Sanjay
This is an excerpt from what you can use to import the keytab file, along with the instruction to set the WRP instance.
roles:
  - role: import_spnego_keytab
    # keytab file must be imported and committed before being referred to by the role 'set_reverseproxy_conf'
    tags: ["ISAM_RP", "baseline", "spnego", "keytab"]
    import_spnego_keytab_id: "{{ spnego_krb_keytab_file }}"
    import_spnego_keytab_filename: "{{ fact_rp_dir }}/{{ spnego_krb_keytab_file }}"
  - role: set_reverseproxy_conf
    tags: ["ISAM_RP", "baseline", "spnego"]
    set_reverseproxy_conf_entries:
      - { stanza_id: "server", entries: "[['auth-challenge-type','spnego, forms']]" }
      - { stanza_id: "spnego", entries: "[['spnego-auth','https']]" }
      - { stanza_id: "spnego", entries: "[['spnego-krb-keytab-file','{{ spnego_krb_keytab_file }}']]" }
      - { stanza_id: "spnego", entries: "{{ spnego_krb_service_name_entries }}" }
As for the role 'import_spnego_keytab' you could be using this code of ours:
- name: Import keytab {{ import_spnego_keytab_filename | basename }}
  isam:
    appliance: "{{ inventory_hostname }}"
    username: "{{ username }}"
    password: "{{ password }}"
    lmi_port: "{{ lmi_port }}"
    log: "{{ log_level }}"
    force: "{{ force }}"
    action: ibmsecurity.isam.web.kerberos_configuration.keyfiles.import_keytab
    isamapi:
      id: "{{ import_spnego_keytab_id }}"
      file: "{{ import_spnego_keytab_filename }}"
  when: import_spnego_keytab_filename is defined
  notify: Commit Changes

# Flush Handler now to wait for sso keys import completion
- meta: flush_handlers
Not sure why we needed to create our own role however.
Hope it helps.
------------------------------
Sylvain Gilbert
------------------------------
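An added example, not part of the thread or of the ibmsecurity roles: a pre-flight check that parses the keytab before the import_spnego_keytab role uploads and commits it, and confirms it holds a key for the service principal the [spnego] stanza will name. It assumes the service name is written in the 'HTTP@host' form and that the keytab uses the MIT version 0x0502 layout; the function names, host and realm are hypothetical, and the sample keytab is constructed with a dummy key.

```python
import struct

def _cstr(buf, pos):
    """Read a 16-bit length-prefixed string; return (text, next position)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def keytab_entries(data):
    """Return [(principal, kvno, enctype)] from version 0x0502 keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                       # negative size = hole left by a deleted entry
            pos += -size
            continue
        if pos + size > len(data):
            raise ValueError("truncated keytab entry")
        (count,) = struct.unpack_from(">H", data, pos)
        realm, p = _cstr(data, pos + 2)
        parts = []
        for _ in range(count):
            part, p = _cstr(data, p)
            parts.append(part)
        # name type (4), timestamp (4), 8-bit kvno (1), enctype (2), key length (2)
        _, _, kvno, enctype, klen = struct.unpack_from(">IIBHH", data, p)
        tail = p + 13 + klen
        if pos + size - tail >= 4:          # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, tail)[0] or kvno
        entries.append(("/".join(parts) + "@" + realm, kvno, enctype))
        pos += size
    return entries

def keys_for_service(data, service_name, realm):
    """Entries matching an 'HTTP@host' style service name in the given realm."""
    service, _, host = service_name.partition("@")
    wanted = f"{service}/{host}@{realm}"
    return [e for e in keytab_entries(data) if e[0] == wanted]

def sample_keytab():
    """Constructed one-entry keytab for HTTP/isam.example.com@EXAMPLE.COM (dummy key)."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    entry = struct.pack(">H", 2) + cs(b"EXAMPLE.COM") + cs(b"HTTP") + cs(b"isam.example.com")
    entry += struct.pack(">IIBH", 1, 0, 3, 18) + cs(b"\x00" * 32)
    return b"\x05\x02" + struct.pack(">i", len(entry)) + entry

if __name__ == "__main__":
    print(keys_for_service(sample_keytab(), "HTTP@isam.example.com", "EXAMPLE.COM"))
```

An empty result means the keytab has no key for that principal, which is cheaper to catch here than after the reverse proxy has been reconfigured to use it.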
Original Message:
Sent: Fri November 01, 2019 03:57 AM
From: Sanjay Sutar
Subject: ISAM Kerberos configuration using ansible...
Thank You Kristof for quick response.
Sorry if I was not clear in my post. I am looking for an ansible role to configure the embedded kerberos client.
I am already using the ansible roles from github for other configuration - initial appliance config, policy runtime config, WRP creation/config, junction creation etc.
------------------------------
Sanjay Sutar
Original Message:
Sent: Fri November 01, 2019 03:07 AM
From: Kristof Goossens
Subject: ISAM Kerberos configuration using ansible...
Hi Sanjay,
Kerberos authentication (I suppose you are referring to spnego and not kcd?) is configured in the WebSEAL configuration files, so you'll need the ansible playbooks to update the webseal configuration file (cfr: github ansible repo).
For documentation on how to configure spnego, have a look here
------------------------------
Kristof Goossens
Original Message:
Sent: Thu October 31, 2019 11:30 PM
From: Sanjay Sutar
Subject: ISAM Kerberos configuration using ansible...
Hi All
I am setting up ISAM 9.0.7 using ansible and so far have been successful doing the DB, LDAP and ISAM configuration (including initial config, runtime, cluster). But I cannot find any relevant ansible roles to configure Kerberos for authentication.
Is this possible only through LMI?
I am trying to achieve maximum infrastructure automation for ISAM and this is mostly last step in that.
Any pointer is greatly appreciated in case I might have overlooked/missed anything.
Thank you in advance.
------------------------------
Sanjay Sutar
------------------------------