IBM Security Verify


Issues running Ansible Collection for ibm.isam to add_junction.yml

  • 1.  Issues running Ansible Collection for ibm.isam to add_junction.yml

    Posted Mon April 24, 2023 10:55 AM

    Has anyone encountered an issue running a playbook for adding an ISAM junction using ibm.isam collections?

    We are trying to migrate our Jenkins playbook to run on the Ansible Automation Platform (AAP).  We set up a template that is using an execution environment to satisfy the requirements documented at: https://github.com/IBM-Security/isam-ansible-collection

    The template, project, and inventories have all been set up in AAP.

    When running the template, we are seeing errors trying to SSH to the ISAM appliance.  We would have expected an HTTP API call to be made, not an SSH error.

    Has anyone encountered this type of issue?

    Error Message: 

    <lxasam001d-mgmt> ESTABLISH SSH CONNECTION FOR USER: root
    <lxasam001d-mgmt> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o 'ControlPath="/runner/cp/a6a14c5490"' lxasam001d-mgmt '/bin/sh -c '"'"'echo ~root && sleep 0'"'"''
    <lxasam001d-mgmt> (255, b'', b'OpenSSH_8.0p1, OpenSSL 1.1.1k FIPS 25 Mar 2021\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug3: /etc/ssh/ssh_config line 52: Including file /etc/ssh/ssh_config.d/05-redhat.conf depth 0\r\ndebug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf\r\ndebug2: checking match for \'final all\' host lxasam001d-mgmt originally lxasam001d-mgmt\r\ndebug3: /etc/ssh/ssh_config.d/05-redhat.conf line 3: not matched \'final\'\r\ndebug2: match not found\r\ndebug3: /etc/ssh/ssh_config.d/05-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)\r\ndebug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config\r\ndebug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-]\r\ndebug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-h…
    fatal: [lxasam001d-mgmt]: UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: OpenSSH_8.0p1, OpenSSL 1.1.1k FIPS 25 Mar 2021\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug3: /etc/ssh/ssh_config line 52: Including file /etc/ssh/ssh_config.d/05-redhat.conf depth 0\r\ndebug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf\r\ndebug2: checking match for 'final all' host lxasam001d-mgmt originally lxasam001d-mgmt\r\ndebug3: /etc/ssh/ssh_config.d/05-redhat.conf line 3: not matched 'final'\r\ndebug2: match not found\r\ndebug3: /etc/ssh/ssh_config.d/05-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)\r\ndebug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config\r\ndebug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-]\r\ndebug3: kex names ok: [curve2…


    ------------------------------
    Sandra Morrissette
    Engineer
    Prime Therapeutics, LLC
    Eagan MN
    612-777-4571
    ------------------------------


  • 2.  RE: Issues running Ansible Collection for ibm.isam to add_junction.yml

    IBM Champion
    Posted Tue April 25, 2023 08:51 AM

    Make sure you have the Ansible variable ansible_connection: local set.  I set it in my inventory file at the top level (i.e. my all group).  I'm using a lot of the older ibmsecurity Python package with ISAM Ansible roles (granted, we have heavily customized the stuff quite a bit), but I've not had that issue except when I didn't have the connection set to local.  Otherwise Ansible tries to SSH to the host to run the tasks.



    ------------------------------
    Matt Jenkins
    ------------------------------



  • 3.  RE: Issues running Ansible Collection for ibm.isam to add_junction.yml

    Posted Tue April 25, 2023 09:06 AM

    In Ansible Automation, we configured an execution environment that contained all the packages needed to run the ibm.isam collection, using this article https://github.com/IBM-Security/isam-ansible-collection/blob/master/README.md.  The README file contained an example inventory file, which referenced a variable that was not defined in our playbook, ansible_connection.  I missed one variable setting in the playbook, ansible_connection: ibm.isam.isam.  As soon as this variable was added, the playbook ran successfully.

     

    Thanks for your response!

     

    Sandra Morrissette

    Principal Engineer
    Prime Therapeutics

    tel: 612.777.4571

    cell: 651.231.1998

    web: primetherapeutics.com
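
Added example (not part of the thread and not code from the ibm.isam collection): a pre-flight check over the JSON that `ansible-inventory --list` prints, reporting appliance hosts whose inventory variables leave ansible_connection unset or set to something other than the two values named in the replies, so the run would attempt the root SSH login shown in the error. The group names, host names and sample inventory are constructed; a connection set only at playbook level is not visible to this check.

```python
import json

# Connection values the replies in this thread report as working for ISAM hosts.
API_CONNECTIONS = {"local", "ibm.isam.isam"}

def hosts_falling_back_to_ssh(inventory, group):
    """Return {host: ansible_connection or None} for hosts in `group`
    (child groups included) that are not pinned to an API connection."""
    hostvars = inventory.get("_meta", {}).get("hostvars", {})
    seen, stack, hosts = set(), [group], set()
    while stack:  # walk the group tree, guarding against cycles
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        entry = inventory.get(name, {})
        hosts.update(entry.get("hosts", []))
        stack.extend(entry.get("children", []))
    flagged = {}
    for host in sorted(hosts):
        # Hosts without variables may be missing from hostvars entirely.
        conn = hostvars.get(host, {}).get("ansible_connection")
        if conn not in API_CONNECTIONS:
            flagged[host] = conn  # None means unset: Ansible picks its default
    return flagged

# Constructed sample in the shape of `ansible-inventory --list` output.
SAMPLE = json.loads("""
{
  "_meta": {"hostvars": {
    "appliance-a.example": {"ansible_connection": "ibm.isam.isam"},
    "appliance-c.example": {"ansible_connection": "local"},
    "appliance-d.example": {"ansible_connection": "ssh", "ansible_user": "root"}
  }},
  "all": {"children": ["ungrouped", "isam"]},
  "isam": {"hosts": ["appliance-a.example"], "children": ["isam_dev"]},
  "isam_dev": {"hosts": ["appliance-b.example", "appliance-c.example",
                         "appliance-d.example"]}
}
""")

if __name__ == "__main__":
    for host, conn in hosts_falling_back_to_ssh(SAMPLE, "isam").items():
        print(f"{host}: ansible_connection={conn or 'unset'} -> SSH would be attempted")
```
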

     

     
