Manual Chapter: Secure Password Policy Enforcement on F5 Modules for Ansible
Applies To:
BIG-IP LTM
- 16.0.1, 16.0.0, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
F5 Modules for Ansible use basic auth to communicate with the BIG-IP over HTTPS, so when password policy is enforced with config reset, Ansible will not be able to reach the BIG-IP until you update the password of your host in the inventory file. If you do not change the inventory password, your task will fail because it cannot authenticate.

The following code is an example of resetting the system configuration:
    # config reset task
    - name: Reset the BIG-IP
      bigip_config:
        reset: yes
        save: True
      delegate_to: localhost
After config reset, you must immediately set the inventory password to match
the new admin password. For example:
    # Runs after the "Reset the BIG-IP" task shown above.
    - name: After reset, configure the expired admin password
      uri:
        url: "https://{{ inventory_hostname }}/mgmt/shared/authz/users/admin"
        method: PATCH
        # oldPassword is the admin password in effect after the reset
        body: '{"oldPassword":"admin","password":"{{ bigip_password }}"}'
        body_format: json
        # Certificate validation is turned off for this request
        validate_certs: no
        force_basic_auth: yes
        user: admin
        password: admin
        headers:
          Content-Type: "application/json"
      delegate_to: localhost
The root password is automatically changed to the admin password if it was previously
unchanged, so you will also need to update the root password to match the inventory
password that Ansible expects.
    - name: Last part of config reset - configure the root password
      bigip_user:
        full_name: root
        username_credential: root
        password_credential: "{{ bigip_password }}"
        update_password: always
      delegate_to: localhost
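
The three steps above combined into one play, showing which credential is valid at each stage. This is an added example, not part of the original F5 manual. It assumes the f5networks.f5_modules collection, a hypothetical `bigip` inventory group and `bigip_provider` variable, and constructed retry values; it adds `no_log` and a retry loop that the page's tasks do not have.

```yaml
# Added example, not from the F5 manual. bigip_provider and the "bigip" group
# are assumed names; bigip_password is the inventory password the page refers to.
- name: Reset a BIG-IP and restore the credentials Ansible expects
  hosts: bigip
  gather_facts: false
  vars:
    bigip_provider:
      server: "{{ inventory_hostname }}"
      user: admin
      password: "{{ bigip_password }}"  # keep this in Ansible Vault, not plaintext
      validate_certs: false  # as in the page's uri task; enable with a trusted cert
  tasks:
    # Stage 1: the inventory password still authenticates.
    - name: Reset the BIG-IP
      f5networks.f5_modules.bigip_config:
        reset: true
        save: true
        provider: "{{ bigip_provider }}"
      delegate_to: localhost
    # Stage 2: only the expired default admin password works, so call the REST
    # endpoint with basic auth directly and retry until the API answers.
    - name: After reset, configure the expired admin password
      ansible.builtin.uri:
        url: "https://{{ inventory_hostname }}/mgmt/shared/authz/users/admin"
        method: PATCH
        body_format: json
        body:  # a mapping is serialized safely even if the password contains quotes
          oldPassword: admin
          password: "{{ bigip_password }}"
        validate_certs: false
        force_basic_auth: true
        url_username: admin
        url_password: admin
      register: admin_reset
      until: admin_reset is succeeded
      retries: 10
      delay: 15
      no_log: true  # keep both passwords out of task output and logs
      delegate_to: localhost
    # Stage 3: admin now matches the inventory, so F5 modules work again.
    - name: Last part of config reset - configure the root password
      f5networks.f5_modules.bigip_user:
        full_name: root
        username_credential: root
        password_credential: "{{ bigip_password }}"
        update_password: always
        provider: "{{ bigip_provider }}"
      no_log: true
      delegate_to: localhost
```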