Ansible 2.9: using the new Check Point modules, getting invalid/incorrect password

DemisT — Wed, 13 Nov 2019 12:22:18 GMT

Hey,

With the new Check Point modules released in Ansible 2.9, I'm trying to run a simple Ansible playbook. Unfortunately when running the playbook, I'm getting an error that says:

fatal: [SMS]: UNREACHABLE! => {"changed": false, "msg": "Invalid/incorrect password: This system is for authorized use only.\nPermission denied, please try again.", "unreachable": true}

I have enabled the API from SmartConsole dashboard under Manage & Settings > Blades > Management API > All IP addresses and performed an API restart.

I've also installed the relevant hotfix (Check_Point_R80.30_JHF_T76_Ansible_Hotfix_sk114661_FULL.tgz) and verified with show installer packages installed.

The playbook looks like this:

--- - name: test hosts: management connection: httpapi gather_facts: no tasks: - name: show-networks cp_mgmt_network_facts: details_level: standard register: response

My host file looks like this:

[management:vars] ansible_connection=ssh ansible_user=<Smartconsole user> ansible_password=<SmartConsole password> ansible_python_interpreter="/opt/CPsuite-R8*/fw1/Python/bin/python" ansible_httpapi_validate_certs=False ansible_httpapi_use_ssl=True ansible_network_os=checkpoint

I've verified logging into Smart Console manually with these credentials, which is working. Also a curl command from the ansible host seems to be working:

curl -vvvv -H "Content-Type: application/json" -X POST -d '{"user":"demis","password":"adminsystempass123"}' <a href="<a href="https://10.23.112.110/web_api/login" target="_blank">https://10.23.112.110/web_api/login</a>" target="_blank"><a href="https://10.23.112.110/web_api/login</a" target="_blank">https://10.23.112.110/web_api/login</a</a>> --insecure

What am I missing?

Edit: I was using the SmartConsole username/password which is probably why the error occurred, but changing it to the Gaia OS username/password gives me this error:

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AssertionError: socket_path must be a value fatal: [SMS]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n File \"<stdin>\", line 102, in <module>\n File \"<stdin>\", line 94, in _ansiballz_main\n File \"<stdin>\", line 40, in invoke_module\n File \"/opt/CPsuite-R80.30/fw1/Python/lib/python2.7/runpy.py\", line 192, in run_module\n fname, loader, pkg_name)\n File \"/opt/CPsuite-R80.30/fw1/Python/lib/python2.7/runpy.py\", line 72, in _run_code\n exec code in run_globals\n File \"/tmp/ansible_cp_mgmt_network_facts_payload_FzOYM2/ansible_cp_mgmt_network_facts_payload.zip/ansible/modules/cp_mgmt_network_facts.py\", line 131, in <module>\n File \"/tmp/ansible_cp_mgmt_network_facts_payload_FzOYM2/ansible_cp_mgmt_network_facts_payload.zip/ansible/modules/cp_mgmt_network_facts.py\", line 126, in main\n File \"/tmp/ansible_cp_mgmt_network_facts_payload_FzOYM2/ansible_cp_mgmt_network_facts_payload.zip/ansible_collections/check_point/mgmt/plugins/module_utils/checkpoint.py\", line 170, in api_call_facts\n File \"/tmp/ansible_cp_mgmt_network_facts_payload_FzOYM2/ansible_cp_mgmt_network_facts_payload.zip/ansible/module_utils/connection.py\", line 121, in __init__\nAssertionError: socket_path must be a value\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

Re: Ansible 2.9: using the new Check Point modules, getting invalid/incorrect password

PhoneBoy — Wed, 13 Nov 2019 18:04:37 GMT

Looks like you're calling a Gaia API command and not a Management API command.
The authentication for those APIs is different (Gaia OS user versus SmartConsole user).

Re: Ansible 2.9: using the new Check Point modules, getting invalid/incorrect password

DemisT — Wed, 13 Nov 2019 20:44:57 GMT

Not sure if it's by design or a bug, but ansible_connection and ansible_python_interpreter seemed to be the culprit in my host file. Uncommenting them both seemed to fix the issue. Unfortunately for me, my other tasks rely on these variables, so uncommenting them isn't a solution. Defining them as var inside the play, which override the host file vars, seemed to do the trick.

--- - name: test hosts: management connection: httpapi vars: ansible_connection: httpapi ansible_python_interpreter: ansible_user: demis ansible_password: configsystem123 tasks: - name: Create host object checkpoint_host: name: workaround3 ip_address: 192.168.0.193

topic Re: Ansible 2.9: using the new Check Point modules, getting invalid/incorrect password in Ansible

Ansible 2.9: using the new Check Point modules, getting invalid/incorrect password

Re: Ansible 2.9: using the new Check Point modules, getting invalid/incorrect password

Re: Ansible 2.9: using the new Check Point modules, getting invalid/incorrect password