deft/notes/cisco_staging_environment_doc.org
Yann Esposito (Yogsototh) 0110eee062
save
2024-02-01 15:16:14 +01:00

Cisco Staging Environment Doc

tags
source

Node static configuration (config.edn)

Static/Dynamic cyclic dependency

Some static configuration needs to be generated only after some dynamic configuration has been made. Typically you first create many modules via the API and only then retrieve the generated module-ids, which are then used in the static configuration.

IROH Auth Configuration

Example in PROD NAM

:iroh-auth
{:activation-url
 "https://visibility.amp.cisco.com/account-activation",
 :allowed-login-origins
 #{"http://dev.9dcdd4915aad0ae7d12b8618:1957"
   "http://dev.9dcdd4915aad0ae7d12b8618:1958"
   "http://dev.9dcdd4915aad0ae7d12b8618:3000"
   "http://dev.9dcdd4915aad0ae7d12b8618:3001"
   "http://dev.9dcdd4915aad0ae7d12b8618:3002"
   "http://dev.9dcdd4915aad0ae7d12b8618:3003"
   "http://dev.9dcdd4915aad0ae7d12b8618:3004"
   "http://dev.9dcdd4915aad0ae7d12b8618:4000"
   "http://dev.9dcdd4915aad0ae7d12b8618:4001"
   "http://dev.9dcdd4915aad0ae7d12b8618:4002"
   "http://dev.9dcdd4915aad0ae7d12b8618:4003"
   "http://dev.9dcdd4915aad0ae7d12b8618:4004"
   "http://dev.9dcdd4915aad0ae7d12b8618:4005"
   "http://dev.9dcdd4915aad0ae7d12b8618:4006"
   "http://dev.9dcdd4915aad0ae7d12b8618:4008"
   "http://dev.9dcdd4915aad0ae7d12b8618:4010"
   "https://consumer.orbital.amp.cisco.com"
   "https://dev.9dcdd4915aad0ae7d12b8618:1957"
   "https://dev.9dcdd4915aad0ae7d12b8618:1958"
   "https://dev.9dcdd4915aad0ae7d12b8618:4000"
   "https://dev.9dcdd4915aad0ae7d12b8618:4001"
   "https://dev.9dcdd4915aad0ae7d12b8618:4002"
   "https://dev.9dcdd4915aad0ae7d12b8618:4003"
   "https://dev.9dcdd4915aad0ae7d12b8618:4004"
   "https://dev.9dcdd4915aad0ae7d12b8618:4005"
   "https://dev.9dcdd4915aad0ae7d12b8618:4006"
   "https://dev.9dcdd4915aad0ae7d12b8618:4008"
   "https://dev.9dcdd4915aad0ae7d12b8618:4010"
   "https://iroh-adm.ap-northeast-1.prod.iroh.site"
   "https://iroh-adm.eu-west-1.prod.iroh.site"
   "https://iroh-adm.int.iroh.site"
   "https://iroh-adm.test.iroh.site"
   "https://iroh-adm.us-east-1.prod.iroh.site"
   "https://orbital.amp.cisco.com"
   "https://registration.us.security.cisco.com"
   "https://securex-ui-dashboard.us.security.cisco.com"
   "https://securex.us.security.cisco.com"
   "https://tactical-portal.us.security.cisco.com"
   "https://threatresponse.security.cisco.com"
   "https://threatresponse.us.security.cisco.com"
   "https://visibility.amp.cisco.com"
   "https://xdr.us.security.cisco.com"},
 :cache-store-ids
 {:codes "auth-codes",
  :requests "auth-requests",
  :responses "auth-responses"},
 :idps
 {"idb-amp"
  {:allow-all-role-to-login false,
   :auth-kind :oidc,
   :authorize-uri
   "https://csaidb.us.security.cisco.com/oauth2/default/v1/authorize",
   :client-id "0oapp4bnkk3coKe3T696",
   :client-secret
   "[[ with secret "iroh/data/iroh_auth/idps/idb-amp/client_secret" ]][[ .Data.data.value ]][[ end ]]",
   :correlation-table
   {:is-admin? [:amp_user_admin],
    :org-id [:business_guid],
    :org-name [:organization_name],
    :sub [:user_id],
    :user-email [:email],
    :user-name [:name]},
   :grant-type :code,
   :id "idb-amp",
   :idp-account-url "https://castle.amp.cisco.com/my/account",
   :idp-logout-url "https://auth.amp.cisco.com/auth/session/logout",
   :legacy true,
   :msg "For existing Threat Response & AMP users.",
   :name "Cisco Security Account",
   :position 1,
   :safe-for-emails-verification true,
   :scim-id :nam,
   :scopes ["profile" "email" "iroh_auth"],
   :token-uri
   "https://csaidb.us.security.cisco.com/oauth2/default/v1/token"},
  "idb-tg"
  {:admin-roles #{"admin" "org-admin"},
   :allow-all-role-to-login true,
   :auth-kind :oidc,
   :authorize-uri "https://panacea.threatgrid.com/oauth2/authorize",
   :client-id "9e1e759e-8d17-496e-8ae6-bc70b03fc023",
   :client-secret
   "[[ with secret "iroh/data/iroh_auth/idps/idb-tg/client_secret" ]][[ .Data.data.value ]][[ end ]]",
   :correlation-table
   {:org-id [:threatgrid :organization_id],
    :org-name [:threatgrid :organization_name],
    :role [:threatgrid :role],
    :user-name [:threatgrid :name]},
   :grant-type :code,
   :id "idb-tg",
   :idp-logout-url "https://panacea.threatgrid.com/logout",
   :legacy true,
   :msg "For Secure Malware Analytics users.",
   :name "Cisco Secure Malware Analytics",
   :org-namespace "threatgrid",
   :position 2,
   :scopes ["threatgrid:profile" "email"],
   :token-uri "https://panacea.threatgrid.com/api/v3/oauth/token"},
  "sxso"
  {:allow-all-role-to-login true,
   :auth-kind :oidc,
   :authorize-uri
   "https://sign-on.security.cisco.com/oauth2/default/v1/authorize",
   :client-id "0oa4dovqtv0MMc797357",
   :client-secret
   "[[ with secret "iroh/data/iroh_auth/idps/sxso/client_secret" ]][[ .Data.data.value ]][[ end ]]",
   :grant-type :code,
   :id "sxso",
   :idp-account-url "https://me.security.cisco.com",
   :idp-logout-url "https://sign-on.security.cisco.com/login/signout",
   :manage-orgs false,
   :msg "For new and existing SecureX users.",
   :name "Security Cloud Sign On",
   :position 0,
   :safe-for-emails-verification true,
   :scopes ["profile" "email" "iroh_auth"],
   :token-uri
   "https://sign-on.security.cisco.com/oauth2/default/v1/token"},
  "threatgrid"
  {:allow-all-role-to-login true,
   :auth-kind :oidc,
   :authorize-uri "https://panacea.threatgrid.com/oauth2/authorize",
   :client-id "4fe0068b-eb2a-4918-871f-dd9c9592990e",
   :client-secret
   "[[ with secret "iroh/data/iroh_auth/idps/threatgrid/client_secret" ]][[ .Data.data.value ]][[ end ]]",
   :correlation-table {:org-id [:tg_org]},
   :grant-type :code,
   :hidden true,
   :id "threatgrid",
   :name "Secure Malware Analytics",
   :org-namespace "threatgrid",
   :token-uri "https://panacea.threatgrid.com/api/v3/oauth/token"}},
 :invite
 {:first-url-sx "https://securex.us.security.cisco.com",
  :first-url-xdr "https://xdr.us.security.cisco.com",
  :help-url
  "https://www.cisco.com/c/en/us/td/docs/security/secure-sign-on/sso-quick-start-guide.html",
  :idp-id "sxso",
  :invite-lifetime-in-days 7,
  :mail-source "no-reply@security.cisco.com",
  :store-id "invites"},
 :login-filters-store-id "auth-login-filters",
 :login-uri-prefix
 "https://visibility.amp.cisco.com/iroh/iroh-auth/login",
 :org-access-request-confirmation-url
 "https://registration.us.security.cisco.com/org-access-request-status.html",
 :provisioning
 {:onboardings
  {:csc {:http {:url "https://admin.prod.nam.csc.cisco.com/onboard"}},
   :di
   {:http {:url "https://insights-api.us.security.cisco.com/api"}},
   :sca
   {:http
    {:url
     "https://tr-relay-production.obsrvbl.obsrvbl.com/onboard"}}}},
 :redirect-uri
 "https://visibility.amp.cisco.com/iroh/iroh-auth/login",
 :registration-url
 "https://registration.us.security.cisco.com/auth-ui.html",
 :signup-url-sx
 "https://sign-on.security.cisco.com/home/bookmark/0oa4erf174FSrO1jd357/2557",
 :signup-url-xdr
 "https://sign-on.security.cisco.com/home/bookmark/0oasvqwo7jgaATJcM357/2557",
 :spa-orgs
 {:matching-admins-limit 1000, :pagination-admins-limit 1000},
 :url "https://visibility.amp.cisco.com"}
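As an added example (not IROH code, and not part of the original note), here is how the `:allowed-login-origins` set above is meant to be consulted: membership is an exact match on the normalized `Origin` value, so a trailing slash, a different port or a look-alike host that merely starts with an allowed value are all refused. The `config` map below is a constructed subset of the PROD NAM set, and the function names are assumptions.

```clojure
;; Added example: exact-match validation of a login request's Origin
;; against :allowed-login-origins from config.edn.  `config` is a
;; constructed subset of the real set; the helper names are assumptions.
(ns example.login-origins
  (:require [clojure.string :as str]))

(def config
  {:iroh-auth
   {:allowed-login-origins
    #{"https://securex.us.security.cisco.com"
      "https://xdr.us.security.cisco.com"
      "http://dev.9dcdd4915aad0ae7d12b8618:3000"}}})

(defn normalize-origin
  "An Origin header is scheme://host[:port] with no path.  Scheme and host
   are case-insensitive, so lower-case the value before the set lookup;
   nil stays nil and therefore never matches."
  [origin]
  (some-> origin str/trim str/lower-case))

(defn allowed-origin?
  "True only when the normalized Origin is literally a member of the
   configured set.  No prefix or substring matching is done on purpose:
   a sub-path, a trailing slash, another port, or a longer host name
   that begins with an allowed origin all fail the lookup."
  [cfg origin]
  (let [allowed (get-in cfg [:iroh-auth :allowed-login-origins] #{})]
    (contains? allowed (normalize-origin origin))))

(defn check-origins
  "Evaluate a batch of Origin values; returns a map origin -> boolean."
  [cfg origins]
  (into {} (map (fn [o] [o (allowed-origin? cfg o)])) origins))

(comment
  ;; Constructed inputs: two valid origins (one upper-cased), then a
  ;; trailing slash, a longer look-alike host, a port not in the set,
  ;; and a request with no Origin at all.
  (check-origins config
                 ["https://securex.us.security.cisco.com"
                  "HTTPS://XDR.US.SECURITY.CISCO.COM"
                  "https://securex.us.security.cisco.com/"
                  "https://securex.us.security.cisco.com.example"
                  "http://dev.9dcdd4915aad0ae7d12b8618:3001"
                  nil]))
```

Only the first two constructed inputs are accepted. Keeping the check as set membership on the whole normalized origin is what makes the long list in config.edn safe to maintain by hand: adding an entry never widens what an existing entry matches.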

IdPs (Identity Providers)

From far away

{,,,
 :iroh-auth ;; IROH-Auth is a bundle of big services (not http services)
 {,,,
  :idps
  {"idb-amp" ,,,
   "idb-tg" ,,,
   "sxso" ,,,
   ;; never really knew why but threatgrid IdP is mandatory
   ;; if you remove it, something breaks, but I never knew exactly what
   ;; nor why
   "threatgrid" {,,, :hidden true ,,,}}
  ,,,}
 ,,,}

Here is the current PROD NAM config for IdPs:

{,,,
 :idps
 {"idb-amp"
  {:allow-all-role-to-login false,
   :auth-kind :oidc,
   :authorize-uri
   "https://csaidb.us.security.cisco.com/oauth2/default/v1/authorize",
   :client-id "0oapp4bnkk3coKe3T696",
   :client-secret
   "[[ with secret "iroh/data/iroh_auth/idps/idb-amp/client_secret" ]][[ .Data.data.value ]][[ end ]]",
   :correlation-table
   {:is-admin? [:amp_user_admin],
    :org-id [:business_guid],
    :org-name [:organization_name],
    :sub [:user_id],
    :user-email [:email],
    :user-name [:name]},
   :grant-type :code,
   :id "idb-amp",
   :idp-account-url "https://castle.amp.cisco.com/my/account",
   :idp-logout-url "https://auth.amp.cisco.com/auth/session/logout",
   :legacy true,
   :msg "For existing Threat Response & AMP users.",
   :name "Cisco Security Account",
   :position 1,
   :safe-for-emails-verification true,
   :scim-id :nam,
   :scopes ["profile" "email" "iroh_auth"],
   :token-uri
   "https://csaidb.us.security.cisco.com/oauth2/default/v1/token"},
  "idb-tg"
  {:admin-roles #{"admin" "org-admin"},
   :allow-all-role-to-login true,
   :auth-kind :oidc,
   :authorize-uri "https://panacea.threatgrid.com/oauth2/authorize",
   :client-id "9e1e759e-8d17-496e-8ae6-bc70b03fc023",
   :client-secret
   "[[ with secret "iroh/data/iroh_auth/idps/idb-tg/client_secret" ]][[ .Data.data.value ]][[ end ]]",
   :correlation-table
   {:org-id [:threatgrid :organization_id],
    :org-name [:threatgrid :organization_name],
    :role [:threatgrid :role],
    :user-name [:threatgrid :name]},
   :grant-type :code,
   :id "idb-tg",
   :idp-logout-url "https://panacea.threatgrid.com/logout",
   :legacy true,
   :msg "For Secure Malware Analytics users.",
   :name "Cisco Secure Malware Analytics",
   :org-namespace "threatgrid",
   :position 2,
   :scopes ["threatgrid:profile" "email"],
   :token-uri "https://panacea.threatgrid.com/api/v3/oauth/token"},
  "sxso"
  {:allow-all-role-to-login true,
   :auth-kind :oidc,
   :authorize-uri
   "https://sign-on.security.cisco.com/oauth2/default/v1/authorize",
   :client-id "0oa4dovqtv0MMc797357",
   :client-secret
   "[[ with secret "iroh/data/iroh_auth/idps/sxso/client_secret" ]][[ .Data.data.value ]][[ end ]]",
   :grant-type :code,
   :id "sxso",
   :idp-account-url "https://me.security.cisco.com",
   :idp-logout-url "https://sign-on.security.cisco.com/login/signout",
   :manage-orgs false,
   :msg "For new and existing SecureX users.",
   :name "Security Cloud Sign On",
   :position 0,
   :safe-for-emails-verification true,
   :scopes ["profile" "email" "iroh_auth"],
   :token-uri
   "https://sign-on.security.cisco.com/oauth2/default/v1/token"},
  "threatgrid"
  {:allow-all-role-to-login true,
   :auth-kind :oidc,
   :authorize-uri "https://panacea.threatgrid.com/oauth2/authorize",
   :client-id "4fe0068b-eb2a-4918-871f-dd9c9592990e",
   :client-secret
   "[[ with secret "iroh/data/iroh_auth/idps/threatgrid/client_secret" ]][[ .Data.data.value ]][[ end ]]",
   :correlation-table {:org-id [:tg_org]},
   :grant-type :code,
   :hidden true,
   :id "threatgrid",
   :name "Secure Malware Analytics",
   :org-namespace "threatgrid",
   :token-uri "https://panacea.threatgrid.com/api/v3/oauth/token"}}
 ,,,}
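
As an added example (not IROH code, and not part of the original note), the snippet below shows one way to read a `:correlation-table` such as the ones in the IdP entries above. It assumes that every value is a path, in the sense of `get-in`, into the claims returned by the IdP, and that the resulting keys are the user fields IROH needs; the claim maps are constructed for the demo and the function names are assumptions. It fails closed when a required field is missing.

```clojure
;; Added example: resolving a :correlation-table against IdP claims.
;; Assumption: each table value is a get-in path into the claims map.
;; Claim maps below are constructed; tables are copied from config.edn.
(ns example.correlation)

(def idb-amp-table
  ;; "idb-amp" entry: flat claims.
  {:is-admin?  [:amp_user_admin]
   :org-id     [:business_guid]
   :org-name   [:organization_name]
   :sub        [:user_id]
   :user-email [:email]
   :user-name  [:name]})

(def idb-tg-table
  ;; "idb-tg" entry: claims nested under a :threatgrid key.
  {:org-id    [:threatgrid :organization_id]
   :org-name  [:threatgrid :organization_name]
   :role      [:threatgrid :role]
   :user-name [:threatgrid :name]})

(defn correlate
  "Resolve every path of `table` against `claims`.  Returns
   {:user <fields found> :missing <keys whose path resolved to nil>}."
  [table claims]
  (let [user (reduce-kv (fn [acc k path]
                          (let [v (get-in claims path)]
                            (if (nil? v) acc (assoc acc k v))))
                        {} table)]
    {:user    user
     :missing (into #{} (remove (set (keys user))) (keys table))}))

(defn correlated-identity
  "Fail closed: only hand back a user map when every key in `required`
   was found in the claims; otherwise return the list of missing keys so
   the login can be rejected instead of creating a half-formed identity."
  [table claims required]
  (let [{:keys [user missing]} (correlate table claims)
        lacking (filter missing required)]
    (if (seq lacking)
      {:error :missing-claims :claims (vec lacking)}
      {:ok user})))

(comment
  ;; Constructed AMP-style claims (flat): all required fields present.
  (correlated-identity idb-amp-table
                       {:user_id "u-123" :email "a@example.com" :name "A"
                        :business_guid "org-1" :organization_name "Org One"
                        :amp_user_admin true}
                       [:sub :org-id])
  ;; Constructed TG-style claims (nested): no organization_id, so the
  ;; identity is refused rather than created without an org.
  (correlated-identity idb-tg-table
                       {:threatgrid {:name "B" :role "admin"}}
                       [:org-id :user-name]))
```

Treating the table as data, as above, is also what lets the same login code serve the flat AMP claims and the nested Threatgrid ones: the only difference between the two IdPs is the depth of the paths.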

SCSO

Contact Ryan, ask him to create the OAuth2 client and the Okta bookmarks

The actual config in PROD NAM:

{,,,
  "sxso"
  {:allow-all-role-to-login true,
   :auth-kind :oidc,
   :authorize-uri
   "https://sign-on.security.cisco.com/oauth2/default/v1/authorize",
   :client-id "0oa4dovqtv0MMc797357",
   :client-secret
   "[[ with secret "iroh/data/iroh_auth/idps/sxso/client_secret" ]][[ .Data.data.value ]][[ end ]]",
   :grant-type :code,
   :id "sxso",
   :idp-account-url "https://me.security.cisco.com",
   :idp-logout-url "https://sign-on.security.cisco.com/login/signout",
   :manage-orgs false,
   :msg "For new and existing SecureX users.",
   :name "Security Cloud Sign On",
   :position 0,
   :safe-for-emails-verification true,
   :scopes ["profile" "email" "iroh_auth"],
   :token-uri
   "https://sign-on.security.cisco.com/oauth2/default/v1/token"}
 ,,,}

AMP

Contact Ryan and perhaps Secure Endpoint team to create an OIDC client in Okta that connects to the SAML client from AMP

TG

Contact Austin Haas from SMA (Secure Malware Analytics) to create a new OIDC client. Apparently OIDC clients created for IROH are no longer supported by Threatgrid, so creating or updating these clients takes some magic on their side. Sync with Austin Haas for help.

Dynamic Configuration

Create Master users

Ops-only

To access the admin API, which you need in order to configure the nodes, you first have to create a first master user.

Easiest method: copy an existing master user from another env to the new env by copying the Org and User rows in the DB. Change the email address to match the one you want to use. The field that makes the user a master user is additional-scopes, which must be set to ["iroh-master","iroh-admin","cisco"].

Using the API
  1. Launch a node
  2. Log in via AMP (or TG) so that an Org is created automatically
  3. Retrieve the user-id (see the API response after login)
  4. Change the node conf to add the user-id to the admin-filters configuration
  5. Restart the node and log in again
  6. Use the admin API to PATCH the user with {additional-scopes: ["iroh-master","iroh-admin","cisco"]}
  7. Change the node conf to remove admin-filters
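
The bootstrap in steps 4 to 7 is easy to get wrong, so here is a small model of it as an added example (not IROH code, and not part of the original note). It assumes a user map with `:id` and `:additional-scopes`, a node config with an optional `:admin-filters` set of user ids, and that "master" means holding all three scopes from the PATCH body; the function names are assumptions. The point it makes is that `admin-filters` is a temporary identity-only hole that must be closed again in step 7, after which access rests on scopes alone.

```clojure
;; Added example: the first-master-user bootstrap as pure state
;; transitions.  Assumptions: user {:id .. :additional-scopes ..},
;; node conf with optional :admin-filters (set of user ids), and a master
;; is a user holding every scope in master-scopes.
(ns example.master-bootstrap
  (:require [clojure.set :as set]))

(def master-scopes #{"iroh-master" "iroh-admin" "cisco"})

(defn master-user?
  "True when every master scope is present in :additional-scopes."
  [user]
  (set/subset? master-scopes (set (:additional-scopes user))))

(defn admin-api-allowed?
  "Admin API access is granted on scopes, or, only while the node conf
   still lists the user id in :admin-filters, on identity alone."
  [node-conf user]
  (or (master-user? user)
      (contains? (set (:admin-filters node-conf)) (:id user))))

(defn grant-master
  "Step 6: the effect of PATCHing the user with the master scopes.
   Scopes are merged, not replaced, so nothing already granted is lost."
  [user]
  (update user :additional-scopes
          #(vec (into (set %) master-scopes))))

(defn bootstrap
  "Steps 4 to 7 on a {:conf :user} pair.  Returns the final state and a
   trace of admin-API reachability before, during and after the hole."
  [conf user]
  (let [step4     (update conf :admin-filters (fnil conj #{}) (:id user))
        can-patch (admin-api-allowed? step4 user)
        user'     (if can-patch (grant-master user) user)
        step7     (dissoc step4 :admin-filters)]
    {:conf  step7
     :user  user'
     :trace {:before-filter (admin-api-allowed? conf user)
             :with-filter   can-patch
             :after-cleanup (admin-api-allowed? step7 user')}}))

(comment
  ;; Constructed input: a fresh node conf and the user created by the
  ;; first AMP/TG login, with the id taken from the login response.
  (bootstrap {:some-other-setting true}
             {:id "user-id-from-login-response" :additional-scopes []}))
```

In the trace, access is refused before step 4, granted by identity while the filter is in place, and granted by scopes once the filter has been removed again; if step 6 were skipped, the last entry would flip back to refused, which is the check to run before considering the bootstrap done.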

Add new masters:

  1. Invite new users to the first main Org, then PATCH them using the admin API

Provisioning

Official Provisioning OAuth2 Clients

You must create a new Org for the PIAM team with additional-scopes containing cisco/platform. Then add the user named as contact by the PIAM team; that team should create its own OAuth2 client for provisioning.

Internal Org Provisioning

Create a new client with the scopes ["cisco/platform" "cisco/tac"] and use the scripts in xdr-provisioning (adapt them to use the new Stage env).

SSE Integration

SSE Client ! Claim Aliases

The SSE OIDC client expects some specific claims, so we should configure the client to copy and rename the claims to match its expectations.

DI Integration

OAuth2 Client

  • audience
  • trusted
  • allow-all-role-to-login

Webhooks

Automation Integration

See config.edn for the configuration of the iroh-ao API/bootstrap. See Mark for help.

OAuth2 Client

  • audience
  • trusted
  • allow-user-scopes
  • short tokens
  • org-level-authorization

Webhooks

1-click module setup integrations

Every team should have a dedicated Org. At least one dev on the team should create the OAuth2 client to be used.

Once the dev has tested it with their own org, the client should be promoted to be available to everyone, and after that marked as trusted.

The team should also create the module-type, which should then be promoted to global visibility.

Maintenance

Every dynamic change must be made on all environments, and often needs master-user privileges. Typically:

  • module-type change.
  • OAuth2 client change (URL)
  • create specific tenant for PMs/Tests

Expect a few hours a week.