Deploying GSLB configurations using DNS domain names

The new RBAC enhancements in Citrix Application Delivery Management (ADM) allow only authorized application owners to create and manage their own DNS domains in Citrix ADM. You can now authorize the app owners to create GSLB configurations from the DNS domains they own, using specific StyleBooks. If the DNS domain name selected is owned by the user, then it can be used when creating GSLB configurations using GSLB StyleBooks in Citrix ADM application dashboard. There are two workflows in Citrix ADM to configure GSLB configurations.

  1. Workflow for the admins. Set up the RBAC environment in Citrix ADM. That is, to create and import GSLB StyleBooks, you must create user groups, policies and roles, and assign users to the group. As an admin, you must perform this workflow.

  2. Workflow for the application owners. Application owners must create GSLB configurations using domain names that they own.

The following flowchart depicts both workflows:

localized image

Workflow for the admins

As an admin, your workflow to create RBAC environment in Citrix ADM consists of the following steps:

First, create a StyleBook to deploy GSLB configurations on the Citrix ADC instances. This document provides with a sample YAML content to help you create your own StyleBook - Build your StyleBook.

For more information on how to create custom StyleBooks, see Create and use custom StyleBooks.

Note

Citrix ADM supports a new construct in StyleBooks called “allowed-dynamic-values.” This construct can be used to allow the user to list and select from the DNS Domain Values present in Citrix ADM to automatically populates the “domain-name” parameter in the StyleBook in Citrix ADM GUI.

An example “domain-name” parameter section is provided for your reference.

The “domain-name” parameter used here is just an example. The parameter can be different in your custom StyleBook.

-
  name: domain-name
   label: DNS Domain Name
   description: GSLB DNS Domain Name
   type: string
   required: true
   allowed-dynamic-values:
      source: local
      resource-type: dns_domain_entry

Note

Currently in Citrix ADM, the “allowed-dynamic-values” construct is not used in any of the default StyleBooks. Create a new custom GSLB StyleBook by using the default GSLB StyleBook. Replace the part for domain name parameter with the sample provided above. You can use any text editor to create new StyleBooks.

  1. Log on to Citrix ADM as admin.

  2. Navigate to Applications > Configurations > StyleBooks.

  3. Click Import New StyleBook and upload the new GSLB StyleBook to Citrix ADM.

    localized image

    For more information on how to import StyleBooks in Citrix ADM, see Use custom StyleBooks.

  4. Navigate to System > Users > Policies and click Add to set up an access policy for the application owners as shown below.

    Citrix recommends that you create an access policy to ensure that the application owners do not evade the RBAC rules set by you.

  5. Type a name for the policy and a brief description. In the Permissions section, ensure that the following view-edit permissions are checked mandatorily.

    1. Applications > Dashboard

    2. Applications > Configurations

    3. Networks > Instances

    4. Networks > License Management

    5. Networks > DNS Domain Names

    You can provide other permissions as applicable and click Create.

    localized image

  6. Navigate to System > Users > Roles and create a role and assign the policy created in the earlier step.

  7. Type a name for the role and provide a brief description. In the Policies section, select AppOwnerExampleAccessPolicy.

    localized image

  8. Navigate to System > Users > Groups and create a group and associate the role created in the earlier step.

  9. Type a name and description, and in the Roles section, select AppOwnerExampleRole.

    localized image

  10. Click Next.

  11. In the Authorization Settings tab, select the Citrix ADC instances that the application owner has access to and the new GSLB StyleBook.

    localized image

    Repeat this step to create as many user groups as you need in your organization. Click Create Group.

  12. Create a system user and assign the user to a user group. This document refers to only users created locally. You need not create users in user groups if Citrix ADM is set up for using external authentication, for example, LDAP. User mapping to groups is retrieved from the external authentication directory.

    1. Navigate to System > Users > User.

    2. Type a user name and password for the system user and assign the user to the group.

    localized image

    Note

    Step 12 is optional and is not required if external authentication such as LDAP is used.

Citrix ADM REST API for admin workflow

REST API to log on to Citrix ADM

URL: http: //<MAS_IP>/nitro/v2/config/login
HTTPMETHOD: POST

Body Payload:
{
  "login": {
    "username": "<USER_NAME>",
    "password": "<PASSWORD>",
    "session_timeout": 1800
  }
}

The response results in a session cookie header, that can be sent with the rest of the API requests below.

Set-Cookie: SESSID=##ED31F7C886E248CCDCA8F0E0AD2AA511ACCC5F46C48D6D2BCAA719A9DE62;path=/;secure;HttpOnly

REST API to create an access policy

URL: https://<MAS_IP>/nitro/v2/config/rba_policy
HTTP METHOD: POST

{
  "rba_policy": {
    "name": " AppOwnerAccessPolicy",
    "description": " ExampleCompany AppOwner Access Policy",
    "tenant_id": "7c12ec97-1472-4096-97e7-a5acb453cc5c",
    "statement": [
      {
        "access_type": true,
        "resource_type": "application",
        "operation_name": "add",
        "dependent_resources": "mail_profile,slack_profile,smtp_server,app_category"
      },
      {
        "access_type": true,
        "resource_type": "application",
        "operation_name": "get",
        "dependent_resources": "download,smtp_server,ns_vserver_license,app_category,app_summary,app_health_dashboard_details,haproxy_frontend,haproxy_backend,haproxy_frontend_stats"
      },
      {
        "access_type": true,
        "resource_type": "si_app_unit",
        "operation_name": "get",
        "dependent_resources": "download,smtp_server,app_summary,si_app_summary,si_device,security_app_dashboard_details,si_geo_location,si_safety_app_firewall,si_safety_overview,si_safety_security_check,si_safety_system_security,si_safety_signature"
      },
      {
        "access_type": true,
        "resource_type": "stylebooks",
        "operation_name": "get",
        "dependent_resources": "download,smtp_server,ns_vserver_license"
      },
      {
        "access_type": true,
        "resource_type": "stylebooks",
        "operation_name": "add",
        "dependent_resources": "mail_profile,slack_profile,smtp_server"
      },
      {
        "access_type": true,
        "resource_type": "configpacks",
        "operation_name": "get",
        "dependent_resources": "download,smtp_server,stylebooks,ns_vserver_license"
      },
      {
        "access_type": true,
        "resource_type": "configpacks",
        "operation_name": "add",
        "dependent_resources": "mail_profile,slack_profile,smtp_server"
      },
      {
        "access_type": true,
        "resource_type": "stylebooks_system_settings",
        "operation_name": "get",
        "dependent_resources": "download,smtp_server"
      },
      {
        "access_type": true,
        "resource_type": "stylebooks_system_settings",
        "operation_name": "add",
        "dependent_resources": "mail_profile,slack_profile,smtp_server"
      },
      {
        "access_type": true,
        "resource_type": "ns_crvserver",
        "operation_name": "get",
        "dependent_resources": "download,DeviceAPIProxy,smtp_server,perf_cache_redirection_report,poll_activity_status,ns_emon_poll_policy,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_crvserver",
        "operation_name": "add",
        "dependent_resources": "DeviceAPIProxy,mail_profile,slack_profile,smtp_server,poll_activity_status,ns_emon_poll_policy,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "haproxy_frontend",
        "operation_name": "get",
        "dependent_resources": "download,DeviceAPIProxy,smtp_server,haproxy_backend,haproxy_server"
      },
      {
        "access_type": true,
        "resource_type": "haproxy_frontend",
        "operation_name": "add",
        "dependent_resources": "DeviceAPIProxy,mail_profile,slack_profile,smtp_server"
      },
      {
        "access_type": true,
        "resource_type": "ns_server",
        "operation_name": "get",
        "dependent_resources": "download,DeviceAPIProxy,smtp_server,ns_emon_poll_policy,poll_activity_status,ns_server,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_server",
        "operation_name": "add",
        "dependent_resources": "DeviceAPIProxy,mail_profile,slack_profile,smtp_server,ns_emon_poll_policy,poll_activity_status,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_lbvserver",
        "operation_name": "get",
        "dependent_resources": "download,DeviceAPIProxy,smtp_server,perf_lb_vserver_report,ns_emon_poll_policy,poll_activity_status,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_lbvserver",
        "operation_name": "add",
        "dependent_resources": "DeviceAPIProxy,mail_profile,slack_profile,smtp_server,ns_emon_poll_policy,poll_activity_status,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_service",
        "operation_name": "get",
        "dependent_resources": "download,DeviceAPIProxy,smtp_server,ns_emon_poll_policy,poll_activity_status,ns_visualizer_lb_bindings,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_service",
        "operation_name": "add",
        "dependent_resources": "DeviceAPIProxy,mail_profile,slack_profile,smtp_server,ns_emon_poll_policy,poll_activity_status,ns_visualizer_lb_bindings,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_servicegroup",
        "operation_name": "get",
        "dependent_resources": "download,DeviceAPIProxy,smtp_server,ns_emon_poll_policy,poll_activity_status,ns_servicegroupmember_binding,ns_visualizer_lb_bindings,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_servicegroup",
        "operation_name": "add",
        "dependent_resources": "DeviceAPIProxy,mail_profile,slack_profile,smtp_server,ns_emon_poll_policy,poll_activity_status,ns_servicegroupmember_binding,ns_visualizer_lb_bindings,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_authenticationvserver",
        "operation_name": "get",
        "dependent_resources": "download,DeviceAPIProxy,smtp_server,perf_authentication_report,poll_activity_status,ns_emon_poll_policy,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_authenticationvserver",
        "operation_name": "add",
        "dependent_resources": "DeviceAPIProxy,mail_profile,slack_profile,smtp_server,poll_activity_status,ns_emon_poll_policy,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "syslog_messages",
        "operation_name": "get",
        "dependent_resources": "download,smtp_server"
      },
      {
        "access_type": true,
        "resource_type": "ns_emon_poll_policy",
        "operation_name": "get",
        "dependent_resources": "download,poll_activity_status,smtp_server"
      },
      {
        "access_type": true,
        "resource_type": "ns_emon_poll_policy",
        "operation_name": "add",
        "dependent_resources": "download,poll_activity_status,mail_profile,slack_profile,smtp_server"
      },
      {
        "access_type": true,
        "resource_type": "ns_visualizer_gslb_bindings",
        "operation_name": "add",
        "dependent_resources": "DeviceAPIProxy,mail_profile,slack_profile,smtp_server,poll_activity_status,ns_emon_poll_policy,ns_gslbvserver_domain,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_visualizer_gslb_bindings",
        "operation_name": "get",
        "dependent_resources": "download,DeviceAPIProxy,smtp_server,poll_activity_status,ns_emon_poll_policy,ns_gslbvserver_domain,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_gslbservice",
        "operation_name": "add",
        "dependent_resources": "DeviceAPIProxy,mail_profile,slack_profile,smtp_server,poll_activity_status,ns_emon_poll_policy,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_gslbservice",
        "operation_name": "get",
        "dependent_resources": "download,DeviceAPIProxy,smtp_server,poll_activity_status,ns_emon_poll_policy,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_gslbvserver",
        "operation_name": "get",
        "dependent_resources": "download,DeviceAPIProxy,smtp_server,perf_global_server_load_balancing_report,poll_activity_status,ns_emon_poll_policy,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_gslbvserver",
        "operation_name": "add",
        "dependent_resources": "DeviceAPIProxy,mail_profile,slack_profile,smtp_server,poll_activity_status,ns_emon_poll_policy,lb_export_report"
     },
      {
        "access_type": true,
        "resource_type": "ns_vpnvserver",
        "operation_name": "add",
        "dependent_resources": "DeviceAPIProxy,mail_profile,slack_profile,smtp_server,poll_activity_status,ns_emon_poll_policy,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_vpnvserver",
        "operation_name": "get",
        "dependent_resources": "download,DeviceAPIProxy,smtp_server,perf_ssl_vpn_report,poll_activity_status,ns_emon_poll_policy,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_csvserver",
        "operation_name": "get",
        "dependent_resources": "download,DeviceAPIProxy,smtp_server,perf_content_switching_report,ns_emon_poll_policy,poll_activity_status,ns_visualizer_cs_bindings,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "ns_csvserver",
        "operation_name": "add",
        "dependent_resources": "DeviceAPIProxy,mail_profile,slack_profile,smtp_server,ns_emon_poll_policy,poll_activity_status,ns_visualizer_cs_bindings,lb_export_report"
      },
      {
        "access_type": true,
        "resource_type": "dns_domain_entry",
        "operation_name": "get",
        "dependent_resources": ""
      },
      {
        "access_type": true,
        "resource_type": "dns_domain_entry",
        "operation_name": "add",
        "dependent_resources": ""
      },
      {
        "access_type": true,
        "resource_type": "devicewise_detail_summary",
        "operation_name": "get",
        "dependent_resources": "download,mps_user_heatmap,ns_event,mps_agent,active_event,smtp_server,mps_datacenter,event_severity_report,event_device_report,ns_conf,device_event_summary"
      },
      {
        "access_type": true,
        "resource_type": "devicewise_detail_summary",
        "operation_name": "add",
        "dependent_resources": "mail_profile,slack_profile,smtp_server"
      },
      {
        "access_type": true,
        "resource_type": "cbwanopt",
        "operation_name": "get",
        "dependent_resources": "download,device_backup,traceroute,inventory,inventory_status,ping,mps_datacenter,cbwanopt_device_profile,sdwanvw_device_profile,sdwanvw_snmp_config,sdwanvw_appflowconfig,smtp_server,cbwanopt_snmp_config,cbwanopt_appflowconfig,sdwanvw,tag"
      },
      {
        "access_type": true,
        "resource_type": "cbwanopt",
        "operation_name": "add",
        "dependent_resources": "inventory,managed_device,device_backup,upload,cbwanopt_device_profile,mps_datacenter,mail_profile,slack_profile,smtp_server,sdwanvw_device_profile,sdwanvw_snmp_config,sdwanvw_appflowconfig,cbwanopt_snmp_config,cbwanopt_appflowconfig,sdwanvw,tag"
      },
      {
        "access_type": true,
        "resource_type": "device_login",
        "operation_name": "get",
        "dependent_resources": ""
      },
      {
        "access_type": true,
        "resource_type": "ns",
        "operation_name": "get",
        "dependent_resources": "download,ns_config_replicate,ns_conf,ns_ns_runningconfig,ns_ns_savedconfig,active_event,device_backup,traceroute,inventory,inventory_status,ping,ns_device_profile,nssdx_device_profile,sdx_snmp_config,sdx_syslog_config,smtp_server,ns_cluster,ns_snmp_config,ns_syslog_config,ns_l7_latency_config,ica_l7_latency_update,af_vserver_policy,ns_vserver_appflow_config,mps_datacenter,ns_appflow_param_config,ns_ns_license,ns_ns_mode,ns_network_interface,advanced_analytics_config,tag"
      },
      {
        "access_type": true,
        "resource_type": "ns",
        "operation_name": "add",
        "dependent_resources": "inventory,ns_l7_latency_config,ica_l7_latency_update,af_vserver_policy,ns_config_replicate,managed_device,device_backup,upload,ns_device_profile,nssdx_device_profile,mps_datacenter,sdx_snmp_config,sdx_syslog_config,mail_profile,slack_profile,smtp_server,ns_cluster,ns_snmp_config,ns_syslog_config,ns_vserver_appflow_config,ns_appflow_param_config,advanced_analytics_config,tag"
      },
      {
        "access_type": true,
        "resource_type": "haproxyhost",
        "operation_name": "get",
        "dependent_resources": "download,traceroute,inventory,inventory_status,ping,mps_datacenter,smtp_server,haproxy_device_profile,device_backup,tag"
      },
      {
        "access_type": true,
        "resource_type": "haproxyhost",
        "operation_name": "add",
        "dependent_resources": "inventory,managed_device,mail_profile,slack_profile,smtp_server,mps_datacenter,haproxy_device_profile,haproxy,device_backup,tag"
      },
      {
        "access_type": true,
        "resource_type": "docker_host",
        "operation_name": "add",
        "dependent_resources": "inventory,ns_snmp_config,managed_device,ns,upload,mail_profile,slack_profile,smtp_server,mps_datacenter,ns_device_profile,docker_nscpx_image"
      },
      {
        "access_type": true,
        "resource_type": "docker_host",
        "operation_name": "get",
        "dependent_resources": "download,ns_snmp_config,ns_conf,ns_ns_runningconfig,ns_ns_savedconfig,smtp_server,mps_datacenter,ns_device_profile,traceroute,inventory,inventory_status,ping,active_event,ns_ns_license,ns_ns_mode,ns_network_interface"
      },
      {
        "access_type": true,
        "resource_type": "perf_reports",
        "operation_name": "add",
        "dependent_resources": "mail_profile,slack_profile,smtp_server,perf_custom_dashboard"
      },
      {
        "access_type": true,
        "resource_type": "perf_reports",
        "operation_name": "get",
        "dependent_resources": "download,smtp_server,perf_report_counters,perf_res_util_report,perf_http_req_tcp_conn_report,perf_lb_ssl_traffic_report,perf_ip_bytes_rxtx_report,perf_ip_pkt_rxtx_report,perf_icmp_pkt_rxtx_report,perf_icmp_bytes_rxtx_report,perf_icmpv6_pkt_rxtx_report,perf_icmpv6_bytes_rxtx_report,perf_ipv6_bytes_rxtx_report,perf_ipv6_pkt_rxtx_report,perf_udp_bytes_rxtx_report,perf_udp_packets_rxtx_report,perf_cmp_bytes_rxtx_report,perf_cmp_tcp_bytes_rxtx_report,perf_cmp_tcp_ratiosaving_report,perf_cmp_decmp_bytes_rxtx_report,perf_cmp_decmp_ratiosaving_report,perf_tcp_server_conn_report,perf_tcp_surgelen_spareconn_report,perf_http_bytes_rx_report,perf_http_gets_posts_report,perf_ssl_transactions_hits_report,perf_ssl_client_auth_report,perf_ssl_rsa_dhkey_report,perf_ssl_frontend_ciphers_report,perf_ssl_backend_ciphers_report,perf_wsdevice_cpu_utilization_report,perf_wsdevice_send_compression_ratio_report,perf_wsdevice_connected_plugins_report,perf_wsdevice_data_reduction_report,perf_wsdevice_link_utilization_report,perf_wsserviceclassstatstable_pass_through_connection_report,perf_wsserviceclassstatstable_service_class_report,perf_wsserviceclassstatstable_acceleration_report,perf_wslinkstatstable_throughput_report,perf_wslinkstatstable_packet_loss_report,perf_wsappstatstable_application_report,perf_wsqosstatstable_qos_report,perf_ssl_cpu_keyexchange_report,perf_ssl_be_rsa_dhkey_report,perf_custom_dashboard,perf_ns_throughput_report,perf_network_interface_report"
      },
      {
        "access_type": true,
        "resource_type": "perf_threshold",
        "operation_name": "get",
        "dependent_resources": "download,perf_reports,perf_report_counters,smtp_server,sms_server,sms_profile"
      },
      {
        "access_type": true,
        "resource_type": "perf_threshold",
        "operation_name": "add",
        "dependent_resources": "mail_profile,slack_profile,smtp_server,sms_server,sms_profile"
      },
      {
        "access_type": true,
        "resource_type": "perf_poll_config",
        "operation_name": "add",
        "dependent_resources": "mail_profile,slack_profile,smtp_server"
      },
      {
        "access_type": true,
        "resource_type": "perf_poll_config",
        "operation_name": "get",
        "dependent_resources": "smtp_server,download"
      },
      {
        "access_type": true,
        "resource_type": "license_server_info",
        "operation_name": "get",
        "dependent_resources": "sms_server,license_proxy_server,jazz_license,download,sms_profile,smtp_server,user_managed_tp_vserver,managed_vserver,user_managed_vserver,haproxy_frontend,haproxy_backend,license_file,device_license_info,license_info,ns_authenticationvserver,ns_gslbvserver,ns_vpnvserver,ns_csvserver,ns_crvserver,ns_lbvserver,autoselection_preference,license_threshold,license_expiry_info"
      },
      {
        "access_type": true,
        "resource_type": "license_server_info",
        "operation_name": "add",
        "dependent_resources": "sms_server,license_proxy_server,jazz_license,sms_profile,mail_profile,slack_profile,smtp_server,user_managed_tp_vserver,managed_vserver,upload,license_file,license_info,license_threshold,mas_license,user_managed_vserver,autoselection_preference,license_expiry_info"
      }
    ],
    "ui": [
      {
        "access_type": true,
        "name": "ApplicationsDashboard",
        "display_name": "Dashboard"
      },
      {
        "access_type": true,
        "name": "SecurityDashboard",
        "display_name": "App Security Dashboard"
      },
      {
        "access_type": true,
        "name": "Stylebooks",
        "display_name": "StyleBooks"
      },
      {
        "access_type": true,
        "name": "Stylebooks",
        "display_name": "Configpacks"
      },
      {
        "access_type": true,
        "name": "StylebooksSettings",
        "display_name": "Settings"
      },
      {
        "access_type": true,
        "name": "CacheRedirection",
        "display_name": "Cache Redirection"
      },
      {
        "access_type": true,
        "name": "HAProxy",
        "display_name": "HAProxy"
      },
      {
        "access_type": true,
        "name": "Servers",
        "display_name": "Servers"
      },
      {
        "access_type": true,
        "name": "VirtualServers",
        "display_name": "Virtual Servers"
      },
      {
        "access_type": true,
        "name": "Services",
        "display_name": "Services"
      },
      {
        "access_type": true,
        "name": "ServiceGroups",
        "display_name": "Service Groups"
      },
      {
        "access_type": true,
       "name": "Authentication",
        "display_name": "Authentication"
      },
      {
        "access_type": true,
        "name": "MonitoringAuditing",
        "display_name": "Auditing"
      },
      {
        "access_type": true,
        "name": "MonitoringSettings",
        "display_name": "Settings"
      },
      {
        "access_type": true,
        "name": "GSLBDomains",
        "display_name": "Domains"
      },
      {
        "access_type": true,
        "name": "GSLBServices",
        "display_name": "Services"
      },
      {
        "access_type": true,
        "name": "GSLBVirtualServer",
        "display_name": "Virtual Server"
      },
      {
        "access_type": true,
        "name": "NetScalerGateway",
        "display_name": "NetScaler Gateway"
      },
      {
        "access_type": true,
        "name": "ContentSwitching",
        "display_name": "Content Switching"
      },
      {
        "access_type": true,
        "name": "DNSDomainNames",
        "display_name": "DNS Domain Names"
      },
      {
        "access_type": true,
        "name": "NetworkDashboard",
        "display_name": "Instances Dashboard"
      },
      {
        "access_type": true,
        "name": "NetScalerSDWANWOInstances",
        "display_name": "NetScaler SD-WAN"
      },
      {
        "access_type": true,
        "name": "InstanceOperations",
        "display_name": "Instance Operations"
      },
      {
        "access_type": true,
        "name": "NetScalerInstances",
        "display_name": "NetScaler ADC"
      },
      {
        "access_type": true,
        "name": "HAProxyInstances",
        "display_name": "HAProxy"
      },
      {
        "access_type": true,
        "name": "NetScalerCPXDockerHost",
        "display_name": "Docker Hosts"
      },
      {
        "access_type": true,
        "name": "Reports",
        "display_name": "Reports"
      },
      {
        "access_type": true,
        "name": "Thresholds",
        "display_name": "Thresholds"
      },
      {
        "access_type": true,
        "name": "ReportingSettings",
        "display_name": "Settings"
      },
      {
        "access_type": true,
        "name": "Licenses",
        "display_name": "License Management"
      }
    ]
  }
}

REST API to create an access role

URL: https://<MAS_IP>/nitro/v2/config/rba_role
HTTPMETHOD: POST

Payload:
{
  "rba_role": {
    "name": "AppOwnerRole",
    "description": "ExampleCompany App Owner Role",
    "policies": [
      "AppOwnerAccessPolicy"
    ]
  }

REST API to upload new GSLB StyleBook

URL: https://<MAS_IP>/stylebook/nitro/v2/config/stylebooks
HTTPMETHOD: POST

Payload:
{
    "stylebook": {
      "file_name": "my-own-gslb.yaml",
      "source": "bmFtZTogZ3NsYi1kbnMtZG9tYW...aXRvcm5hbWU=",
      "encoding": "base64"
    }
  }

Note

The name of the StyleBook might change on your system.

REST API to create groups and assign selected instances and StyleBooks

URL: https://<MAS_IP>/nitro/v2/config/mpsgroup
HTTPMETHOD: POST

Payload:
{
  "mpsgroup": {
    "id": "",
    "name": "AppOwnerGroup1",
    "description": "ExampleCompany App Owner Group",
    "roles": [
      "AppOwnerRole"
    ],
    "enable_session_timeout": false,
    "assign_all_devices": false,
    "ass ign_all_apps": false,
    "application_names_with_regex": [

    ],
    "standalone_instances_id": [
      "72c178da-47df-4426-9acc-cd6316f92506",
      "c948061e-6240-4062-931c-f6988ef36e3b"
    ],
    "application_list": [

    ],
    "permission": "none",
    "application_names": [

    ],
    "authscope_props": [
      {
        "propname": "configuration_template_id",
        "propvalues": [
          "NONE"
        ]
      },
      {
        "propname": "dns_domain_entry_id",
        "propvalues": [
          "cf6631e5-2f56-4bb1-b0a5-90fabfc0e3e2",
          "b268905c-522d-47e3-a2ca-3f8d8a754373"
        ]
      },
      {
        "propname": "stylebook_id",
        "propvalues": [
          "gslbbb963abe85936913035e1d4dd14b56f7",
          "moni72fad4494466d102b19c18ac329fa9f3"
        ]
      }
    ],
    "tenant_id": "6d024111-6636-4571-a250-d47b31aba7a8"
  }
}

Note

In order to obtain the IDs for DNS domain names, and GSLB StyleBooks to be used in the API payload above, you can use regular Citrix ADM APIs for querying IDs corresponding to entity names. For example, to obtain the ID for a DNS domain called “app1.acme.com”, you can use the following Citrix ADM REST API.

URL: https://<MAS_IP>/nitro/v2/config/dns_domain_entry?filter=name: app1.acme.com
HTTPMETHOD: GET

The ID of this domain can be extracted from the following response.
{
  "errorcode": 0,
  "message": "Done",
  "operation": "get",
  "resourceType": "dns_domain_entry",
  "username": "nsroot",
  "tenant_name": "Owner",
  "tenant_id": "568d8e12-1d88-42b2-8943-cbaa04826fd1",
  "resourceName": "",
  "dns_domain_entry": [
    {
      "tenant_id": "568d8e12-1d88-42b2-8943-cbaa04826fd1",
      "name": "app1.acme.com",
      "id": "3e3d85ea-1c21-49b2-97f4-60fccdbae2e0",
      "description": "app1 domain name"
    }
  ]
}

Similarly, to obtain the StyleBook ID for a StyleBook whose namespace is com.citrix.adc.stylebook, version: 1.0, name: my-own-gslb, you can use the following API.

URL: https://<MAS_IP>/stylebook/nitro/v1/config/stylebooks?filter=name:my-own-gslb,namespace:com.citrix.adc.stylebooks,version:1.0
HTTPMETHOD: GET

The response contains the StyleBook details, including its ID attribute.

{
  "stylebooks": [
    {
      "author": null,
      "builtin": "false",
      "builtins": "{"netscaler.nitro.config": "10.5"}",
      "deprecate": "false",
      "description": " This StyleBook is used to configure one or a number of Citrix ADCs in different sites into a GSLB setup. It is assumed that the SNIP IP on each Citrix ADC to be used by this StyleBook as the Site IP is already configured on the appliance.",
      "display_name": "HTTP/SSL LoadBalancing StyleBook",
      "filename": "my-own-gslb.yaml",
      "hide": null,
      "id": "gslb5a748d8b7684846cf6c409ad7dea8ccf",
      "imported_by": "",
      "imported_datetime": "2018-05-25 17:20:32.848902",
      "name": "my-own-gslb",
      "namespace": "com.citrix.adc.stylebooks",
      "pkg_id": "gslb5a748d8b7684846cf6c409ad7dea8ccf",
      "primary_keys": "["name"]",
      "private": "false",
      "recompile": "false",
      "schema_version": "1.0",
      "source": "LS0tIApuYW1lOiBsYgpuYW1lc…",
      "system": null,
      "tags": "",
      "tenant_id": null,
      "user_sb": "false",
      "version": "1.0"
    },
    {
      …
    }
  ]
}

Note

The above API returns a list of StyleBooks that match the filter. Ensure that you select the correct StyleBook from the response to retrieve the ID.

REST API to create system user

Note

This step is optional.

URL: https://<MAS_IP>/nitro/v2/config/mpsuser
HTTPMETHOD: POST

Payload:
{
  "mpsuser": {
    "name": "John",
    "password": "welcome",
    "external_authentication": false,
    "enable_session_timeout": false,
    "groups": [
      "AppOwnerGroup1"
    ]
  }
}

Workflow for the application owners

Your users must log on as application users using their credentials. The users must follow this task to create their own DNS domain names and use the new GSLB StyleBook.

  1. In Citrix ADM, navigate to Networks > DNS Domain Names.

  2. Click Add to create a new DNS domain. Create the DNS domains in Citrix ADM.

    localized image

    Note

    As an admin, you can also create these domain names and assign them to the user groups.

  3. Navigate to Applications > Dashboard and click Define Custom App.

    localized image

  4. Type a name for the application and select a category. Select Create a new application from a StyleBook and click OK. Select My own GSLB StyleBook to deploy the configuration on the selected instances.

    localized image

  5. Type the values required for all parameters in the StyleBook.

    1. Select the domain name from the list.

    2. Add the GSLB sites of your application as applicable.

    3. Select the target Citrix ADC instances in all the GSLB sites.

    4. Click Create to create a GSLB configuration.

      localized image

    Note

    The StyleBook parameter “DNS Domain Name” displays only the list of DNS domains that belong to the user in Citrix ADM.

Citrix ADM REST API for app owner workflow

REST API to log on to Citrix ADM

URL: http: //<MAS_IP>/nitro/v2/config/login
HTTPMETHOD: POST

Payload:
{
  "login": {
    "username": "<USER_NAME>",
    "password": "<PASSWORD>",
    "session_timeout": 1800
  }
}

REST API to create DNS domain names

URL: https://<MAS_IP>/nitro/v2/config/dns_domain_entry
HTTP METHOD: POST
PAYLOAD: {"dns_domain_entry":{"name":"app1.acme.com","description":"app1 acme domain"
}
}

REST API to create applications using StyleBook

URL: https://<MAS_IP>/nitro/v2/config/application
HTTPMETHOD: POST

Payload:
{
  "params": {
    "action": "app_discovery"
  },
  "application": {
    "id": "",
    "name": "app1",
    "app_c ategory": "ITOps",
    "stylebook_params": "{"name":"my-own-gslb","namespace":"com.citrix.adc.stylebooks","version":"1.0","configpack_payload":{"parameters":{"name":"app1","domain-name":"app1.acme.com",]"ttl":"30","algorithm":"ROUNDROBIN","protocol":"HTTP","sites":[{"name":"site1","ipaddress":"6.5.6.77","virtual-ip":"88.6.5.44","virtual-port":"80"}]},"targets":[ {"id":"72c178da-47df-4426-9acc-cd6316f92506"}, {"id":"0e4d0789-bffe-4266-ba1c-09adfc61db4e"}, {"id":"b5af4455-3f06-4f56-b0cb-3d9f868c1f94"}]}}"
  }
}

In the above payload:

  • The “stylebook_params” contains the name, namespaces and version of the StyleBook to use.

  • The “configpack_payload” contains the filled parameters of the StyleBook as shown in the equivalent GUI form above. Citrix ADM ensures that only DNS domain names that the user has access to, can be used as values for the parameter “domain-name”.

  • The “targets” contain the list of NetScaler IDs on which the GSLB configuration will be deployed (the NetScalers on the GSLB sites).

To obtain the NetScaler ID given a NetScaler’s management IP address, you can use the following Citrix ADM API:

URL: https://<MAS_IP>/nitro/v2/config/ns?filter=ip_address: 192.168.153.162
HTTPMETHOD: GET

The response payload contains information about this NetScaler, including its ID:

{
  "errorcode": 0,
  "message": "Done",
  ….."tenant_id": "ec0eb868-0d6b-4729-bfbd-3005dd2694c1",
  "resourceName": "",
  "ns": [
    {
      "manufacturedate": "9/30/2009",
      "is_grace": "false",
      "hostname": "youcef-ns",
      "std_bw_config": "0",
      "gateway_deployment": "false",
      "gateway_ipv6": "",
      "ha_master_state": "Primary",
      "instance_available": "0",
      "device_finger_print": "",
      "instance_state": "Down",
      "reason": "Device not reachable",
      "name": "",
      "ent_bw_available": "0",
      "description": "",
      "id": "da9ffff2-c100-45f1-a913-c542718338b2",
      "mgmt_ip_address": "192.168.153.162",
      ….
    }
  ]
}

Build your StyleBook

The full content of the file “my-own-gslb.yaml” StyleBook is shown below: You can use this custom StyleBook the way it is or customize it to your needs to generate the required GSLB configuration. The important parameter in this StyleBook called “domain-name” that should be present in any StyleBook to make use of the DNS names functionality.

name: my-own-gslb
namespace: com.citrix.adc.stylebooks
version: "1.0"
display-name: My own GSLB StyleBook
description: This StyleBook is used to configure one or a number of NetScalers in different sites into a GSLB setup. It is assumed that the SNIP IP on each NetScaler to be used by this StyleBook as the Site IP is already configured on the appliance.
schema-version: "1.0"
import-stylebooks:
  -
    namespace: netscaler.nitro.config
    version: "10.5"
    prefix: ns
  -
    namespace: com.citrix.adc.commontypes
    version: "1.0"
    prefix: cmtypes
parameters:
  -
    name: name
    label: Application Name
    type: string
    required: true
    key: true
  
  -
    name: domain-name
    label: DNS Domain Name
    description: GSLB DNS Domain Name
    type: string
    required: true
    allowed-dynamic-values:
      source: local
      resource-type: dns_domain_entry

  -
    name: ttl
    label: TTL for the Domain
    description: Time-To-Live value (number of seconds) for the Domain
    type: number
    default: 30

  -
    name: algorithm
    label: LB Algorithm
    description: Global Load Balancing Algorithm
    type: string
    default: ROUNDROBIN
    allowed-values:
      - ROUNDROBIN
      - STATICPROXIMITY
      - SOURCEIPHASH

  -
    name: protocol
    label: Protocol
    description: The protocol of the GSLB VIP
    type: string
    default: HTTP
    allowed-values:
      - HTTP
      - FTP
      - TCP
      - UDP
      - SSL
      - SSL_BRIDGE
      - SSL_TCP
      - NNTP
      - ANY
      - SIP_UDP
      - SIP_TCP
      - SIP_SSL
      - RADIUS
      - RDP
      - RTSP
      - MYSQL
      - MSSQL
      - ORACLE

  -
    name: monitor
    label: LB Monitor
    description: Monitor to be bound to the GSLB service
    type: cmtypes::monitor

  -
    name: sites
    label: GSLB Sites
    description: Provide information about the GSLB Sites
    type: object[]
    required: true
    parameters:
      -
        name: name
        label: Site Name
        type: string
        required: true
      -
        name: ipaddress
        label: Site IP Address
        description: The IP Address of this Site. Use a SNIP IP address on the site's appliance.
        type: ipaddress
        required: true
      -
        name: public-ipaddress
        label: Site Public IP Address
        description: The Public IP Address of this Site. It NATs to the Site's IP address
        type: ipaddress
      -
        name: virtual-ip
        label: Site VIP IP
        description: The IP Address for the GSLB Service on this site (The VIP on this Site)
        type: ipaddress
        required: true
      -
        name: virtual-port
        label: Site VIP Port
        description: The port number for the GSLB Service (VIP) on this site
        type: tcp-port
        default: 80

components:
  -
    name: enable-gslb-comp
    type: ns::nsfeature
    description: Enables the GSLB feature
    meta-properties:
      action: enable
    properties:
      feature: ["GSLB", "LB"]
  -
    name: gslb-monitor-comp
    type: cmtypes::monitor
    condition: $parameters.monitor
    properties:
      monitorname: $parameters.name + "-" + $parameters.monitor.monitorname + "-gslbmon"
      type: $parameters.monitor.type
      destip?: $parameters.monitor.destip
      destport?: $parameters.monitor.destport
      httprequest?: $parameters.monitor.httprequest
      send?: $parameters.monitor.send
      customheaders?: $parameters.monitor.customheaders
      respcodes?: $parameters.monitor.respcodes
      recv?: $parameters.monitor.recv
      lrtm?: $parameters.monitor.lrtm
      secure?: $parameters.monitor.secure
      interval?: $parameters.monitor.interval
      interval_units?: $parameters.monitor.interval_units
      resptimeout?: $parameters.monitor.resptimeout
      retries?: $parameters.monitor.retries
      downtime?: $parameters.monitor.downtime
  -
    name: gslb-vserver-comp
    type: ns::gslbvserver
    description: Creates a GSLB VServer config object
    properties:
      name: $parameters.name + "-gslbvserver"
      servicetype: $parameters.protocol
      lbmethod: $parameters.algorithm
    components:
      -
        name: gslb-domain-comp
        type: ns::gslbvserver_domain_binding
        properties:
          name: $parent.properties.name
          domainname: $parameters.domain-name
          ttl: $parameters.ttl
  -
    name: gslb-site-comp
    type: ns::gslbsite
    description: Creates a GSLB Site config object
    repeat: $parameters.sites
    repeat-item: site
    properties:
      sitename: $parameters.name + "-" + $site.name + "-gslbsite"
      siteipaddress: $site.ipaddress
      publicip?: $site.public-ipaddress
    components:
      -
        name: gslb-service-comp
        type: ns::gslbservice
        description: Creates a GSLB Service
        properties:
          servicename: $parameters.name + "-" + $site.name + "-gslbservice"
          ip: $site.virtual-ip
          servicetype: $parameters.protocol
          port: $site.virtual-port
          sitename: $parent.properties.sitename
        components:
          -
            name: gslb-vserver-service-binding-comp
            type: ns::gslbvserver_gslbservice_binding
            description: Creates a Binding between the GSLB vserver and the GSLB Service
            properties:
              name: $components.gslb-vserver-comp.properties.name
              servicename: $parent.properties.servicename
          -
            name: gslb-service-monitor-binding-comp
            type: ns::gslbservice_lbmonitor_binding
            description: Creates a Binding between the GSLB service and the GSLB monitor
            condition: $parameters.monitor
            properties:
              servicename: $parent.properties.servicename
              monitor_name: $components.gslb-monitor-comp.properties.monitorname