IBM Verify

  • 1.  Sync/relocate webseal between appliances

    Posted Mon February 07, 2022 02:47 PM
    Hello all,

    We are currently running ISAM 9.0.7.1 (yes, we are working on migrating to version 10) and we need a script that will basically export a webseal from appliance A and replicate it on appliance B.  I was wondering if there was an Ansible playbook or something that already exists and does it?

    My vision basically would be syncing the webseal.conf settings, the management root files, ACLs and Junctions on one appliance and syncing them up correctly on another appliance.  It would not attempt to apply AAC configs to a resource or other things like that.  But getting a webseal synced between webseals is something we could really use because we want to relocate a number of webseals to different appliances.  Having to do it manually would introduce human errors and it would be a slower process.  I would think this is something that can be scripted, although it would not be easy.

    Thanks,
    Troy

    ------------------------------
    Troy Burkle
    ------------------------------


  • 2.  RE: Sync/relocate webseal between appliances

    Posted Mon February 07, 2022 02:56 PM

    Troy,

    I would suggest that you take a look at the export/import functionality in the LMI.  If you select the WebSEAL instance, and then 'Manage -> Export Configuration' it will download a zip of the WebSEAL configuration.  On another appliance you can then create a new WebSEAL instance, and then 'Manage -> Import Configuration', and then select the saved configuration zip.  This will import the saved configuration into the new WebSEAL instance.  This capability can be used to 'copy' the configuration of one WebSEAL instance to another, including junctions, configuration files, key files, management root, etc.  However, it will not attempt to replicate the policy object space (e.g. ACLs).

    I hope that this helps.

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access
    IBM Master Inventor


  • 3.  RE: Sync/relocate webseal between appliances

    Posted Tue February 08, 2022 10:14 AM
    Thanks Scott.  I was planning to use this export/import feature using API calls and script it.  Seems like I would be able to get a lot of what I am looking for completed with this.  I also have another script that pulls down all the ACLs so I can use that to manage the ACLs correctly.  I will probably just do this via a bash script so I can make changes where necessary.  Like the KDB files that I don't need since the assumption is the webseal will be moved within appliances on the same cluster.  I think I will need to remove kdb/stash files from the zip files before doing that.

    ------------------------------
    Troy Burkle
    ------------------------------
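    An added example (not code from this thread, from IBM, or from the appliance) of the pre-import step Troy describes: take the configuration zip that the LMI export produces and drop the GSKit key-database (.kdb) and stash (.sth) entries so that private keys and the stash that unlocks them are not carried to the other appliance. The folder layout of the export is not shown in the thread, so the sample archive below is constructed, and the filter matches on file extension anywhere in the archive rather than on a fixed path.

```python
"""Strip key-database and stash files from an exported WebSEAL configuration zip.

Added example for this thread; not the LMI's, IBM's, or the poster's code.
The archive layout of the constructed sample (a "keytab/" folder) is an
assumption; the filter therefore keys on file extension, not on a path.
"""
import io
import zipfile
from typing import List, Tuple

# A .kdb holds the instance's private keys; the .sth holds the password that
# unlocks it.  Neither should travel in a config copy within the same cluster.
SECRET_SUFFIXES = (".kdb", ".sth")


def strip_key_files(zip_bytes: bytes, suffixes=SECRET_SUFFIXES) -> Tuple[bytes, List[str]]:
    """Return (new zip bytes without matching entries, names of removed entries)."""
    removed: List[str] = []
    out_buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename.lower().endswith(suffixes):
                removed.append(info.filename)
                continue
            # Re-use the original ZipInfo so timestamps/permissions are kept.
            dst.writestr(info, src.read(info.filename))
    return out_buf.getvalue(), removed


def remaining_entries(zip_bytes: bytes) -> List[str]:
    """Sorted list of entry names in a zip (used to verify the result)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return sorted(z.namelist())


def build_sample_export() -> bytes:
    """Constructed stand-in for an LMI export; file names and layout are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("webseald-default.conf", "[server]\nserver-name = default\n")
        z.writestr("keytab/pdsrv.kdb", b"\x00fake-key-database")
        z.writestr("keytab/pdsrv.sth", b"\x00fake-stash")
        z.writestr("junctions/app.xml", "<junction/>")
    return buf.getvalue()


if __name__ == "__main__":
    cleaned, removed = strip_key_files(build_sample_export())
    print("removed:", removed)
    print("kept:   ", remaining_entries(cleaned))
    # With a real export: strip_key_files(open("export.zip", "rb").read())
```

    The target instance is left with whatever key database it was created with, so any references in the imported webseald.conf to a key file name that no longer exists in the archive should be checked before the import rather than discovered when the instance fails to start.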



  • 4.  RE: Sync/relocate webseal between appliances

    Posted Tue February 08, 2022 08:20 AM
    Hi Troy,

    not a direct answer to your question, but I've created a couple of python scripts that translate a webseald.conf file to yaml, so you can use the IBM Ansible collection to deploy.
    I did not find an easy way to translate an existing configuration into a yaml configuration based on the REST API ...
    I've got one for junctions as well.  Both take a snapshot or an exported webseal configuration as input.

    https://github.com/tombosmansibm/convertwebsealdtoyaml
    https://github.com/tombosmansibm/convertjunctionxmltoyaml

    It also does not take the management root etc. into account, but at least you'll have the base configuration ready.

    Tom

    ------------------------------
    Tom Bosmans
    ------------------------------



  • 5.  RE: Sync/relocate webseal between appliances

    Posted Tue February 08, 2022 10:18 AM
    Tom,

    Thanks for the feedback.  I will look at those python scripts.  I think it would be helpful for our elevations from dev->test->prod.  We currently have playbooks that create the base webseal with a number of updates to the webseal.conf such as disabling SSL/TLS settings that we don't allow.  We often find that the playbook does not get updated during development and configs get missed.  This could help us a lot.

    ------------------------------
    Troy Burkle
    ------------------------------
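    An added example that illustrates both Tom's conf-to-YAML idea and Troy's dev->test->prod concern; it is not the code in the linked tombosmansibm repositories and does not use the IBM Ansible collection's variable schema. It parses the stanza/key format of webseald.conf (keeping keys that repeat within a stanza as lists, which a plain INI parser would silently overwrite), emits a plain YAML rendering, and diffs two parsed files so a setting that was changed by hand on one environment shows up instead of being missed. The stanza and key names in the constructed samples are illustrative only.

```python
"""Parse webseald.conf-style text, emit YAML, and diff two parsed configurations.

Added example for this thread; not the linked GitHub scripts and not tied to
the IBM Ansible collection's schema.  Sample files are constructed.
"""
import re
from typing import Dict, List, Union

Value = Union[str, List[str]]
Config = Dict[str, Dict[str, Value]]

_STANZA = re.compile(r"^\[([^\]]+)\]\s*$")
_ENTRY = re.compile(r"^([^=#;][^=]*?)\s*=\s*(.*?)\s*$")


def parse_webseald_conf(text: str) -> Config:
    """Return {stanza: {key: value}}; a key repeated inside a stanza becomes a
    list in file order instead of the last value winning."""
    config: Config = {}
    stanza = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment
            continue
        m = _STANZA.match(line)
        if m:
            stanza = m.group(1).strip()
            config.setdefault(stanza, {})
            continue
        m = _ENTRY.match(line)
        if not m or stanza is None:              # no '=' or outside any stanza
            continue
        key, value = m.group(1).strip(), m.group(2)
        entries = config[stanza]
        if key in entries:
            existing = entries[key]
            entries[key] = (existing if isinstance(existing, list) else [existing]) + [value]
        else:
            entries[key] = value
    return config


def _quote(s: str) -> str:
    # Quote everything so values like "yes"/"no" or "443" stay strings in YAML,
    # which is how webseald.conf treats them.
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_yaml(config: Config) -> str:
    """Minimal YAML emitter: stanza -> mapping, repeated key -> sequence."""
    lines: List[str] = []
    for stanza, entries in config.items():
        lines.append(f"{_quote(stanza)}:")
        for key, value in entries.items():
            if isinstance(value, list):
                lines.append(f"  {_quote(key)}:")
                lines.extend(f"    - {_quote(v)}" for v in value)
            else:
                lines.append(f"  {_quote(key)}: {_quote(value)}")
    return "\n".join(lines) + "\n"


def diff_configs(a: Config, b: Config) -> List[str]:
    """Human-readable '[stanza] key: old -> new' lines for every difference."""
    out: List[str] = []
    for stanza in sorted(set(a) | set(b)):
        ka, kb = a.get(stanza, {}), b.get(stanza, {})
        for key in sorted(set(ka) | set(kb)):
            if ka.get(key) != kb.get(key):
                out.append(f"[{stanza}] {key}: {ka.get(key)!r} -> {kb.get(key)!r}")
    return out


# Constructed samples; stanza/key names are illustrative, not a real appliance file.
SAMPLE_DEV = """\
# dev webseal (constructed)
[server]
server-name = dev-webseal
[ssl]
disable-tls-v1 = no
[filter-request-headers]
header = X-Forwarded-For
header = X-Real-IP
"""
SAMPLE_PROD = SAMPLE_DEV.replace("dev-webseal", "prod-webseal") \
                        .replace("disable-tls-v1 = no", "disable-tls-v1 = yes")

if __name__ == "__main__":
    dev = parse_webseald_conf(SAMPLE_DEV)
    print(to_yaml(dev))
    for change in diff_configs(dev, parse_webseald_conf(SAMPLE_PROD)):
        print(change)
```

    Run the diff between the exported configuration of each environment and the YAML the playbook would produce; anything it reports is either a hand edit that never made it back into the playbook or a deliberate per-environment difference that should be expressed as a variable.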