Software Configuration
Event-Driven Ansible (EDA) software configuration instructions provide steps for configuring rulebooks and playbooks from the IBM EDA z/OS collection in Ansible Automation Platform (AAP) for first-time users.
This configuration enables EDA to consume zSecure alerts from z/OS via Kafka.
Note
For the end-to-end workflow to run successfully, ensure that you configure z/OS with zSecure alerts routing to Kafka for Event-Driven Ansible consumption.
Prerequisites
Ansible Automation Platform (AAP) installed and accessible.
Access to GitHub for repository management.
z/OS system with zSecure configured.
Kafka broker configured and accessible.
SMTP server for email notifications.
Appropriate credentials for:
GitHub/Source Control
z/OS managed nodes
Kafka broker
SMTP server.
Environment Preparation
Before you begin the configuration:
Ensure z/OS is configured with zSecure alerts.
Verify Kafka broker is receiving z/OS alerts.
Confirm network connectivity between AAP and all required systems.
Gather all necessary credentials and connection details.
Note
Feel free to make any changes to the playbooks and rulebooks to adapt them to your specific environment requirements.
Step 1: Obtain the collection
Clone the ibm.ibm_eda_zos collection from GitHub to your local machine:
git clone https://github.com/ansible-collections/ibm_eda_zos.git
Collection Structure:
Rulebooks location:
/extensions/eda/rulebooks/security
Playbooks location:
/playbooks/security
Step 2: Create a repository
Review the cloned collection and make any necessary modifications for your environment.
Create a new repository in your GitHub account.
Push the collection (with or without modifications) to your new repository.
cd ibm_eda_zos
git remote set-url origin https://github.com/<your-username>/<your-repo-name>.git
git push -u origin main
Step 3: Set up credentials
Configure the following credentials in Ansible Automation Platform:
Automation Controller credentials
Source Control credential
Purpose: Connect to GitHub
Type: Source Control
Required Information:
GitHub username
Personal access token or password.
Machine credentials (z/OS)
Purpose: Connect to the z/OS managed node
Type: Machine
Required Information:
SSH username
SSH private key or password
Privilege escalation method (if required).
Event-Driven Ansible Controller credentials
Source Control credential
Purpose: Connect to GitHub
Type: Source Control
Required Information:
GitHub username
Personal access token or password.
Red Hat Ansible Automation Platform credential
Purpose: Connect to the Automation Controller
Type: Red Hat Ansible Automation Platform
Required Information:
Automation Controller URL
OAuth token or username/password.
Step 4: Create projects
Create projects in both controllers to access the collection content.
Automation Controller project
Navigate to Automation Controller → Projects.
Click Create project.
Configure the project:
Name: IBM EDA z/OS Collection
Organization: Select your organization
Source Control Type: Git
Source Control URL: Your GitHub repository URL
Source Control Credential: Select the GitHub credential created in Step 3
Update Revision on Launch: Enabled (recommended)
Click Save.
Wait for the project sync to complete.
Event-Driven Ansible Controller project
Navigate to Event-Driven Ansible → Projects.
Click Create project.
Configure the project:
Name: IBM EDA z/OS Collection
Source Control Type: Git
Source Control URL: Your GitHub repository URL
Source Control Credential: Select the GitHub credential created in Step 3
Click Create project.
Wait for the project sync to complete.
Note
Both controllers now have access to the rulebooks and playbooks in the collection.
Step 5: Playbook setup in Automation Controller
Configure the Automation Controller to execute playbooks in response to events.
Create a host
Navigate to Automation Controller → Hosts.
Click Create host.
Configure the host:
Name: Your z/OS managed node hostname
Description: z/OS system for EDA security automation
Click Save.
Create an inventory
Navigate to Automation Controller → Inventories.
Click Create inventory → Create inventory.
Configure the inventory:
Name: z/OS EDA Inventory
Organization: Select your organization
Click Save.
Navigate to the Hosts tab.
Click Add.
Select the host created in the previous step.
Click Save.
Create a job template
Navigate to Automation Controller → Templates.
Click Create template → Create job template.
Configure the job template:
Basic Information:
Name: zSecure - Respond to Group Authority Change
Job Type: Run
Inventory: Select z/OS EDA Inventory
Project: Select IBM EDA z/OS Collection
Playbook: playbooks/security/<playbook_name>.yml
Credentials: Select the z/OS machine credential.
Extra Variables:
# Email configuration
security_alert_recipients: <security-team-email>
security_alert_sender: <eda-alerts-email>
smtp_server: <your-smtp-relay>
smtp_server_port: <your-smtp-port>
Example:
# Email configuration
security_alert_recipients: security-team@example.com
security_alert_sender: eda-alerts@example.com
smtp_server: smtp.example.com
smtp_server_port: 587
Click Save.
Tip
Test the job template manually before activating the rulebook to ensure proper configuration. Select the checkbox to enable prompt on launch.
Step 6: Rulebook setup in Event-Driven Ansible Controller
Configure the Event-Driven Ansible Controller to listen for events and trigger automation.
Create a rulebook activation
Navigate to Event-Driven Ansible → Rulebook Activations.
Click Create rulebook activation.
Configure the rulebook activation:
Basic Information:
Name: zSecure Group Authority Monitor
Description: Monitors Kafka for zSecure group authority change alerts
Organization: Default (or your organization)
Project: Select IBM EDA z/OS Collection
Rulebook: Select the appropriate rulebook from the dropdown.
Path:
extensions/eda/rulebooks/security/<rulebook-name>.yml
Credentials:
Red Hat Ansible Automation Platform: Select the AAP credential created in Step 3.
Decision Environment:
Select an appropriate decision environment that includes:
Kafka Python libraries
Required Ansible collections
SSL certificate support
Extra Variables:
ssl_cafile: <path-to-ca-cert-file>
kafka_host: <your-kafka-broker>
kafka_port: <your-kafka-ssl-port>
kafka_topic: <your-kafka-topic>
security_protocol: SSL
Example:
ssl_cafile: /etc/pki/tls/certs/kafka-ca.crt
kafka_host: kafka.example.com
kafka_port: 9093
kafka_topic: zsecure-alerts
security_protocol: SSL
Click Create rulebook activation.
Important
The rulebook activation starts listening for events immediately upon creation if enabled.
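Because the activation starts listening as soon as it is created, it helps to check the Step 6 extra variables first for unreplaced template placeholders, a missing CA file entry, or a non-TLS protocol. The following Python check is an added example, not code from the IBM collection; the function names and the constructed bad sample are assumptions, and SASL_SSL is accepted alongside SSL as the other Kafka client protocol value that uses TLS.

```python
import re

# Extra variables the page lists for the rulebook activation in Step 6.
REQUIRED = ("ssl_cafile", "kafka_host", "kafka_port", "kafka_topic", "security_protocol")
# Kafka client security_protocol values that put TLS on the broker connection.
TLS_PROTOCOLS = {"SSL", "SASL_SSL"}
PLACEHOLDER = re.compile(r"^<[^>]*>$")  # e.g. <your-kafka-broker>


def parse_flat_vars(text):
    """Parse flat 'key: value' lines (no nesting), ignoring # comments."""
    result = {}
    for raw in text.splitlines():
        key, sep, value = raw.split("#", 1)[0].partition(":")
        if sep:
            result[key.strip()] = value.strip().strip("'\"")
        elif key.strip():
            raise ValueError(f"not a 'key: value' line: {raw!r}")
    return result


def check_kafka_vars(variables):
    """Return a list of findings; an empty list means the variables pass."""
    findings, usable = [], {}
    for key in REQUIRED:
        value = variables.get(key, "")
        if not value:
            findings.append(f"{key}: missing")
        elif PLACEHOLDER.match(value):
            findings.append(f"{key}: placeholder {value} was not replaced")
        else:
            usable[key] = value
    proto = usable.get("security_protocol")
    if proto and proto not in TLS_PROTOCOLS:
        findings.append(f"security_protocol: {proto} is not a TLS protocol")
    port = usable.get("kafka_port")
    if port and not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append(f"kafka_port: {port} is not a valid TCP port")
    return findings


# The page's example values, then a constructed bad set for comparison.
PAGE_EXAMPLE = ("ssl_cafile: /etc/pki/tls/certs/kafka-ca.crt\nkafka_host: kafka.example.com\n"
                "kafka_port: 9093\nkafka_topic: zsecure-alerts\nsecurity_protocol: SSL\n")
CONSTRUCTED_BAD = ("kafka_host: <your-kafka-broker>\nkafka_port: 99999\n"
                   "kafka_topic: zsecure-alerts\nsecurity_protocol: PLAINTEXT\n")

if __name__ == "__main__":
    for name, text in (("page example", PAGE_EXAMPLE), ("constructed", CONSTRUCTED_BAD)):
        print(name, check_kafka_vars(parse_flat_vars(text)) or "OK")
```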