Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM REST API Resiliency

  • 1.  CPPM REST API Resiliency

    Posted Jun 01, 2020 10:24 AM

    We're looking to onboard the ClearPass REST APIs to our internal API gateway and I'd like to prepare for resiliency related questions that will be asked.

     

    What is the relationship between the API and our pub/sub model? Should we use a VIP for API calls?

     

    I noticed that my access token, once retrieved, works on all cluster members. Are there any exceptions to this?

     

    Any best practices for using the API at scale?



  • 2.  RE: CPPM REST API Resiliency

    Posted Jun 01, 2020 06:41 PM

    So you're absolutely correct, once you have the JWT from the underlying OAuth process it will work across all cluster members based upon the lifetime of the bearer token.

     

    There are a few things to be aware of and some of this relates back to the underlying PUB/SUB architecture.

     

    In short, updates {POST/PATCH/DELETE} can only be made when there is an active PUB in the cluster. Why, you ask? Well, because the PUB is the only node with write capabilities. So if you, say, PATCH against a SUB, it will proxy the command to the PUB to update the DB. If the PUB has gone down or the PUB is transitioning to the standby-PUB, the HTTP PATCH will fail. Not that the PUB should ever go down, and if it does the standby can be configured to automatically take over.

     

    I'd prefer not writing to the VIP but to the 'real' address.

     

    HTH
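
An added example (not code from this thread or from the vendor) of how a gateway-side client could act on the reply above: reads fall through the real node addresses with the one bearer token, while POST/PATCH/DELETE are retried with backoff across a publisher failover. The class, the injected `send` transport, the retry counts and the "5xx or dropped connection means retry" rule are all assumptions for illustration.

```python
import time

WRITE_METHODS = {"POST", "PATCH", "DELETE"}  # need an active publisher

class ClusterUnavailable(Exception):
    """No node could serve the request within the retry budget."""

class ClusterClient:
    # Hypothetical wrapper. `send(node, method, path, token, body)` is an
    # injected transport that returns an HTTP status or raises ConnectionError.
    def __init__(self, nodes, send, token, write_retries=4, base_delay=2.0,
                 sleep=time.sleep):
        self.nodes, self.send, self.token = list(nodes), send, token
        self.write_retries, self.base_delay, self.sleep = write_retries, base_delay, sleep

    def _first_ok(self, method, path, body):
        # Try each real node address in turn; the same bearer token is
        # accepted by every cluster member, so no re-authentication is needed.
        for node in self.nodes:
            try:
                status = self.send(node, method, path, self.token, body)
            except ConnectionError:
                continue
            if status < 500:  # 2xx-4xx are final answers for the caller
                return node, status
        return None

    def request(self, method, path, body=None):
        method = method.upper()
        # Reads get one pass over the nodes. Writes are proxied to the
        # publisher and fail while it is down or the standby is taking over,
        # so they get extra passes with exponential backoff.
        passes = self.write_retries + 1 if method in WRITE_METHODS else 1
        for attempt in range(passes):
            result = self._first_ok(method, path, body)
            if result is not None:
                return result
            if attempt < passes - 1:
                self.sleep(self.base_delay * 2 ** attempt)
        # Assumption: a 5xx or dropped connection means the write was not
        # applied. For a non-idempotent POST, confirm with a GET before retrying.
        raise ClusterUnavailable(f"{method} {path} failed on all nodes")
```

Size the retry budget to exceed the standby publisher's configured takeover time, so a write issued mid-failover is held rather than surfaced to the caller as an error.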