Chapter 7. Configuring Ansible Automation Platform

Procedure

1. From the navigation panel, select Settings Platform gateway.
2. The Platform gateway settings page is displayed.
3. To configure the options, click Edit.

4. You can configure the following Security settings:

   • Allow admin to set insecure: Whether a superuser account can save an insecure password when editing any local user account.

   • Gateway basic auth enabled: Enable basic authentication to the platform gateway API.

     Turning this off prevents all basic authentication (local users), so customers need to make sure they have their alternative authentication mechanisms correctly configured before doing so.

     Turning it off with only local authentication configured also prevents all access to the UI.

     Social auth username in full email: Enabling this setting alerts social authentication to use the full email as username instead of the full name.

     Gateway token name: The header name to push from the proxy to the backend service.

     Warning

     If this name is changed, backends must be updated to compensate.

   • Gateway access token expiration: How long the access tokens are valid for.

   • Jwt private key: The private key used to encrypt the JWT tokens sent to backend services.

     This should be a private RSA key and one should be generated automatically on installation.

     Note

     Use caution when rotating the key as it will cause current sessions to fail until their JWT keys are reset.

   • (Read only) Jwt public key: The private key used to encrypt the JWT tokens sent to backend services.

     This should be a private RSA key and one should be generated automatically on installation.

     Note

     See other services' documentation on how they consume this key.

5. Click Save changes to save the changes or proceed to configure the other platform options available.

Procedure

1. From the navigation panel, select Settings Platform gateway.
2. The Platform gateway settings page is displayed.
3. To configure the options, click Edit platform gateway settings.
4. Enter the time in seconds before a session expires in the Session cookie age field.
5. Click Save platform gateway settings to save the changes or proceed to configure the other platform options available.

Procedure

1. From the navigation panel, select Settings Platform gateway.
2. The Platform gateway settings page is displayed.
3. To configure the options, click Edit platform gateway settings.

4. You can configure the following Password Security options:

   • Password minimum uppercase letters: How many uppercase characters need to be in a local password.
   • Password minimum length: The minimum length of a local password.
   • Password minimum numerical digits: How many numerical characters need to be in a local password.
   • Password minimum special characters: How many special characters need to be in a local password.
5. Click Save platform gateway settings to save the changes or proceed to configure the other platform options available.

Procedure

1. From the navigation panel, select Settings Platform gateway.
2. The Platform gateway settings page is displayed.
3. To configure the options, click Edit platform gateway settings.

4. You can configure the following Custom Login options:

   • Custom login info: Provide specific information (such as a legal notice or a disclaimer) to a text box in the login modal. For example, you can include a company banner with a statement such as, “This is only to be used for <COMPANY_NAME>, etc.”
   • Custom logo : Provide an image file for setting up a custom logo (must be a data URL with a base64-encoded GIF, PNG, or JPEG image).
5. Click Save platform gateway settings to save the changes or proceed to configure the other platform options available.

Procedure

1. From the navigation panel, select Settings Platform gateway.
2. The Platform gateway settings page is displayed.
3. Click Edit platform gateway settings.

4. You can configure the following Other settings:

   • Jwt expiration buffer in seconds: The number of seconds before a JWT token’s expiration to revoke from the cache.

     When authentication happens a JWT token is created for the user and that token is cached. When subsequent calls happen to services such as automation controller or Event-Driven Ansible, the token is taken from the cache and sent to the service. Both the token and the cache of the token have an expiration time. If the token expires while in the cache the authentication process attempts results in a 401 error (unauthorized). This setting gives Red Hat Ansible Automation Platform a buffer by removing the JWT token from the cache before the token expires. When a token is revoked from cache a new token with a new expiration is generated and cached for the user. As a result, expired tokens from the cache are never used. This setting defaults to 2 seconds. If you have a large latency between platform gateway and your services and observe 401 responses you must increase this setting to lower the number of 401 responses.

   • Status endpoint backend timeout seconds: Timeout (in seconds) for the status endpoint to wait when trying to connect to a backend.
   • Status endpoint backend verify: Specifies whether SSL certificates of the services are verified when calling individual nodes for statuses.
   • Request timeout: Specifies, in seconds, the length of time before the proxy will report a timeout and generate a 504.
   • *Allow external users to create OAuth2 tokens *: For security reasons, users from external authentication providers, such as LDAP, SAML, SSO, Radius, and others, are not allowed to create OAuth2 tokens. To change this behavior, enable this setting. Existing tokens are not deleted when this setting is turned off.
5. Click Save platform gateway settings to save the changes or proceed to configure the other platform options available.