Credential CyberArk AIM with certs Timeout, Non-Cert works #6986
Assignees
Labels
Comments
|
Bump |
|
Hey @mgperry1, This issue tracker is for tracking feature enhancements and bugs to AWX itself. If you need help troubleshooting an AWX install, try our mailing list or IRC channel: http://webchat.freenode.net/?channels=ansible-awx |
|
Thanks, so basically your point is I'm wasting time with what I think issue maybe and you assume I'm too stupid to have maybe have found some issue with the code base that uses SSL certs and Cyberark AIM creds.. which I assumed was part of AWX , I was just trying to get this feature working and though I might be one of the few people who are using it and could help troubleshoot , I get it not important |
|
We have the same issues that @mgperry1 on our AWX server. The AIM creds works when we use the authentication by certificate on CyberArk from AWX 9.0.0. But after upgrade to upper version AWX to 11.2.0 . We have an error on AWX and the AIM feature don't work anymore. In my opinion, it's not a problem due to AWX installation. Therefore, I have this issues after an upgrade or new installation |
|
Thanks for the report @gael-fuhs2 @mgperry1, We'll take a look. |
What's odd about this is that the AIM plugin hasn't really changed in a notable way in recent history: commit b9829e2bde65da6c3c8f3c7144c87341d199527e
Author: Gabe Muniz <gmuniz@redhat.com>
Date: Tue Mar 10 23:08:38 2020 +0000
removed extra quotes in example
commit ce5bb9197e8c06d7a0b4e4ab06287740a116c2e4
Author: Ryan Petrello <rpetrell@redhat.com>
Date: Wed Oct 16 15:58:35 2019 -0400
rename the CyberArk AIM credential type
see: https://github.com/ansible/awx/issues/4400
commit b2d84a5d8936f32cbd7699b6aab62579353fc3fb
Author: olia-dev <olia-dev@ktah.net>
Date: Wed Jul 10 12:39:57 2019 +0200
related #4274 - moved function 'create_temporary_fifo' to 'awx/main/utils/common.py' and referenced it in other plugins (fixe> |
|
Given that you all have described that you're encountering a hang, this is the likely path of code you're stuck in: https://github.com/ansible/awx/blob/devel/awx/main/credential_plugins/aim.py#L93-L98 That said, there isn't much exciting here - we're just writing a cert file and handing it off to the requests library to make an HTTP request. If you can reliably encounter a hang, it would be helpful if you were able to jump in with an interactive debugger, or something like For what it's worth, I do have a CyberArk AIM install with a client cert and key, and it does work for me (it doesn't hang). |
|
Is the CyberArk server up and responsive for you from within the bash-4.4$ nc -vz your-cyberark.example.org 443
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connected to ...:443.
Ncat: 0 bytes sent, 0 bytes received in 0.24 seconds.
bash-4.4$ curl -vk https://your-cyberark.example.org |
|
Hi , |
|
Okay, I've dug some more, and I've produced something similar that I think is actually a limitation of cc @jakemcdermott this probably means we can't rely on a fifo here, and we may just have to write these files to tmp space, appropriately owned by the awx user. |
|
It seems to me that at some point in time, this just worked, but it looks like perhaps something changed in a newer/different version of cpython? Could be related to the move to CentOS8. Either way, it looks like we can't rely on this to work this way, so we'll probably need to remove the usage of named pipes here. Just to confirm, does a diff like this make the issue go away for you? diff --git a/awx/main/credential_plugins/aim.py b/awx/main/credential_plugins/aim.py
index c75d4d85aa..06b98a91f8 100644
--- a/awx/main/credential_plugins/aim.py
+++ b/awx/main/credential_plugins/aim.py
@@ -1,3 +1,6 @@
+import tempfile
+import os
+
from .plugin import CredentialPlugin
from urllib.parse import quote, urlencode, urljoin
@@ -10,6 +13,30 @@ from awx.main.utils import (
create_temporary_fifo,
)
+class CertFiles():
+
+ certfile = None
+
+ def __init__(self, cert, key):
+ self.cert = cert
+ self.key = key
+
+ def __enter__(self):
+ if not self.cert:
+ return None
+ self.certfile = tempfile.NamedTemporaryFile('wb')
+ self.certfile.write(self.cert.encode())
+ if self.key:
+ self.certfile.write(b'\n')
+ self.certfile.write(self.key.encode())
+ self.certfile.flush()
+ return str(self.certfile.name)
+
+ def __exit__(self, *args):
+ if os.path.exists(self.certfile.name):
+ os.remove(self.certfile.name)
+
+
aim_inputs = {
'fields': [{
'id': 'url',
@@ -81,21 +108,14 @@ def aim_backend(**kwargs):
request_qs = '?' + urlencode(query_params, quote_via=quote)
request_url = urljoin(url, '/'.join(['AIMWebService', 'api', 'Accounts']))
- cert = None
- if client_cert and client_key:
- cert = (
- create_temporary_fifo(client_cert.encode()),
- create_temporary_fifo(client_key.encode())
+ with CertFiles(client_cert, client_key) as cert:
+ res = requests.get(
+ request_url + request_qs,
+ timeout=30,
+ cert=cert,
+ verify=verify,
)
- elif client_cert:
- cert = create_temporary_fifo(client_cert.encode())
-
- res = requests.get(
- request_url + request_qs,
- timeout=30,
- cert=cert,
- verify=verify,
- )
res.raise_for_status()
return res.json()['Content'] |
|
Yes I'm a bit of noob so I wasn't sure where to make the change so I updated the aim.py with your code changes int the awx_task and awx_web containers. I then restarted the containers and tried the test and the whole thing works with the cert and key file. I do see an excpetion in the awx_web container popping up: Code Change: /var/lib/awx/venv/awx/lib/python3.6/site-packages/awx/main/credential_plugins/aim.py |
|
Hey @mgperry1 thanks for the feedback - I can clean something up in my diff to address that error, but I don't expect it to break anything (more of a warning). Were you able to fetch CyberArk AIM secrets using this patch? If so, I'll open a PR. |
Ah, I should've read more closely. I'll open a PR. Thanks for reporting this and helping test it. |
ryanpetrello
added a commit
to ryanpetrello/awx
that referenced
this issue
May 27, 2020
this resolves an issue that causes an endless hang on with Cyberark AIM lookups when a certificate *and* key are specified the underlying issue here is that we can't rely on the underyling Python ssl implementation to *only* read from the fifo that stores the pem data *only once*; in reality, we need to just use *actual* tempfiles for stability purposes see: ansible#6986 see: urllib3/urllib3#1880
ryanpetrello
added a commit
to ryanpetrello/awx
that referenced
this issue
May 27, 2020
this resolves an issue that causes an endless hang on with Cyberark AIM lookups when a certificate *and* key are specified the underlying issue here is that we can't rely on the underyling Python ssl implementation to *only* read from the fifo that stores the pem data *only once*; in reality, we need to just use *actual* tempfiles for stability purposes see: ansible#6986 see: urllib3/urllib3#1880
ryanpetrello
added a commit
to ryanpetrello/awx
that referenced
this issue
May 27, 2020
this resolves an issue that causes an endless hang on with Cyberark AIM lookups when a certificate *and* key are specified the underlying issue here is that we can't rely on the underyling Python ssl implementation to *only* read from the fifo that stores the pem data *only once*; in reality, we need to just use *actual* tempfiles for stability purposes see: ansible#6986 see: urllib3/urllib3#1880
|
@one-t this is the same one but for devel |
|
Verified that this has been fixed. |
honnamkuan
added a commit
to honnamkuan/awx
that referenced
this issue
Aug 21, 2020
* Correctly parse sumologic url paths - Sumologic includes a token with a '==' at the end of it's host path. This adds rsyslog conf parsing tests and does not escape equals signs. * allow org admins to remove labels * Fix misc. linter errors due to the flake8-3.8.1 release - [Ref] https://flake8.pycqa.org/en/latest/release-notes/ * properly write rsyslog configuration as 0640 see: https://github.com/ansible/tower/issues/4383 * Bump foreman collection to 0.8.1 * New release includes: 'add host_filters and want_ansible_ssh_host like script used to have' * foreman: use group_prefix for all groups * awx's "compatibility layer" for the foreman plugin had the group_prefix hard-coded to 'foreman_' * delete and re-add host when ip address changes * The websocket backplane interconnect is done via ip address for Kubernetes and OpenShift. On init run_wsbroadcast reads all Instances from the DB and makes a decision to use the ip address or the hostname based, with preference given to the ip address if defined. For Kubernetes and OpenShift the nodes can load the Instance before the ip_address is set. This would cause the connection to be tried by hostname rather than ip address. This changeset ensures that an ip address set after an Instance record is created will be detected and used. * track stats by hostname not remote host/ip * broadcast websockets have stats tracked (i.e. connection status, number of messages total, messages per minute, etc). Previous to this change, stats were tracked by ip address, if it was defined on the instance, XOR hostname. This changeset tracks stats by hostname. * don't block on log aggregator socket.send() calls see: https://github.com/ansible/tower/issues/4391 * Send content-type with mattermost notifications, fixes ansible#7264 * Make all_parents_must_converge settable when creating node When targeting, ../workflow_job_templates/id#/workflow_nodes/ endpoint, user could not set all_parents_must_converge to true. 3.7.1 backport for awx issue ansible#7063 * disable reports option for foreman * Allow use of fallback instance_ids * update VMWARE_INSTANCE_ID_VAR * Favor instanceUuid * .. but fall back to instanceuuid if necessary * Add queue / instance group registration to heartbeat for k8s installs There is some history here. ansible#7190 <- This PR was an attempt at fixing a bug notting ran into where some jobs on k8s installs would get stuck in Waiting forever. The PR mentioned above introduced a bug where there are no instance groups on a fresh k8s-based install. This is because this process currently happens in the launch scripts, before the database is up. With this patch, queue / instance group registration happens in the heartbeat, right after auto-registering the instance. * wrap --instance-id-var in quotes * revert EC2_INSTANCE_ID_VAR * UI translation strings for release_3.7.1 branch * fix a regression in how job host summaries are generated this change fixes a bug introduced in the optimization at ansible#7352 1. Create inventory with multiple hosts 2. Run a playbook with a limit to match only one host 3. Run job, verify that it only acts on the one host 4. Go to inventory host list and see that all the hosts have last_job updated to point to the job that only acted on one host. * [DO NOT PORT to AWX] Pin dev requirements (ansible#4413) * add backwards support for ssl_verify in foreman * plugin changed option name from ssl_verify to validate_cert * UI translation strings for release_3.7.1 branch for es and nl * Added the ability, to set the broadcast_websocket_secret variable. This is nessesary if you would like to rerun the playbook. Signed-off-by: JoelKle <34544090+JoelKle@users.noreply.github.com> * Fixed a bug, where the redis.conf first would be stored with mod 0600 and in the next task changed to 0666. This has broke the ability to rerun the playbook. Signed-off-by: JoelKle <34544090+JoelKle@users.noreply.github.com> * Reintroduce label filtering Labels are visible if you have a role on the org they are in, or on a job template they're attached to. * use jinja2.sandbox for credential type injectors * Don't follow redirects in credential plugins * Reduce error detail in webhook notification * Reduce error detail in credential lookups * prevent unsafe jinja from being saved in the first place for cred types see: https://github.com/ansible/tower-security/issues/21 * add tests for clarified label permissions * Include instance_id in host edit request * fixed broken UI links * remove the usage of create_temporary_fifo from credential plugins this resolves an issue that causes an endless hang on with Cyberark AIM lookups when a certificate *and* key are specified the underlying issue here is that we can't rely on the underyling Python ssl implementation to *only* read from the fifo that stores the pem data *only once*; in reality, we need to just use *actual* tempfiles for stability purposes see: ansible#6986 see: urllib3/urllib3#1880 * Upgrade community.vmware for better error surfacing * Change Dockerfile to copy custom venv * update the named URL code to properly return 404 vs 403 * Force worker processes to have a different signal handler from the parent Situations have come up where the 5+ minute kill signal for run_task_manager is emitted to the worker process running it, but since the worker improperly inherited the AWXConsumerBase().stop() handler a deadlock ultimately was triggered on the database connection. * properly report 30x errors on credential plugin tests * pin pytest-forked to fix broken unit tests * properly obfuscate connection errors for credential lookup failure * Cache downloaded roles & collections Populate the cache the first time the job is run for a revision that needs them, and for future runs for that revision just copy it into the private directory. Delete the cache on project deletion. Invalidate the cache on a new project revision Also download roles/collections during the sync job Since we're writing into a per-revision cache, we can do this easily now. Don't try and install content if there aren't any requirements expecting it Adjust pathing to the proper location. Force install if doing a manual sync. Requirements may be unversioned. Remove the cache when delete-on-update is set Integrate content caching with existing task logic Revert the --force flags use the update id as metric for role caching Shift the movement of cache to job folder from rsync task to python Only install roles and collections if needed Deal with roles and collections for jobs without sync Skip local copy if roles or collections turned off update docs for content caching Design pivot - use empty cache dir to indicate lack of content Do not cache content if we did not install content Test changes to allay concerns about reliability of local_path Do not blow away cache for SCM inventory updates Remove project update vars no longer used Remove job pre-creation of content folders code style edit, always use cache_id as property in tasks Fix log message * Avoid using long name of option not in 2.8 * Use quotations when marking strings for translation * Add settings framework * Hide license route based on install and add useConfig hook * ARM image build support * upgrade `chromedriver` for ARM support * upgrade `pynacl` to fix `libsodium` build issue on ARM * remove unnecessary i686-specific `libstdc++.so.6` package * install `kubectl` and `tini` from upstream binaries for ARM support * use upstream `postgres` and `alpine` docker images for `postgresql` helm chart Fixes ansible#7051 * Fix garbage being printed when exporting as YAML - related ansible#7795 This resolves issue ansible#7795, by passing the `encoding` keyword argument only when the code is run on a Python 2 interpreter. related ansible#7795. * Adds delete functionality to user tokens list * Removes Inventory Script screens, routes, stubs etc. * remove vNNN from example migration files * Create marginally more realistic event data with firehose * Fix rbac on Add button on User Access/Team Roles lists * mark PRIMARY_GALAXY_USERNAME and PRIMARY_GALAXY_PASSWORD as deprecated * Handle form submission errors that may be deeply nested in the return object * Updated import/export names for consistency * Adding RuntimeError which is returned from a connection error in awx/main/dispatch/control.py * Fix isolated dev env * begin a 14.0.0 changelog * Bump version to 14.0.0 * Make 'inputs' idempotent in credentials module, add test to check this works * Add execution environment metadata to AWX collection * Remove showExpandCollapse prop from the DataListToolbar calls Remove showExpandCollapse prop from the DataListToolbar calls. This is not an expected prop to be passed to this component. Inside DataListToolbar. ``` const showExpandCollapse = onCompact && onExpand; ``` In order to use this feature, `onCompact` and `onExpand` props should be passed. ... * Add advanced search to UI * Updates to support advanced search changes: - make set type and lookup prefixes/suffixes on searchColumns explicitly defined - send possible search keys from options requests on (most) lists * fix duplicate variable and key usng array index issues * Add AdvancedSearch propTypes and defaultProps * Move Search to hooks and excise PF Dropdown in favor of Select * fix merge conflicts and failing test * fix AddRersourceRole sort column * add selectors for cypress tests * add back in searchable keys props to user token list * make sortColumnKey error message more clear * update searchablekeys prop names for project lookup * make name default searchColumn for ProjectJobTemplatesList. also add helpful error message to tell you this is the issue * update rest of lookups to use correct searchableKeys props * delete inadverdently added back InventoryScriptLookup file * fix busted flake8 CI * Fix early return in assign related method This change fixes an erroneus early return in a private method that was preventing more than one type of related object from being correctly assigned to the parent object, and therefore imported. Also, a minor spelling mistake was corrected. * Export Workflow Job Template Node Labels This change adds related Labels to the Workflow Job Template document that is exported by the AWX CLI. Previously, exporting and then importing Workflow Job Templates would not retain their related Labels. * Update websockets.md Add documentation for websocket backplane secret key exchange logic. * Update websockets.md spelling * Add feature to add instance group Add feature to add instance group. See: ansible#7744 * Refactor organization look to use useRequest hook * Add smart inventory add form and host filter lookup * Add smart inventory edit form * Decode host filter chip values and fix boolean search filter chip bug * Upgrade gitpython to pick up bug fix * Revert updater changes to Ansible requirements * Allow YAML as a CLI import format This changset allows the import of YAML formatted resources. The CLI user can indicate which format to use with the `-f, --format` option. The CLI help text has been amended to reflect the new feature. The AWX CLI `export` subcommand offers the option of formatting the output as YAML or JSON, so it makes sense that the `import` subcommand reflects this. A simple test is also provided. In order to ease the task of testing commands that import resources by reading the stdin, the CLI has been extended to allow specifying an alternative file descriptor for stdin, similarly to stdout and stderr. * update to a newer python-ldap to address a bug see: ansible#7868 * minor cleanup up CLI import -f yaml support * Change regex to match what is in source * Add feature to edit instance group Add feature to edit instance group. See: ansible#7767 * start notification template list * flushing out notification template detail * flush out template detail * more template details; add template delete button * add notification status indicator * send test notifications * add notification list tests * add ObjectDetails for HTTP Headers display * changelog updates for recent additions * workaround import/dependency bug in tests * Add smart inventory host list view * Remove undefined prop from SelectedList call Remove undefined prop from `SelectedList` call. * kebabify additional controls when advanced search is displayed * change name of hook to be useKebabifiedMenu * add onShowAdvancedSearch callback test * remove unnecessary selectors from kebabification test * Add changelog preparing for awx.awx 14.1.0 bug fix * Update websockets.md Add more details about backplane websocket functionality. * Update websockets.md * Add custom host toggle tooltip for smart inventory hosts * update existing relatedSearchKey requests to new convention and fix UJT searchKeys * Adds User Token Details page * Utilizes UserDateDetail, Capitalizes Scope value, fixes spelling errors * Support workflow prompting on launch * Run prettier * Pin pytest-xdist * make event stdout encoding more resilient to UTF-16 surrogate pairs see: https://en.wikipedia.org/wiki/Universal_Character_Set_characters#Surrogates * Use organization api to create users This ensures that the user will be related to the chosen organization when it is created. * Embolden user organization name * add a deprecation warning for mercurial project syncs see: ansible#7932 * adds fix to allow look up to fetch data * clean up old authtoken support just use Bearer tokens - those are the only type of tokens we support * fix a bug that prevents the explicit removal of instances from groups * Update awx/ui_next/src/components/Lookup/CredentialLookup.jsx Co-authored-by: Jake McDermott <yo@jakemcdermott.me> * Adds workflow detail tab to workflow results * Adding import/export awx kit features Changed library structure Origional TowerModule becomes TowerLegacyModule TowerModule from tower_api becomes TowerAPIModule A real base TowerModule is created in tower_module.py A new TowerAWXKitModule is created in tower_awxkit TowerAWXKitModule and TowerAPIModule are child classes of TowerModule * Adding integration tests and example in import * Fix python3 Zuul error with awxkit * Fixing truthy linting issues * Removed default: '' and updated [] to '' per specification * Another linting issue * Expanding examples * Fixing linting issues * Fixing ansible pep8 issues * Fixing validate-module errors * Fixing exit_module -> exit_json * Fix linter whitespace error * Trying to gobble up logs incase there are errors * Fixing oauth token login and making module respect token over username/password * Fixing sanity error * Updating to remove auth_type since its not longer required * Trying to make AWXKIT tests not run on python2 * Use a patternfly CSS variable instead of red Use a patternfly CSS variable instead of red. See: https://pf4.patternfly.org/documentation/overview/global-css-variables * changelog for arm64 builds * more changelog updates * Add list of jobs for instance groups Add list of jobs for instance groups. See: ansible#7930 * Add type column to users list Add type column to users list. Also, update `UserListItem` to be a functional component. See: ansible#5684 * update newly useRequested lists to get advanced searchableKeys * add searchable keys support for AssociateModal and SelectResourceStep lists * Adds support for toggling approval notifications on orgs and wfjts * Add label to show isolated group Add label to show isolated group. See: https://tower-mockups.testing.ansible.com/patternfly/instance-groups/instance-groups/ * Only disable single notification row when toggling, not all rows Co-authored-by: Ryan Petrello <rpetrell@redhat.com> Co-authored-by: Christian Adams <chadams@redhat.com> Co-authored-by: beeankha <beeankha@gmail.com> Co-authored-by: Christian Adams <rooftopcellist@gmail.com> Co-authored-by: Jim Ladd <jladd@redhat.com> Co-authored-by: chris meyers <chris.meyers.fsu@gmail.com> Co-authored-by: Chris Meyers <chrismeyersfsu@users.noreply.github.com> Co-authored-by: Florian Apolloner <apollo13@users.noreply.github.com> Co-authored-by: Seth Foster <fosterbseth@gmail.com> Co-authored-by: Jake McDermott <yo@jakemcdermott.me> Co-authored-by: AlanCoding <arominge@redhat.com> Co-authored-by: Shane McDonald <me@shanemcd.com> Co-authored-by: ansible-translation-bot <ansible-translation-bot@gmail.com> Co-authored-by: JoelKle <34544090+JoelKle@users.noreply.github.com> Co-authored-by: Bill Nottingham <notting@splat.cc> Co-authored-by: Graham Mainwaring <graham@mhn.org> Co-authored-by: Gabe Muniz <gmuniz@redhat.com> Co-authored-by: Stefan Jakobs <sjakobs@anexia-it.com> Co-authored-by: Jeff Bradberry <jeff.bradberry@gmail.com> Co-authored-by: Marliana Lara <mlara@redhat.com> Co-authored-by: Andrew Gaffney <andrew@agaffney.org> Co-authored-by: Rigel Di Scala <rdiscala@redhat.com> Co-authored-by: softwarefactory-project-zuul[bot] <33884098+softwarefactory-project-zuul[bot]@users.noreply.github.com> Co-authored-by: Alex Corey <alex.swansboro@gmail.com> Co-authored-by: mabashian <mabashia@redhat.com> Co-authored-by: John Westcott IV <john.westcott.iv@redhat.com> Co-authored-by: beeankha <bstohrer@redhat.com> Co-authored-by: nixocio <nixocio@gmail.com> Co-authored-by: John Mitchell <jmitchel@Johns-MacBook-Pro-46.local> Co-authored-by: John Mitchell <jmitchel@ovpn-114-250.rdu2.redhat.com> Co-authored-by: Keith Grant <keithjgrant@redhat.com> Co-authored-by: John Mitchell <jmitchel@ovpn-113-13.rdu2.redhat.com> Co-authored-by: Alex Corey <acorey@redhat.com> Co-authored-by: John Mitchell <jmitchel@ovpn-117-206.rdu2.redhat.com>
webknjaz
pushed a commit
to ansible/awx-plugins
that referenced
this issue
Aug 27, 2024
this resolves an issue that causes an endless hang on with Cyberark AIM lookups when a certificate *and* key are specified the underlying issue here is that we can't rely on the underyling Python ssl implementation to *only* read from the fifo that stores the pem data *only once*; in reality, we need to just use *actual* tempfiles for stability purposes see: ansible/awx#6986 see: urllib3/urllib3#1880
webknjaz
pushed a commit
to ansible/awx-plugins
that referenced
this issue
Aug 27, 2024
this resolves an issue that causes an endless hang on with Cyberark AIM lookups when a certificate *and* key are specified the underlying issue here is that we can't rely on the underyling Python ssl implementation to *only* read from the fifo that stores the pem data *only once*; in reality, we need to just use *actual* tempfiles for stability purposes see: ansible/awx#6986 see: urllib3/urllib3#1880
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
ISSUE TYPE
SUMMARY
Credential CyberArk AIM with certs Timeout, Non-Cert works.
We are able to use CuberArk AIm credentials and pull password, however when we try to add Key Cert to the call the process hangs and times out.
ENVIRONMENT
STEPS TO REPRODUCE
We have setup safe and App Id in CyberArk to test pulling passwords from a CyberArk safe., The process is working fine with the Test URL(https://[awxhost]/api/v2/credentials/XX/test/) able to pull a test password. However, when l we configure to use a client key and certificate to validate the client connection the process "hangs" and nginx reports a timeout.
EXPECTED RESULTS
Test URL(https://[awxhost]/api/v2/credentials/XX/test/) Responds with with the password for the Query I pass in, this does work if I don't use Key/Cert validation.
ACTUAL RESULTS
Test URL(https://[awxhost]/api/v2/credentials/XX/test/) produces Nginx timeout
ADDITIONAL INFORMATION
I'm not sure where I can pull any logs related to the API URL Test URL(https://[awxhost]/api/v2/credentials/XX/test/). I've tried docker logs on each container and I cant see anything related to the call.
I have test the CyberArk call Certs with a basic Python Program and it works fine so I'm fairly certain that CyberArk is properly configured to respond. Include the Pyhton Code I'm using that works :
#import http.client
import http.client
import json
import ssl
Defining certificate related stuff and host of endpoint
certificate_file = '/loc/cert.pem'
certificate_secret= ''
host = 'cyberarkhost'
Defining parts of the HTTP request
request_url='/AIMWebService/api/Accounts?AppID=APP_GSF_D_Ansible_Test&Safe=GSF_D_Ansible_Test&UserName=Ansible-User'
request_headers = {
'Content-Type': 'application/json'
}
request_body_dict={
"AppID": "APP_GSF_D_Ansible_Test",
"object_query": "Safe=GSF_D_Ansible_Test;UserName=Ansible-User",
"object_query_format": "Exact",
"reason":"sss"
}
Define the client certificate settings for https connection
context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
context.load_cert_chain(certfile=certificate_file, password=certificate_secret)
Create a connection to submit HTTP requests
connection = http.client.HTTPSConnection(host, port=443, context=context)
Use connection to submit a HTTP POST request
connection.request(method="GET", url=request_url, headers=request_headers, body=json.dumps(request_body_dict))
Print the HTTP response from the IOT service endpoint
response = connection.getresponse()
print(response.status, response.reason)
data = response.read()
print(data)
Thanks Matt
The text was updated successfully, but these errors were encountered: