<?xml version="1.0"?>
<rss version="2.0">
<channel>
<title>Thycotic Community - Secret Server - PHP and Perl API? - Messages</title>
<link>http://www.thycotic.com/forums/messages.aspx?TopicID=282</link>
<description>Thycotic Community - Secret Server - PHP and Perl API? - Messages</description>
<language>en-us</language>
<docs>http://blogs.law.harvard.edu/tech/rss</docs>
<generator>Jitbit AspNetForum</generator>
<pubDate>Wed, 15 Sep 2010 15:53:26 GMT</pubDate>
<lastBuildDate>Wed, 15 Sep 2010 15:53:26 GMT</lastBuildDate>
<item>
<link>http://www.thycotic.com/forums/messages.aspx?TopicID=282</link>
<title>Message from Jonathan</title>
<description><![CDATA[Another option in the latest version of Secret Server is Windows Authentication based web services.  This allows you to run a script as a service account which has access to specific passwords in Secret Server - it can retrieve these passwords and do its work without having any embedded passwords in the script.<br/><br/>Here is a KB article with a PowerShell script as an example.<br/>&lt;a href="http://support.thycotic.com/KB/a98/using-web-services-with-windows-authentication.aspx"&gt;http://support.thycotic.com/KB/a98/using-web-services-with-windows-authentication.aspx&lt;/a&gt;<br/>]]></description>
<pubDate>Wed, 15 Sep 2010 15:53:26 GMT</pubDate>
</item>
<item>
<link>http://www.thycotic.com/forums/messages.aspx?TopicID=282</link>
<title>Message from Jonathan</title>
<description><![CDATA[Thanks for the feedback.  We will explore the hashing script concept to see if this can be added to Secret Server.<br/><br/>If the server has been compromised there is not a lot you can really trust though.  Even with an agent and hashing, an attacker is still likely to be able to intercept communication, read memory or reverse engineer binaries to obtain the credentials.  <br/><br/>Our recommendation to protect the username/password in the script would be to use DPAPI.  Here is an example using DPAPI on Windows to decrypt credentials using the keys in the machine store.<br/>&lt;a href="http://msdn.microsoft.com/en-us/library/ff649248.aspx"&gt;http://msdn.microsoft.com/en-us/library/ff649248.aspx&lt;/a&gt;<br/>(this would prevent copying the script to another server and retrieving credentials *or* from a backup tape)<br/><br/>Here is a discussion about machine store implementations on the UNIX/Linux/Mac platforms.<br/>&lt;a href="http://ask.slashdot.org/article.pl?sid=07/03/01/237209"&gt;http://ask.slashdot.org/article.pl?sid=07/03/01/237209&lt;/a&gt;<br/><br/>I would be happy to discuss these ideas in more detail - just give us a call and ask for Jonathan Cogley.]]></description>
<pubDate>Thu, 10 Jun 2010 09:13:08 GMT</pubDate>
</item>
<item>
<link>http://www.thycotic.com/forums/messages.aspx?TopicID=282</link>
<title>Message from Levi R</title>
<description><![CDATA[I looked at the sample code and it appears that the credentials to access the Thycotic server are still stored in the script.  If the system was compromised the script could be modified or copied to gain the credentials.<br/><br/>Other systems I've used in the past use an agent to get the hash of the script connecting.  It then verifies that the script talking to the server is indeed the one that is authorized to gain the credentials.  <br/><br/>If you don't have something like that how do you ensure that the requesting script is supposed to get the credentials?]]></description>
<pubDate>Thu, 10 Jun 2010 08:02:00 GMT</pubDate>
</item>
<item>
<link>http://www.thycotic.com/forums/messages.aspx?TopicID=282</link>
<title>Message from Jonathan</title>
<description><![CDATA[Secret Server has a built-in API using web services.<br/>&lt;a href="http://www.thycotic.comproducts_secretserver_api.html"&gt;http://www.thycotic.comproducts_secretserver_api.html&lt;/a&gt;<br/><br/>You can access the web services in your Secret Server by going to &lt;a href="http://yoursecretserver/webservices/sswebservice.asmx"&gt;http://yoursecretserver/webservices/sswebservice.asmx&lt;/a&gt;<br/>in your web browser.<br/><br/>The web services can be used by practically any programming language on any operating system (including PHP, Perl, VBScript and also on Linux).  It just requires basic HTTP and XML/SOAP capabilities (or even string parsing if you want to keep it really simple).<br/><br/>To give you an idea of the flexibility, the Secret Server mobile apps use the web services for all their integration with Secret Server.<br/>  * Secret Server iPhone app written in Objective-C<br/>  * Secret Server BlackBerry app written in Java <br/>  * Coming soon the Windows Mobile app written in VB.NET<br/><br/>Here is some sample code using Perl to interact with the Secret Server web services.<br/>&lt;a href="http://support.thycotic.com/KB/a86/accessing-secret-server-programmatically-perl-sample-script.aspx"&gt;http://support.thycotic.com/KB/a86/accessing-secret-server-programmatically-perl-sample-script.aspx&lt;/a&gt;]]></description>
<pubDate>Wed, 09 Jun 2010 16:47:08 GMT</pubDate>
</item>
<item>
<link>http://www.thycotic.com/forums/messages.aspx?TopicID=282</link>
<title>Message from Levi R</title>
<description><![CDATA[We are evaluating a couple different password management applications and I was wondering what languages your API supports.<br/><br/>I noticed in another thread you support .NET applications but do you also support PHP, Perl, VBScript, bash, etc?  Also, would your API work on scripts running from a Linux server?]]></description>
<pubDate>Wed, 09 Jun 2010 16:19:59 GMT</pubDate>
</item>
</channel>
</rss>
