Ansible role to manage Thales Hardware Security Module (HSM) client software


  1. ---
  2. - name: Create working directory
  3. file:
  4. path: "{{ thales_client_working_dir }}"
  5. state: directory
  6. mode: 0755
  7. - name: create thales group
  8. group:
  9. name: nfast
  10. gid: "{{ thales_client_gid }}"
  11. - name: create thales user
  12. user:
  13. name: nfast
  14. uid: "{{ thales_client_uid }}"
  15. group: "{{ thales_client_gid }}"
  16. create_home: true
  17. home: /opt/nfast
  18. - name: set selinux bool to allow barbican containers to access /opt/nfast
  19. seboolean:
  20. name: os_barbican_write_pki
  21. state: yes
  22. persistent: yes
  23. when: ansible_os_family | lower == 'redhat'
  24. - name: Download Thales client tarball
  25. get_url:
  26. url: "{{ thales_client_tarball_location }}"
  27. dest: "{{ thales_client_working_dir }}/{{ thales_client_tarball_name }}"
  28. force: no
  29. - name: Unpack tarball to working directory
  30. unarchive:
  31. src: "{{ thales_client_working_dir }}/{{ thales_client_tarball_name }}"
  32. dest: "{{ thales_client_working_dir }}"
  33. creates: "{{ thales_client_working_dir }}/{{ thales_client_path }}"
  34. remote_src: yes
  35. - name: Unpack tarball to /opt/nfast
  36. shell: |
  37. for i in `find "{{ thales_client_working_dir }}/{{ thales_client_path }}" -name *.tar` ; do
  38. tar -C / -xvf $i ;
  39. done
  40. args:
  41. creates: /opt/nfast/sbin/install
  42. - name: check for libnsl dependency
  43. stat:
  44. path: /lib64/libnsl.so.1
  45. register: st
  46. - name: ensure libnsl dependency is installed
  47. package:
  48. name: libnsl
  49. state: present
  50. when: not st.stat.exists
  51. - name: run installer # noqa 306
  52. shell: echo "1" | /opt/nfast/sbin/install
  53. args:
  54. creates: /opt/nfast/kmdata
  55. - name: Get the security world data
  56. get_url:
  57. url: "{{ thales_km_data_location }}"
  58. dest: "/root/{{ thales_km_data_tarball_name }}"
  59. force: no
  60. - name: remove the old km_data
  61. file:
  62. path: /opt/nfast/kmdata
  63. state: absent
  64. - name: replace kmdata
  65. unarchive:
  66. src: "/root/{{ thales_km_data_tarball_name }}"
  67. dest: /opt/nfast
  68. remote_src: yes
  69. - name: run anonkneti to get hash
  70. command: /opt/nfast/bin/anonkneti "{{ thales_hsm_ip_address }}"
  71. register: anonkneti
  72. - name: output of anonkneti
  73. debug: var=anonkneti.stdout_lines
  74. - name: create cknfastrc
  75. copy:
  76. dest: /opt/nfast/cknfastrc
  77. content: |
  78. CKNFAST_OVERRIDE_SECURITY_ASSURANCES=explicitness
  79. force: no
  80. - name: create snmp.conf
  81. copy:
  82. dest: /opt/nfast/etc/snmp/snmp.conf
  83. content: |
  84. defaultPort 21161
  85. force: yes
  86. - name: enroll client to HSM
  87. command: /opt/nfast/bin/nethsmenroll --force {{ thales_hsm_ip_address }} {{ anonkneti.stdout_lines[0] }}
  88. - name: set selinux contexts for /opt/nfast
  89. command: restorecon -R /opt/nfast
  90. - name: restart hardserver
  91. command: /opt/nfast/sbin/init.d-ncipher restart
  92. - name: do an enquiry to confirm connection
  93. command: /opt/nfast/bin/enquiry
  94. register: enquiry
  95. - name: enquiry result
  96. debug: var=enquiry
  97. - name: set up rfs_sync
  98. command: /opt/nfast/bin/rfs-sync --setup --no-authenticate {{ thales_rfs_server_ip_address }}
  99. - name: get keys from rfs server
  100. command: /opt/nfast/bin/rfs-sync --update