IBM-Security / isam-ansible-roles

Ansible Custom Modules, Handlers and Tasks for ISAM. Requires "ibmsecurity" python package.
Apache License 2.0

Runtime parameter changes do not trigger AAC runtime re-start #54

Closed sygilber closed 6 years ago

sygilber commented 6 years ago

Hi,

I would have assumed that it is necessary to invoke the handler "Restart AAC Runtime" when runtime parameters are applied and it triggers a change. But as it turns out, it does not. For instance, in the test run below, changing the parameter 'enable_sslv3' from True to False using Ansible only has the usual "Commit Changes" handler invoked. I can see in the role "set_runtime_tuning_parameter" that it is meant to only invoke the "Commit Changes".

Is it normal? Maybe there is something I am not getting.

TASK [set_runtime_tuning_parameter : Snapshot Appliance Before Setting Runtime Tuning Parameters] ***
ok: [someserver]

TASK [set_runtime_tuning_parameter : Set Runtime Tuning Parameters] *****
changed: [stha9n0fw.iad.ca.inet] => (item={u'runtime_tuning_parameter_value': False, u'runtime_tuning_parameter_option': u'enable_sslv3'})
ok: [someserver] => (item={u'runtime_tuning_parameter_value': u'rt_keys', u'runtime_tuning_parameter_option': u'keystore'})
ok: [someserver] => (item={u'runtime_tuning_parameter_value': u'somelabel', u'runtime_tuning_parameter_option': u'keystore_label'})
ok: [someserver] => (item={u'runtime_tuning_parameter_value': u'sometruststore', u'runtime_tuning_parameter_option': u'truststore'})

TASK [add_runtime_listening_interface : Snapshot Appliance Before Adding Runtime Listening Interfaces] **
ok: [someserver]

TASK [add_runtime_listening_interface : Add Runtime Listening Interfaces] ***
ok: [someserver] => (item={u'runtime_listening_interface_port': u'443', u'runtime_listening_interface_secure': True, u'runtime_listening_interface_interface': u'all-application-interfaces'})

RUNNING HANDLER [start_config : Commit Changes] *****
changed: [someserver]

RUNNING HANDLER [start_config : Await Appliance Commit LMI Response] ****
ok: [someserver]

ram-ibm commented 6 years ago

We can invoke multiple handlers for a given action. Currently there is a commit and restart happening that restarts the LMI. In this case we should be restarting the AAC runtime (which is also the Federation runtime). I will add the handler to the role.

I am not sure we need a snapshot before each tuning change - so I may make that optional as well.

ram-ibm commented 6 years ago

Please let me know if you have any issues. I just pushed a change for this. The AAC runtime will be restarted now when you make a change.

sygilber commented 6 years ago

Now with your commit, the AAC is restarted when runtime parameter changes do occur, and the "runtime status" in LMI UX is no longer reporting "Restart Required: True".

Resolved by following commit:

https://github.com/IBM-Security/isam-ansible-roles/commit/24ffe8ec5a3e86df56953c99a6e7ef438bebf74e

Thanks
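A check for the condition reported in this thread, added here as an example and not part of the issue or the project's code: it scans Ansible play output and lists hosts where the `set_runtime_tuning_parameter` role reported a change but no "Restart AAC Runtime" handler ran, so a setting such as `enable_sslv3: False` is committed but not yet active. The function name and the sample output are constructed for illustration; the role and handler names are the ones quoted above.

```python
import re

# Constructed sample, modelled on the play output quoted in the issue.
SAMPLE_BEFORE_FIX = """\
TASK [set_runtime_tuning_parameter : Set Runtime Tuning Parameters] *****
changed: [someserver] => (item={u'runtime_tuning_parameter_value': False, u'runtime_tuning_parameter_option': u'enable_sslv3'})
ok: [someserver] => (item={u'runtime_tuning_parameter_value': u'rt_keys', u'runtime_tuning_parameter_option': u'keystore'})

RUNNING HANDLER [start_config : Commit Changes] *****
changed: [someserver]
"""

# "TASK [role : name] ***" or "RUNNING HANDLER [role : name] ***"; the role prefix is optional.
HEADER = re.compile(
    r"^(TASK|RUNNING HANDLER) \[(?:(?P<role>[^\]:]+) : )?(?P<name>[^\]]+)\]")
# Per-host result line, e.g. "changed: [host] => (item=...)".
RESULT = re.compile(r"^(?P<status>ok|changed|skipping|failed|fatal): \[(?P<host>[^\]]+)\]")


def hosts_missing_restart(output, role="set_runtime_tuning_parameter",
                          handler="Restart AAC Runtime"):
    """Return hosts where `role` reported a change but `handler` never ran."""
    changed, restarted = set(), set()
    kind = cur_role = name = None
    for line in output.splitlines():
        m = HEADER.match(line)
        if m:
            kind, cur_role, name = m.group(1), m.group("role"), m.group("name").strip()
            continue
        m = RESULT.match(line)
        if not m or kind is None:
            continue
        host, status = m.group("host"), m.group("status")
        if kind == "TASK" and cur_role == role and status == "changed":
            changed.add(host)
        elif kind == "RUNNING HANDLER" and name == handler and status in ("ok", "changed"):
            # The handler is matched by name only; its owning role is not assumed.
            restarted.add(host)
    return sorted(changed - restarted)


if __name__ == "__main__":
    for host in hosts_missing_restart(SAMPLE_BEFORE_FIX):
        print(f"{host}: runtime tuning changed without an AAC runtime restart")
```
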