration-api).

     

    I hope that this helps.

     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor

    cid4122760825*<a href=image002.png@01D85F83.85516C50">

     

     






  • 3.  RE: ISAM ACLs in pdadmin

    InnerCircle
    Posted Thu August 18, 2022 10:15 AM
    As Scott mentioned use the pdadmin via the LMI REST API if you don't want to code something up in java.  I use it with Python for a ton of stuff.  The only issue is having the parse the raw output but you would have to do that if you were using raw pdadmin commands anyway.

    https://www.ibm.com/docs/api/v1/content/SSPREK_10.0.4/com.ibm.isva.doc/develop/rapi/docker/Running_pdadmin_commands.xml

    There is unfortunately no way to pull acl info via the REST API without using raw pdadmin commands (sent via the REST API) to the LMI, so you have to parse that output, but with Python, it's not bad.  I just put an idea ISAM-I-1117 in for this as I was thinking about it, because I've wanted this for a long while as it would make coding things for reporting easier if the REST API would output the ACL info in a JSON format.

    On a side note, you can install the pdadmin binary on another machine if you have an older copy of it.  For example if you have it from the old ISAM8 appliance you can grab the installer files for pdadmin and the PDRTE and configure it against your remote policy server and use the old pdadmin binary.  It's not recommended obviously, but it can be done and still works against v10.0.3.1 (I assume it will still work against v10.0.4.0, I just haven't got there yet on our virtual appliances).  The reason it's best to use the REST API is because if you ever go containers, there is no pdmgrd exposed on 7135/tcp, so at that point you have to use the REST API (unless you shell into the config container).

    ------------------------------
    Matt Jenkins
    ------------------------------