LoadMaster Ansible Reference Guide
1 Introduction
Ansible is an open source automation platform. It can help with configuration management, application deployment, and task automation. At Kemp, we use Ansible to configure LoadMasters by running playbook configurations that are pushed out to LoadMasters through Kemp 360 Central.
First, you define your layout in the Ansible playbook. When you run the playbook, it calls Application Program Interface (API) commands on Kemp 360 Central, which then configures the LoadMasters connected to Kemp 360 Central.
Kemp has developed the following modules for use in Ansible playbooks:
- Virtual Service
- Sub Virtual Service (SubVS)
- Real Server
- Add LDAP Authentication
- Add or Modify an LDAP-based SSO
- Add or Modify a RADIUS-based SSO
- Add or Modify a RADIUS-LDAP-based SSO
- Add or Modify a Certificate-based SSO
- Add or Modify a SAML-based SSO
- Add GEO FQDN Data
- Update GEO Maps and Clusters
- Update GEO Miscellaneous Options and GEO Partnership
- Upload Certificate
- Add Header Rule
- Delete Header Rule
- Replace Body Rule
- Replace Header Rule
- Match Content Rule
- Modify URL Rule
- Update Global Parameters
Requesting the API Key
To get the API key for Ansible, make a curl request against your installation of Kemp 360 Central using your Kemp 360 Central credentials:
curl "https://{CENTRAL}/api/v1/user/authenticate/" --data "{\"username\":\"admin\",\"password\":\"{PASSWORD}\"}"
You should see a response similar to the following:
{
  "apikey": "abc123",
  "id": 1,
  "success": true
}
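The same request can be made from Python so that the password is prompted for instead of being typed on a command line. This is an added example, not Kemp's code; the function names are hypothetical and it uses only the endpoint and response fields shown above.

```python
import getpass
import json
import urllib.request


def build_auth_request(central, username, password):
    """Build the POST that the curl command sends (same URL and JSON body)."""
    body = json.dumps({"username": username, "password": password}).encode("utf-8")
    # Like curl --data, urllib sends the body with the default form content type.
    return urllib.request.Request(
        f"https://{central}/api/v1/user/authenticate/", data=body, method="POST"
    )


def parse_auth_response(raw):
    """Return the API key, or raise if the response does not report success."""
    reply = json.loads(raw)
    if reply.get("success") is not True or not reply.get("apikey"):
        raise ValueError("authentication failed or no apikey in response")
    return reply["apikey"]


def fetch_api_key(central, username):
    """Prompt for the password, authenticate, and return the API key."""
    password = getpass.getpass(f"Password for {username} on {central}: ")
    request = build_auth_request(central, username, password)
    # Certificate verification is left at urllib's default (enabled).
    with urllib.request.urlopen(request, timeout=10) as response:
        return parse_auth_response(response.read())


# Constructed response in the shape shown above, for offline checking.
CONSTRUCTED_RESPONSE = b'{"apikey": "abc123", "id": 1, "success": true}'

if __name__ == "__main__":
    print(parse_auth_response(CONSTRUCTED_RESPONSE))
```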
2 Modify a Virtual Service on a LoadMaster
2.1 Synopsis
This module adds or modifies a Virtual Service on a LoadMaster. The minimum supported LoadMaster firmware version is 7.2.47.0.
2.2 Parameters
Parameter | Choices/Defaults | Comments |
allow_https_2
str |
Choices:
|
Enable HTTP/2 for this Virtual Service. SSL Acceleration must be enabled before HTTP/2 can be enabled. The BestPractices cipher set should be used when HTTP/2 is enabled. |
cache
int |
Choices:
|
Enable or disable the caching of URLs. |
cache_percent
str |
Choices:
|
Specify the maximum percentage of cache space permitted for this Virtual Service. This is only relevant if cache is enabled. The maximum value is 100. |
central_address str/required |
The IP address of the Kemp 360 Central that the LoadMaster is added to. | |
central_api_key str/required |
Admin-level API Key to access API services on Kemp 360 Central. | |
central_username str/required |
Username for Kemp 360 Central that is linked to the given API key. | |
cert_name
str |
Identifier (name) of a preexisting certificate on the LoadMaster to assign to the Virtual Service. | |
check_host str |
The check_use_11 parameter must be enabled to set the check_host value. When using HTTP/1.1 checking, the Real Servers require a Hostname be supplied in each request. If no value is set then this value is the IP address of the Virtual Service. | |
check_pattern
str |
When the check_type is set to http or https, this corresponds to the Reply 200 Pattern in the WUI. This parameter only applies when the HTTP Method is set to GET or POST. When the check_type is set to bdata: Specify the hexadecimal string that will be searched for in the response. Specify an empty value to unset check_pattern. |
|
check_port
int |
The port to be checked. If a port is not specified, the Real Server port is used. Specify 0 to unset check_port. | |
check_post_data
str |
This parameter is only relevant if the HTTP Method is set to POST. When using the POST method, up to 2047 characters of POST data can be sent to the server. | |
check_type
str |
Choices:
|
Specify which protocol is to be used to check the health of the Real Server. The default value is dependent on the Virtual Service port. |
check_url
str |
|
When the check_type is set to http or https - by default, the health checker tries to access the URL / to determine if the machine is available. A different URL can be set in the check_url parameter. When the check_type is set to bdata: Specify a hexadecimal string to send to the Real Server. The maximum character length for the check_url parameter value is 126 characters. |
check_use_11 str |
Choices:
|
By default, the health checker uses HTTP/1.0 when checking the Real Server status. Enabling check_use_11 means HTTP/1.1 is used (which is more efficient). |
check_use_get
int |
Choices:
|
When accessing the health check URL - the system can use the HEAD, the GET, or the POST method. |
compress
int |
Choices:
|
When enabled, files sent from the LoadMaster are compressed with Gzip. |
copy_hdr_from
str |
Choices:
|
The source header field to copy from when the request is sent to the LoadMaster. |
copy_hdr_to
str |
The name of the header field into which the source header is copied. This is used with the copy_hdr_from variable. | |
cipher_set
str |
Choices:
|
This parameter can be used to assign a cipher set to a Virtual Service. System-defined cipher sets and custom cipher sets can be assigned using this parameter. |
ciphers
str |
Multiple ciphers can be assigned by inserting a colon between each cipher. When ciphers are assigned in this way, a Cipher Set called Custom_<VirtualServiceID> is created/updated. Note: The assigned ciphers list is overwritten when ciphers are added in this way. Ensure to include all ciphers to be assigned. | |
default_gw
str |
Set the default gateway for this Virtual Service. | |
enable str/required |
Choices:
|
Specify if the Virtual Service should be created in a live (enabled) state. |
enhanced_health_checks
int |
Choices:
|
Enabling the enhanced_health_checks parameter provides an additional health check parameter - rs_minimum. If the enhanced_health_checks parameter is disabled, the Virtual Service is considered available if at least one Real Server is available. If the enhanced_health_checks parameter is enabled, you can specify the minimum number of Real Servers that should be available to consider the Virtual Service to be available. |
ensure str/required |
Present (default) | Value set to indicate to Kemp 360 Central that this Virtual Service should always exist. This is set automatically by the module. |
error_code int |
If no Real Servers are available, the LoadMaster can terminate the connection with a HTTP error code. Specify the error code number in this parameter. Valid values are in the range 200-505. | |
error_url
str |
When no Real Servers are available and an error response is sent back to the client, you can also specify a redirect URL. | |
follow_vsid
int |
Specify the ID of the Virtual Service to follow. This is used for redirects. | |
force_l7
int |
Choices:
|
Enabling force_l7 means the Virtual Service runs at Layer 7 and not Layer 4. This may be needed for various reasons, including that only Layer 7 services can be non-transparent. |
vs_ip str/required |
The IPv4 Address to assign to the Virtual Service. | |
ldap_endpoint
str |
Specify the name of an LDAP endpoint to use for the health checks. If LDAP is selected as the check_type, the server IP address (or addresses) and ports from the LDAP endpoint configuration are used instead of the Real Server IP address and port. | |
lm_address str/required |
IP address and port of the LoadMaster that contains the Virtual Service or SubVS that the Real Server should be created or modified on. The format is 'ip:port'. | |
match_body_rules
list |
Names (Identifiers) of Match Body type Content Rules to assign to the Virtual Service. These content rules must exist on the LoadMaster before being assigned to a Virtual Service. | |
match_length
int |
This parameter is only relevant when the check_type is set to bdata. By setting this you can specify the number of bytes to find the check_pattern within. | |
need_host_name
int |
Choices:
|
When this parameter is enabled, the hostname is always required to be sent in the TLS client hello message. If it is not sent, the connection is dropped. |
nickname str/required |
Choices:
|
The nickname to assign to the Virtual Service. It must be unique. |
ocsp_verify
int |
Choices:
|
Verify (using Online Certificate Status Protocol (OCSP)) that the client certificate is valid. |
persist
str |
Choices:
|
Specify the type of persistence (stickiness) to be used for this Virtual Service. |
persist_timeout
int |
The length of time (in seconds) after the last connection that the LoadMaster remembers the persistence information. Timeout values are rounded down to an even number of minutes. Setting a value that is not a number of whole minutes results in the excess being ignored. Setting a value to less than 60 seconds results in a value of 0 being set, which disables persistency. | |
vs_port int/required |
The port on which the Virtual Service must be active. Can be any valid port number from 3 to 65530, or a wildcard `*`. | |
preprocess_rules
list |
Names (Identifiers) of Preprocess type Content Rules to assign to the Virtual Service. These content rules must exist on the LoadMaster before being assigned to a Virtual Service. | |
vs_protocol str/required |
Choices:
|
The protocol type that this Virtual Service uses. |
qos
str |
Choices:
|
Quality of Service (QoS) sets a type of service that determines how the traffic's packets are treated and prioritized. |
request_rules list |
Names (Identifiers) of Request type Content Rules to assign to the Virtual Service. These content rules must exist on the LoadMaster before being assigned to a Virtual Service. | |
response_rules
list |
Names (Identifiers) of Response type Content Rules to assign to the Virtual Service. These content rules must exist on the LoadMaster before being assigned to a Virtual Service. | |
rs_minimum
int |
An integer that specifies how many Real Servers must be up for a Virtual Service or SubVS to be considered up. It is an integer from 0 to N, where N is the number of Real Servers on this particular service. In practice, this value is usually 1. | |
rs_rule_precedence
int |
This parameter should be used in conjunction with rs_rule_precedence_pos. This parameter is used to specify the name of the existing rule whose position you want to change. | |
rs_rule_precedence_pos
str |
This parameter, in conjunction with the rs_rule_precedence parameter, is used to change the position of the rule in a sequence of rules. For example, a position of 2 means the rule will be checked second. | |
schedule
str |
Choices:
|
Specify the type of scheduling of new connections to Real Servers that is to be performed. |
ssl_acceleration
int |
Choices:
|
Enable SSL handling services for the Virtual Service. |
ssl_reencrypt
int |
Choices
|
When this option is enabled, the SSL data stream is re-encrypted before sending to the Real Server. This parameter is only valid if SSL Acceleration is enabled. |
ssl_rewrite
str |
Choices
|
When the Real Server rejects a request with a HTTP redirect, the requesting Location URL may need to be converted to specify HTTPS instead of HTTP (the opposite also applies). |
subnet_originating int |
Choices
|
When transparency is disabled for a Virtual Service, the source IP address of connections to Real Servers is the Virtual Service. When enabled, the source IP address is the local address of the LoadMaster. If the Real Server is on a subnet, the subnet address of the LoadMaster is used. |
tls_type
list |
Choices
|
Specify which of the following protocols to support: SSLv3, TLS1.0, TLS1.1, TLS1.2, or TLS1.3. |
transparent
int |
Choices
|
(Layer 7 only) When transparency is enabled, connections at the Real Server appear to originate at the client. With transparency disabled, connections originate at the LoadMaster. |
use_for_snat
int |
Choices
|
By default, when the LoadMaster is being used to NAT Real Servers, the source IP address used on the internet is that of the LoadMaster. Enabling this option allows the Real Servers configured to use the Virtual Service as the source IP address instead. If the Real Servers are configured on more than one Virtual Service which has this option set, only connections to destination port 80 will use this Virtual Service as the source IP address. |
vs_type str/required |
Choices
|
This specifies the type of service being load balanced. |
allowed_hosts
str |
This parameter is only relevant when ESP is enabled. Specify all the virtual hosts that can be accessed using this Virtual Service. | |
allowed_directories str |
This parameter is only relevant when ESP is enabled. Specify all the virtual directories that can be accessed using this Virtual Service. You can specify up to 254 characters for this parameter. | |
domain
str |
The Single Sign On (SSO) domain in which this Virtual Service will operate. | |
logoff
str |
This parameter is only relevant when ESP is enabled and when the Client Authentication Mode is set to Form Based. Specify the string that the LoadMaster should use to detect a logout event. Multiple logoff strings can be specified by using a space-separated list. If the URL to be matched contains sub-directories before the specified string, the Logoff String will not be matched. Therefore, the LoadMaster will not log the user off. You can specify up to 255 characters for this parameter. | |
add_auth_header
str |
This option is only available if SAML is selected as the input_auth_mode. Specify the name of the HTTP header. This header is added to the HTTP request from the LoadMaster to the Real Server and its value is set to the user ID for the authenticated session. You can specify up to 255 characters for this parameter. | |
display_pub_priv
int |
Choices
|
Display the public/private option on the login page. Based on the option the user selects on the login form, the session timeout value is set to the value specified for either the public or private timeout. |
disable_password_form
int |
Choices
|
Enabling this option removes the password field from the login page. This may be needed when password validation is not required, for example if using RSA SecurID authentication in a singular fashion. |
captcha
str |
Enable this parameter to allow CAPTCHA verification on the login page. The LoadMaster only supports CAPTCHA v2. The input_auth_mode must be set to 2 (Form Based) for the CAPTCHA parameters to be relevant. All CAPTCHA parameters must be set before it can be used. Both the LoadMaster and the client machine must be able to access Google for this to work. Before the CAPTCHA has been correctly answered, the submit button on the login form is disabled. If the user does not submit the form within two minutes of answering the CAPTCHA, the CAPTCHA times out (Google-specified timeout), and the user must verify a new CAPTCHA (the submit button is disabled until the new CAPTCHA has been verified). |
|
captcha_private_key
str |
The key that was provided as the private key when you signed up for the CAPTCHA service. | |
captcha_access_url int |
Choices
|
The URL of the service that provides the CAPTCHA challenge. Usually: www.google.com/recaptcha/api.js. Do not start this URL with https. Only CAPTCHA V2 is currently supported. |
captcha_verify_url str |
The URL of the service that verifies the response to the CAPTCHA challenge. Usually: www.google.com/recaptcha/api/siteverify. Do not start this URL with https. Only CAPTCHA V2 is currently supported. |
|
esp_logs int |
Choices:
|
Enable ESP logging. Valid values are below: 0 - Logging off; 1 - User Access; 2 - Security; 3 - User Access and Security; 4 - Connection; 5 - User Access and Connection; 6 - Security and Connection; 7 - User Access, Security and Connection. Note: The only valid values for SMTP services are 0 and 4. For SMTP services, security issues are always logged. Nothing is logged for user access because there are no logins. |
smtp_allowed_domains
str |
Specify all the permitted domains that are allowed to be received by this Virtual Service. | |
excluded_directories
str |
This parameter is only relevant when ESP is enabled. Any virtual directories specified within this field will not be pre-authorized on this Virtual Service and are passed directly to the relevant Real Servers. | |
esp_enabled
int |
Choices
|
Enable or disable the Edge Security Pack (ESP) features. |
input_auth_mode
int |
Choices:
|
Specify the client authentication method to be used: 0 - Delegate to Server; 1 - Basic Authentication; 2 - Form Based; 4 - Client Certificate; 5 - NTLM; 6 - SAML |
output_auth_mode int |
Choices:
|
Specify the server authentication mode to be used: 0 - None; 1 - Basic Authentication; 2 - Form Based; 3 - KCD; 4 - Server Token |
server_fba_path
str |
Only relevant when using form-based authentication as the Server Authentication Mode (output_auth_mode). Set the authentication path for server-side Form Based Authentication (FBA). When used in Exchange environments, this does not need to be set. | |
out_conf str |
Enter the name of the outbound SSO domain. | |
single_sign_on_dir
str |
This parameter relates to the SSO Image Set drop-down in the ESP Options section of the modify Virtual Service screen in the LoadMaster User Interface (UI). Specify the name of the image set to be used for the login screen. If no image set is specified, the default Exchange image set will be used. | |
single_sign_on_message
str |
Specifies the SSO message that is displayed. The single_sign_on_message parameter accepts HTML code, so you can insert an image if required. There are several characters that are not supported. These are the grave accent character ( ` ) and the single quote ('). If a grave accent character is used in the SingleSignOnMessage, the character will not display in the output, for example a`b`c becomes abc. If a single quote is used, users will not be able to log in. |
|
allowed_groups
str |
Specify the groups that are allowed to access this Virtual Service. If the parameter value is longer than the maximum length of a HTTP GET query (1024 characters), you must set the HTTP Method to POST. You can specify up to 2048 characters for this parameter. |
|
group_sids str |
Specify the group security identifiers (SIDs) that are allowed to access this Virtual Service. Each group is separated by a semi-colon. Spaces are used to separate bytes in certain group SIDs. Here is an example: S-1-5-21-703902271-2531649136-2593404273-1606. SIDs can be found by using the Get-ADGroup -Identity GroupName command. If the parameter value is longer than the maximum length of a HTTP GET query (1024 characters), you must set the HTTP Method to POST. |
|
include_nested_groups str |
This parameter relates to the AllowedGroups parameter. Enable this option to include nested groups in the authentication attempt. If this option is disabled, only users in the top-level group will be granted access. If this option is enabled, users in both the top-level and first sub-level group will be granted access. | |
steering_groups str |
Enter the Active Directory group names that will be used for steering traffic. Use a semi-colon to separate multiple group names. The steering group index number corresponds to the location of the group in this list. If the parameter value is longer than the maximum length of a HTTP GET query (1024 characters), you must set the HTTP Method to POST. |
|
excluded_domains str |
Any virtual directories specified within this field will not be pre-authorized on this Virtual Service and will be passed directly to the relevant Real Servers. Multiple excluded domains can be specified by using a space-separated list. | |
alt_domains str |
Specify alternative domains to be assigned to a Virtual Service when configuring multi-domain authentication. To specify multiple alternative domains, use a space-separated list. | |
user_pwd_change_url str |
This is relevant when using form-based LDAP authentication. Specify the URL that users can use to change their password. If a user's password has expired, or if they must reset their password, this URL and the user_pwd_change_msg is displayed on the login form. This URL must be put into the exception list for authentication, if required. | |
user_pwd_change_msg str |
This parameter is only relevant if the user_pwd_change_url parameter is set. Specify the text to be displayed on the login form when the user must reset their password. | |
user_pwd_expiry_warn int |
Choices
|
By default, SSO users are notified about the number of days before they must change their password. If you disable this option, the password expiry notification will not appear on the login forms. This parameter is only relevant if the input_auth_mode is set to Form Based (2) and the user_pwd_change_url is set. The language of the warning text is based on the SSO Image Set that is selected (English, French, or Portuguese). |
user_pwd_expiry_warn_days
int |
Specify the number of days to show the warning before the password is expired. This parameter is only relevant if the input_auth_mode is set to Form Based (2) and the user_pwd_change_url is set. | |
intercept
int |
Choices
|
Enable or disable the Web Application Firewall (WAF). |
intercept_opts list |
A list of strings to enable or disable certain WAF features. | |
intercept_post_other_content_types
list |
Enter a comma-separated list of POST content types allowed for WAF analysis, for example text/plain,text/css. By default, all types (other than XML/JSON) are enabled. To set this to any other content types, set the value to any. Enabling the inspection of any other content types may increase system resource utilization (CPU and memory). A specific list of content types should be considered. |
|
alert_threshold
int |
This is the threshold of incidents per hour before sending an alert. Setting this to 0 disables alerting. Range: 0 - 100000 |
|
waf_rules
list |
List of WAF rules and which group they belong to with the name of the rule and IDs to disable in the format: G\<rule_name>:208080:2000023 |
2.3 Examples
- name: Create a Virtual Service
  hosts: localhost
  vars:
    central_address: '10.35.23.180'
    central_username: 'admin'
    central_api_key: '4ef39d110474a18639bab'
    lm_address: '10.35.23.2:443'
    ip: '10.35.23.156'
    port: 443
    prot: 'tcp'
  tasks:
    - name: Create Virtual Service Pathos on LM
      virtual_service:
        central_address: '{{ central_address }}'
        central_username: '{{ central_username }}'
        central_api_key: '{{ central_api_key }}'
        lm_address: '{{ lm_address }}'
        enable: 'Y'
        nickname: 'Pathos'
        ip: '{{ ip }}'
        port: '{{ port }}'
        protocol: '{{ prot }}'
        vs_type: 'http'
        ssl_acceleration: 1
        check_type: 'icmp'
        qos: 'Maximize-Reliability'
        transparent: 1
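Several parameters in the table above have limits or depend on other parameters (TLS offload, persistence, ESP login settings). The following pre-flight check applies those documented rules to one task's arguments before the playbook is run. It is an added example, not part of Kemp's modules; the function names, the set of values treated as "enabled", and the sample task are assumptions.

```python
import re

# Values treated as "enabled". The table's Choices column did not survive on this
# page, so this set is an assumption based on the examples ('Y', 1).
ENABLED = {"1", "y", "yes", "true"}
# Maximum lengths and integer ranges stated in the Comments column.
MAX_LEN = {"check_url": 126, "check_post_data": 2047, "allowed_directories": 254,
           "logoff": 255, "add_auth_header": 255, "allowed_groups": 2048}
INT_RANGE = {"error_code": (200, 505), "alert_threshold": (0, 100000),
             "esp_logs": (0, 7)}


def is_on(value):
    return str(value).strip().lower() in ENABLED


def as_int(value):
    """Return value as an int, or None when it is not a whole number."""
    try:
        return int(str(value))
    except ValueError:
        return None


def validate_virtual_service(params):
    """Return (parameter, problem) tuples for one virtual_service task's arguments."""
    findings = []
    for name, limit in MAX_LEN.items():
        if len(str(params.get(name, ""))) > limit:
            findings.append((name, f"longer than {limit} characters"))
    for name, (low, high) in INT_RANGE.items():
        if name in params:
            number = as_int(params[name])
            if number is None or not low <= number <= high:
                findings.append((name, f"must be an integer in {low}-{high}"))
    port = params.get("vs_port")
    if port is not None and str(port) != "*":
        number = as_int(port)
        if number is None or not 3 <= number <= 65530:
            findings.append(("vs_port", "must be 3-65530 or the wildcard *"))
    address = params.get("lm_address")
    if address is not None and not re.fullmatch(r"[^:\s]+:\d{1,5}", str(address)):
        findings.append(("lm_address", "expected the form ip:port"))
    # TLS-related dependencies.
    ssl_on = is_on(params.get("ssl_acceleration", 0))
    if is_on(params.get("ssl_reencrypt", 0)) and not ssl_on:
        findings.append(("ssl_reencrypt", "only valid with ssl_acceleration enabled"))
    if is_on(params.get("allow_https_2", 0)):
        if not ssl_on:
            findings.append(("allow_https_2", "enable ssl_acceleration first"))
        if params.get("cipher_set") != "BestPractices":
            findings.append(("cipher_set", "BestPractices should be used with HTTP/2"))
    if params.get("check_host") and not is_on(params.get("check_use_11", 0)):
        findings.append(("check_host", "requires check_use_11 to be enabled"))
    # Persistence changes silently: below 60 s becomes 0, excess seconds are dropped.
    if "persist_timeout" in params:
        seconds = as_int(params["persist_timeout"])
        if seconds is None:
            findings.append(("persist_timeout", "must be a number of seconds"))
        elif seconds < 60:
            findings.append(("persist_timeout", "below 60 s is stored as 0 (disabled)"))
        elif seconds % 60:
            findings.append(("persist_timeout",
                             f"rounded down to {seconds - seconds % 60} s"))
    # ESP login-form settings.
    message = str(params.get("single_sign_on_message", ""))
    if "'" in message:
        findings.append(("single_sign_on_message", "single quote blocks user logins"))
    if "`" in message:
        findings.append(("single_sign_on_message", "grave accents are not displayed"))
    mode = str(params.get("input_auth_mode", ""))
    if is_on(params.get("captcha", 0)):
        if mode != "2":
            findings.append(("captcha", "input_auth_mode must be 2 (Form Based)"))
        for name in ("captcha_private_key", "captcha_access_url", "captcha_verify_url"):
            if not params.get(name):
                findings.append((name, "must be set before CAPTCHA can be used"))
    for name in ("captcha_access_url", "captcha_verify_url"):
        if str(params.get(name, "")).lower().startswith("https"):
            findings.append((name, "must not start with https"))
    if params.get("add_auth_header") and mode != "6":
        findings.append(("add_auth_header", "only available with input_auth_mode 6"))
    return findings


# Constructed task arguments using the parameter names from the table.
SAMPLE_TASK = {
    "lm_address": "10.35.23.2:443", "vs_ip": "10.35.23.156", "vs_port": 443,
    "ssl_acceleration": 0, "ssl_reencrypt": 1, "allow_https_2": "1",
    "cipher_set": "MyCustomSet", "persist_timeout": 150, "error_code": 600,
    "single_sign_on_message": "Don't share your password",
    "captcha": "1", "input_auth_mode": 1,
    "captcha_access_url": "https://www.google.com/recaptcha/api.js",
}

if __name__ == "__main__":
    for name, problem in validate_virtual_service(SAMPLE_TASK):
        print(f"{name}: {problem}")
```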
2.4 Return Values
The following are the fields unique to this module:
Key | Returned | Description |
message str | always | The message response indicating whether the task created or modified the Virtual Service. Sample: VS Updated |
changed bool | always | A Boolean to indicate whether changes were made during the task. Sample: true |
dataChanged str | when changed is true | The parameters that were changed during the task. Sample: {"check_type": "icmp", "NickName": "Pathos", "SSLAcceleration": "Y", "TlsType": "3", "Transparent": "Y"} |
msg str | when task failed | The error message related to why the task failed. Sample: The minimum supported LoadMaster firmware version is 7.2.47.0. |
2.5 Status
This module is maintained by Kemp Technologies.
3 Modify a SubVS on a LoadMaster
3.1 Synopsis
This module configures a SubVS on a LoadMaster. The minimum supported LoadMaster firmware version is 7.2.47.0. To configure a SubVS on a Virtual Service, the Virtual Service must be defined in your playbook before the SubVS.
3.2 Parameters
Parameter | Choices/Defaults | Comments |
add_via
int |
Choices:
|
Corresponds to the Add HTTP Headers option in the LoadMaster. |
central_username str/required |
The Kemp 360 Central username. | |
central_api_key str/required |
The API key for the user of the Kemp 360 Central machine. | |
central_address str/required |
The IP address of the Kemp 360 Central that the LoadMaster is added to. | |
enable
str |
Choices:
|
Enable the SubVS. |
lm_address str/required |
IP address and port of the LoadMaster that contains the Virtual Service or SubVS that the Real Server should be created or modified on. The format is 'ip:port'. | |
vs str/required |
The IP address of the parent Virtual Service on the LoadMaster. | |
port int/required |
The port of the parent Virtual Service on the LoadMaster; a value between 3 and 65530. | |
limit
int |
The maximum number of open connections that can be sent to a Real Server before it is taken out of rotation; values 0-100000. | |
nickname str/required |
Nickname of a SubVS. | |
qos
int |
Choices
|
Quality of Service (QoS) sets a type of service that determines how the traffic's packets are treated and prioritized. |
subnet_originating
int |
Choices:
|
When transparency is not enabled, the source IP address of connections to the Real Servers is that of the Virtual Service. When transparency is enabled, the source IP address is the IP address that is initiating connection to the Virtual Service. If the Real Server is on a subnet, and the Subnet Originating Requests option is enabled, then the subnet address of the LoadMaster is used as the source IP address. |
vs_type
str |
Choices:
|
This specifies the type of service being load balanced. |
critical
int |
Choices:
|
Enabling this parameter indicates that the Real Server is required for the Virtual Service to be considered available. The Virtual Service is marked as down if the Real Server has failed or is disabled. |
check_type
str |
Choices:
|
Specify which protocol is to be used to check the health of the Real Server. |
check_codes
str |
A space-separated list of HTTP status codes that should be treated as successful when received from the Real Server. | |
check_port
int |
The port to be checked. If a port is not specified, the Real Server port is used. Specify 0 to unset check_port. | |
weight
int |
When using weighted round robin scheduling, the weight of a Real Server is used to indicate what relative proportion of traffic should be sent to the server. Servers with higher values receive more traffic. The weight of a SubVS can also be updated using the modrs command - set the Real Server to the number that appears in the Id column for the relevant SubVS in the parent Virtual Service modify screen; values 1-65535. | |
check_host
str |
The check_use_11 parameter must be enabled to set the check_host value. When using HTTP/1.1 checking, the Real Servers require a Hostname be supplied in each request. If no value is set, then this value is the IP address of the Virtual Service. | |
check_pattern
str |
When the check_type is set to http or https - this corresponds to the Reply 200 Pattern in the WUI. This parameter only applies when the HTTP Method is set to GET or POST. When the check_type is set to bdata: Specify the hexadecimal string, which is searched for in the response. Specify an empty value to unset check_pattern. | |
check_headers
str |
Specify up to four additional headers/fields that will be sent with each health check request. Separate the pairs with a pipe, for example: Host:xyc|UserAgent:prq. | |
check_use_11
str |
Choices:
|
By default, the health checker uses HTTP/1.0 when checking the Real Server status. Enabling check_use_11 means HTTP/1.1 is used (which is more efficient). |
enhanced_health_checks
int |
Choices
|
Enabling the enhanced_health_checks parameter provides an additional health check parameter - rs_minimum. If the enhanced_health_checks parameter is disabled, the Virtual Service is considered available if at least one Real Server is available. If the enhanced_health_checks parameter is enabled, you can specify the minimum number of Real Servers that should be available to consider the Virtual Service to be available. |
rs_minimum int |
An integer that specifies how many Real Servers must be up for a Virtual Service or SubVS to be considered up. It is an integer from 0 to N, where N is the number of Real Servers on this particular service. In practice, this value is usually 1. | |
extra_header_key
str |
Specify the key for the extra header to be inserted into every request sent to the Real Servers. | |
extra_header_value str |
Specify the value for the extra header to be inserted into every request sent to the Real Servers. | |
error_code
int |
If no Real Servers are available, the LoadMaster can terminate the connection with a HTTP error code. Specify the error code number in this parameter. To unset the error code, set the parameter to an empty string. | |
error_url
str |
When no Real Servers are available and an error response is sent back to the client, a redirect URL can also be specified. | |
ldap_endpoint
str |
Specify the name of an LDAP endpoint to use for the health checks. If LDAP is selected as the check_type, the server IP address (or addresses) and ports from the LDAP endpoint configuration are used instead of the Real Server IP address and port. | |
copy_header_from
str |
This is the name of the source header field to copy into the new header field before the request is sent to the Real Servers. | |
copy_header_to
str |
Used in conjunction with the copy_header_from parameter. The name of the header field into which the source header is to be copied. | |
transparent
int |
Choices:
|
When using Layer 7, when this is enabled - the connection arriving at the Real Server appears to come directly from the client. Alternatively, the connection can be non-transparent, which means that the connections at the Real Server appear to come from the LoadMaster. If a Virtual Service (with or without a SubVS) has SSL re-encrypt enabled, the transparency flag of the Virtual Service has no meaning (re-encryption forces transparency to be off). The transparency setting can still be modified by the API and is honored when re-encrypt is disabled on the Virtual Service. |
multi_connect
int |
Choices:
|
Enabling this option permits the LoadMaster to manage connection handling between the LoadMaster and the Real Servers. Requests from multiple clients are sent over the same TCP connection. Multiplexing only works for simple HTTP GET operations. This parameter cannot be enabled in certain situations, for example if WAF, ESP, or SSL Acceleration is enabled. |
non_local int | Choices: | By default, only Real Servers on local networks can be assigned to a Virtual Service. Enabling this option allows a non-local Real Server to be assigned to the Virtual Service. This option is only available if a non-local Real Server is enabled and the Transparent option is disabled on the relevant Virtual Service.
check_url str | | When the check_type is set to http or https, the health checker by default tries to access the URL / to determine if the machine is available. A different URL can be set in the check_url parameter. When the check_type is set to bdata, specify a hexadecimal string to send to the Real Server. The maximum length of the check_url parameter value is 126 characters.
check_post_data str | | This parameter is only relevant if the HTTP Method is set to POST. When using the POST method, up to 2047 characters of POST data can be sent to the server.
check_use_get int | Choices: | When accessing the health check URL, the system can use the HEAD, the GET, or the POST method.
persist str | Choices: | Specify the type of persistence (stickiness) to be used for this Virtual Service.
persist_timeout int | | The length of time (in seconds) after the last connection that the LoadMaster remembers the persistence information. Timeout values are rounded down to an even number of minutes. Setting a value that is not a number of whole minutes results in the excess being ignored. Setting a value to less than 60 seconds results in a value of 0 being set, which disables persistency.
match_len int | | This parameter is only relevant when the check_type is set to bdata. Specify the number of bytes to find the check_pattern within; values 0-8000.
stand_by_addr str | | Specify the IP address of the 'Sorry' server that is to be used when no other Real Servers are available. This server will not be health checked and is assumed to be always available.
stand_by_port int | | Specify the port of the 'Sorry' server.
schedule str | Choices: | Specify the type of scheduling of new connections to Real Servers that is to be performed.
rs_rule_precedence str | | This parameter should be used in conjunction with rs_rule_precedence_pos. This parameter is used to specify the name of the existing rule whose position you want to change.
rs_rule_precedence_pos int | | This parameter, in conjunction with the rs_rule_precedence parameter, is used to change the position of the rule in a sequence of rules. For example, a position of 2 means the rule is checked second.
selection_rules str | | Specify a list of selection rules to add to the SubVS.
request_header_rules str | | Add a list of request rules to a SubVS.
response_header_rules str | | Add a list of response rules to a SubVS.
3.3 Examples
- name: Create a Sub VS
  hosts: localhost
  vars:
    # Kemp 360 Central and LoadMaster connection details
    central_address: '10.35.23.180'
    central_username: 'admin'
    central_api_key: '4ef39d1104767e18639bab'
    lm_address: '10.35.23.2:443'
  tasks:
    - name: Create SubVS
      sub_virtual_service:
        central_address: '{{ central_address }}'
        central_api_key: '{{ central_api_key }}'
        central_username: '{{ central_username }}'
        lm_address: '{{ lm_address }}'
        vs: '10.35.23.100'
        port: 80
        prot: 'tcp'
        nickname: 'Beta'
        vs_type: 'http'
        enable: 'Y'
        enhanced_health_checks: 1
        schedule: 'Round-Robin'
        content_rules: ['matchRedHeader']
3.4 Return Values
The following are the fields unique to this module:
Key | Returned | Description
message str | always | The message response indicating whether the task created or modified the SubVS. Sample: SubVS Updated
changed bool | always | A Boolean to indicate whether changes were made during the task. Sample: true
dataChanged str | when changed is true | The parameters that were changed during the task. Sample: {"Transparent": "N", "UseforSnat": "N", "VSPort": "0", "VStype": "http", "NickName": "Epsilon"}
msg str | when task failed | The error message related to why the task failed. Sample: The minimum supported LoadMaster firmware version is 7.2.47.0.
3.5 Status
This module is maintained by Kemp Technologies.
4 Modify a Real Server on a LoadMaster
4.1 Synopsis
This module adds or modifies a Real Server to Virtual Services and SubVS on a LoadMaster. The minimum supported LoadMaster firmware version is 7.2.47.0. To configure a Real Server on a Virtual Service, the Virtual Service must be defined in your playbook before the Real Server. To configure a Real Server on a SubVS, the SubVS must be defined in your playbook before the Real Server.
4.2 Parameters
Parameter | Choices/Defaults | Comments
lm_address str/required | | The IP address and port of the LoadMaster that contains the Virtual Service or SubVS that the Real Server should be created or modified on.
lm_port str | | The port of the LoadMaster.
central_address str/required | | The IP address of the Kemp 360 Central that the LoadMaster is added to.
username str/required | | The Kemp 360 Central username.
api_key str/required | | The API key for the user of the Kemp 360 Central machine.
vs_ip str/required | | The IP address of the Virtual Service on the provided LoadMaster.
vs_port int/required | | The port of the Virtual Service on the provided LoadMaster. Values are between 3 and 65530.
vs_prot str/required | Choices: | The protocol of the Virtual Service on the provided LoadMaster.
rs_ip str/required | | The IP address of the Real Server that is being created or modified.
rs_port str/required | | The port of the Real Server that is being created or modified. Values are between 3 and 65530.
rs_limit int | | The maximum number of open connections that can be sent to a Real Server before it is taken out of rotation. Values are between 0 and 100000.
rs_weight int | | When using weighted round robin scheduling, the weight of a Real Server is used to indicate what relative proportion of traffic should be sent to the server. Servers with higher values receive more traffic. The weight of a SubVS can also be updated using the modrs command; set the Real Server to the number that appears in the Id column for the relevant SubVS in the parent Virtual Service modify screen.
rs_fw_method str | Choices: | The type of forwarding method used. The default method is NAT. Direct server return can only be used with Layer 4 services.
rs_enable str | Choices: | Enable or disable the Real Server.
rs_critical int | Choices: | Enabling this parameter indicates that the Real Server is required for the Virtual Service to be considered available. The Virtual Service is marked as down if the Real Server has failed or is disabled.
sub_vs_nickname str | | To create or modify a Real Server on a SubVS, the nickname of the SubVS must be provided.
addtoallsubvs int | Choices: | Enable this option when adding a Real Server to all SubVSs of a Virtual Service; values are 0 or 1.
newport int | | The port on the Real Server to be used. Values are between 3 and 65535.
follow int | | Specify what Real Server the health check is based on by setting this parameter to the RsIndex of the Real Server to be followed. This can either be set to the RsIndex of the same Real Server to health check based on that particular Real Server status, or another Real Server can be specified. For example, if Real Server 1 is down, any Real Servers that have their health check based on Real Server 1 are also marked as down, regardless of their actual Real Server status.
content_rules list | | A list of content rule names to be added to a Real Server. The names provided must be previously added to the LoadMaster and must be Content Matching rules.
4.3 Examples
- name: Create Real Server
  hosts: localhost
  vars:
    # Kemp 360 Central and LoadMaster connection details
    central_address: '10.35.39.21'
    lm_address: '10.35.39.20:443'
    username: 'admin'
    api_key: '699129a26ad34466a4cc'
  tasks:
    - name: Create RS for VS 10.35.39.25:8010
      real_server:
        lm_address: '{{ lm_address }}'
        central_address: '{{ central_address }}'
        username: '{{ username }}'
        api_key: '{{ api_key }}'
        vs_ip: '10.35.39.25'
        vs_port: 8010
        vs_prot: 'tcp'
        rs_ip: '10.35.39.6'
        rs_port: 4006
        rs_limit: 220
4.4 Return Values
The following are the fields unique to this module:
Key | Returned | Description
message str | always | The message response indicating whether the task created or modified the Real Server. Sample: Real Server 10.35.39.180:8010 created successfully
changed bool | always | A Boolean to indicate whether changes were made during the task. Sample: true
dataChanged str | when changed is true | The parameters that were changed during the task. Sample: {"Addr": "10.35.39.180", "Critical": "N", "DnsName": null, "Enable": "Y", "Follow": "0", "Forward": "nat"}
msg str | when task failed | The error message related to why the task failed. Sample: The minimum supported LoadMaster firmware version is 7.2.47.0.
4.5 Status
This module is maintained by Kemp Technologies.
5 Add LDAP Authentication on the LoadMaster
5.1 Synopsis
Module to add LDAP authentication on LoadMaster.
5.2 Parameters
Parameter | Choices/Defaults | Comments
lm_address str | | The IP address and port of the LoadMaster. The format is 'ip:port'.
central_address str | | The IP address of the Kemp 360 Central machine that the LoadMaster is added to.
username str | | The username of the Kemp 360 Central user.
api_key str | | The API key for the Kemp 360 Central machine.
name str | | The name of the LDAP service.
ldaptype str | Choices: | Specify the transport protocol to use when communicating with the LDAP server.
adminuser str | | The username that is used to check the LDAP server.
adminpass str | | The password that is used to check the LDAP server.
server str | | Specify the address, or addresses, of the LDAP server to be used. You can also specify a port number, if desired. Separate multiple addresses with a space.
vinterval str | | Specify how often to revalidate the user with the LDAP server. Range: 10 - 86400 seconds
referralcount str | | Multiple hops may increase authentication latency. There is a performance impact that depends on the number and depth of referrals required in your configuration. You must have intimate knowledge of your Active Directory structure to set the referral limit appropriately. The same credentials are used for all lookups, and so on. The use of Active Directory Global Catalog (GC) is the preferred configuration as the primary means of resolution instead of enabling LDAP referral chasing. A GC query can be used to query the GC cache instead of relying on LDAP and the referral process. Using Active Directory GC has little or no performance drag on the LoadMaster. For steps on how to add/remove the GC, refer to the following TechNet article: Add or Remove the Global Catalog.
timeout str | | Specify the LDAP server timeout in seconds. The default value is 5. Valid values range from 5 to 60.
5.3 Examples
- name: Create a small configuration for LoadMaster
  hosts: localhost
  vars:
    # Kemp 360 Central and LoadMaster connection details
    central_address: '10.35.60.27'
    central_username: 'admin'
    central_api_key: '7291f46c25094ee5edc8ef4bf54c3144050e2717'
    lm_address: '10.35.60.30'
    lm_port: '443'
    vs_ip: '10.35.60.123'
    vs_port: 443
    vs_prot: 'tcp'
    rs_ip: '10.35.60.112'
  tasks:
    - name: Set SSO LDAP
      sso_ldap:
        central_address: '{{ central_address }}'
        username: '{{ central_username }}'
        api_key: '{{ central_api_key }}'
        lm_address: '{{ lm_address }}'
        lm_port: '{{ lm_port }}'
        name: 'TestLdap'
        ldaptype: '2'
        server: 'ldap://10.35.23.154'
        vinterval: '240'
        adminuser: 'user123'
        adminpass: 'test'
        referralcount: 0
        timeout: 3600
5.4 Return Values
The following are the fields unique to this module:
Key | Returned | Description
message str | always | The message response indicating whether the task created or modified. Sample: LDAP auth was configured successfully
changed bool | always | A Boolean to indicate whether changes were made during the task. Sample: true
dataChanged | when changed is true | The error message related to why the task failed.
msg str | when task fails | The error message relating to why the task failed. Sample: The minimum supported LoadMaster firmware version is 7.2.47.0
5.5 Status
This module is maintained by Kemp Technologies.
6 Add or Modify an LDAP-based SSO on the LoadMaster
6.1 Synopsis
Module to add or modify an LDAP-based SSO on LoadMaster.
6.2 Parameters
Parameter | Choices/Defaults | Comments
lm_address str | | The IP address and port of the LoadMaster. The format is 'ip:port'.
central_address str | | The IP address of the Kemp 360 Central machine that the LoadMaster is added to.
username str | | The username of the Kemp 360 Central user.
api_key str | | The API key for the Kemp 360 Central machine.
domain str | | Set the name for the logon domain you are providing.
auth_type str | | Set the authentication type for the LoadMaster. For sso_ldap this can only be LDAP-Unencrypted.
ldap_endpoint str | | The name of an existing LDAP endpoint. Specify the LDAP endpoint to use.
logon_domain str | | This parameter corresponds with the Domain/Realm field in the WUI. This is the login domain to be used. This is also used with logon_fmt to construct the normalized user name.
logon_fmt str | Choices: | Specify the logon string format used to authenticate to the LDAP server.
logon_transcode str | Choices: | Enable or disable the transcode of logon credentials from ISO-8859-1 to UTF-8, when required.
ldapephc str | Choices: | Enable this parameter to use the LDAP endpoint admin username and password for the health check.
max_failed_auths str | | The maximum number of failed login attempts before the user is locked out. Range: 0-999
unblock_tout str | | The timeout value (in seconds) before a blocked account is automatically unblocked. This must be greater than the reset_fail_tout value.
sess_tout_type str | Choices: | Specify the type of session timeout to be used.
sess_tout_idle_pub str | | The session idle timeout value in seconds. This value is used in a public environment.
sess_tout_idle_priv str | | The session idle timeout value in seconds. This value is used in a private environment.
sess_tout_duration_priv str | | The maximum duration timeout value for the session in seconds. This value is used in a private environment.
6.3 Examples
- name: Create a small configuration for LoadMaster
  hosts: localhost
  vars:
    # Kemp 360 Central and LoadMaster connection details
    central_address: '10.35.60.27'
    central_username: 'admin'
    central_api_key: '7291f46c25094ee5edc8ef4bf54c3144050e2717'
    lm_address: '10.35.60.30'
    lm_port: '443'
    vs_ip: '10.35.60.123'
    vs_port: 443
    vs_prot: 'tcp'
    rs_ip: '10.35.60.112'
  tasks:
    - name: Set SSO LDAP
      sso_ldap:
        central_address: '{{ central_address }}'
        username: '{{ central_username }}'
        api_key: '{{ central_api_key }}'
        lm_address: '{{ lm_address }}'
        lm_port: '{{ lm_port }}'
        domain: 'TestLdap'
        ldap_endpoint: 'LDAP1'
        auth_type: 'LDAP-Unencrypted'
        logon_domain: 'logondomain'
        logon_fmt: 'Not Specified'
        logon_transcode: '0'
        max_failed_auths: '18'
        unblock_tout: '2020'
        sess_tout_idle_pub: '706'
        sess_tout_duration_pub: '700'
        sess_tout_idle_priv: '702'
        sess_tout_duration_priv: '700'
        sess_tout_type: 'idle time'
        ldapephc: '0'
        testuser: 'user123'
        testpass: 'test'
6.4 Return Values
Common return values are documented here; the following are the fields unique to this module:
Key | Returned | Description
message str | always | The message response indicating whether the task created or modified. Sample: Successfully updated SSO Parameters
changed bool | always | A Boolean to indicate whether changes were made during the task. Sample: true
dataChanged str | when changed is true | The parameters that were changed during the task.
msg str | when task fails | The error message relating to why the task failed. Sample: The minimum supported LoadMaster firmware version is 7.2.47.0
6.5 Status
This module is maintained by Kemp Technologies.
7 Add or Modify a RADIUS-based SSO on the LoadMaster
7.1 Synopsis
Module to add or modify a RADIUS based SSO on LoadMaster.
7.2 Parameters
Parameter | Choices/Defaults | Comments
lm_address str | | IP address and port of the LoadMaster. The format is 'ip:port'.
central_address str | | The IP address of the Kemp 360 Central that the LoadMaster is added to.
username str | | The username of the Kemp 360 Central user.
api_key str | | The API key for the Kemp 360 Central user.
domain str | | An identifier for the domain you are creating.
auth_type str | | The type of SSO domain this will be. For RADIUS this should be 'RADIUS'.
radius_shared_secret str | | The shared secret to be used between the RADIUS server and the LoadMaster.
radius_send_nas_id str | Choices: | If enabled, a NAS identifier string (radius_nas_id) is sent to the RADIUS server.
radius_nas_id str | | The Network Access Server (NAS) identifier string.
server str | | The address(es) of the server(s) to use to validate this domain. (IPv4 only)
logon_domain str | | The domain/realm used to construct the normalized username for login.
logon_fmt str | | Specify the logon string format used to authenticate to the LDAP/RADIUS server.
logon_fmt2 str | | Specify an alternate logon string format used to authenticate to the LDAP/RADIUS server.
logon_transcode str | Choices: | Enable or disable the transcode of logon credentials from ISO-8859-1 to UTF-8, when required.
max_failed_auths str | | The maximum number of failed login attempts before the user is locked out. Range: 0-999
unblock_tout str | | The timeout value (in seconds) before a blocked account is automatically unblocked. This must be greater than the reset_fail_tout value.
sess_tout_idle_pub str | | The session idle timeout value in seconds. This value is used in a public environment.
sess_tout_duration_pub str | | The maximum duration timeout value for the session in seconds. This value is used in a public environment.
sess_tout_idle_priv str | | The session idle timeout value in seconds. This value is used in a private environment.
sess_tout_duration_priv str | | The maximum duration timeout value for the session in seconds. This value is used in a private environment.
sess_tout_type str | Choices: | Specify the type of session timeout to be used.
reset_fail_count str | | The number of seconds that must elapse before the Failed Login Attempts counter is reset to 0. This value must be less than the unblock_tout.
7.3 Examples
- name: Create a small configuration for LoadMaster
  hosts: localhost
  vars:
    # Kemp 360 Central and LoadMaster connection details
    central_address: '10.35.60.27'
    central_username: 'admin'
    central_api_key: '7291f46c25094ee5edc8ef4bf54c3144050e2717'
    lm_address: '10.35.60.30'
    lm_port: '443'
    vs_ip: '10.35.60.123'
    vs_port: 443
    vs_prot: 'tcp'
    rs_ip: '10.35.60.112'
  tasks:
    - name: Set Radius SSO list
      sso_radius:
        central_address: '{{ central_address }}'
        username: '{{ central_username }}'
        api_key: '{{ central_api_key }}'
        lm_address: '{{ lm_address }}'
        lm_port: '{{ lm_port }}'
        domain: 'TestRadius'
        auth_type: 'RADIUS'
        server: '10.35.60.111'
        radius_shared_secret: 'def'
        radius_send_nas_id: '0'
        radius_nas_id: '1'
        logon_domain: 'domainTestABC'
        logon_fmt: 'Username Only'
        logon_fmt2: 'Principalname'
        logon_transcode: 0
        max_failed_auths: '1'
        unblock_tout: '71'
        sess_tout_idle_pub: '1301'
        sess_tout_duration_pub: '1301'
        sess_tout_idle_priv: '1302'
        sess_tout_duration_priv: '1302'
        sess_tout_type: 'idle time'
        reset_fail_count: '79'
        testuser: '123'
        testpass: '123'
7.4 Return Values
The following are the fields unique to this module:
Key | Returned | Description
message str | always | The message response indicating whether the SSO domain was created successfully.
changed bool | always | A Boolean to indicate whether changes were made during the task.
dataChanged str | when changed is true | The parameters that were changed during the task.
msg str | when task fails | The error message relating to why the task failed.
7.5 Status
This module is maintained by Kemp Technologies.
8 Add or Modify a RADIUS-LDAP-based SSO on the LoadMaster
8.1 Synopsis
Module to add or modify a RADIUS-LDAP based SSO on LoadMaster.
8.2 Parameters
Parameter | Choices/Defaults | Comments
lm_address str | | IP address and port of the LoadMaster. The format is 'ip:port'.
central_address str | | The IP address of the Kemp 360 Central machine that the LoadMaster is added to.
username str | | The username of the Kemp 360 Central user.
api_key str | | The API key of the Kemp 360 Central user.
domain str | | Set the name for the logon domain you are providing.
auth_type str | | Set the authentication type for the LoadMaster. For sso_radius this can only be RADIUS and LDAP-Unencrypted.
ldap_endpoint str | | The name of an existing LDAP endpoint. Specify the LDAP endpoint to use.
radius_shared_secret str | | The shared secret to be used between the RADIUS server and the LoadMaster.
radius_send_nas_id str | Choices: | If this parameter is disabled (default), a NAS identifier is not sent to the RADIUS server. If it is enabled, a Network Access Server (NAS) identifier string is sent to the RADIUS server. By default, this is the hostname. Alternatively, if a value is specified in the radius_nas_id parameter, this value is used as the NAS identifier. If the NAS identifier cannot be added, the RADIUS access request is still processed. This field is only available if the auth_type is set to a RADIUS option.
radius_nas_id str | | If the radius_send_nas_id parameter is enabled, the radius_nas_id parameter is relevant. When specified, this value is used as the NAS identifier. Otherwise, the hostname is used as the NAS identifier. If the NAS identifier cannot be added, the RADIUS access request is still processed. This parameter is only relevant if the auth_type is set to a RADIUS option and the radius_send_nas_id parameter is enabled.
server str | | The address (or addresses) of the server(s) that are to be used to validate this domain. IPv6 is not supported for RADIUS authentication.
ldapephc str | Choices: | Enable this parameter to use the LDAP endpoint admin username and password for the health check.
testuser str | | The username to check the authentication server(s), if you are not using an LDAP endpoint.
testpass str | | The password of the user to check the authentication server(s), if you are not using an LDAP endpoint.
logon_domain str | | This parameter corresponds with the Domain/Realm field in the WUI. The login domain to be used. This is also used with logon format to construct the normalized user name.
logon_fmt str | Choices: | Specify the logon string format used to authenticate to the LDAP server.
logon_transcode str | Choices: | Enable or disable the transcode of logon credentials from ISO-8859-1 to UTF-8, when required.
max_failed_auths str | Choices: | The maximum number of failed login attempts before the user is locked out.
unblock_tout str | | The timeout value (in seconds) before a blocked account is automatically unblocked. This must be greater than the reset_fail_tout value.
sess_tout_idle_pub str | | The session idle timeout value in seconds. This value is used in a public environment.
sess_tout_duration_pub str | | The maximum duration timeout value for the session in seconds. This value is used in a public environment.
sess_tout_idle_priv str | | The session idle timeout value in seconds. This value is used in a private environment.
sess_tout_duration_priv str | | The maximum duration timeout value for the session in seconds. This value is used in a private environment.
sess_tout_type str | Choices: | Specify the type of session timeout to be used.
reset_fail_tout int | | The number of seconds that must elapse before the Failed Login Attempts counter is reset to 0. This value must be less than the unblock_tout. Range: 60-86400
8.3 Examples
- name: Create a small configuration for LoadMaster
  hosts: localhost
  vars:
    # Kemp 360 Central and LoadMaster connection details
    central_address: '10.35.60.27'
    central_username: 'admin'
    central_api_key: '7291f46c25094ee5edc8ef4bf54c3144050e2717'
    lm_address: '10.35.60.30'
    lm_port: '443'
    vs_ip: '10.35.60.123'
    vs_port: 443
    vs_prot: 'tcp'
    rs_ip: '10.35.60.112'
  tasks:
    - name: Set Radius LDAP SSO
      sso_radius_ldap:
        central_address: '{{ central_address }}'
        username: '{{ central_username }}'
        api_key: '{{ central_api_key }}'
        lm_address: '{{ lm_address }}'
        lm_port: '{{ lm_port }}'
        domain: 'TestLdapRadius'
        auth_type: 'RADIUS and LDAP-Unencrypted'
        ldap_endpoint: 'LDAP1'
        radius_shared_secret: 'def'
        radius_send_nas_id: '1'
        radius_nas_id: 'ABC123'
        server: '10.35.60.111'
        ldapephc: '0'
        testuser: 'user123'
        testpass: 'test'
        logon_domain: 'domainTestABC'
        logon_fmt: 'Username Only'
        logon_fmt2: 'Username'
        logon_transcode: '0'
        max_failed_auths: '1'
        unblock_tout: '70'
        sess_tout_idle_pub: '701'
        sess_tout_duration_pub: '1201'
        sess_tout_idle_priv: '702'
        sess_tout_duration_priv: '1202'
        sess_tout_type: 'idle time'
        reset_fail_tout: '95'
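The lockout settings in the SSO parameter tables depend on each other: max_failed_auths has a stated range of 0-999, reset_fail_tout a stated range of 60-86400, and reset_fail_tout must be less than unblock_tout. The check below is an added example, not part of Kemp's modules; the function names and sample values are constructed, and treating section 7's reset_fail_count as the same setting as reset_fail_tout is an assumption.

```python
"""Pre-flight check for SSO lockout parameters (added example, not Kemp code)."""

# Ranges stated in this guide's SSO parameter tables.
RANGES = {
    "max_failed_auths": (0, 999),
    "reset_fail_tout": (60, 86400),
}
# Assumption: section 7's reset_fail_count is the same timer as reset_fail_tout.
ALIASES = {"reset_fail_count": "reset_fail_tout"}
CHECKED = set(RANGES) | {"unblock_tout"}


def check_sso_lockout(params):
    """Return a list of findings for one SSO task's parameter dict."""
    findings = []
    values = {}
    for given_name, raw in params.items():
        name = ALIASES.get(given_name, given_name)
        if name not in CHECKED:
            continue
        # The modules document these as strings, so coerce before comparing.
        try:
            number = int(str(raw).strip())
        except ValueError:
            findings.append(f"{given_name}: {raw!r} is not a whole number")
            continue
        values[name] = number
        if name in RANGES:
            low, high = RANGES[name]
            if not low <= number <= high:
                findings.append(f"{given_name}: {number} is outside {low}-{high}")

    # Cross-field rule: the block must outlast the failure-counter reset.
    reset = values.get("reset_fail_tout")
    unblock = values.get("unblock_tout")
    if reset is not None and unblock is not None and unblock <= reset:
        findings.append(
            f"unblock_tout ({unblock}) must be greater than reset_fail_tout ({reset})"
        )
    return findings


# Constructed sample task parameters (not taken from a real deployment).
SAMPLE_TASKS = {
    "consistent": {
        "max_failed_auths": "5", "reset_fail_tout": "120", "unblock_tout": "1800",
    },
    "reset_outlives_block": {
        "max_failed_auths": "5", "reset_fail_tout": "600", "unblock_tout": "300",
    },
    "out_of_range": {
        "max_failed_auths": "1000", "reset_fail_count": "30", "unblock_tout": "1800",
    },
    "not_numeric": {"max_failed_auths": "five", "unblock_tout": "1800"},
}


def check_all(tasks):
    """Map each task label to its list of findings."""
    return {label: check_sso_lockout(params) for label, params in tasks.items()}


if __name__ == "__main__":
    for label, findings in check_all(SAMPLE_TASKS).items():
        print(label, "->", findings or "ok")
```

Running a check like this on the task parameters before the playbook is pushed through Kemp 360 Central catches a lockout window that is shorter than the counter reset.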
8.4 Return Values
The following are the fields unique to this module:
Key | Returned | Description
message str | always | The message response indicating whether the task created or modified. Sample: Successfully updated SSO Parameters
changed bool | always | A Boolean to indicate whether changes were made during the task. Sample: true
msg str | when task fails | The error message relating to why the task failed. Sample: The minimum supported LoadMaster firmware version is 7.2.47.0
8.5 Status
This module is maintained by Kemp Technologies.
9 Add or Modify a Certificate-based SSO on the LoadMaster
9.1 Synopsis
Module to add or modify a certificate-based SSO on LoadMaster.
9.2 Parameters
Parameter | Choices/Defaults | Comments
lm_address str | | The IP address and port of the LoadMaster. The format is 'ip:port'.
central_address str | | The IP address of the Kemp 360 Central machine that the LoadMaster is added to.
username str | | The username of the Kemp 360 Central user.
api_key str | | The API key for the Kemp 360 Central machine.
domain str | | An identifier for the domain you are creating.
logon_domain str | | The domain/realm used to construct the normalized username for login.
auth_type str | | The type of SSO domain this will be. For RADIUS this should be 'RADIUS'.
logon_fmt str | | Specify the logon string format used to authenticate to the LDAP/RADIUS server.
logon_fmt2 str | | Specify an alternate logon string format used to authenticate to the LDAP/RADIUS server.
logon_transcode bool | Choices: | Enable or disable the transcode of logon credentials from ISO-8859-1 to UTF-8, when required.
reset_fail_tout str | | The number of seconds that must elapse before the Failed Login Attempts counter is reset to 0. This value must be less than the unblock_tout.
unblock_tout str | | The timeout value (in seconds) before a blocked account is automatically unblocked. This must be greater than the reset_fail_tout value.
max_failed_auths int | | The maximum number of failed login attempts before the user is locked out. (0-999)
sess_tout_idle_pub str | | The session idle timeout value in seconds. This value is used in a public environment.
sess_tout_duration_pub str | | The maximum duration timeout value for the session in seconds. This value is used in a public environment.
sess_tout_idle_priv str | | The session idle timeout value in seconds. This value is used in a private environment.
sess_tout_duration_priv str | | The maximum duration timeout value for the session in seconds. This value is used in a private environment.
sess_tout_type str | Choices: | Specify the type of session timeout to be used.
9.3 Example
- name: Create a small configuration for LoadMaster
  hosts: localhost
  vars:
    # Kemp 360 Central and LoadMaster connection details
    central_address: '10.35.60.27'
    central_username: 'admin'
    central_api_key: '7291f46c25094ee5edc8ef4bf54c3144050e2717'
    lm_address: '10.35.60.30'
    lm_port: '443'
    vs_ip: '10.35.60.123'
    vs_port: 443
    vs_prot: 'tcp'
    rs_ip: '10.35.60.112'
  tasks:
    - name: Set SSO Certificates list
      sso_certificate:
        central_address: '{{ central_address }}'
        username: '{{ central_username }}'
        api_key: '{{ central_api_key }}'
        lm_address: '{{ lm_address }}'
        lm_port: '{{ lm_port }}'
        domain: 'TestCert'
        ldap_endpoint: 'LDAP1'
        auth_type: 'Certificates'
        ldapephc: '0'
        logon_domain: 'test'
        logon_fmt: 'Not Specified'
        logon_transcode: '1'
        max_failed_auths: '18'
        unblock_tout: '4022'
        sess_tout_idle_pub: '503'
        sess_tout_duration_pub: '303'
        sess_tout_idle_priv: '903'
        sess_tout_duration_priv: '503'
        sess_tout_type: 'max duration'
        reset_fail_tout: '63'
        cert_check_asi: '1'
        cert_check_cn: '1'
        testuser: 'user123'
        testpass: 'test'
9.4 Return Values
The following are the fields unique to this module:
Key | Returned | Description
message str | always | The message response indicating whether the SSO data was updated. Sample: Successfully updated SSO Parameters
changed bool | always | A Boolean to indicate whether changes were made during the task. Sample: true
msg str | when task fails | The error message relating to why the task failed. Sample: Could not update SSO
9.5 Status
This module is maintained by Kemp Technologies.
10 Add or Modify a SAML-based SSO on the LoadMaster
10.1 Synopsis
Module to add or modify a SAML-based SSO on LoadMaster. The minimum supported LoadMaster firmware version is 7.2.47.0.
10.2 Parameters
Parameter | Choices/Defaults | Comments
lm_address str | | IP address and port of the LoadMaster. The format is 'ip:port'.
central_address str | | The IP address of the Kemp 360 Central machine that the LoadMaster is added to.
username str | | The username of the Kemp 360 Central user.
api_key str | | The API key for the Kemp 360 Central user.
domain str | | Set the name for the logon domain you are providing.
auth_type str | | Set the authentication type for the LoadMaster. For sso_saml this can only be SAML.
idp_entity_id str | | Specify the Identity Service Provider (IdP) Entity ID.
idp_sso_url str | | Specify the IdP Single Sign On (SSO) URL.
idp_cert str | | Specify the IdP certificate to use for verification processing.
sp_cert str | | It is optional to sign requests that are sent in the context of logon. Currently, the LoadMaster does not sign those requests. In the context of log off requests, signing is mandatory and these requests must be signed. This is to avoid any spoofing and to provide extra security in relation to log off functionality. This ensures that users are not being hacked and not being logged off unnecessarily. In the sp_cert parameter, you can choose to use a self-signed certificate or third party certificate to perform the signing. To specify a self-signed certificate, set sp_cert to useselfsigned. To use a third party certificate, specify the name of the certificate to use (this certificate must be uploaded to the intermediate certificate section of the LoadMaster before it can be selected).
sp_entity_id str | | The Service Provider (SP) entity ID is an identifier that is shared to enable the IdP to understand, accept, and have knowledge of the entity when request messages are sent from the LoadMaster. This must correlate to the identifier of the relying party on the AD FS server.
sess_tout_idle_pub str | | The session idle timeout value in seconds. This value is used in a public environment.
sess_tout_duration_pub str | | The maximum duration timeout value for the session in seconds. This value is used in a public environment.
sess_tout_type str | Choices: | Specify the type of session timeout to be used.
idp_match_cert str | Choices: | If this option is enabled, the IdP certificate assigned must match the certificate in the IdP SAML response.
10.3 Examples
- name: Create a small configuration for LoadMaster
  hosts: localhost
  vars:
    # Kemp 360 Central and LoadMaster connection details
    central_address: '10.35.34.2'
    central_username: 'admin'
    central_api_key: 'b54058156b44a6ac818d58e6bc92b3ce57f17aa3'
    lm_address: '10.35.34.134'
    lm_port: '443'
    vs_ip: '10.35.60.123'
    vs_port: 443
    vs_prot: 'tcp'
    rs_ip: '10.35.60.112'
  tasks:
    - name: Set SAML SSO list
      sso_saml:
        central_address: '{{ central_address }}'
        username: '{{ central_username }}'
        api_key: '{{ central_api_key }}'
        lm_address: '{{ lm_address }}'
        lm_port: '{{ lm_port }}'
        domain: 'TestSaml'
        auth_type: 'SAML'
        idp_entity_id: 'test_abc123'
        idp_sso_url: 'https://www.def.com/url/abc123'
        idp_logoff_url: 'https://www.def.com/url/logoff123'
        idp_cert: '1'
        sp_cert: '38FCF8174F0E9FCF1318FC5758E8F5BC5BD6EA6D'
        sp_entity_id: '09876'
        sess_tout_idle_pub: '802'
        sess_tout_duration_pub: '1200'
        sess_tout_type: 'idle time'
        idp_match_cert: '0'
10.4 Return Values
Common return values are documented here; the following are the fields unique to this module:
Key | Returned | Description
message str | always | The message response indicating whether the SSO data was updated. Sample: Successfully updated SSO Parameters
changed bool | always | A Boolean to indicate whether changes were made during the task. Sample: true
msg str | when task fails | The error message relating to why the task failed. Sample: Could not update SSO
10.5 Status
This module is maintained by Kemp Technologies.
11 Add GEO FQDN Data
11.1 Synopsis
Module to add GEO FQDN data on the LoadMaster.
11.2 Parameters
Parameter | Choices/Defaults | Comments
central_api_key str | | The API key for the user of the Kemp 360 Central machine.
central_address str | | The Kemp 360 Central IP address.
central_username str | | The username of the Kemp 360 Central user.
lm_address str | | The IP address of the LoadMaster that is attached to Kemp 360 Central.
lm_port int | | The port of the LoadMaster.
fqdn str | | The FQDN to be added or edited on the LoadMaster.
fail_over int | | This parameter is only relevant if the selection criteria is set to Location Based.
selection_criteria str | Choices: | The selection criteria for addresses associated with the FQDN.
fail_time int | | If a failure delay is not set, normal health checking is performed. If set, this parameter defines the number of minutes to wait after a failure before finally disabling it.
site_recovery_mode str | Choices: | If this is set to automatic, upon site recovery the site is brought back into operation immediately. If this is set to manual, once the site has failed, the site is disabled. Manual intervention is required to restore normal operation.
public_request_value int | Choices: | Restrict responses to clients from public IP addresses to specific classes of site. Here is an explanation of the different settings and their values:
private_request_value int | Choices: | Restrict responses to clients from private IP addresses to specific classes of site. Here is an explanation of the different settings and their values:
local_settings int | Choices: | Enabling this parameter provides two additional parameters for the FQDN - local_ttl and local_sticky.
local_ttl int | | The Time To Live (TTL) value dictates how long the reply from the GEO LoadMaster can be cached by other DNS servers or client devices. The time interval is defined in seconds. This value should be as practically low as possible. The default value for this field is 10. Defaults to the value of the global ttl value when an FQDN is created. Range: 1 to 86400
local_sticky int | | Stickiness, also known as persistence, is the property that enables all name resolution requests from an individual client to be sent to the same resources until a specified period of time has elapsed.
unanimous_checks int | Choices: | When this parameter is enabled, if any IP addresses fail health checking - the other FQDN IP addresses which belong to the same cluster will be forced down.
11.3 Examples
- name: Add FQDN to LoadMaster
  hosts: localhost
  vars:
    central_address: '10.35.53.100'
    lm_address: '10.35.53.101'
    lm_port: 443
    username: 'admin'
    api_key: '699129a26ace3fcd34466a4cc'
    domain: 'example.com'
  tasks:
    - name: Add FQDN to LoadMaster
      geo_fqdn:
        lm_address: '{{ lm_address }}'
        lm_port: '{{ lm_port }}'
        central_address: '{{ central_address }}'
        central_username: '{{ username }}'
        central_api_key: '{{ api_key }}'
        fqdn: '{{ domain }}'
        selection_criteria: 'wrr'
        fail_time: 50
        site_recovery_mode: 'auto'
        # local_ttl and local_sticky apply only when local_settings is enabled
        local_settings: 1
        local_ttl: 302
        local_sticky: 304
        unanimous_checks: 1
11.4 Return Values
The following are the fields unique to this module:
Key | Returned | Description |
message str | always | The message response indicating whether the GEO FQDN data was updated. Sample: Successfully updated FQDN Parameters |
changed bool | always | A Boolean to indicate whether changes were made during the task. Sample: true |
msg str | when task fails | The error message relating to why the task failed. Sample: Could not update FQDN, ... |
11.5 Status
This module is maintained by Kemp Technologies.
12 Update GEO Maps and Clusters
12.1 Synopsis
Module to update GEO maps and cluster data on the LoadMaster.
12.2 Parameters
Parameter | Choices/Defaults | Comments |
central_api_key str | | The API key for the user of the Kemp 360 Central machine. |
central_address str | | The IP address of Kemp 360 Central. |
central_username str | | The username of the Kemp 360 Central user. |
lm_address str | | The IP address of the LoadMaster attached to Kemp 360 Central. |
lm_port int | | The LoadMaster port that is attached to Kemp 360 Central. |
fqdn str | | The FQDN of the GEO configuration. |
cluster_ip str | | The cluster IP address to be set. |
cluster_name str | | The cluster nickname to be set. |
cluster_type str | Choices: | The type of cluster. |
cluster_checker str | Choices: | Specify the method used to check the status of the cluster. |
cluster_checker_port int | | Specify the port of the cluster. |
cluster_enable int | Choices: | Enable or disable the cluster. |
cluster_latitude_seconds int | | The latitude of the cluster. |
cluster_longitude_seconds int | | The longitude of the cluster. |
map_ip str | | The IP address of the cluster. |
map_checker str | Choices: | The type of checking to do on the map. |
map_weight int | | The weight of the map. |
map_address str | | The map IP address to check. |
map_port int | | The map port to be addressed. |
map_enable int | Choices: | Enable or disable the map. |
map_latitude_seconds str | | The map latitude. |
map_longitude_seconds str | | The map longitude. |
checker_ip str | | Specify the address used to health check the IP address. |
checker_port str | | The address port used to health check the IP address. |
country_code str | | The country code. |
is_continent int | Choices: | When dealing with a country, the is_continent parameter must be set to 0. When adding a continent, the is_continent parameter must be set to 1. |
custom_location str | | The custom location. |
12.3 Examples
- name: Test general geo parameters
  hosts: localhost
  vars:
    central_address: '10.35.53.50'
    central_username: 'Admin'
    central_api_key: '32e0513423f2df63ce7afd5cf5fdb5eda448eb9c'
    lm_address: '10.35.53.6'
    lm_port: '443'
    domain: 'www.example.com'
  tasks:
    - name: GEO map Example
      geo_misc:
        central_address: '{{ central_address }}'
        central_username: '{{ central_username }}'
        central_api_key: '{{ central_api_key }}'
        lm_address: '{{ lm_address }}'
        lm_port: '{{ lm_port }}'
        fqdn: '{{ domain }}'
        # Cluster settings
        cluster_ip: '10.35.53.100'
        cluster_type: 'default'
        cluster_name: 'Cluster'
        cluster_checker: 'tcp'
        cluster_checker_port: 8080
        cluster_enable: 1
        cluster_latitude_seconds: 360
        cluster_longitude_seconds: 360
        # Map settings
        map_ip: '10.35.53.101'
        map_enable: 1
        map_checker: 'tcp'
        map_weight: 500
        checker_ip: '10.35.53.190'
        checker_port: 7893
        country_code: 'IE'
        is_continent: 0
12.4 Return Values
The following are the fields unique to this module:
Key | Returned | Description |
message str | always | The message response indicating whether the task created or modified the GEO map or cluster. Sample: Map cluster and data updated |
changed bool | always | A Boolean to indicate whether changes were made during the task. Sample: true |
dataChanged str | when changed is true | The parameters that were changed during the task. |
msg str | when task fails | The error message relating to why the task failed. Sample: Could not update cluster and map data |
12.5 Status
This module is maintained by Kemp Technologies.
13 Update GEO Miscellaneous Options and GEO Partnership
13.1 Synopsis
Module to update GEO miscellaneous options and GEO partnership.
13.2 Parameters
Parameter | Choices/Defaults | Comments |
central_api_key str | | The API key for the user of the Kemp 360 Central machine. |
central_address str | | The Kemp 360 Central IP address. |
central_username str | | The username of the Kemp 360 Central user. |
lm_address str | | The IP address of the LoadMaster that is attached to Kemp 360 Central. |
lm_port int | | The port of the LoadMaster IP address. |
zone str | | Specify the zone name. |
source_of_authority str | | The response set for Source of Authority requests. |
soa_email str | | Email address of the person responsible for the zone and to which email may be sent to report errors or problems. This is the email address of a suitable DNS administrator but more commonly the technical contact for the domain. |
name_server str | | Set the response sent for Name Server requests. |
ttl int | | Set the Time To Live (TTL) (in seconds). |
persist int | | This corresponds with the Stickiness WUI field. This determines how long (in seconds) a specific response will be returned to a host. |
check_interval int | | Set how often (in seconds) that devices will be checked. |
conn_timeout int | | Set the timeout (in seconds) for the check request. |
retry_attempts int | | Set the number of times the check will be retried before the device is marked as failed. Range: 2-10 |
ip_range list | | The IP range data to be added. This must include the CIDR number per IP range. |
latitude str | | Latitude data to be added to the IP range. |
longtitude str | | Longitude data to be added to the IP range. |
country_code str | | Country code data to be added to the IP range. |
custom_location str | | Custom location data to be added to the IP range. |
white_list list | | White list of allowed IP ranges. |
algorithm str | Choices: | The algorithm to be used in DNS. |
key_size int | Choices: | The key size to be used in DNS. |
dns_enable int | Choices: | Enable or disable DNS in GEO. |
geo_clients list | | Set the addresses of the GEO LoadMasters which can retrieve service status information from the LoadMaster. |
geo_partners list | | Set the IP address of the GEO LoadMaster partner(s). These GEO LoadMasters will keep their DNS configurations in sync. |
geo_ssh_port int | | The port over which GEO LoadMasters will communicate with each other. |
geo_ssh_interface int | | Specify the ID of the GEO interface in which the SSH partner tunnel is created, for example, setting this to 0 means the interface eth0. |
13.3 Examples
- name: Add FQDN to LoadMaster
  hosts: localhost
  vars:
    central_address: '10.35.53.100'
    lm_address: '10.35.53.101'
    lm_port: 443
    username: 'admin'
    api_key: '699129a26ace3fcd34466a4cc'
  tasks:
    - name: Add FQDN to LoadMaster
      geo_fqdn:
        lm_address: '{{ lm_address }}'
        lm_port: '{{ lm_port }}'
        central_address: '{{ central_address }}'
        central_username: '{{ username }}'
        central_api_key: '{{ api_key }}'
        # GEO LoadMasters allowed to retrieve service status information
        geo_clients: ['10.35.53.200']
        # GEO partners that keep their DNS configurations in sync
        geo_partners: ['10.35.53.220']
        geo_ssh_port: 22
13.4 Return Values
The following are the fields unique to this module:
Key | Returned | Description |
message str | always | The message response indicating whether the miscellaneous data was updated. Sample: Successfully updated MISC Parameters |
changed bool | always | A Boolean to indicate whether changes were made during the task. Sample: true |
msg str | when task fails | The error message relating to why the task failed. Sample: Could not update MISC, ... |
13.5 Status
This module is maintained by Kemp Technologies.
14 Upload a Certificate and Key on a LoadMaster
14.1 Synopsis
This module uploads a certificate and key to a LoadMaster. A certificate and key must be in the same file being uploaded. A certificate upload must be defined in your playbook before being assigned to a Virtual Service.
14.2 Parameters
Parameter | Choices/Defaults | Comments |
api_key str/required | | The API key for the user of the Kemp 360 Central machine. |
central_address str/required | | The IP address of the Kemp 360 Central that the LoadMaster is added to. |
cert_name str/required | | The name of the identifier of the cert to upload or replace. |
cert_file str/required | | Path to the file where the key and cert are stored. This must have both key and cert in the same file. |
replace int/required | Choices: | A Boolean to upload the cert to replace the current cert. |
username int/required | | The Kemp 360 Central username. |
intermediate int | Choices: | A Boolean to specify if the cert is an intermediate or not. |
14.3 Example
- name: Upload a certificate to the LoadMaster
  hosts: localhost
  vars:
    central_address: '10.35.39.21'
    lm_address: '10.35.39.20:443'
    username: 'admin'
    api_key: '699129a26ace3fcd34466a4cc'
  tasks:
    - name: Upload a certificate to the LoadMaster
      cert_management:
        lm_address: '{{ lm_address }}'
        central_address: '{{ central_address }}'
        cert_name: 'cert'
        # The file must contain both the key and the certificate
        cert_file: '/path/to/cert/test.pem'
        replace: 0
        username: '{{ username }}'
        api_key: '{{ api_key }}'
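The upload task handles two secrets: the Kemp 360 Central API key and a file that contains a private key. The following variant is an added illustration, not Kemp's own example; it reads the API key from the environment, checks the file mode before uploading, and suppresses task logging. The KEMP_API_KEY variable name and the accepted file modes are assumptions.

```yaml
- name: Upload a certificate without storing secrets in the playbook
  hosts: localhost
  vars:
    central_address: '10.35.39.21'
    lm_address: '10.35.39.20:443'
    username: 'admin'
    # Assumption: the key is exported as KEMP_API_KEY before the run.
    # lookup('env', ...) returns an empty string when the variable is unset.
    api_key: "{{ lookup('env', 'KEMP_API_KEY') }}"
    cert_file: '/path/to/cert/test.pem'
  tasks:
    - name: Stop if the API key was not supplied
      ansible.builtin.assert:
        that:
          - api_key | length > 0
        fail_msg: 'KEMP_API_KEY is not set'
      no_log: true

    - name: Read the permissions of the combined key and certificate file
      ansible.builtin.stat:
        path: '{{ cert_file }}'
      register: pem

    - name: Stop if the file is missing or readable by group or others
      ansible.builtin.assert:
        that:
          - pem.stat.exists
          # Assumed policy: owner-only read or read/write
          - pem.stat.mode in ['0600', '0400']
        fail_msg: '{{ cert_file }} must exist with mode 0600 or 0400'

    - name: Upload a certificate to the LoadMaster
      cert_management:
        lm_address: '{{ lm_address }}'
        central_address: '{{ central_address }}'
        cert_name: 'cert'
        cert_file: '{{ cert_file }}'
        replace: 0
        username: '{{ username }}'
        api_key: '{{ api_key }}'
      # Keeps the API key out of console output and logs
      no_log: true
```

With no_log set, the module's message and msg return values are hidden as well, so remove it temporarily when troubleshooting a failed upload.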
14.4 Return Values
Common return values are documented here; the following are the fields unique to this module:
Key | Returned | Description |
message str | always | The message response indicating whether the certificate was uploaded. Sample: Certificate uploaded to LoadMaster |
changed bool | always | A Boolean to indicate whether changes were made during the task. Sample: true |
msg str | when task failed | The error message related to why the task failed. Sample: Could not add Certificate to LM - Command Failed: Certificate Identifier already exists |
14.5 Status
This module is maintained by Kemp Technologies.
15 Add or Modify a Header Rule
15.1 Synopsis
This module adds or modifies addHeaderRules on a LoadMaster. The minimum supported LoadMaster firmware version is 7.2.47.0. Rules must be defined in your playbook before being assigned to Virtual Services, SubVSs, and Real Servers.
15.2 Parameters
Parameter | Choices/Defaults | Comments |
lm_address str/required | | The IP address and port of the LoadMaster. The format is 'ip:port'. |
central_address str/required | | The IP address of the Kemp 360 Central that the LoadMaster is added to. |
username str/required | | The Kemp 360 Central username. |
api_key str/required | | The API key for the user of the Kemp 360 Central machine. |
name str/required | | The name of the AddHeaderRule. |
header str/required | | The name of the header field to be added. |
replacement str/required | | The replacement string. You can enter a maximum of 255 characters in this parameter. |
only_on_flag int | | Range: 1-9. Only try to execute this rule if the specified flag is set. Using the only_on_flag and set_on_match parameters, it is possible to make rules dependent on each other, that is, only execute a particular rule if another rule has been successfully matched. |
15.3 Examples
- name: Create AddHeaderRule
  hosts: localhost
  vars:
    central_address: '10.35.39.21'
    lm_address: '10.35.39.20:443'
    username: 'admin'
    api_key: '699129a26ace3fcd34466a4cc'
  tasks:
    - name: Create AddHeaderRule
      add_header_rule:
        lm_address: '{{ lm_address }}'
        central_address: '{{ central_address }}'
        username: '{{ username }}'
        api_key: '{{ api_key }}'
        name: 'addHeaderRule1'
        # Header field to add and the value to give it
        header: 'name'
        replacement: 'username'
15.4 Return Values
The following are the fields unique to this module:
Key | Returned | Description |
message str | always | The message response indicating whether the task created or modified the rule. Sample: AddHeaderRule with name addHeaderRule1 was created successfully |
changed bool | always | A Boolean to indicate whether changes were made during the task. Sample: true |
dataChanged str | when changed is true | The parameters that were changed during the task. Sample: {"Header": "name","HeaderValue": "username","Name": "addHeaderRule1"} |
msg str | when task failed | The error message related to why the task failed. Sample: The minimum supported LoadMaster firmware version is 7.2.47.0. |
15.5 Status
This module is maintained by Kemp Technologies.
16 Delete Header Rule
16.1 Synopsis
This module adds or modifies a deleteHeaderRule on a LoadMaster. The minimum supported LoadMaster firmware version is 7.2.47.0. Rules must be defined in your playbook before being assigned to Virtual Services, SubVS, and Real Servers.
16.2 Parameters
Parameter | Choices/Defaults | Comments |
lm_address str/required | | The IP address and port of the LoadMaster. The format is 'ip:port'. |
central_address str/required | | The IP address of the Kemp 360 Central that the LoadMaster is added to. |
username str/required | | The Kemp 360 Central username. |
api_key str/required | | The API key for the user of the Kemp 360 Central machine. |
name str/required | | The name of the DeleteHeaderRule. |
pattern str | | The pattern to be matched. |
only_on_flag int | | Range: 1-9. Only try to execute this rule if the specified flag is set. Using the only_on_flag and set_on_match parameters, it is possible to make rules dependent on each other, that is, only execute a particular rule if another rule has been successfully matched. |
16.3 Examples
- name: Create DeleteHeaderRule
  hosts: localhost
  vars:
    central_address: '10.35.39.21'
    lm_address: '10.35.39.20:443'
    username: 'admin'
    api_key: '699129a26ace983fcd34466a4cc'
  tasks:
    - name: Create DeleteHeaderRule
      delete_header_rule:
        lm_address: '{{ lm_address }}'
        central_address: '{{ central_address }}'
        username: '{{ username }}'
        api_key: '{{ api_key }}'
        name: 'deleteHeaderRule1'
        # Pattern to be matched
        pattern: '^((http[s]?|ftl):\/)$'
16.4 Return Values
The following are the fields unique to this module:
Key | Returned | Description |
message str | always | The message response indicating whether the task created or modified the rule. Sample: DeleteHeaderRule with name deleteHeaderRule1 was created successfully |
changed bool | always | A Boolean to indicate whether changes were made during the task. Sample: true |
dataChanged str | when changed is true | The parameters that were changed during the task. Sample: {"Name": "deleteHeaderRule1", "Pattern": "^((http[s]?|ftl):\\/)$"} |
msg str | when task failed | The error message related to why the task failed. Sample: The minimum supported LoadMaster firmware version is 7.2.47.0. |
16.5 Status
This module is maintained by Kemp Technologies.
17 Replace Body Rule
17.1 Synopsis
This module adds or modifies a replaceBodyRule on a LoadMaster. The minimum supported LoadMaster firmware version is 7.2.47.0. Rules must be defined in your playbook before being assigned to Virtual Services, SubVS, and Real Servers.
17.2 Parameters
Parameter | Choices/Defaults | Comments |
lm_address str/required | | The IP address of the LoadMaster. |
lm_port str | | The port of the LoadMaster. |
central_address str/required | | The IP address of the Kemp 360 Central that the LoadMaster is added to. |
username str/required | | The Kemp 360 Central username. |
api_key str/required | | The API key for the user of the Kemp 360 Central machine. |
name str/required | | The name of the ReplaceBodyRule. |
replacement str/required | | The replacement string. |
pattern str | | The pattern to be matched. |
only_on_flag int | | Range: 1-9. Only try to execute this rule if the specified flag is set. Using the only_on_flag and set_on_match parameters, it is possible to make rules dependent on each other, that is, only execute a particular rule if another rule has been successfully matched. |
case_independent int | Choices: | Enable this parameter to ignore the case of the strings when comparing. |
17.3 Examples
- name: Create ReplaceBodyRule
  hosts: localhost
  vars:
    central_address: '10.35.39.21'
    lm_address: '10.35.39.20:443'
    username: 'admin'
    api_key: '699129a26acd34466a4cc'
  tasks:
    - name: Create ReplaceBodyRule
      replace_body_rule:
        lm_address: '{{ lm_address }}'
        central_address: '{{ central_address }}'
        username: '{{ username }}'
        api_key: '{{ api_key }}'
        name: 'replaceBodyRule1'
        case_independent: 1
        replacement: 'username'
        pattern: '^((http[s]?|ftl):\/)$'
17.4 Return Values
The following are the fields unique to this module:
Key | Returned | Description |
message str | always | The message response indicating whether the task created or modified the rule. Sample: ReplaceBodyRule with name replaceBodyRule1 was created successfully |
changed bool | always | A Boolean to indicate whether changes were made during the task. Sample: true |
dataChanged str | when changed is true | The parameters that were changed during the task. Sample: {"CaseIndependent": "N","Name": "replaceBodyRule1","Pattern": "^((http[s]?|ftl):\\/)$","Replacement": "username"} |
msg str | when task failed | The error message related to why the task failed. Sample: The minimum supported LoadMaster firmware version is 7.2.47.0. |
17.5 Status
This module is maintained by Kemp Technologies.
18 Replace Header Rule
18.1 Synopsis
This module adds or modifies a replaceHeaderRule to a LoadMaster. The minimum supported LoadMaster firmware version is 7.2.47.0. Rules must be defined in your playbook before being assigned to Virtual Services, SubVS, and Real Servers.
18.2 Parameters
Parameter | Choices/Defaults | Comments |
lm_address str/required | | The IP address of the LoadMaster. |
lm_port str | | The port of the LoadMaster. |
central_address str/required | | The IP address of the Kemp 360 Central that the LoadMaster is added to. |
username str/required | | The Kemp 360 Central username. |
api_key str/required | | The API key for the user of the Kemp 360 Central machine. |
name str/required | | The name of the ReplaceHeaderRule. |
header str | | The header field name where the substitution should be performed. |
replacement str/required | | The replacement string. |
pattern str | | The pattern to be matched. |
only_on_flag int | | Range: 1-9. Only try to execute this rule if the specified flag is set. Using the only_on_flag and set_on_match parameters, it is possible to make rules dependent on each other, that is, only execute a particular rule if another rule has been successfully matched. |
18.3 Examples
- name: Create ReplaceHeaderRule
  hosts: localhost
  vars:
    central_address: '10.35.39.21'
    lm_address: '10.35.39.20:443'
    username: 'admin'
    api_key: '699129a26ace406fd65ee30a6983fcd34466a4cc'
  tasks:
    - name: Create ReplaceHeaderRule
      replace_header_rule:
        lm_address: '{{ lm_address }}'
        central_address: '{{ central_address }}'
        username: '{{ username }}'
        api_key: '{{ api_key }}'
        name: 'replaceHeaderRule1'
        header: 'name'
        replacement: 'username'
        pattern: '^((http[s]?|ftl):\/)$'
18.4 Return Values
The following are the fields unique to this module:
Key | Returned | Description |
message str | always | The message response indicating whether the task created or modified the rule. Sample: ReplaceHeaderRule with name replaceHeaderRule1 was created successfully |
changed bool | always | A Boolean to indicate whether changes were made during the task. Sample: true |
dataChanged str | when changed is true | The parameters that were changed during the task. Sample: {"Header": "name","Name": "replaceHeaderRule1", "Pattern": "^((http[s]?|ftl):\\/)$","Replacement": "username"} |
msg str | when task failed | The error message related to why the task failed. Sample: The minimum supported LoadMaster firmware version is 7.2.47.0. |
18.5 Status
This module is maintained by Kemp Technologies.
19 Match Content Rule
19.1 Synopsis
This module adds or modifies a matchContentRule on a LoadMaster. The minimum supported LoadMaster firmware version is 7.2.47.0. Rules must be defined in your playbook before being assigned to Virtual Services, SubVS, and Real Servers.
19.2 Parameters
Parameter | Choices/Defaults | Comments |
lm_address str/required | | The IP address and port of the LoadMaster. The format is 'ip:port'. |
central_address str/required | | The IP address of the Kemp 360 Central that the LoadMaster is added to. |
username str/required | | The Kemp 360 Central username. |
api_key str/required | | The API key for the user of the Kemp 360 Central machine. |
name str/required | | The name of the MatchContentRule. |
match_type str/required | Choices: | The name of the MatchContentRule. |
include_host str | | Prepend the hostname to request URI before performing the match. |
ignore_case str | | Ignore case when comparing the strings. |
negate_match str | | Ignore case when comparing the strings. |
include_query str | | Append the query string to the URI before performing a match. |
header str/required | | The header field name that should be matched. If no header field is set, the default is to match in the URL. Set this to body to match on the body of a request. |
pattern str/required | | The pattern to be matched. |
set_on_match int | | If the rule is successfully matched, set the specified flag. Accepted values: 0-9. |
only_on_flag int | | Range: 1-9. Only try to execute this rule if the specified flag is set. Using the only_on_flag and set_on_match parameters, it is possible to make rules dependent on each other, that is, only execute a particular rule if another rule has been successfully matched. |
must_fail int | Choices: | If this rule is matched, then always fail to connect. |
19.3 Examples
- name: Create MatchContentRule
  hosts: localhost
  vars:
    central_address: '10.35.39.21'
    lm_address: '10.35.39.20:443'
    username: 'admin'
    api_key: '699129a26acecd34466a4cc'
  tasks:
    - name: Create MatchContentRule
      match_content_rule:
        lm_address: '{{ lm_address }}'
        central_address: '{{ central_address }}'
        username: '{{ username }}'
        api_key: '{{ api_key }}'
        name: 'matchContentRule1'
        match_type: 'regex'
        include_host: 'Y'
        ignore_case: 'Y'
        include_query: 'Y'
        header: 'username'
        pattern: '^((http[s]?|ftl):\/)$'
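The parameter tables describe set_on_match and only_on_flag as a way to make one rule depend on another. The playbook below is an added illustration of that chaining, not an example from Kemp; the rule names, header names, pattern, flag number and API key placeholder are all constructed.

```yaml
- name: Chain two rules with a flag
  hosts: localhost
  vars:
    central_address: '10.35.39.21'
    lm_address: '10.35.39.20:443'
    username: 'admin'
    api_key: 'REPLACE_WITH_API_KEY'   # placeholder, supply your own key
  tasks:
    # Rule 1: sets flag 2 when the Host header matches the pattern.
    - name: Create MatchContentRule that sets flag 2
      match_content_rule:
        lm_address: '{{ lm_address }}'
        central_address: '{{ central_address }}'
        username: '{{ username }}'
        api_key: '{{ api_key }}'
        name: 'matchInternalHost'
        match_type: 'regex'
        ignore_case: 'Y'
        header: 'Host'
        pattern: '^internal\.example\.com$'
        set_on_match: 2

    # Rule 2: executed only when flag 2 has been set by rule 1.
    - name: Create AddHeaderRule that depends on flag 2
      add_header_rule:
        lm_address: '{{ lm_address }}'
        central_address: '{{ central_address }}'
        username: '{{ username }}'
        api_key: '{{ api_key }}'
        name: 'tagInternalHost'
        header: 'X-Internal-Host'
        replacement: 'true'
        only_on_flag: 2
```

The rules take effect only once they are assigned to a Virtual Service or SubVS, which is not shown here.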
19.4 Return Values
The following are the fields unique to this module:
Key | Returned | Description |
message str | always | The message response indicating whether the task created or modified the rule. Sample: MatchContentRule with name matchContentRule1 was created successfully |
changed bool | always | A Boolean to indicate whether changes were made during the task. Sample: true |
dataChanged str | when changed is true | The parameters that were changed during the task. Sample: {"CaseIndependent": "Y","Header": "username","MatchType": "Regex","Name": "matchContentRule1","Pattern": "^((http[s]?|ftl):\\/)$"} |
msg str | when task failed | The error message related to why the task failed. Sample: The minimum supported LoadMaster firmware version is 7.2.47.0. |
19.5 Status
This module is maintained by Kemp Technologies.
20 Add or Modify a modifyURLRule on a LoadMaster
20.1 Synopsis
This module adds or modifies a modifyURLRule on a LoadMaster. The minimum supported LoadMaster firmware version is 7.2.47.0. Rules must be defined in your playbook before being assigned to Virtual Services, SubVS, and Real Servers.
20.2 Parameters
Parameter | Choices/Defaults | Comments |
lm_address str/required | | The IP address of the LoadMaster. |
lm_port str | | The port of the LoadMaster. |
central_address str/required | | The IP address of the Kemp 360 Central that the LoadMaster is added to. |
username str/required | | The Kemp 360 Central username. |
api_key str/required | | The API key for the user of the Kemp 360 Central machine. |
name str/required | | The name of the ModifyURLRule. |
replacement str/required | | How the URL is to be modified. |
pattern str | | The pattern to be matched. |
only_on_flag int | | Range: 1-9. Only try to execute this rule if the specified flag is set. Using the only_on_flag and set_on_match parameters, it is possible to make rules dependent on each other, that is, only execute a particular rule if another rule has been successfully matched. |
20.3 Examples
- name: Create ModifyURLRule
  hosts: localhost
  vars:
    central_address: '10.35.39.21'
    lm_address: '10.35.39.20:443'
    username: admin
    api_key: '699129a26accd34466a4cc'
  tasks:
    - name: Create ModifyURLRule
      modify_url_rule:
        lm_address: '{{ lm_address }}'
        central_address: '{{ central_address }}'
        username: '{{ username }}'
        api_key: '{{ api_key }}'
        name: 'ModifyURLRule1'
        # How the URL is to be modified when the pattern matches
        replacement: 'username'
        pattern: '^((http[s]?|ftl):\/)$'
20.4 Return Values
The following are the fields unique to this module:
Key | Returned | Description |
message str | always | The message response indicating whether the task created or modified the rule. Sample: ModifyURLRule with name ModifyURLRule1 was created successfully |
changed bool | always | A Boolean to indicate whether changes were made during the task. Sample: true |
dataChanged str | when changed is true | The parameters that were changed during the task. Sample: {"Name": "ModifyURLRule1","Pattern": "^((http[s]?|ftl):\\/)$","Replacement": "username"} |
msg str | when task failed | The error message related to why the task failed. Sample: The minimum supported LoadMaster firmware version is 7.2.47.0. |
20.5 Status
This module is maintained by Kemp Technologies.
21 Update Global Parameters
21.1 Synopsis
Module to update global parameters such as black list updates, WAF updates, and non-local Real Server.
21.2 Parameters
Parameter | Choices/Defaults | Comments |
central_api_key str | | The API key for the user of the Kemp 360 Central machine. |
central_address str | | The Kemp 360 Central IP address. |
central_username str | | The username of the Kemp 360 Central user. |
lm_address str | | The IP address of the LoadMaster that is attached to Kemp 360 Central. |
lm_port int | | The port of the LoadMaster. |
non-local_rs int | Choices: | Enable non-local Real Servers on the LoadMaster. |
black_list_auto_update int | Choices: | Enable or disable the blacklist auto-update setting. |
black_list_auto_install int | Choices: | Enable or disable the blacklist auto-install setting. |
black_list_install_time int | | The hour of the day to install the blacklist updates. |
waf_auto_update int | Choices: | Enable or disable the WAF auto-update setting. |
waf_auto_install int | Choices: | Enable or disable the WAF auto-install setting. |
waf_install_time int | | The hour of the day to install the WAF updates. |
21.3 Examples
- name: Configure LoadMaster Global Parameters
  hosts: localhost
  vars:
    central_address: '10.35.53.5'
    central_username: 'Admin'
    central_api_key: 'apikey'
    lm_address: '10.35.53.6'
    lm_port: '443'
  tasks:
    - name: Turn on some global settings
      global_params:
        central_address: '{{ central_address }}'
        central_username: '{{ central_username }}'
        central_api_key: '{{ central_api_key }}'
        lm_address: '{{ lm_address }}'
        lm_port: '{{ lm_port }}'
        non_local_rs: 1
        black_list_auto_update: 1
        black_list_auto_install: 1
        black_list_install_time: 10
        waf_auto_update: 1
        waf_auto_install: 1
        waf_install_time: 8
21.4 Return Values
The following are the fields unique to this module:
Key | Returned | Description |
message str | always | The message response indicating whether the global data was updated. Sample: Successfully updated Global Parameters |
changed bool | always | A Boolean to indicate whether changes were made during the task. Sample: true |
msg str | when task fails | The error message relating to why the task failed. Sample: Global setting(s) could not be set, ... |
21.5 Status
This module is maintained by Kemp Technologies.
22 Appendix
To install Ansible, refer to the Ansible Quick Start Guide at https://docs.ansible.com/ansible/latest/user_guide/quickstart.html.
Last Updated Date
This document was last updated on 28 August 2020.