ArcSight APIs SDK Service-Oriented Architecture ESM

SN66: APIs, SDK and Service-OrientedArchitecture in ArcSight ESM Yanlin Wang Software Architect September 2010 © 2010 ArcSight, Inc. All rights reserved. ArcSight and the ArcSight logo are trademarks of ArcSight, Inc. All other product and company names may be trademarks or registered trademarks of their respective owners. www.arcsight.com © 2010 ArcSight Confidential 1 Overview  This session will be geared towards the advance ArcSight ESM user, system integrator, ISV, etc.  To learn how to programmatically consume ArcSight ESM functionalities – Run report in your portal – Retrieve ArcSight ESM resource data – Coding required www.arcsight.com © 2010 ArcSight Confidential 2 Agenda  Server architecture overview  ArcSight ESM service layer  SDK & development environment  Developing ArcSight ESM application www.arcsight.com © 2010 ArcSight Confidential 3 Server Architecture Overview www.arcsight.com © 2010 ArcSight Confidential 4 . 0 Client www.arcsight.Server Architecture Overview ArcSight ESM – The Open Platform Plugin DM Plugin DM ESM Plugin ESM Open Platform Web 2.com Web Service Client JMX-WS/WSMan Client © 2010 ArcSight Confidential iPhone/iPad 5 . arcsight.com © 2010 ArcSight Confidential 6 .Server Architecture Overview Demo www. etc.Server Architecture Overview Server Architecture  Next generation J2EE technology – ArcSight DM Framework  ArcSight ESM service layer – enterprise SOA platform – Expose ArcSight ESM functionalities to web services: SOAP. REST/JSON.com © 2010 ArcSight Confidential 7 .arcsight. REST/XML. – SDK  New management tools – ArcSight DM console – Remote JMX tool www. GWTRPC. com © 2010 ArcSight Confidential 8 .arcsight.Server Architecture Overview ArcSight ESM Manager Components Diagram ESM Service Layer Dynamic Modules ESM Manager Server DM Plugin DM Plugin DM Plugin DM ArcSight DM Framework ArcSight DM Core Services J2EE Container DM Service ArcSight DM Service Extention Equinox (OSGI) JVM www. ArcSight ESM Service Layer www.com © 2010 ArcSight Confidential 9 .arcsight. ArcSight ESM Service Layer What is ArcSight ESM Service Layer  A SOA platform – Expose ArcSight ESM functionalities to web services  Provides a suite of loosely coupled services with multiple protocols – SOAP. JMX-WS (WS-Man). GWTRPC.com © 2010 ArcSight Confidential 10 . REST (XML/JSON).  Options to consume the ArcSight ESM service – By Java service client API (ArcSight ESM SDK) • SOAP Client API • RESTful Scripts • GWTRPC Client API – By protocol • WSDL www.arcsight. etc. com Jersey JAXRS1.arcsight.ArcSight ESM Service Layer Service Implementation ArcSight ESM Manager ArcSight ESM Service Layer AXIS2 JAXWS SOAP www. XML GWT RPC JMXW S © 2010 ArcSight Confidential 11 .0 GWTRPC JSR262 RI REST/J SON. arcsight.ArcSight ESM Service Layer General Steps of Consuming Service  Login through LoginService and get auth token  Use auth token to consume services www.com © 2010 ArcSight Confidential 12 . ArcSight ESM Service Layer Example of Consuming Service via REST XML (1 of 3)  Login and get auth token – https://myhost:8443/www/coreservice/rest/LoginService/login?login=admin&password=password www.com © 2010 ArcSight Confidential 13 .arcsight. arcsight.ArcSight ESM Service Layer Example of Consuming Service via REST XML (2 of 3)  Search a data monitor with text string (Same function as console full text search) – https://myhost:8443/www/managerservice/rest/ManagerSearchService/search1?authToken=hudcmyGWT hlIGhJtWr9ZZxUZvvT9gIhKpTg4S8QHgPw.&queryStr=datamonitor event throughput&pageSize=50 www.com © 2010 ArcSight Confidential 14 . &id=C6G3MNPMAABCAbTjj DsBRuQ== www.ArcSight ESM Service Layer Example of Consuming Service via REST (3 of 3)  Get the detailed resource data – https://myhost:8443/www/managerservice/rest/ResourceService/findByUUID?authToken=hudcmyGWThlI GhJtWr9ZZxUZvvT9gIhKpTg4S8QHgPw.com © 2010 ArcSight Confidential 15 .arcsight. 0 Services – ArchiveReportService – ManagerSearchService – ResourceService – DashboardService Currently Service Layer provides service around following resources – ArchiveReport – Dashboard – DataMonitor – FileResource – Portlet – Report – Basic Resource (contains attributes share among all resources) – Resource Reference – ViewerConfigurarion www.com © 2010 ArcSight Confidential 16 .ArcSight ESM Service Layer Service Layer in ArcSight ESM 5.0    SOA infrastructure ArcSight ESM 5.arcsight. com © 2010 ArcSight Confidential 17 .ArcSight ESM Service Layer How to Find Out Services  https://myhost:8443/www/manager-service/services/listServices www.arcsight. ArcSight ESM Service Layer How to Find Out WSDL  https://myhost:8443/www/managerservice/services/servicename?wsdl www.arcsight.com © 2010 ArcSight Confidential 18 . com © 2010 ArcSight Confidential 19 .SDK & Development Environment www.arcsight. SDK & Development Environment ArcSight ESM Service Layer SDK  SDK is a set of tools and libraries provided for software developers to create their own application which consumes services provided by ArcSight ESM service layer  SDK contains SOAP and GWTRPC client Java API – Generate report – Full text search – Retrieve resource data  SDK is installed within ArcSight ESM manager – $ARCSIGHT_HOME/utilites/sdk/lib • Service client API libraries • Java doc are located www.com © 2010 ArcSight Confidential 20 .arcsight. security.validator.arcsight.ValidatorException: PKIX path building failed www.com © 2010 ArcSight Confidential 21 .6.CertificateException: No subject alternative names present – Wrong CA cert or self signed cert will get exception sun.security.SDK & Development Environment Setup JDK  Install JDK 1.cert.0_17 or above  Import ArcSight ESM manager’s CA cert or self signed cert to jdk/lib/security/cacerts – self signed certificate with ip address in CN will get exception java. 0_17 as default JDK  Create new project – Add SDK library jar files to project build path • Project->properties->Java Build Path->Libraries->Add Variable… • Choose ESM_SDK_LIB -> Extend… • Add all SDK library jar files www.arcsight. ESM_SDK_LIB) pointing to $ARCSIGHT_HOME/utilites/sdk/lib  User JDK 1.com © 2010 ArcSight Confidential 22 .6.SDK & Development Environment Setup IDE – Eclipse  Add user libraries – Preferences->Java->Build Path->Classpath Variables – Create Variable (eg. com © 2010 ArcSight Confidential 23 .arcsight.Developing ArcSight ESM Application www. // set the service base url.186:8443/www/").setBaseURL("https://10.createClient().arcsight.setProperty("com.ws.coma. // invoke login service and get authToken String authToken = loginService. ESM’s service base url is // https://host:port/www/ System. // loginServiceClientFactory.Developing ArcSight ESM Application Example of Consuming Service via SOAP Client API Provided in SDK (Slide 1 of 2) // ================================================= // Invoke Login Service // ================================================= // construct LoginServiceFactory (LoginService is part of core service // module) LoginServiceClientFactory loginServiceClientFactory = new LoginServiceClientFactory(). www. // create service client instance from factory LoginService loginService = loginServiceClientFactory. "password").arcsight.baseURL".4.login(null.client. "https://yanlinwang-pc:8443/www/"). "admin".com © 2010 ArcSight Confidential 24 .21. com © 2010 ArcSight Confidential 25 . www.arcsight.id=" + fileId).initDefaultArchiveReportDownloadByURI( authToken.Developing ArcSight ESM Application Example of Consuming Service via SOAP Client API Provided in SDK (Slide 2 of 2) // ================================================= // Invoke Archive Report Service // ================================================= ArchiveReportServiceClientFactory archiveReportServiceClientFactory = new ArchiveReportServiceClientFactory(). "/All Reports/ArcSight Administration/ESM/Configuration Changes/Resources/Resource Updated Report".html").command=download&file. // create service client instance from factory ArchiveReportService archiveReportService = archiveReportServiceClientFactory . "Manual"). the // return will be archive report file id. // invoke report service to create achiveReport by a reported. // Download report using the download job id download( new URL( "https://yanlinwang-pc:8443/www/manager-service/fileservlet?file. "Resources Updated Report. String fileId = archiveReportService . you can use that to download // report.createClient(). com © 2010 ArcSight Confidential 26 .Developing ArcSight ESM Application APIs  ArchiveReportService – generate archive report  ManagerSearchService – full text search resources  DashboardService – retrieve dashboard data  ResourceService – retrieve resource data  InfoService – retrieve manager server info www.arcsight. xxx.html in the extracted folder with web browser – Get SDK development guide from support www.Developing ArcSight ESM Application Documents – Find ArcSight ESM web services API in $ARCSIGHT_HOME/utilites/sdk/lib /manager-javadoc1.0.jar – Extract jar file into a folder – Open index.release.arcsight.com © 2010 ArcSight Confidential 27 .0. Developing ArcSight ESM Application Test and Debug  Check ArcSight ESM manager log  Use browser and REST URL to test  Write unit test before integrating into the system www.com © 2010 ArcSight Confidential 28 .arcsight. Developing ArcSight ESM Application Consuming Service via REST Programmatically (Slide 1 of 4)  Pros – Simple – No need to setup SDK libraries – Return data will be XML/JSON  Cons – Not strong typed – Not suitable for large application www.arcsight.com © 2010 ArcSight Confidential 29 . search1) * @param params .ESM service name (eg. } www. questionMark = true.getValue())).getKey() + "=" + new String(URLEncoder. String> param : params. for (Entry<String. } else { url = url + "&" + param. String> params) { String url = "https://yanlinwang-pc:8443/www/" + moduleName + "/rest/" + serviceName + "/" + methodName. } } return url.entrySet()){ if (!questionMark) { url = url + "?" + param. boolean questionMark = false.encode(param.REST service parameters * @return url string */ public static String getRestUrl (String moduleName.Developing ArcSight ESM Application Consuming Service via REST Programmatically (Slide 2 of 4) /** * generate ESM REST service URL based on parameters * * @param moduleName . manager-service) * @param serviceName . String methodName. HashMap<String.service method name (eg.com © 2010 ArcSight Confidential 30 .getKey() + "=" + new String(URLEncoder.arcsight.getValue())).encode(param. String serviceName.ESM service module (eg. ManagerSearchService) * @param methodName . getInputStream())).service method name (eg. manager-service) * @param serviceName . while ((line = in. serviceName. ManagerSearchService) * @param methodName . URL url = new URL(urlstr).toString().ESM service name (eg.readLine()) != null) { sb. String methodName. BufferedReader in = new BufferedReader(new InputStreamReader(connection. } www. String> params) throws Exception { String urlstr = getRestUrl(moduleName. URLConnection connection = url. HashMap<String.REST service parameters * @return REST response xml * @throws Exception */ public static String getRestXml(String moduleName.openConnection().ESM service module (eg. String line. params). String serviceName.arcsight. methodName.com © 2010 ArcSight Confidential 31 . } in.close(). search1) * @param params . return sb.Developing ArcSight ESM Application Consuming Service via REST Programmatically (Slide 3 of 4) /** * Query a REST service and return the xml data * * @param moduleName .append(line). StringBuffer sb = new StringBuffer(). "50"). "password"). params). params.put("login". "search1". String>().put("pageSize". String> params = new HashMap<String.newInstance(). String xml = getRestXml("core-service".getChildNodes().newDocumentBuilder().arcsight. www.put("password".out. Node node = d. params.item(0). token).out. System.put("queryStr". "ManagerSearchService". "admin"). "LoginService".getDocumentElement().println (xml). String>(). params.com © 2010 ArcSight Confidential 32 .println("Failed to login").parse(new ByteArrayInputStream( xml. "login". // Parse the XML for token DocumentBuilderFactory f = DocumentBuilderFactory. "datamonitor event throughput" ). params. if (token==null){ System. String resXml = getRestXml("manager-service". params). params. } //Search datamonitor resource params = new HashMap<String.getBytes())).getTextContent().Developing ArcSight ESM Application Consuming Service via REST Programmatically (Slide 4 of 4) //Login through REST HashMap<String.put("authToken". DocumentBuilder b = f. return. Document d = b. String token = node. arcsight.Your Feedback Builds a Better Conference!  Text to 32075 (USA & Canada) or 447786204951 (Non-USA)  Type ARCS <space> 66 and the letter to each response SMS body example: ARCS 66ae*your comments Excellent Good Fair Poor Rate the speaker a b c d Rate the content e f g h Please provide comments: (*) enter any comments/feedback Download session replays after the conference: https://protect724.com © 2010 ArcSight Confidential 33 .arcsight.com/community/protect10 www. arcsight. Inc.com www. Corporate Headquarters: 1 888 415 ARST EMEA Headquarters: +44 (0)844 745 2068 Asia Pac Headquarters: +65 6248 4795 www.arcsight.ArcSight.com © 2010 ArcSight Confidential 34 .