Symantec Access Management

Expand all | Collapse all

Ansible CA Web Agent Install/Uninstall

Jump to Best Answer
  • 1.  Ansible CA Web Agent Install/Uninstall

    Posted 05-03-2018 10:05 AM

    We are trying to automate the install/uninstall of the CA Web Agent and we would like to know if there are better solutions to installing and uninstalling:

     

    Installing

    Is this really the best way to determine the web agent is installed? By looking at the "ca_wa_env.sh" file?

        - name: Check if CA Web Agent is installed
          stat:
            path: "{{ siteminder_install_dir }}/ca_wa_env.sh"
          register: ca_file

     

    We then download and run the install (if the "ca_wa_env.sh" file doesn't exist) and then the registration. The registration is where we would like to know if we can check if a host is already registered; what we are doing right now is checking if "SmHost.conf" is available, if not then the registration will happen. Also, is there a way to reference more than one policy server so the SmHost config is populated with more than one? Otherwise we have to manually modify this file.

        - name: Download CA Web Agent
          get_url:
            url: "http://{{ repo_server }}/ca/ca-wa-12.52-sp01-cr07-linux-x86-64.bin"
            dest: "/tmp/{{ siteminder_package_name }}"
            mode: 0755
          notify: Cleanup CA Web Agent download
          when: ca_file.stat.exists == false

        - name: Install CA Web Agent
          command: "/tmp/ca-wa-12.52-sp01-cr07-linux-x86-64.bin -i silent -DUSER_INSTALL_DIR={{ siteminder_install_dir }}"
          when: ca_file.stat.exists == false

        - name: Register server
          shell: "source {{ siteminder_install_dir }}/ca_wa_env.sh && ../bin/smreghost -o -i <policy server> -hn $(hostname -s) -hc <host config> -u {{ SIMPLE_USER_NAME }} -p {{ SIMPLE_USER_PASS | quote }}"
          args:
            chdir: "{{ siteminder_install_dir }}/config"
            creates: "{{ siteminder_install_dir }}/config/SmHost.conf"
          no_log: true
          ignore_errors: true
          register: siteminder_output

     

    Just want to see if there are better ways around the installation here, since this seems a bit hacky.

     

    Uninstalling

    This does not work at all, the uninstall flag actually just does a resinstall. It seems like doing an uninstall with "-i silent" works, but the files in the ca install path are still available.

    ./ca-wa-12.52-sp01-cr07-linux-x86-64.bin -uninstall

     

    So what is the best way to remove the agent and cleanup everything?



  • 2.  Re: Ansible CA Web Agent Install/Uninstall

    Broadcom Employee
    Posted 05-09-2018 04:35 PM

    Have you considered using the web agent silent install property file?

     

    - There is a HOST_REGISTRATION_YES parameter that you can enable by checking for SmHost.conf before writing the template file.

     

    - The IP_ADDRESS_STRING parameter takes multiple Policy Server IPs/hostnames. For example:

     

    {% if hostvars[groups['pstore'][0]].internal_lb is defined %}
    IP_ADDRESS_STRING={{ hostvars[groups['pstore'][0]].internal_lb }}
    {% elif groups['smps']|length == 1 %}
    IP_ADDRESS_STRING={{ hostvars[groups['smps'][0]].ansible_hostname }}
    {% else %}
    IP_ADDRESS_STRING={{ groups['smps'] | join(",") }}
    {% endif %}



  • 3.  Re: Ansible CA Web Agent Install/Uninstall

    Posted 05-09-2018 11:47 PM

    So you are using an jinja2 template? I'm not following what you are really doing here, the install creates the SmHost.conf.



  • 4.  Re: Ansible CA Web Agent Install/Uninstall

    Broadcom Employee
    Posted 05-10-2018 04:12 PM

    Yes, I'm using jinja2 template:

     

    - name: Write the web agent properties file for installation
    template: src=ca-wa-installer.properties.j2 dest={{ temp_dir }}/ca-wa-installer.properties mode=0755
    tags: smwa

     

    - name: Execute the web agent silent install
    shell: ./{{ smwa_installer }} -i silent -f {{ temp_dir }}/ca-wa-installer.properties executable=/bin/bash chdir={{ temp_dir }} creates={{ wa_install_dir }}
    tags: smwa

     

    I'm not sure if we can attach files here, but here is a snippet of my ca-wa-installer.properties.j2:

     

    USER_INSTALL_DIR={{ wa_install_dir }}

    USER_SHORTCUTS=/root

    HOST_REGISTRATION_YES={{ wa_host_reg }}

    ADMIN_REG_NAME={{ wa_admin_name }}
    DEFAULT_ADMIN_REG_PASSWORD={{ siteminder_password }}

    SHARED_SECRET_ROLLOVER_YES={{ wa_secret_rollover }}

    TRUSTED_HOST_NAME={{ wa_trusted_hostname }}
    CONFIG_OBJ={{ default_hco }}


    {% if hostvars[groups['pstore'][0]].internal_lb is defined %}
    IP_ADDRESS_STRING={{ hostvars[groups['pstore'][0]].internal_lb }}
    {% elif groups['smps']|length == 1 %}
    IP_ADDRESS_STRING={{ ps_server }}
    {% else %}
    IP_ADDRESS_STRING={{ groups['smps'] | join(",") }}
    {% endif %}

     

    FIPS_VALUE={{ fips }}

     

    SM_HOST_FILENAME={{ wa_smhost_file }}
    SM_HOST_DIR={{ wa_smhost_dir }}

     

    APACHE_SELECTED=1
    APACHE_WEBSERVER_ROOT={{ wa_apache_root }}

    APACHE_SPECIFIC_PATH_YES=
    APACHE_VENDOR_TYPE=HTTP_APACHE
    APACHE_VERSION={{ wa_apache_version }}

    WEB_SERVER_INFO=Apache,{{ wa_apache_root }}/conf,Apache {{ wa_apache_version }},+EMPTYSTR+,apache,{{ wa_apache_version }},{{ wa_apache_root }},Unix,+EMPTYSTR+,1,1,0,0,0,1,No advanced authentication,{{ wa_aco }},0,undefined,ENC:...==,

    ENABLE_WEBAGENT_RESULT={{ wa_enable_agent }}

    AGENT_CONFIG_OBJ={{ wa_aco }}



  • 5.  Re: Ansible CA Web Agent Install/Uninstall

    Posted 05-17-2018 10:02 AM

    Thanks for sharing. Just curious on how you handle idempotency; does it try to install again, how do you handle host registration, how do you handle uninstalls?

     

    We can get the install fine with this simple task

        - name: Install CA Web Agent
          command: "/tmp/ca-wa-12.52-sp01-cr07-linux-x86-64.bin -i silent -DUSER_INSTALL_DIR={{ siteminder_install_dir }}"
          when: ca_file.stat.exists == false

     

    but I am really looking for a complete install/registration/unregistration/uninstall



  • 6.  Re: Ansible CA Web Agent Install/Uninstall
    Best Answer

    Broadcom Employee
    Posted 05-22-2018 10:00 AM

    On idempotency, we can use a combination of Ansible "creates" parameter or "when" conditions to skip steps that have already been performed. We are also looking to experiment with the meta module to end a play when a status file exists.

     

    On host registration, it's handled by silent install (which, with silent install property file, will not only install the agent but also configure it.) We are also looking to update the playbook to possibly use static shared secret (Use Web Agent in Dynamically Scaled Environments - CA Single Sign-On - 12.8 - CA Technologies Documentation) to move towards immutable architecture.

     

    We currently don't handle uninstalls. As mentioned we are evaluating the idea of immutable architecture where instances are disposable and new ones can just be created quickly, so rather than uninstall, we prefer dropping the instance and create new ones when needed. Using static shared secret means unregistration is not needed.



  • 7.  Re: Ansible CA Web Agent Install/Uninstall

    Broadcom Employee
    Posted 05-09-2018 09:36 PM

    Yes, silent install properties file is a way I've come across.

    - Vijay



  • 8.  Re: Ansible CA Web Agent Install/Uninstall

    Posted 05-09-2018 11:48 PM

    Do you have an example to share? I would like to understand how you are doing this and why it cannot be done with the command line optionsl