Python Script

Connector name: agtpython

Connector type: Executable with Python script

Type (UI field value): Python Script

Target system versions supported / tested: Any system that can use a Python script to set passwords and create accounts.

Connector status / support: Bravura Security-Verified. This connector has been tested and is fully supported by Bravura Security.

Upgrade notes

If you have installed Connector Pack 4.5 or newer and are running a version of Bravura Security Fabric older than 12.6, alternate versions of the agtpython connector that are compatible with specific Python versions are located in the agent\alt directory.

The following Bravura Security Fabric operations are supported by the connector for Python scripts (agtpython):

  • get server information

  • user verify password

  • user change password

  • administrator reset password

  • administrator reset+expire password

  • expire password

  • unexpire password

  • check password expiry

  • administrator verify password

  • verify+reset password

  • enable account

  • disable account

  • check account enabled

  • lock account

  • unlock account

  • check account lock

  • expire account

  • check account expiry

  • unexpire account

  • create account

  • delete account

  • add user to group

  • delete user from group

  • add group to group

  • remove group from group

  • add owner(user) to group

  • remove owner(user) from group

  • create group

  • delete group

  • update group

  • move contexts

  • rename account

  • update attributes

  • run command

  • custom operations

  • list account attributes

  • challenge response authentication

  • List:

    • accounts

    • attributes

    • groups

    • members

    • computer objects

    • service accounts

    • members of built-in administrators group

For a full list and explanation of each connector operation, see Connector operations.

See also

Python Script (Ticket) shows you how to trigger updates when certain events occur on the Bravura Security Fabric server, using the pxpython interface program.

Preparation

Installing required software

Ensure that the following are installed on all Bravura Security Fabric servers:

  • Python 3.11.2+

  • Any required Python modules

Note

Ensure that Python is installed for all users. Python installs in the context of the current user by default. You must choose to do a custom install, then select "all users" when the selection becomes available. This will allow the Bravura Security Fabric service user (psadmin) account to have appropriate access to the Python installation.

It is recommended to add Python to the system PATH. This may also be added by selecting the option for "Add Python 3.11 to PATH" during the Python installation.

Writing a script

Account management operations are implemented using a Python script to provide details for interaction between Bravura Security Fabric and the target application. You must write this script and include it in the <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\script\ directory on the Bravura Security Fabric server. Sample scripts agtpython-simple.py and agtpython-sqlite.py are located in the samples directory. If you cannot find the sample file, try re-running setup to modify your installation. Sample files are automatically installed with complete (typical) installations. You can select them in custom installations.

Caution

Any sample script should be modified to fit your environment and prevent security exploits.

See general information about writing a Python script to support Bravura Security Fabric operations.

Configuring a target system administrator

Bravura Security Fabric uses a designated account (for example, psadmin) on the Python script target system to perform operations.

Ensure that the designated account can log into the application from the Bravura Security Fabric server, and that the account has the necessary privileges to set passwords and manage accounts.

Ensure that you set and note the account’s password. You will be required to enter the login ID and password when you add the target system to Bravura Security Fabric.

Targeting an application

For each application that uses a Python script to manage accounts, add a target (Manage the system > Resources > Target systems):

  • The Type is Python Script.

  • The Address requires the name of the Python Script file you created in Writing a script. Ensure that the script is located in the <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\script\ directory.

    You can optionally specify Other settings that can be used in the script. You must enter the settings in KVGroup format:

    {setting1=value;setting2=value;}

    For example:

    {hostname=pythonapp;}

    The address is entered as:

    {script=agtpython-simple.py;settings={hostname=pythonapp;};}

  • The Administrator ID and Password are the login ID and password for the target system administrator you configured in Configuring a target system administrator.

The full list of target system parameters is explained in Target System Options.
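The KVGroup address syntax above nests one group (settings) inside another, so a script that reads its own Other settings has to handle the nesting. The following parser is an added example written for this page, not code from the Bravura sample scripts; the grammar it assumes is exactly what the examples above show (key=value; entries, values either plain or a nested group, no escaping rules), and the function names are its own.

```python
def parse_kvgroup(text):
    """Parse a KVGroup string such as {script=x.py;settings={hostname=h;};} into a dict."""
    text = text.strip()
    value, pos = _parse_group(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after the closing brace at offset %d" % pos)
    return value

def _parse_group(s, i):
    """Parse one {key=value;...} group starting at s[i]; return (dict, index after '}')."""
    if i >= len(s) or s[i] != "{":
        raise ValueError("expected '{' at offset %d" % i)
    i += 1
    result = {}
    while True:
        if i >= len(s):
            raise ValueError("unterminated group (missing '}')")
        if s[i] == "}":
            return result, i + 1
        eq = s.find("=", i)
        if eq == -1:
            raise ValueError("expected 'key=' at offset %d" % i)
        key = s[i:eq].strip()
        if not key:
            raise ValueError("empty key at offset %d" % i)
        i = eq + 1
        if i < len(s) and s[i] == "{":
            # Nested group, e.g. the settings={...} element of the address.
            value, i = _parse_group(s, i)
        else:
            end = s.find(";", i)
            if end == -1:
                raise ValueError("missing ';' after the value of key %r" % key)
            value, i = s[i:end], end
        if i >= len(s) or s[i] != ";":
            raise ValueError("expected ';' after the value of key %r" % key)
        i += 1
        result[key] = value

def is_valid_kvgroup(text):
    """True when text parses as a KVGroup, False otherwise (for validating input)."""
    try:
        parse_kvgroup(text)
        return True
    except ValueError:
        return False

# Constructed address in the format described on this page.
SAMPLE_ADDRESS = "{script=agtpython-simple.py;settings={hostname=pythonapp;};}"
```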

Note

You can extend the address wizard by adding address line elements using the addressattrs function, as shown in the sample script. This is useful when creating a scripted target system with a scripted platform definition file.

Creating a template account

Consult the documentation included with your specific application to learn how to create an account to use as a template in Bravura Identity. You can then add account attributes to determine how new accounts should be created based on the template account’s parameters.

Bravura Security Fabric still requires a template account even when no attributes are copied from it; for example, when the configured action for all account attributes is Set.

Creating account attributes

The attributes that define accounts are unique to each application; you must therefore create your own set of account attributes. You can view the complete list of attributes that Bravura Security Fabric can manage, including native and pseudo-attributes, in the Manage the system (PSA) module's account attributes menu. See Account attributes for more information.

Managing groups

If group management functions are supported by your application, you can configure Bravura Security Fabric’s workflow engine to manage group membership on your targets. You can also map profile attributes to group attributes on the target so that users can select groups when making a request; however, this method is currently incompatible with group management through Bravura Security Fabric’s workflow configuration. Changes made in one method are not updated in the other.

For more information about account attributes and managed groups, see Groups.

Managing keys for Python-based targets

Note

Authentication key management was introduced in Connector Pack 4.5+.

When managing SSH keys for users and host keys for Python-based targets, use the appropriate programs on the operating system, for example ssh-keygen. Ensure that SSH keys are properly stored and managed to maintain security and prevent authentication issues.

The methods noted below are suitable for the aix_ng, solaris_ng, and linux_ng Python-based connectors. These connectors use the paramiko Python library to implement the SSHv2 protocol and establish a secure remote connection over SSH.

These connectors do not allow empty administrator passwords for password-based authentication.

When the authentication key file is used, the passphrase must be provided and you must enter it in the target system’s administrator ID password field. Authentication key files for users are stored in the <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\script\ directory.

Private Key Security Policies

Private key storage

Each organization has its own security policies for private key storage. Bravura Safe, for example, is one of the recommended products for private key storage. Leaving private keys on a UNIX system, although convenient, is not a secure practice.

The scenarios below for generating keys are meant to show a simple strategy for targeting a UNIX system, but public/private keys are ideally suited to sharing across an organization. Consider how best to implement a security policy for targeting multiple UNIX systems using a minimal set of public/private key pairs.

Generating different key formats and encryptions

You can also change the algorithm or key length to produce a shorter private key. For a secure RSA private key, the suggested bit length is now 2048. For example:

ssh-keygen -m PEM -t rsa -b 2048 -f user_ppk.pem

You would then use the ssh-copy-id command to copy the key to the authorized_keys file, for example:

ssh-copy-id <userid>@<hostname>
ssh-copy-id -i <keyfile> <userid>@<hostname>

Discovering Key Formats, Size, and Encryption

In most cases, RSA is still the industry standard for public/private key pairs; however, if you are unsure which key type and encryption method were used, run the following command:

ssh-keygen -lf <keyfile>

The output of this command indicates the key format that was used.

Public/Private Authentication Key Management

When configuring SSH connections, there are two general scenarios.

The first involves generating a public/private key pair, adding the public key to the authorized key file of the target SSH system, then adding the private key value as the target system's administrator password.

The private key is generated unencrypted and used as the administrator password. This method is preferred because the administrator password field is encrypted, and the process avoids the added complexity of storing private keys on the filesystem.

The second scenario entails using a pre-existing public/private key pair, typically in PEM/PPK format, such as when authenticating to an AWS UNIX instance. The authentication key file is used and the passphrase is specified for the administrator password.

Scenario one: Target using a private key value as the administrator password

This scenario is suitable when creating a key pair from a self-signed certificate not certified by a CA signing authority. It uses a private key value as the administrator password for authentication.

  1. Use the ssh-keygen program on the operating system to create the public/private key pair:

    ssh-keygen -m pem -t rsa

    Use the default file name to save the key.

    When prompted, do not specify a passphrase. This scenario does not work when a passphrase is specified.

  2. Add the public key to the user's authorized_keys file; for example:

    cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

  3. Generate a single-line value for the private key:

    cat ~/.ssh/id_rsa | tr -d '\n'; echo

    This will generate a private key that is in the following format:

    -----BEGIN RSA PRIVATE KEY-----<private key>-----END RSA PRIVATE KEY-----

  4. Ensure that the Authentication method target address option is set to RSA.

  5. Set the administrator ID to the SSH user that was used to create the private key. Copy the private key value from step 3 to use as the administrator password.

Scenario two: Target using an authentication key file and passphrase

This scenario is appropriate when importing a key pair from a signed certificate certified by a CA signing authority. It uses an authentication key file, with the key's passphrase used as the administrator password for authentication. The authentication key file is copied from the SSH server to the Bravura Security Fabric server.

  1. Use the ssh-keygen program on the operating system to create the public/private key pair:

    ssh-keygen -m pem -t rsa
  2. Choose a file name to save the key, for example, /root/.ssh/id_rsa_LINUX

  3. Enter a passphrase when prompted.

  4. Add the public key to the user's authorized_keys file; for example:

    cat ~/.ssh/id_rsa_LINUX.pub >> ~/.ssh/authorized_keys

  5. Copy the private key from the SSH server, for example from here:

    /root/.ssh/id_rsa_LINUX

    to the Bravura Security Fabric server in the script directory, for example here:

    <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\script\id_rsa_LINUX.key

  6. Ensure that the Authentication method target address option is set to RSA.

  7. Set the Authentication key file target address option to the key file name, for example: id_rsa_LINUX.key

  8. Set the administrator ID to the SSH user that was used to create the private key. Set the administrator password to the passphrase used for the SSH key.

Troubleshooting

When generating an SSH public/private key pair, using OPENSSH PKCS#8 formatted private keys as administrative passwords is not supported. These keys use the following format:

-----BEGIN OPENSSH PRIVATE KEY-----<value>-----END OPENSSH PRIVATE KEY-----

The following may also appear in the logs:

agtpython.exe Warning: Failed to connect with Python fabric error [OPENSSH PKCS#8 format private keys as admin passwords not supported].

The PKCS#8 keys are generated using a command such as "ssh-keygen". The underlying Python framework uses Paramiko and does not currently handle private keys as administrative passwords in PKCS#8 format.

Instead, the "-m pem" option must be used: ssh-keygen -m pem -t rsa.

When generating an SSH public/private key pair with a command such as ssh-keygen -m pem -t rsa, the passphrase must be blank/empty. This applies to Scenario one above, where the private key value is used as the administrator password.
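As an added pre-flight check (example code written for this page, not part of the Bravura documentation or the connector), the following Python functions test a private key against the two conditions above, PEM RSA form rather than OPENSSH form and no passphrase, and show the single-line conversion from step 3 of Scenario one together with its reverse. The function names and the constructed sample keys are this example's own.

```python
# Header lines ssh-keygen writes for the two private key formats discussed on this page.
PEM_RSA_BEGIN = "-----BEGIN RSA PRIVATE KEY-----"
PEM_RSA_END = "-----END RSA PRIVATE KEY-----"
OPENSSH_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"


def check_admin_password_key(pem_text):
    """Return (ok, reason) for a private key meant to be used as the administrator password."""
    lines = pem_text.strip().splitlines()
    first = lines[0] if lines else ""
    if first == OPENSSH_BEGIN:
        return False, "OPENSSH format; regenerate the key with ssh-keygen -m pem -t rsa"
    if first != PEM_RSA_BEGIN or lines[-1] != PEM_RSA_END:
        return False, "not a PEM RSA private key (first line: %r)" % first
    # A passphrase-protected PEM key carries these headers; Scenario one requires no passphrase.
    if "Proc-Type: 4,ENCRYPTED" in pem_text or "DEK-Info:" in pem_text:
        return False, "key is passphrase protected; generate it with an empty passphrase"
    return True, "ok"


def to_single_line(pem_text):
    """The value step 3 produces with `cat ~/.ssh/id_rsa | tr -d '\\n'`."""
    return pem_text.replace("\r", "").replace("\n", "")


def from_single_line(value):
    """Rebuild the multi-line PEM from the single-line value (64-character body lines)."""
    if not (value.startswith(PEM_RSA_BEGIN) and value.endswith(PEM_RSA_END)):
        raise ValueError("single-line value lacks the PEM RSA header or footer")
    body = value[len(PEM_RSA_BEGIN):-len(PEM_RSA_END)]
    body_lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([PEM_RSA_BEGIN] + body_lines + [PEM_RSA_END]) + "\n"


# Constructed sample keys: the bodies are placeholder text, not real key material.
GOOD_KEY = PEM_RSA_BEGIN + "\nMIIEplaceholderbody\n" + PEM_RSA_END + "\n"
ENCRYPTED_KEY = (PEM_RSA_BEGIN + "\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\n"
                 "MIIEplaceholderbody\n" + PEM_RSA_END + "\n")
OPENSSH_KEY = OPENSSH_BEGIN + "\nb3BlbnNzaHplaceholder\n-----END OPENSSH PRIVATE KEY-----\n"

if __name__ == "__main__":
    for label, key in (("good", GOOD_KEY), ("encrypted", ENCRYPTED_KEY), ("openssh", OPENSSH_KEY)):
        print(label, check_admin_password_key(key))
```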

Listing computer objects

In order for scripted connectors to write proper computer object list files for the Bravura Security Fabric server to load, the output file must be properly formatted. The script will load computers from any source that Python can use.

For Bravura Security Fabric 12.0.0 and later, the output must be in SQLite table format. It is written to the <target id>.db file in <instance>\psconfig\ and must include the following:

Table 1. agtpython discobj table output for computer objects

    | stableid      | type | longid        | shortid       | displayid            | sd |
    | Computer Name | COMP | Computer Name | Computer Name | Computer Description |    |


Table 2. agtpython discobjattr table output for computer objects

    | stableid      | type | attrkey     | attrval         | seqno |
    | Computer Name | COMP | cn          | Computer Name   | 0     |
    | Computer Name | COMP | objectGUID  | <GUID>          | 0     |
    | Computer Name | COMP | DnsHostName | <full dns name> | 0     |


See sample scripts agtpython-simple.py and agtpython-sqlite.py located in the samples directory.

Listing account objects

When listing account objects, agtpython writes output to files in the <instance>\psconfig\ directory.

For Bravura Security Fabric 12.0.0 or later, agtpython writes output in SQLite table format. It writes to the <target id>.db file in the <instance>\psconfig\ directory and must include the following:

Table 3. agtpython discobj table output for account objects

    | stableid      | type           | longid        | shortid       | displayid     | sd |
    | <SID of user> | <account type> | <SID of user> | <SID of user> | <Object name> |    |


Table 4. agtpython discobjattr table output for account objects

    | stableid      | type           | attrkey  | attrval   | seqno |
    | <SID of user> | <account type> | disabled | 0         | 0     |
    | <SID of user> | <account type> | deleted  | 0         | 0     |
    | <SID of user> | <account type> | attr1    | value 1-1 | 0     |
    | <SID of user> | <account type> | attr2    | value 1-2 | 0     |


Table 5. agtpython discobjrel table output for account objects

    | parent_stableid | parent_type    | reltype | child_stableid | child_type | child_name | child_sd       |
    | <SID of user>   | <account type> | SUB     | stableid       | ACCT       | longid     | securityDomain |


See sample scripts agtpython-simple.py and agtpython-sqlite.py located in the samples directory.
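As an added example covering both the computer object listing and the account object listing above (written for this page, not the shipped agtpython-sqlite.py sample), the following Python code writes the discobj and discobjattr tables with the standard-library sqlite3 module and reads one object's attributes back. The column names are those of Tables 1 to 4; the column types, the absence of other columns, and the use of seqno to number multi-valued attributes are assumptions to verify against the sample script.

```python
import os
import sqlite3
import tempfile

# Column names follow Tables 1-4 above; types and the absence of further columns are assumed.
SCHEMA = """
CREATE TABLE IF NOT EXISTS discobj (stableid TEXT, type TEXT, longid TEXT, shortid TEXT, displayid TEXT, sd TEXT);
CREATE TABLE IF NOT EXISTS discobjattr (stableid TEXT, type TEXT, attrkey TEXT, attrval TEXT, seqno INTEGER);
"""

def write_listing(con, computers, accounts):
    """computers: (name, description, guid, dnsname); accounts: (sid, type, name, attrs dict)."""
    with con:
        con.executescript(SCHEMA)
        for name, desc, guid, dns in computers:
            con.execute("INSERT INTO discobj VALUES (?,?,?,?,?,?)", (name, "COMP", name, name, desc, None))
            for key, val in (("cn", name), ("objectGUID", guid), ("DnsHostName", dns)):
                con.execute("INSERT INTO discobjattr VALUES (?,?,?,?,?)", (name, "COMP", key, val, 0))
        for sid, acct_type, name, attrs in accounts:
            con.execute("INSERT INTO discobj VALUES (?,?,?,?,?,?)", (sid, acct_type, sid, sid, name, None))
            for key, val in attrs.items():
                # A list-valued attribute becomes one row per value; numbering them via seqno is an assumption.
                for seq, v in enumerate(val if isinstance(val, list) else [val]):
                    con.execute("INSERT INTO discobjattr VALUES (?,?,?,?,?)", (sid, acct_type, key, str(v), seq))

def read_attrs(con, stableid):
    """Return {attrkey: [values in seqno order]} for one listed object."""
    out = {}
    for key, val in con.execute("SELECT attrkey, attrval FROM discobjattr WHERE stableid=? ORDER BY attrkey, seqno", (stableid,)):
        out.setdefault(key, []).append(val)
    return out

# Constructed sample data; the SID and GUID are placeholders, not real identifiers.
COMPUTERS = [("WS01", "Workstation 01", "00000000-0000-0000-0000-000000000001", "ws01.example.test")]
ACCOUNTS = [("S-1-5-21-0-0-0-1001", "USER", "alice",
             {"disabled": 0, "deleted": 0, "attr1": "value 1-1", "attr2": ["value 1-2", "value 2-2"]})]

def run_demo(db_path=None):
    """Write the sample to db_path (a temp file standing in for <target id>.db) and read it back."""
    db_path = db_path or os.path.join(tempfile.mkdtemp(), "pythonapp.db")
    con = sqlite3.connect(db_path)
    write_listing(con, COMPUTERS, ACCOUNTS)
    summary = {"objects": con.execute("SELECT COUNT(*) FROM discobj").fetchone()[0],
               "WS01": read_attrs(con, "WS01"),
               "alice": read_attrs(con, "S-1-5-21-0-0-0-1001")}
    con.close()
    return summary
```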