How to connect to an SSL enabled TEA server using Python.


Article ID: KB0084629


Products Versions
TIBCO Enterprise Administrator (TEA) -
Not Applicable -

Description

TIBCO Enterprise Administrator provides a command-line utility called the TIBCO Enterprise Administrator shell. The same activities can also be performed using Python scripting. Attached are a sample shell script and a sample Python script (file names: realmConfiguration_from_shell.txt, realmConfigurationFromPython.py) that configure an LDAP realm and import groups and users.


Issue/Introduction

How to connect to an SSL enabled TEA server using Python.

Resolution

Below are the steps to connect to an SSL enabled TEA server using Python.


1). Convert your client and server JCEKS keystores to PKCS12 keystores.


# converting Client keystore to PKCS12 keystore
# sample command follows.
# keytool -importkeystore -srckeystore <client keystore file> -destkeystore <dest keystore file with .p12 extension> -srcstoretype <src keystore type> -deststoretype <dest keystore type> -srcstorepass <src keystore password> -deststorepass <dest keystore password> -srcalias <src client keystore alias> -destalias <dest client keystore alias> -srckeypass <src key password> -destkeypass <dest key password> -noprompt
# e.g.
keytool -importkeystore -srckeystore httpclientsslkeys.jceks -destkeystore httpclientsslkeys.p12 -srcstoretype JCEKS -deststoretype PKCS12 -srcstorepass password -deststorepass password -srcalias httpclient -destalias httpclient -srckeypass password -destkeypass password -noprompt 
 
# converting Server keystore to PKCS12 keystore.
# Sample command follows.
# keytool -importkeystore -srckeystore <server keystore file> -destkeystore <dest keystore file with .p12 extension> -srcstoretype <src keystore type> -deststoretype <dest keystore type> -srcstorepass <src keystore password> -deststorepass <dest keystore password> -srcalias <src server keystore alias> -destalias <dest server keystore alias> -srckeypass <src key password> -destkeypass <dest key password> -noprompt
# e.g.
keytool -importkeystore -srckeystore httpserversslkeys.jceks -destkeystore httpserversslkeys.p12 -srcstoretype JCEKS -deststoretype PKCS12 -srcstorepass password -deststorepass password -srcalias httpserver -destalias httpserver -srckeypass password -destkeypass password -noprompt

2). Convert these .p12 files to .pem files.

# Converting .p12 to .pem using openssl, with the private key protected by a PEM pass phrase.
# command format.
openssl pkcs12 -in <your .p12 keystore file> -out <new .pem file name with .pem extension> -passin pass:<your .p12 keystore password>
 
# e.g. convert client .p12 keystore to .pem
openssl pkcs12 -in httpclientsslkeys.p12 -out httpclientsslkeys.pem -passin pass:password
# e.g. convert server .p12 keystore to .pem
openssl pkcs12 -in httpserversslkeys.p12 -out httpserversslkeys.pem -passin pass:password
 
# Note: openssl will prompt you for a PEM pass phrase. Enter it and you will have your .pem file. The private key is stored in the file encrypted with that pass phrase.
# While connecting to the TEA Server using tibco.tea.EnterpriseAdministrator(), it will ask you for the PEM password. After entering those passwords you will be connected to the server.

# If you do not want to provide the PEM password, you can use the following command to store the private key unencrypted in the .pem file. In that case, keep the file readable only by the account that runs the script.
# command format.
openssl pkcs12 -in <your .p12 keystore file> -out <new .pem file name with .pem extension> -passin pass:<your .p12 keystore password> -nodes
 
# e.g. convert client .p12 keystore to .pem
openssl pkcs12 -in httpclientsslkeys.p12 -out httpclientsslkeys.pem -passin pass:password -nodes
# e.g. convert server .p12 keystore to .pem
openssl pkcs12 -in httpserversslkeys.p12 -out httpserversslkeys.pem -passin pass:password -nodes

3). Refer to the following table to connect to the TEA Server when it is SSL enabled.

| Authentication | Combinations | Usage of client and server cert paths |
|---|---|---|
| Certification based Mutual Authentication | http.want.client.auth = true, http.need.client.auth = false | Only provide server_cert_path. So that means the client certification is optional. |
| Certification based Mutual Authentication | http.want.client.auth = false, http.need.client.auth = true | Provide both client_cert_path and server_cert_path. So that means the client certification is required. |
| Certification based Mutual Authentication | http.want.client.auth = true, http.need.client.auth = true | Same as the above case, the client certification is required. |
| Certification based One-way Authentication | http.want.client.auth = false, http.need.client.auth = false | Only provide server_cert_path. |


4). A sample script to connect to an SSL enabled TEA Server for mutual authentication is as follows.


import tibco.tea
# The URL should be the HTTPS URL.
# client_cert_path is the path to the client .pem keystore which you created in step #2.
# server_cert_path is the path to the server .pem keystore which you created in step #2.
tea = tibco.tea.EnterpriseAdministrator(url='https://localhost:8777', \
    client_cert_path='/home/pjajoo/SSLCertificates/SSL-scripts/httpclientsslkeys2.pem', \
    server_cert_path='/home/pjajoo/SSLCertificates/SSL-scripts/httpserversslkeys2.pem')
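
A pre-flight check for the .pem files from step 2 against the table in step 3, added here as an illustration; it is not part of the TIBCO article or of the tibco.tea module. It reports a missing client file when http.need.client.auth = true, an unencrypted client key (-nodes) that other accounts can read, and a server file that still carries the server's private key. The function names and sample PEM text are constructed, and the check assumes the single client file must hold both the certificate and its key.

```python
import os
import re
import stat

_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.M)  # PEM block header

def inspect_pem(text):
    """Summarise the blocks in a .pem file written by `openssl pkcs12`."""
    labels = _BEGIN.findall(text)
    keys = [name for name in labels if name.endswith("PRIVATE KEY")]
    # PKCS#8 marks encryption in the label, the traditional format in a header.
    encrypted = any(k.startswith("ENCRYPTED") for k in keys) or "Proc-Type: 4,ENCRYPTED" in text
    return {"certs": labels.count("CERTIFICATE"), "keys": len(keys),
            "key_encrypted": bool(keys) and encrypted}

def preflight(need_client_auth, server_pem, client_pem=None, client_mode=0o600):
    """List problems for a given http.need.client.auth value (table in step 3)."""
    problems = []
    server = inspect_pem(server_pem)
    if server["certs"] == 0:
        problems.append("server_cert_path: no CERTIFICATE block")
    if server["keys"]:
        problems.append("server_cert_path: contains the server private key")
    if not need_client_auth:
        return problems  # client certificate is optional: server_cert_path suffices
    if client_pem is None:
        return problems + ["client_cert_path: required when http.need.client.auth = true"]
    client = inspect_pem(client_pem)
    if client["certs"] == 0 or client["keys"] == 0:
        # Assumption: the single client file must hold the certificate and its key.
        problems.append("client_cert_path: certificate or private key missing")
    elif not client["key_encrypted"] and client_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("client_cert_path: unencrypted key readable by group/other")
    return problems

def preflight_files(need_client_auth, server_cert_path, client_cert_path=None):
    """Run the same check on the files from step 2, using the real file mode."""
    def read(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    client = read(client_cert_path) if client_cert_path else None
    mode = stat.S_IMODE(os.stat(client_cert_path).st_mode) if client_cert_path else 0o600
    return preflight(need_client_auth, read(server_cert_path), client, mode)

def _block(label):  # constructed sample block with a placeholder body, not real key material
    return f"Bag Attributes\n-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n"
SERVER_PEM = _block("CERTIFICATE")                                      # certificate only
CLIENT_NODES = _block("PRIVATE KEY") + _block("CERTIFICATE")            # as written with -nodes
CLIENT_ENCRYPTED = _block("ENCRYPTED PRIVATE KEY") + _block("CERTIFICATE")  # pass phrase set
```

The client only needs the server's certificate to verify it, which is why a server_cert_path file that still contains a private key is reported.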




Note: 

  • Refer to KB 44448 for more samples of Python and shell commands to configure realms.
  • Sample files "realmConfiguration from shell.txt" and "realmConfiguration from python.py" are attached to this KB.

Additional Information

KB 44448
