
Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

CPPM REST API Resiliency

  • 1.  CPPM REST API Resiliency

    Posted Jun 01, 2020 10:24 AM

    We're looking to onboard the ClearPass REST APIs to our internal API gateway and I'd like to prepare for resiliency related questions that will be asked.


    What is the relationship between the API and our pub/sub model? Should we use a VIP for API calls?


    I noticed that my access token, once retrieved, works on all cluster members. Are there any exceptions to this?


    Any best practices for using the API at scale?

  • 2.  RE: CPPM REST API Resiliency

    Posted Jun 01, 2020 06:41 PM

    So you're absolutely correct, once you have the JWT from the underlying OAuth process it will work across all cluster members based upon the lifetime of the bearer token.


    There are a few things to be aware of and some of this relates back to the underlying PUB/SUB architecture.


    In short, updates {POST/PATCH/DELETE} can only be made when there is an active PUB in the cluster. Why, you ask? Well, because the PUB is the only node with write capabilities. So if you, say, PATCH against a SUB, it will proxy the command to the PUB to update the DB. If the PUB has gone down or the PUB is transitioning to the standby-PUB, the HTTP PATCH will fail. Not that the PUB should ever go down, and if it does the standby can be configured to automatically take over.


    I'd prefer not writing to the VIP but to the 'real' address.
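
Added example, not part of the thread and not ClearPass code: a client-side retry policy for the behaviour described in the reply above, where reads can be served by any cluster member but writes fail on every member until a publisher is active again. The `send` hook, the node names, the `FakeCluster` simulation and the assumption that a failed write appears as a connection error or HTTP 5xx are all hypothetical.

```python
import time

WRITE_METHODS = {"POST", "PATCH", "DELETE"}  # need an active publisher

class ClusterUnavailable(Exception):
    """No node could serve the request within the retry budget."""

def call_api(send, nodes, method, path, token, body=None,
             write_rounds=4, backoff=1.0, sleep=time.sleep):
    """Send one request with the shared bearer token.

    send(node, method, path, headers, body) -> (status, payload) is a
    hypothetical transport hook; wrap your HTTP client in it.
    Reads: one pass over the nodes, any member may answer.
    Writes: every member depends on the publisher, so after a failed pass
    wait (exponential back-off) for the standby to be promoted, then retry.
    Assumption: a failed write shows up as a connection error or HTTP 5xx.
    A POST retried after an ambiguous failure may create a duplicate.
    """
    headers = {"Authorization": f"Bearer {token}"}
    rounds = write_rounds if method in WRITE_METHODS else 1
    last_error = "no nodes configured"
    for attempt in range(rounds):
        for node in nodes:
            try:
                status, payload = send(node, method, path, headers, body)
            except ConnectionError as exc:
                last_error = f"{node}: {exc}"
                continue
            if status < 500:
                return node, status, payload
            last_error = f"{node}: HTTP {status}"
        if attempt < rounds - 1:
            sleep(backoff * 2 ** attempt)
    raise ClusterUnavailable(last_error)

class FakeCluster:
    """Constructed simulation: publisher returns after `recover_after` waits."""
    def __init__(self, recover_after):
        self.recover_after, self.waits = recover_after, []
    def sleep(self, seconds):
        self.waits.append(seconds)  # record instead of really sleeping
    def send(self, node, method, path, headers, body):
        pub_up = len(self.waits) >= self.recover_after
        if node.startswith("pub") and not pub_up:
            raise ConnectionError("publisher unreachable")
        if method in WRITE_METHODS and not pub_up:
            return 503, None  # assumed status for a write the subscriber cannot proxy
        return 200, {"served_by": node}
```

Behind an API gateway, size `write_rounds` and `backoff` so the total wait covers the time your standby publisher needs to take over.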