This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
DemisT
Participant
‎2019-11-13 01:55 AM

Ansible 2.9: using the new Check Point modules, getting invalid/incorrect password

Hey,

With the new Check Point modules released in Ansible 2.9, I'm trying to run a simple Ansible playbook. Unfortunately when running the playbook, I'm getting an error that says:

 

 

fatal: [SMS]: UNREACHABLE! => {"changed": false, "msg": "Invalid/incorrect password: This system is for authorized use only.\nPermission denied, please try again.", "unreachable": true}

 

 

I have enabled the API from SmartConsole dashboard under Manage & Settings > Blades > Management API > All IP addresses and performed an API restart.

I've also installed the relevant hotfix (Check_Point_R80.30_JHF_T76_Ansible_Hotfix_sk114661_FULL.tgz) and verified with show installer packages installed.

The playbook looks like this:

 

 

---
- name: test
  hosts: management
  connection: httpapi
  gather_facts: no

  tasks:

    - name: show-networks
      cp_mgmt_network_facts:
        details_level: standard
      register: response

 

 

 

My host file looks like this:

 

 

[management:vars]
ansible_connection=ssh
ansible_user=<Smartconsole user>
ansible_password=<SmartConsole password>
ansible_python_interpreter="/opt/CPsuite-R8*/fw1/Python/bin/python"
ansible_httpapi_validate_certs=False
ansible_httpapi_use_ssl=True
ansible_network_os=checkpoint

 

 

 

I've verified logging into Smart Console manually with these credentials, which is working. Also a curl command from the ansible host seems to be working:

 

curl -vvvv -H "Content-Type: application/json" -X POST -d '{"user":"demis","password":"adminsystempass123"}' <a href="<a href="https://10.23.112.110/web_api/login" target="_blank">https://10.23.112.110/web_api/login</a>" target="_blank"><a href="https://10.23.112.110/web_api/login</a" target="_blank">https://10.23.112.110/web_api/login</a</a>> --insecure

 

 

What am I missing?

 

Edit: I was using the SmartConsole username/password which is probably why the error occurred, but changing it to the Gaia OS username/password gives me this error:

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AssertionError: socket_path must be a value
fatal: [SMS]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"<stdin>\", line 102, in <module>\n  File \"<stdin>\", line 94, in _ansiballz_main\n  File \"<stdin>\", line 40, in invoke_module\n  File \"/opt/CPsuite-R80.30/fw1/Python/lib/python2.7/runpy.py\", line 192, in run_module\n    fname, loader, pkg_name)\n  File \"/opt/CPsuite-R80.30/fw1/Python/lib/python2.7/runpy.py\", line 72, in _run_code\n    exec code in run_globals\n  File \"/tmp/ansible_cp_mgmt_network_facts_payload_FzOYM2/ansible_cp_mgmt_network_facts_payload.zip/ansible/modules/cp_mgmt_network_facts.py\", line 131, in <module>\n  File \"/tmp/ansible_cp_mgmt_network_facts_payload_FzOYM2/ansible_cp_mgmt_network_facts_payload.zip/ansible/modules/cp_mgmt_network_facts.py\", line 126, in main\n  File \"/tmp/ansible_cp_mgmt_network_facts_payload_FzOYM2/ansible_cp_mgmt_network_facts_payload.zip/ansible_collections/check_point/mgmt/plugins/module_utils/checkpoint.py\", line 170, in api_call_facts\n  File \"/tmp/ansible_cp_mgmt_network_facts_payload_FzOYM2/ansible_cp_mgmt_network_facts_payload.zip/ansible/module_utils/connection.py\", line 121, in __init__\nAssertionError: socket_path must be a value\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2019-11-13 10:04 AM

Looks like you're calling a Gaia API command and not a Management API command.
The authentication for those APIs is different (Gaia OS user versus SmartConsole user).
0 Kudos
DemisT
Participant
‎2019-11-13 12:44 PM
In response to PhoneBoy

Not sure if it's by design or a bug, but ansible_connection and ansible_python_interpreter seemed to be the culprit in my host file. Uncommenting them both seemed to fix the issue. Unfortunately for me, my other tasks rely on these variables, so uncommenting them isn't a solution. Defining them as var inside the play, which override the host file vars, seemed to do the trick.

---
- name: test
  hosts: management
  connection: httpapi
  vars:
    ansible_connection: httpapi
    ansible_python_interpreter:
    ansible_user: demis
    ansible_password: configsystem123

  tasks:

  - name: Create host object
    checkpoint_host:
      name: workaround3
      ip_address: 192.168.0.193

 

0 Kudos
Upcoming Events

    Sort by:
    CheckMates Events