cp_mgmt_administrator creating administrator on SMS

nadmin — Thu, 15 Aug 2024 02:37:42 GMT

Hello, does anyone have a working ansible playbook to create an administrator on and R81.20 SMS?

I want to create the user "ansible" in my Lab SMS using Ansible. I will then use ansible to automated must of my lab creating. Full details of how environment set up: https://github.com/doritoes/NUC-Labs/blob/xcp-ng-improvement/XCP-ng/Appendix-Ansible.md

Using the inventory file below (with ansible_checkpoint_domain=System Data commented out)

1. I can use cp_mgmt_host without problem

2. When I try to use cp_mgmt_administrator to create an administrator i get the error

Checkpoint device returned error 400 with message {'code': 'err_inappropriate_domain_type', 'message': 'This command can only work on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain).'} Unpublished changes were discarded.

From links here and looking at the API documentation I have found that the domain should be specified as "System Data" for an SMS. When I uncomment the line ansible_checkpoint_domain=System Data in the inventory file, I get a new error. ansible.module_utils.connection.ConnectionError: Server returned response without token info during the connection authentication: 400

The odd thing is that I tried a couple dozen varieties of configuration got it working 2 times, but I can't get it working again to document what works.

File: inventory

[check_point] #sms IP 192.168.41.20 [check_point:vars] ansible_httpapi_use_ssl_True ansible_httpapi_validate_certs=False ansible_user=cpadmin ansible_password=supersecret #ansible_checkpoint_domain=System Data ansible_network_os=check_point.mgmt.checkpoint

File: add_user.yml

--- - name: Test playbook hosts: check_point connection:httpapi tasks: - name: add-administrator cp_mgmt_administrator: authentication_method: check point password email: admin@gmail.com must_change_password: False name: ansible password: anothersecret permissions_profile: read write all phone_number: 1800-800-800 state: present auto_publish_session: True

Command:

ansible-playbook -i inventory add_user.yml

FAQs

1) how did you install the ansible module?

sudo apt update && sudo apt upgrade -y && sudo apt autoremove -y
sudo apt install -y ansible python3-paramiko python3-pip
ansible-galaxy collection install community.general vyos.vyos check_point.mgmt
python3 -m pip install XenAPI

2) did you set up ssh keys? yes i did and that playbook to complete the FTW using ansible uses a separate inventory file and playbook. this is specifically using the mgmt API using ansible

3) Did you enable the API in smartconsole?

Yes. Manage & Settings > Blades > Management API > Advanced Settings > All IP addresses. And then publish. The other playbook task to add a host object works fine. Without specifying the domain.

    - name: Create host object
      cp_mgmt_host:
        color: dark green
        ipv4_address: 192.168.41.100
        name: Manager
        comments: management workstation
        state: present
        auto_publish_session: True

4) Did you read the docs?

Yes. For example: https://sc1.checkpoint.com/documents/latest/APIs/?#cli/add-administrator~v1.9.1%20

This is were the "System Data" domain is mentioned.

5) Why not just created the administrator manually?

I am using automation to build the enter lab to speed up testing. I use terraform with XCP-ng to deploy networks, routers, firewalls, servers, and workstations. I use ansible to complete FTW on firewalls. I will use ansible to deploy policies and configurations on the SMS and push to the firewalls. I really want to

EDIT: Yes mgmt_cli can be run using ansible to do the same thing

mgmt_cli -f json -r true login -d "System Data" > session.txt mgmt_cli -s session.txt add administrator name "ansible2" password "secret" must-change-password false email "admin@gmail.com" phone-number "1800-800-800" authentication-method "check point password" permissions-profile "read write all" --domain 'System Data' --format json mgmt_cli -f json -s session.txt publish rm session.txt

Re: cp_mgmt_administrator creating administrator on SMS

PhoneBoy — Thu, 15 Aug 2024 17:17:43 GMT

Try performing a cprestart of your management server and see if that resolves the issue.
Otherwise, this might require a TAC case: https://help.checkpoint.com

Re: cp_mgmt_administrator creating administrator on SMS

nadmin — Sun, 25 Aug 2024 18:01:45 GMT

Thank you @PhoneBoy for the reply. I stepped away from this issue for a week, and just tried cprestart, cpstop && cprestart. I don't have time to try on R81.10 to see if this is one of the R81.20 management issues. I switched to using ansible mgmt_cli command for this one step so I can continue with the rest.

topic Re: cp_mgmt_administrator creating administrator on SMS in Ansible

cp_mgmt_administrator creating administrator on SMS

Re: cp_mgmt_administrator creating administrator on SMS

Re: cp_mgmt_administrator creating administrator on SMS