Do the modules support enabling "Enabling Authorization Roles"?

I looked at the set_mgmtazn_role_features role but it looked like to just defined a role and did not enable the authorization roles.

Thanks
Bill

Trying to port existing settings of "request-log-format" from older version to ISAM 9. The required string is

request-log-format = { \"seconds\": \"%{%s}t\" }

But the "%{%s}t" part always caused problem in "update_reverseproxy_conf". The yml file I used is as below:

---
- name: Run some commands
  hosts: all
  connection: local
  vars:
    username: "admin"
    password: "password1234"
    lmi_port: "443"
    log_level: "CRITICAL"
    force: True
    start_config_wait_time: 120
  roles:
    - role: update_reverseproxy_conf
      update_reverseproxy_conf_reverseproxy_id: "TestInstance"
      update_reverseproxy_conf_entries:
      - stanza_id: "logging"
        entry_id: "request-log-format"
        value_id: " \"seconds\": \"%{%s}t\" "

The error message is:

FAILED! => {
    "failed": true, 
    "msg": "[{u'entry_id': u'request-log-format', u'stanza_id': u'logging', u'value_id': u' \"seconds\": \"%{%s}t\" '}]: template error while templating string: Encountered unknown tag 's'.. String:  \"seconds\": \"%{%s}t\" "
}

If I remove the 2 "%"s then it works, but we need the specific string to be there as lots of log parsing program relies on the exact format to work properly. Also tried various escape characters but none can achieve what we need, some examples listed below:

1) " { \"seconds\": \"%{%s}t\" } "  error: Encountered unknown tag 's'
2) ' { \"seconds\": \"%{%s}t\" } '  error: Encountered unknown tag 's'
3) ' { \"seconds\": \"%{\%s}t\" } ' no error but with incorrect result extra back slash before %s)  request-log-format = { "seconds": "%{\%s}t" }
4) ' { \"seconds\": \"\%{%s}t\" } ' error: Encountered unknown tag 's'
5) " { \"seconds\": \"%{%%s}t\" } "  error: tag name expected
6) " { \"seconds\": \"%%{%s}t\" } "  error: tag name expected
7) '{% raw %}{ "seconds": "%{%s}t" }{% endraw %}'  error: Encountered unknown tag 's'
8) !unsafe ' { "seconds": "%{%s}t" } '  error: SyntaxError: invalid syntax MODULE FAILURE

Also tried below .yml but still failed

---
- name: Run some commands
  hosts: all
  connection: local
  vars:
    username: "admin"
    password: "password1234"
    lmi_port: "443"
    log_level: "CRITICAL"
    force: True
    start_config_wait_time: 120
    starter_value: " { \"seconds\": \"${$s}t\" } "       
  roles:
    - role: update_reverseproxy_conf
      update_reverseproxy_conf_reverseproxy_id: "TestInstance"
      update_reverseproxy_conf_entries:
      - stanza_id: "logging"
        entry_id: "request-log-format"
        value_id: "{{ starter_value | regex_replace('\\$','%') }}"

Can see the "regex_replace" part is working as the final "value_id" string has the "$" correctly changed to "%". The error message shown below is the same as before (Encountered unknown tag 's').

FAILED! => {
    "failed": true, 
    "msg": "{u'entry_id': u'request-log-format', u'stanza_id': u'logging', u'value_id': u' { \"seconds\": \"%{%s}t\" } '}: template error while templating string: Encountered unknown tag 's'.. String:  { \"seconds\": \"%{%s}t\" } "
}

Also raised a question in
stackoverflow but all of the suggestions received failed.

Plus, how do we know whether it's Ansible or ISAM or the isam-ansible-roles code that throws the error?

Please help. Thanks.

In the set_junction role the action being called in main.yml is:

action: ibmsecurity.isam.web.reverse_proxy.junctions.add

Is there a reason why it doesn't call the ibmsecurity.isam.web.reverse_proxy.junctions.set function?

And if there is what is the correct role to use to call the set junction?

As a sub-question, why would there be an add_junction role? From what I understand the set function does the idempotence check & calls add if needed. Why would someone want to use add directly instead of using set?

Thanks !!

• name: Create a report on all Junctions
  hosts: all
  no_log: false
  connection: local
  vars:
  log_level: "DEBUG"
  roles:

  • role: start_config

  • role: get_reverseproxies

  • role: get_junctions

  • role: get_junction_details

  • role: gen_report
    gen_report_template: "report_junctions.template"
    gen_report_dir: "/tmp"

Ouptput shows this:

TASK [gen_report : Generate Report using template report_junctions.template] ***
[WARNING]: Unable to find 'base_commands.yml' in expected paths.
fatal: [ciaisawd0005.sys.cigna.com]: FAILED! => {"changed": false, "failed": true, "msg": "AnsibleError: An unhandled exception occurred while running the lookup plugin 'file'. Error was a <class 'ansible.errors.AnsibleError'>, original message: could not locate file in lookup: base_commands.yml"}

When I make changes on the 'master' the "Restart AAC Runtime' handler will restart the runtime. But the other runtimes in the appliance cluster runtimes do not get restarted. Is there a way to call the 'Restart AAC Runtime' handler directly from a playbook and force it to restart to accomplish this?

Thanks
Bill

There is syntax error in the 'when' clause, i.e. a missing 'and'.

Will submit a pull request shortly.

So trying to create a test firewall step / playbook to checkout backend connections

Like to SSH into the OVA Appliance and run the tools command to test all network connections to the back end junctions etc.

Anyone been able to use an Ansible module to accomplish this?

Thanks

Hi,

The create_mgmt_root_dir Ansible role utilizes the following action:
ibmsecurity.isam.web.reverse_proxy.management_root.directory.create
This function has the following signature:
create(isamAppliance, instance_id, id, name, check_mode=False, force=False)

Upon executing a task using this role, I received the following trace:
[DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_response():64] Text: [{\"name\":\"ISAM Base Appliance\",\"description\":\"IBM Security Access Manager Base Appliance\",\"id\":\"wga\",\"enabled\":\"True\"}]\n", "msg": "Error> action does not have the right set of arguments or there is a code bug! Options: isamAppliance=isam_server, force=False, instance_id=\"rp-demotest\", id=\"management/C\", filename=\"dirname\"", "name": "ibmsecurity.isam.web.reverse_proxy.management_root.directory.create"}

This is due to an incorrect mapping in the actual task: see here.

Which according to the API should use "name" instead of "filename".

I'll open a Pull Request in order to resolve this issue.

Kind regards,
Dries Eestermans

P.S.: A restart of the reverse proxy instance should also be issued, this will be added via the PR as well.

I have enough use cases where the variance is slight enough to need to externalize it, but to not want to maintain more vars

**pdadmin command file contents:

"server task {{ isam_server_instance }} list"**

ansible-playbook -i inventories/0-DFLT pdadmin.yml -v -e "da_name=jason_test execute_pdadmin_domain=Default9 isam_server_instance=jason_test-webseald-localhost" | sed 's/\n/\n/g'

It does the substitution and visually appears accurate, but I get a server not found message.

Thanks

Hello,

we are testing use of 'add_federation' and getting an error returned for 'add_federation_templateName:'
The REST API documentation shows this is not a required value, but if is commented out the entire role is skipped. We also tried uncommenting and using 'SAML2_0' and also 'saml_post' for the template values and these cause the error at bottom of this post..
any ideas what we are doing wrong?

following is our parameters for the role:
role: "add_federation"
add_federation_name: "resilientfed2"
add_federation_protocol: "SAML2_0"
add_federation_role: "ip"
add_federation_templateName: ""
add_federation_configuration:
pointOfContactUrl: "https://192.168.0.35/isam"
companyName: "company"
sessionTimeout: 7200
singleSignOnService: "192.168.0.35"
needConsentToFederate: True
singleSignOnServiceData:
binding: ["post","redirect"]
url: "https://192.168.0.35"
singleLogoutService: "192.168.0.35"
serviceData:
binding: ["post","redirect"]
identityMapping:
activeDelegateId: "skip-identity-map"

error that results with the above..
...[ibmsecurity.appliance.ibmappliance] [_process_warnings():92] Checking for minimum version: 9.0.1.0.\n[2018-02-27 21:35:52,382] [PID:27823 TID:139956807944000] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_warnings():108] Checking for one of required modules: ['federation'].\n[2018-02-27 21:35:52,382] [PID:27823 TID:139956807944000] [INFO] [ibmsecurity.appliance.ibmappliance] [_process_warnings():119] Modules satisfying requirement: [u'federation']\n[2018-02-27 21:35:52,382] [PID:27823 TID:139956807944000] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_warnings():125] Warnings: []\n[2018-02-27 21:35:52,383] [PID:27823 TID:139956807944000] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_invoke_request():301] Headers are: {'Content-type': 'application/json', 'Accept': 'application/json'}\n[2018-02-27 21:35:52,383] [PID:27823 TID:139956807944000] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_invoke_request():306] Input Data: {"role": "ip", "configuration": {"singleLogoutService": "192.168.0.35", "serviceData": {"binding": ["post", "redirect"]}, "sessionTimeout": 7200, "needConsentToFederate": true, "singleSignOnServiceData": {"url": "https://192.168.0.35\", "binding": ["post", "redirect"]}, "companyName": "company", "singleSignOnService": "192.168.0.35", "pointOfContactUrl": "https://192.168.0.35/isam\", "identityMapping": {"activeDelegateId": "skip-identity-map"}}, "protocol": "SAML2_0", "name": "resilientfed2", "templateName": ""}\n[2018-02-27 21:35:52,383] [PID:27823 TID:139956807944000] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_suppress_ssl_warning():35] Suppressing SSL Warnings.\n[2018-02-27 21:35:52,383] [PID:27823 TID:139956807944000] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_url():24] Issuing request to: https://192.168.0.33:443/iam/access/v8/federations\n[2018-02-27 21:35:52,385] [PID:27823 TID:139956807944000] [DEBUG] [urllib3.connectionpool] [_new_conn():824] Starting new HTTPS connection (1): 192.168.0.33\n[2018-02-27 21:35:53,030] [PID:27823 TID:139956807944000] [DEBUG] [urllib3.connectionpool] [_make_request():396] https://192.168.0.33:443 "POST /iam/access/v8/federations HTTP/1.1" 500 75\n[2018-02-27 21:35:53,033] [PID:27823 TID:139956807944000] [ERROR] [ibmsecurity.appliance.ibmappliance] [_process_response():46] Request failed: \n[2018-02-27 21:35:53,034] [PID:27823 TID:139956807944000] [ERROR] [ibmsecurity.appliance.ibmappliance] [_process_response():47] status code: 500\n[2018-02-27 21:35:53,034] [PID:27823 TID:139956807944000] [ERROR] [ibmsecurity.appliance.ibmappliance] [_process_response():49] text: {"result":"java.lang.String incompatible with com.ibm.json.java.JSONArray"}\n", "msg": "('HTTP Return code: 500', u'{"result":"java.lang.String incompatible with com.ibm.json.java.JSONArray"}')", "name": "ibmsecurity.isam.fed.federations.add"}

Not the bigger issue on earth but the set of "xxx_reverseproxy_conf roles (add/delete/update) and also the role execute_isamcfg have "AAC" reference in their play name as can be reported in the following search result:

isam-ansible-roles\add_reverseproxy_conf\tasks\main.yml(2): - name: Configure Reverse Proxy for AAC (Updates)
isam-ansible-roles\delete_reverseproxy_conf\tasks\main.yml(1): - name: Configure Reverse Proxy for AAC (Deletes)
isam-ansible-roles\execute_isamcfg\tasks\rp_config_adds.yml(3): - name: Configure Reverse Proxy for AAC (Adds)
isam-ansible-roles\execute_isamcfg\tasks\rp_config_updates.yml(3): - name: Configure Reverse Proxy for AAC (Updates)
isam-ansible-roles\update_reverseproxy_conf\tasks\main.yml(2): - name: Configure Reverse Proxy for AAC (Updates)

Of course, these roles are very useful but not only for "AAC" reverse proxies but also for any reverse proxies that one can think off. When these roles run in playbooks their output can cause confusion if you know you have not integrated any AAC functionality yet.
I would volunteer to change those names to something more generic. I propose replacing “Configure Reverse Proxy for AAC (xxx)” with “Configure Reverse Proxy stanza entries (xxx)”
Any thought?

Per the doc for the activate_module role, the valid module names are "wga", "mga", and "federation". However, I observed that if I pass in a name other than those (e.g. "fed") then the module will still be activated successfully. However, if I re-run the same role, it will throw an error saying that the module is already activated and the play will terminate. This breaks idempotency for this role.

## This works for initial activation, but fails if module is already activated
- role: activate_module
  activate_module_id  : "fed"
  activate_module_code: "{{ lookup('file', '~/isam_federation_code.txt') }}"

If I use the correct module name ("federation" in this case) then the error will be successfully ignored.

## This runs successfully every time
- role: activate_module
  activate_module_id  : "federation"
  activate_module_code: "{{ lookup('file', '~/isam_federation_code.txt') }}"

IMO the module should never have been activated using an incorrect name in the first place. This would force the playbook author to use the correct name from the start instead of discovering their error much later on.

Now that the ibmsecurity module supports OIDC for API Definition (see IBM-Security/ibmsecurity#58 for ref), I am looking to provide the required customizations to the role 'add_oauth_definition' to support the additionnal 9.0.4 OIDC API Definition parameters, and simply looking for advise.

Should we A) let the playbook developper using the role 'add_oauth_definition' build this unique oidc json object (see below) and pass it as a single parameter to the role, or B) add in the role every required individual parameters and build the oidc json object internaly in the role ?

   "oidc":{
     "enabled":true,
     "alg":"RS256",
     "db":"rt_profile_keys",
     "cert":"server",
     "poc":"https://www.myWebSEAL.com",
     "lifetime":3600,
     "enc":{
       "enabled":false
     },
     "attributeSources":[
       {
         "attributeName": "exampleAttribute",
         "attributeSourceId": "1"
       }
     ]
   }

Thanks

Sometime it is necessary to add some stanza to ISAM RP configuration files (for junction related settings or cred attributes setup) as it is described in the ISAM federation cookbook.

So we have developed a specialized role for dealing with the addition of non-existing stanza to ISAM RP configuration files (called add_reverseproxy_conf_stanza using stanza.py). But I wonder if instead we should not extend the implementation of the existing add_reverseproxy_conf role to have it detect automatically if entries/values pairs are to be added/updated for stanza that are not yet defined, and proceed with adding those automatically. Similarly, the update_reverseproxy_conf could be updated similarly.

Extending the roles such as add_reverseproxy_conf (as opposed to provide a new one) would help limit the proliferation of small utilities roles and help playbook developer get the job done more easily.
Should update_reverseproxy_conf deserve the same treatment?

What are your thoughts?

Is there a way to change the interface on the runtime listening interfaces under Secure Access Control
(ie i want to change it from local interface to 1.2)
Thanks
Bill

I would like a feature to configure kerberos configuration. Web Settings|Kerberos Configuration.

My company uses this feature for many internal applications

Thanks
Bill

Hi need some help. Built ISAM 9 VM following "ISAM9 Federation Cookbook", and was able to use ansible on docker to do lots of things following "isam-ansible-playbook-sample" such as run pdadmin commands, create snapshot, activate module, create reverse proxy,...etc.

However, "add_junction" always fail with error "action does not have the right set of arguments or there is a code bug" as shown below. Also tried just use "TestInstance" as "add_junction_reverseproxy_id", but still gets same error.

If I commented out the "add_junction_reverseproxy_id" line then it just said "skipping" and nothing happened.

Any idea what have I done wrong? Or is there any working example "add_junction" available? Thanks.

The search_mapping_rule role currently registers the resulting mapping rule ID in a variable which is always called "search_mapping_rule". This causes issues if you need to lookup multiple mapping rule IDs for a single task (i.e. if you are creating a module chain which uses more than one mapping rule, as we frequently do). I have shown in my local environment that by making the name of the registered variable configurable, it is possible to lookup multiple mapping rules within a single task.

Example of the modification to the search_mapping_rule role:

- name: Search for a Mapping Rule
  isam:
    appliance: "{{ inventory_hostname }}"
    username:  "{{ username }}"
    password:  "{{ password }}"
    lmi_port:  "{{ lmi_port }}"
    log:       "{{ log_level }}"
    force:     "{{ force }}"
    action: ibmsecurity.isam.aac.mapping_rules.search
    isamapi:
      name: "{{ search_mapping_rule_name }}"
  when: search_mapping_rule_name is defined
  register: "{{ search_mapping_rule_register }}"

Example task from playbook:

- name: Add Module Chains
  hosts: all
  connection: local
  roles:
    - role: search_mapping_rule
      search_mapping_rule_name: mapping-rule-1
      search_mapping_rule_register: map1

    - role: search_mapping_rule
      search_mapping_rule_name: mapping-rule-2
      search_mapping_rule_register: map2

    - role: add_module_chain
      module_chain_name: test-chain
      module_chain_template_name: test-chain-template
      module_chain_request_type: "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue"
      module_chain_description: "Test"
      module_chain_token_type: "*"
      module_chain_issuer:
        address: "REGEXP: (.*/test-chain)"
      module_chain_applies_to:
        address: "REGEXP: (.*)"
      module_chain_properties:
        self:
          - name: map-01.map.rule.reference.ids
            value:
              - "{{ map1['data'] }}"
          - name: map-02.map.rule.reference.ids
            value:
              - "{{ map2['data'] }}
# OMITTED...

If this is acceptable, I will submit a pull request for this update.

Was testing "add_partner" and keep getting ParerError, after compared with the working "add_federation", noticed line 9-10 in "add_partner/tasks/main.yml" for "action:" and "isamapi:" both have different indentation when compared with "add_federation/tasks/main.yml". Created local copy of the roles, changed the indentation and confirmed working.

Current Ansible invocations of the python code re-create the connections and collection of meta-data. This can be avoided once Ansible provides a feature to maintain state as proposed here:

ansible/proposals#24

Reporting Stuff is awesome

get_junction_details -> Please allow us to provide the inputs to see the details

Use Case: Create / Mod a Junction, then show the updates after its complete

Should the Report Junction Template work on ISAM version 9.0.1?

All of the 9.0.2 instances work fine but on 9.0.1 it seems to only pull the first server junction point
Did the format of the servers attribute change between versions ?

Thanks

Low priority.

If I run the detail junction process with a group of rps
It only runs one of the rp of the group and then ends

Hi,

We have found that when using role 'set_ldap_user_pw' to set an existing embedded_ldap account's password (such as the one for easuser) that it only become effective after the AAC Runtime is restarted. This would be quick code change to add a "Runtime Restart" after the "Commit". But is it a good thing ? Woud there be cases where the AAC Runtime should not be restarted right away ?

Just looking for advise. Will test the code and submit a pull if I found that it resolves this behavior.

Hi

Anyone having a working playbook using the role set_admin_cfg ?

I keep getting the error msg "action does not have the right set of arguments or there is a code bug" when running a very simple role:

- role : set_admin_cfg
  set_admin_cfg_key : "enableSSLv3"
  set_admin_cfg_value : "false"

fatal: [stha9n0fw.iad.ca.inet]: FAILED! => {
"changed": false,
"failed": true,
"invocation": {
"module_args": {
"action": "ibmsecurity.isam.base.admin.set",
"appliance": "*",
"force": false,
"isamapi": {
"key": "enableSSLv3",
"value": "false"
},
"lmi_port": 443,
"log": "DEBUG",
"password": "",
"username": "admin@local"
}
},
"log": "[2017-12-11 16:37:39,746] [PID:2535 TID:140474922600256] [DEBUG] [ibmsecurity.user.applianceuser] [init():9] Creating a user\n[2017-12-11 16:37:39,746] [PID:2535 TID:140474922600256] [DEBUG] [ibmsecurity.user.user] [init():8] Creating a user\n[2017-12-11 16:37:39,746] [PID:2535 TID:140474922600256] [DEBUG] [ibmsecurity.appliance.isamappliance] [init():13] Creating an ISAMAppliance\n[2017-12-11 16:37:39,746] [PID:2535 TID:140474922600256] [DEBUG] [ibmsecurity.appliance.ibmappliance] [init():15] Creating an IBMAppliance\n[2017-12-11 16:37:39,747] [PID:2535 TID:140474922600256] [INFO] [ibmsecurity.appliance.ibmappliance] [_log_desc():30] *** Retrieving firmware ***\n[2017-12-11 16:37:39,747] [PID:2535 TID:140474922600256] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_warnings():92] Checking for minimum version: None.\n[2017-12-11 16:37:39,747] [PID:2535 TID:140474922600256] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_warnings():108] Checking for one of required modules: None.\n[2017-12-11 16:37:39,747] [PID:2535 TID:140474922600256] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_warnings():125] Warnings: []\n[2017-12-11 16:37:39,747] [PID:2535 TID:140474922600256] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_invoke_request():301] Headers are: {'Content-type': 'application/json', 'Accept': 'application/json'}\n[2017-12-11 16:37:39,747] [PID:2535 TID:140474922600256] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_invoke_request():306] Input Data: {}\n[2017-12-11 16:37:39,747] [PID:2535 TID:140474922600256] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_suppress_ssl_warning():35] Suppressing SSL Warnings.\n[2017-12-11 16:37:39,747] [PID:2535 TID:140474922600256] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_url():24] Issuing request to: https://stha9n0fw.iad.ca.inet:443/firmware_settings\n[2017-12-11 16:37:39,749] [PID:2535 TID:140474922600256] [DEBUG] [urllib3.connectionpool] [_new_conn():824] Starting new HTTPS connection (1): stha9n0fw.iad.ca.inet\n[2017-12-11 16:37:40,085] [PID:2535 TID:140474922600256] [DEBUG] [urllib3.connectionpool] [_make_request():396] https://stha9n0fw.iad.ca.inet:443 "GET /firmware_settings HTTP/1.1" 200 483\n[2017-12-11 16:37:40,088] [PID:2535 TID:140474922600256] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_response():63] Status Code: 200\n[2017-12-11 16:37:40,088] [PID:2535 TID:140474922600256] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_response():65] Text: [{"partition":"1 (Active)","last_boot":"1512828512","name":"isam_9.0.3.1_20171017-2336","active":true,"comment":"","id":1,"firmware_version":"IBM Security Access Manager 9.0.3.1","install_date":"1512396478","backup_date":null,"install_type":"ISO"}, {"partition":"2","last_boot":"Never","name":"isam_9.0.3.1_20171017-2336","active":false,"comment":"","id":2,"firmware_version":"IBM Security Access Manager 9.0.3.1","install_date":"1512396497","backup_date":null,"install_type":"ISO"}]\n[2017-12-11 16:37:40,089] [PID:2535 TID:140474922600256] [INFO] [ibmsecurity.appliance.ibmappliance] [_log_desc():30] *** Get Setup Complete Settings ***\n[2017-12-11 16:37:40,089] [PID:2535 TID:140474922600256] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_warnings():92] Checking for minimum version: None.\n[2017-12-11 16:37:40,089] [PID:2535 TID:140474922600256] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_warnings():108] Checking for one of required modules: None.\n[2017-12-11 16:37:40,089] [PID:2535 TID:140474922600256] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_warnings():125] Warnings: []\n[2017-12-11 16:37:40,089] [PID:2535 TID:140474922600256] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_invoke_request():301] Headers are: {'Content-type': 'application/json', 'Accept': 'application/json'}\n[2017-12-11 16:37:40,089] [PID:2535 TID:140474922600256] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_invoke_request():306] Input Data: {}\n[2017-12-11 16:37:40,089] [PID:2535 TID:140474922600256] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_suppress_ssl_warning():35] Suppressing SSL Warnings.\n[2017-12-11 16:37:40,089] [PID:2535 TID:140474922600256] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_url():24] Issuing request to: https://stha9n0fw.iad.ca.inet:443/setup_complete\n[2017-12-11 16:37:40,090] [PID:2535 TID:140474922600256] [DEBUG] [urllib3.connectionpool] [_new_conn():824] Starting new HTTPS connection (1): stha9n0fw.iad.ca.inet\n[2017-12-11 16:37:40,323] [PID:2535 TID:140474922600256] [DEBUG] [urllib3.connectionpool] [_make_request():396] https://stha9n0fw.iad.ca.inet:443 "GET /setup_complete HTTP/1.1" 200 21\n[2017-12-11 16:37:40,326] [PID:2535 TID:140474922600256] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_response():63] Status Code: 200\n[2017-12-11 16:37:40,326] [PID:2535 TID:140474922600256] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_response():65] Text: { "configured": true}\n[2017-12-11 16:37:40,327] [PID:2535 TID:140474922600256] [INFO] [ibmsecurity.appliance.ibmappliance] [_log_desc():30] *** Retrieving activations ***\n[2017-12-11 16:37:40,327] [PID:2535 TID:140474922600256] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_warnings():92] Checking for minimum version: None.\n[2017-12-11 16:37:40,327] [PID:2535 TID:140474922600256] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_warnings():108] Checking for one of required modules: None.\n[2017-12-11 16:37:40,327] [PID:2535 TID:140474922600256] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_warnings():125] Warnings: []\n[2017-12-11 16:37:40,327] [PID:2535 TID:140474922600256] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_invoke_request():301] Headers are: {'Content-type': 'application/json', 'Accept': 'application/json'}\n[2017-12-11 16:37:40,327] [PID:2535 TID:140474922600256] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_invoke_request():306] Input Data: {}\n[2017-12-11 16:37:40,327] [PID:2535 TID:140474922600256] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_suppress_ssl_warning():35] Suppressing SSL Warnings.\n[2017-12-11 16:37:40,327] [PID:2535 TID:140474922600256] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_url():24] Issuing request to: https://stha9n0fw.iad.ca.inet:443/isam/capabilities/v1\n[2017-12-11 16:37:40,328] [PID:2535 TID:140474922600256] [DEBUG] [urllib3.connectionpool] [_new_conn():824] Starting new HTTPS connection (1): stha9n0fw.iad.ca.inet\n[2017-12-11 16:37:40,577] [PID:2535 TID:140474922600256] [DEBUG] [urllib3.connectionpool] [_make_request():396] https://stha9n0fw.iad.ca.inet:443 "GET /isam/capabilities/v1 HTTP/1.1" 200 None\n[2017-12-11 16:37:40,580] [PID:2535 TID:140474922600256] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_response():63] Status Code: 200\n[2017-12-11 16:37:40,580] [PID:2535 TID:140474922600256] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_response():65] Text: [{"name":"ISAM Base Appliance","description":"IBM Security Access Manager Base Appliance","id":"wga","enabled":"True"}, {"name":"ISAM Advanced Access Control","description":"IBM Security Access Manager Advanced Access Control","id":"mga","enabled":"True"}, {"name":"ISAM Federation","description":"IBM Security Access Manager Federation","id":"federation","enabled":"True"}]\n",
"msg": "Error> action does not have the right set of arguments or there is a code bug! Options: isamAppliance=isam_server, force=False, key="enableSSLv3", value="false"",
"name": "ibmsecurity.isam.base.admin.set"
}

Hi When trying to import certificate using below playbook (attached playbook file) I am gettting below error.
This is just part of error logs - I am using ansible 2.3.1

Issuing request to: https://10.39.0.10:9443/isam/ssl_certificates/pdsrv/signer_cert\n[2017-08-04 17:45:54,822] [PID:13564 TID:257 69803872] [DEBUG] [urllib3.connectionpool] [_new_conn():818] Starting new HTTPS connection (1): 10.39.0.10\n[2017-08-04 17:45:58,021] [PID:13564 TID:25769803872] [DEBUG] [urllib3.connectionp ool] [_make_request():395] https://10.39.0.10:9443 "POST /isam/ssl_certificates/pdsrv/signer_cert HTTP/1.1" 500 129\n[2017-08-04 17:45:58,026] [PID:13564 TID:25769803872] [ERROR] [ibmsecur ity.appliance.ibmappliance] [_process_response():45] Request failed: \n[2017-08-04 17:45:58,026] [PID:13564 TID:25769803872] [ERROR] [ibmsecurity.appliance.ibmappliance] [_process_response ():46] status code: 500\n[2017-08-04 17:45:58,026] [PID:13564 TID:25769803872] [ERROR] [ibmsecurity.appliance.ibmappliance] [_process_response():48] text: {"message":"CTGSK3046W The key file "/var/www/lmi/tmp/webseal_cert4011025435604025012cert.cer" could not be imported."}\n", "msg": "('HTTP Return code: 500', u'{"message":"CTGSK3046W The key file &q uot;/var/www/lmi/tmp/webseal_cert4011025435604025012cert.cer" could not be imported."}')", "name": "ibmsecurity.isam.base.ssl_certificates.signer_certificate.import_cert"}

Probaby an easy one for you folks.

Submitting a pdadmin cmd which does not contain any special characters work fine:

domain create childDomain sec_master somepassword -desc "somedescription"

but when submitting a pdadmin cmd like the following, that contains a comma for instance, how should we pass it to the role 'execute_pdadmin_domain':

user import _tammon cn=someuser,secAuthority=Default

This is the results I am getting:

"[2018-01-28 19:30:32,946] [PID:15157 TID:140127864330048] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_invoke_request():306] Input Data: {"admin_pwd": "passw0rd", "admin_domain": "Default", "commands": ["user import _tammon cn=someuser", "secAuthority=Default"], "admin_id": "sec_master"}",

Just above the ibmsecurity stack receives the cmd arladt splitted in 2 parts ...

"[2018-01-28 19:12:43,911] [PID:12073 TID:140121321088832] [ERROR] [ibmsecurity.appliance.ibmappliance] [_process_response():46] Request failed: ",
"[2018-01-28 19:12:43,912] [PID:12073 TID:140121321088832] [ERROR] [ibmsecurity.appliance.ibmappliance] [_process_response():47] status code: 500",
"[2018-01-28 19:12:43,912] [PID:12073 TID:140121321088832] [ERROR] [ibmsecurity.appliance.ibmappliance] [_process_response():49] text: {"result":"cmd> user import _tammon cn=someuser\nCould not perform the administration request\nError: HPDMG0755W The specified Distinguished Name (DN) does not exist. (status 0x14c012f3)\ncmd> secAuthority=Default\nError: Unknown command. Try using 'help' for a list of commands"}",
""

Somewhere before it get's to python module, the pdadmin cmd gets splitted in 2 pieces which make it invalid for ISAM to process.

When executing a pdadmin cmd with the execute_pdadmin role and an error is captured, I obtained a syntax execution error because the ret_obj['data'] is undefined.

TASK [execute_pdadmin : Output of PDAdmin command execution] ***********************************************************************************************************
fatal: [stha9n0fw.iad.ca.inet]: FAILED! => {"msg": "The conditional check '(ret_obj is defined and 'result' in ret_obj['data'] and ret_obj|succeeded and (not ansible_check_mode))' failed. The error was: error while evaluating conditional ((ret_obj is defined and 'result' in ret_obj['data'] and ret_obj|succeeded and (not ansible_check_mode))): Unable to look up a name or access an attribute in template string ({% if (ret_obj is defined and 'result' in ret_obj['data'] and ret_obj|succeeded and (not ansible_check_mode)) %} True {% else %} False {% endif %}).\nMake sure your variable name does not contain invalid characters like '-': argument of type 'StrictUndefined' is not iterable\n\nThe error appears to have been in '/home/sygilber/isam_home/ansible/roles/isam-ansible-roles/execute_pdadmin/tasks/main.yml': line 22, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Output of PDAdmin command execution\n ^ here\n"}

When making some change in the play named "Output of PDAdmin command execution" to refer to ret_obj instead of ret_obj['data'] then the execution error is cleared.

Here is a summary of what would look like the modification if I would create a pull request.

diff --git a/execute_pdadmin/tasks/main.yml b/execute_pdadmin/tasks/main.yml
index 2e07353..997bf12 100644
--- a/execute_pdadmin/tasks/main.yml
+++ b/execute_pdadmin/tasks/main.yml
@@ -14,8 +14,8 @@
register: ret_obj

• name: Output of PDAdmin command execution
• debug: msg="{{ ret_obj['data']['result'].split('\n') }}"
• when: (ret_obj is defined and 'result' in ret_obj['data'] and ret_obj|succeeded and (not ansible_check_mode))

• debug: msg="{{ ret_obj['result'].split('\n') }}"^M
• when: (ret_obj is defined and 'result' in ret_obj and ret_obj|succeeded and (not ansible_check_mode))^M

• name: Error Messages if PDAdmin command failed
  debug: msg="{{ ret_obj['log'].split('\n') }}"

But before I do that, I am looking for advise/comments if this is the right thing. Or it is possible that depending of the appliance version, the returned object is not structured the same way, or the version of ansible introcuces changes ? Here are details about the ansible stack we are running:

ansible 2.4.0.0
python version = 2.7.5 (default, May 3 2017, 07:55:04) [GCC 4.8.5 20150623 (Red Hat 4.8.5-14)]

the current reverse proxy federation role assumes that federation module is available on the reverse proxy server and searches for the federation ID on the reverse proxy instance and fails as there is no reverse proxy instance.

I have changed the appliance host variable in the task to get the role working but thats may not be a good idea. I guess we can define a new variable or do something similar to search mapping rule.

• name: Lookup a Federation ID - {{config_reverseproxy_federation_name}}
  isam:
  appliance: "{{ Policy_Server_inventory_hostname }}"
  username: "{{ username }}"
  password: "{{ password }}"
  lmi_port: "{{ lmi_port }}"
  log: "{{ log_level }}"
  force: "{{ force }}"
  action: ibmsecurity.isam.fed.federations.search
  isamapi:
  name: "{{ config_reverseproxy_federation_name }}"
  register: ret_obj
  when: config_reverseproxy_federation_name is defined

Although I get a 500 error, it does add the node to the cluster.

Here is my playbook...

Build out entire environment

• name: Setup Reverse Proxy Appliance
  hosts: reverseproxy
  connection: local
  roles:
  • role: add_cluster_node
    tags: ["cluster", "add"]
    add_cluster_node_signature_file: "./files/clustersign/primary.sign"
    add_cluster_node_restricted: True

Here is the output from the screen.

fatal: [ciaisawd0016.sys.cigna.com]: FAILED! => {"changed": false, "failed": true, "log": "[2017-04-20 20:57:14,473] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.user.applianceuser] [init():9] Creating a user\n[2017-04-20 20:57:14,473] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.user.user] [init():8] Creating a user\n[2017-04-20 20:57:14,473] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.isamappliance] [init():11] Creating an ISAMAppliance\n[2017-04-20 20:57:14,473] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [init():15] Creating an IBMAppliance\n[2017-04-20 20:57:14,475] [PID:2664 TID:139910666479424] [INFO] [ibmsecurity.appliance.ibmappliance] [_log_desc():28] *** Retrieving firmware ***\n[2017-04-20 20:57:14,475] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_warnings():90] Checking for minimum version: None.\n[2017-04-20 20:57:14,475] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_warnings():106] Checking for one of required modules: None.\n[2017-04-20 20:57:14,475] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_warnings():123] Warnings: []\n[2017-04-20 20:57:14,475] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_invoke_request():293] Headers are: {'Content-type': 'application/json', 'Accept': 'application/json'}\n[2017-04-20 20:57:14,475] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_invoke_request():297] Input Data: {}\n[2017-04-20 20:57:14,475] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_suppress_ssl_warning():33] Suppressing SSL Warnings.\n[2017-04-20 20:57:14,475] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_url():22] Issuing request to: https://ciaisawd0016.sys.cigna.com:443/firmware_settings\n[2017-04-20 20:57:14,838] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_response():61] Status Code: 200\n[2017-04-20 20:57:14,838] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_response():63] Text: [{"partition":"1 (Active)","last_boot":"1492704508","name":"isam_9.0.2.0_20161102-2353","active":true,"comment":"","id":1,"firmware_version":"IBM Security Access Manager 9.0.2.0","install_date":"1487600798","backup_date":null,"install_type":"ISO"}, {"partition":"2","last_boot":"Never","name":"isam_9.0.2.0_20161102-2353","active":false,"comment":"","id":2,"firmware_version":"IBM Security Access Manager 9.0.2.0","install_date":"1487600816","backup_date":null,"install_type":"ISO"}]\n[2017-04-20 20:57:14,839] [PID:2664 TID:139910666479424] [INFO] [ibmsecurity.appliance.ibmappliance] [_log_desc():28] *** Get Setup Complete Settings ***\n[2017-04-20 20:57:14,839] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_warnings():90] Checking for minimum version: None.\n[2017-04-20 20:57:14,839] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_warnings():106] Checking for one of required modules: None.\n[2017-04-20 20:57:14,839] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_warnings():123] Warnings: []\n[2017-04-20 20:57:14,839] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_invoke_request():293] Headers are: {'Content-type': 'application/json', 'Accept': 'application/json'}\n[2017-04-20 20:57:14,839] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_invoke_request():297] Input Data: {}\n[2017-04-20 20:57:14,839] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_suppress_ssl_warning():33] Suppressing SSL Warnings.\n[2017-04-20 20:57:14,839] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_url():22] Issuing request to: https://ciaisawd0016.sys.cigna.com:443/setup_complete\n[2017-04-20 20:57:14,882] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_response():61] Status Code: 200\n[2017-04-20 20:57:14,883] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_response():63] Text: { "configured": true}\n[2017-04-20 20:57:14,883] [PID:2664 TID:139910666479424] [INFO] [ibmsecurity.appliance.ibmappliance] [_log_desc():28] *** Retrieving activations ***\n[2017-04-20 20:57:14,883] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_warnings():90] Checking for minimum version: None.\n[2017-04-20 20:57:14,883] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_warnings():106] Checking for one of required modules: None.\n[2017-04-20 20:57:14,884] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_warnings():123] Warnings: []\n[2017-04-20 20:57:14,884] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_invoke_request():293] Headers are: {'Content-type': 'application/json', 'Accept': 'application/json'}\n[2017-04-20 20:57:14,884] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_invoke_request():297] Input Data: {}\n[2017-04-20 20:57:14,884] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_suppress_ssl_warning():33] Suppressing SSL Warnings.\n[2017-04-20 20:57:14,884] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_url():22] Issuing request to: https://ciaisawd0016.sys.cigna.com:443/isam/capabilities/v1\n[2017-04-20 20:57:14,987] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_response():61] Status Code: 200\n[2017-04-20 20:57:14,987] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_response():63] Text: [{"name":"ISAM Base Appliance","description":"IBM Security Access Manager Base Appliance","id":"wga","enabled":"True"}]\n[2017-04-20 20:57:14,988] [PID:2664 TID:139910666479424] [INFO] [ibmsecurity.appliance.ibmappliance] [_log_desc():28] *** Retrieve the cluster identifier ***\n[2017-04-20 20:57:14,988] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_warnings():90] Checking for minimum version: None.\n[2017-04-20 20:57:14,988] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_warnings():106] Checking for one of required modules: None.\n[2017-04-20 20:57:14,989] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_warnings():123] Warnings: []\n[2017-04-20 20:57:14,989] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_invoke_request():293] Headers are: {'Content-type': 'application/json', 'Accept': 'application/json'}\n[2017-04-20 20:57:14,989] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_invoke_request():297] Input Data: {}\n[2017-04-20 20:57:14,989] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_suppress_ssl_warning():33] Suppressing SSL Warnings.\n[2017-04-20 20:57:14,989] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_url():22] Issuing request to: https://ciaisawd0016.sys.cigna.com:443/isam/cluster/id/v2\n[2017-04-20 20:57:15,197] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_response():61] Status Code: 200\n[2017-04-20 20:57:15,197] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_response():63] Text: {"value":"10.27.66.252"}\n[2017-04-20 20:57:15,197] [PID:2664 TID:139910666479424] [INFO] [ibmsecurity.appliance.ibmappliance] [_log_desc():28] *** List the current nodes in the cluster ***\n[2017-04-20 20:57:15,197] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_warnings():90] Checking for minimum version: None.\n[2017-04-20 20:57:15,197] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_warnings():106] Checking for one of required modules: None.\n[2017-04-20 20:57:15,197] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_warnings():123] Warnings: []\n[2017-04-20 20:57:15,197] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_invoke_request():293] Headers are: {'Content-type': 'application/json', 'Accept': 'application/json'}\n[2017-04-20 20:57:15,197] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_invoke_request():297] Input Data: {}\n[2017-04-20 20:57:15,197] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_suppress_ssl_warning():33] Suppressing SSL Warnings.\n[2017-04-20 20:57:15,197] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_url():22] Issuing request to: https://ciaisawd0016.sys.cigna.com:443/isam/cluster/nodes/v1\n[2017-04-20 20:57:15,446] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_response():61] Status Code: 200\n[2017-04-20 20:57:15,446] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_response():63] Text: []\n[2017-04-20 20:57:15,446] [PID:2664 TID:139910666479424] [INFO] [ibmsecurity.appliance.ibmappliance] [_log_desc():28] *** Add a node to the cluster ***\n[2017-04-20 20:57:15,447] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_warnings():90] Checking for minimum version: None.\n[2017-04-20 20:57:15,447] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_warnings():106] Checking for one of required modules: None.\n[2017-04-20 20:57:15,447] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_warnings():123] Warnings: []\n[2017-04-20 20:57:15,447] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [invoke_post_files():144] Headers are: {'Accept': 'application/json,text/html,application/xhtml+xml,application/xml'}\n[2017-04-20 20:57:15,447] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_suppress_ssl_warning():33] Suppressing SSL Warnings.\n[2017-04-20 20:57:15,447] [PID:2664 TID:139910666479424] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_url():22] Issuing request to: https://ciaisawd0016.sys.cigna.com:443/isam/cluster/nodes/v1\n[2017-04-20 20:57:21,822] [PID:2664 TID:139910666479424] [ERROR] [ibmsecurity.appliance.ibmappliance] [_process_response():44] Request failed: \n[2017-04-20 20:57:21,823] [PID:2664 TID:139910666479424] [ERROR] [ibmsecurity.appliance.ibmappliance] [_process_response():45] status code: 500\n[2017-04-20 20:57:21,823] [PID:2664 TID:139910666479424] [ERROR] [ibmsecurity.appliance.ibmappliance] [_process_response():47] text: {"message":"Error: DPWAP0003I An error occured while executing the command: /usr/sbin/mesa_control commit /tmp/clusterp (0x4)"}\n", "msg": "('HTTP Return code: 500', u'{"message":"Error: DPWAP0003I An error occured while executing the command: /usr/sbin/mesa_control commit /tmp/clusterp (0x4)"}')", "name": "ibmsecurity.isam.base.cluster.node.add"}

We have developed a role to import the support license file. We intent to share it but I was wondering if it should be named “import_license”, “apply_license”, or “install_license”. The actual python code and rest api documentation both refer to the act of “installing” a license whereas the appliance web help refers of “importing”. I don’t think that one can add numerous license file (although I never tried) so I was ruling out the “add” semantics. Open to comments. Will later track the pull request to this issue.

Will submit in the coming days a role for adding Web Service server connection into the AAC. Currently, only LDAP role exist. Will provide as well the counterpart python code candidate implementation.

While calling set_reverseproxy_conf role to set 'request-log-format', it failed when tried to remove the default value which has '%' character:

'HTTP Return code: 500', u'<H1>SRVE0232E: Internal Server Error. <br> Exception Message: [URLDecoder: Illegal hex characters in escape (%) pattern - For input string: \"h%\"]</H1><BR><H3>URLDecoder: Illegal hex characters in escape (%) pattern - For input string: \"h%\"</H3><BR><I>IBM WebSphere Application Server</I>' 

I suspect that the input was not properly URLEncoded when calling the API to delete the entry.

Hello, i have questions around upload_mapping_rule, set_mapping_rule

1. upload_mapping_rule - so this process works for the first time, say i named test, OAUTH and test.js mapping rule js file . If i try to upload another mapping rule with test2,OAUTH and same test.js mapping rule js file it doesnt work.
2. set_mapping_rule - do you have any template available to make this role work? i tried but not able to update any of the existing mapping rule. if you have any templates which can show how to update existing mapping rules it would be great.

the Current role for setup_common_root.yml does not have a variable to specify if we have to create the web root in a different domain.

added a new variable to get it working in my environment, may be there are better ways to handle it.

• name: Create Common Web Root
  isamadmin:
  appliance: "{{ inventory_hostname }}"
  username: "{{ username }}"
  password: "{{ password }}"
  lmi_port: "{{ lmi_port }}"
  log: "{{ log_level }}"
  isamuser: "{{ create_reverseproxy_admin_id }}"
  isampwd: "{{ create_reverseproxy_admin_pwd }}"
  isamdomain: "{{ create_pdadmin_domain }}"
  commands:
  • "object create /WebSEAL/{{common_web_root}} "{{common_web_root_description}}" 5 ispolicyattachable yes"
    ignore_errors: true
    when: common_web_root is defined and create_reverseproxy_admin_id is defined and create_reverseproxy_admin_pwd is defined

Trying to run execute_pdadmin admin but for this reverse proxy instance we have a unique domain = Default9

ibmsecurity/ibmsecurity/isam/web/runtime/pdadmin.py - Seems to have the parameter available
I don't see in isamadmin.py where it loads that property from the dictionary
And the vars aren't exposed through the roles

This may be intentional so I wanted to at least ask the question.

I know the APIs aren't hard for these but these playbooks make it so easy.

1. Deploy / Rollback Pending Changes
2. Start / Stop / Restart Reverse Proxy Instance
3. Delete a Reverse Proxy Instance

We could consider support in this existing role the parameter 'comment' for tuning parameter set (key,value, comment). The ibmmodule python code does support it already so should not be a big deal implementing it in the existing role.

Will come up with propose adjustement (PR) in the coming days.

When HVDB changes occur, they are not effective automatically since the role is not notifying "Restart AAC Runtime" handler.

On the other hand, if the role would notify "Restart AAC Runtime", it would always initiate a restart of the AAC Runtime even when other cluster changes occured unrelated to the DB occured.

So I don't know what is best approach.

i want to import a personal certificate on appliance and and set it as default. when i saw what you already made there is the ansible role (import_personal_cert) to import a personal certificate without property to make it as default. I searched inside the python code of IBMSecurity aund found the method "set" in ibmsecurity/ibmsecurity/isam/base/ssl_certificates/personal_certificate.py to make a personal cert as default but i'm not up to create a new role just to call this method. so i think tht i can create a new python method to import and set sametime a personal cert ...... wht are you thinking about it ?

Will provide updates to the existing role 'add_oauth_client' to add support for 9.0.4 parameters

These 2 roles use "server_uid" instead of "server_uuid" and this caused the roles to fail with message "action does not have the right set of arguments or there is a code bug!".

Will submit a fix/pull request eventually for this. I recall having seen earlier this year changes in ibmsecurity regarding server_uuid updates in the code.

Any thoughs on this issue as to why the old wrong paramater may still be refered in roles ? A simple over-loooked issue or a backward appliance (rest api) compatibility issue ?

Thanks

In the playbook snippet below we try to set the request-log-format to a string that contains non-alphanumerical characters such as '{' '%':

- role: update_reverseproxy_conf
      update_reverseproxy_conf_reverseproxy_id: "{{ reverseproxy_instance_name }}"
      update_reverseproxy_conf_entries:
        - stanza_id: "logging"
          entry_id: "request-log-format"
          value_id: "TS:%{%Y-%m-%dT%H:%M:%S}t C:%a I:%A U:%{AZN_CRED_PRINCIPAL_NAME}C AL:%{AUTHENTICATION_LEVEL}C SI:%{tagvalue_session_index}C T:%d M:%m ST:%s B:%B F:%F URL:%U"

The error is

template error while templating string: Encountered unknown tag 'Y'.. String: TS:%{%Y-%m-%dT%H:%M:%S}t C:%a I:%A U:%{AZN_CRED_PRINCIPAL_NAME}C AL:%{AUTHENTICATION_LEVEL}C SI:%{tagvalue_session_index}C T:%d M:%m ST:%s B:%B F:%F URL:%U"

We have tried different ways to escape the string, none of them seems to work.

I was able to make it work with '!unsafe' directive when make the API call directly:

- name: update logging format
  isam:
      appliance: "{{ ISAM_M1_INTERFACE }}"
      password: "{{ ISAM_admin_pw }}"
      action: ibmsecurity.isam.web.reverse_proxy.configuration.entry.add
      isamapi: 
          reverseproxy_id: "{{reverseproxy_id}}"
          stanza_id: "logging"
          entries: [[ 'request-log-format', !unsafe 'TS:%{%Y-%m-%dT%H:%M:%S}t C:%a I:%A U:%{AZN_CRED_PRINCIPAL_NAME}C AL:%{AUTHENTICATION_LEVEL}C SI:%{tagvalue_session_index}C T:%d M:%m ST:%s B:%B F:%F URL:%U' ]]

Note: the above API calls entry.add, not entry.update, it takes different input - JSON array entries vs entry_id and value_id

However, we were not able to use the roles to add/update/set the value with these special characters.

I would very much like to see a major overhaul of the deploy pending changes process to be consistent with the published REST API documentation. At the moment it appears that each deploy calls /restarts/commit_and_restart which isn't actually even documented in the REST API doc, and causes the LMI to be restarted (slow) every time.

What is supposed to happen is that you GET /isam/pending_changes to see if anything needs commiting, and if it does then PUT /isam/pending_changes. Then you need to introspect the response, and SELECTIVELY decide what to do next based on the returned result Integer, AND status bitmask.

There may also need to be some state management around remembering the last start time of the LMI and/or runtime to ensure that you wait until restarted services are actually restarted. This is not entirely easy, but when done right things are MUCH faster to configure, and everyone benefits.

Will contibute a new role for adding a Point of Contact. It is only this week that we found why one wound want to create a new poc.

For now I have named it 'update_point_of_contact'. Of course it could be named also 'add_point_of_contact' but what I want to prevent is that we push the 2 version of the role 'add and update'. I check the ibmsecurity implementation and it supports both adding/updating when invoking the 'ibmsecurity.isam.fed.point_of_contact.set' method. Ansible is about idempotency and so we should not have to decide which add/update role to invoke when developping playbook.

Also, I am unsure if it should be commited right away in the new structure (base|aac|fed|web) commited last week. And if so, if it should fall under fed or aac category. Theorically it is bound to "fed" rest-api but it is used in both AAC and FED modules (LMI menus).

Comments welcomed.

So wanted to discuss a concept:

I am looking to reduce the knowledge our developers have about out environment and am looking to create an alias for the RP instance name so that is all they need to supply to execute playbooks

hosts file would be ~
test-myapp-0024 ansible_host=localhost da_name=test-myapp-0024

So this causes an issue in that the start_confg process is hard coded to inventory_hostname.

Just wanted to put this here and see what thoughts people have.

Thanks

Currently execute_rp_op role has unbalanced braces
i.e.
with_items: "{{execute_rp_op_ids | default({}) }}}"

Is there a way to "not" take snapshots each time a commit is done? Seems this is a lot of overhead when it might be rarely needed, particuarly when configuring a new appliance from scratch.

The current role updates a current entry. However there are times when would like to "add" an entry to an existing stanza. (ie. logcfg=blah,blah,blah)

I tried creating a new role that uses the action ibmsecurity.isam.web.reverse_proxy.configuration.entry.add. This is the message i get.

"msg": "Error> action does not have the right set of arguments or there is a code bug!

Hi,

I would have assumed that it is necessary to invoke the handler "Restart AAC Runtime" when runtime parameters are applied and it triggers a change. But as it turn out, it does not. For instance, in the below test run, changing the parameter 'enable_sslv3" from True to False using Ansible only has the usual "Commit Changes" handler invoked. I can see in the role "set_runtime_tuning_parameter" that it is meant to only invoke the "Commit Changes".

Is it normal ? Maybe there is something I am not getting.

TASK [set_runtime_tuning_parameter : Snapshot Appliance Before Setting Runtime Tuning Parameters] *******************************************************************************************************************************************
ok: [someserver]

TASK [set_runtime_tuning_parameter : Set Runtime Tuning Parameters] *************************************************************************************************************************************************************************
changed: [stha9n0fw.iad.ca.inet] => (item={u'runtime_tuning_parameter_value': False, u'runtime_tuning_parameter_option': u'enable_sslv3'})
ok: [someserver] => (item={u'runtime_tuning_parameter_value': u'rt_keys', u'runtime_tuning_parameter_option': u'keystore'})
ok: [someserver] => (item={u'runtime_tuning_parameter_value': u'somelabel', u'runtime_tuning_parameter_option': u'keystore_label'})
ok: [someserver] => (item={u'runtime_tuning_parameter_value': u'sometruststore', u'runtime_tuning_parameter_option': u'truststore'})

TASK [add_runtime_listening_interface : Snapshot Appliance Before Adding Runtime Listening Interfaces] **************************************************************************************************************************************
ok: [someserver]

TASK [add_runtime_listening_interface : Add Runtime Listening Interfaces] *******************************************************************************************************************************************************************
ok: [someserver] => (item={u'runtime_listening_interface_port': u'443', u'runtime_listening_interface_secure': True, u'runtime_listening_interface_interface': u'all-application-interfaces'})

RUNNING HANDLER [start_config : Commit Changes] *********************************************************************************************************************************************************************************************
changed: [someserver]

RUNNING HANDLER [start_config : Await Appliance Commit LMI Response] ************************************************************************************************************************************************************************
ok: [someserver]