What is Thycotic TSS?
After initialization, the SDK CLI application lets the host retrieve the following without storing any passwords locally on the host:
- Tokens
- Secrets
- Secret fields
How is Thycotic SDK Client Secure?
It allows an application or server to request tokens, secrets, and secret fields without having to store a local password on the host, encrypted at rest or not. This is done by generating and storing a key that only this host can use.
Yes, if the host's root or admin account is compromised and the attacker gains access to the code, all bets are off: they can gain access to all passwords. Security standards, compliance regimes and engineers frown upon passwords stored in a file.
Trust me, I have argued there is no difference.
How to Install
- Download the SDK Client from Thycotic to your Linux server; you will need an account to gain access.
- Create a directory called tss. I put it in one of the directories in my path, which I listed with:
echo $PATH
sudo mkdir /usr/local/bin/tss
- Unzip it to the new directory
sudo unzip 1.0.0-rhel.7-x64.zip -d /usr/local/bin/tss/
- Make tss executable
sudo chmod g+x /usr/local/bin/tss/tss
- If needed, you might want to change the group so your team has access
sudo chgrp YourGroupFile -hR /usr/local/bin/tss/
- Finally, test it. The output should look like this if it is installed correctly:
/usr/local/bin/tss/tss
Thycotic Secret Server Client - A Secret Server Integration Utility
Usage: tss [options] [command]
Options:
-v|--verbose Output verbose errors
-i|--interactive Enable interactive mode
-?|-h|--help Show help information
Commands:
cache Manage the cache strategy for this instance.
exit Exit the Secret Server CLI.
init Initializes this machine to communicate with your Thycotic Secret Server.
remove Remove configuration settings.
secret Get the value of a field from the specified secret
token Retrieve an access token to use in your scripts.
Use "tss [command] --help" for more information about a command.
- Now initialize.
- The format is:
tss init --url <url> -r <rule> -k <key>
- Example:
tss init --url https://myserver/SecretServer/ -r ProductionWebApp -k CNrQwRBscnq4qAZ6v3EIAcE27vQuLlz6KSpfRJHryyA=
- One error message that might occur is:
400 - Bad Request
{
"errorCode": "API_RuleDoesNotExist",
"message": "The onboarding rule does not exist."
}
----------
- If this occurs, make sure that the onboarding token matches the username.
- If successful, you will get:
----------
Your SDK Client Account registration is complete.
How to Get a Token for the Python REST API
The goal of this program is simply to use the TSS SDK to get a token that can be used for REST API requests to Thycotic.
Required Modules
Python 2.7.10 is not strictly required, but it is the version used here.
- pexpect==4.6.0
The Code
>>> import pexpect
>>> allTokenText = pexpect.run('/usr/local/bin/tss/tss token')
>>> allTokenText
'\x1b]0;Thycotic Secret Server CLI\x07\x1b[?1h\x1b=DYZbfxDzHNUFW5bgSlWXeeuzrvolP79_EWGK7xbD43_ppKV0TDcn7zEeA6oOkIyCE2irkFHlhe-PWKfiISB4CNmAvEpomP98Jry0FLgL5EOgA-53cQCUPCNSoOGlUwNv7F3EivYLeI2RxBQjLKBkYbU8jfmii8TojdcDRgVD_gR_V-Sz2ew3i_JmRKyxb_dj8brUaB36YXUqrN4W7-Gngu_b4v1E-G77dairW21zjqudN64bnB6g7cwxzP420HqUUJOumr7qIFZhwBBzhrmdgw7C_VVMNhD7SjsFwA6L9T7a_MR4a0vZ32JRcSNh07EkDa_PBACV830Q1oZmyFfN7MeJGtK4VxSJ-yWKGtaUQMBlYgbgop993CPEX48Nv-B44Z5FT-MMJ9xgFezWBSf2IfqnqTIuONFHaG9yEe-s99cv3h5w-rYQMn4crIDIMDAhTJQSrf_UyWhz81w8hnI-ie5Ou-Bii1UGbhr4WXsEwtaqV-syMLx879T0vup_mwkvUdqeHyWAJqyWDtGx4CZFU0Gsf_-ZDMJTjCEYWVDFVIQ-lspBNoeIXM04nNkg74CiLI5HAId9AT8jR1DgCh2dJ1WIlsWAgCoP2b68ewjNfav_9XxlURf3xQnEPmRjmRfDA8Pd6pwZMpJ49-EHgVbKrw\r\n'
The output captured from pexpect.run(cmd) has the terminal control sequence \x1b]0;Thycotic Secret Server CLI\x07\x1b[?1h\x1b= prepended to the token, so:
- Split it at the = with .split('=')
- Select item 1 of the resulting list with [1]
- Strip the trailing \r\n with .strip()
>>> allTokenText.split('=')[1].strip()
'DYZbfxDzHNUFW5bgSlWXeeuzrvolP79_EWGK7xbD43_ppKV0TDcn7zEeA6oOkIyCE2irkFHlhe-PWKfiISB4CNmAvEpomP98Jry0FLgL5EOgA-53cQCUPCNSoOGlUwNv7F3EivYLeI2RxBQjLKBkYbU8jfmii8TojdcDRgVD_gR_V-Sz2ew3i_JmRKyxb_dj8brUaB36YXUqrN4W7-Gngu_b4v1E-G77dairW21zjqudN64bnB6g7cwxzP420HqUUJOumr7qIFZhwBBzhrmdgw7C_VVMNhD7SjsFwA6L9T7a_MR4a0vZ32JRcSNh07EkDa_PBACV830Q1oZmyFfN7MeJGtK4VxSJ-yWKGtaUQMBlYgbgop993CPEX48Nv-B44Z5FT-MMJ9xgFezWBSf2IfqnqTIuONFHaG9yEe-s99cv3h5w-rYQMn4crIDIMDAhTJQSrf_UyWhz81w8hnI-ie5Ou-Bii1UGbhr4WXsEwtaqV-syMLx879T0vup_mwkvUdqeHyWAJqyWDtGx4CZFU0Gsf_-ZDMJTjCEYWVDFVIQ-lspBNoeIXM04nNkg74CiLI5HAId9AT8jR1DgCh2dJ1WIlsWAgCoP2b68ewjNfav_9XxlURf3xQnEPmRjmRfDA8Pd6pwZMpJ49-EHgVbKrw'
- Read it into a variable for later use in a REST API request
>>> token = allTokenText.split('=')[1].strip()
>>> token
'DYZbfxDzHNUFW5bgSlWXeeuzrvolP79_EWGK7xbD43_ppKV0TDcn7zEeA6oOkIyCE2irkFHlhe-PWKfiISB4CNmAvEpomP98Jry0FLgL5EOgA-53cQCUPCNSoOGlUwNv7F3EivYLeI2RxBQjLKBkYbU8jfmii8TojdcDRgVD_gR_V-Sz2ew3i_JmRKyxb_dj8brUaB36YXUqrN4W7-Gngu_b4v1E-G77dairW21zjqudN64bnB6g7cwxzP420HqUUJOumr7qIFZhwBBzhrmdgw7C_VVMNhD7SjsFwA6L9T7a_MR4a0vZ32JRcSNh07EkDa_PBACV830Q1oZmyFfN7MeJGtK4VxSJ-yWKGtaUQMBlYgbgop993CPEX48Nv-B44Z5FT-MMJ9xgFezWBSf2IfqnqTIuONFHaG9yEe-s99cv3h5w-rYQMn4crIDIMDAhTJQSrf_UyWhz81w8hnI-ie5Ou-Bii1UGbhr4WXsEwtaqV-syMLx879T0vup_mwkvUdqeHyWAJqyWDtGx4CZFU0Gsf_-ZDMJTjCEYWVDFVIQ-lspBNoeIXM04nNkg74CiLI5HAId9AT8jR1DgCh2dJ1WIlsWAgCoP2b68ewjNfav_9XxlURf3xQnEPmRjmRfDA8Pd6pwZMpJ49-EHgVbKrw'
Hi Daniel,
Thanks for your post. I am trying to initialize tss using the official guide, which is similar to the instructions on your page. I am getting a 500 error while sending the request. This is related to the peer certificate:
500 – An error occurred while sending the request.
System.Net.Http.HttpRequestException: An error occurred while sending the request. —> System.Net.Http.CurlException: Peer certificate cannot be authenticated with given CA certificates
Did you face anything like this? Any thoughts on how this can be tackled?
I did not run into that problem. From the sound of things, your host does not seem to trust that CA. If it is self-signed, that might be a difficult one. What happens if you just use the curl command against a URL on the Secret Server? If it is not self-signed, then just import the root CA so that your server trusts it.