diff --git a/README.rst b/README.rst
index 15bec95..368507c 100644
--- a/README.rst
+++ b/README.rst
@@ -16,6 +16,14 @@ Thales Luna Network HSM.
 * - Name
 - Default Value
 - Description
+ * - lunasa_appliance_user:
+ - admin
+ - Appliance User account used to log into the HSM to manage clients
+ and parititon assignments.
+ * - lunasa_ssh_cipher:
+ - aes256-cbc
+ - `-c cipher_spec` argument passed to SSH/SCP when connecting to the HSM
+ as the `lunasa_appliance_user`.
 * - lunasa_client_working_dir
 - /tmp/lunasa_client_install
 - Working directory in the target host.
@@ -28,6 +36,10 @@ Thales Luna Network HSM.
 * - lunasa_client_installer_path
 - None
 - Path to the instal.sh script inside the tarball.
+ * - lunasa_client_device
+ - sa
+ - Luna product parameter passed to the Luna client software install.sh
+ script.
 * - lunasa_client_pin
 - None
 - The HSM Partition Password (PKCS#11 PIN) to be used by the client.
diff --git a/defaults/main.yaml b/defaults/main.yaml
index a5f2ecf..1dcaa42 100644
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -1,6 +1,9 @@
 ---
 lunasa_client_working_dir: /tmp/lunasa_client_install
 lunasa_client_rotate_cert: false
+lunasa_client_device: sa
+lunasa_appliance_user: admin
 lunasa_ha_label: myHAgroup
 lunasa_user_id: 42493
 lunasa_group_id: 42493
+lunasa_ssh_cipher: aes256-cbc
diff --git a/tasks/main.yaml b/tasks/main.yaml
index a180e4b..5136041 100644
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
@@ -34,7 +34,7 @@
 - name: Run the install.sh script
 ansible.builtin.shell: |
- set -o pipefail && echo y | bash {{ lunasa_client_working_dir }}/{{ lunasa_client_installer_path }} -p sa -c sdk
+ set -o pipefail && echo y | bash {{ lunasa_client_working_dir }}/{{ lunasa_client_installer_path }} -p {{ lunasa_client_device }} -c sdk
 args:
 creates: /usr/lib/libCryptoki2_64.so
 become: true
diff --git a/tasks/register_client.yaml b/tasks/register_client.yaml
index bc62f96..a833c4c 100644
--- a/tasks/register_client.yaml
+++ b/tasks/register_client.yaml
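Review bot: `lunasa_ssh_cipher: aes256-cbc` keeps the CBC cipher that the removed `-c aes256-cbc` arguments hard-coded, but nothing in this file says that an empty value drops the `-c` flag entirely, which is what the new `when: lunasa_ssh_cipher` guard in tasks/register_client.yaml and tasks/unregister_client.yaml implements. A comment above the key would save operators a trip through the task files, e.g. `# Passed to ssh/scp as "-c <cipher>"; set to "" to let the ssh client negotiate its own default. aes256-cbc is the value the role previously hard-coded.` The README row added for this variable describes only the `-c cipher_spec` pass-through and would benefit from the same sentence.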
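Review bot: `-p {{ lunasa_client_device }}` on the new shell line splices a role variable into a shell command without quoting, where the previous line had the literal `sa`; a value containing whitespace or shell metacharacters (from an inventory or extra-vars override) would be interpreted by the shell instead of reaching install.sh as one argument. Use the `quote` filter at that position, `-p {{ lunasa_client_device | quote }} -c sdk`. The same applies to `{{ lunasa_appliance_user }}` wherever the tasks/register_client.yaml and tasks/unregister_client.yaml hunks splice it into the `user@host` word, and to `lunasa_ssh_cipher` inside the `luna_ssh_cipher_parameter` fact (`"-c {{ lunasa_ssh_cipher | quote }}"`; quote the cipher there rather than the assembled fact, which must stay two shell words).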
@@ -3,11 +3,20 @@
 ansible.builtin.debug:
 msg: "Registering client: {{ client_name }} [host: {{ client_host }}, CN: {{ client_cert_cn }}] with HSM: {{ hsm_hostname }}"
+- name: Default to not passing a cipher to scp/ssh
+ ansible.builtin.set_fact:
+ luna_ssh_cipher_parameter: ""
+
+- name: Use ssh cipher when set
+ ansible.builtin.set_fact:
+ luna_ssh_cipher_parameter: "-c {{ lunasa_ssh_cipher }}"
+ when: lunasa_ssh_cipher
+
 - name: Get the hsm server cert from the hsm_server
 ansible.builtin.shell: >
 sshpass -p '{{ hsm_admin_password }}'
- scp -O -o StrictHostKeyChecking=false -c aes256-cbc
- admin@{{ hsm_hostname }}:server.pem
+ scp -O -o StrictHostKeyChecking=false {{ luna_ssh_cipher_parameter }}
+ {{ lunasa_appliance_user }}@{{ hsm_hostname }}:server.pem
 /usr/safenet/lunaclient/bin/{{ hsm_hostname }}.pem
 args:
 creates: /usr/safenet/lunaclient/bin/{{ hsm_hostname }}.pem
@@ -26,8 +35,8 @@
 - name: Check for existing clients
 ansible.builtin.shell: >
 sshpass -p '{{ hsm_admin_password }}'
- ssh -o StrictHostKeyChecking=false -c aes256-cbc admin@{{ hsm_hostname }}
- -C client list
+ ssh -o StrictHostKeyChecking=false {{ luna_ssh_cipher_parameter }}
+ {{ lunasa_appliance_user }}@{{ hsm_hostname }} -C client list
 register: client_list
 - name: Fail if client is already registered, but we don't have that cert
@@ -40,8 +49,8 @@
 - name: Delete existing client when rotating certs
 ansible.builtin.shell: >
- sshpass -p '{{ hsm_admin_password }}' ssh -c aes256-cbc admin@{{ hsm_hostname }}
- -C "client delete -f -c {{ client_name }}"
+ sshpass -p '{{ hsm_admin_password }}' ssh {{ luna_ssh_cipher_parameter }}
+ {{ lunasa_appliance_user }}@{{ hsm_hostname }} -C "client delete -f -c {{ client_name }}"
 when:
 - client_name in client_list.stdout
 - lunasa_client_rotate_cert
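Review bot: The two `set_fact` tasks that build `luna_ssh_cipher_parameter` at the top of this hunk are repeated verbatim in the tasks/unregister_client.yaml hunk, and since the value depends only on `lunasa_ssh_cipher` it can be computed once as a role variable instead of two tasks per include: `luna_ssh_cipher_parameter: "{{ ('-c ' ~ lunasa_ssh_cipher) if lunasa_ssh_cipher else '' }}"` in defaults/main.yaml or vars/main.yaml. That also avoids the host-scoped fact that `set_fact` leaves behind for the rest of the play. Separately, the new name uses a `luna_` prefix while every other variable the role defines uses `lunasa_`; `lunasa_ssh_cipher_parameter` would match the convention.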
@@ -52,13 +61,15 @@
 block:
 - name: Copy the NTL client cert to the HSM
 ansible.builtin.shell: >
- sshpass -p '{{ hsm_admin_password }}' scp -O -c aes256-cbc
+ sshpass -p '{{ hsm_admin_password }}'
+ scp -O {{ luna_ssh_cipher_parameter }}
 /usr/safenet/lunaclient/cert/client/{{ client_cert_cn }}.pem
- admin@{{ hsm_hostname }}:{{ client_host }}.pem
+ {{ lunasa_appliance_user }}@{{ hsm_hostname }}:{{ client_host }}.pem
 - name: Register the client
 ansible.builtin.shell: >
- sshpass -p '{{ hsm_admin_password }}' ssh -c aes256-cbc admin@{{ hsm_hostname }}
+ sshpass -p '{{ hsm_admin_password }}'
+ ssh {{ luna_ssh_cipher_parameter }} {{ lunasa_appliance_user }}@{{ hsm_hostname }}
 -C "client register -c {{ client_name }} {{ client_reg_opt }} {{ client_host }}"
 register: client_register
 failed_when:
@@ -67,7 +78,8 @@
 - name: Assign client to an HSM partition
 ansible.builtin.shell: |
- sshpass -p '{{ hsm_admin_password }}' ssh -c aes256-cbc admin@{{ hsm_hostname }} \
+ sshpass -p '{{ hsm_admin_password }}' ssh {{ luna_ssh_cipher_parameter }} \
+ {{ lunasa_appliance_user }}@{{ hsm_hostname }} \
 -C "client assignPartition -c {{ client_name }} -p {{ hsm_partition }}"
 register: assign_partition
 failed_when:
diff --git a/tasks/unregister_client.yaml b/tasks/unregister_client.yaml
index 64a95ae..2a58605 100644
--- a/tasks/unregister_client.yaml
+++ b/tasks/unregister_client.yaml
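Review bot: The rewritten Assign-client command keeps the `|` literal block with trailing `\` continuations, and the new `{{ lunasa_appliance_user }}@{{ hsm_hostname }} \` line adds a third one, while the other commands this commit rewrites (Get cert, Check, Delete, Copy, Register) use folded `>` scalars that need no backslashes. Switching this task to `ansible.builtin.shell: >`, dropping the three trailing backslashes and leaving the three command fragments on their own lines yields the same single-line command and keeps the five invocations uniform. The task's `failed_when` list continues outside the hunk.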
@@ -1,8 +1,17 @@
 ---
+- name: Default to not passing a cipher to scp/ssh
+ ansible.builtin.set_fact:
+ luna_ssh_cipher_parameter: ""
+
+- name: Use ssh cipher when set
+ ansible.builtin.set_fact:
+ luna_ssh_cipher_parameter: "-c {{ lunasa_ssh_cipher }}"
+ when: lunasa_ssh_cipher
+
 - name: Delete clients from HSM
 ansible.builtin.shell: >
 sshpass -p '{{ item.admin_password }}' ssh -o StrictHostKeyChecking=false
- -c aes256-cbc admin@{{ item.hostname }}
+ {{ luna_ssh_cipher_parameter }} {{ lunasa_appliance_user }}@{{ item.hostname }}
 -C "client delete -f -c {{ client_name }}"
 loop: "{{ lunasa_hsms }}"
 ignore_errors: true
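Review bot: The loop over `lunasa_hsms` already takes the hostname and admin password per item (`item.hostname`, `item.admin_password`), but the new `{{ lunasa_appliance_user }}@` uses one role-wide account for every appliance. If entries of `lunasa_hsms` can run under different appliance accounts, a per-item value with the global as fallback keeps the loop self-contained, e.g. `{{ item.appliance_user | default(lunasa_appliance_user) }}@{{ item.hostname }}` (the key name is illustrative; match whatever schema `lunasa_hsms` entries use). The register_client.yaml hunks take `hsm_hostname` and `hsm_admin_password` per include and would need the same treatment in that case.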