Self-signed certificates in pyaim #53
Using verify=True with self-signed certs goes against the validation process... since self-signed, no trusted authority. Why not get a certificate especially for something like CyberArk to ensure no man in the middle attacks can occur.
Perhaps 'self-signed' is not the correct term. We have an internal, trusted certificate authority that provides a trusted CA cert. This enables the enterprise to execute a man in the middle attack on its own traffic for inspection reasons. Accepting that internal CA as trusted is an accepted risk. The SSL library used in pyaim has a mechanism for allowing custom certificate locations and is referenced in their Security Considerations section. I would like this mechanism surfaced in pyaim. For those who follow, I unwrapped the pyaim objects and recreated the relevant bits using the requests library something like this:

```python
import requests

CCP_ENDPOINT = 'https://cyberarkserver.my.domain.example.com'
DEFAULT_APPID = 'MyAppID'
DEFAULT_SAFEID = 'MySafeID'


def build_request(object_name, appid=None, safe=None, endpoint=None):
    # Assemble the AIMWebService query URL; returns None when no object name is given.
    if object_name is not None:
        if appid is None:
            appid = get_appid()
        if safe is None:
            safe = get_safeid()
        if endpoint is None:
            endpoint = get_ccp_endpoint()
        api_extension = "/AIMWebService/api/Accounts?"
        request_url = (endpoint + api_extension +
                       "AppID=" + appid +
                       "&" +
                       "Safe=" + safe +
                       "&" +
                       "Object=" + object_name)
        return request_url


def fetch_account(object_name):
    # Look up one account object by name using the module defaults.
    appid = get_appid()
    safe = get_safeid()
    endpoint = get_ccp_endpoint()
    request = build_request(object_name,
                            appid=appid,
                            safe=safe,
                            endpoint=endpoint)
    result = get_result(request=request)
    return result


def get_appid():
    return DEFAULT_APPID


def get_ccp_endpoint():
    return CCP_ENDPOINT


def get_result(request, verify='/etc/ssl/certs/ca-bundle.crt'):
    # verify is the path to the CA bundle that includes the internal CA;
    # returns the decoded JSON on HTTP 200 and None otherwise.
    if request is not None:
        result = requests.get(request, verify=verify)
        if result.status_code == 200:
            return result.json()


def get_safeid():
    return DEFAULT_SAFEID
```
This is currently a backlog item for me until more requests come through for this support. However, I just opened up contributions so feel free to submit a PR for this feature to be added!
My organization uses self-signed certs internally. I would like to be able to pass an argument to the object initializer to specify the cert location.

I verified that if I pass `verify=False` to the CCPPasswordREST() function, everything works. That's not ideal, though. This first code block demonstrates what I'm doing to replicate the conditions in the aimccp.py file. I grab the same package imports, set up the app endpoint (names all redacted), and walk through the object creation including SSL setup. I included the relevant part of the error message from the conn.getresponse() call.

I did some digging and found the `requests` package method of handling the verify argument. They allow for passing the location of your local certs bundle. The http.client package has a similar capability. This sample shows the added lines to my example that declare the local cert location. It turns out that the standard (on my distro, anyway) location for certs works fine. It just needs to be expressly declared. I think that is something to do with conda. When the essential line (`context.load_verify_locations(cafile=certs)`) is added to the non-working example above, the http.client code is able to connect to my app server. To integrate this, I suggest modifying the CCPPasswordREST definition to be something like this: This overloads the verify argument similar to the requests package. The alternate option I see would be to add another argument to the definition,

```python
def __init__(self, base_uri, verify=True, cafile='/etc/ssl/certs/ca-bundle.crt'):
```

or some such.
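One way to implement the overloaded `verify` argument proposed in this issue, as an added example that is not pyaim's own code: `build_ssl_context` and the `CCPPasswordREST` sketch below are hypothetical, and the mapping (True, False, or a CA bundle file/directory path) follows the requests package convention the discussion refers to, built on the same `ssl` / `http.client` calls the report mentions.

```python
import http.client
import os
import ssl
from urllib.parse import urlparse


def build_ssl_context(verify=True):
    """Map a requests-style ``verify`` value onto an ssl.SSLContext.

    True  -> verify against the interpreter's default trust store.
    path  -> verify against a CA bundle file or a hashed CA directory,
             e.g. the internal enterprise CA described in this issue.
    False -> no verification (kept only for parity with requests; such a
             client cannot detect an interposed endpoint).
    """
    context = ssl.create_default_context()   # CERT_REQUIRED + hostname check
    if verify is True:
        return context
    if verify is False:
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
        return context
    if isinstance(verify, (str, os.PathLike)):
        location = os.fspath(verify)
        if os.path.isdir(location):
            context.load_verify_locations(capath=location)
        else:
            # Raises FileNotFoundError for a missing bundle rather than
            # silently falling back to an empty trust store.
            context.load_verify_locations(cafile=location)
        return context
    raise TypeError("verify must be True, False or a path, got %r" % (verify,))


class CCPPasswordREST:
    """Hypothetical initializer with the overloaded verify argument."""

    def __init__(self, base_uri, verify=True, timeout=30):
        parsed = urlparse(base_uri)
        if parsed.scheme != "https":
            raise ValueError("CCP endpoint must be an https:// URL")
        self.host = parsed.hostname
        self.port = parsed.port or 443
        self.timeout = timeout
        self.context = build_ssl_context(verify)

    def connection(self):
        # Every request goes through a connection bound to the chosen context.
        return http.client.HTTPSConnection(self.host, self.port,
                                           context=self.context,
                                           timeout=self.timeout)
```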