Client scripting API
The BeyondTrust access console scripting feature is composed of three parts:
- The BeyondTrust Access Console Script file format
- Command line parameters for the access console
- The BeyondTrust client scripting API
The BeyondTrust Access Console script file
A BeyondTrust Console Script (BRCS) is a file that contains a sequence of commands to be executed by the BeyondTrust access console. The file extension is in the format "brcs-." The Company Site Name is the name used to access your BeyondTrust site. During installation, the BeyondTrust access console uses the OS to associate the access console with the BRCS file type. Therefore, users can double-click a BRCS file and have it automatically executed by the BeyondTrust access console.
BRCS files have the following format:
BRCS1.0
<command>
<command>
…
This is more formally expressed as:
brcs_file = header , newline , commands ;
header = "BRCS" , version ;
version = digit , "." , digit ;
commands = command { newline , command } ;
digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" ;
newline = "\n" | "\r\n" ;
Note
Script files can have a maximum of 10 commands.
Each command consists of a set of key-value pairs separated by "&". The key in each pair is separated from the value by "=". Keys and values use the percent-encoding algorithm described in RFC3986 section 2.1. This is commonly referred to as url-encoding or url-escaping. It is commonly seen in the address bar of web browsers to represent the parameters passed to a web server. Commands have the following format:
action=<action>¶meter1=value1¶meter2=value2...
This is more formally expressed as:
command = "action=", value, [ parameters ] ;
parameters = "&", parameter, [ parameters ] ;
parameter = url_encoded_string, "=", url_encoded_string ;
url_encoded_string = {* see RFC 3986 *} ;
Command line parameters for the access console
Two command line parameters exist in the access console to support BRCS:
run-script <BRCS command>
run-script-file <path to BRCS file>
These command line parameters allow users to implement BRCS login via the command line.
Different behaviors can be seen when running a script from the command line, depending on the state of the access console:
- If the access console is not running, then attempting to run a script from the command line causes the access console to start the login dialog. After the user successfully logs in, the script is run.
- If the access console is already running but the user is not logged in, then the login dialog is shown. After the user logs in, the script is run.
- If the access console is already running and the user is already logged in, then attempting to run a script from the command line causes the existing instance of the access console to run the script.
Access console exit status:
- If an invalid script is given on the command line, then the access console terminates with an exit status > 0.
- If a valid script is given on the command line, then the access console terminates with an exit status of 0.
Examples:
bomgar-acc.exe --run-script "action=start_jump_item_session&client.hostname=ABCEF02&session.custom.external_key=123456789"
bomgar-acc.exe --run-script-file my_script_file.brcs-beta60
The BeyondTrust client scripting API
The client scripting API enables you to generate a BeyondTrust Console Scripting (BRCS) file which allows you to send commands to the BeyondTrust access console from external applications.
Customers can use the client scripting API to generate BRCS files that can start a session with a specific Jump Item or to log into the access console.
The client scripting API URL is https://access.example.com/api/client_script.
This API accepts a client type (rep), an operation to perform (generate), a command to put in the script file, and a set of parameters to pass to the command. Here is an example of a valid Client Scripting API request:
https://access.example.com/api/client_script?type=rep&operation=generate&action=start_jump_item_session&client.hostname=ABCDEFG02
The above request prompts the user to download a BeyondTrust access console script file. After downloading the script file, the user can run it using the access console. In this case, the script file contains commands to start a session with the Jump Item whose hostname, comments, public IP, or private IP matches the search string "ABCDEF02".
Parameters for client scripting API
| type=rep type=web_console | The BeyondTrust client to which the command applies. Currently the API only supports rep or web_console as the client type. |
| operation=generate operation=execute | The operation to perform. Currently the API only supports generate or execute as the operation. If the type is rep, the operation should be generate. If the type is web_console, the operation should be execute. |
| action=<command>¶meter=[value] | The name of the command to run and the necessary parameters. Available actions include:
The web_console type supports only the start_jump_item_session action. |
Commands
login
When generating any BeyondTrust Console Script, the login command is automatically added as the first command in the script file. It does not need to be specified in the URL used to generate the script file.
By default, this command opens the access console and attempts to log in using the credentials saved locally in the access console. If no credentials are saved, the command opens the access console login prompt. Once the user has correctly authenticated, the script continues running.
The login command has no effect if a user is already logged into the access console.
If you wish to specify the credentials to be used, you can create a separate script specifically to be used for logging in. The login command passes the login mechanism along with a username and password. Both username and password parameters are sent in plain text and is unencrypted.
Important
- You cannot specify multiple commands in the URL used to generate a script. For example, you cannot specify login and multiple start_jump_item_session commands in the same URL. Each command must be generated as a separate script.
- A developer may edit the .brcs script file once it has been generated in order to modify the login credentials and then run another command. BeyondTrust does not support scripts modified in this manner.
Optional parameters for login command
| mechanism=[string] | The mechanism to use for authentication. Currently, only username_password is supported. If this parameter is supplied, both other parameters must also be supplied. |
| username=[string] | The username of the account with which to log in. If this parameter is supplied, both other parameters must also be supplied. |
| password=[string] | The password of the account with which to log in. If this parameter is supplied, both other parameters must also be supplied. |
Query examples: login
- Log into the access console, specifying the username and password
https://access.example.com/api/client_script?type=rep&operation=generate&action=login&mechanism=username_password&username=username&password=password
start_shell_jump_session
The start_shell_jump_session command initiates a Shell Jump session, creating an SSH or Telnet connection to a remote network device.
Required parameter for the start_shell_jump_session command
| target=[string] | The hostname or IP address of the machine targeted for a Shell Jump session. |
Optional parameters for the start_shell_jump_session command
| jumpoint=[string] | The Jumpoint through which to start the Shell Jump session. This Jumpoint must be on the same subnet as the target computer. If not specified and the user has access to only one Jumpoint, then that Jumpoint is used automatically. If not specified and the user has access to more than one Jumpoint, then a dialog opens from which the user must select a Jumpoint. |
| username=[string] | The username to use when authenticating. If not specified, the user must enter the username. |
| protocol=[string] | The network protocol to use. May be one of ssh (default) or telnet. |
| port=[integer] | The port number on which to connect. Defaults to 22. |
| terminal | The terminal type to use. May be one of xterm (default) or vt100. |
| session.custom.[custom field]=[string] | The code name and value of any custom fields. These fields must first be configured in /login > Management > API Configuration. Each attribute must be specified as a different parameter. Each customer field has a maximum length of 1024 characters. The maximum total size of all combined custom fields, including the external key, must be limited to 10KB. |
Query examples: start_shell_jump_session
- Start a Shell Jump session with the computer "ABCDEF02"
https://access.example.com/api/client_script?type=rep&operation=generate&action=start_shell_jump_session&target=ABCDEF02
- Start a Shell Jump session with the computer "ABCDEF02" through the Jumpoint "Network01"
https://access.example.com/api/client_script?type=rep&operation=generate&action=start_shell_jump_session&target=ABCDEF02&jumpoint=Network01
- Start a Shell Jump session with the computer "ABCDEF02" through the Jumpoint "Network01". Authenticate with "jsmith", and use a Telnet protocol through port 40 with terminal type vt100
https://access.example.com/api/client_script?type=rep&operation=generate&action=start_shell_jump_session&target=ABCDEF02&jumpoint=Network01&username=jsmith&protocol=telnet&port=40&terminal=vt100
- Start a Shell Jump session with the computer "ABCDEF02" and associate custom attributes with the session
https://access.example.com/api/client_script?type=rep&operation=generate&action=start_shell_jump_session&target=ABCDEF02&session.custom.custom_field1=Custom%20Value&session.custom.custom_field2=123
push_and_start_local
The push_and_start_local command attempts to push the endpoint client client to a computer on the local network to start an access session. This can also be described as a local Jump.
Required parameter for push_and_start_local command
| hostname=[string] | The hostname of the computer that is the target of the push and start operation. This field has a maximum length of 255 characters. |
Optional parameter for push_and_start_local command
| session.custom.[custom field]=[string] | The code name and value of any custom fields. These fields must first be configured in /login > Management > API Configuration. Each attribute must be specified as a different parameter. Each customer field has a maximum length of 1024 characters. The maximum total size of all combined custom fields, including the external key, must be limited to 10KB. |
Query examples: push_and_start_local
- Jump to the local network computer "ABCDEF02"
https://access.example.com/api/client_script?type=rep&operation=generate&action=push_and_start_local&hostname=ABCDEF02
- Jump to the local network computer "ABCDEF02" and associate custom attributes with the session
https://access.example.com/api/client_script?type=rep&operation=generate&action=push_and_start_local&hostname=ABCDEF02&session.custom.custom_field1=Custom%20Value&session.custom.custom_field2=123
push_and_start_remote
The push_and_start_remote command attempts to push the endpoint client client to a computer on a remote network through a Jumpoint in order to start an access session. This can also be described as a remote Jump.
Required parameter for push_and_start_remote command
| target=[string] | The hostname or IP address of the target machine. |
Optional parameters for push_and_start_remote command
| jumpoint=[string] | The Jumpoint through which to start the session. This Jumpoint must be on the same subnet as the target computer. If not specified and the user has access to only one Jumpoint, then that Jumpoint is used automatically. If not specified and the user has access to more than one Jumpoint, then a dialog opens from which the user must select a Jumpoint. |
| session.custom.[custom field]=[string] | The code name and value of any custom fields. These fields must first be configured in /login > Management > API Configuration. Each attribute must be specified as a different parameter. Each customer field has a maximum length of 1024 characters. The maximum total size of all combined custom fields, including the external key, must be limited to 10KB. |
Query examples: push_and_start_remote
- Jump to the remote computer "ABCDEF02" through the Jumpoint "Network01"
https://access.example.com/api/client_script?type=rep&operation=generate&action=push_and_start_remote&target=ABCDEF02&jumpoint=Network01
- Jump to the remote computer "ABCDEF02" through the Jumpoint "Network01" and associate custom attributes with the session
https://access.example.com/api/client_script?type=rep&operation=generate&action=push_and_start_remote&target=ABCDEF02&jumpoint=Network01&session.custom.custom_field1=Custom%20Value&session.custom.custom_field2=123
start_jump_item_session
The start_jump_item_session command attempts to start a session with a BeyondTrust Jump Item. Users may run this command for all Jump Items they are permitted to access via the Jump management interface in the access console.
Optional parameters for the start_jump_item_session command
| jump.method | If specified, only Jump Items using the designated Jump method are included in the results. Acceptable values for this field are push (remote push), local_push, pinned (Jump Client), rdp, vnc, and shelljump. |
| credential_id | If specified, only a Jump Item with that specific credential ID associated is returned. This field has a maximum length of 255 characters. |
| search_string | Identifies the search criteria used to select and return specific Jump Items as results. This parameter is required only if no of the client fields below are specified. |
| client.comments | If specified, only Jump Items with the given comments are included in the results. This field has a maximum length of 255 characters. Search is partial and case-insensitive. |
| client.hostname | If specified, only Jump Items with the given hostname are included in the results. This field has a maximum length of 255 characters. Search is partial and case-insensitive. |
| client.private_ip | If specified, only Jump Clients with the given private IP address are included in the results. This search field applies only to pinned clients. This field has a maximum length of 255 characters. Search is partial and case-insensitive. |
| client.public_ip | If specified, only Jump Clients with the given public IP address are included in the results. This search field applies only to pinned clients. This field has a maximum length of 255 characters. Search is partial and case-insensitive. |
| client.tag | If specified, only Jump Items with the given tag are included in the results. This field has a maximum length of 255 characters. Search is partial and case-insensitive. |
| session.custom.[custom field]=[string] | The code name and value of any custom fields. These fields must first be configured in /login > Management > API Configuration. Each attribute must be specified as a different parameter. Each custom field has a maximum length of 1024 characters. The maximum total size of all combined custom fields, including the external key, must be limited to 10KB. |
Important
At least one client._ parameter must be specified. If multiple client._ parameters are specified, then only clients matching all criteria are returned.
Query examples: start_jump_item_session
- Start a session with a Jump Item whose hostname contains "ABCDEF02"
https://access.example.com/api/client_script?type=rep&operation=generate&action=start_jump_item_session&client.hostname=ABCDEF02
- Start a session with a Jump Item whose comments contain "maintenance" and whose tag contains "server"
https://access.example.com/api/client_script?type=rep&operation=generate&action=start_jump_item_session&client.comments=maintenance&client.tag=server
- Start a session with a pinned Jump Client whose private IP address begins with "10.10.24" and associate custom attributes with the session
https://access.example.com/api/client_script?type=rep&operation=generate&action=start_jump_item_session&client.private_ip=10.10.24&jump.method=pinned&session.custom.custom_field1=Custom%20Value&session.custom.custom_field2=123
Note
If more than one Jump Item matches the search criteria, then a dialog opens, giving the user the option to select the appropriate Jump Item.
Updated about 1 month ago