Getting Started
- Updated on 03 Nov 2024
The Itential Automation Service is a licensable capability of Itential Cloud that helps customers deploy and scale their automation needs.
The Automation Service has two parts: a SaaS component of Itential Cloud, and the Itential Automation Gateway 5 (IAG5), which you deploy in your automation environment. IAG5 is an application that allows you to organize, manage, and run your Ansible-, Python-, and OpenTofu-based automation scripts. For more information on IAG5, please go here.
If your organization does not already have an Itential Automation Service account, you can sign up for a trial by visiting our trial signup page which will be available on November 6th, 2024.
Once you have received your Welcome email and verified your account, you can log in. Once you are logged in, you will need to get IAG5 and configure it before you can connect it to Automation Service.
Automation Service Architecture
This diagram illustrates the architecture of the simplest setup for an Automation Service:
The box labeled “Itential Platform” represents a licensable service of the Itential Cloud product, but does not play a role in the Automation Service architecture.
The boxes labeled “Git” and “Devices” represent customer-owned components that IAG5 connects to in order to perform its various tasks. Configuring IAG5 to connect to Git and the devices is not covered here; please refer to the IAG5 documentation to learn how to configure and use IAG5.
Set Up Overview
Connectivity between IAG5 and the cloud component of Automation Service is initiated by IAG5 as gRPC carried over a WebSocket. The following high-level steps are required to ensure IAG5 can connect to the Automation Service; detailed steps follow:
On your IAG5 you will:
- Assign a unique Cluster ID to IAG5.
- Configure IAG5 with a self-signed or CA-signed SSL certificate.
- Configure IAG5 with the hostname and port number of the Automation Service cloud end-point.
In your Itential Cloud Automation Service account UI you will:
- Upload the SSL certificate and its full trust chain.
- Create a new Gateway resource:
  - Assign it the Cluster ID of the gateway.
  - Select the host SSL certificate you uploaded.
  - Associate at least one group to own and manage the Gateway resource.
Once you have completed these steps and started IAG5, it will attempt to connect to Itential Cloud. You can monitor the IAG5 logs to verify that it was able to connect, or to get information to help you troubleshoot connectivity issues.
Cluster IDs
Each of your IAG5 deployments is called a Cluster. This is true regardless of whether you have a single IAG5 controller node, or several configured for high-availability. Each cluster has a unique cluster ID, and every node in the cluster shares that ID.
Itential recommends that you select a cluster ID that is meaningful. Once you have selected a cluster ID, Itential recommends that you do not change it. Changing a cluster ID results in your IAG5 cluster re-configuring itself; please refer to the IAG5 documentation on cluster IDs.
SSL Certificates
The Automation Service requires SSL certificates to authenticate the connection between each IAG5 node and the cloud service. You can choose between self-signed, CA-signed, and wildcard certificates. To get started quickly, you can ask IAG5 to generate a self-signed certificate and private key for you.
Once you have the SSL certificates, you will load them into the cloud service. When an IAG5 node connects to the cloud service, it presents its Cluster ID and SSL certificate. The cloud service uses these two pieces of information to identify and authenticate the IAG5 node.
Please refer to this section in the IAG5 documentation to learn how to generate a self-signed certificate.
Automation Service Cloud End-Point
Each Automation Service cloud account has a unique hostname to which each of your IAG5 clusters will connect. You will need to get the hostname from the cloud service UI:
- Log into your Itential Cloud account.
- Select Automation → Gateways from the portal sidebar.
- Look for the hostname read-only text field and click the copy icon:
Configure the IAG5 cluster with the hostname and port number 443, and restart it; please see the IAG5 documentation for configuring the connection to the Automation Service cloud service.
Uploading the SSL Certificate
The cloud service will reject connections from an IAG5 node if the node does not present both a known Cluster ID and its associated SSL certificate. You must configure a Gateway resource in the cloud service to prepare it to accept connections from IAG5.
As part of configuring a new Gateway resource, you must upload the SSL certificate for that IAG5 node (note: for an HA IAG5 cluster, there may be several certificates).
Depending on how you got your SSL certificate, it might be a single certificate file, or it may be a collection of files which represent the certificate chain from the host to the root certificate. If there is a certificate chain, you must upload the entire chain, one file at a time:
- Log into your Itential Cloud account.
- Select Automation → Gateways from the portal sidebar.
- Click the Upload Certificate button.
- Follow the prompts to upload the certificate.
- Repeat the process until you have uploaded all of the certificates.
The loaded certificates will appear on the right-hand side of the Gateways page:
If you see the label “INVALID” on the certificate, then there is a problem with the certificate: it may be expired or revoked or, most likely, one or more of the intermediate certificates are missing.
You can add and remove certificates to a Gateway at any time after it has been created. You will typically need to do this when certificates expire, or when you add or remove IAG5 controller nodes.
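The conditions behind an “INVALID” label (an expired certificate or a missing intermediate) can be checked locally before uploading. The script below is an added example, not Itential's code: it uses the standard `openssl` command, and the file names, return codes and `MIN_VALID_SECONDS` window are assumptions. It does not check revocation.

```shell
#!/bin/sh
# Added example: local pre-upload check for an IAG5 certificate chain.
# File names, return codes and MIN_VALID_SECONDS are assumptions, not Itential settings.
# Usage: check_chain leaf.pem root.pem [intermediate.pem ...]
#        (for a self-signed certificate: check_chain cert.pem cert.pem)

MIN_VALID_SECONDS=${MIN_VALID_SECONDS:-0}   # 0 = reject only certificates already expired

# Succeeds when the file holds exactly one PEM certificate (uploads are one file at a time).
is_single_cert() {
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || n=0
    [ "${n:-0}" -eq 1 ]
}

# Succeeds when the certificate is still valid MIN_VALID_SECONDS from now.
is_unexpired() {
    openssl x509 -in "$1" -noout -checkend "$MIN_VALID_SECONDS" >/dev/null 2>&1
}

# Returns 0 = ready to upload, 1 = bad file or expired, 2 = chain does not verify.
check_chain() {
    leaf=$1; root=$2; shift 2
    for f in "$leaf" "$root" "$@"; do
        is_single_cert "$f" || { echo "NOT A SINGLE CERT: $f" >&2; return 1; }
        is_unexpired "$f"   || { echo "EXPIRED OR EXPIRING: $f" >&2; return 1; }
    done
    if [ "$#" -gt 0 ]; then
        # Intermediates are untrusted helpers; only the root is a trust anchor.
        bundle=$(mktemp) || return 1
        cat "$@" > "$bundle"
        openssl verify -CAfile "$root" -untrusted "$bundle" "$leaf" >/dev/null 2>&1
        vrc=$?
        rm -f "$bundle"
    else
        openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1
        vrc=$?
    fi
    # A failure here with every file present usually means a missing intermediate.
    [ "$vrc" -eq 0 ] || { echo "CHAIN INCOMPLETE OR UNTRUSTED: $leaf" >&2; return 2; }
    echo "OK: $leaf verifies to $root"
}
```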
Adding a New Gateway
The final step is to add a new Gateway resource to the cloud service. This resource defines the connectivity characteristics of the IAG5 cluster you are connecting, and also sets the basis for controlling which users can use the gateway, and what they can do on it. To add a new Gateway:
- Log into your Itential Cloud account.
- Select Automation → Gateways from the portal sidebar.
- Click the Add Gateway button.
- Provide the correct values in the dialog for:
  - A unique name that will be given to the Gateway in the cloud service.
  - The cluster ID of the IAG5 cluster.
  - The certificate(s) associated with the IAG5.
  - The user group(s) that will have access to the Gateway.
Verifying the Configuration
You can verify that the steps have been done correctly by checking the logs on the IAG5. If IAG5 cannot connect to the cloud service, check whether the host on which IAG5 is running is configured to reach the Automation Service cloud end-point. IAG5 tries to create a WebSocket on port 443 to reach the cloud service.
Once you have verified the connectivity, any services that you created on your IAG5 will automatically appear in the Automation Service UI. You can check by going to the Automation → Automations page and looking for the automations in the table list, and verifying they are coming from your IAG5.
Troubleshooting
If you experience issues configuring IAG5, please refer to this troubleshooting guide.
If you experience issues configuring the Automation Service cloud service, please refer to this troubleshooting guide.