Configure IIS for REST API
RSA Archer eGRC Platform 5.4 and 5.4 SP1
June/October 2013
Introduction
This document provides the instructions for configuring Microsoft Internet Information Services (IIS) for the RSA
Archer REST API. The REST API is a web service that is configured on the web server where the RSA Archer
web application resides. The REST API will be RESTful and hosted in IIS on the web server.
This feature is not fully developed and is not intended for general use. It is currently being developed for the mobile
app for Questionnaires. These instructions are for internal use only and intended for RSA Archer Customer
Support and Professional Services in case a customer asks about this feature.
Important: The REST API web application is created automatically during the RSA Archer GRC Platform 5.4 SP1
installation, but is not in RSA Archer GRC Platform 5.4.
For 5.4 you must create the web application in IIS for REST API. For more information, see Configure IIS for
REST API later in this document.
What Is RESTful API?
REST stands for Representational State Transfer. REST services are a simpler alternative to SOAP services.
Like SOAP services, REST services enable a user to access the Platform data.
Key factors of REST are:
• The client (the caller) does not have to create a proxy to consume the API. It is very simple to call.
• REST is lighter weight than SOAP services, and therefore performs better.
A true REST API must meet all of the following criteria:
1. Identification of resources
2. Manipulation of resources through representations
3. Self-descriptive messages
4. Hypermedia as the engine of application state
A RESTful API meets some, but not all, of these criteria.
8 April 2014 For Internal Use Only 1
RESTful API Criteria
The following table describes how RSA Archer has implemented REST API for the mobile app.
Criteria: Identification of resources
Implementation: Instead of exposing methods that can be called, RSA Archer exposes resources that can be
retrieved. For example, instead of listing methods that have names with verbs in them, like
UpdateQuestionnaire, RSA Archer exposes Questionnaires as resources with the means to interact with them
using standard HTTP verbs like GET and POST.
Criteria: Manipulation of resources through representations
Implementation: Rather than having a service return strongly typed objects (C# objects with all the expected
properties), RSA Archer returns representations of those resources. The caller determines the form that these
representations take.
• If the caller wants a response in JSON, the Accept header must contain application/json.
• If the caller wants a response in XML, the Accept header must contain application/xml.
Criteria: Self-descriptive messages
Implementation: Rather than relying on the method name having meaning for RSA Archer to figure out how the
method interacts with the resource, HTTP verbs are used. Each message describes itself.
• If the resource is accessed at /RsaArcher/api/core/application and the method of the request is POST
(POST to /RsaArcher/api/core/application/vendors), the user is trying to save the new application called
Vendors.
• If the request is a GET to /RsaArcher/api/core/application/vendors, the user is requesting application
vendors.
Criteria: Hypermedia as the engine of application state
Implementation: Instead of knowing the API that interacts with RPC methods, a REST API provides the root URI
and a place to start for interacting with the resource. Each response contains the links that help move through
the rest of the API. For example, when the user sends a GET to /RsaArcher/api/core/application/vendors, the
response includes a link that shows how to update that application (PUT
/RsaArcher/api/core/application/vendors) and how to delete the application (DELETE
/RsaArcher/api/core/application/vendors). The hypermedia (the links) serve as the engine of application state
(moving the caller through the different states of the application).
Request Verbs and Actions
The following table explains the various verbs used in a RESTful API.
Request Verb    Action    Example
GET             Select    GET /RsaArcher/api/core/application/vendors
POST            Insert    POST /RsaArcher/api/core/application/vendors
PUT             Update    PUT /RsaArcher/api/core/application/vendors
DELETE          Delete    DELETE /RsaArcher/api/core/application/vendors
Online documentation for REST API is modeled after the new Web Services API Guide and will be available with
the release of the mobile app post 5.4.
Configure IIS for REST API
Complete this task to create a web application in IIS for the REST API web service for GRC Platform 5.4. RSA
Archer recommends running this web application as a child application of the RSA Archer web application. The
REST API web service must target the ASP.NET v4.0 framework.
The REST API web service can run as an independent application in a different application pool, as long as it can
access the RSA Archer database with which it interacts.
Procedure
1. Navigate to the folder where the RSA Archer Installer resides (ArcherInstall.exe).
2. Copy the Archer API folder to a location on the web server running RSA Archer web application.
3. Open Internet Information Services (IIS) Manager.
4. Navigate to Sites, right-click [RSA Archer web application], and click Add Application.
5. Complete the following:
• Alias: Name the new web application. The name must not contain spaces. Enter the name with
underscores or as camel case, for example, Archer_REST_API or ArcherRESTAPI.
• Physical Path: Select the path to the Archer API folder that you copied in step 2.
6. Click Test Settings to verify the Application Pool identity.
7. Ensure that the Application Pool identity or the identity specified within the web.config (if configured
separately) has read/write permission to the file repository in order to read/write attachments.
8. Click OK and click OK again.
9. Verify that the Archer API is targeting the ASP.NET v4.0 framework.
10. Open a browser window and insert the URL to the Archer API web application.
• If the application is configured properly, the default “Welcome to Archer API” page is displayed.
• If you do not see this page, verify the configuration in IIS.
Troubleshooting REST API in a Multi-Server Environment
The REST API is created automatically during the RSA Archer GRC Platform 5.4 SP1 installation under the RSA
Archer web application in IIS, but not in RSA Archer GRC Platform 5.4. The Platform version that is installed
determines the steps you take to ensure the REST API is configured for a multi-server environment.
Running REST API in 5.4 SP1
REST API is installed automatically as a nested application underneath the RSA Web application. If the Web
application is configured as a multi-server application, the user running the application pool for the REST API
must have access to the Configuration service on the dedicated Services server. The easiest way to do this is to
ensure that the Application Pool running the REST API is the same as the Application Pool that is running the
Web application.
Running REST API in 5.4
REST API is not installed automatically. Instead, the RESTAPI directory must be copied from the
installer to a location on the Web server, and an application must be added to IIS. If the RSA Archer Services are
installed on a different server than the Web server, the endpoint address of the REST API must be configured to
point to the Services server. Complete the following procedure to configure REST API in 5.4.
Procedure
1. Log in to the server running the Web Application and navigate to the web.config file for the RSA Archer
Application. Typically, the application is located at c:/inetpub/wwwroot/RSAarcher.
2. Open the Web.config file and find the following XML node, noting the endpoint address:
    <client>
      <endpoint address="http://localhost:13201/ConfigService" binding="customBinding"
                bindingConfiguration="ArcherCustomBinding" name="1-HTTP-ConfigurationService"
                contract="ArcherTech.Configuration.IConfigurationServiceAPI"
                behaviorConfiguration="ConfigServiceClientBehavior">
        <identity>
          <certificateReference findValue="RSA Archer Configuration" storeLocation="LocalMachine"
                                storeName="My" x509FindType="FindBySubjectName" />
        </identity>
      </endpoint>
    </client>
3. Go to the location of the REST API folder and access the REST API web.config file.
4. Open the Web.config file and find the following XML node, noting the endpoint address:
    <client>
      <endpoint address="http://localhost:13201/ConfigService" binding="customBinding"
                bindingConfiguration="ArcherCustomBinding" name="1-HTTP-ConfigurationService"
                contract="ArcherTech.Configuration.IConfigurationServiceAPI"
                behaviorConfiguration="ConfigServiceClientBehavior">
        <identity>
          <certificateReference findValue="RSA Archer Configuration" storeLocation="LocalMachine"
                                storeName="My" x509FindType="FindBySubjectName" />
        </identity>
      </endpoint>
    </client>
The endpoint address for the REST API needs to be the same as the endpoint address for Archer
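
The comparison this procedure calls for, as an added PowerShell example that is not part of the original RSA document: it extracts the 1-HTTP-ConfigurationService client endpoint from both web.config files and reports any difference in address or certificate identity. The XML is constructed sample input, archer-svc01 is a hypothetical Services server name, and the function names are illustrative.

```powershell
# Constructed sample input: trimmed copies of the <client> node shown above.
# "archer-svc01" is a hypothetical Services server name, not a value from the document.
# For real files use: [xml](Get-Content -Raw -Path '<path to web.config>')
$template = @'
<configuration><system.serviceModel><client>
  <endpoint address="{0}" name="1-HTTP-ConfigurationService"
            contract="ArcherTech.Configuration.IConfigurationServiceAPI">
    <identity>
      <certificateReference findValue="RSA Archer Configuration" storeLocation="LocalMachine"
                            storeName="My" x509FindType="FindBySubjectName" />
    </identity>
  </endpoint>
</client></system.serviceModel></configuration>
'@
$webAppConfig  = [xml]($template -f 'http://archer-svc01:13201/ConfigService')
$restApiConfig = [xml]($template -f 'http://localhost:13201/ConfigService')

# Hypothetical helper: pull the ConfigService address and expected certificate subject.
function Get-ConfigServiceEndpoint {
    param([Parameter(Mandatory)][xml]$Config)
    $ep = $Config.SelectSingleNode("//client/endpoint[@name='1-HTTP-ConfigurationService']")
    if ($null -eq $ep) { throw 'ConfigService client endpoint not found' }
    $cert = $ep.SelectSingleNode('identity/certificateReference')
    [pscustomobject]@{
        Address     = $ep.GetAttribute('address')
        CertSubject = if ($null -ne $cert) { $cert.GetAttribute('findValue') } else { '' }
    }
}

# Hypothetical helper: emit one finding per difference; no output means the files agree.
function Compare-ConfigServiceEndpoint {
    param([Parameter(Mandatory)][xml]$WebApp, [Parameter(Mandatory)][xml]$RestApi)
    $web  = Get-ConfigServiceEndpoint $WebApp
    $rest = Get-ConfigServiceEndpoint $RestApi
    if ($web.Address -ne $rest.Address) {
        "Endpoint mismatch: web app uses $($web.Address), REST API uses $($rest.Address)"
    }
    if ($web.CertSubject -ne $rest.CertSubject) {
        "Identity mismatch: web app expects '$($web.CertSubject)', REST API expects '$($rest.CertSubject)'"
    }
    if (([uri]$rest.Address).IsLoopback -and -not ([uri]$web.Address).IsLoopback) {
        'REST API still targets the local machine while the web app targets a remote Configuration service'
    }
}

Compare-ConfigServiceEndpoint -WebApp $webAppConfig -RestApi $restApiConfig
```

With the sample input, the function reports the endpoint mismatch and the loopback finding; the certificate identity matches, so no identity finding is emitted.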
Support and Service
Customer Support Information: www.emc.com/support/rsa/index.htm
E-mail:
RSA Archer Community: https://community.emc.com/community/connect/grc_ecosystem/rsa_archer
RSA Archer Exchange: https://community.emc.com/community/connect/grc_ecosystem/rsa_archer_exchange
RSA Solution Gallery: https://gallery.emc.com/community/marketplace/
RSA SecurCare Online: https://knowledge.rsasecurity.com/cleartrust/ct_logon.asp?CTAuthMode=BASIC&language=en&CT_ORIG_URL=https%3A%2F%2Fknowledge.rsasecurity.com%3A443%2F&ct_orig_uri=%2F
Copyright © 2013 EMC Corporation. All Rights Reserved. Published in the USA.
Trademarks
RSA, the RSA Logo, RSA Archer, and EMC are either registered trademarks or trademarks of EMC Corporation in the United
States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of RSA
trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm.