Add support for Security World client v13.4.4
This patch adds support for installing the latest Security World client software. The installation media format for that version is a zipped file containing an ISO. The mechanism for installing the source media was changed to expect this new format. The file is still downloaded to the target host and now unzip is used instead of tar to unarchive the ISO. The client software is now installed on the target host using the RPM files found in the ISO image. Change-Id: If00a8612cd50f492da833033a2ed3256585617bd (cherry picked from commit b39d08608f) (cherry picked from commit 71f904f650) (cherry picked from commit f98f83c7b1) (cherry picked from commit f0ff0c6619) This patch also includes: Use shell instead of command for rfs-sync setup The command module doesn't understand the pipefail setting used for piping a response to the rfs-sync setup script. Change-Id: Ifb1e70d47f312f44abd603f21ce6fbf8733d9dc4 (cherry picked from commit ed676be778) (cherry picked from commit b53b695516) (cherry picked from commit fc3f008baf) (cherry picked from commit 69177770c9) (cherry picked from commit 1a010eb733) (cherry picked from commit 21aacdfdfe)
26
README.rst
26
README.rst
@@ -32,32 +32,23 @@ Role Variables
|
||||
- false
|
||||
- Whether the role should execute the RFS configuration tasks.
|
||||
* - thales_client_working_dir
|
||||
- /tmp/thales_client_install
|
||||
- /tmp/security_world_install
|
||||
- Working directory in the target host.
|
||||
* - thales_client_gid
|
||||
- 42481
|
||||
- Group ID for the thales group.
|
||||
- Group ID for the nfast group.
|
||||
* - thales_client_uid
|
||||
- 42481
|
||||
- User ID for the thales user.
|
||||
* - thales_client_tarball_name
|
||||
- User ID for the nfast user.
|
||||
* - security_world_iso_zip_url
|
||||
- None
|
||||
- Filename for the Thales client software tarball.
|
||||
- URL location of the Security World ISO ZIP file.
|
||||
* - thales_client_tarball_location
|
||||
- None
|
||||
- Full URL where a copy of the client software tarball can be downloaded.
|
||||
* - thales_client_path
|
||||
- linux/libc6_11/amd64/nfast
|
||||
- Path to the client software directory inside the tarball
|
||||
* - thales_km_data_tarball_name
|
||||
- None
|
||||
- Filename for the KM Data tarball
|
||||
* - thales_km_data_location
|
||||
- None
|
||||
- Full URL where a copy of the KM Data tarball can be downloaded.
|
||||
- DEPRECATED: Use security_world_iso_zip_url instead.
|
||||
* - thales_rfs_ip_address
|
||||
- None
|
||||
- IPv4 address for the Thales RFS host.
|
||||
- IPv4 address for the RFS host.
|
||||
* - thales_client_ips
|
||||
- None
|
||||
- Whitespace separated list of IP addresses to be added to RFS config.
|
||||
@@ -74,3 +65,6 @@ Requirements
|
||||
------------
|
||||
|
||||
- ansible >= 2.4
|
||||
- Security World Software v13.4.4 ISO ZIP file - The ISO file in ZIP format as
|
||||
provided by Entrust. This should be hosted in an HTTPS server that can be
|
||||
accessed from the target host.
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
---
|
||||
thales_install_client: false
|
||||
thales_configure_rfs: false
|
||||
thales_client_working_dir: /tmp/thales_client_install
|
||||
thales_client_working_dir: /tmp/security_world_install
|
||||
thales_client_gid: 42481
|
||||
thales_client_uid: 42481
|
||||
thales_client_path: linux/libc6_11/amd64/nfast
|
||||
|
||||
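Review bot: `thales_client_working_dir: /tmp/security_world_install` is a fixed, predictable path under the world-writable `/tmp`, and the tasks hunk later imports an RPM signing key from that directory and installs RPMs out of it as root. The `Create working directory` task in that hunk sets `mode: 0755` but no `owner`/`group`, so a directory that already exists at the path keeps whatever ownership it had when the play starts; either default this to a root-only location such as `/root/security_world_install`, or add `owner: root`, `group: root` and `mode: "0700"` to that task. Quoting the mode also sidesteps the YAML 1.1 octal ambiguity of the bare `0755`.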
@@ -2,4 +2,5 @@
|
||||
- name: legacy vars warning
|
||||
debug:
|
||||
msg: "WARNING: Using legacy thales_hsm_ip_address and
|
||||
thales_hsm_config_location variables. Please udpate your vars file."
|
||||
thales_client_tarball_location variables. Please udpate your
|
||||
vars file."
|
||||
|
||||
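Review bot: The rewritten message on the new side still carries the typo `udpate` in `thales_client_tarball_location variables. Please udpate your`; since this is the text operators see, change it to `Please update your`. The wrapped double-quoted scalar folds the line breaks into single spaces, so the new wrapping itself is fine.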
@@ -0,0 +1,9 @@
|
||||
---
|
||||
features:
|
||||
- |
|
||||
This version adds support for the latest Security World client software
|
||||
(v13.4.4). Older security world versions are not supported.
|
||||
deprecations:
|
||||
- |
|
||||
The variable `thales_client_tarball_location` has been deprecated. Use
|
||||
`security_world_iso_zip_url` instead.
|
||||
@@ -1,14 +1,14 @@
|
||||
[metadata]
|
||||
name = ansible-role-thales-hsm
|
||||
summary = ansible-role-thales-hsm - Ansible role to configure Thales HSM clients.
|
||||
summary = ansible-role-thales-hsm - Ansible role to configure nShileld Connect HSM clients.
|
||||
description-file =
|
||||
README.rst
|
||||
author = TripleO Team
|
||||
author-email = alee@redhat.com
|
||||
home-page = https://github.com/dmend/ansible-role-thales-hsm
|
||||
home-page = https://opendev.org/openstack/ansible-role-thales-hsm
|
||||
classifier =
|
||||
License :: OSI Approved :: Apache Software License
|
||||
Development Status :: 4 - Beta
|
||||
Development Status :: 5 - Production/Stable
|
||||
Intended Audience :: Developers
|
||||
Intended Audience :: System Administrators
|
||||
Intended Audience :: Information Technology
|
||||
|
||||
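Review bot: `summary = ansible-role-thales-hsm - Ansible role to configure nShileld Connect HSM clients.` on the new side misspells the product name; it should read `nShield Connect HSM clients`. The rest of the metadata changes (home-page, classifiers) raise nothing.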
@@ -1,97 +1,85 @@
|
||||
---
|
||||
- name: Create working directory
|
||||
file:
|
||||
path: "{{ thales_client_working_dir }}"
|
||||
state: directory
|
||||
mode: 0755
|
||||
path: "{{ thales_client_working_dir }}"
|
||||
state: directory
|
||||
mode: 0755
|
||||
|
||||
- name: create thales group
|
||||
group:
|
||||
name: nfast
|
||||
gid: "{{ thales_client_gid }}"
|
||||
- name: Create nfast group
|
||||
ansible.builtin.group:
|
||||
name: nfast
|
||||
gid: "{{ thales_client_gid }}"
|
||||
|
||||
- name: create thales user
|
||||
user:
|
||||
name: nfast
|
||||
uid: "{{ thales_client_uid }}"
|
||||
group: "{{ thales_client_gid }}"
|
||||
create_home: true
|
||||
home: /opt/nfast
|
||||
- name: Create nfast user
|
||||
ansible.builtin.user:
|
||||
name: nfast
|
||||
uid: "{{ thales_client_uid }}"
|
||||
group: "{{ thales_client_gid }}"
|
||||
create_home: true
|
||||
home: /opt/nfast
|
||||
|
||||
- name: set selinux bool to allow barbican containers to access /opt/nfast
|
||||
seboolean:
|
||||
name: os_barbican_write_pki
|
||||
state: yes
|
||||
persistent: yes
|
||||
name: os_barbican_write_pki
|
||||
state: yes
|
||||
persistent: yes
|
||||
when: ansible_os_family | lower == 'redhat'
|
||||
|
||||
- name: Download Thales client tarball
|
||||
get_url:
|
||||
url: "{{ thales_client_tarball_location }}"
|
||||
dest: "{{ thales_client_working_dir }}/{{ thales_client_tarball_name }}"
|
||||
force: no
|
||||
|
||||
- name: Unpack tarball to working directory
|
||||
unarchive:
|
||||
src: "{{ thales_client_working_dir }}/{{ thales_client_tarball_name }}"
|
||||
dest: "{{ thales_client_working_dir }}"
|
||||
creates: "{{ thales_client_working_dir }}/{{ thales_client_path }}"
|
||||
remote_src: yes
|
||||
|
||||
- name: Unpack tarball to /opt/nfast
|
||||
shell: |
|
||||
for i in `find "{{ thales_client_working_dir }}/{{ thales_client_path }}" -name *.tar` ; do
|
||||
tar -C / -xvf $i ;
|
||||
done
|
||||
args:
|
||||
creates: /opt/nfast/sbin/install
|
||||
|
||||
- name: check for libnsl dependency
|
||||
stat:
|
||||
path: /lib64/libnsl.so.1
|
||||
register: st
|
||||
|
||||
- name: ensure libnsl dependency is installed
|
||||
package:
|
||||
name: libnsl
|
||||
- name: Ensure unzip is avaliable to unzip ISO file
|
||||
ansible.builtin.yum:
|
||||
name: unzip
|
||||
state: present
|
||||
when: not st.stat.exists
|
||||
|
||||
- name: run installer # noqa 306
|
||||
shell: echo "1" | /opt/nfast/sbin/install
|
||||
args:
|
||||
creates: /opt/nfast/kmdata
|
||||
- name: Download and unzip Security World ISO file from given url
|
||||
ansible.builtin.unarchive:
|
||||
src: "{{ security_world_iso_zip_url }}"
|
||||
dest: "{{ thales_client_working_dir }}"
|
||||
remote_src: true
|
||||
|
||||
- name: Get the security world data
|
||||
get_url:
|
||||
url: "{{ thales_km_data_location }}"
|
||||
dest: "/root/{{ thales_km_data_tarball_name }}"
|
||||
force: no
|
||||
- name: Set Security World ISO file path
|
||||
ansible.builtin.set_fact:
|
||||
security_world_iso: "{{ thales_client_working_dir }}/{{ security_world_iso_zip_url | basename | splitext | first }}"
|
||||
|
||||
- name: remove the old km_data
|
||||
file:
|
||||
path: /opt/nfast/kmdata
|
||||
state: absent
|
||||
- name: Extract RPMs and key from Security World ISO
|
||||
community.general.iso_extract:
|
||||
image: "{{ security_world_iso }}"
|
||||
dest: "{{ thales_client_working_dir }}"
|
||||
files:
|
||||
- linux-rpms/amd64/nShield-hwsp.rpm
|
||||
- linux-rpms/amd64/nShield-ctls.rpm
|
||||
- linux-rpms/amd64/nShield-ncsnmp.rpm
|
||||
- linux-rpms/amd64/pubkey.asc
|
||||
|
||||
- name: replace kmdata
|
||||
unarchive:
|
||||
src: "/root/{{ thales_km_data_tarball_name }}"
|
||||
dest: /opt/nfast
|
||||
remote_src: yes
|
||||
- name: Import Security World RPM key
|
||||
ansible.builtin.rpm_key:
|
||||
state: present
|
||||
key: "{{ thales_client_working_dir }}/pubkey.asc"
|
||||
|
||||
- name: Install Security World RPMs
|
||||
ansible.builtin.yum:
|
||||
name: "{{ packages }}"
|
||||
vars:
|
||||
packages:
|
||||
- "{{ thales_client_working_dir }}/nShield-hwsp.rpm"
|
||||
- "{{ thales_client_working_dir }}/nShield-ctls.rpm"
|
||||
- "{{ thales_client_working_dir }}/nShield-ncsnmp.rpm"
|
||||
|
||||
- name: Run installer
|
||||
ansible.builtin.shell: set -o pipefail && echo "1" | /opt/nfast/sbin/install
|
||||
|
||||
- name: create cknfastrc
|
||||
template:
|
||||
src: cknfastrc.j2
|
||||
dest: /opt/nfast/cknfastrc
|
||||
mode: 0644
|
||||
src: cknfastrc.j2
|
||||
dest: /opt/nfast/cknfastrc
|
||||
mode: 0644
|
||||
|
||||
- name: create snmp.conf
|
||||
copy:
|
||||
dest: /opt/nfast/etc/snmp/snmp.conf
|
||||
content: |
|
||||
defaultPort 21161
|
||||
force: yes
|
||||
mode: 0644
|
||||
dest: /opt/nfast/etc/snmp/snmp.conf
|
||||
content: |
|
||||
defaultPort 21161
|
||||
force: yes
|
||||
mode: 0644
|
||||
|
||||
- name: enroll client to hsms
|
||||
include_tasks: client_enroll.yaml
|
||||
@@ -110,8 +98,8 @@
|
||||
- name: enquiry result
|
||||
debug: var=enquiry
|
||||
|
||||
- name: set up rfs_sync
|
||||
command: /opt/nfast/bin/rfs-sync --setup --no-authenticate {{ thales_rfs_server_ip_address }}
|
||||
- name: Set up rfs_sync
|
||||
ansible.builtin.shell: set -o pipefail && echo "yes" | /opt/nfast/bin/rfs-sync --setup {{ thales_rfs_server_ip_address }}
|
||||
|
||||
- name: get keys from rfs server
|
||||
command: /opt/nfast/bin/rfs-sync --update
|
||||
|
||||
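Review bot: The signing key imported at `key: "{{ thales_client_working_dir }}/pubkey.asc"` is extracted from the same ISO whose RPMs are installed immediately afterwards, so the `rpm_key` import verifies nothing that the download at `src: "{{ security_world_iso_zip_url }}"` did not already decide, and that download carries no digest — the only thing between the URL and an `rpm` install as root is TLS. Pin the key with `rpm_key`'s `fingerprint:` option and fetch the ZIP with `get_url` plus `checksum:` before unpacking it, as sketched below (the digest and fingerprint variables are placeholders to be populated from a trusted channel, not values known to this review). The rewritten `Run installer` task also drops the old `creates: /opt/nfast/kmdata` guard, so the installer now re-runs on every play; restore a `creates:` marker, and give both this task and `Set up rfs_sync` in the second hunk `args: executable: /bin/bash`, since `set -o pipefail` is not POSIX `sh`. Piping `yes` into `rfs-sync --setup` presumably auto-accepts whatever the RFS presents at its confirmation prompt; if that prompt is the identity check that `--no-authenticate` used to skip, the new form is no stronger than the old and deserves a comment saying so.
```yaml
- name: Download Security World ISO ZIP from given url
  ansible.builtin.get_url:
    url: "{{ security_world_iso_zip_url }}"
    dest: "{{ thales_client_working_dir }}/{{ security_world_iso_zip_url | basename }}"
    # proposed new variable (placeholder name): expected digest of the vendor ZIP
    checksum: "sha256:{{ security_world_iso_zip_sha256 }}"
    mode: "0644"

- name: Unzip Security World ISO file
  ansible.builtin.unarchive:
    src: "{{ thales_client_working_dir }}/{{ security_world_iso_zip_url | basename }}"
    dest: "{{ thales_client_working_dir }}"
    remote_src: true

# … unchanged: Set Security World ISO file path, Extract RPMs and key from Security World ISO …

- name: Import Security World RPM key
  ansible.builtin.rpm_key:
    state: present
    key: "{{ thales_client_working_dir }}/pubkey.asc"
    # proposed new variable (placeholder name): long-form fingerprint of the
    # vendor signing key, obtained out of band rather than from the ISO
    fingerprint: "{{ security_world_rpm_key_fingerprint }}"

# … unchanged: Install Security World RPMs …

- name: Run installer
  ansible.builtin.shell: set -o pipefail && echo "1" | /opt/nfast/sbin/install
  args:
    executable: /bin/bash
    creates: /opt/nfast/kmdata
```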
@@ -8,6 +8,12 @@
|
||||
when: nshield_hsms is not defined and thales_hsm_ip_address is defined
|
||||
notify: legacy vars warning
|
||||
|
||||
- name: Allow deprecated tarball URL variable
|
||||
ansible.builtin.set_fact:
|
||||
security_world_iso_zip_url: "{{ thales_client_tarball_location }}"
|
||||
when: security_world_iso_zip_url is not defined and thales_client_tarball_location is defined
|
||||
notify: legacy vars warning
|
||||
|
||||
- name: Include RFS tasks
|
||||
include_tasks: rfs.yaml
|
||||
when: thales_configure_rfs
|
||||
|
||||
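Review bot: The new `Allow deprecated tarball URL variable` task notifies `legacy vars warning`, but `ansible.builtin.set_fact` reports `ok` rather than `changed`, so a handler notified from it does not run and the deprecation warning presumably never appears; add `changed_when: true` to the task (the task just above, whose module is outside the hunk, may have the same problem). A one-line comment such as `# TODO: remove this shim when thales_client_tarball_location is dropped` would tie the fallback to the deprecation recorded in the release note.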
@@ -1,17 +1,11 @@
|
||||
---
|
||||
thales_client_working_dir: /tmp/thales_client_install
|
||||
thales_client_tarball_location: http://myserver.example.com/CipherTools-linux64-dev-12.40.2.tgz
|
||||
thales_client_tarball_name: CipherTools-linux64-dev-12.40.2.tgz
|
||||
thales_client_path: linux/libc6_11/amd64/nfast
|
||||
thales_client_uid: 42481
|
||||
thales_client_gid: 42481
|
||||
thales_km_data_location: http://myserver.example.com/kmdata.tar.gz
|
||||
thales_km_data_tarball_name: kmdata.tar.gz
|
||||
thales_rfs_server_ip_address: 192.168.5.20
|
||||
thales_install_client: true
|
||||
security_world_iso_zip_url: https://myhost.example.com/SecWorld_Lin64-13.4.4.iso.zip
|
||||
nshield_hsms:
|
||||
- name: "My HSM 1"
|
||||
ip: 192.168.1.1
|
||||
- name: "My HSM 2"
|
||||
ip: 192.168.1.1
|
||||
thales_rfs_user: admin
|
||||
thales_rfs_key: RSA Private key in PEM format used to log into RFS server.
|
||||
thales_rfs_server_ip_address: 192.168.1.10
|
||||
thales_bootstrap_client: 192.168.100.1
|
||||
thales_client_ips: 192.168.100.1 192.168.100.2 192.168.100.3
|
||||
|
||||