Configuring the Ansible Tower connector

As an automation engineer, you configure an on-premises connector to establish a connection between BMC Helix Intelligent Automation and Ansible Tower. 

To configure a connector, the high-level process includes the following steps:

Before you begin

Before you configure the on-premises connector, ensure that you the following conditions are met: 

• The server where you want to run and install the remote plugin matches the minimum requirements. 
  For more information, see System requirements.

• (For Linux) The GCC G++ compiler version is 5.4.0 or later. 

   Click here to do the steps before you run the plugin

  1. Install and update GCC version 5.4.0 or later.

  2. Run the following command to unlink the current version.

     sudo unlink /usr/lib64/libstdc++.so.6

  3. Run the following command to copy the new version.

     sudo cp /usr/local/lib64/libstdc++.so.6 /usr/lib64

Task 1: To create a plugin key

1. Click Connectors > Plugin Keys tab.
2. Click Create Plugin Key and do the following steps: 
   1. (Optional) Enter a new name for the plugin with which you want to associate the plugin key.

   2. (Optional) Update the expiry date for the plugin key.
      By default, a plugin key expires in 90 days. To ensure that the connector is running, you can extend the date before it expires.

   3. Click Download Plugin Key.
      A creds.json file gets downloaded. 

      Warning

      If you close the Create Plugin Key panel before downloading the key, you cannot download and use the plugin key. Instead, you need to create a new plugin key.

3. Click Save.
   The plugin and the associated plugin key appear on the Plugins page.

Optional Task: To reuse an existing plugin key

If you have configured any on-premises connector, you already have a plugin key. You can use the same key to configure any other on-premises connector. 

1. Click Connectors > Available Connectors and click Configure against the connector that you want to configure.
2. On the following message that appears on the configure connector page, click the download & install link.
   
   On the Configure On-premises Connector page, the plugin keys available for reuse are displayed.
   
3. Skip Task 2 and continue with Task 3 to configure the connector.

Task 2: To download the plugin

You can download and run a plugin on a Linux or a Microsoft Windows server. This server should be accessible from the computer where the automation tool or application is installed. 

1. In the BMC Helix Intelligent Automation console, click Connectors > Available Connectors and click Configure against the connector.
2. On the following message that appears on the configure connector page, click the download & install link.
   
   
   
3. On the Configure On-premises Connector page, click Download Plugin.
   The remote-restapi-plugin.zip file is downloaded.
4. Copy and extract the downloaded ZIP file and go to the remote-restapi-plugin directory.
5. Go to the remote-restapi-plugin\config location and and replace the creds.json file with the credential file generated in Task 1.
6. (For Linux only) Ensure that the run.sh file has the execute permission.

Optional task: To use a pass-through proxy server

If the host where you download the plugin to configure a connector does not have internet access, you can use a proxy server to configure the connector. The host where the connector is to be configured and the automation tool must be in the same network domain. You can also configure the proxy server with basic authentication mechanism. 

1. Navigate to the remote-restapi-plugin directory.

2. Run the following command to create credentials for the proxy server without any authentication.

   For Linux

    credential.sh create -n proxy -i <hostname:port of the proxy server> -p proxy -a noauth  

   For Windows

   credential.bat create -n proxy -i <hostname:port of the proxy server> -p proxy -a noauth 

3. Run the following command to create credentials for the proxy server with basic authentication.

   credential.bat create -n proxy -i <hostname:port of the proxy server> -p proxy -a basic

   When prompted, enter the username and password for the proxy server.

4. Continue to the next task. 

Task 3: To create credentials by using the plugin key

A plugin requires credentials to authenticate and execute various actions on the target applications that are defined in an automation policy. The credential CLI utility enables you to create, search, update, and delete credentials for a plugin. 

This server should be accessible from the server where the on-premise application is installed.

1. Navigate to the directory where you have extracted the remote-restapi-plugin.zip file.
   The remote-restapi-plugin directory contains credential.sh/credential.bat.
2. Ensure that the credential.sh file has the execute permission.

3. Run the following create switch command to create credentials.
   Whenever credentials are created, a unique credential ID is assigned to it.

   Sample command for Microsoft Windows

   credential.bat create -n <credentialsName> -i <http://host:port> -p <provider> -a <AuthenticationType>

   Sample command for Linux

   ./credential.sh create -n <credentialsName> -i <http://host:port> -p <provider> -a <AuthenticationType>

   Example for Ansible Tower by using basic authentication

   ./credential.sh create -n ansibleCreds -i https://172.20.65.241:6443 -p ansible_tower -a basic

   Example for Ansible Tower credentials by using bearer authentication

   ./credential.sh create -n ansibleCreds -i https://172.20.65.241:6443 -p ansible_tower -a bearer

   
   In the example:
   

   Field	Description	Sample value
   credentialsName	Enter a unique name for the credentials. A name can contain a maximum of 30 characters. Enclose the name in double quotes if it contains spaces.	AnsibleTowerCredentials
   credentialsTargetID	Enter the target identifier based on the credentials provider. Note: Ensure that you do not provide the same target ID while configuring any other connector.	https://172.20.65.241:6443
   credentialsProviderID	Enter ansible_tower	-
   authenticationType	Enter one of the supported authentication mechanisms:  basic: Requires a username and a password bearer: Requires the access token generated from Ansible Tower	Bearer: 1ZmDqTScGhe6SHct7vF5To6Pp3Vf3h

4. For Login required, enter n.
   Credentials are created successfully. 

5. (Optional) To create credentials in a single step, create a JSON file, which contains all the credentials required for configuring the connector and run the following command:

   Sample command for Microsoft Windows

   credential.bat create -n <ConnectorName> -i <hostname> -p ansible_tower -a bearer -f C:\\Users\\Administrator\\Downloads\\auth_json_file.json

   Credentials are created successfully. The following figure shows a sample output: 

{
  "credential_id": "fd5af7f8-6c3d-4116-9ff8-32582b6a64ed",
  "credential_name": "ansible",
  "credential_target_id": "https://hostname.com",
  "credential_type": "",
  "credential_provider_id": "ansible_tower",
  "credential_source": "External",
  "credential_object": {
  "api_key": "dN4k9HzQZYRNII1Q1X8xEKl3zvJv04",
  "login_action": {
  "": {
"post": {
"parameters": [],
"requestBody": {
"content": {
"application/x-www-form-urlencoded": {
"username": "",
"password": "*******"
}
}
}
}
}
},
"security_scheme": {
"type": "http",
"in": "bearer",
"bearerFormat": ""
}
},
"encryption_key_id": null,
"credential_metadata": null,
"createdAt": "2022-04-27T14:56:56.146Z",
"updatedAt": "2022-04-27T14:56:56.146Z"
}
]

Task 4: To provide a server-side SSL certificate

To configure the plugin to connect to any of the products running on HTTPS/SSL, do the following steps:

1. Download the server-side certificate and convert it into a .PEM format.
   In case of multiple products, convert and merge all individual certificates into a single .PEM file.
2. Copy and place the certificate in the server-certs directory located in the remote-restapi-plugin directory.
3. Continue to the next step to start and run the plugin. 

Optional task: To start or run the plugin by using HTTPS 

When you start or run the plugin, by default, the plugin runs by using the HTTP protocol. To run it on the HTTPS protocol, you must generate the client-side certificates and update the properties in the plugin.properties file to enable the support. On Linux-based operating systems, client-side certificates are automatically generated and added to a client-certs folder. 

If you want to run it on the HTTPS protocol, perform the following steps:

For Microsoft Windows only

1. Navigate to the remote-restapi-plugin directory.
2. Create a new folder with and name it client-certs. 
3. Generate a client certificate and the key of the host, in a PEM format, where the plugin will run.

4. Copy the certificate to the client-certs folder.

For Microsoft Windows and Linux-based operating systems

1. Navigate to the remote-restapi-plugin\config and open the plugin.properties file.
   The file contains the following new properties:

   Sample

   config.sslEnabled=false
   config.sslPort=8443
   config.sslCertPath=<pathToTheClientCertificate.pem file>
   config.sslCertKeyPath=<pathToTheClientKey.pem file>

2. Specify the path to the folder where the certificate and key files are located.

3. Specify config.sslEnabled as true.

   Example

   config.sslEnabled=true
   config.sslPort=8443
   config.sslCertPath=client-certs/client_cert.pem
   config.sslCertKeyPath=client-certs/client_key.pem

4. Save changes and continue to the next step. 
   When you start the plugin, it runs by using an HTTPS server. 

Task 5: To start and run the plugin as a service

If a remote plugin is installed as a service, you can start, stop, or restart it as any other service. BMC recommends that you run the plugin as a service as against running it as a batch or shell process. You can run remote plugin as a service only on Microsoft Windows Server 2016 Enterprise and CentOS 7 operating systems.

Before running a plugin as a service, ensure that the following prerequisites are fulfilled:

• You have administrative or root privileges on the host where the plugin is extracted.

• The host where the plugin is available is also accessible from the host where the application is installed.

To run plugin as a service:

1. Navigate to the directory where you have extracted the remote-restapi-plugin.zip file.
2. Run the install.bat (for Microsoft Windows) or install.sh (for Linux) command.
   You can also use the install.bat install command. The plugin now runs as a service.

If a service is installed successfully, in the list of services available in the Microsoft Windows Service Manager, the remote restapi plugin service is displayed. On Linux servers, if you run the install.sh status command, a system process with the name BMC remote-restapi-plugin appears.

Optional: To start the plugin as a batch or shell process

After successfully creating the credentials, run the plugin to enable the connector. 

1. Navigate to the remote-restapi-plugin/config directory, and replace the creds.json file with the creds.json file that you have downloaded while creating the plugin key.
2. Run the run.sh script to start the plugin.

Task 6: To test the plugin

BMC recommends that you test whether the plugin is able to connect to the automation tool or application successfully before creating automation policies. 

1. In the BMC Helix Intelligent Automation console, click Connectors > PluginKeys.
2. Click Actions > Test against the plugin that is used to configure the connector.
   A message appears that shows that the connection is successful. 

The Ansible Tower connector is configured and appears in the Configured Connectors tab with the status as Connected. 

If the connector is not successfully connected, the status appear as Disconnected. Click the  icon to view the error message and fix the configuration issue.  

Where to go from here

Now that the connector is configured successfully, you can create policies to execute actions supported by Ansible Tower. For more information, see Launching a job template.