Installing Thycotic SDK Client TSS on Linux

What is Thycotic TSS?

After initialization, the SDK CLI application lets the host retrieve the following without storing any passwords locally on the host:

  • Tokens
  • Secrets
  • Secret fields

How is Thycotic SDK Client Secure?

It allows an application or server to request tokens, secrets, and secret fields without having to store a local password on the host, whether encrypted at rest or not. This is done by generating and storing a key that only this host can use.

Yes, if the host's root or admin account gets compromised and the attacker gains access to the code, all bets are off and they can gain access to all passwords. Security standards, compliance regimes and engineers frown upon passwords stored in a file.

Trust me, I have argued there is no difference.

How to Install

  • Download the SDK Client from Thycotic to your Linux server; you will need an account to gain access.
  • Create a directory called tss. I put it in one of the directories in my path, which I found by entering:
    • echo $PATH
    • sudo mkdir /usr/local/bin/tss
  • Unzip it to the new directory:
    • sudo unzip 1.0.0-rhel.7-x64.zip -d /usr/local/bin/tss/
  • Make tss executable:
    • sudo chmod g+x /usr/local/bin/tss/tss
  • If needed, change the group so your team can have access:
    • sudo chgrp YourGroupFile -hR /usr/local/bin/tss/
  • Finally, test it. The output should look like this if it is installed correctly:
    • /usr/local/bin/tss/tss
Thycotic Secret Server Client - A Secret Server Integration Utility

Usage: tss [options] [command]

Options:
  -v|--verbose      Output verbose errors
  -i|--interactive  Enable interactive mode
  -?|-h|--help      Show help information

Commands:
  cache   Manage the cache strategy for this instance.
  exit    Exit the Secret Server CLI.
  init    Initializes this machine to communicate with your Thycotic Secret Server.
  remove  Remove configuration settings.
  secret  Get the value of a field from the specified secret
  token   Retrieve an access token to use in your scripts.

Use "tss [command] --help" for more information about a command.
  • Now initialize.
    • Format is:
    • tss init --url <url> -r <rule> -k <key>
    • Example:
    • tss init --url https://myserver/SecretServer/ -r ProductionWebApp -k CNrQwRBscnq4qAZ6v3EIAcE27vQuLlz6KSpfRJHryyA=
  • An error message that might occur is:
400 - Bad Request
{
  "errorCode": "API_RuleDoesNotExist",
  "message": "The onboarding rule does not exist."
}
----------
  • If this occurs, make sure that the onboarding token matches the username.
  • If successful, you will get:
----------
Your SDK Client Account registration is complete.

How to Get a Token for the Python REST API

The goal of this program is simply to use the TSS SDK to get a token that can be used for REST API requests to Thycotic.

Required Modules

Python 2.7.10 is not strictly required, but it is the version being used.

  • pexpect==4.6.0

The Code

>>> import pexpect
>>> allTokenText = pexpect.run('/usr/local/bin/tss/tss token')
>>> allTokenText
'\x1b]0;Thycotic Secret Server CLI\x07\x1b[?1h\x1b=DYZbfxDzHNUFW5bgSlWXeeuzrvolP79_EWGK7xbD43_ppKV0TDcn7zEeA6oOkIyCE2irkFHlhe-PWKfiISB4CNmAvEpomP98Jry0FLgL5EOgA-53cQCUPCNSoOGlUwNv7F3EivYLeI2RxBQjLKBkYbU8jfmii8TojdcDRgVD_gR_V-Sz2ew3i_JmRKyxb_dj8brUaB36YXUqrN4W7-Gngu_b4v1E-G77dairW21zjqudN64bnB6g7cwxzP420HqUUJOumr7qIFZhwBBzhrmdgw7C_VVMNhD7SjsFwA6L9T7a_MR4a0vZ32JRcSNh07EkDa_PBACV830Q1oZmyFfN7MeJGtK4VxSJ-yWKGtaUQMBlYgbgop993CPEX48Nv-B44Z5FT-MMJ9xgFezWBSf2IfqnqTIuONFHaG9yEe-s99cv3h5w-rYQMn4crIDIMDAhTJQSrf_UyWhz81w8hnI-ie5Ou-Bii1UGbhr4WXsEwtaqV-syMLx879T0vup_mwkvUdqeHyWAJqyWDtGx4CZFU0Gsf_-ZDMJTjCEYWVDFVIQ-lspBNoeIXM04nNkg74CiLI5HAId9AT8jR1DgCh2dJ1WIlsWAgCoP2b68ewjNfav_9XxlURf3xQnEPmRjmRfDA8Pd6pwZMpJ49-EHgVbKrw\r\n'

The output captured from pexpect.run(cmd) has \x1b]0;Thycotic Secret Server CLI\x07\x1b[?1h\x1b= prepended, so:

  • Split it at the = with .split('=')
  • Select item 1 of the resulting list with [1]
  • Strip the trailing \r\n with .strip()
>>> allTokenText.split('=')[1].strip()
'DYZbfxDzHNUFW5bgSlWXeeuzrvolP79_EWGK7xbD43_ppKV0TDcn7zEeA6oOkIyCE2irkFHlhe-PWKfiISB4CNmAvEpomP98Jry0FLgL5EOgA-53cQCUPCNSoOGlUwNv7F3EivYLeI2RxBQjLKBkYbU8jfmii8TojdcDRgVD_gR_V-Sz2ew3i_JmRKyxb_dj8brUaB36YXUqrN4W7-Gngu_b4v1E-G77dairW21zjqudN64bnB6g7cwxzP420HqUUJOumr7qIFZhwBBzhrmdgw7C_VVMNhD7SjsFwA6L9T7a_MR4a0vZ32JRcSNh07EkDa_PBACV830Q1oZmyFfN7MeJGtK4VxSJ-yWKGtaUQMBlYgbgop993CPEX48Nv-B44Z5FT-MMJ9xgFezWBSf2IfqnqTIuONFHaG9yEe-s99cv3h5w-rYQMn4crIDIMDAhTJQSrf_UyWhz81w8hnI-ie5Ou-Bii1UGbhr4WXsEwtaqV-syMLx879T0vup_mwkvUdqeHyWAJqyWDtGx4CZFU0Gsf_-ZDMJTjCEYWVDFVIQ-lspBNoeIXM04nNkg74CiLI5HAId9AT8jR1DgCh2dJ1WIlsWAgCoP2b68ewjNfav_9XxlURf3xQnEPmRjmRfDA8Pd6pwZMpJ49-EHgVbKrw'

  • Read it into a variable for later use in a REST API request:
>>> token = allTokenText.split('=')[1].strip()
>>> token
'DYZbfxDzHNUFW5bgSlWXeeuzrvolP79_EWGK7xbD43_ppKV0TDcn7zEeA6oOkIyCE2irkFHlhe-PWKfiISB4CNmAvEpomP98Jry0FLgL5EOgA-53cQCUPCNSoOGlUwNv7F3EivYLeI2RxBQjLKBkYbU8jfmii8TojdcDRgVD_gR_V-Sz2ew3i_JmRKyxb_dj8brUaB36YXUqrN4W7-Gngu_b4v1E-G77dairW21zjqudN64bnB6g7cwxzP420HqUUJOumr7qIFZhwBBzhrmdgw7C_VVMNhD7SjsFwA6L9T7a_MR4a0vZ32JRcSNh07EkDa_PBACV830Q1oZmyFfN7MeJGtK4VxSJ-yWKGtaUQMBlYgbgop993CPEX48Nv-B44Z5FT-MMJ9xgFezWBSf2IfqnqTIuONFHaG9yEe-s99cv3h5w-rYQMn4crIDIMDAhTJQSrf_UyWhz81w8hnI-ie5Ou-Bii1UGbhr4WXsEwtaqV-syMLx879T0vup_mwkvUdqeHyWAJqyWDtGx4CZFU0Gsf_-ZDMJTjCEYWVDFVIQ-lspBNoeIXM04nNkg74CiLI5HAId9AT8jR1DgCh2dJ1WIlsWAgCoP2b68ewjNfav_9XxlURf3xQnEPmRjmRfDA8Pd6pwZMpJ49-EHgVbKrw'
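A more defensive version of the parsing above, written for Python 3 and added here as an example rather than taken from the post or the SDK: instead of splitting at the first =, it strips the terminal control sequences tss emits under a pty (the window-title and keypad-mode sequences visible in the capture) and then checks that what remains is token-shaped, so an error message printed by tss raises an exception instead of being sent to the REST API as if it were a token. The token alphabet, the function names (is_token, extract_token, bearer_header, get_token) and both sample outputs are my assumptions and constructions, not anything defined by the SDK.

```python
import re

# Control sequences that tss emits before the token when it runs under a pty.
# The capture above shows two: an OSC window-title set ("\x1b]0;...\x07") and
# the keypad-mode sequence "\x1b[?1h\x1b=" right before the token. The pattern
# strips those and any other ESC-led sequence of the same three kinds
# (OSC ... BEL, a CSI sequence, and single-byte escapes such as "ESC =").
_ESC_SEQ = re.compile(r'\x1b(?:\][^\x07]*\x07|\[[0-?]*[ -/]*[@-~]|[0-_])')

# Assumption: a Secret Server SDK token uses the base64url alphabet with
# optional '=' padding. The token on the page fits this; adjust if yours differs.
_TOKEN = re.compile(r'^[A-Za-z0-9_-]+=*$')


def is_token(text):
    """True if `text` is a single base64url-looking value (no spaces, no prose)."""
    return bool(_TOKEN.match(text))


def extract_token(captured):
    """Return the bare token from the raw output of `tss token`.

    `captured` is what pexpect.run() returns: bytes on Python 3, str on Python 2.
    Escape sequences and line endings are removed, then the last non-empty line
    is taken (tss prints the token last). ValueError is raised when that line is
    not token-shaped, which is what happens when tss prints an error instead.
    """
    if isinstance(captured, bytes):
        captured = captured.decode('utf-8', 'replace')
    cleaned = _ESC_SEQ.sub('', captured)
    lines = [ln.strip() for ln in cleaned.splitlines() if ln.strip()]
    if not lines:
        raise ValueError('tss token produced no output')
    candidate = lines[-1]
    if not is_token(candidate):
        raise ValueError('tss token did not return a token: %r' % candidate)
    return candidate


def bearer_header(token):
    """Authorization header to attach to a Secret Server REST request."""
    return {'Authorization': 'Bearer ' + token}


def get_token(tss_path='/usr/local/bin/tss/tss'):
    """Run `tss token` under a pty with pexpect, as the post does, and parse it.

    pexpect is imported here so the parsing functions above are usable on a
    machine without pexpect or the tss binary installed.
    """
    import pexpect
    return extract_token(pexpect.run(tss_path + ' token'))


# Constructed sample in the same shape as the capture above, with a made-up
# token that ends in '=' padding. Splitting on '=' works for the page's token,
# which has no padding, but cuts this one short; stripping the escapes does not.
SAMPLE_OUTPUT = (b'\x1b]0;Thycotic Secret Server CLI\x07\x1b[?1h\x1b='
                 b'EXAMPLEtoken-abc_123==\r\n')

# Constructed error output (wording hypothetical) to exercise the failure path.
SAMPLE_ERROR = b'\x1b]0;Thycotic Secret Server CLI\x07This machine is not initialized.\r\n'


if __name__ == '__main__':
    tok = extract_token(SAMPLE_OUTPUT)
    print(tok)                                           # EXAMPLEtoken-abc_123==
    print(SAMPLE_OUTPUT.decode().split('=')[1].strip())  # EXAMPLEtoken-abc_123
    print(bearer_header(tok))
```

Only get_token needs pexpect and the tss binary; the rest runs anywhere, which also makes the parsing easy to unit test. The split approach is fine for the token shown, but a value with = padding would be truncated, and if tss printed an error (for example after the configuration was removed with tss remove) that text would be sent along as the bearer token; extract_token fails loudly in both cases.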

About Daniel Fredrick

Technology enthusiast, Programmer, Network Engineer CCIE# 17094


2 Comments on “Installing Thycotic SDK Client TSS on Linux”

  1. Hi Daniel,

    Thanks for your post. I am trying to initialize tss using the official guide, which is similar to the instructions on your page. I am getting a 500 error while sending the request. This is related to the peer certificate:

    500 – An error occurred while sending the request.
    System.Net.Http.HttpRequestException: An error occurred while sending the request. —> System.Net.Http.CurlException: Peer certificate cannot be authenticated with given CA certificates

    Did you face anything like this? Any thoughts on how this can be tackled?

    1. I did not run into that problem. From the sounds of things, your host does not seem to trust that CA. If it is self-signed, that might be a difficult one. What happens if you just use the curl command to a URL on the secret server? If it is not self-signed, then just import the root CA so that your server trusts it.
