Thales CipherTrust Manager Backup Script via PowerShell and API

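# Backs up every listed CipherTrust Manager / KeySecure appliance through its REST API:
# authenticate, create a backup, poll until it completes, download it, delete it from the
# appliance, then email a success/error summary.

# Make Windows negotiate TLS 1.2. This is set before the first request so that it covers
# the API calls as well as the SMTP session, not only the mail step at the end.
[System.Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# KeySecure API endpoints (IP address or DNS name of each appliance)
$keysecures = @("%KeysecureIPorDNS%")

# Import credentials from the credential XML. Each <Credential> node is read for its
# Name, User and Password values (see the Where-Object filters and hashtable below).
# NOTE(review): the passwords in this file are readable by anyone who can read the share,
# so the file ACL is the only control protecting an appliance admin account. Restrict it to
# the account that runs this script, or move to a DPAPI-protected store
# (Export-Clixml / Import-Clixml of a PSCredential) - confirm which fits the environment.
# NOTE(review): the dash in the path below is kept exactly as published; confirm it matches
# the real folder name (a plain hyphen may have been converted when the script was posted).
$credxml = Select-Xml -Path "\\sydfileserver\shared\Security\Project 2020 – Huon\CLI\Credentials.xml" -XPath '/Credentials/Credential' |
    Select-Object -ExpandProperty Node

# Pick the credential entries by name
$kscreds = $credxml | Where-Object { $_.Name -eq "keysecure" }
# Loaded for the SCP step, which is not implemented in this script (see "move to SCP NFS")
$pscpcreds = $credxml | Where-Object { $_.Name -eq "pscp" }

# Request body for the token call
# NOTE(review): a hashtable passed to -Body on a POST is sent form-encoded, not as JSON,
# unless it is converted first - confirm the appliance accepts this.
$authBody = @{ username = $kscreds.User; password = $kscreds.Password }

# Accumulates the HTML email body; any line containing "Error" flips the subject to the error one
$body = ''

# Loop through all KeySecures
foreach ($keysecure in $keysecures) {
    # Output current KeySecure
    $keysecure
    $backupId = ''

    try {
        # Make API request to get a bearer token (valid for 300 seconds per the original author)
        $tokenResponse = Invoke-WebRequest -Uri "https://$keysecure/api/v1/auth/tokens" -Method Post -Body $authBody -UseBasicParsing |
            ConvertFrom-Json

        # Build header with bearer token for the following requests
        $headers = @{ Authorization = "Bearer $($tokenResponse.jwt)" }

        # Create backup
        # NOTE(review): backupKey is left empty; presumably the appliance then uses its
        # default backup key - confirm, since that key is what protects the downloaded file.
        $params = @{ tiedToHSM = "false"; scope = ""; backupKey = "" }
        $response = Invoke-RestMethod -Uri "https://$keysecure/api/v1/backups" -Method Post -Headers $headers -Body $params -UseBasicParsing

        # Output backup ID for fault finding
        $backupId = $response.id
        $backupId

        # The backup holds the appliance's key material. C:\Temp is often readable by other
        # local users, and the file stays there because the move to SCP/NFS is not implemented.
        # Prefer a directory restricted to the account running this script.
        $backupFile = "C:\Temp\${keysecure}${backupId}.bak"

        # Poll the backup status: 12 tries, 5 seconds apart
        $maxRetries = 12
        $retryCount = 0
        $completed = $false

        while (-not $completed) {
            # Get backup status
            # NOTE(review): this endpoint is queried without the backup id, so it is assumed
            # to report on the backup just created - confirm.
            $bkstatus = Invoke-RestMethod -Uri "https://$keysecure/api/v1/backupStatus" -Method Get -Headers $headers -UseBasicParsing

            # Output backup status for fault finding
            $bkstatus.status

            if ($bkstatus.status -eq "Completed") {
                $completed = $true

                # Download file
                Invoke-RestMethod -Uri "https://$keysecure/api/v1/backups/$backupId/download" -Method Get -Headers $headers -OutFile $backupFile

                # move to SCP NFS (not implemented)

                # Delete the backup from the appliance only after the local copy exists and is not empty
                if (Test-Path -LiteralPath $backupFile) {
                    if ((Get-Item -LiteralPath $backupFile).Length -gt 0kb) {
                        Invoke-RestMethod -Uri "https://$keysecure/api/v1/backups/$backupId" -Method Delete -Headers $headers -Body $params -UseBasicParsing
                        $body += $keysecure + ' backed up using ' + $backupId + " id<br>"
                    }
                    else {
                        $body += "Error" + $keysecure + $backupId + " File 0kb<br>"
                    }
                }
                else {
                    $body += "Error" + $keysecure + $backupId + " Backup file does not exist<br>"
                }
            }
            elseif ($retryCount -ge $maxRetries) {
                # Report the timeout and stop polling. Without this exit the loop never ends
                # and keeps appending the same error line.
                $body += "Error" + $keysecure + $backupId + 'Max retries exceeded wating for backup<br>'
                break
            }
            else {
                # Wait 5 seconds and try again
                Start-Sleep -Seconds 5
                $retryCount++
            }
        }
    }
    catch {
        # A failed request must show up in the report instead of being skipped silently.
        # Only the exception message is reported (never the token or the credentials), and it
        # is HTML-encoded because the mail body is sent as HTML.
        $body += "Error" + $keysecure + $backupId + " " + [System.Net.WebUtility]::HtmlEncode($_.Exception.Message) + "<br>"
    }
}

# Email out
$EmailFrom = "%FROMEMAIL%"
$EmailTo = " %TOEMAIL%  "
# Note: use a comma separated list if there is more than one CC email address below
$EmailCopies = " %TOEMAIL% "

if ($body -like '*Error*') {
    $Subject = 'Keysecure Backup Error'
}
else {
    $Subject = 'Keysecure Backup Success'
}

$mailMessage = New-Object Net.Mail.MailMessage($EmailFrom, $EmailTo, $Subject, $body)
foreach ($addr in $EmailCopies.Split(',')) {
    # Skip empty entries and strip the padding around each address
    $cc = $addr.Trim()
    if ($cc) { $mailMessage.CC.Add($cc) }
}
$mailMessage.IsBodyHtml = $true

$SMTPServer = "%SMTP%"
$SMTPClient = New-Object Net.Mail.SmtpClient($SMTPServer)
$SMTPClient.EnableSsl = $true
$SMTPClient.Send($mailMessage)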
