Closed babl-timandrews closed 4 years ago
The best way to accomplish this is to re-create it using a browser LMI call and see the actual policy data that is passed to the REST API. The file format that needs to be passed is not obvious.
It has been a while since I had to do this, and I am forgetting the exact details of how the policy input should be formatted.
Please try this sort of role:
```yaml
action: ibmsecurity.isam.aac.authentication.policies.set_file
isamapi:
  name: "{{ set_auth_policy_name }}"
  policy_file: "{{ set_auth_policy_policy_file }}"
  description: "{{ set_auth_policy_description }}"
  uri: "{{ set_auth_policy_uri }}"
  dialect: "{{ set_auth_policy_dialect }}"
  enabled: "{{ set_auth_policy_enabled }}"
```
Here is a sample input:
```yaml
set_auth_policy_name: "mypol"
set_auth_policy_uri: "urn:ibm:security:authentication:asf:mypol"
set_auth_policy_policy_file: "{{env_directory}}/policies/auth_policy_mypol.xml"
set_auth_policy_description: "My Own Policy"
set_auth_policy_enabled: True
```
Here is what the auth_policy_mypol.xml would look like:
```xml
<Policy xmlns="urn:ibm:security:authentication:policy:1.0:schema" PolicyId="urn:ibm:security:authentication:asf:mypol"><Description>My Own Policy</Description><Step id="id15205489634650" type="Authenticator"><Authenticator id="id15205489634651" AuthenticatorId="urn:ibm:security:authentication:asf:mechanism:mypol"/></Step></Policy>
```
Typically I generate that XML from a lower-environment appliance's LMI. Hope this is helpful?
Be careful not to have unnecessary line breaks in the policy file. Experience shows that line breaks cause problems.
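The comments above describe the policy document by example (one `Policy` element in the `urn:ibm:security:authentication:policy:1.0:schema` namespace, a `PolicyId` that equals the `uri` given to `set_file`, one `Step`/`Authenticator` pair per mechanism) and warn that stray line breaks break the import. The following Python is an added example, not code from the thread or from the ibmsecurity project: it generates a single-line policy file for one or more mechanisms, and lint-checks an existing file before it is handed to the role. The `stepN`/`authN` element ids and the `check_policy_file` rules are my assumptions; the LMI generates its own numeric ids, and the appliance may enforce constraints this check does not know about.

```python
import xml.etree.ElementTree as ET

# Namespace and URN prefixes as they appear in the policy XML quoted in this issue.
POLICY_NS = "urn:ibm:security:authentication:policy:1.0:schema"
POLICY_URN_PREFIX = "urn:ibm:security:authentication:asf:"
MECHANISM_URN_PREFIX = "urn:ibm:security:authentication:asf:mechanism:"

# Emit the schema as the default namespace so the output matches the LMI export style.
ET.register_namespace("", POLICY_NS)


def build_policy_xml(name, description, mechanisms):
    """Return a one-line policy document with one Authenticator step per mechanism.

    `name` becomes the policy's URN suffix (PolicyId = asf:<name>), so the same value
    can be passed as the `uri` of set_file. Element ids ("step0", "auth0", ...) are
    assumed placeholders, not the numeric ids the LMI generates.
    """
    policy = ET.Element(f"{{{POLICY_NS}}}Policy", PolicyId=POLICY_URN_PREFIX + name)
    desc = ET.SubElement(policy, f"{{{POLICY_NS}}}Description")
    desc.text = description or None  # empty description serialises as <Description />
    for i, mech in enumerate(mechanisms):
        step = ET.SubElement(policy, f"{{{POLICY_NS}}}Step",
                             id=f"step{i}", type="Authenticator")
        ET.SubElement(step, f"{{{POLICY_NS}}}Authenticator",
                      id=f"auth{i}", AuthenticatorId=MECHANISM_URN_PREFIX + mech)
    # ET.tostring never inserts whitespace between elements, so the result is one line.
    return ET.tostring(policy, encoding="unicode")


def check_policy_file(text, expected_uri=None):
    """Return a list of problems found in a policy document (empty list = looks fine)."""
    problems = []
    if "\n" in text or "\r" in text:
        problems.append("policy contains line breaks; keep the whole document on one line")
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{POLICY_NS}}}Policy":
        problems.append(f"root element is {root.tag}, expected Policy in {POLICY_NS}")
    policy_id = root.get("PolicyId", "")
    if not policy_id.startswith(POLICY_URN_PREFIX):
        problems.append(f"PolicyId {policy_id!r} does not start with {POLICY_URN_PREFIX}")
    if expected_uri is not None and policy_id != expected_uri:
        problems.append(f"PolicyId {policy_id!r} does not match the uri passed to set_file")
    steps = root.findall(f"{{{POLICY_NS}}}Step")
    if not steps:
        problems.append("policy has no Step elements")
    for step in steps:
        for auth in step.findall(f"{{{POLICY_NS}}}Authenticator"):
            aid = auth.get("AuthenticatorId", "")
            if not aid.startswith(MECHANISM_URN_PREFIX):
                problems.append(f"AuthenticatorId {aid!r} is not a mechanism URN")
    return problems


if __name__ == "__main__":
    # Reproduces the "mypol" example from this thread, then a two-step variant.
    single = build_policy_xml("mypol", "My Own Policy", ["mypol"])
    print(single)
    print("problems:", check_policy_file(single, "urn:ibm:security:authentication:asf:mypol"))
    multi = build_policy_xml("twostep", "", ["redirect_root", "mypol"])
    print(multi)
    # Constructed bad input: the same document with line breaks between elements.
    print("problems:", check_policy_file(single.replace("><", ">\n<")))
```

Write the returned string to the path you give as `policy_file` (the `{{env_directory}}/policies/...` value in the sample vars) and pass the same `PolicyId` value as `uri`; running `check_policy_file` on files exported from another appliance's LMI catches the line-break and URI-mismatch cases before the role is applied.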
Confirmed that this works for a single auth policy. I'll have a go at getting it to work with multiples.
Cool - please update and close this issue out. Thanks.
Sorted, so I'm using a custom role with the set_file command to do the import. Thanks for the assistance.
Hi,
I've been trying to configure authentication policies and I haven't had any success.
First off, the name in the role configure_authentication_policies is still "Configure authentication mechanisms".
Using the configure_authentication_policies role the advice is to export a policy from another server which I've done. I've also tried writing my own role to do the file import using ibmsecurity.isam.aac.authentication.policies.set_file and having the content in a local file.
The basic policy I've tried has varied, but a one-step policy I've tried is:
```xml
<Policy xmlns="urn:ibm:security:authentication:policy:1.0:schema" PolicyId="urn:ibm:security:authentication:asf:orgUsernamePassword"><Description/><Step id="id15106059704710" type="Authenticator"><Authenticator id="id15106059704711" AuthenticatorId="urn:ibm:security:authentication:asf:mechanism:redirect_root"/></Step></Policy>
```
where redirect_root is an authentication mechanism that already exists.
Playbook is:
Create
The other items required are in the same inventory vars.yml file. Is this the right way to be trying to configure the authentication policies? Is there any other documentation that you can point me to that would help on how to configure this feature? Thanks, Tim.