- The Ansible Automation Platform (AAP) can integrate with both CCP and Conjur products under the CyberArk secrets manager solution
- This guide demonstrates the integration between AAP and CyberArk.
- RHEL 9.1
- Ansible Automation Platform 2.3
- Ansible Automation Controller 4.3
- PAM/CCP 12.6
- Conjur Enterprise 12.9.0
| Hostname | Role |
|---|---|
| cybr.ark.vx | CCP server |
| conjur.vx | Conjur master |
| aap.vx | Ansible Automation Controller |
| foxtrot.vx | Ansible managed node |
- AAP requires a PostgreSQL server, but this will be part of the "Standalone automation controller with internal database" installation process from AAP version 2.3
- Ref: Standalone automation controller with internal database
- Retrieve the latest AAP installer from your Red Hat subscription
- Extract the AAP installer and change directory into the extracted folder

```sh
tar xvf ansible-automation-platform-setup-bundle-2.3-1.4.tar.gz
cd ansible-automation-platform-setup-bundle-2.3-1.4
```
- Add the hostname of the controller under `[automationcontroller]`

```ini
⋮
[automationcontroller]
aap.vx ansible_connection=local
⋮
```
- Set a password for the AAP admin login
- Set the PostgreSQL server details

```ini
⋮
[all:vars]
admin_password='Cyberark1'
pg_host=''
pg_port=5432
pg_database='awx'
pg_username='awx'
pg_password='Cyberark1'
pg_sslmode='prefer' # set to 'verify-full' for client-side enforced SSL
⋮
```
- Set the container registry login credentials for the installer to pull the execution environment container images

```ini
⋮
# Execution Environment Configuration
⋮
registry_url='registry.redhat.io'
registry_username='my_red_hat_username'
registry_password='my_red_hat_password'
⋮
```
- Set the AAP SSL certificate (if you have any)

```ini
⋮
# SSL-related variables
# If set, this will install a custom CA certificate to the system trust store.
custom_ca_cert=/tmp/certificate_authority.pem
# Certificate and key to install in nginx for the web UI and API
web_server_ssl_cert=/tmp/aap.pem
web_server_ssl_key=/tmp/aap.key
⋮
```
- Run the installer

```sh
./setup.sh
```
- The default directory for manual SCM is `/var/lib/awx/projects`
- Prepare the directory and download the demo playbooks
  - `helloworld.yaml` - this is a sample from Ansible
  - `webserver.yaml` - this installs the Apache web server on the managed node and deploys `index.html` from the `index.html.j2` template
- ☝️ Note: the `sudo -i -u awx` part of the commands is crucial; this runs the commands as the `awx` user, so that we won't encounter permission issues on the directory/playbooks

```sh
sudo -i -u awx mkdir /var/lib/awx/projects/cybrdemo
sudo -i -u awx curl -o /var/lib/awx/projects/cybrdemo/helloworld.yaml https://raw.githubusercontent.com/ansible/ansible-tower-samples/master/hello_world.yml
sudo -i -u awx curl -o /var/lib/awx/projects/cybrdemo/webserver.yaml https://raw.githubusercontent.com/joetanx/cybr-aap/main/webserver.yaml
sudo -i -u awx curl -o /var/lib/awx/projects/cybrdemo/index.html.j2 https://raw.githubusercontent.com/joetanx/cybr-aap/main/index.html.j2
```
- Login to the AAP and import a subscription
- Configure an inventory: `CyberArk Demo Inventory`
  - Configure the managed node in this inventory
- Configure a project: `CyberArk Demo Project`
  - Organization: `Default`
  - Execution Environment: `Default execution environment`
  - Source Control Type: `Manual`
  - Playbook Directory: `cybrdemo` (this is the directory prepared in 1.3.; if you encounter folder-not-found errors, make sure that the preparation commands were run as the `awx` user)
- Create user and set password to `Cyberark1`

```sh
useradd ansible
echo -e "Cyberark1\nCyberark1" | (passwd ansible)
echo 'ansible ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers.d/ansible
```

- su to the ansible user
- Generate an SSH key pair and add the public key to `authorized_keys`

```sh
su - ansible
mkdir ~/.ssh
ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa -q -N ""
cat /home/ansible/.ssh/id_rsa.pub > /home/ansible/.ssh/authorized_keys
chmod 700 .ssh
chmod 600 .ssh/authorized_keys
```
This section assumes that the PAM/CCP environment is already available.
- Retrieve the private key for the user created in 2. and onboard it to PAM
- Take note of the safe where the SSH key is onboarded to; the Ansible application identity will be added as a member of this safe
- Create an application identity for the AAP
  - Optional: add the certificate serial number if you are using certificate authentication
  - Restrict where the application identity can be used from by adding the IP address of the AAP server; requests from any other source will be rejected
- Add the application identity as a member of the safe where the SSH key of the managed node is onboarded to
  - Permissions required:
    - List accounts
    - Retrieve accounts
- The following parameters are required for AAP to integrate with CCP
  - CyberArk AIM URL: the URL of the CCP server (or the load balancer, if CCP is behind a load balancer)
  - Application ID: the application identity configured in 3.2.
  - Client Key/Certificate: the PKI certificate used to authenticate the application identity
    - The serial number of the certificate needs to be added under `Authentication` in 3.2.
    - The CA chain of the certificate needs to be trusted by the CCP server
- Test query to the onboarded account using query string `Object=Operating System-vxUnixSSH-foxtrot.vx-ansible`
- Create new `machine` credential for the managed node
- Select the `Lookup to CCP` as the external secret management system
- Test query to the onboarded account using query string `Object=Operating System-vxUnixSSHKeys-foxtrot.vx-ansible`
- Alternatively, queries to CCP can also be based on attributes, e.g. `Safe=LinuxSSHKeys;Username=ansible;Address=foxtrot.vx`
- Ref: Query parameters
- Create a job template that runs the `helloworld.yaml` playbook
  - This playbook performs the Ansible ping connection test task
- Select `Foxtrot from CCP` credential created in 3.4.
- Verify job template configuration and select `launch`
- Verify job run success
- Now that the hello world job is successful, let's do a more complex playbook to set up the managed node as a web server
- The playbook runs the following tasks
  - Install apache using yum
  - Allow http service on firewalld
  - Enable the httpd service to start on machine boot
  - Deploy the template `index.html.j2` as the index page
  - Restart the httpd services
- Select `Foxtrot from CCP` credential created in 3.4.
- Verify job template configuration and select `launch`
- Verify job run success
- Browse to the managed node to verify that web server deployment is successful
This section assumes that the Conjur environment is already available.
Alternatively, setup Conjur master according to this guide: https://github.com/joetanx/setup/blob/main/conjur.md
- Load the Conjur policy `ansible-vars.yaml`
  - Creates the policy `ssh_keys`
    - Creates variables `username` and `sshprvkey` to contain credentials for the Ansible managed node
    - Creates `consumers` group to authorize members of this group to access the variables
  - Creates the policy `ansible` with a same-name layer and a host `demo`
    - The AAP server will use the Conjur identity `host/ansible/demo` to retrieve credentials
    - Adds `ansible` layer to `consumers` group for `ssh_keys` policy

```sh
curl -O https://raw.githubusercontent.com/joetanx/conjur-ansible/main/ansible-vars.yaml
conjur policy load -b root -f ansible-vars.yaml
```

- Note ☝️ : the API key of the Conjur identity `host/ansible/demo` will be shown on the console after loading the policy; this key is required to configure Conjur as the external secrets management system in 4.3.
- Clean-up

```sh
rm -f ansible-vars.yaml
```
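The policy layout described above, written out as an added example (a reconstruction, not the project's `ansible-vars.yaml`); the `read`/`execute` privileges are the minimum a consumer needs to fetch a variable value, and the `restricted_to` address on the host is an assumption that mirrors the IP restriction placed on the CCP application identity in 3.2.:

```yaml
# Added example: reconstruction of the policy structure described in this section,
# not the project's own ansible-vars.yaml.
- !policy
  id: ssh_keys
  body:
    # Variables holding the managed node's credentials (values are set later with `conjur variable set`)
    - &ssh_keys_variables
      - !variable username
      - !variable sshprvkey

    # Only members of this group may fetch the variables
    - !group consumers

    # read + execute is all that is needed to retrieve a value; no update privilege is granted
    - !permit
      role: !group consumers
      privileges: [ read, execute ]
      resources: *ssh_keys_variables

- !policy
  id: ansible
  body:
    # Same-name layer (id defaults to the policy id "ansible"); entitlements go to the layer, not to individual hosts
    - !layer

    # The identity AAP authenticates as: host/ansible/demo
    # restricted_to is an assumption: replace the placeholder with the AAP server's address
    - !host
      id: demo
      restricted_to: [ 10.0.0.10 ]

    - !grant
      role: !layer
      member: !host demo

# Make the ansible layer a member of ssh_keys/consumers, so host/ansible/demo can read username and sshprvkey
- !grant
  role: !group ssh_keys/consumers
  member: !layer ansible
```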
📌 Perform this section on the Ansible managed node
- Setup Conjur CLI, ref: https://github.com/cyberark/conjur-api-python3/releases

```sh
curl -L -O https://github.com/cyberark/cyberark-conjur-cli/releases/download/v7.1.0/conjur-cli-rhel-8.tar.gz
tar xvf conjur-cli-rhel-8.tar.gz
mv conjur /usr/local/bin/
```

- Clean-up

```sh
rm -f conjur-cli-rhel-8.tar.gz
```

- Initialize Conjur CLI and login to Conjur

```sh
conjur init -u https://conjur.vx
conjur login -i admin -p CyberArk123!
```

- Set the Conjur variable values for the username and SSH private key

```sh
conjur variable set -i ssh_keys/username -v ansible
conjur variable set -i ssh_keys/sshprvkey -v "$(cat /home/ansible/.ssh/id_rsa && echo -e "\r")"
```
- The following parameters are required for AAP to integrate with Conjur
  - Conjur URL: the URL of the Conjur master server (or the load balancer, if Conjur is clustered behind a load balancer)
  - Account: the account name of the Conjur deployment
  - Username: the host identity configured in 4.1.
  - API Key: the API key for the host identity; this is shown on the console when loading the Conjur policy
  - Public Key Certificate: the certificate of the Conjur master/cluster or the issuer certificate used by AAP to verify the legitimacy of Conjur
- Test query to the `ssh_keys/sshprvkey` variable
- Create new `machine` credential for the managed node
- Select the `Lookup to Conjur` as the external secret management system
- Test query to the `ssh_keys/sshprvkey` variable
- Note ☝️ : Notice that instead of entering the username, you can also configure the credential lookup to the username variable (e.g. `ssh_keys/username`)
- Create a job template that runs the `helloworld.yaml` playbook
  - This playbook performs the Ansible ping connection test task
- Select `Foxtrot from Conjur` credential created in 4.4.
- Verify job template configuration and select `launch`
- Verify job run success
- Now that the hello world job is successful, let's do a more complex playbook to set up the managed node as a web server
- The playbook runs the following tasks
  - Install apache using yum
  - Allow http service on firewalld
  - Enable the httpd service to start on machine boot
  - Deploy the template `index.html.j2` as the index page
  - Restart the httpd services
- Select `Foxtrot from Conjur` credential created in 4.4.
- Verify job template configuration and select `launch`
- Verify job run success
- Browse to the managed node to verify that web server deployment is successful
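The web server playbook whose tasks are listed in both the CCP and Conjur job template sections, as an added example (a reconstruction, not the project's `webserver.yaml`); it assumes the `ansible.posix` collection is present in the execution environment for the `firewalld` module, and performs the httpd restart as a handler so it only fires when the index page actually changed:

```yaml
# Added example: reconstruction of the tasks listed above, not the project's webserver.yaml.
# Assumes ansible.posix is available in the execution environment (firewalld module).
---
- name: Set up the managed node as a web server
  hosts: all
  become: true          # the ansible user has passwordless sudo (section 2)
  tasks:
    - name: Install apache using yum
      ansible.builtin.yum:
        name: httpd
        state: present

    - name: Allow http service on firewalld
      ansible.posix.firewalld:
        service: http
        permanent: true
        immediate: true
        state: enabled

    - name: Enable the httpd service to start on machine boot
      ansible.builtin.service:
        name: httpd
        enabled: true
        state: started

    - name: Deploy the template index.html.j2 as the index page
      ansible.builtin.template:
        src: index.html.j2        # resolved relative to the playbook directory (cybrdemo)
        dest: /var/www/html/index.html
        owner: root
        group: root
        mode: "0644"
      notify: Restart the httpd services

  handlers:
    # Runs only when the template task reported a change, so re-running the job stays idempotent
    - name: Restart the httpd services
      ansible.builtin.service:
        name: httpd
        state: restarted
```

The SSH private key used to reach `foxtrot.vx` never appears in the playbook or the project directory; AAP fetches it from CCP or Conjur at launch through the machine credential's lookup.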