Symantec Access Management

  • 1.  Ansible CA Web Agent Install/Uninstall

    Posted May 03, 2018 10:05 AM

    We are trying to automate the install/uninstall of the CA Web Agent and we would like to know if there are better solutions to installing and uninstalling:

     

    Installing

    Is this really the best way to determine the web agent is installed? By looking at the "ca_wa_env.sh" file?

        - name: Check if CA Web Agent is installed
          stat:
            path: "{{ siteminder_install_dir }}/ca_wa_env.sh"
          register: ca_file

     

    We then download and run the install (if the "ca_wa_env.sh" file doesn't exist) and then the registration. The registration is where we would like to know if we can check if a host is already registered; what we are doing right now is checking if "SmHost.conf" is available, if not then the registration will happen. Also, is there a way to reference more than one policy server so the SmHost config is populated with more than one? Otherwise we have to manually modify this file.

        - name: Download CA Web Agent
          get_url:
            url: "http://{{ repo_server }}/ca/ca-wa-12.52-sp01-cr07-linux-x86-64.bin"
            dest: "/tmp/{{ siteminder_package_name }}"
            mode: 0755
          notify: Cleanup CA Web Agent download
          when: ca_file.stat.exists == false

        - name: Install CA Web Agent
          command: "/tmp/ca-wa-12.52-sp01-cr07-linux-x86-64.bin -i silent -DUSER_INSTALL_DIR={{ siteminder_install_dir }}"
          when: ca_file.stat.exists == false

        - name: Register server
          shell: "source {{ siteminder_install_dir }}/ca_wa_env.sh && ../bin/smreghost -o -i <policy server> -hn $(hostname -s) -hc <host config> -u {{ SIMPLE_USER_NAME }} -p {{ SIMPLE_USER_PASS | quote }}"
          args:
            chdir: "{{ siteminder_install_dir }}/config"
            creates: "{{ siteminder_install_dir }}/config/SmHost.conf"
          no_log: true
          ignore_errors: true
          register: siteminder_output

     

    Just want to see if there are better ways around the installation here, since this seems a bit hacky.

     

    Uninstalling

    This does not work at all, the uninstall flag actually just does a reinstall. It seems like doing an uninstall with "-i silent" works, but the files in the ca install path are still available.

        ./ca-wa-12.52-sp01-cr07-linux-x86-64.bin -uninstall

     

    So what is the best way to remove the agent and cleanup everything?



  • 2.  Re: Ansible CA Web Agent Install/Uninstall

    Broadcom Employee
    Posted May 09, 2018 04:35 PM

    Have you considered using the web agent silent install property file?

     

    - There is a HOST_REGISTRATION_YES parameter that you can enable by checking for SmHost.conf before writing the template file.

     

    - The IP_ADDRESS_STRING parameter takes multiple Policy Server IPs/hostnames. For example:

     

    {% if hostvars[groups['pstore'][0]].internal_lb is defined %}
    IP_ADDRESS_STRING={{ hostvars[groups['pstore'][0]].internal_lb }}
    {% elif groups['smps']|length == 1 %}
    IP_ADDRESS_STRING={{ hostvars[groups['smps'][0]].ansible_hostname }}
    {% else %}
    IP_ADDRESS_STRING={{ groups['smps'] | join(",") }}
    {% endif %}



  • 3.  Re: Ansible CA Web Agent Install/Uninstall

    Posted May 09, 2018 11:47 PM

    So you are using a jinja2 template? I'm not following what you are really doing here, the install creates the SmHost.conf.



  • 4.  Re: Ansible CA Web Agent Install/Uninstall

    Broadcom Employee
    Posted May 10, 2018 04:12 PM

    Yes, I'm using jinja2 template:

     

        - name: Write the web agent properties file for installation
          template: src=ca-wa-installer.properties.j2 dest={{ temp_dir }}/ca-wa-installer.properties mode=0755
          tags: smwa

        - name: Execute the web agent silent install
          shell: ./{{ smwa_installer }} -i silent -f {{ temp_dir }}/ca-wa-installer.properties executable=/bin/bash chdir={{ temp_dir }} creates={{ wa_install_dir }}
          tags: smwa

     

    I'm not sure if we can attach files here, but here is a snippet of my ca-wa-installer.properties.j2:

     

    USER_INSTALL_DIR={{ wa_install_dir }}

    USER_SHORTCUTS=/root

    HOST_REGISTRATION_YES={{ wa_host_reg }}

    ADMIN_REG_NAME={{ wa_admin_name }}
    DEFAULT_ADMIN_REG_PASSWORD={{ siteminder_password }}

    SHARED_SECRET_ROLLOVER_YES={{ wa_secret_rollover }}

    TRUSTED_HOST_NAME={{ wa_trusted_hostname }}
    CONFIG_OBJ={{ default_hco }}


    {% if hostvars[groups['pstore'][0]].internal_lb is defined %}
    IP_ADDRESS_STRING={{ hostvars[groups['pstore'][0]].internal_lb }}
    {% elif groups['smps']|length == 1 %}
    IP_ADDRESS_STRING={{ ps_server }}
    {% else %}
    IP_ADDRESS_STRING={{ groups['smps'] | join(",") }}
    {% endif %}

     

    FIPS_VALUE={{ fips }}

     

    SM_HOST_FILENAME={{ wa_smhost_file }}
    SM_HOST_DIR={{ wa_smhost_dir }}

     

    APACHE_SELECTED=1
    APACHE_WEBSERVER_ROOT={{ wa_apache_root }}

    APACHE_SPECIFIC_PATH_YES=
    APACHE_VENDOR_TYPE=HTTP_APACHE
    APACHE_VERSION={{ wa_apache_version }}

    WEB_SERVER_INFO=Apache,{{ wa_apache_root }}/conf,Apache {{ wa_apache_version }},+EMPTYSTR+,apache,{{ wa_apache_version }},{{ wa_apache_root }},Unix,+EMPTYSTR+,1,1,0,0,0,1,No advanced authentication,{{ wa_aco }},0,undefined,ENC:...==,

    ENABLE_WEBAGENT_RESULT={{ wa_enable_agent }}

    AGENT_CONFIG_OBJ={{ wa_aco }}



  • 5.  Re: Ansible CA Web Agent Install/Uninstall

    Posted May 17, 2018 10:02 AM

    Thanks for sharing. Just curious on how you handle idempotency; does it try to install again, how do you handle host registration, how do you handle uninstalls?

     

    We can get the install fine with this simple task

        - name: Install CA Web Agent
          command: "/tmp/ca-wa-12.52-sp01-cr07-linux-x86-64.bin -i silent -DUSER_INSTALL_DIR={{ siteminder_install_dir }}"
          when: ca_file.stat.exists == false

     

    but I am really looking for a complete install/registration/unregistration/uninstall



  • 6.  Re: Ansible CA Web Agent Install/Uninstall
    Best Answer

    Broadcom Employee
    Posted May 22, 2018 10:00 AM

    On idempotency, we can use a combination of Ansible "creates" parameter or "when" conditions to skip steps that have already been performed. We are also looking to experiment with the meta module to end a play when a status file exists.

     

    On host registration, it's handled by silent install (which, with silent install property file, will not only install the agent but also configure it.) We are also looking to update the playbook to possibly use static shared secret (Use Web Agent in Dynamically Scaled Environments - CA Single Sign-On - 12.8 - CA Technologies Documentation) to move towards immutable architecture.

     

    We currently don't handle uninstalls. As mentioned we are evaluating the idea of immutable architecture where instances are disposable and new ones can just be created quickly, so rather than uninstall, we prefer dropping the instance and create new ones when needed. Using static shared secret means unregistration is not needed.
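
Added example, not part of the thread and not Broadcom's playbook: one way to combine the `stat`, `when` and `creates` checks discussed above into an idempotent task list that verifies the installer before running it and keeps the properties file, which holds the admin password, readable only by its owner. `wa_installer_url` and `wa_installer_sha256` are assumed inventory variables, and the 1/0 values for `HOST_REGISTRATION_YES` are an assumption.

```yaml
# Added example. Variable names follow the posts above where they exist;
# wa_installer_url and wa_installer_sha256 are assumed inventory variables.
- name: Check whether the agent is already installed
  stat:
    path: "{{ wa_install_dir }}/ca_wa_env.sh"
  register: wa_env

- name: Check whether the host is already registered
  stat:
    path: "{{ wa_smhost_dir }}/{{ wa_smhost_file }}"
  register: smhost

- name: Install and configure only when the agent is missing
  when: not wa_env.stat.exists
  block:
    - name: Request host registration only if SmHost.conf is absent
      set_fact:
        # Assumption: the properties file expects 1 (register) or 0 (skip).
        wa_host_reg: "{{ '0' if smhost.stat.exists else '1' }}"

    - name: Download the installer and verify its digest before running it
      get_url:
        url: "{{ wa_installer_url }}"
        dest: "{{ temp_dir }}/{{ smwa_installer }}"
        checksum: "sha256:{{ wa_installer_sha256 }}"
        mode: "0700"

    - name: Write the properties file (contains the admin password)
      template:
        src: ca-wa-installer.properties.j2
        dest: "{{ temp_dir }}/ca-wa-installer.properties"
        mode: "0600"
      no_log: true

    - name: Run the silent install
      command: "./{{ smwa_installer }} -i silent -f {{ temp_dir }}/ca-wa-installer.properties"
      args:
        chdir: "{{ temp_dir }}"
        creates: "{{ wa_install_dir }}/ca_wa_env.sh"
  always:
    - name: Remove the properties file and installer, even after a failure
      file:
        path: "{{ item }}"
        state: absent
      loop:
        - "{{ temp_dir }}/ca-wa-installer.properties"
        - "{{ temp_dir }}/{{ smwa_installer }}"
```

A host where the agent is installed but SmHost.conf is missing is skipped by this block and still needs a separate registration step.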



  • 7.  Re: Ansible CA Web Agent Install/Uninstall

    Broadcom Employee
    Posted May 09, 2018 09:36 PM

    Yes, silent install properties file is a way I've come across.

    - Vijay



  • 8.  Re: Ansible CA Web Agent Install/Uninstall

    Posted May 09, 2018 11:48 PM

    Do you have an example to share? I would like to understand how you are doing this and why it cannot be done with the command line options.