IBM-Security / isam-ansible-roles

Ansible Custom Modules, Handlers and Tasks for ISAM. Requires "ibmsecurity" python package.
Apache License 2.0

configure_authentication_policies - issues importing policies #180

Closed babl-timandrews closed 4 years ago

babl-timandrews commented 4 years ago

Hi,

I've been trying to configure authentication policies and I haven't had any success.

First off, the name in the role configure_authentication_policies is still "Configure authentication mechanisms".

Using the configure_authentication_policies role the advice is to export a policy from another server which I've done. I've also tried writing my own role to do the file import using ibmsecurity.isam.aac.authentication.policies.set_file and having the content in a local file.

Basic policy I've tried has varied, but a one-step policy I've tried is:

<Policy xmlns="urn:ibm:security:authentication:policy:1.0:schema" PolicyId="urn:ibm:security:authentication:asf:orgUsernamePassword"><Description/><Step id="id15106059704710" type="Authenticator"><Authenticator id="id15106059704711" AuthenticatorId="urn:ibm:security:authentication:asf:mechanism:redirect_root"/></Step></Policy>

where redirect_root is an authentication mechanism that already exists.

Playbook is:

Create

The other items required are in the same inventory vars.yml file. Is this the right way to be trying to configure the authentication policies? Is there any other documentation that you can point me to that would help on how to configure this feature? Thanks, Tim.

ram-ibm commented 4 years ago

The best way to accomplish this is to re-create it using a browser LMI call - and see the actual policy data that is passed to the REST API. The file format that needs to be passed is not obvious.

It has been a while since I had to do this - and am forgetting the exact details of how the input of policy should be formatted.

ram-ibm commented 4 years ago

Please try this sort of role:

    action: ibmsecurity.isam.aac.authentication.policies.set_file
    isamapi:
      name:        "{{ set_auth_policy_name }}"
      policy_file: "{{ set_auth_policy_policy_file }}"
      description: "{{ set_auth_policy_description }}"
      uri:         "{{ set_auth_policy_uri }}"
      dialect:     "{{ set_auth_policy_dialect }}"
      enabled:     "{{ set_auth_policy_enabled }}"

Here is a sample input:

      set_auth_policy_name:        "mypol"
      set_auth_policy_uri:         "urn:ibm:security:authentication:asf:mypol"
      set_auth_policy_policy_file: "{{env_directory}}/policies/auth_policy_mypol.xml"
      set_auth_policy_description: "My Own Policy"
      set_auth_policy_enabled: True

Here is what the auth_policy_mypol.xml would look like:

<Policy xmlns="urn:ibm:security:authentication:policy:1.0:schema" PolicyId="urn:ibm:security:authentication:asf:mypol"><Description>My Own Policy</Description><Step id="id15205489634650" type="Authenticator"><Authenticator id="id15205489634651" AuthenticatorId="urn:ibm:security:authentication:asf:mechanism:mypol"/></Step></Policy>

Typically I generate that XML from a lower environment appliance's LMI. Hope this is helpful?

ram-ibm commented 4 years ago

Be careful not to have unnecessary line breaks in the policy file. Experience shows that line breaks cause problems.
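The role above takes the policy XML as an opaque file, so the problems described in this thread (stray line breaks, a PolicyId that does not match the uri, a mechanism that does not exist yet) only surface when the appliance rejects the import. The following is an added pre-flight check, not code from the isam-ansible-roles project or from ibmsecurity; it assumes the policy file is the single-line XML shown above, the sample policy is constructed from that XML, and the function names are my own.

```python
"""Pre-flight checks for an ISAM authentication policy XML file before it is
handed to ibmsecurity.isam.aac.authentication.policies.set_file.

Added example, not part of isam-ansible-roles. The checks mirror the advice in
the thread: the file should be a single line (no stray line breaks), well-formed
XML in the policy schema namespace, and its PolicyId should match the uri passed
to set_file.
"""
import xml.etree.ElementTree as ET

POLICY_NS = "urn:ibm:security:authentication:policy:1.0:schema"

# Constructed sample, modelled on the auth_policy_mypol.xml shown in the thread.
SAMPLE_POLICY = (
    '<Policy xmlns="urn:ibm:security:authentication:policy:1.0:schema" '
    'PolicyId="urn:ibm:security:authentication:asf:mypol">'
    '<Description>My Own Policy</Description>'
    '<Step id="id15205489634650" type="Authenticator">'
    '<Authenticator id="id15205489634651" '
    'AuthenticatorId="urn:ibm:security:authentication:asf:mechanism:mypol"/>'
    '</Step></Policy>'
)


def check_policy_xml(xml_text, expected_uri):
    """Return a list of problems found; an empty list means the file looks importable."""
    problems = []

    # 1. Line breaks inside the file are reported to break the import.
    body = xml_text.strip()
    if "\n" in body or "\r" in body:
        problems.append("policy contains line breaks; collapse it to a single line")

    # 2. Must be well-formed XML.
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        problems.append("XML is not well-formed: %s" % exc)
        return problems

    # 3. Root element must be Policy in the expected namespace.
    if root.tag != "{%s}Policy" % POLICY_NS:
        problems.append("root element is %r, expected Policy in %s" % (root.tag, POLICY_NS))
        return problems

    # 4. PolicyId should match the uri handed to set_file.
    policy_id = root.get("PolicyId")
    if policy_id != expected_uri:
        problems.append("PolicyId %r does not match uri %r" % (policy_id, expected_uri))

    # 5. At least one Step, and every Authenticator must name a mechanism.
    steps = root.findall("{%s}Step" % POLICY_NS)
    if not steps:
        problems.append("policy has no Step elements")
    for step in steps:
        for auth in step.findall("{%s}Authenticator" % POLICY_NS):
            if not auth.get("AuthenticatorId"):
                problems.append("Authenticator %r has no AuthenticatorId" % auth.get("id"))

    return problems


def collapse_line_breaks(xml_text):
    """Join a pretty-printed export back into one line, dropping the indentation
    that comes with the line breaks, so it can be imported as-is."""
    return "".join(line.strip() for line in xml_text.splitlines())


def mechanism_ids(xml_text):
    """List the AuthenticatorId values the policy references, so the operator can
    confirm each mechanism already exists on the target appliance before importing."""
    root = ET.fromstring(xml_text)
    return [a.get("AuthenticatorId") for a in root.iter("{%s}Authenticator" % POLICY_NS)]


if __name__ == "__main__":
    uri = "urn:ibm:security:authentication:asf:mypol"
    print(check_policy_xml(SAMPLE_POLICY, uri))
    print(mechanism_ids(SAMPLE_POLICY))
    # Simulate a pretty-printed export with a line break between every element.
    pretty = SAMPLE_POLICY.replace("><", ">\n  <")
    print(check_policy_xml(pretty, uri))
    print(check_policy_xml(collapse_line_breaks(pretty), uri))
```

Running the checks in a pre-task (or a local script) before calling set_file turns a vague appliance-side error into a specific message about the file; mechanism_ids gives the list to compare against the mechanisms already configured on the target.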

babl-timandrews commented 4 years ago

Confirmed that this works for a single auth policy. I'll have a go at getting it to work with multiples.

ram-ibm commented 4 years ago

Cool - please update and close this issue out. Thanks.

babl-timandrews commented 4 years ago

Sorted, so I'm using a custom role with the set_file command to do the import. Thanks for the assistance.