What happens when a product manager likes to play around with Ruby/Python coding and other technical projects in the off hours
Monday, May 16, 2011
Working with VMware vShield REST API in perl
Here is an overview of how to use perl code to work with VMware's vShield API.
vShield App and Edge are two security products offered by VMware. vShield Edge has a broad range of functionality such as firewall, VPN, load balancing, NAT, and DHCP. vShield App is a NIC-level firewall for virtual machines.
We'll focus today on how to use the API to programmatically make firewall rule changes. Here are some of the things you can do with the API:
Before we get into the API itself, let's look at what the firewall ruleset looks like. It's formatted as XML:
[XML ruleset listing; its tag names were lost in extraction. Recoverable fragments: the addresses 1.1.1.1/32 and 10.1.1.1/32, the container datacenter-2, and two rules, one with <Application type="UNICAST">LDAP over SSL on port 636/TCP with action ALLOW and one for IMAP on port 143/TCP with <Action>ALLOW; the listing ends with the value false.]
Here are some notes about the XML configuration:
The API works mainly with container objects. A container can range from a datacenter or cluster all the way down to a port group or IP address.
Every container object must be listed in the <ContainerAssociation> section.
Container objects have instance IDs. The instance ID is also referred to as the managed object ID (MOID).
Every firewall rule has its own ID as well as precedence and position fields.
If you want to edit a firewall ruleset, you must specify which ruleset you want. Every object has its own ruleset. So you could edit a ruleset at the datacenter level, cluster level, etc. all the way down to the port group level.
For simplicity let's work with the ruleset at the datacenter level because this will cover all VMs in that datacenter.
The first thing to do is get the object ID for the datacenter. If you don't already know this then you must look it up. There are two places you can find it:
Use the Managed Object Browser in vCenter Server, located at https://<vcenter IP>/mob, e.g., https://10.1.1.1/mob
Query your vCenter Server with the vSphere SDK
Either way you must have access to vCenter Server.
Here is some perl code to query vCenter. The code assumes that $dc_name is set to the name of your datacenter. You can find this name in the vSphere client.
use strict;
use warnings;
use VMware::VIRuntime;   # vSphere SDK for Perl runtime module (the module name was mistyped as VMware::RunTime)

# vCenter connection details and the datacenter name as shown in the vSphere client
my ($vc_ip, $vc_user, $vc_pass) = ('<vcenter IP>', '<vcenter user>', '<vcenter password>');
my $dc_name = '<datacenter name>';
$ENV{'VI_SERVER'}   = $vc_ip;
$ENV{'VI_USERNAME'} = $vc_user;
$ENV{'VI_PASSWORD'} = $vc_pass;

# read/validate options and connect to the server
my %opts = ();           # no extra command-line options are needed for this lookup
Opts::add_options(%opts);
Opts::parse();
Opts::validate();
Util::connect();

# Look up the managed object ID (MOID) of the datacenter called $dc_name
sub get_datacenter_moid {
    my ($dc_name) = @_;
    my $view = Vim::find_entity_views(view_type => 'Datacenter');
    foreach my $datacenter (@$view) {
        if (lc($datacenter->{name}) eq lc($dc_name)) {
            return $datacenter->{mo_ref}->{value};    # e.g. "datacenter-2"
        }
    }
    return "Not_found";
}

my $dc_moid = get_datacenter_moid($dc_name);
Util::disconnect();
Note that this code requires that you include the .pm files from the perl SDK. You can find these in lib/VMware/share/VMware/ in the perl SDK tarball.
Once you have the object ID for your datacenter, you can use it to create the vShield URL that you will need to access the datacenter's firewall ruleset:
Note that this URL is to access the ruleset in vShield App. If you want to access the ruleset in vShield Edge instead, simply change the "zones" in the URL to "network". So the resulting vShield Edge URL looks like this:
$response now contains the XML ruleset. Copy it to a variable such as $ruleset and use your favorite XML library to work directly with each rule. I found that using XML::LibXML provides the best routines for both parsing and editing the XML.
This code iterates through each rule, loading the source address and protocol into variables.
use strict;
use warnings;
use XML::LibXML;

my $parser = XML::LibXML->new();                  # "new XML::LibXML" also works but indirect-object syntax is discouraged
my $tree   = $parser->parse_string($ruleset);     # $ruleset holds the XML returned by the GET above
my $root   = $tree->documentElement();
my ($rule_src, $rule_prot);
foreach my $rule_ref ($root->findnodes('RuleSet/Rule')) {
    $rule_src  = $rule_ref->findvalue('Source/@ref');   # the source is an attribute, hence the '@'
    $rule_prot = $rule_ref->findvalue('Protocol');
}
Note that the source address is accessible as an attribute named "ref" in the source tag. XPath syntax uses '@' to access XML attributes.
The vShield API has certain restrictions when it comes to adding firewall rules. You can't just add a rule to the existing ruleset. Every time you update the ruleset with new rules, you replace all of the old rules.
The proper way to add a rule is to load the existing rules into memory as an XML tree, add the new rules to the tree, then post the updated tree back as the new ruleset.
This sample code illustrates how to add a new rule. Note that only a few of the fields are included here but every field in the rule is required, with the exception of Notes. You will get an error if you leave out a required field.
# $root is the document element from the parse above; $src_ip is the address the new rule should match
my $rule_ref = XML::LibXML::Element->new("Rule");
my $id_el = XML::LibXML::Element->new("ID");
$id_el->appendText("0");                    # ID 0 tells vShield to allocate a new rule ID on save
my $src_el = XML::LibXML::Element->new("Source");
$src_el->setAttribute("ref", $src_ip);
$src_el->setAttribute("exclude", "false");
$rule_ref->addChild($id_el);
$rule_ref->addChild($src_el);
# ... the remaining required fields (Position, for example) are built and added the same way ...
my $rule_root = $root->findnodes('RuleSet')->get_node(1);   # the single RuleSet element
$rule_root->addChild($rule_ref);
Here are some notes:
To add a new rule, specify an ID of 0. When vShield adds the new rule to the ruleset, it will automatically generate a new ID.
The Position field is required but you can set it to any value. I set it to a default of 50. vShield Manager rewrites this field every time you move rules around in the vShield GUI.
After you add the rule to the XML tree, you must also add a new container object for the IP addresses referenced by the rule:
# $ip_addr is the address referenced by the new rule's Source/@ref; it needs its own Container entry
my $contain_root = $root->findnodes('ContainerAssociation')->get_node(1);
my $contain_el = XML::LibXML::Element->new("Container");
$contain_el->setAttribute("id", $ip_addr);
my $ip_addr_el = XML::LibXML::Element->new("IPAddress");
$ip_addr_el->appendText($ip_addr);
$contain_el->addChild($ip_addr_el);
$contain_root->addChild($contain_el);
When you're done updating the XML tree, post the complete ruleset:
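As an added example (not code from the original post), here is the complete read-modify-write round trip the post describes, using LWP and XML::LibXML: fetch the live ruleset, modify the tree, verify that every Source/@ref has a matching Container in ContainerAssociation, then post the whole ruleset back. The ruleset URL, vShield Manager credentials and CA file path are placeholders, since the post's URL did not survive extraction.

```perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;
use XML::LibXML;

# Placeholders: the datacenter's vShield App ruleset URL (the "zones" URL from the post) and credentials
my $ruleset_url = 'https://<vShield Manager IP>/<ruleset path for the datacenter MOID>';
my ($vsm_user, $vsm_pass) = ('<vsm user>', '<vsm password>');

# Keep TLS verification on: trust the vShield Manager's CA explicitly instead of disabling checks (assumed path)
my $ua = LWP::UserAgent->new(
    ssl_opts => { verify_hostname => 1, SSL_ca_file => '/etc/ssl/certs/vshield-manager-ca.pem' },
);

sub authed_request {
    my ($method, $body) = @_;
    my $req = HTTP::Request->new($method => $ruleset_url);
    $req->authorization_basic($vsm_user, $vsm_pass);
    if (defined $body) {
        $req->content_type('application/xml');
        $req->content($body);
    }
    my $res = $ua->request($req);
    die "$method failed: " . $res->status_line . "\n" . $res->decoded_content unless $res->is_success;
    return $res->decoded_content;
}

# Each update replaces the whole ruleset, so always start from the live copy rather than a cached one
my $tree = XML::LibXML->new->parse_string(authed_request('GET'));
my $root = $tree->documentElement();
# ... build the new Rule (ID 0) and its Container entry here, exactly as in the snippets above ...

# The post says every container a rule references must be listed in ContainerAssociation; check locally first
sub missing_containers {
    my ($doc_root) = @_;
    my %known = map { ($_->getAttribute('id'), 1) } $doc_root->findnodes('ContainerAssociation/Container');
    my %missing;
    for my $rule ($doc_root->findnodes('RuleSet/Rule')) {
        my $ref = $rule->findvalue('Source/@ref');
        $missing{$ref} = 1 if length($ref) && !$known{$ref};
    }
    return sort keys %missing;
}

if (my @bad = missing_containers($root)) {
    die "Refusing to post: rules reference containers not in ContainerAssociation: @bad\n";
}
authed_request('POST', $tree->toString(1));   # post the complete ruleset back, as the post describes
```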
28 Comments:
I think it's great that you worked this all out, but it doesn't seem very automated to me. Sorry to be critical (really, don't mean to be a jerk), but most people won't have the time to get into this level of detail. If they do, then these scripts will still have to be passed on through detailed knowledge transfer. I see this solving your problem, but I don't see it automating security configuration in general.
Finally found a decent guide on VMWare vShield, hope to apply it to Remote VM Backup. Thanks!