Setup WinRM for Ansible with Certificate Authentication in 8 Easy Steps

Captions
Hello and welcome to another video of DevOps Lab. I'm your host Sky, and today we will be discussing how to set up WinRM over HTTPS for Ansible.

The first thing we have to do on the Ansible server side is set up the client certificates. Now, here I have a simple repository, linked in the description as always. It has Ansible server and Windows server scripts. We have the generate client cert script, which uses OpenSSL to generate a cert valid for 10 years and with the ansible runner as the CN. I also have the OpenSSL config file, which is configured for client auth certificate generation. Currently I have a virtual environment activated with the requirements, as you see in the requirements file. Now, before running the script I need to set the OpenSSL config for the session, so I will set the OPENSSL_CONF variable to my config, and now I'll execute the script. And there it is: we have two files generated, the cert and the key, and I'm just going to move these over to the Windows server for the next steps.

And now we move to the Windows server side to set that up. The first thing that we have to do is install the client certificates that we just generated. Now, as you can see, I have copied over the repository with the prerequisite scripts as well as the keys, and the first script we are going to run is the import client cert. Now, this one basically installs the client certificates in two places, the Root and the Trusted People, and the first thing I'm going to do is just run the PowerShell script, and that's it. Now I'm just going to open MMC, and now just snap-in, Certificates, local account, and now I'm just going to validate that the certificates are indeed installed. The first thing we're going to check is the Root, and as you can see, ansible runner; and the Personal should be empty at this time if it's a clean machine like mine; and now for the Trusted People, yes, ansible is installed.

Now let's enable Windows Remote Manager. The script will basically set up the remote manager, enable automatic launch, as well as make sure that the PowerShell remoting is enabled. Now let's just run the script. Might take a while. And it's done. Now I'm just going to go into Services and check if the service is actually set up and set to automatic. Now let's just scroll down to the Windows Remote Manager, and as you can see the service started, and let's expand this, and it is set to automatic.

On to the next step, where we're creating and installing the server certs on the Windows host. Now, this simple script will do that for you. We just need to run it, and this certificate should be installed. Now I can just check in MMC again and refresh it, and now in Personal, there, I see the newly generated certificate.

Let's move on to creating the Ansible user on the Windows server. This is the practice I like to follow because I do not want to use the same user. And this script, as you can see, is doing a few things: it's not only creating the admin user, it's generating a random password for it, because this was designed for templating, and it's adding it to the Administrators group, without which it won't run properly, and also taking the certificate for the server that we recently generated and then attaching it to that user. Now we're just going to run this script, and it will create the user and do all the relevant things that we need. And there, it's done.

Let's move on to creating the WinRM HTTP listener. This script overrides any existing listeners with one that uses the certificates we created. It also enables certificate authentication and ensures other authentications are disabled. Now let's go on and run the script. As you can see, only Negotiate and Certificate are set to true while the rest are set to false. Now let's just run winrm enumerate to confirm our settings. winrm enumerate, and there it is: HTTP with port 5986. And finally, we allow the HTTP port for WinRM in the Windows Firewall, and we run the script, and it's done.

Let's move to the Ansible server now and try to connect to our Windows machine. Now let me first check if we can actually reach the port, so netcat -vz IP 1050 986. Yes, so we've got a proper response. Now let's just vi into the test inventory that I created. So we have the group with the IP, then we have the vars for it: the ansible runner, connection is WinRM, transport is certificate, we have the key and the PEM, and then we have the port 5986, scheme is HTTP, and its validation is ignore, obviously, because it's a self-signed cert. So next we're just going to run win_ping with Ansible and the test inventory: all -i test inventory win_ping. And of course I forgot to activate the virtual environment, and running the same command again, and we ran into an issue that you sometimes run into with WinRM on a Mac. So what I'm going to do is I'm going to just export the no_proxy to star, so export no_proxy star, and now I'll run it again, and success. Now, as you can see, this is responding, and we can start running our Windows Ansible scripts. Thank you for watching. This is your host Sky signing off. [Music]
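The client-certificate step from the captions, as an added example that is not part of the video or its linked repository: it generates a self-signed client-auth certificate with OpenSSL and then checks the properties WinRM certificate mapping depends on. The user name `ansiblerunner`, the `@localhost` UPN, the RSA key size and the file names are assumptions.

```bash
#!/bin/sh
# Added example. User name, UPN domain and file names are assumptions,
# not values from the video's repository.
set -eu

# gen_client_cert USER OUTDIR: self-signed client-auth cert valid for 10 years.
gen_client_cert() {
  user="$1"; outdir="$2"
  mkdir -p "$outdir"
  # WinRM certificate mapping needs the clientAuth EKU and a UPN in the SAN.
  cat > "$outdir/openssl.conf" <<EOF
distinguished_name = req_distinguished_name
[req_distinguished_name]
[v3_req_client]
extendedKeyUsage = clientAuth
subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:${user}@localhost
EOF
  ( umask 077   # the private key is created readable by its owner only
    OPENSSL_CONF="$outdir/openssl.conf" openssl req -x509 -nodes -days 3650 \
      -newkey rsa:2048 -subj "/CN=${user}" -extensions v3_req_client \
      -out "$outdir/cert.pem" -keyout "$outdir/cert_key.pem" 2>/dev/null )
}

# check_client_cert CERT USER: returns 0 only if EKU, CN and lifetime are right.
check_client_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  case "$text" in
    *"TLS Web Client Authentication"*) ;;
    *) echo "missing clientAuth EKU"; return 1 ;;
  esac
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
  case "$subj" in
    *"CN=$2") ;;
    *) echo "subject CN is not $2"; return 1 ;;
  esac
  # -checkend N fails if the cert expires within N seconds (just under 10 years).
  openssl x509 -in "$1" -noout -checkend $((3649 * 86400)) >/dev/null \
    || { echo "validity shorter than 10 years"; return 1; }
}

# Stand-alone run: generate into a scratch directory and verify the result.
demo_dir=$(mktemp -d)
gen_client_cert ansiblerunner "$demo_dir"
check_client_cert "$demo_dir/cert.pem" ansiblerunner \
  && echo "client cert OK: $demo_dir/cert.pem"
```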
Info
Channel: DevOpsLab
Views: 3,249
Rating: 4.9259257 out of 5
Keywords: ansible, ansible tutorial, devops, devops tools, ansible molecule, ansible docker, devops tutorial, how to, ansible how to, configuration management, infrastructure as code, infrastructure as code tutorial, infrastructure as code guide, configuration management tutorial, Windows, Windows DevOps, winrm, WinRM Certificates, HTTPS, Windows Server, authentication, howto, guide, tutorial
Id: vcx0bIgGJXI
Length: 8min 36sec (516 seconds)
Published: Wed Jun 03 2020