How to connect to an SSL enabled TEA server using Python.

How to connect to an SSL enabled TEA server using Python.

book

Article ID: KB0084629

calendar_today

Updated On:

Products Versions
TIBCO Enterprise Administrator (TEA) -
Not Applicable -

Description

Description:
TIBCO Enterprise Administrator provides a command line utility called the TIBCO Enterprise Administrator shell. The same activities can also be performed using a Python scripting. Attached is a sample shell and python script (Filename: realmConfiguration_from_shell.txt, realmConfigurationFromPython.py) to configure an LDAP realm, import groups and users.


Resolution

Below are the steps to connect to SSL enabled TEA server using Python.


1). Convert your server jceks keystore to PKCS12 keystore.


# converting Client keystore to PKCS12 keystore
# sample command follows.
# keytool -importkeystore -srckeystore <client keystore file> -destkeystore <dest keystore file with .p12 extension> -srcstoretype <src keystore type> -deststoretype <dest keystore type> -srcstorepass <src keystore password> -deststorepass <dest keystore password> -srcalias <src client keystore alias> -destalias <dest client keystore alias> -srckeypass <src key password> -destkeypass <dest key password> -noprompt
# e.g.
keytool -importkeystore -srckeystore httpclientsslkeys.jceks -destkeystore httpclientsslkeys.p12 -srcstoretype JCEKS -deststoretype PKCS12 -srcstorepass password -deststorepass password -srcalias httpclient -destalias httpclient -srckeypass password -destkeypass password -noprompt 
 
# converting Server keystore to PKCS12 keystore.
# Sample command follows.
# keytool -importkeystore -srckeystore <server keystore file> -destkeystore <dest keystore file with .p12 extension> -srcstoretype <src keystore type> -deststoretype <dest keystore type> -srcstorepass <src keystore password> -deststorepass <dest keystore password> -srcalias <src server keystore alias> -destalias <dest server keystore alias> -srckeypass <src key password> -destkeypass <dest key password> -noprompt
# e.g.
keytool -importkeystore -srckeystore httpserversslkeys.jceks -destkeystore httpserversslkeys.p12 -srcstoretype JCEKS -deststoretype PKCS12 -srcstorepass password -deststorepass password -srcalias httpserver -destalias httpserver -srckeypass password -destkeypass password -noprompt

2). Convert this .p12 files to .pem files

#converting .p12 to .pem using openssl with encrypted PEM password.
# command format.
openssl pkcs12 -in <your .p12 keystore file> -out <new .pem file name with .pem extension> -passin pass:<your .p12 keystore password>
 
# e.g. convert client .p12 keystore to .pem
openssl pkcs12 -in httpclientsslkeys.p12 -out httpclientsslkeys.pem -passin pass:password
# e.g. convert server .p12 keystore to .pem
openssl pkcs12 -in httpserversslkeys.p12 -out httpserversslkeys.pem -passin pass:password
 
# Note: It will prompt you for passwords. Enter it and you will have your .pem file. This will store the encrypted password in the file.
# While connecting to the TEA Server using tibco.tea.EnterpriseAdministrator(), it will ask you for the PEM password. After enterong those passwords you will be connected to the server.
 
# If you do not want to provide the PEM password, you can use the following command to store the non-encrypted key in the certificate.
# command format.
openssl pkcs12 -in <your .p12 keystore file> -out <new .pem file name with .pem extension> -passin pass:<your .p12 keystore password> -nodes
 
# e.g. convert client .p12 keystore to .pem
openssl pkcs12 -in httpclientsslkeys.p12 -out httpclientsslkeys.pem -passin pass:password -nodes
# e.g. convert server .p12 keystore to .pem

openssl pkcs12 -in httpserversslkeys.p12 -out httpserversslkeys.pem -passin pass:password -nodes

3). Refer to following table to connect to the TEA Server when it is SSL enabled.


Authentication

Combinations

Usage of client and server cert paths

Certification based

Mutual Authentication

http.want.client.auth = true

http.need.client.auth = false

only provide server_cert_path.

So that means the client certification is optional.

http.want.client.auth = false

http.need.client.auth = true

provide both client_cert_path and server_cert_path.

So that means the client certification is required.

http.want.client.auth = true

http.need.client.auth = true

Same as the above case, the client certification is required.

Certification based

One-way Authentication

http.want.client.auth = false

http.need.client.auth = false

only provide server_cert_path.



4). A sample script to connect to an SSL enabled TEA Server for mutual authentication is as follows.


import tibco.tea
# The URL should be the HTTPS URL.
# client_cert_path is the path to the client .pem keystore which you created in step #2.
# server_cert_path is the path to the server .pem keystore which you created in step #2.
tea = tibco.tea.EnterpriseAdministrator(url='https://localhost:8777', \
    client_cert_path='/home/pjajoo/SSLCertificates/SSL-scripts/httpclientsslkeys2.pem', \
    server_cert_path='/home/pjajoo/SSLCertificates/SSL-scripts/httpserversslkeys2.pem')




Note: 

  • Refer to KB 44448 for more samples of Python and shell commands to configure realms.
  • Sample  file "realmConfiguration from shell.txt" and "realmConfiguration from python.py" are attached to this KB.

Issue/Introduction

How to connect to an SSL enabled TEA server using Python.

Additional Information

KB 44448

Attachments

How to connect to an SSL enabled TEA server using Python. get_app
How to connect to an SSL enabled TEA server using Python. get_app
Powered by Wolken Software