57 lines
2.0 KiB
YAML
57 lines
2.0 KiB
YAML
---
|
|
- debug:
|
|
msg: "Registering the following HSM: {{ hsm_name }}"
|
|
|
|
- name: Get the hsm server cert from the hsm_server
|
|
shell: |
|
|
sshpass -p '{{ hsm_admin_password }}' \
|
|
scp -o StrictHostKeyChecking=false admin@{{ hsm_hostname }}:server.pem /usr/safenet/lunaclient/bin/{{ hsm_hostname }}.pem
|
|
become: true
|
|
|
|
- name: Register the HSM server cert with the client
|
|
shell: |
|
|
/usr/safenet/lunaclient/bin/vtl addServer -n {{ hsm_hostname }} \
|
|
-c /usr/safenet/lunaclient/bin/{{ hsm_hostname }}.pem
|
|
register: add_server
|
|
become: true
|
|
failed_when:
|
|
- add_server.rc != 0
|
|
- '"This server is already registered" not in add_server.stdout'
|
|
|
|
- name: Set the cert file name
|
|
set_fact:
|
|
client_name: "{{ inventory_hostname }}"
|
|
|
|
- name: Create a client cert for NTL
|
|
command: /usr/safenet/lunaclient/bin/vtl createCert -n "{{ client_ip }}"
|
|
args:
|
|
creates: "/usr/safenet/lunaclient/cert/client/{{ client_ip }}.pem"
|
|
become: true
|
|
|
|
- name: Copy the NTL client cert to the HSM
|
|
shell: |
|
|
sshpass -p '{{ hsm_admin_password }}' scp /usr/safenet/lunaclient/cert/client/{{ client_ip }}.pem \
|
|
admin@{{ hsm_hostname }}:{{ client_ip }}.pem
|
|
become: true
|
|
|
|
# A client with the same hostname has already been registered
|
|
- name: Register the client certificate on the hsm_server
|
|
shell: |
|
|
sshpass -p '{{ hsm_admin_password }}' ssh admin@{{ hsm_hostname }} \
|
|
-C "client register -c {{ client_name }} -ip {{ client_ip }}"
|
|
register: client_register
|
|
failed_when:
|
|
- client_register.rc != 0
|
|
- "'client with the same IP address has already been registered' not in client_register.stdout"
|
|
become: true
|
|
|
|
- name: Assign client to an HSM partition
|
|
shell: |
|
|
sshpass -p '{{ hsm_admin_password }}' ssh admin@{{ hsm_hostname }} \
|
|
-C "client assignPartition -c {{ client_name }} -p {{ hsm_partition }}"
|
|
register: assign_partition
|
|
failed_when:
|
|
- assign_partition.rc != 0
|
|
- "'client already has access' not in assign_partition.stdout"
|
|
become: true
|