Ansible role to manage Thales Hardware Security Module (HSM) client software
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

125 lines
3.1 KiB

---
- name: Create working directory
file:
path: "{{ thales_client_working_dir }}"
state: directory
mode: 0755
- name: create thales group
group:
name: nfast
gid: "{{ thales_client_gid }}"
- name: create thales user
user:
name: nfast
uid: "{{ thales_client_uid }}"
group: "{{ thales_client_gid }}"
create_home: true
home: /opt/nfast
- name: set selinux bool to allow barbican containers to access /opt/nfast
seboolean:
name: os_barbican_write_pki
state: yes
persistent: yes
when: ansible_os_family | lower == 'redhat'
- name: Download Thales client tarball
get_url:
url: "{{ thales_client_tarball_location }}"
dest: "{{ thales_client_working_dir }}/{{ thales_client_tarball_name }}"
force: no
- name: Unpack tarball to working directory
unarchive:
src: "{{ thales_client_working_dir }}/{{ thales_client_tarball_name }}"
dest: "{{ thales_client_working_dir }}"
creates: "{{ thales_client_working_dir }}/{{ thales_client_path }}"
remote_src: yes
- name: Unpack tarball to /opt/nfast
shell: |
for i in `find "{{ thales_client_working_dir }}/{{ thales_client_path }}" -name *.tar` ; do
tar -C / -xvf $i ;
done
args:
creates: /opt/nfast/sbin/install
- name: check for libnsl dependency
stat:
path: /lib64/libnsl.so.1
register: st
- name: ensure libnsl dependency is installed
package:
name: libnsl
state: present
when: not st.stat.exists
- name: run installer # noqa 306
shell: echo "1" | /opt/nfast/sbin/install
args:
creates: /opt/nfast/kmdata
- name: Get the security world data
get_url:
url: "{{ thales_km_data_location }}"
dest: "/root/{{ thales_km_data_tarball_name }}"
force: no
- name: remove the old km_data
file:
path: /opt/nfast/kmdata
state: absent
- name: replace kmdata
unarchive:
src: "/root/{{ thales_km_data_tarball_name }}"
dest: /opt/nfast
remote_src: yes
- name: run anonkneti to get hash
command: /opt/nfast/bin/anonkneti "{{ thales_hsm_ip_address }}"
register: anonkneti
- name: output of anonkneti
debug: var=anonkneti.stdout_lines
- name: create cknfastrc
copy:
dest: /opt/nfast/cknfastrc
content: |
CKNFAST_OVERRIDE_SECURITY_ASSURANCES=explicitness
force: no
mode: 0644
- name: create snmp.conf
copy:
dest: /opt/nfast/etc/snmp/snmp.conf
content: |
defaultPort 21161
force: yes
mode: 0644
- name: enroll client to HSM
command: /opt/nfast/bin/nethsmenroll --force {{ thales_hsm_ip_address }} {{ anonkneti.stdout_lines[0] }}
- name: set selinux contexts for /opt/nfast
command: restorecon -R /opt/nfast
- name: restart hardserver
command: /opt/nfast/sbin/init.d-ncipher restart
- name: do an enquiry to confirm connection
command: /opt/nfast/bin/enquiry
register: enquiry
- name: enquiry result
debug: var=enquiry
- name: set up rfs_sync
command: /opt/nfast/bin/rfs-sync --setup --no-authenticate {{ thales_rfs_server_ip_address }}
- name: get keys from rfs server
command: /opt/nfast/bin/rfs-sync --update