:PROPERTIES:
|
|
:ID: c33df84f-9b64-47a8-b716-fcadc0ec4f8c
|
|
:END:
|
|
#+Title: Cisco Staging Environment Doc
|
|
#+Author: Yann Esposito
|
|
#+Date: [2023-10-17]
|
|
|
|
- tags ::
|
|
- source ::
|
|
|
|
* Node static configuration (config.edn)
|
|
** Static/Dynamic cyclic dependency
|
|
|
|
Some static configuration needs to be generated after some dynamic configuration
|
|
has been made.
|
|
Typically you should first create many modules via the API and only then
|
|
retrieve the generated module-ids to be used in the configuration.
|
|
|
|
** IROH Auth Configuration
|
|
*** Example in PROD NAM
|
|
|
|
#+begin_src clojure
|
|
:iroh-auth
|
|
{:activation-url
|
|
"https://visibility.amp.cisco.com/account-activation",
|
|
:allowed-login-origins
|
|
#{"http://dev.9dcdd4915aad0ae7d12b8618:1957"
|
|
"http://dev.9dcdd4915aad0ae7d12b8618:1958"
|
|
"http://dev.9dcdd4915aad0ae7d12b8618:3000"
|
|
"http://dev.9dcdd4915aad0ae7d12b8618:3001"
|
|
"http://dev.9dcdd4915aad0ae7d12b8618:3002"
|
|
"http://dev.9dcdd4915aad0ae7d12b8618:3003"
|
|
"http://dev.9dcdd4915aad0ae7d12b8618:3004"
|
|
"http://dev.9dcdd4915aad0ae7d12b8618:4000"
|
|
"http://dev.9dcdd4915aad0ae7d12b8618:4001"
|
|
"http://dev.9dcdd4915aad0ae7d12b8618:4002"
|
|
"http://dev.9dcdd4915aad0ae7d12b8618:4003"
|
|
"http://dev.9dcdd4915aad0ae7d12b8618:4004"
|
|
"http://dev.9dcdd4915aad0ae7d12b8618:4005"
|
|
"http://dev.9dcdd4915aad0ae7d12b8618:4006"
|
|
"http://dev.9dcdd4915aad0ae7d12b8618:4008"
|
|
"http://dev.9dcdd4915aad0ae7d12b8618:4010"
|
|
"https://consumer.orbital.amp.cisco.com"
|
|
"https://dev.9dcdd4915aad0ae7d12b8618:1957"
|
|
"https://dev.9dcdd4915aad0ae7d12b8618:1958"
|
|
"https://dev.9dcdd4915aad0ae7d12b8618:4000"
|
|
"https://dev.9dcdd4915aad0ae7d12b8618:4001"
|
|
"https://dev.9dcdd4915aad0ae7d12b8618:4002"
|
|
"https://dev.9dcdd4915aad0ae7d12b8618:4003"
|
|
"https://dev.9dcdd4915aad0ae7d12b8618:4004"
|
|
"https://dev.9dcdd4915aad0ae7d12b8618:4005"
|
|
"https://dev.9dcdd4915aad0ae7d12b8618:4006"
|
|
"https://dev.9dcdd4915aad0ae7d12b8618:4008"
|
|
"https://dev.9dcdd4915aad0ae7d12b8618:4010"
|
|
"https://iroh-adm.ap-northeast-1.prod.iroh.site"
|
|
"https://iroh-adm.eu-west-1.prod.iroh.site"
|
|
"https://iroh-adm.int.iroh.site"
|
|
"https://iroh-adm.test.iroh.site"
|
|
"https://iroh-adm.us-east-1.prod.iroh.site"
|
|
"https://orbital.amp.cisco.com"
|
|
"https://registration.us.security.cisco.com"
|
|
"https://securex-ui-dashboard.us.security.cisco.com"
|
|
"https://securex.us.security.cisco.com"
|
|
"https://tactical-portal.us.security.cisco.com"
|
|
"https://threatresponse.security.cisco.com"
|
|
"https://threatresponse.us.security.cisco.com"
|
|
"https://visibility.amp.cisco.com"
|
|
"https://xdr.us.security.cisco.com"},
|
|
:cache-store-ids
|
|
{:codes "auth-codes",
|
|
:requests "auth-requests",
|
|
:responses "auth-responses"},
|
|
:idps
|
|
{"idb-amp"
|
|
{:allow-all-role-to-login false,
|
|
:auth-kind :oidc,
|
|
:authorize-uri
|
|
"https://csaidb.us.security.cisco.com/oauth2/default/v1/authorize",
|
|
:client-id "0oapp4bnkk3coKe3T696",
|
|
:client-secret
|
|
"[[ with secret "iroh/data/iroh_auth/idps/idb-amp/client_secret" ]][[ .Data.data.value ]][[ end ]]",
|
|
:correlation-table
|
|
{:is-admin? [:amp_user_admin],
|
|
:org-id [:business_guid],
|
|
:org-name [:organization_name],
|
|
:sub [:user_id],
|
|
:user-email [:email],
|
|
:user-name [:name]},
|
|
:grant-type :code,
|
|
:id "idb-amp",
|
|
:idp-account-url "https://castle.amp.cisco.com/my/account",
|
|
:idp-logout-url "https://auth.amp.cisco.com/auth/session/logout",
|
|
:legacy true,
|
|
:msg "For existing Threat Response & AMP users.",
|
|
:name "Cisco Security Account",
|
|
:position 1,
|
|
:safe-for-emails-verification true,
|
|
:scim-id :nam,
|
|
:scopes ["profile" "email" "iroh_auth"],
|
|
:token-uri
|
|
"https://csaidb.us.security.cisco.com/oauth2/default/v1/token"},
|
|
"idb-tg"
|
|
{:admin-roles #{"admin" "org-admin"},
|
|
:allow-all-role-to-login true,
|
|
:auth-kind :oidc,
|
|
:authorize-uri "https://panacea.threatgrid.com/oauth2/authorize",
|
|
:client-id "9e1e759e-8d17-496e-8ae6-bc70b03fc023",
|
|
:client-secret
|
|
"[[ with secret "iroh/data/iroh_auth/idps/idb-tg/client_secret" ]][[ .Data.data.value ]][[ end ]]",
|
|
:correlation-table
|
|
{:org-id [:threatgrid :organization_id],
|
|
:org-name [:threatgrid :organization_name],
|
|
:role [:threatgrid :role],
|
|
:user-name [:threatgrid :name]},
|
|
:grant-type :code,
|
|
:id "idb-tg",
|
|
:idp-logout-url "https://panacea.threatgrid.com/logout",
|
|
:legacy true,
|
|
:msg "For Secure Malware Analytics users.",
|
|
:name "Cisco Secure Malware Analytics",
|
|
:org-namespace "threatgrid",
|
|
:position 2,
|
|
:scopes ["threatgrid:profile" "email"],
|
|
:token-uri "https://panacea.threatgrid.com/api/v3/oauth/token"},
|
|
"sxso"
|
|
{:allow-all-role-to-login true,
|
|
:auth-kind :oidc,
|
|
:authorize-uri
|
|
"https://sign-on.security.cisco.com/oauth2/default/v1/authorize",
|
|
:client-id "0oa4dovqtv0MMc797357",
|
|
:client-secret
|
|
"[[ with secret "iroh/data/iroh_auth/idps/sxso/client_secret" ]][[ .Data.data.value ]][[ end ]]",
|
|
:grant-type :code,
|
|
:id "sxso",
|
|
:idp-account-url "https://me.security.cisco.com",
|
|
:idp-logout-url "https://sign-on.security.cisco.com/login/signout",
|
|
:manage-orgs false,
|
|
:msg "For new and existing SecureX users.",
|
|
:name "Security Cloud Sign On",
|
|
:position 0,
|
|
:safe-for-emails-verification true,
|
|
:scopes ["profile" "email" "iroh_auth"],
|
|
:token-uri
|
|
"https://sign-on.security.cisco.com/oauth2/default/v1/token"},
|
|
"threatgrid"
|
|
{:allow-all-role-to-login true,
|
|
:auth-kind :oidc,
|
|
:authorize-uri "https://panacea.threatgrid.com/oauth2/authorize",
|
|
:client-id "4fe0068b-eb2a-4918-871f-dd9c9592990e",
|
|
:client-secret
|
|
"[[ with secret "iroh/data/iroh_auth/idps/threatgrid/client_secret" ]][[ .Data.data.value ]][[ end ]]",
|
|
:correlation-table {:org-id [:tg_org]},
|
|
:grant-type :code,
|
|
:hidden true,
|
|
:id "threatgrid",
|
|
:name "Secure Malware Analytics",
|
|
:org-namespace "threatgrid",
|
|
:token-uri "https://panacea.threatgrid.com/api/v3/oauth/token"}},
|
|
:invite
|
|
{:first-url-sx "https://securex.us.security.cisco.com",
|
|
:first-url-xdr "https://xdr.us.security.cisco.com",
|
|
:help-url
|
|
"https://www.cisco.com/c/en/us/td/docs/security/secure-sign-on/sso-quick-start-guide.html",
|
|
:idp-id "sxso",
|
|
:invite-lifetime-in-days 7,
|
|
:mail-source "no-reply@security.cisco.com",
|
|
:store-id "invites"},
|
|
:login-filters-store-id "auth-login-filters",
|
|
:login-uri-prefix
|
|
"https://visibility.amp.cisco.com/iroh/iroh-auth/login",
|
|
:org-access-request-confirmation-url
|
|
"https://registration.us.security.cisco.com/org-access-request-status.html",
|
|
:provisioning
|
|
{:onboardings
|
|
{:csc {:http {:url "https://admin.prod.nam.csc.cisco.com/onboard"}},
|
|
:di
|
|
{:http {:url "https://insights-api.us.security.cisco.com/api"}},
|
|
:sca
|
|
{:http
|
|
{:url
|
|
"https://tr-relay-production.obsrvbl.obsrvbl.com/onboard"}}}},
|
|
:redirect-uri
|
|
"https://visibility.amp.cisco.com/iroh/iroh-auth/login",
|
|
:registration-url
|
|
"https://registration.us.security.cisco.com/auth-ui.html",
|
|
:signup-url-sx
|
|
"https://sign-on.security.cisco.com/home/bookmark/0oa4erf174FSrO1jd357/2557",
|
|
:signup-url-xdr
|
|
"https://sign-on.security.cisco.com/home/bookmark/0oasvqwo7jgaATJcM357/2557",
|
|
:spa-orgs
|
|
{:matching-admins-limit 1000, :pagination-admins-limit 1000},
|
|
:url "https://visibility.amp.cisco.com"}
|
|
#+end_src
|
|
|
|
*** IdPs (Identity Providers)
|
|
|
|
Seen from a distance, the structure looks like this:
|
|
|
|
#+begin_src clojure
|
|
{,,,
|
|
:iroh-auth ;; IROH-Auth is a bundle of big services (not http services)
|
|
{,,,
|
|
:idps
|
|
{"idb-amp" ,,,
|
|
"idb-tg" ,,,
|
|
"sxso" ,,,
|
|
;; never really knew why but threatgrid IdP is mandatory
|
|
;; if you remove it, something breaks, but I never knew exactly what
|
|
;; nor why
|
|
"threatgrid" {,,, :hidden true ,,,}}
|
|
,,,}
|
|
,,,}
|
|
#+end_src
|
|
|
|
Here is the current PROD NAM config for IdPs:
|
|
|
|
#+begin_src clojure
|
|
{,,,
|
|
:idps
|
|
{"idb-amp"
|
|
{:allow-all-role-to-login false,
|
|
:auth-kind :oidc,
|
|
:authorize-uri
|
|
"https://csaidb.us.security.cisco.com/oauth2/default/v1/authorize",
|
|
:client-id "0oapp4bnkk3coKe3T696",
|
|
:client-secret
|
|
"[[ with secret "iroh/data/iroh_auth/idps/idb-amp/client_secret" ]][[ .Data.data.value ]][[ end ]]",
|
|
:correlation-table
|
|
{:is-admin? [:amp_user_admin],
|
|
:org-id [:business_guid],
|
|
:org-name [:organization_name],
|
|
:sub [:user_id],
|
|
:user-email [:email],
|
|
:user-name [:name]},
|
|
:grant-type :code,
|
|
:id "idb-amp",
|
|
:idp-account-url "https://castle.amp.cisco.com/my/account",
|
|
:idp-logout-url "https://auth.amp.cisco.com/auth/session/logout",
|
|
:legacy true,
|
|
:msg "For existing Threat Response & AMP users.",
|
|
:name "Cisco Security Account",
|
|
:position 1,
|
|
:safe-for-emails-verification true,
|
|
:scim-id :nam,
|
|
:scopes ["profile" "email" "iroh_auth"],
|
|
:token-uri
|
|
"https://csaidb.us.security.cisco.com/oauth2/default/v1/token"},
|
|
"idb-tg"
|
|
{:admin-roles #{"admin" "org-admin"},
|
|
:allow-all-role-to-login true,
|
|
:auth-kind :oidc,
|
|
:authorize-uri "https://panacea.threatgrid.com/oauth2/authorize",
|
|
:client-id "9e1e759e-8d17-496e-8ae6-bc70b03fc023",
|
|
:client-secret
|
|
"[[ with secret "iroh/data/iroh_auth/idps/idb-tg/client_secret" ]][[ .Data.data.value ]][[ end ]]",
|
|
:correlation-table
|
|
{:org-id [:threatgrid :organization_id],
|
|
:org-name [:threatgrid :organization_name],
|
|
:role [:threatgrid :role],
|
|
:user-name [:threatgrid :name]},
|
|
:grant-type :code,
|
|
:id "idb-tg",
|
|
:idp-logout-url "https://panacea.threatgrid.com/logout",
|
|
:legacy true,
|
|
:msg "For Secure Malware Analytics users.",
|
|
:name "Cisco Secure Malware Analytics",
|
|
:org-namespace "threatgrid",
|
|
:position 2,
|
|
:scopes ["threatgrid:profile" "email"],
|
|
:token-uri "https://panacea.threatgrid.com/api/v3/oauth/token"},
|
|
"sxso"
|
|
{:allow-all-role-to-login true,
|
|
:auth-kind :oidc,
|
|
:authorize-uri
|
|
"https://sign-on.security.cisco.com/oauth2/default/v1/authorize",
|
|
:client-id "0oa4dovqtv0MMc797357",
|
|
:client-secret
|
|
"[[ with secret "iroh/data/iroh_auth/idps/sxso/client_secret" ]][[ .Data.data.value ]][[ end ]]",
|
|
:grant-type :code,
|
|
:id "sxso",
|
|
:idp-account-url "https://me.security.cisco.com",
|
|
:idp-logout-url "https://sign-on.security.cisco.com/login/signout",
|
|
:manage-orgs false,
|
|
:msg "For new and existing SecureX users.",
|
|
:name "Security Cloud Sign On",
|
|
:position 0,
|
|
:safe-for-emails-verification true,
|
|
:scopes ["profile" "email" "iroh_auth"],
|
|
:token-uri
|
|
"https://sign-on.security.cisco.com/oauth2/default/v1/token"},
|
|
"threatgrid"
|
|
{:allow-all-role-to-login true,
|
|
:auth-kind :oidc,
|
|
:authorize-uri "https://panacea.threatgrid.com/oauth2/authorize",
|
|
:client-id "4fe0068b-eb2a-4918-871f-dd9c9592990e",
|
|
:client-secret
|
|
"[[ with secret "iroh/data/iroh_auth/idps/threatgrid/client_secret" ]][[ .Data.data.value ]][[ end ]]",
|
|
:correlation-table {:org-id [:tg_org]},
|
|
:grant-type :code,
|
|
:hidden true,
|
|
:id "threatgrid",
|
|
:name "Secure Malware Analytics",
|
|
:org-namespace "threatgrid",
|
|
:token-uri "https://panacea.threatgrid.com/api/v3/oauth/token"}}
|
|
,,,}
|
|
#+end_src
|
|
|
|
**** SCSO
|
|
|
|
Contact Ryan, ask him to create the OAuth2 client and the Okta bookmarks
|
|
|
|
***** The actual config in PROD NAM
|
|
|
|
#+begin_src clojure
|
|
{,,,
|
|
"sxso"
|
|
{:allow-all-role-to-login true,
|
|
:auth-kind :oidc,
|
|
:authorize-uri
|
|
"https://sign-on.security.cisco.com/oauth2/default/v1/authorize",
|
|
:client-id "0oa4dovqtv0MMc797357",
|
|
:client-secret
|
|
"[[ with secret "iroh/data/iroh_auth/idps/sxso/client_secret" ]][[ .Data.data.value ]][[ end ]]",
|
|
:grant-type :code,
|
|
:id "sxso",
|
|
:idp-account-url "https://me.security.cisco.com",
|
|
:idp-logout-url "https://sign-on.security.cisco.com/login/signout",
|
|
:manage-orgs false,
|
|
:msg "For new and existing SecureX users.",
|
|
:name "Security Cloud Sign On",
|
|
:position 0,
|
|
:safe-for-emails-verification true,
|
|
:scopes ["profile" "email" "iroh_auth"],
|
|
:token-uri
|
|
"https://sign-on.security.cisco.com/oauth2/default/v1/token"}
|
|
,,,}
|
|
#+end_src
|
|
|
|
**** AMP
|
|
|
|
Contact Ryan and perhaps the Secure Endpoint team to create an OIDC client in Okta
|
|
that connects to the SAML client from AMP
|
|
|
|
**** TG
|
|
|
|
Contact Austin Haas from SMA (Secure Malware Analytics) to create a new OIDC client.
|
|
Apparently OIDC clients created for IROH are no longer supported by Threatgrid.
|
|
You must use *magic* to create/update these clients.
|
|
Sync with Austin Haas for help.
|
|
|
|
* Dynamic Configuration
|
|
|
|
** Create Master users
|
|
|
|
**** Ops-only
|
|
|
|
To access the admin API, which is required to configure
|
|
the nodes, you first need to configure an initial master user.
|
|
|
|
Easiest method: copy an existing master user from another env to the new env by
|
|
copying the Org and User rows in the DB.
|
|
Change the ~email-address~ to match the one you would like to use.
|
|
The field that makes a user a master user is
|
|
~additional-scopes~ set to ~["iroh-master","iroh-admin","cisco"]~.
|
|
|
|
**** Using the API
|
|
|
|
1. Launch a node
|
|
2. Log in via AMP (or TG) to trigger automatic Org creation
|
|
3. Retrieve the user-id (see the API response after login)
|
|
4. Change the node conf to add the user-id to the admin-filters configuration
|
|
5. Restart the node and log in again
|
|
6. Use the admin API to PATCH the user with ={additional-scopes: ["iroh-master","iroh-admin","cisco"]}=
|
|
7. Change the node conf to remove the admin-filters entry again, so the temporary bootstrap grant does not remain in place
|
|
|
|
Add new masters:
|
|
|
|
1. Invite new users to the first main Org, then PATCH them using the admin API
|
|
|
|
** Provisioning
|
|
*** Official Provisioning OAuth2 Clients
|
|
|
|
You must create a new Org for the PIAM team with ~additional-scopes~
|
|
containing ~cisco/platform~.
|
|
Then add the PIAM team's contact as a user; that user should create their own
|
|
OAuth2 client for provisioning.
|
|
|
|
*** Internal Org Provisioning
|
|
|
|
Create a new client with the scopes ~["cisco/platform" "cisco/tac"]~ and use the
|
|
scripts in ~xdr-provisioning~ (Adapt them to use the new Stage env).
|
|
|
|
** SSE Integration
|
|
|
|
*** SSE Client ! Claim Aliases
|
|
|
|
The SSE OIDC client expects some specific claims, so we should configure the client to
|
|
copy and replace the claim content according to their expectations.
|
|
|
|
** DI Integration
|
|
|
|
*** OAuth2 Client
|
|
- audience
|
|
- trusted
|
|
- allow-all-role-to-login
|
|
|
|
|
|
*** Webhooks
|
|
** Automation Integration
|
|
|
|
See ~config.edn~ for the configuration of the iroh-ao API/bootstrap.
|
|
See Mark for help.
|
|
|
|
|
|
*** OAuth2 Client
|
|
- audience
|
|
- trusted
|
|
- allow-user-scopes
|
|
- short tokens
|
|
- org-level-authorization
|
|
|
|
*** Webhooks
|
|
|
|
** 1-click module setup integrations
|
|
|
|
Every team should have a dedicated Org.
|
|
At least one dev of this team should create an OAuth2 client to be used.
|
|
|
|
Once the dev has tested it for their own org, the client should be promoted to
|
|
availability for everyone.
|
|
After that, the client should be marked as trusted.
|
|
|
|
The team should also create the module-type, which should then be promoted to
|
|
global visibility.
|
|
|
|
* Maintenance
|
|
Every dynamic change must be made on all environments, often needing master-user privileges.
|
|
Typically:
|
|
- module-type change.
|
|
- OAuth2 client change (URL)
|
|
- create specific tenant for PMs/Tests
|
|
|
|
Expect a few hours a week.
|