ansible-role-thales-hsm/tasks/client.yaml
Douglas Mendizábal b39d08608f Add support for Security World client v13.4.4
This patch adds support for installing the latest Security World client
software.  The installation media format for that version is a zipped
file containing an ISO.

The mechanism for installing the source media was changed to expect this
new format.  The file is still downloaded to the target host and now
unzip is used instead of tar to unarchive the ISO.

The client software is now installed on the target host using the RPM files
found in the ISO image.

Change-Id: If00a8612cd50f492da833033a2ed3256585617bd
2023-10-02 14:50:11 -04:00


---
# Staging area for the downloaded media, the ISO unpacked from it and the
# RPMs/key pulled out of the ISO.  No owner/group is given, so it belongs to
# whatever account the play runs as; the contents are vendor media, not
# secrets, so world-readable is fine.
- name: Create working directory
  ansible.builtin.file:
    state: directory
    path: "{{ thales_client_working_dir }}"
    mode: '0755'
# Service account for the nShield software.  UID and GID come from role
# variables, presumably so that ownership of /opt/nfast is identical on every
# host and inside the Barbican containers that mount it.
# NOTE(review): neither a login shell nor a password lock is set, so the
# account gets the useradd defaults.  shell=/sbin/nologin would be the usual
# hardening for a daemon account -- confirm the Entrust tooling does not rely
# on an interactive shell for nfast before changing it.
- name: Create nfast group
  ansible.builtin.group:
    gid: "{{ thales_client_gid }}"
    name: nfast
- name: Create nfast user
  ansible.builtin.user:
    home: /opt/nfast
    create_home: true
    uid: "{{ thales_client_uid }}"
    group: "{{ thales_client_gid }}"
    name: nfast
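# os_barbican_write_pki appears to be the openstack-selinux boolean that lets
# the Barbican containers reach into /opt/nfast.  ansible.posix.seboolean
# fails (rather than skips) on a host where SELinux is disabled, so the
# boolean is only touched on RedHat-family hosts that actually have SELinux
# enabled; both conditions rely on gathered facts, as the original did.
- name: Set selinux bool to allow barbican containers to access /opt/nfast
  ansible.posix.seboolean:
    name: os_barbican_write_pki
    state: true
    persistent: true
  when:
    - ansible_os_family | lower == 'redhat'
    - ansible_selinux.status | default('disabled') == 'enabled'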
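- name: Ensure unzip is avaliable to unzip ISO file
  ansible.builtin.yum:
    name: unzip
    state: present
# The media is fetched with get_url rather than handed straight to unarchive
# so that its checksum can be verified before anything inside it -- including
# the RPM signing key -- is trusted.  Set security_world_iso_zip_checksum to
# "<algorithm>:<digest>" (e.g. "sha256:…") obtained from Entrust out of band.
# When the variable is undefined the parameter is omitted and the download is
# accepted unverified, exactly as before.
- name: Download Security World ISO zip from given url
  ansible.builtin.get_url:
    url: "{{ security_world_iso_zip_url }}"
    dest: "{{ thales_client_working_dir }}/{{ security_world_iso_zip_url | basename }}"
    checksum: "{{ security_world_iso_zip_checksum | default(omit) }}"
    mode: '0644'
# The zip now already lives on the target, hence remote_src.
- name: Unzip Security World ISO file
  ansible.builtin.unarchive:
    src: "{{ thales_client_working_dir }}/{{ security_world_iso_zip_url | basename }}"
    dest: "{{ thales_client_working_dir }}"
    remote_src: true
# Assumes the ISO inside the zip is named like the zip minus its last
# extension (foo.iso.zip -> foo.iso); that path is what the later
# iso_extract task opens.
- name: Set Security World ISO file path
  ansible.builtin.set_fact:
    security_world_iso: "{{ thales_client_working_dir }}/{{ security_world_iso_zip_url | basename | splitext | first }}"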
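# Only the three client RPMs and the vendor signing key are taken from the
# ISO; nothing else on the media is used.
- name: Extract RPMs and key from Security World ISO
  community.general.iso_extract:
    image: "{{ security_world_iso }}"
    dest: "{{ thales_client_working_dir }}"
    files:
      - linux-rpms/amd64/nShield-hwsp.rpm
      - linux-rpms/amd64/nShield-ctls.rpm
      - linux-rpms/amd64/nShield-ncsnmp.rpm
      - linux-rpms/amd64/pubkey.asc
# The signing key ships on the same media as the RPMs it signs, so on its own
# a signature check only proves the packages match *a* key that came with the
# download -- whoever can substitute the zip can substitute the key too.
# Setting thales_client_rpm_key_fingerprint (the key's long-form fingerprint,
# obtained from Entrust out of band) makes rpm_key refuse any other key.
# Left undefined, the parameter is omitted and behaviour is unchanged.
- name: Import Security World RPM key
  ansible.builtin.rpm_key:
    state: present
    key: "{{ thales_client_working_dir }}/pubkey.asc"
    fingerprint: "{{ thales_client_rpm_key_fingerprint | default(omit) }}"
# NOTE(review): yum/dnf only signature-check packages given as local files
# when localpkg_gpgcheck is enabled in the package-manager configuration (it
# is off by default), so the key import above may not actually gate this
# install.  Verify on a target host (e.g. `rpmkeys --checksig` on the RPMs,
# or localpkg_gpgcheck=1) before relying on it.
- name: Install Security World RPMs
  ansible.builtin.yum:
    name: "{{ packages }}"
    state: present
  vars:
    packages:
      - "{{ thales_client_working_dir }}/nShield-hwsp.rpm"
      - "{{ thales_client_working_dir }}/nShield-ctls.rpm"
      - "{{ thales_client_working_dir }}/nShield-ncsnmp.rpm"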
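# /opt/nfast/sbin/install is the vendor post-install script (presumably
# placed by the RPMs installed just before).  It is interactive; "1" is piped
# in as the answer to its prompt.
# NOTE(review): which prompt "1" answers is version-specific -- confirm it is
# still the intended choice for the 13.4.4 installer.
# `set -o pipefail` is a bash option, so the interpreter is pinned to bash
# instead of assuming /bin/sh is bash.  There is no known marker file to use
# for `creates`, so the installer is re-run on every play run.
- name: Run installer
  ansible.builtin.shell: set -o pipefail && echo "1" | /opt/nfast/sbin/install
  args:
    executable: /bin/bash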
# Client-side configuration files: cknfastrc is rendered from the role's
# template, snmp.conf is written inline and overwritten on every run so the
# SNMP agent always listens on the pinned port.
- name: Create cknfastrc
  ansible.builtin.template:
    dest: /opt/nfast/cknfastrc
    src: cknfastrc.j2
    mode: '0644'
- name: Create snmp.conf
  ansible.builtin.copy:
    dest: /opt/nfast/etc/snmp/snmp.conf
    content: "defaultPort 21161\n"
    mode: '0644'
    force: true
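# One enrolment pass per HSM listed in nshield_hsms (the loop item is
# available as `item` inside client_enroll.yaml).
- name: Enroll client to hsms
  ansible.builtin.include_tasks: client_enroll.yaml
  loop: "{{ nshield_hsms }}"
# Files written by the installer and enrolment may carry the wrong label;
# relabel the tree before the hardserver is brought back up.  Pointless
# (and potentially failing) without SELinux enabled, so it is skipped there.
- name: Set selinux contexts for /opt/nfast
  ansible.builtin.command: restorecon -R /opt/nfast
  when: ansible_selinux.status | default('disabled') == 'enabled'
- name: Restart hardserver
  ansible.builtin.command: /opt/nfast/sbin/init.d-ncipher restart
# enquiry is a read-only status query used here as the connectivity check:
# a non-zero exit still fails the play, but changed_when: false stops it
# being reported as a change on every run.
- name: Do an enquiry to confirm connection
  ansible.builtin.command: /opt/nfast/bin/enquiry
  register: enquiry
  changed_when: false
- name: Enquiry result
  ansible.builtin.debug:
    var: enquiry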
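# This must be the shell module: `set -o pipefail` and the pipe are shell
# syntax, and ansible.builtin.command would try to exec a program named
# `set` and fail.  bash is pinned because pipefail is a bash option.  The
# server address is shell-quoted so an odd inventory value cannot inject
# extra commands.
# NOTE(review): the piped "yes" answers whatever rfs-sync --setup prompts for,
# unseen.  If that prompt is the acceptance of the RFS's identity this is
# trust-on-first-use over the network -- confirm what 13.4.4 asks and
# whether the RFS should be authenticated explicitly instead.
- name: Set up rfs_sync
  ansible.builtin.shell: set -o pipefail && echo "yes" | /opt/nfast/bin/rfs-sync --setup {{ thales_rfs_server_ip_address | quote }}
  args:
    executable: /bin/bash
# Pull the Security World data from the RFS configured above.
- name: Get keys from rfs server
  ansible.builtin.command: /opt/nfast/bin/rfs-sync --update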