dellemc.openmanage.ome_application_security_settings (9.1.0) — module

Configure the login security properties

Added in version 4.4.0 of dellemc.openmanage

Authors: Jagadeesh N V(@jagadeeshnv)

Install collection

Install with ansible-galaxy collection install dellemc.openmanage:==9.1.0


Add to requirements.yml

  collections:
    - name: dellemc.openmanage
      version: 9.1.0

Description

This module allows you to configure the login security properties on OpenManage Enterprise or OpenManage Enterprise Modular.


Requirements

Usage examples

---
- name: Configure restricted allowed IP range
  dellemc.openmanage.ome_application_security_settings:
    hostname: "192.168.0.1"
    username: "username"
    password: "password"
    ca_path: "/path/to/ca_cert.pem"
    restrict_allowed_ip_range:
      enable_ip_range: true
      ip_range: 192.1.2.3/24
- name: Configure login lockout policy
  dellemc.openmanage.ome_application_security_settings:
    hostname: "192.168.0.1"
    username: "username"
    password: "password"
    ca_path: "/path/to/ca_cert.pem"
    login_lockout_policy:
      by_user_name: true
      by_ip_address: true
      lockout_fail_count: 3
      lockout_fail_window: 30
      lockout_penalty_time: 900
- name: Configure restricted allowed IP range and login lockout policy with job wait time out of 60 seconds
  dellemc.openmanage.ome_application_security_settings:
    hostname: "192.168.0.1"
    username: "username"
    password: "password"
    ca_path: "/path/to/ca_cert.pem"
    restrict_allowed_ip_range:
      enable_ip_range: true
      ip_range: 192.1.2.3/24
    login_lockout_policy:
      by_user_name: true
      by_ip_address: true
      lockout_fail_count: 3
      lockout_fail_window: 30
      lockout_penalty_time: 900
    job_wait_timeout: 60
- name: Enable FIPS mode
  dellemc.openmanage.ome_application_security_settings:
    hostname: "192.168.0.1"
    username: "username"
    password: "password"
    ca_path: "/path/to/ca_cert.pem"
    fips_mode_enable: true

Inputs

    
port:
    default: 443
    description: OpenManage Enterprise or OpenManage Enterprise Modular HTTPS port.
    type: int

ca_path:
    description:
    - The Privacy Enhanced Mail (PEM) file that contains a CA certificate to be used for
      the validation.
    type: path
    version_added: 5.0.0
    version_added_collection: dellemc.openmanage

timeout:
    default: 30
    description: The socket level timeout in seconds.
    type: int
    version_added: 5.0.0
    version_added_collection: dellemc.openmanage

hostname:
    description: OpenManage Enterprise or OpenManage Enterprise Modular IP address or
      hostname.
    required: true
    type: str

job_wait:
    default: true
    description:
    - Provides an option to wait for job completion.
    type: bool

password:
    description:
    - OpenManage Enterprise or OpenManage Enterprise Modular password.
    - If the password is not provided, then the environment variable C(OME_PASSWORD) is
      used.
    - 'Example: export OME_PASSWORD=password'
    required: true
    type: str

username:
    description:
    - OpenManage Enterprise or OpenManage Enterprise Modular username.
    - If the username is not provided, then the environment variable C(OME_USERNAME) is
      used.
    - 'Example: export OME_USERNAME=username'
    required: true
    type: str

validate_certs:
    default: true
    description:
    - If C(false), the SSL certificates will not be validated.
    - Configure C(false) only on personally controlled sites where self-signed certificates
      are used.
    - Prior to collection version C(5.0.0), the I(validate_certs) is C(false) by default.
    type: bool
    version_added: 5.0.0
    version_added_collection: dellemc.openmanage

fips_mode_enable:
    description:
    - The FIPS mode is intended to meet the requirements of FIPS 140-2 level 1. For more
      information, refer to the FIPS user guide.
    - This is applicable only for OpenManage Enterprise Modular.
    - This is mutually exclusive with I(restrict_allowed_ip_range) and I(login_lockout_policy).
    - C(WARNING) Enabling or Disabling this option resets your chassis to default settings.
      This may cause change in IP settings and loss of network connectivity.
    - C(WARNING) The FIPS mode cannot be enabled on a lead chassis in a multi-chassis
      management configuration. To enable FIPS on a lead chassis, delete the chassis
      group, enable FIPS and recreate the group.
    - C(WARNING) For a Standalone or member chassis, enabling the FIPS mode deletes any
      fabrics created. This may cause loss of network connectivity and data paths to the
      compute sleds.
    type: bool

job_wait_timeout:
    default: 120
    description:
    - The maximum wait time of I(job_wait) in seconds. The job is tracked only for this
      duration.
    - This option is applicable when I(job_wait) is C(true).
    type: int

login_lockout_policy:
    description:
    - Locks the application after multiple unsuccessful login attempts.
    - This is mutually exclusive with I(fips_mode_enable).
    suboptions:
      by_ip_address:
        description: Enable or disable lockout policy settings based on the IP address.
          This restricts the number of unsuccessful login attempts from a specific IP
          address for a specific time interval.
        type: bool
      by_user_name:
        description: Enable or disable lockout policy settings based on the user name.
          This restricts the number of unsuccessful login attempts from a specific user
          for a specific time interval.
        type: bool
      lockout_fail_count:
        description: The number of unsuccessful login attempts that are allowed after
          which the appliance prevents login from the specific username or IP address.
        type: int
      lockout_fail_window:
        description: Lockout fail window is the time in seconds within which the lockout
          fail count event must occur to trigger the lockout penalty time. Enter the duration
          for which OpenManage Enterprise must display information about a failed attempt.
        type: int
      lockout_penalty_time:
        description: The duration of time, in seconds, that login attempts from the specific
          user or IP address must not be allowed.
        type: int
    type: dict

restrict_allowed_ip_range:
    description:
    - Allow inbound connections only from the specified IP address range.
    - This is mutually exclusive with I(fips_mode_enable).
    - C(NOTE) When I(restrict_allowed_ip_range) is configured on the appliance, any inbound
      connection to the appliance, such as alert reception, firmware update, and network
      identities, is blocked from the devices that are outside the specified IP address
      range. However, any outbound connection from the appliance will work on all devices.
    suboptions:
      enable_ip_range:
        description: Allow connections based on the IP address range.
        required: true
        type: bool
      ip_range:
        description: 'The IP address range in Classless Inter-Domain Routing (CIDR) format.
          For example: 192.168.100.14/24 or 2001:db8::/24'
        type: str
    type: dict
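
A pre-flight check for the options above, added here as an example (not part of the dellemc.openmanage collection): it enforces the documented mutual exclusion with fips_mode_enable and confirms that each administrative source address falls inside ip_range before the restriction is applied. The function name preflight and its controller_ips argument are hypothetical, and treating a CIDR with host bits set as its containing network is an assumption.

```python
import ipaddress


def preflight(params, controller_ips):
    """Return a list of problems found in the module arguments (empty = OK).

    params: dict shaped like the module options documented on this page.
    controller_ips: source addresses the appliance sees for the Ansible
    control node and other admin hosts (assumption: known to the caller).
    """
    problems = []
    ip_opt = params.get("restrict_allowed_ip_range") or {}
    lockout = params.get("login_lockout_policy")

    # Documented constraint: fips_mode_enable cannot be combined with the
    # other two options (enabling or disabling FIPS resets the chassis).
    if params.get("fips_mode_enable") is not None and (ip_opt or lockout):
        problems.append("fips_mode_enable is mutually exclusive with "
                        "restrict_allowed_ip_range and login_lockout_policy")

    if ip_opt.get("enable_ip_range"):
        raw = ip_opt.get("ip_range")
        try:
            # strict=False accepts host bits, as in the page's 192.1.2.3/24.
            net = ipaddress.ip_network(raw, strict=False)
        except (ValueError, TypeError):
            problems.append(f"ip_range {raw!r} is not valid CIDR")
            return problems
        for ip in controller_ips:
            addr = ipaddress.ip_address(ip)
            if addr.version != net.version or addr not in net:
                problems.append(f"{ip} is outside {net}; inbound connections "
                                "from it would be blocked")
    return problems


if __name__ == "__main__":
    # Constructed input mirroring the page's combined usage example.
    args = {
        "restrict_allowed_ip_range": {"enable_ip_range": True,
                                      "ip_range": "192.1.2.3/24"},
        "login_lockout_policy": {"by_user_name": True, "by_ip_address": True,
                                 "lockout_fail_count": 3,
                                 "lockout_fail_window": 30,
                                 "lockout_penalty_time": 900},
    }
    for p in preflight(args, ["192.1.2.50", "192.168.0.10"]):
        print("PROBLEM:", p)
```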

Outputs

error_info:
  description: Details of the HTTP error.
  returned: on http error
  sample:
    error:
      '@Message.ExtendedInfo':
      - Message: Unable to process the request because the domain information cannot
          be retrieved.
        MessageArgs: []
        MessageId: CGEN8007
        RelatedProperties: []
        Resolution: Verify the status of the database and domain configuration, and
          then retry the operation.
        Severity: Critical
      code: Base.1.0.GeneralError
      message: A general error has occurred. See ExtendedInfo for more information.
  type: dict
job_id:
  description: Job ID of the security configuration task.
  returned: When security configuration properties are provided
  sample: 10123
  type: int
msg:
  description: Overall status of the login security configuration.
  returned: always
  sample: Successfully applied the security settings.
  type: str