1.2. Connecting to a Server

There are several ways to connect your client to a running xGT server:

  1. Use SSH Tunneling

  2. Connect over an SSL-encrypted network connection

  3. Connect to an open port on the server

The default port number is 4367. The xGT server listens on that port with a default hostname of “localhost”. Throughout this page, we assume the server platform has a DNS name of “my.example.com”.

1.2.1. Use SSH Tunneling

This strategy requires the user to have an SSH login account on the server platform running the xGT server process. To use this strategy, one must first establish an SSH connection, with tunneling, from their client laptop/desktop to the server platform:

$ ssh -L 4367:localhost:4367 my.example.com

The -L option says to map local port 4367 to the socket localhost:4367 on the server platform. Now, all that a Python script needs to do is the same as if it were connecting to an xGT server running on its local platform:

import xgt
server = xgt.Connection(host='localhost')

1.2.2. Connect Via SSL-encrypted Network Connection

In order to run a secure xGT server, it is necessary to configure the server in this way as part of its startup settings (e.g. xgtd.conf file):

"system.usessl" : True,
"system.ssl_root_dir" : "/path/to/certs/root"

The /path/to/certs/root should point to the root directory where this directory subtree exists:

├── certs
│   ├── ca-chain.cert.pem
│   └── server.cert.pem
└── private
    └── server.key.pem

Please consult your system administrator to determine if xGT has been set up for SSL connections.

To connect to an xGT server using SSL, the client needs to pass the following flags to xgt.Connection(): ssl, ssl_root_dir or ssl_server_cert, and ssl_server_cn. The ssl flag needs to be set to true. The ssl_root_dir flag can be set to the root directory containing the SSL certificates and private keys for the client. The ssl_server_cert flag can be set to point to the certificate chain file. The default location is ssl_root_dir + certs/ca-chain.cert.pem. The ssl_server_cn flag should be set to the common name for the server listed on the server side SSL certificate. The ssl_use_mtls flag can be set to True to require mutual TLS communication, in which the client’s identity is validated with its own certificates. The default is False. The ssl_client_cert flag can be set to point to the client’s certificate file when using mutual TLS. The ssl_cient_key flag can be set to point to the client’s private key file when using mutual TLS. These flags can be used instead of the ssl_root_dir flag when files are not in the same directory.

The xGT client expects the following directory structure for SSL certificates and private keys when using mutual TLS validation for the ssl_root_dir flag:

├── certs
│   ├── ca-chain.cert.pem
│   └── client.cert.pem
└── private
    └── client.key.pem

The ssl_server_cert, ssl_client_cert and ssl_client_key can be used when those files do not reside in a common directory structure.

Here is a sample Python script showing connecting to a server via an SSL-encrypted channel for the simpler case:

import xgt
server = xgt.Connection(flags = {
  'ssl' : True, 'ssl_server_cert' : "/path/to/client/certs/ca-chain.cert.pem",
  'ssl_server_cn' : "my.xGT.cn" })

Note that the only requirement for the client is to have a file available describing the certificate chain.

The following is a sample Python script showing connecting to a server via an SSL-encrypted network using mutual TLS:

import xgt
server = xgt.Connection(flags = {
  'ssl' : True, 'ssl_root_dir' : "/path/to/client/certs/",
  'ssl_server_cn' : "my.xGT.cn",
  'ssl_use_mtls' : True })

Mutual TLS requires that the client possess certificates validating its identity and stored in the expected directory structure. Consult your system administrator on how to obtain client certificates and how to store them securely on your client machine.

The following is an alternative example to connect to a server that requires mutual TLS. Each file is specified individually in this case.

import xgt
server = xgt.Connection(flags = {
  'ssl' : True, 'ssl_server_cert' : "/path/to/client/certs/ca-chain.cert",
  'ssl_server_cn' : "my.xGT.cn",
  'ssl_client_cert' : "/path/to/client/certs/client.cert.pem",
  'ssl_client_key' : "/path/to/client/certs/client.key.pem",
  'ssl_use_mtls' : True })

A complete example on how to connect to a server using an SSL-encrypted channel is as follows:

import xgt

server = xgt.Connection(auth = xgt.BasicAuth(username = 'myuser',
                                             password = getpass.getpass())
  host = '',
  flags = { 'ssl' : True,
            'ssl_server_cert' : "/path/to/client/certs/ca-chain.cert.pem",
            'ssl_server_cn' : "my.xGT.cn" })
for ns in server.get_namespaces():
  print (ns)
for frame in conn.get_frames():
  print (frame)

As can be seen from the example script, once the connection has been established and authentication has been validated, the usage is the same. In this case, the script prints out the namespaces and frames that the user has access to on the server.

1.2.3. Connecting to an Open Port


This method is insecure without enabling SSL support. It is not recommended.

To use this connection strategy, the server must be configured with the DNS name of the server system as hostname. For example:

"system.hostname" : "my.example.com"

To connect to this server from anywhere on the internet, a Python script can do:

import xgt
server = xgt.Connection(host = 'my.example.com')

1.2.4. User Authentication

xGT supports using authentication to limit access to the server. The three available authentication types are no authentication, username / password authentication, and Kerberos authentication. The authentication type will be set up by the system administrator.

A user authenticates by passing an authentication class when constructing a Connection object using the keyword argument auth.

The xGT client supports four authentication classes:

  • NoAuth: Indicates that no authentication is needed. Default.

  • BasicAuth: Basic username / password authentication information.

  • KerberosAuth: Kerberos ticket-based single-sign on authentication.

  • PKIAuth: Public Key Infrastructure password-less authentication. No Authentication

To create a connection using the Python client when the server is setup to not require authentication, the user doesn’t need to pass anything to the auth keyword argument as no authentication is the default:

conn = xgt.Connection() User Password Authentication

To create a connection when the server is using username / password authentication, the user must pass a BasicAuth object to the auth keyword argument, providing a username and password:

conn = xgt.Connection(auth = xgt.BasicAuth("user01", "password01"))

When using a script or notebook, the Python getpass module can be used to securely authenticate a user’s password, prompting for a password input when run:

import getpass
conn = xgt.Connection(auth = xgt.BasicAuth("user01", getpass.getpass()))

If authenticating into xGT with the client’s currently logged in UNIX user or LDAP user, the module may also be used to retrieve the username:

import getpass
conn = xgt.Connection(auth = xgt.BasicAuth(getpass.getuser(), getpass.getpass())) Kerberos Authentication

To connect to an xGT server using Kerberos-based single-sign-on capabilities, the user must have already authenticated to the third-party Kerberos Key Distribution Center (KDC) using a utility such as kinit.

To establish a connection, the user must use the KerberosAuth authentication class:

conn = xgt.Connection(host = "graph_server", auth = xgt.KerberosAuth())

Usually, no arguments need to be given to the KerberosAuth constructor as the user identity is derived from the already obtained Kerberos tickets. However, the host argument must be supplied to the Connection constructor. Depending on how the system running the xGT server has been set up, it might be necessary to specify another parameter called the Kerberos service principal. The default value of the Kerberos service principal is computed from the name of the host running the service by the xGT client by using the prefix “xgtd/”. The string “TROVARES.COM”, in this example, is the name of the Kerberos realm, which usually maps to the network domain name. The keyword argument principal on the KerberosAuth constructor allows the specification of that parameter when the default is not acceptable.

conn = xgt.Connection(host = "localhost",
                      auth = xgt.KerberosAuth("xgtd/graph_server@TROVARES.COM"))

Consult your system administrator for details on how to connect to the xGT server using Kerberos. PKI Authentication

PKI authentication can be enabled for xGT when configured to use SSL-encrypted connections and mutual TLS (Transport Layer Security). Mutual TLS requires the use of client keys and x509 certificates. If those certificates include a valid userId field, then that is enough to provide that identity to xGT for connection and access.

conn = xgt.Connection(auth = xgt.PKIAuth(ssl_root_dir = '/home/user/ssl_certs'))

The connection to xGT will use PKI authentication if the class PKIAuth is used for the auth parameter. A directory containing a valid client key and certificate is used by the Python client to initialize an encrypted, mutual TLS connection. The directory must have the structure described in Using an SSL Secure Channel. The default for those files is ~/.ssl, that is the .ssl directory under the user’s home directory.

Consult your system administrator for details on how to connect to the xGT server using PKI.