Fix vtl verification

This patch fixes a couple of issues that were causing the NTLS
connection to fail:

* Changed the CN used in the client cert to be the FQDN to ensure that
  the CN and hostname match.

* Modified the scp commands to add the '-O' option to use the legacy scp
  protocol.

Change-Id: I8996872d917ba9cbeaeb2a1c9a25e9db98713252
(cherry picked from commit 5c101144bc)
(cherry picked from commit 757c2e0426)
(cherry picked from commit 0821d23814)
Douglas Mendizábal 2023-10-06 11:53:47 -04:00
parent bbf8f858c1
commit d93586cc73
2 changed files with 3 additions and 3 deletions


@ -30,7 +30,7 @@
client_name: "{{ ansible_facts['fqdn'] }}"
client_reg_opt: "-hostname"
client_host: "{{ ansible_facts['fqdn'] }}"
client_cert_cn: "{{ inventory_hostname }}"
client_cert_cn: "{{ ansible_facts['fqdn'] }}"
when: lunasa_client_ip is undefined
- name: set client facts for IP override


@ -6,7 +6,7 @@
- name: Get the hsm server cert from the hsm_server
shell: >
sshpass -p '{{ hsm_admin_password }}'
scp -o StrictHostKeyChecking=false -c aes256-cbc
scp -O -o StrictHostKeyChecking=false -c aes256-cbc
admin@{{ hsm_hostname }}:server.pem
/usr/safenet/lunaclient/bin/{{ hsm_hostname }}.pem
args:
@ -50,7 +50,7 @@
block:
- name: Copy the NTL client cert to the HSM
shell: >
sshpass -p '{{ hsm_admin_password }}' scp -c aes256-cbc
sshpass -p '{{ hsm_admin_password }}' scp -O -c aes256-cbc
/usr/safenet/lunaclient/cert/client/{{ client_cert_cn }}.pem
admin@{{ hsm_hostname }}:{{ client_host }}.pem
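Review bot: Both scp invocations in this section still hand the HSM admin password to the process as an argument (`sshpass -p '{{ hsm_admin_password }}'`), so it is visible in the process list and in any verbose task output; `sshpass -e` with the password supplied through the `SSHPASS` environment variable of the task keeps it out of argv, and the task should carry `no_log: true` if it does not already (the task's `args:` and the rest of the block continue outside the hunk, so I cannot see whether it does). The first hunk also fetches `server.pem`, the trust anchor for the NTLS connection, with `-o StrictHostKeyChecking=false`, so the cert is accepted from whichever host answers for `{{ hsm_hostname }}`; pre-seeding the HSM's host key in known_hosts, or at least `-o StrictHostKeyChecking=accept-new`, would make that fetch verifiable. Finally, `-O` is rejected by scp builds that predate the flag, so the role should document the minimum OpenSSH client version it now requires, or make the option a role variable so older clients can still run the play.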