Posted on 04-25-2018 04:35 PM
I'm curious how people are managing security for the REST API. With only basic auth it's a huge security risk. I've added a feature request to implement OAuth on the API if anyone is interested in voting it up:
In the meantime we're going to have to disable the API because the security team is concerned that it will be compromised. How are other people solving this issue?
Posted on 04-25-2018 04:58 PM
I’m handling it by using an admin only node that does accept outside connections on my cluster. I have deleted it from the other tomcat nodes.
Posted on 04-26-2018 02:22 AM
Can you explain how your setup works in a bit more detail?
Posted on 04-26-2018 04:23 AM
@tangerinehuge I've added my vote ;-)
Do you know if it's possible to disable the API on a Jamf hosted JSS instance?
With GDPR coming into force in a matter of weeks, our Cyber Sec team are getting increasingly twitchy about anything that can serve up user related details (not to mention things like SMTP and Network information) and will have kittens over an unsecured API!
Posted on 04-26-2018 06:00 AM
Very simple...setup a limited access dmg as the document described...ensure all internal and external communication is working for you as needed. That’s the important step and that all functions of the JSS work as you require in both places.
Once that difficult first step is done, to disable the API externally, you would delete the api folder from your root context on the dmz instance and modify your web.xml on your dmz instance to disallow the restletservlet
I gave a beginners presentation on clustering last year at JNUC. I would start there: https://m.youtube.com/watch?v=WSGiEXfd6hY
If you are intrigued by the concepts presented, consider signing up for the Certified Server Admin course as it goes into the fine-grain nuts and bolts of scaling for most any situation along with securing it. As a result of that course, the api for our server is only available internally.
Posted on 04-26-2018 06:06 AM
I’ll ask in advance that you forgive my less than stellar presentation skills... content was solid though and based on what you learned from that presentation I’m more than willing to answer any questions that I can for you.
Posted on 04-26-2018 12:04 PM
Thanks for the detailed explanation. I have my system setup similarly. I was hoping there was another way to access the API from an external source in a secure manner but I'm guessing that won't be possible until JAMF implements better security. Disabling the API externally makes it difficult to integrate other cloud based services with JAMF Pro.
@jsherwood I'm not sure about disabling things in a hosted environment. I'd open a support ticket to see if they can turn it off for you.
Posted on 04-26-2018 01:21 PM
If I need to use the api at home or off campus, I establish a vpn connection on my MacBook and hit the admin url/instance. Perhaps you could set up some vpn to allow your connections between your internal admin console (with api enabled) and whichever service you are using.
Posted on 04-26-2018 05:23 PM
Yeah that's probably what we'll end up doing. Do you know of a way to disable the Universal API? That's also a potential target.
Posted on 04-26-2018 05:25 PM
Honestly no...I would likely escalate that to your jamf buddy. Someone should be able to clarify for sure. I know you disable the rest api in your web.xml file by disabling a Tomcat servlet