cyberark / ansible-security-automation-collection

CyberArk Ansible Security Automation Collection
MIT License

handling of persistency cookies #69

Open ELANDJEA opened 6 months ago

ELANDJEA commented 6 months ago

Is your feature request related to a problem? Please describe.

We want to utilize Ansible to publish root accounts of newly deployed servers. However, when we utilize the Ansible modules to use the PVWA path through our NetScaler load balancers, we get error "401" (unauthorized). When we use an "api_base_url" pointing directly to one of the servers behind the load balancer, the logon and provisioning function as expected.

At this point we think this is a result of the (within our organisation) standard configuration of the NetScalers, which provides a cookie to handle session persistency (https://docs.netscaler.com/en-us/citrix-adc/current-release/load-balancing/load-balancing-persistence/http-cookie-persistence.html).

Describe the solution you would like

Within PowerShell REST calls (Invoke-RestMethod), there are options to use a WebSession/SessionVariable to pass cookie info during a REST call (https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-restmethod?view=powershell-7.4), making the used load balancer config "transparent" for the REST call.

Is it possible to also build such handling into the Ansible CyberArk authentication modules, to make it possible to use session persistency based on cookies?

Describe alternatives you have considered

A clear and concise description of any alternative solutions or features that may be related to this that you have considered.

Additional context

Code and results so far:

Failure code:

    fatal: [localhost]: FAILED! => changed=false
      headers:
        Authorization: VALUE_SPECIFIED_IN_NO_LOG_PARAMETER
        Content-Type: application/json
        User-Agent: CyberArk/1.0 (Ansible; cyberark.pas)
      msg: |-
        Error while performing get_account.Please validate parameters provided.
        * end_point=**/PasswordVault/api/accounts?filter=safeName%20eq%20T-LINUX-ROOT&search=srv9999.localdns.nl
         ==> HTTP Error 401: Unauthorized
      status_code: 401

szh commented 6 months ago

@cyberark-bizdev @infamousjoeg

Danjaraka commented 1 week ago

Currently facing the exact same issue in my organization...

Our current workaround is to use the Ansible URI module and manually make the REST calls.
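The behaviour the reporter suspects can be reproduced locally. The following is an added example, not code from this thread or from the cyberark.pas collection: a constructed two-node load balancer (`FakeLB`, the `LBNODE` cookie and the `/logon` and `/accounts` paths are all hypothetical stand-ins) where each node only accepts tokens it issued, called once by a client that discards cookies and once by a client that keeps a cookie jar.

```python
import http.cookiejar
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in: two nodes, each knowing only the tokens it issued itself.
SESSIONS = {"node-a": set(), "node-b": set()}

class FakeLB(BaseHTTPRequestHandler):
    cookieless = 0  # round-robin counter for requests without a persistence cookie

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        cookie = self.headers.get("Cookie", "")
        if cookie.startswith("LBNODE="):  # pinned: honour the persistence cookie
            node = cookie.split("=", 1)[1]
        else:  # unpinned: alternate between the nodes
            FakeLB.cookieless += 1
            node = ("node-a", "node-b")[FakeLB.cookieless % 2]
        if self.path == "/logon":
            status, body = 200, f"token-{len(SESSIONS[node])}-{node}"
            SESSIONS[node].add(body)  # the session exists on this node only
        else:
            ok = self.headers.get("Authorization") in SESSIONS[node]
            status, body = (200, "account") if ok else (401, "Unauthorized")
        self.send_response(status)
        self.send_header("Set-Cookie", f"LBNODE={node}")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body.encode())

def start_fake_lb():
    server = HTTPServer(("127.0.0.1", 0), FakeLB)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}"

def logon_then_get_account(base_url, keep_cookies):
    handlers = [urllib.request.ProxyHandler({})]  # ignore proxy environment variables
    if keep_cookies:
        handlers.append(urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))
    opener = urllib.request.build_opener(*handlers)
    token = opener.open(base_url + "/logon").read().decode()
    request = urllib.request.Request(base_url + "/accounts", headers={"Authorization": token})
    try:
        return opener.open(request).status
    except urllib.error.HTTPError as err:
        return err.code
```

Calling `logon_then_get_account(start_fake_lb(), keep_cookies=False)` returns 401 because the second request lands on the other node; with `keep_cookies=True` the jar replays the persistence cookie and the same call returns 200.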