What is/are: Secure Use of the NSS Data-gathering API

Introduction

NSS consists of three main elements: an engine that crawls file systems and gathers information about the user data stored; an engine that monitors file system activity and triggers actions (prevent paths from exceeding a size, prevent certain file types from being saved, send email notifications); and a series of client interfaces that allow the other two elements to be used (configure policies, view gathered data, etc.).

The NSS Console introduced a new client architecture for the third of these elements. This architecture will, over time, become the uniform interface for managing and using all capabilities of NSS.

Besides a new focus on information, rather than data, and the ability to securely distribute access to this information, the NSS Console also interacts with the data-gathering engine of NSS in a very different way to the 'classic' Storage Reporter interface. All communication is carried out through an API; the NSS Data-gathering API. This API, besides being used internally by NSS, is also available to customers and the Northern Professional Services team to achieve high levels of policy integration.

Customers can, usually with support from the Northern Professional Services team, program against the Data-gathering API to automate complex processes and/or collect very specific data about how storage is being used. The output of scripts that use the API is usually in the form of file-lists, but with more advanced scripts any manner of results can be achieved.

Clearly the NSS Data-gathering API is a powerful tool that must be made secure.

Securing Access to the API

There are two recommended approaches, the choice of which will depend on the user account(s) that will be used when calling the API.

When multiple users should be able to call the Data-gathering API:
Each user account that should be able to call the API on a specific NSS server must be a member of a local security group on that server. The local group must be called "NSSCoreAdmins". This group is not created automatically by NSS; it must be created manually and accounts must be added to it manually.

When only the NSSCore Server service account will call the Data-gathering API:
This is usually the case when scripts are configured to run on a schedule through Windows Task Scheduler. Within Task Scheduler, the security context for the script should be configured as the NSSCore Server service account. In this configuration, no special group membership is needed - the NSSCore Server service account always has the right to communicate with the Data-gathering API.
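
For the multi-user approach above, the following PowerShell is an added example (not part of the original article or of NSS) that creates the local "NSSCoreAdmins" group if it is missing, adds the approved accounts, and warns about any member that is not on the approved list. The account names are constructed placeholders; the script assumes Windows PowerShell 5.1 or later and an elevated session on the NSS server.

```powershell
#Requires -RunAsAdministrator
# Added example: keep the local NSSCoreAdmins group limited to approved accounts.

$GroupName = 'NSSCoreAdmins'   # group name required by NSS (from the article)

# Constructed placeholder accounts; replace with the accounts approved to call the API.
$Approved = @('EXAMPLE\svc-reporting', 'EXAMPLE\jdoe')

# NSS does not create the group, so create it when it is missing.
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description 'May call the NSS Data-gathering API' | Out-Null
    Write-Output "Created local group $GroupName"
}

# Current members as DOMAIN\name strings (empty array when the group has no members).
$current = @(Get-LocalGroupMember -Group $GroupName | Select-Object -ExpandProperty Name)

# Add approved accounts that are not yet members.
foreach ($account in $Approved) {
    if ($current -notcontains $account) {
        Add-LocalGroupMember -Group $GroupName -Member $account
        Write-Output "Added: $account"
    }
}

# Report unexpected members for review instead of removing them silently.
foreach ($member in $current) {
    if ($Approved -notcontains $member) {
        Write-Warning "Unapproved member of ${GroupName}: $member"
    }
}
```

A domain group added as a member appears as a single entry, so its own membership has to be reviewed separately.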

Contact your Account Manager or Solution Manager (for customers with Augmented Support and Maintenance) for further details about the NSS Data-gathering API and how it can be used to integrate advanced UDM policies.

KB Article: 3053

Updated: 7/7/2015

  • Category
    • Reference
  • Affected versions
    • 9.60.18562.1411 [9.6 SR2]
    • 9.61.18723.1502 [9.61]
    • 9.61.18853.1503 [9.61 SR1]
    • 9.61.18990.1505 [9.61 SR2]
    • 9.61.19180.1506 [9.61 SR3]
