User Key Provision

The API will provision the key to the selected host(s) and vault.

Before you begin

Before attempting to provision the key, make sure the current key groups of the selected key and the selected host(s) have RW permissions.

Request Structure

Endpoint: /ssh/user-key/provision
Type: POST
Sample URL: https://<IP/HostName/TenantName>:<GWPORT>/avxapi/ssh/user-key/provision?gwsource=external

To understand the elements of the sample URL, click here.
Headers:
Content-Type: application/json
Table 1. Request Parameters
Name Description
sessionId

Header

 (Mandatory) Session ID received after login.

Type: String

Constraints: Required if username and password are not provided.
username

Header

 (Mandatory) AppViewX login username.

Type: String

Constraints: Required if sessionId is not provided.
password

Header

 (Mandatory) AppViewX login password.

Type: String

Constraints: Required if sessionId is not provided.
Content-Type

Header

 (Mandatory) Specifies the nature of the data in the payload.

Type: String

Constraints: The value of the param should be ‘application/json’.
gwsource

Query

 (Mandatory) Source from which the request is triggered. (E.g. external)

Type: String
requestId

queryParam

 (Mandatory) Request Id of the bulk upload request.

Type: String
Payload

Body

 (Mandatory) Contains all the parameters to be sent in the request body for the post request.

Type: Payload

Payload

Name Description
keyFingerPrint

(Mandatory) Fingerprint of the selected key.

Type: String
keyEntity

(Mandatory) Entity of the key.

Possible values: keyPair, publicKey, privateKey

Type: String
enableVaultConfig

(Mandatory) Enable vault configuration or not.

Possible values: true, false

Type: Boolean
keyProvisionRequestDetails

(Mandatory) Request details to provision key to the selected host(s).

Type: keyProvisionRequestDetails
vaultKeyProvisionRequestDetails

(Mandatory) Request details to push the key to the selected vault.

Type: vaultKeyProvisionRequestDetails
Table 2. keyProvisionRequestDetails
Name Description
deviceName

(Mandatory) Device name of the selected host.

Type: String
userName

(Mandatory) User to whom the key has to be provisioned.

Type: List of Strings
keyEntity

(Mandatory) Entity type of the key.

Possible Values: publicKey, privateKey

Type: String
Table 3. vaultKeyProvisionRequestDetails
Name Description
vaultConfigDetails

(Mandatory) Details of the vault where the key has to be pushed.

Type: vaultConfigDetails
Table 4. vaultConfigDetails
Name Description
profileName

(Mandatory) Configured CyberArk profile name.

Type: String
username

(Mandatory) User to whom the key has to be associated.

Type: String
accountName

(Mandatory) New account name for the key to be pushed.

Type: String
serverAddress

(Mandatory) Server address to which the pushed key can be used to connect.

Format: IP Address or Fqdn

Type: String

Response Structure

200 OK returns string of type application/json with the following body params.

Table 5. Response Parameters
Name Description
response

Contains the response message of the API.

Type: Key provision response
message null

Type: String

appStatusCode null.

Type: String

tags More info in case of failure response.
Table 6. Key provision response
Name Description
status

Status of the key provision request.

Type: String

Status Codes

Table 7. Status Codes and Description
HTTP Status code appStatusCode Message and Possible remediation
200 OK NA Success
401 Unauthorized AVX_GW_003 Authentication failed, reason - Invalid Credentials

Possible remediation: Ensure that valid username and password or valid sessionId is provided as the header param.
400 Bad Request VALIDATION_ERROR_0004 Mandatory field <<field name>> is missing or or empty

Possible remediation: Check and ensure that valid value is provided for <<field name>> field in the request.
400 Bad Request ERR-SSH_NB-270 Max request size exceeded::[Max request size allowed is 25]

Possible remediation: Check and ensure that the number of requests specified in the payload is less than 25.
417 Expectation Failed ERR-SSH-NB-298

One or more groups do not have permission to perform this action.

Possible remediation: Check and ensure that the user has access to the specified key compliance group.

Sample Request/Response

Use Case

To provision the key to the selected host(s) and vault using /user-key/provision API.

Request URL
https://<IP/HostName/TenantName>:<GWPORT>/avxapi/ssh/user-key/provision?gwsource=external
Sample Request
{
   "keyFingerPrint": "QU+J4ZvjMNqODgKzyUFfd6drvSO8KISW7a7VXQzD38w",
   "keyEntity": "keyPair",
   "enableVaultConfig": true,
   "keyProvisionRequestDetails": [
       {
           "deviceName": "node130",
           "filePath": "~/.ssh/authorized_keys",
           "userName": "appviewx",
           "keyEntity": "publicKey"
       },
       {
           "deviceName": "node130",
           "filePath": "~/.ssh/test/testKey",
           "userName": "appviewx",
           "keyEntity": "privateKey"
       }
   ],
   "vaultKeyProvisionRequestDetails": {
           "vaultConfigDetails": {
               "profileName": "testCyberArk",
               "safeName": "poc-ssh",
		  "username": "test-ssh-user",
               "accountName": "sshDemo1",
               "serverAddress": "1.1.1.1"
           }
       }
}
Sample Response

{
   "response": {
       "status": "Key provision request saved Successfully"
   },
   "message": null,
   "appStatusCode": null,
   "tags": null,
   "headers": null
}

Reference

Understanding the sample URL:
  • IP/HostName/TenantName: Replace with the actual IP address, hostname, or tenant name based on the specific configuration in AppViewX.
    • IP: A unique identifier assigned to each device connected to a computer network that uses the Internet Protocol for communication

      The IP address will be included in the endpoint URL for an on-prem deployment.

    • HostName: A human-readable label assigned to a device (host) on a network

      The hostname will be included in the endpoint URL for an on-prem deployment.

    • TenantName: An identifier label for a tenant given to indicate which tenant's data the API request will access/modify

      The tenant name will be included in the endpoint URL for a SaaS deployment.

  • GWPORT: AppViewX gateway port
    A gateway port refers to a network port through which data is sent and received to communicate with a gateway in an on-prem deployment.
    Note: GWPORT is not required for SaaS setups.

    Example: 31443

  • avxapi: Path parameter value (static) that is part of the endpoint's URL
  • Endpoint: Endpoint of the API, for example: /ssh/host/create
  • gwsource: Source or origin of a gateway, for example: external.

What's Next