Table of Contents

Compliance XCH API

At the moment we support four different API calls for NCCM and compliance:

Forcing an NCCM poll

You can also force an NCCM poll through the exchange server. A sample exchange XML call looks like this:

<task>
  <head
    userid="--your login name--"
    passwd="--your (encrypted) password--"
    task_type="xml_request"
    task_name="nccm_run"
  />
  <request
    node_name="switch13"
    fqdn="192.168.60.113"
  />
</task>

The parameters you can send are simple:

These nodes will be scheduled for an NCCM poll and they will be picked up on the nccmd daemon's next cycle (if load permits).

Submit a manual NCCM configuration

The configurations are normally retrieved from the nodes (jobs, nccm poll). But sometimes it could be desired to upload a configuration directly into the NCCM. For example when a node configuration cannot be retrieved directly and a NCCM report or Compliance check is required anyway.

The nccm_submit API call allows you to create an NCCM entry for a node as the 'latest' configuration. To submit a configuration for a node it must exist as either a CMDB node or as an YCE node.

The configuration can be submitted with an optional attribute, nccm_polltime, to insert a manual timestamp of the configuration instead of the current date and time. However, as with GIT and other 'diff' based storage engines, the NCCM cannot process submitted configurations out-of-order. The provided polling timestamps are mostly administrative and the configuration is still considered the 'latest' superseding the previous configuration. The option is useful mostly to submit a series of configurations taken at different historical moments. Their order is NOT verified or enforced although a transaction with an invalid or badly formatted nccm_polltime is rejected. The nccm_polltime must be formatted as “YYYY-MM-DD hh:mm:ss”.

As the configuration will be embedded in the XML-formatted API call, precautions must be taken to prevent conflicting XML characters in the configuration. Two options exists to achieve this.

First the configuration can be encoded using HTML codes. The < and > will then be encoded as &lt; and &gt; respectively and some other characters will be treated likewise. The use of encoding must be explicitly indicated in the request by adding xml_decode=“yes” in the “head” and <xml_decode>config</xml_decode> in the “request” part of the API call. This informs the API that the field “config” must be decoded.

An example of this call using encoding:

<task>
  <head 
    userid="username" 
    passwd="xxxxxxxxxxxxxx" 
    log_level="0" 
    task_type="xml_request" 
    task_name="nccm_submit" 
    xml_decode="yes" />
  <request > 
    <node_name>asd--cr01001</node_name>
    <nccm_polltime>2022-09-27 09:20:00</nccm_polltime>
    <xml_decode>config</xml_decode>
    <config>
#
# This configuration is automatically generated at 2022-06-09 16:59:00
#
hostname &lt;asd--cr01001&gt;
 
snmp-server localhost
#
interface loopback 
  address 127.0.0.1 255.255.255.255
#
end
    </config>
  </request>
</task>

The second option is to insert the configuration as CDATA. This encapsulates the configuration using the header <![CDATA[ and footer ]]>, which informs the XML decoder to ignore any xml characters within this section. The use of CDATA does not require any variables in the API request.

The same example using CDATA for the configuration:

<task>
  <head 
    userid="username" 
    passwd="xxxxxxxxxxxxxx" 
    log_level="0" 
    task_type="xml_request" 
    task_name="nccm_submit" />
  <request node_name="asd--cr01001">
<config><![CDATA[
#
# This configuration is automatically generated at 2020-06-09 16:59:00
#
hostname <asd--cr01001>
 
snmp-server localhost
#
interface loopback
  address 127.0.01
#
end
]]></config>
  </request>
</task>

The response to these calls:

<task>
  <head> ... </head>
  <request> ... </request>
  <response 
    nccm_status="configuration unchanged, not added to nccm" 
    request_error="0" 
    request_status="completed">
    <log>configuration has '14' lines</log>
    <log>configuration unchanged, not added to nccm</log>
    <nccm_data 
      action="upload" 
      job_descr="nccm upload" 
      node_domain="DOM013400" 
      node_fqdn="asd--cr01001.acme.com" 
      node_name="asd--cr01001" 
      node_vendor="HP_C5" 
      operator="username" 
      session_type="mgmt" 
      state="manual" 
      verbose="1"/>
  </response>
</task>

If a configuration was determined as unchanged, the response nccm_status will say as much. When a new entry is created in the NCCM, the message will read “created new nccm diff config: 65”, where the number refers to the Nccm_id where it is stored.

The response will also return the node details it used to create the NCCM entry like the fqdn, vendor and domain name.

Forcing a Compliance check

You can also force a Compliance check through the exchange server. A sample exchange XML call looks like this:

<task>
  <head
    userid="--your login name--"
    passwd="--your (encrypted) password--"
    task_type="xml_request"
    task_name="cmpl_run"
  />
  <request
    node_name="switch13"
    fqdn="192.168.60.113"
  />
</task>

The parameters you can send are simple:

These nodes will be scheduled for compliance and they will be picked up on the nccmd daemon's next cycle (if load permits).

Requesting reports

You can request reports with the same search filters as you can in the reports form (for more information, refer to the Reports section. A sample request looks like this:

<task response="">
    <head
        userid="--your login name--"
	passwd="--your (encrypted) password--"
	task_type="xml-request"
	task_name="cmpl_report"
    />
    <request
        type="rules"
        report_template_id="1001"
	hostname="ASD-CR01001"
        policy_id="1005"
        policy_name="Compliance Check 1"
        rule_name="Compliance Check 2"
        vendor_type="Cisco_IOS"
        group_name="Cisco_IOS"
	detail_level="3"
        status="0"
        severity="Critical"
        report_summary="is not compliant"
    />
</task>

Either one of these following is mandatory, to prevent overloading the system

Additional parameters to set as filters:

A sample return is as follows:

<task>
    <head abort_on_error="1" error="0" log_level="0" passwd="--encrypted password--" req_host="eth0gate.netyce.org" status="completed" task_id="0127_0005" task_level="2" task_name="cmpl_report" task_type="xml-request" userid="NetYCE">
    <logs> </logs>
</head>
<request Group_name="1234" hostname="swi" request_id="1" type="rules"> </request>
    <response request_error="0" request_status="completed">
    <reports Compliance="Not compliant" Hostname="switch1" Policy_id="523" Policy_name="Test Policy" Report_details="Rule 'test 3' compliance failure:" Report_id="138835" Report_rule_id="156547" Rule_id="5015" Rule_name="test 3" Severity="1" Severity_color="#cc9977" Severity_text="Minor" Status="0" Vendor_type="HP_C5"/>
    <reports Compliance="Compliant" Hostname="switch1" Policy_id="523" Policy_name="Test Policy" Report_details="Rule 'test' compliance success. " Report_id="138835" Report_rule_id="156535" Rule_id="2961" Rule_name="test" Severity="1" Severity_color="#cc9977" Severity_text="Minor" Status="1" Vendor_type="HP_C5"/>
    <reports Compliance="Compliant" Hostname="switch1" Policy_id="523" Policy_name="Test Policy" Report_details="Rule 'test 2' compliance success. " Report_id="138835" Report_rule_id="156539" Rule_id="5013" Rule_name="test 2" Severity="1" Severity_color="#cc9977" Severity_text="Minor" Status="1" Vendor_type="HP_C5"/>
    </response>
</task>