Skip to content

cyberark/pas-orchestrator

Repository files navigation

PAS-Orchestrator

In today’s modern infrastructure, organizations are moving towards hybrid environments, which consist of multiple public clouds, private clouds and on-premises platforms.

CyberArk has created a tailored installation and deployment method for each platform to enable easy implementation. For example, CloudFormation templates enable easy deployment on AWS, while Azure Resource Manager (ARM) templates enable easy deployment on Azure. However, it is difficult to combine the different methods to orchestrate and automate a hybrid deployment.

PAS Orchestrator is a set of Ansible roles which provides a holistic solution to deploying CyberArk Core PAS components simultaneously in multiple environments, regardless of the environment’s location.

The Ansible roles are responsible for the entire deployment process, and can be integrated with the organization’s CI/CD pipeline.

Each PAS component’s Ansible role is responsible for the component end-2-end deployment, which includes the following stages for each component:

  • Copy the installation package to the target server
  • Installing prerequisites
  • Silent installation of the component
  • Post installation procedure and hardening
  • Registration in the Vault

Ansible Roles for PVWA, CPM and PSM can be found in the following links:

The PAS Orchestrator role is an example of how to use the component roles demonstrating paralel installation on multiple remote servers

Requirements

  • IP addresses / hosts to execute the playbook against with Windows 2016 installed on the remote hosts
  • WinRM open on port 5986 (not 5985) on the remote host
  • Pywinrm is installed on the workstation running the playbook
  • The workstation running the playbook must have network connectivity to the remote host
  • The remote host must have Network connectivity to the CyberArk vault and the repository server
    • 443 port outbound
    • 443 port outbound (for PVWA only)
    • 1858 port outbound
  • Administrator access to the remote host
  • CyberArk components CD image on the workstation running the playbook

Environment setup

  • Get the PAS Orchestrator Playbook
    git clone https://github.com/cyberark/pas-orchestrator.git
    cd pas-orchestrator
    
  • Install Python requirements
    pip install -r requirements.txt
    
  • Get the components roles
    ansible-galaxy install --roles-path ./roles --role-file requirements.yml
    
  • Update the inventories hosts file with the remote hosts IPs

Role Variables

These are the variables used in this playbook

Deployment Variables

Variable Required Default Comments
vault_ip yes None Vault ip to perform registration
dr_vault_ip no None vault dr ip to perform registration
vault_port no 1858 vault port
vault_username no "administrator" vault username to perform registration
vault_password yes None vault password to perform registration
accept_eula yes "No" Accepting EULA condition
cpm_zip_file_path yes None Path to zipped CPM image
pvwa_zip_file_path yes None Path to zipped PVWA image
psm_zip_file_path yes None Path to zipped PSM image
cpm_username no "PasswordManager" Vault Component's username

Variables related to the components can be found on the Components README

Usage

The Role consists of two parts, each part runs independently:

Part 1 - Components Deployment

The task will trigger the components main roles, each role will trigger it's sub tasks (prerequisities/installation, etc.) by default, all tasks are set to true except registration. This process executes tasks on all hosts in parallel, reducing deployment time

*IMPORTANT: Component Registration should be always set to false in this phase

Part 2 - Components Registration

This task will execute the registration process of the components, all the previous tasks are set to false and only registration is enabled This process executes the registration of each component in serial

Inventory

Prior to running pas-orchestrator hosts file should be "updated" [https://github.com/cyberark/pas-orchestrator/blob/master/inventories/production/hosts] with relevant hosts data.

# file: production
# TODO: Add description how to add hosts

[pvwa]
# Add here list of hosts or ip adresses of pvwa dedicated machines
# pvwa01.example.com
# pvwa02.example.com
10.2.0.155


[cpm]
# Add here list of hosts or ip adresses of cpm dedicated machines
# cpm01.example.com
# cpm02.example.com
10.2.0.155
# Add cpm with custom component user name (default is PasswordManager)
10.2.0.156 cpm_username=LinuxManager

[psm]
# Add here list of hosts or ip adresses of psm dedicated machines
# psm01.example.com
# psm02.example.com
10.2.0.155


[psmp]
# Add here list of hosts or ip adresses of psmp dedicated machines
# psmp01.example.com
# psmp02.example.com


# DO NOT EDIT BELOW!!!
[windows:children]
pvwa
cpm
psm

Pulling specific version example :

git clone -b v12.0 -s https://github.com/cyberark/pas-orchestrator.git

Note : using the -s it saves about 10M of diskspace and doesn’t download the unnecessary stuff.

Running the playbook:

To run the above playbook, execute the following command example :

ansible-playbook -i ./inventories/production pas-orchestrator.yml -e "vault_ip=VAULT_IP ansible_user=DOMAIN\USER cpm_zip_file_path=/tmp/pas_packages/cpm.zip pvwa_zip_file_path=/tmp/pas_packages/pvwa.zip psm_zip_file_path=/tmp/pas_packages/psm.zip  connect_with_rdp=Yes accept_eula=Yes"

Command example for out of Domain , no hardening deployment in drive D with custom component username for cpm:

ansible-playbook -i ./inventories/production pas-orchestrator.yml -e "vault_ip=VAULT_IP ansible_user=DOMAIN\USER cpm_zip_file_path=/tmp/pas_packages/cpm.zip pvwa_zip_file_path=/tmp/pas_packages/pvwa.zip psm_zip_file_path=/tmp/pas_packages/psm.zip {psm_out_of_domain:true} connect_with_rdp=Yes accept_eula=Yes psm_installation_drive=D: cpm_installation_drive=D: pvwa_installation_drive=D: {psm_hardening:false} {cpm_hardening:false} {pvwa_hardening:false} cpm_username=WinManager"

** Vault and remote host passwords are entered via Prompt

Troubleshooting

In case of a failure, a Log folder with be created on the Ansible workstation with the relevant logs copied from the remote host machine. The logs are available under - pas-orchestrator/tasks/logs

Idempotence

Every stage in the roles contains validation and can be run multiple times without error in case of success or any ansible related error.This does not apply to a component installation error for which in some cases a second execution will not assist in recovery and There might be left over artifacts (i.e. app users in the vault)

Limitations

  • Only single component per server is supported
  • There is a check sum verification to the CD image zip file , it must be the original CyberArk release

License

Apache License, Version 2.0