--- - name: Create working directory file: path: "{{ lunasa_client_working_dir }}" state: directory mode: 0755 - name: Download Lunasa client tarball get_url: url: "{{ lunasa_client_tarball_location }}" dest: "{{ lunasa_client_working_dir }}/{{ lunasa_client_tarball_name }}" force: no - name: Unpack tarball to working directory # noqa 208 unarchive: src: "{{ lunasa_client_working_dir }}/{{ lunasa_client_tarball_name }}" dest: "{{ lunasa_client_working_dir }}" creates: "{{ lunasa_client_working_dir }}/{{ lunasa_client_installer_path }}" remote_src: yes - name: Run the install.sh script shell: | set -o pipefail && echo y | {{ lunasa_client_working_dir }}/{{ lunasa_client_installer_path }} \ -p sa -c sdk args: creates: /usr/lib/libCryptoki2_64.so become: true - name: set client facts for fqdn set_fact: client_name: "{{ ansible_facts['fqdn'] }}" client_reg_opt: "-hostname" client_host: "{{ ansible_facts['fqdn'] }}" client_cert_cn: "{{ inventory_hostname }}" when: lunasa_client_ip is undefined - name: set client facts for IP override set_fact: client_name: "{{ ansible_facts['fqdn'] }}" client_reg_opt: "-ip" client_host: "{{ lunasa_client_ip }}" client_cert_cn: "{{ lunasa_client_ip }}" when: lunasa_client_ip is defined - name: Check for existing client cert stat: path: "/usr/safenet/lunaclient/cert/client/{{ client_cert_cn }}.pem" register: client_cert - name: Generate a new client cert for NTL command: /usr/safenet/lunaclient/bin/vtl createCert -n "{{ client_cert_cn }}" become: true register: created_cert when: not client_cert.stat.exists or lunasa_client_rotate_cert - name: Note when a new cert is created set_fact: client_new_cert: "{{ created_cert.changed }}" - name: register the client on each HSM include_tasks: register_client.yaml vars: hsm_hostname: "{{ item.hostname }}" hsm_admin_password: "{{ item.admin_password }}" hsm_partition: "{{ item.partition }}" loop: "{{ lunasa_hsms }}" - name: verify the NTL connection command: /usr/safenet/lunaclient/bin/vtl verify become: true register: vtl_verify - name: Fail if NTL connection doesn't verify fail: msg: > ERROR: 'vtl verify' failed. This is commonly due to network NAT between the client and the HSM. Try disabling client IP checking in the HSM when: "'Error: Unable to find any Luna SA slots/partitions' in vtl_verify.stdout" - name: create hsm ha partition when: lunasa_hsms | length > 1 become: true block: - name: create ha partition shell: | echo 'copy' | /usr/safenet/lunaclient/bin/lunacm -c hagroup createGroup \ -label {{ lunasa_ha_label }} \ -serialNumber {{ lunasa_hsms[0].partition_serial }} \ -password {{ lunasa_client_pin }} register: result failed_when: - "'Command Result : No Error' not in result.stdout" - "'for the new group has already been used' not in result.stdout" - name: add other hsms to the ha group shell: | echo 'copy' | /usr/safenet/lunaclient/bin/lunacm -c hagroup addMember \ -group {{ lunasa_ha_label }} \ -serialNumber {{ item.partition_serial }} \ -password {{ lunasa_client_pin }} loop: "{{ lunasa_hsms }}" loop_control: extended: yes when: not ansible_loop.first register: result failed_when: - "'Command Result : No Error' not in result.stdout" - "'The member you specified is already part of an' not in result.stdout" - name: Check the HA group expect: command: /usr/safenet/lunaclient/bin/lunacm -c hagroup listgroups responses: password: "\r" register: result failed_when: "'Command Result : No Error' not in result.stdout" - name: Register the HA Slot ID shell: | set -o pipefail && echo "{{ result.stdout }}" | grep 'HA Group Slot ID' | awk '{ print $NF }' register: slot_result - name: Set HA Slot fact for use by the playbook calling this role set_fact: lunasa_ha_slot: "{{ slot_result.stdout }}" - name: Log the HA Slot ID used debug: var: lunasa_ha_slot