topic OCI REST API security &amp; Python headsup in Active IQ Unified Manager Discussions https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/OCI-REST-API-security-amp-Python-headsup/m-p/106799#M18827 <P>Hey all,</P><P>&nbsp;</P><P>Team OCI goes to great lengths to ensure that our REST API is additive over time, such that your integrations will continue to work in the future as you upgrade to newer OCI releases.</P><P>&nbsp;</P><P>However, Python has been a bit finicky with regards to negotiation SSL/TLS sessions, so there is some stuff you want to know to get ahead of some pitfalls.</P><P>&nbsp;</P><P>#1. The OCI demo REST API python code contains a file <STRONG>oci_rest.py</STRONG>. If you look at lines 69 through 79, you will see that we are forcing Python to use TLS - this was because certain Python versions would have problems where they would attempt to negotiate SSLv3, fail, and not attempt TLS, and therefore not establish a HTTPS session, which is a bit of an inhibitor for working with REST.</P><P>&nbsp;</P><P>The problem is that <STRONG>line 79</STRONG> is forcing a TLS 1.0 connection. This is somewhat lame on our part - all versions of OCI 7.0.x, and OCI 7.1.0 speak TLS 1.[0-2]</P><P>&nbsp;</P><P>The problem - <STRONG>OCI 7.1.1 will likely be TLS 1.2</STRONG> only.</P><P>&nbsp;</P><P>Change <STRONG>ssl_version=ssl.PROTOCOL_TLSv1</STRONG> to<STRONG> ssl_version=ssl.PROTOCOL_TLSv1_2</STRONG> to get ahead of this. Then test your integrations - we'd be pretty surprised if you noticed anything</P><P>&nbsp;</P><P>#2. Recent Python 2.7 versions seem to have disabled RC4 based ciphers. This means these impacted versions will generate a handshake failed message when talking to OCI 7.0.2 and 7.1.0.</P><P>&nbsp;</P><P>OCI 7.0.3 does not have this problem,&nbsp; because we changed the default cipher.</P><P>&nbsp;</P><P>It is possible to change OCI 7.0.2 / 7.1.0 to use</P><P>&nbsp;</P><P><STRONG>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</STRONG></P><P>&nbsp;</P><P>On your OCI operational server, navigate to</P><P>..\SANscreen\jboss\server\onaro\deploy\jbossweb.sar</P><P>&nbsp;</P><P>Make a backup of server.xml to a different location</P><P>&nbsp;</P><P>Edit the <STRONG>server.xml</STRONG>, look for the line</P><P>&nbsp;</P><P><STRONG>ciphers = "SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA"</STRONG></P><P>&nbsp;</P><P>change to</P><P>&nbsp;</P><P><STRONG>ciphers = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"</STRONG></P><P>&nbsp;</P><P>Save the file, restart the "SANscreen Server" service.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 05 Jun 2025 04:08:04 GMT ostiguy 2025-06-05T04:08:04Z OCI REST API security & Python headsup https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/OCI-REST-API-security-amp-Python-headsup/m-p/106799#M18827 <P>Hey all,</P><P>&nbsp;</P><P>Team OCI goes to great lengths to ensure that our REST API is additive over time, such that your integrations will continue to work in the future as you upgrade to newer OCI releases.</P><P>&nbsp;</P><P>However, Python has been a bit finicky with regards to negotiation SSL/TLS sessions, so there is some stuff you want to know to get ahead of some pitfalls.</P><P>&nbsp;</P><P>#1. The OCI demo REST API python code contains a file <STRONG>oci_rest.py</STRONG>. If you look at lines 69 through 79, you will see that we are forcing Python to use TLS - this was because certain Python versions would have problems where they would attempt to negotiate SSLv3, fail, and not attempt TLS, and therefore not establish a HTTPS session, which is a bit of an inhibitor for working with REST.</P><P>&nbsp;</P><P>The problem is that <STRONG>line 79</STRONG> is forcing a TLS 1.0 connection. This is somewhat lame on our part - all versions of OCI 7.0.x, and OCI 7.1.0 speak TLS 1.[0-2]</P><P>&nbsp;</P><P>The problem - <STRONG>OCI 7.1.1 will likely be TLS 1.2</STRONG> only.</P><P>&nbsp;</P><P>Change <STRONG>ssl_version=ssl.PROTOCOL_TLSv1</STRONG> to<STRONG> ssl_version=ssl.PROTOCOL_TLSv1_2</STRONG> to get ahead of this. Then test your integrations - we'd be pretty surprised if you noticed anything</P><P>&nbsp;</P><P>#2. Recent Python 2.7 versions seem to have disabled RC4 based ciphers. This means these impacted versions will generate a handshake failed message when talking to OCI 7.0.2 and 7.1.0.</P><P>&nbsp;</P><P>OCI 7.0.3 does not have this problem,&nbsp; because we changed the default cipher.</P><P>&nbsp;</P><P>It is possible to change OCI 7.0.2 / 7.1.0 to use</P><P>&nbsp;</P><P><STRONG>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</STRONG></P><P>&nbsp;</P><P>On your OCI operational server, navigate to</P><P>..\SANscreen\jboss\server\onaro\deploy\jbossweb.sar</P><P>&nbsp;</P><P>Make a backup of server.xml to a different location</P><P>&nbsp;</P><P>Edit the <STRONG>server.xml</STRONG>, look for the line</P><P>&nbsp;</P><P><STRONG>ciphers = "SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA"</STRONG></P><P>&nbsp;</P><P>change to</P><P>&nbsp;</P><P><STRONG>ciphers = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"</STRONG></P><P>&nbsp;</P><P>Save the file, restart the "SANscreen Server" service.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 05 Jun 2025 04:08:04 GMT https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/OCI-REST-API-security-amp-Python-headsup/m-p/106799#M18827 ostiguy 2025-06-05T04:08:04Z