Identity-Based Microsegmentation Guide
LAST UPDATED: June 23, 2021

Install apoctl

Prerequisites

  • The following procedure uses an app credential to authenticate to the Microsegmentation Console. App credentials present a client certificate over a mutual TLS connection to the Microsegmentation Console API, so a TLS-intercepting middlebox (proxy or endpoint agent) that terminates the connection will break authentication. Any such middlebox must be configured to exclude your connections to the Microsegmentation Console from interception.
  • If you connect through a firewall or endpoint agent, ensure that you can access *.prismacloud.io, *.network.prismacloud.io, and *.aporeto.com.
  • jq installed

Installing and configuring apoctl

  1. Download the executable appropriate to your platform.

    macOS:

    sudo curl -o /usr/local/bin/apoctl \
      https://download.aporeto.com/apoctl/darwin/apoctl && \
    sudo chmod 755 /usr/local/bin/apoctl
    
    Linux:

    sudo curl -o /usr/local/bin/apoctl \
      https://download.aporeto.com/apoctl/linux/apoctl && \
    sudo chmod 755 /usr/local/bin/apoctl
    
    Windows (PowerShell):

    curl https://download.aporeto.com/apoctl/windows/apoctl.msi -o apoctl.msi; `
    if ($?) {. .\apoctl.msi /quiet}
    if ($?) {$env:PATH+="C:\Program Files\Apoctl;"}
    

  2. Open the Network Security section of the Prisma Cloud web interface.

  3. Navigate to the top-level namespace that you have access to. In the following example, we have access to the top-level namespace /803920923337065472.

    (Screenshot: Namespace navigator)

  4. Click the lock icon in the bottom left corner, then click Copy to clipboard.

    (Screenshot: Copying the configure command)

  5. Paste the configuration command into your terminal and press ENTER. An example command follows, using https://api.app0.network.prismacloud.io as the URL of the Microsegmentation Console API and /803920923337065472 as the namespace. The value passed with -t is a credential: do not paste it into a shared terminal or commit it to a repository.

    apoctl configure -A https://api.app0.network.prismacloud.io \
                     -n /803920923337065472 \
                     -t eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJyZWFsbSI6IlBDSWRlbnRpdHlUb2tlbiIsImRhdGEiOnsibmFtZXNwYWNlIjoiODAzOTIwOTIzMzM3MDY1NDcyIiwi...
    
  6. Authenticate at the prompt. It should return the following.

    apoctl profile 'default' successfully configured
    
  7. Issue the following commands to extract the URL of your Microsegmentation Console API, set it in a MICROSEG_API environment variable, and ensure that the environment variable persists across sessions.

    bash:

    export MICROSEG_API=$(apoctl auth verify | jq -r '.iss')
    echo "export MICROSEG_API=$MICROSEG_API" | tee -a ~/.bash_profile
    
    PowerShell:

    $env:MICROSEG_API = (apoctl auth verify | jq -r '.iss')
    # Persist the value for future sessions; the third argument is the scope.
    [System.Environment]::SetEnvironmentVariable('MICROSEG_API', $env:MICROSEG_API, 'User')
    

  8. Confirm that you can connect to the Microsegmentation Console API and that your system trusts its certificate. If the value captured in step 7 has no scheme (the example output in step 9 shows a bare hostname), prefix it with https:// so the request actually negotiates TLS. A certificate error at this point usually means an intercepting proxy or an untrusted CA; fix the trust store or the interception exclusion rather than disabling certificate verification.

    bash:

    curl $MICROSEG_API
    
    PowerShell (wget is Windows PowerShell's alias for Invoke-WebRequest):

    wget $MICROSEG_API
    

  9. Issue the following command to confirm that you’re authenticated.

    apoctl auth verify
    

    It should return something like the following.

    {
      "data": {
        "commonName": "app:credential:6022d9eeeb15c100010d9290:jwellington@email.com-apoctl-default-credentials",
        "organization": "/803920923337065472",
        "realm": "certificate",
        "serialNumber": "96242056717083374710660459658200369221",
        "subject": "96242056717083374710660459658200369221"
      },
      "exp": 1612903956,
      "iat": 1612896755,
      "iss": "api.app0.network.prismacloud.io",
      "realm": "Certificate",
      "restrictions": {},
      "sub": "96242056717083374710660459658200369221"
    }
    
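As an added check (example code written for this guide, not part of the apoctl tool or the Prisma Cloud documentation), the following Python script parses the output of `apoctl auth verify`, derives the https:// form of MICROSEG_API from the `iss` claim, and warns when the session has expired, is about to, is using a realm other than the app credential's certificate realm, or is scoped to a namespace other than the one you expect. The expected-namespace argument, the five-minute warning threshold, and the script name are assumptions; the embedded sample is the step 9 output above.

```python
"""Sanity-check the JSON printed by `apoctl auth verify`.

Added example, not part of apoctl or the Prisma Cloud documentation.
Usage:  apoctl auth verify | python3 check_apoctl_auth.py /803920923337065472
With no stdin it runs against the constructed sample below.
"""
import json
import sys
import time

# Constructed sample: the step 9 output from the guide, including its
# (long since expired) timestamps.
SAMPLE_VERIFY_OUTPUT = """{
  "data": {
    "commonName": "app:credential:6022d9eeeb15c100010d9290:jwellington@email.com-apoctl-default-credentials",
    "organization": "/803920923337065472",
    "realm": "certificate",
    "serialNumber": "96242056717083374710660459658200369221",
    "subject": "96242056717083374710660459658200369221"
  },
  "exp": 1612903956,
  "iat": 1612896755,
  "iss": "api.app0.network.prismacloud.io",
  "realm": "Certificate",
  "restrictions": {},
  "sub": "96242056717083374710660459658200369221"
}"""


def api_url(issuer):
    """Turn the `iss` claim into a URL that curl will reach over TLS.

    The claim in the sample is a bare hostname; curl defaults to http:// for
    that, which would make the certificate check in step 8 meaningless.
    """
    if issuer.startswith("https://"):
        return issuer
    if issuer.startswith("http://"):
        raise ValueError("issuer must be reached over TLS: " + issuer)
    return "https://" + issuer


def check_auth(verify_output, expected_namespace, now=None, min_remaining=300):
    """Parse verify output and return the findings a practitioner cares about.

    Returns a dict with the derived API URL, seconds until the session
    expires, the namespace the credential is scoped to, and a list of
    problems (empty when everything checks out).
    """
    claims = json.loads(verify_output)
    now = int(time.time()) if now is None else now
    problems = []

    iss = claims.get("iss")
    if not iss:
        problems.append("no iss claim: cannot derive MICROSEG_API")

    remaining = claims.get("exp", 0) - now
    if remaining <= 0:
        problems.append("session expired; run `apoctl configure` again")
    elif remaining < min_remaining:
        problems.append("session expires in %ds" % remaining)

    org = claims.get("data", {}).get("organization")
    if org != expected_namespace:
        problems.append("credential is scoped to %r, expected %r" % (org, expected_namespace))

    # App credentials authenticate with a client certificate (mTLS); any other
    # realm means apoctl is not using the app credential from this procedure.
    if str(claims.get("realm", "")).lower() != "certificate":
        problems.append("unexpected realm %r" % claims.get("realm"))
    if claims.get("restrictions"):
        problems.append("credential carries restrictions: %r" % claims["restrictions"])

    return {
        "api_url": api_url(iss) if iss else None,
        "seconds_remaining": remaining,
        "namespace": org,
        "problems": problems,
    }


def main(argv):
    expected = argv[1] if len(argv) > 1 else "/803920923337065472"
    raw = SAMPLE_VERIFY_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    result = check_auth(raw, expected)
    print("export MICROSEG_API=%s" % result["api_url"])
    for problem in result["problems"]:
        print("WARNING:", problem, file=sys.stderr)
    return 1 if result["problems"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script exits non-zero when any problem is found, so it can gate a CI job or a shell profile snippet that would otherwise export a stale or mis-scoped MICROSEG_API.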

Great job! You’ve installed and configured apoctl.