{"id":5372,"date":"2021-08-04T23:52:09","date_gmt":"2021-08-04T23:52:09","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=5372"},"modified":"2021-11-04T23:53:16","modified_gmt":"2021-11-04T23:53:16","slug":"thales-cipher-trust-manager-backup-script-via-powershell-and-api","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/thales-cipher-trust-manager-backup-script-via-powershell-and-api","title":{"rendered":"Thales Cipher Trust Manager Backup Script via Powershell and API"},"content":{"rendered":"

# KeySecure API endpoint and POST params
$keysecures = @(“%KeysecureIPorDNS%”)

#Import Credentials from Credential XML, this is protected by file level application for security Format <Credentials><Credential><Name\\User\\Password>keysecure<\/Name\\User\\Password><\/Credential><\/Credentials>
$credxml = Select-Xml -Path \u00a0“\\\\sydfileserver\\shared\\Security\\Project 2020 – Huon\\CLI\\Credentials.xml” -XPath ‘\/Credentials\/Credential’ | Select-Object -ExpandProperty Node

#import credentials from XML into values to be used
$kscreds = $credxml | Where-Object {$_.Name -eq “keysecure”}
$pscpcreds = $credxml | Where-Object {$_.Name -eq “pscp”}

#change ks creds for Json
$kscreds = @{ username = $kscreds.User; password = $kscreds.Password; }

#look through all KeySecures and do
foreach ($keysecure in $keysecures) {
\u00a0 \u00a0 #Output current Keysecure
\u00a0 \u00a0 $keysecure

\u00a0 \u00a0 # Make API request to get bearer token valid for 300 Seconds
\u00a0 \u00a0 $bearer_token = Invoke-WebRequest https:\/\/$keysecure\/api\/v1\/auth\/tokens -Method Post -Body $kscreds -UseBasicParsing | ConvertFrom-Json
\u00a0 \u00a0 $bearer_token = $bearer_token.jwt
\u00a0 \u00a0 #Build Header with Bearer Token for Future Requests
\u00a0 \u00a0 $headers = @{Authorization = “Bearer $bearer_token”}

\u00a0 \u00a0 #Create Backup
\u00a0 \u00a0 $params = @{ tiedToHSM = “false”; scope = “”; backupKey =””; }
\u00a0 \u00a0 $response = Invoke-RestMethod -Uri https:\/\/$keysecure\/api\/v1\/backups -Method Post -Headers $headers \u00a0-Body $params -UseBasicParsing

\u00a0 \u00a0 #Output Backup ID for Fault Finding
\u00a0 \u00a0 $response.id<\/a>
\u00a0 \u00a0 $response = $response.id<\/a>
\u00a0 \u00a0 #While look to check Backup status then download and delete backup once completed


\u00a0 \u00a0 #12 tries 5 Seconds each
\u00a0 \u00a0 $maxRetries = 12; $retryCount = 0; $completed = $false

\u00a0 \u00a0 #Check for Loop to complete
\u00a0 \u00a0 while (-not $completed) {

\u00a0 \u00a0 #Get Backup Status
\u00a0 \u00a0 $bkstaus = Invoke-RestMethod -Uri https:\/\/$keysecure\/api\/v1\/backupStatus -Method get -Headers $headers -UseBasicParsing;
\u00a0 \u00a0 #Output Backup Status for Fault Finding
\u00a0 \u00a0 $bkstaus.status


\u00a0 \u00a0 \u00a0 \u00a0 if ($bkstaus.status -eq “Completed”){

\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 $completed = $true

\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 #download File
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Invoke-RestMethod -Uri https:\/\/$keysecure\/api\/v1\/backups\/$response\/download -Method get -Headers $headers -OutFile “C:\\Temp\\$keysecure$response.bak”
\u00a0 \u00a0 \u00a0 \u00a0
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 #move to SCP NFS\u00a0



\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 #check File Exists
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 IF (Test-Path C:\\Temp\\$keysecure$response.bak) {
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 #Check not 0KB
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 If ((Get-Item C:\\Temp\\$keysecure$response.bak).length -gt 0kb) {
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0#delete File from KeySecure
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0Invoke-RestMethod -Uri https:\/\/$keysecure\/api\/v1\/backups\/$response -Method delete -Headers $headers \u00a0-Body $params -UseBasicParsing
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0$body += $keysecure+’ backed up using ‘ + $response + ” id<br>”

\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 } \u00a0else { $body += “Error” + $keysecure+$response + \u00a0” File 0kb<br>” }
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 } \u00a0else { $body += “Error” + $keysecure+$response + \u00a0” Backup file does not exist<br>” }



\u00a0 \u00a0 \u00a0 \u00a0 }
\u00a0 \u00a0 \u00a0 \u00a0 else {

\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0if ($retryCount -ge $maxRetries) {
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0#output error for retries waiting for backup to complete
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0$body += “Error” + $keysecure+$response+ ‘Max retries exceeded wating for backup<br>’
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 } else {
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 #wait 5 seconds and try again
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Start-Sleep -Seconds ‘5’
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 $retryCount++

\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 }
\u00a0 \u00a0 \u00a0 \u00a0 }


\u00a0 \u00a0 }

}


#email out

$EmailFrom = %FROMEMAIL%”;
$EmailTo = ” %TOEMAIL%\u00a0 “;
#Note: Use comma separated list if more than one CC email address below:
$EmailCopies = ” %TOEMAIL% “;\u00a0
if($Body -like ‘*Error*’) {$Subject= ‘Keysecure Backup Error’} Else { $Subject = ‘Keysecure Backup Success’} ;
$Body = $body;
$mailMessage = New-Object Net.Mail.MailMessage($EmailFrom, $EmailTo, $Subject, $Body);
foreach ($addr in $EmailCopies.split(‘,’)) {
$mailMessage.CC.Add($addr );
}
$mailMessage.IsBodyHtml = $true;
$SMTPServer = “%SMTP%”;
# Make Windows negotiate higher TLS version:
[System.Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;
$SMTPClient = New-Object Net.Mail.SmtpClient($SmtpServer);
$SMTPClient.EnableSsl = $true;
$SMTPClient.Send($mailMessage);<\/p>","protected":false},"excerpt":{"rendered":"

# KeySecure API endpoint and POST params$keysecures = @(“%KeysecureIPorDNS%”)#Import Credentials from Credential XML, this is protected by file level application for security Format <Credentials><Credential><Name\\User\\Password>keysecure<\/Name\\User\\Password><\/Credential><\/Credentials>$credxml = Select-Xml -Path […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-5372","post","type-post","status-publish","format-standard","hentry","category-research"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t