40 rhel 9 support and ejbca7.11 template updates (#40)

* RHEL 9 Support and EJBCA 7.11 Template Updates * RHEL 9 Support and EJBCA 7.11 Template Updates * RHEL 9 Support and EJBCA 7.11 Template Updates * updating CaServers to reflect previous configs * Revert DB key size
Keyfactor · Apr 28, 2023 · 31033b1 · 31033b1
1 parent c1fc465
commit 31033b1
Show file tree

Hide file tree

Showing 13 changed files with 30 additions and 8 deletions.
diff --git a/ansible_ejbca_signsrv/README.md b/ansible_ejbca_signsrv/README.md
@@ -61,7 +61,7 @@ ansible-playbook -i inventory -l ss01,ssTlsCerts,ssCsrCerts deploySS.yml --ask-b
 2. Run:
 
 ```bash
-ansible-playbook -i inventory -l ca01 deployCA.yml --ask-become-pass
+ansible-playbook -i inventory -l ca01 deployCa.yml --ask-become-pass
 ```
 
 ### Deploy an Enterprise external RA

diff --git a/ansible_ejbca_signsrv/deployCa.yml b/ansible_ejbca_signsrv/deployCa.yml
@@ -1,6 +1,6 @@
 ---
 
-# ansible-playbook -i inventory -l ca01 deployCA.yml
+# ansible-playbook -i inventory -l ca01 deployCayml
 
 - hosts: pkiServers
   become: yes

diff --git a/ansible_ejbca_signsrv/group_vars/eeCaServers.yml b/ansible_ejbca_signsrv/group_vars/eeCaServers.yml
@@ -23,21 +23,21 @@ configdump_import_files: "{{ configdump_files }}"
 add_publshers_to_cas: true
 
 # EJBCA version and deployment info
-ejbca_version: 7.10.0.1
+ejbca_version: 7.11.0.1
 # If enabled Ansible controller is used as software repository for Apache Ant, EJBCA, and JDBC driver
 use_local_repository: false
-ejbca_remote_dir: ~/Downloads/PK-Software/ejbca_ee_7_10_0_1.zip
+ejbca_remote_dir: ~/Downloads/PK-Software/ejbca_ee_7_11_0_1.zip
 # EJBCA URL to download the zip release file
-ejbca_software_url: http://172.16.170.133:8080/ejbca/ejbca_ee_7_10_0_1.zip
-ejbca_src_dir_name: ejbca_ee_7_10_0_1
+ejbca_software_url: http://172.16.170.133:8080/ejbca/ejbca_ee_7_11_0_1.zip
+ejbca_src_dir_name: ejbca_ee_7_11_0_1
 ejbca_type: CA
 
 # EJBCA Upgrade version
 ejbca_upgrade_version: 7.11.0
 # EJBCA Upgrade version URL to download the zip release file
-ejbca_upgrade_software_url: http://172.16.170.133:8080/ejbca/ejbca_ee_7_11_0.zip
+ejbca_upgrade_software_url: http://172.16.170.133:8080/ejbca_ee_7_12_0.zip
 # Directory name of EJBCA Upgrade version
-ejbca_upgrade_src_dir: ejbca_ee_7_11_0
+ejbca_upgrade_src_dir: ejbca_ee_7_12_0
 
 # Variables to confgure the Widfly datasource for connecting to the applicable DB
 appsrv_datasources:

diff --git a/ansible_ejbca_signsrv/host_vars/ca01.yml b/ansible_ejbca_signsrv/host_vars/ca01.yml
@@ -181,6 +181,7 @@ management_add_certification_authorities:
     #certificateAiaDefaultCaIssuerUri: "http://aia.{{ organizationDomainName }}/ejbca/publicweb/webdist/certdist?cmd=cacert&issuer=CN%3dManagementCA%2cOU%3dCertification+Authorities%2cO%3d{{ organizationNameCRL }}%2cC%3d{{ countryName }}&level=1"
     authorityInformationAccess: "http://aia.{{ organizationDomainName }}/AIA/{{ organizationName | lower }}-mgmtca.crt"
     certificateAiaDefaultCaIssuerUri: "http://aia.{{ organizationDomainName }}/AIA/{{ organizationName | lower }}-mgmtca.crt"
+    revocationchanging: false
     crlPeriod: 259200000
     crl_overlap_time: 600000
     crlIssueInterval: 86400000
@@ -242,6 +243,7 @@ management_add_certification_authorities:
     #certificateAiaDefaultCaIssuerUri: "http://aia.{{ organizationDomainName }}/ejbca/publicweb/webdist/certdist?cmd=cacert&issuer=CN%3d{{ organizationNameCRL }}+Root+CA+G1%2cOU%3dCertification+Authorities%2cO%3d{{ organizationNameCRL }}%2cC%3d{{ countryName }}&level=1"
     authorityInformationAccess: "http://aia.{{ organizationDomainName }}/AIA/{{ organizationNameShort | lower }}-rootca-g1.crt"
     certificateAiaDefaultCaIssuerUri: "http://aia.{{ organizationDomainName }}/{{ organizationNameShort | lower }}-rootca-g1.crt"
+    revocationchanging: false
     crlPeriod: 15552000000
     crlPeriod_yml: 6mo
     crlIssueInterval: 0
@@ -325,6 +327,7 @@ sub_add_certification_authorities:
     #certificateAiaDefaultCaIssuerUri: "http://aia.{{ organizationDomainName }}/ejbca/publicweb/webdist/certdist?cmd=cacert&issuer=CN%3d{{ organizationNameCRL }}+Issuing+CA+G1%2cOU%3dCertification+Authorities%2cO%3d{{ organizationNameCRL }}%2cC%3d{{ countryName }}&level=1"
     authorityInformationAccess: "http://aia.{{ organizationDomainName }}/AIA/{{ organizationNameShort | lower }}-subca-g1.crt"
     certificateAiaDefaultCaIssuerUri: "http://aia.{{ organizationDomainName }}/AIA/{{ organizationNameShort | lower }}-subca-g1.crt"
+    revocationchanging: false
     crlPeriod: 259200000
     crlPeriod_yml: 3d
     crlIssueInterval: 86400000

diff --git a/ansible_ejbca_signsrv/roles/ansible-ejbca-cnfdump-stage/templates/acme-alias-1.yaml.j2 b/ansible_ejbca_signsrv/roles/ansible-ejbca-cnfdump-stage/templates/acme-alias-1.yaml.j2
@@ -22,4 +22,7 @@ Require External Account Binding: false
 {% if ejbca_version is version('7.7.0', '>=') %}
 Approval Profile for newAccount: -1
 Approval Profile for keyChange: -1
+{% endif %}
+{% if ejbca_version is version('7.11.0', '>=') %}
+Require Client Authentication: false
 {% endif %}
diff --git a/ansible_ejbca_signsrv/roles/ansible-ejbca-cnfdump-stage/templates/ca-template.yml.j2 b/ansible_ejbca_signsrv/roles/ansible-ejbca-cnfdump-stage/templates/ca-template.yml.j2
@@ -49,6 +49,9 @@ Delta CRL Period: {{ item.delta_crl_period }}
 {% if ejbca_version is version('7.5.0', '>=') %}
 Generate CRL Upon Revocation: {{ item.generate_crl_upon_revocation | default('false') }}
 {% endif %}
+{% if ejbca_version is version('7.11.0', '>=') and item.revocationchanging is defined %}
+Allow Changing Revocation Reason: {{ item.revocationchanging }}
+{% endif %}
 Default CRL Distribution Point: {{ item.defaultCRLDP }}
 OCSP Service Default URI: {{ item.defaultOCSPServiceLocator }}
 AIA CA Issuer URIs:

diff --git a/ansible_ejbca_signsrv/roles/ansible-ejbca-pkc11-client/tasks/install_softhsm.yml b/ansible_ejbca_signsrv/roles/ansible-ejbca-pkc11-client/tasks/install_softhsm.yml
@@ -24,6 +24,7 @@
   when: 
     - (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "8") or
       (ansible_facts['distribution'] == "RedHat" and ansible_facts['distribution_major_version'] == "8") or
+      (ansible_facts['distribution'] == "RedHat" and ansible_facts['distribution_major_version'] == "9") or
       (ansible_facts['distribution'] == "OracleLinux" and ansible_facts['distribution_major_version'] == "8")
 
 - name: Install SoftHSM on Alma or Rocky Linux

diff --git a/ansible_ejbca_signsrv/roles/ansible-ejbca-prep/tasks/install.yml b/ansible_ejbca_signsrv/roles/ansible-ejbca-prep/tasks/install.yml
@@ -15,6 +15,7 @@
     state: present
   when: (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "8") or
         (ansible_facts['distribution'] == "RedHat" and ansible_facts['distribution_major_version'] == "8") or
+        (ansible_facts['distribution'] == "RedHat" and ansible_facts['distribution_major_version'] == "9") or
         (ansible_facts['distribution'] == "OracleLinux" and ansible_facts['distribution_major_version'] == "8") or
         (ansible_facts['distribution'] == "Rocky" and ansible_facts['distribution_major_version'] == "8") or
         (ansible_facts['distribution'] == "AlmaLinux" and ansible_facts['distribution_major_version'] == "8")

diff --git a/ansible_ejbca_signsrv/roles/ansible-pki-ss-httpd/tasks/configure.yml b/ansible_ejbca_signsrv/roles/ansible-pki-ss-httpd/tasks/configure.yml
@@ -77,6 +77,7 @@
       when: 
         - (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "8") or
           (ansible_facts['distribution'] == "RedHat" and ansible_facts['distribution_major_version'] == "8") or
+          (ansible_facts['distribution'] == "RedHat" and ansible_facts['distribution_major_version'] == "9") or
           (ansible_facts['distribution'] == "OracleLinux" and ansible_facts['distribution_major_version'] == "8") or
           (ansible_facts['distribution'] == "Rocky" and ansible_facts['distribution_major_version'] == "8") or
           (ansible_facts['distribution'] == "AlmaLinux" and ansible_facts['distribution_major_version'] == "8")
@@ -123,6 +124,7 @@
       tags: reverse-proxy
       when: (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "8") or
             (ansible_facts['distribution'] == "RedHat" and ansible_facts['distribution_major_version'] == "8") or
+            (ansible_facts['distribution'] == "RedHat" and ansible_facts['distribution_major_version'] == "9") or
             (ansible_facts['distribution'] == "OracleLinux" and ansible_facts['distribution_major_version'] == "8") or
             (ansible_facts['distribution'] == "Rocky" and ansible_facts['distribution_major_version'] == "8") or
             (ansible_facts['distribution'] == "AlmaLinux" and ansible_facts['distribution_major_version'] == "8")

diff --git a/ansible_ejbca_signsrv/roles/ansible-role-mariadb/tasks/config.yml b/ansible_ejbca_signsrv/roles/ansible-role-mariadb/tasks/config.yml
@@ -65,6 +65,7 @@
       when: (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "7") or
             (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "8") or
             (ansible_facts['distribution'] == "RedHat" and ansible_facts['distribution_major_version'] == "8") or
+            (ansible_facts['distribution'] == "RedHat" and ansible_facts['distribution_major_version'] == "9") or
             (ansible_facts['distribution'] == "OracleLinux" and ansible_facts['distribution_major_version'] == "8") or
             (ansible_facts['distribution'] == "Rocky" and ansible_facts['distribution_major_version'] == "8") or
             (ansible_facts['distribution'] == "AlmaLinux" and ansible_facts['distribution_major_version'] == "8")
@@ -163,6 +164,7 @@
   when: (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "7") or
         (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "8") or
         (ansible_facts['distribution'] == "RedHat" and ansible_facts['distribution_major_version'] == "8") or
+        (ansible_facts['distribution'] == "RedHat" and ansible_facts['distribution_major_version'] == "9") or
         (ansible_facts['distribution'] == "OracleLinux" and ansible_facts['distribution_major_version'] == "8") or
         (ansible_facts['distribution'] == "Rocky" and ansible_facts['distribution_major_version'] == "8") or
         (ansible_facts['distribution'] == "AlmaLinux" and ansible_facts['distribution_major_version'] == "8")

diff --git a/ansible_ejbca_signsrv/roles/ansible-role-mariadb/tasks/install.yml b/ansible_ejbca_signsrv/roles/ansible-role-mariadb/tasks/install.yml
@@ -34,6 +34,7 @@
   when: 
     - (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "8") or
       (ansible_facts['distribution'] == "RedHat" and ansible_facts['distribution_major_version'] == "8") or
+      (ansible_facts['distribution'] == "RedHat" and ansible_facts['distribution_major_version'] == "9") or
       (ansible_facts['distribution'] == "OracleLinux" and ansible_facts['distribution_major_version'] == "8") or 
       (ansible_facts['distribution'] == "Rocky" and ansible_facts['distribution_major_version'] == "8") or
       (ansible_facts['distribution'] == "AlmaLinux" and ansible_facts['distribution_major_version'] == "8")
@@ -65,6 +66,7 @@
   when: 
     - (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "8") or
       (ansible_facts['distribution'] == "RedHat" and ansible_facts['distribution_major_version'] == "8") or
+      (ansible_facts['distribution'] == "RedHat" and ansible_facts['distribution_major_version'] == "9") or
       (ansible_facts['distribution'] == "OracleLinux" and ansible_facts['distribution_major_version'] == "8") or 
       (ansible_facts['distribution'] == "Rocky" and ansible_facts['distribution_major_version'] == "8") or
       (ansible_facts['distribution'] == "AlmaLinux" and ansible_facts['distribution_major_version'] == "8")
diff --git a/ansible_ejbca_signsrv/roles/ansible-role-rds/tasks/install.yml b/ansible_ejbca_signsrv/roles/ansible-role-rds/tasks/install.yml
@@ -11,6 +11,7 @@
   when: (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "7") or
         (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "8") or
         (ansible_facts['distribution'] == "RedHat" and ansible_facts['distribution_major_version'] == "8") or 
+        (ansible_facts['distribution'] == "RedHat" and ansible_facts['distribution_major_version'] == "9") or
         (ansible_facts['distribution'] == "OracleLinux" and ansible_facts['distribution_major_version'] == "8") or
         (ansible_facts['distribution'] == "Rocky" and ansible_facts['distribution_major_version'] == "8")
 
@@ -24,6 +25,7 @@
   tags: mariadb
   when: (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "8") or
         (ansible_facts['distribution'] == "RedHat" and ansible_facts['distribution_major_version'] == "8") or 
+        (ansible_facts['distribution'] == "RedHat" and ansible_facts['distribution_major_version'] == "9") or
         (ansible_facts['distribution'] == "OracleLinux" and ansible_facts['distribution_major_version'] == "8") 
 
 - name: Install packages CentOS 7
@@ -50,5 +52,6 @@
   tags: mariadb
   when: (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "8") or
         (ansible_facts['distribution'] == "RedHat" and ansible_facts['distribution_major_version'] == "8") or 
+        (ansible_facts['distribution'] == "RedHat" and ansible_facts['distribution_major_version'] == "9") or
         (ansible_facts['distribution'] == "OracleLinux" and ansible_facts['distribution_major_version'] == "8") or
         (ansible_facts['distribution'] == "Rocy" and ansible_facts['distribution_major_version'] == "8")
diff --git a/ansible_ejbca_signsrv/roles/ansible-ss-prep/tasks/install.yml b/ansible_ejbca_signsrv/roles/ansible-ss-prep/tasks/install.yml
@@ -7,6 +7,7 @@
   when: 
     - (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "8") or
       (ansible_facts['distribution'] == "RedHat" and ansible_facts['distribution_major_version'] == "8") or
+      (ansible_facts['distribution'] == "RedHat" and ansible_facts['distribution_major_version'] == "9") or
       (ansible_facts['distribution'] == "OracleLinux" and ansible_facts['distribution_major_version'] == "8") or 
       (ansible_facts['distribution'] == "Rocky" and ansible_facts['distribution_major_version'] == "8") or
       (ansible_facts['distribution'] == "AlmaLinux" and ansible_facts['distribution_major_version'] == "8") or
@@ -20,6 +21,7 @@
   when: 
     - (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "8") or
       (ansible_facts['distribution'] == "RedHat" and ansible_facts['distribution_major_version'] == "8") or
+      (ansible_facts['distribution'] == "RedHat" and ansible_facts['distribution_major_version'] == "9") or
       (ansible_facts['distribution'] == "OracleLinux" and ansible_facts['distribution_major_version'] == "8") or 
       (ansible_facts['distribution'] == "Rocky" and ansible_facts['distribution_major_version'] == "8") or
       (ansible_facts['distribution'] == "AlmaLinux" and ansible_facts['distribution_major_version'] == "8")