diff --git a/README.rst b/README.rst
index f93e895..ba1089f 100644
--- a/README.rst
+++ b/README.rst
@@ -48,23 +48,16 @@ Role Variables - Full URL where a copy of the client software tarball can be downloaded. * - thales_client_path - linux/libc6_11/amd64/nfast - - Path tho the client software directory inside the tarball + - Path to the client software directory inside the tarball * - thales_km_data_tarball_name - None - Filename for the KM Data tarball * - thales_km_data_location - None - Full URL where a copy of the KM Data tarball can be downloaded. - * - thales_hsm_ip_address - - None - - IPv4 address for the Thales HSM. * - thales_rfs_ip_address - None - IPv4 address for the Thales RFS host. - * - thales_hsm_config_location - - None - - Unique hsm diretory name where the RFS configuration is stored. (e.g. hsm-XXX-XXX-XXX) * - thales_client_ips - None - Whitespace separated list of IP addresses to be added to RFS config.
@@ -72,6 +65,9 @@ Role Variables - None - Bootstrap client IP address. This IP will be allowed to update RFS server. + * - nshield_hsms + - None + - List of one or more HSM devices Requirements
diff --git a/files/add_ips.py b/files/add_ips.py
index e560d54..b733a4a 100644
--- a/files/add_ips.py
+++ b/files/add_ips.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/python3
 #
 # Copyright 2018 Red Hat, Inc.
 #
diff --git a/handlers/main.yaml b/handlers/main.yaml
new file mode 100644
index 0000000..d2b1d0b
--- /dev/null
+++ b/handlers/main.yaml
@@ -0,0 +1,5 @@
+---
+- name: legacy vars warning
+ debug:
+ msg: "WARNING: Using legacy thales_hsm_ip_address and
+ thales_hsm_config_location variables. Please udpate your vars file."
diff --git a/releasenotes/notes/add-ha-c41f45eaa1aba077.yaml b/releasenotes/notes/add-ha-c41f45eaa1aba077.yaml
new file mode 100644
index 0000000..1fa6dc9
--- /dev/null
+++ b/releasenotes/notes/add-ha-c41f45eaa1aba077.yaml
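Review bot: The handler message in handlers/main.yaml misspells "update"; the last line should read `thales_hsm_config_location variables. Please update your vars file."`. Because this is a handler, the warning is only printed at the end of the play (or at a handler flush), after the legacy values have already been consumed by the client and RFS tasks, so it can be easy to miss. A plain `debug` task guarded by the same `when:` as the set_fact in tasks/main.yaml would surface the deprecation before anything runs and would not depend on the notifying task reporting a change.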
@@ -0,0 +1,12 @@
+---
+features:
+ - |
+ This version adds support for using more than one nshield HSM in load
+ sharing mode. There is a new variable `nshield_hsms` that accepts
+ a list of HSM IP addresses. See `vars.yaml.sample` for an example.
+ Note that HSM Pools are not supported at this time.
+deprecations:
+ - |
+ Two variables have been deprecated: `thales_hsm_ip_address` and
+ `thales_hsm_config_location`. You should use the new `nshield_hsms` list
+ to specify these values instead. See `vars.yaml.sample` for an example.
diff --git a/tasks/client.yaml b/tasks/client.yaml
index 9fb12e8..996c6d5 100644
--- a/tasks/client.yaml
+++ b/tasks/client.yaml
@@ -79,19 +79,10 @@
 dest: /opt/nfast
 remote_src: yes
-- name: run anonkneti to get hash
- command: /opt/nfast/bin/anonkneti "{{ thales_hsm_ip_address }}"
- register: anonkneti
-
-- name: output of anonkneti
- debug: var=anonkneti.stdout_lines
-
 - name: create cknfastrc
- copy:
+ template:
+ src: cknfastrc.j2
 dest: /opt/nfast/cknfastrc
- content: |
- CKNFAST_OVERRIDE_SECURITY_ASSURANCES=explicitness
- force: no
 mode: 0644
 - name: create snmp.conf
@@ -102,8 +93,9 @@
 force: yes
 mode: 0644
-- name: enroll client to HSM
- command: /opt/nfast/bin/nethsmenroll --force {{ thales_hsm_ip_address }} {{ anonkneti.stdout_lines[0] }}
+- name: enroll client to hsms
+ include_tasks: client_enroll.yaml
+ loop: "{{ nshield_hsms }}"
 - name: set selinux contexts for /opt/nfast
 command: restorecon -R /opt/nfast
diff --git a/tasks/client_enroll.yaml b/tasks/client_enroll.yaml
new file mode 100644
index 0000000..94abcf1
--- /dev/null
+++ b/tasks/client_enroll.yaml
@@ -0,0 +1,10 @@
+---
+- name: run anonkneti to get hash for "{{ item.ip }}"
+ command: /opt/nfast/bin/anonkneti "{{ item.ip }}"
+ register: anonkneti
+
+- name: output of anonkneti
+ debug: var=anonkneti.stdout_lines
+
+- name: enroll client to HSM "{{ item.ip }}"
+ command: /opt/nfast/bin/nethsmenroll --force {{ item.ip }} {{ anonkneti.stdout_lines[0] }}
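Review bot: Dropping `force: no` together with the copy-to-template switch in the `create cknfastrc` task means an existing, possibly hand-edited /opt/nfast/cknfastrc is now overwritten on every run, since the template module overwrites by default. That may well be intended, because a host enrolled before this change would otherwise never receive the CKNFAST_LOADSHARING line the new template adds, but the intent is invisible in the task itself; a comment such as `# overwritten on purpose: the load-sharing flag depends on nshield_hsms` would make it explicit, and if it is not intended, `force: no` should be kept. The task list continues outside the hunk.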
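Review bot: In tasks/client_enroll.yaml, `nethsmenroll --force {{ item.ip }} {{ anonkneti.stdout_lines[0] }}` enrolls the client against whatever ESN and key hash the device at `item.ip` just reported, so the out-of-band comparison that anonkneti's output is meant for never happens and any host answering on that address is accepted as the HSM. Now that `nshield_hsms` entries are dicts, an optional expected value could be carried per HSM and checked before enrolling, e.g. `- name: verify reported ESN matches vars` / `assert: { that: "item.esn is not defined or anonkneti.stdout_lines[0].split()[0] == item.esn" }` (the ESN is the first field of that line, as the set_fact in tasks/rfs_register_client.yaml also assumes). The same check applies to the anonkneti output consumed in tasks/rfs_register_client.yaml, which is included per HSM by tasks/rfs.yaml.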
diff --git a/tasks/main.yaml b/tasks/main.yaml
index ea8e574..405572a 100644
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
@@ -1,8 +1,17 @@
 ---
-- name: Include client installation tasks
- include_tasks: client.yaml
- when: thales_install_client
+- name: allow using legacy variables for backwards compatibility
+ set_fact:
+ args:
+ nshield_hsms:
+ - name: Legacy variables HSM
+ ip: "{{ thales_hsm_ip_address }}"
+ when: nshield_hsms is not defined and thales_hsm_ip_address is defined
+ notify: legacy vars warning
 - name: Include RFS tasks
 include_tasks: rfs.yaml
 when: thales_configure_rfs
+
+- name: Include client installation tasks
+ include_tasks: client.yaml
+ when: thales_install_client
diff --git a/tasks/rfs.yaml b/tasks/rfs.yaml
index c1f1ca8..3e6b083 100644
--- a/tasks/rfs.yaml
+++ b/tasks/rfs.yaml
@@ -1,14 +1,9 @@
 ---
 # This role adds a new IP address to the RFS conf file
-- name: run script to add {{ thales_client_ips }} to config.new
- script: "{{ role_path }}/files/add_ips.py --config-dir /opt/nfast/kmdata/{{ thales_hsm_config_location }}/config --ips {{ thales_client_ips }}"
-
-- name: push new config to the HSM and check that it was successful
- shell: "/opt/nfast/bin/cfg-pushnethsm -a {{ thales_hsm_ip_address }} /opt/nfast/kmdata/{{ thales_hsm_config_location }}/config/config.new && sleep 5 && diff /opt/nfast/kmdata/{{ thales_hsm_config_location }}/config/config /opt/nfast/kmdata/{{ thales_hsm_config_location }}/config/config.new" # noqa 204
- register: result
- until: result.rc == 0
- retries: 10
+- name: add client ips to hsms
+ include_tasks: rfs_register_client.yaml
+ loop: "{{ nshield_hsms }}"
 - name: allow bootstrap server to update the RFS server
 command: "/opt/nfast/bin/rfs-setup --gang-client --write-noauth {{ thales_bootstrap_client_ip }}"
diff --git a/tasks/rfs_register_client.yaml b/tasks/rfs_register_client.yaml
new file mode 100644
index 0000000..59d897f
--- /dev/null
+++ b/tasks/rfs_register_client.yaml
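Review bot: `notify: legacy vars warning` on the new set_fact task in tasks/main.yaml will, as far as I can tell, never fire: set_fact reports `ok` rather than `changed`, and handlers are only notified by tasks that report a change. Adding `changed_when: true` to that task, or replacing the handler with a `debug` task guarded by the same `when:`, makes the deprecation warning actually appear. The indentation is lost in this diff, so I cannot tell whether `args:` sits under `set_fact:` (which would define a fact named `args` rather than `nshield_hsms`) or is the task-level `args:` keyword; worth a second look. When neither variable is defined, the later `loop: "{{ nshield_hsms }}"` in tasks/rfs.yaml and tasks/client.yaml fails with a generic undefined-variable error, so a guard right after this task, e.g. `- assert: { that: nshield_hsms is defined, fail_msg: "set nshield_hsms (see vars.yaml.sample)" }`, would name the real problem.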
@@ -0,0 +1,21 @@
+---
+- name: run anonkneti to get esn for "{{ item.ip }}"
+ command: /opt/nfast/bin/anonkneti "{{ item.ip }}"
+ register: anonkneti
+
+- name: output of anonkneti
+ debug: var=anonkneti.stdout_lines
+
+- name: get the esn
+ set_fact:
+ esn: "{{ anonkneti.stdout_lines[0].split()[0] }}"
+
+- name: run script to add {{ thales_client_ips }} to config.new on "{{ item.ip }}" esn "{{ esn }}"
+ script: "{{ role_path }}/files/add_ips.py --config-dir /opt/nfast/kmdata/hsm-{{ esn }}/config --ips {{ thales_client_ips }}"
+
+- name: push new config to the HSM and check that it was successful
+ shell: "/opt/nfast/bin/cfg-pushnethsm -a {{ item.ip }} /opt/nfast/kmdata/hsm-{{ esn }}/config/config.new && sleep 5 && diff /opt/nfast/kmdata/hsm-{{ esn }}/config/config /opt/nfast/kmdata/hsm-{{ esn }}/config/config.new" # noqa 204
+ register: result
+ until: result.rc == 0
+ retries: 10
+
diff --git a/templates/cknfastrc.j2 b/templates/cknfastrc.j2
new file mode 100644
index 0000000..3b31314
--- /dev/null
+++ b/templates/cknfastrc.j2
@@ -0,0 +1,4 @@
+CKNFAST_OVERRIDE_SECURITY_ASSURANCES=explicitness
+{% if nshield_hsms|length > 1 %}
+CKNFAST_LOADSHARING=1
+{% endif %}
diff --git a/vars.yaml.sample b/vars.yaml.sample
new file mode 100644
index 0000000..28d7b41
--- /dev/null
+++ b/vars.yaml.sample
@@ -0,0 +1,17 @@
+---
+thales_client_working_dir: /tmp/thales_client_install
+thales_client_tarball_location: http://myserver.example.com/CipherTools-linux64-dev-12.40.2.tgz
+thales_client_tarball_name: CipherTools-linux64-dev-12.40.2.tgz
+thales_client_path: linux/libc6_11/amd64/nfast
+thales_client_uid: 42481
+thales_client_gid: 42481
+thales_km_data_location: http://myserver.example.com/kmdata.tar.gz
+thales_km_data_tarball_name: kmdata.tar.gz
+thales_rfs_server_ip_address: 192.168.5.20
+nshield_hsms:
+ - name: "My HSM 1"
+ ip: 192.168.1.1
+ - name: "My HSM 2"
+ ip: 192.168.1.1
+thales_rfs_user: admin
+thales_rfs_key: RSA Private key in PEM format used to log into RFS server.
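Review bot: In tasks/rfs_register_client.yaml the `esn` fact is taken straight from the device's anonkneti reply and then interpolated, unquoted, into a `shell:` command line and into the `/opt/nfast/kmdata/hsm-{{ esn }}/config` paths, so an unexpected or malformed reply is spliced into a shell string instead of being rejected. A guard between the `get the esn` and `run script` tasks, e.g. `- assert: { that: "esn is match('^<ESN-PATTERN>$')", fail_msg: "unexpected anonkneti output for {{ item.ip }}" }` with the site's ESN format in place of `<ESN-PATTERN>`, keeps the value to what that path is expected to contain and lets the failure name the HSM. Since this file is included once per `nshield_hsms` entry, a one-line comment at the top noting that `anonkneti`, `esn` and `result` are overwritten on each iteration would also help the next reader.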
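Review bot: Both sample entries under `nshield_hsms` in vars.yaml.sample use `ip: 192.168.1.1`, so copying the sample as-is enrolls the same device twice; the second entry presumably meant a different address, e.g. `ip: 192.168.1.2` (constructed example). The sample also names `thales_rfs_server_ip_address` while README.rst documents `thales_rfs_ip_address`, so one of the two looks stale. `thales_rfs_key` is an RSA private key kept in a plain vars file; the sample could show it as a vaulted value (`thales_rfs_key: !vault |`) so users are steered away from committing the key in clear.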