From 6c98e5ef2a6b5a0683274bbdee3122020e20d99c Mon Sep 17 00:00:00 2001 
From: Sven <61806451+svenska-primekey@users.noreply.github.com> Date: Wed, 28 Feb 2024 15:42:03 +0530 Subject: [PATCH] Add new role for EJBCA cloud to automate the wizard and configure EJBCA (#46) --- ansible_ejbca_signsrv/README.md | 11 + ansible_ejbca_signsrv/ansible.cfg | 2 + ansible_ejbca_signsrv/ecloudDeployCa.yml | 10 + ansible_ejbca_signsrv/ecloud_inventory | 14 + .../group_vars/ecloudCaServers.yml | 63 +++ .../host_vars/ejbca-cloud-ca1.yml | 380 ++++++++++++++++++ .../README.md | 38 ++ .../defaults/main.yml | 2 + .../handlers/main.yml | 2 + .../meta/main.yml | 52 +++ .../tasks/main.yml | 49 +++ .../templates/params.json.j2 | 14 + .../tests/inventory | 2 + .../tests/test.yml | 5 + .../vars/main.yml | 2 + .../README.md | 38 ++ .../defaults/main.yml | 2 + .../handlers/main.yml | 2 + .../meta/main.yml | 52 +++ .../tasks/main.yml | 258 ++++++++++++ .../tests/inventory | 2 + .../tests/test.yml | 5 + .../vars/main.yml | 2 + 23 files changed, 1007 insertions(+) create mode 100644 ansible_ejbca_signsrv/ecloudDeployCa.yml create mode 100644 ansible_ejbca_signsrv/ecloud_inventory create mode 100644 ansible_ejbca_signsrv/group_vars/ecloudCaServers.yml create mode 100644 ansible_ejbca_signsrv/host_vars/ejbca-cloud-ca1.yml create mode 100644 ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/README.md create mode 100644 ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/defaults/main.yml create mode 100644 ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/handlers/main.yml create mode 100644 ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/meta/main.yml create mode 100644 ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/tasks/main.yml create mode 100644 ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/templates/params.json.j2 create mode 100644 ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/tests/inventory create mode 100644 
ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/tests/test.yml create mode 100644 ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/vars/main.yml create mode 100644 ansible_ejbca_signsrv/roles/ansible-ejbca-deploy-cloud-ca-sample/README.md create mode 100644 ansible_ejbca_signsrv/roles/ansible-ejbca-deploy-cloud-ca-sample/defaults/main.yml create mode 100644 ansible_ejbca_signsrv/roles/ansible-ejbca-deploy-cloud-ca-sample/handlers/main.yml create mode 100644 ansible_ejbca_signsrv/roles/ansible-ejbca-deploy-cloud-ca-sample/meta/main.yml create mode 100644 ansible_ejbca_signsrv/roles/ansible-ejbca-deploy-cloud-ca-sample/tasks/main.yml create mode 100644 ansible_ejbca_signsrv/roles/ansible-ejbca-deploy-cloud-ca-sample/tests/inventory create mode 100644 ansible_ejbca_signsrv/roles/ansible-ejbca-deploy-cloud-ca-sample/tests/test.yml create mode 100644 ansible_ejbca_signsrv/roles/ansible-ejbca-deploy-cloud-ca-sample/vars/main.yml diff --git a/ansible_ejbca_signsrv/README.md b/ansible_ejbca_signsrv/README.md index face73e..e9eb0d9 100644 --- a/ansible_ejbca_signsrv/README.md +++ b/ansible_ejbca_signsrv/README.md 
@@ -81,6 +81,17 @@ ansible-playbook -i inventory -l ra01,pkiTlsCerts deployRa.yml --ask-become-pass ansible-playbook -i inventory -l eeVaServers,va01,pkiTlsCerts,pkiCsrCerts deployVa.yml --ask-become-pass ```
+### Configure EJBCA Cloud instance
+Use this play to automate the configuration of an EJBCA Cloud instance with zero touch.
+
+1. Edit _group_vars/ecloudCaServers.yml_, _host_vars/ejbca-cloud-ca1.yml_, and _ecloud_inventory_.
+2. Edit _ansible.cfg_ and set or add: `host_key_checking = False`, this is only needed if the host key is not trusted yet.
+3. Run:
+
+```bash
+ansible-playbook -i ecloud_inventory -l ejbca-cloud-ca1 ecloudDeployCa.yml --ask-become-pass
+```
+
 ### Upgrade EJBCA Community or Enterprise 1. Edit _group_vars/ceServers.yml_ or _group_vars/eeCaServers.yml_, _group_vars/eeRaServers.yml_, _group_vars/eeVaServers.yml_ and _inventory_. 2. Run to upgrade Community:
diff --git a/ansible_ejbca_signsrv/ansible.cfg b/ansible_ejbca_signsrv/ansible.cfg
index 4ba74d5..ad1a068 100644
--- a/ansible_ejbca_signsrv/ansible.cfg
+++ b/ansible_ejbca_signsrv/ansible.cfg
@@ -4,6 +4,8 @@ inventory = ./inventory fact_caching = jsonfile fact_caching_connection = ~/ansible/ansibleCacheDir fact_caching_timeout = 86400
+# Set to false when working with cloud instances if you haven't connect to the instance yet.
+# host_key_checking = False
 ansible_managed = This file is managed by Ansible.%n template: {file}
diff --git a/ansible_ejbca_signsrv/ecloudDeployCa.yml b/ansible_ejbca_signsrv/ecloudDeployCa.yml
new file mode 100644
index 0000000..e7ca9dd
--- /dev/null
+++ b/ansible_ejbca_signsrv/ecloudDeployCa.yml
@@ -0,0 +1,10 @@
+---
+
+# ansible-playbook -i ecloud_inventory -l ejbca-cloud-ca1 ecloudDeployCa.yml
+
+- hosts: ecloudCaServers
+ become: yes
+ become_method: sudo
+ roles:
+ - ansible-ejbca-cloud-wizard-silence
+ - ansible-ejbca-deploy-cloud-ca-sample
\ No newline at end of file
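Review bot: The new `# host_key_checking = False` line in ansible.cfg, together with the README step that tells users to enable it, removes SSH host authentication for the very first connection to a freshly built CA, which is the same session that uploads the wizard answers and the SuperAdmin password, so a spoofed endpoint would receive the initial admin credential. A safer bootstrap is to obtain the instance's host key fingerprint out of band (the cloud provider's console/boot log prints it) and add it to known_hosts before the first run, leaving host key checking at its default. If the toggle stays, reword the comment so it is understood as a one-off rather than a permanent setting, e.g. `# Only for the first connection to a new cloud instance whose host key is not yet in known_hosts; re-enable afterwards.`, which also fixes the "haven't connect" wording.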
diff --git a/ansible_ejbca_signsrv/ecloud_inventory b/ansible_ejbca_signsrv/ecloud_inventory
new file mode 100644
index 0000000..c34f8c2
--- /dev/null
+++ b/ansible_ejbca_signsrv/ecloud_inventory
@@ -0,0 +1,14 @@
+---
+
+all:
+ hosts:
+ children:
+ ecloudCaServers:
+ hosts:
+ ejbca-cloud-ca1:
+ # IP or FQDN to access the cloud instance by
+ ansible_host:
+ #Username for accessing the cloud instance via SSH. AWS uses ec2-user, Azure the name is chosen
+ ansible_user: ec2-user
+ # Set the private location if not using something fancier...
+ ansible_ssh_private_key_file: /Users/myuser/.ssh/cloud-ssh.pem
\ No newline at end of file
diff --git a/ansible_ejbca_signsrv/group_vars/ecloudCaServers.yml b/ansible_ejbca_signsrv/group_vars/ecloudCaServers.yml
new file mode 100644
index 0000000..19bf811
--- /dev/null
+++ b/ansible_ejbca_signsrv/group_vars/ecloudCaServers.yml
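Review bot: `ansible_host:` is committed with no value, which YAML loads as null, so a user who only fills in the key path gets a connection failure that does not point at this line; an obvious placeholder such as `ansible_host: REPLACE-WITH-INSTANCE-FQDN` fails more legibly. The private key path `/Users/myuser/.ssh/cloud-ssh.pem` is a personal absolute path; `~/.ssh/cloud-ssh.pem` (or passing `--private-key` on the command line) keeps the inventory portable and avoids committing workstation usernames. The SSH user is also declared twice in this change, here as `ansible_user` and again in host_vars as `ecloud_ejbca_user`; deriving one from the other, `ecloud_ejbca_user: "{{ ansible_user }}"`, prevents the two from drifting apart.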
@@ -0,0 +1,63 @@ +--- + +# If enabled this will configure a publisher for OCSP, OCSP signer key update service, OSCP publishing queue, OCSP publisher to the certificate profiles, +# create Peer connection, and create an auth key binding +use_external_va: false + +# If enabled this will configure a Peer connection, and add the RA Peer role to EJBCA +use_external_ra: false + +# If enabled configures a Peer connectiona nd key binding for Sign Server +use_external_ss: false + +# Initialize a CA using configdump instead of the CLI. This works for CA's that are not being signed by +# an external CA. When using this option a crypto token is created in EJBCA, and then the CA is imported +# using configdump and initialized. This can be used for the Management CA, Roots, and Sub CA's on the same +# EJBCA node. As stated this cannot be used for externally signed CA's at this time. +deploy_with_configdump: true +configdump_directory_structure: "{{ configdump_dir_structure }}" +configdump_import_files: "{{ configdump_files }}" + +# Add publishers to the CA's in EJBCA. CA's created before the publisher is added to EJBCA and want to leverage the publisher +# should use this option to add the publisher to the CA. 
+add_publshers_to_cas: false + +# EJBCA version and deployment info +ejbca_version: 8.2.0 + +# Enrollment protocols to disable on EJBCA +disable_ejbca_protocols: + - name: MSAE + - name: 'ITS Certificate Management' + - name: 'REST Coap Management' + - name: Webdist + - name: 'Web Service' + #- name: 'RA Web' + #- name: 'Public Web' # No longer in EJBCA 8.0 + +# Enrollment protocols to enable on EJBCA +enable_ejbca_protocols: + - name: Certstore + - name: CRLstore + - name: 'REST CA Management' + - name: 'REST Certificate Management' + - name: 'REST Crypto Token Management' + - name: 'REST SSH V1' + - name: 'REST Certificate Management V2' + - name: 'REST Configdump' + - name: 'REST End Entity Management V2' + - name: 'REST End Entity Management' + - name: ACME + - name: CMP + - name: EST + - name: OCSP + - name: SCEP + +# CRL Update Service Worker Settings +crl_service_time_int: 1 +crl_service_time_unit: HOURS + +# Configure the RA Peering requests +ra_peer_max_parallel_reqs: 50 +ra_peer_min_parallel_reqs: 2 + diff --git a/ansible_ejbca_signsrv/host_vars/ejbca-cloud-ca1.yml b/ansible_ejbca_signsrv/host_vars/ejbca-cloud-ca1.yml new file mode 100644 index 0000000..524fd64 --- /dev/null +++ b/ansible_ejbca_signsrv/host_vars/ejbca-cloud-ca1.yml 
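Review bot: `enable_ejbca_protocols` turns on `REST Configdump`, `REST CA Management` and `REST Crypto Token Management` for every host in the group, which exposes full configuration export/import and key-material management over HTTPS on a CA node; unless the deploy role or a client actually needs them, keep those entries commented out like `RA Web` and enable per deployment, with a comment saying why each is on. The variable `add_publshers_to_cas` is misspelled; if the role that consumes it reads `add_publishers_to_cas` (not visible in this change), this setting is silently ignored, so the name should be checked against the consumer. There is also an inconsistency with the host_vars in this same commit: `use_external_va: false` here, while both CA definitions attach the publisher `validationAuthorityPeerPub-OCSP-01`, which the comment above says is only created when the external VA option is enabled. Minor typo in the comment: "connectiona nd" should be "connection and".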
@@ -0,0 +1,380 @@ +--- + +# EJBCA Cloud Wizard Answer file settings: +# Hostname used in the TLS cert and the subject alt name +ecloud_hostname: ecloudca1.keyfactor.demo +# Include a DNS SAN in the TLS certificate +ecloud_sanCheckbox: yes +# Create the initial CA, allowed values are: importmca, createmca +ecloud_create_ca_radio: createmca +# Common name for the first CA to create in EJBCA. Defacto is to call it ManagementCA +# Use ONLY when ecloud_create_ca_radio is createmca +ecloud_CA_CN: ManagementCA +# Organizationl Unit to use in the CA DN +# Use ONLY when ecloud_create_ca_radio is createmca +ecloud_CA_OU: Certification Authorities +# Organization to use in the CA DN +# Use ONLY when ecloud_create_ca_radio is createmca +ecloud_CA_O: Keyfactor Automation +# Key size for the first CA +# Use ONLY when ecloud_create_ca_radio is createmca +ecloud_CA_key_size: 3072 +# Common name for the initial Admin entity +# Use ONLY when ecloud_create_ca_radio is createmca +ecloud_init_admin_name: SuperAdmin +# Password for the initial Admin entity +# Use ONLY when ecloud_create_ca_radio is createmca +ecloud_init_admin_passwd: foo123 +# Common name from the initial Admin entity certificate. +# Use ONLY when ecloud_create_ca_radio is importmca and this +# should match the ecloud_init_admin_name value. +ecloud_init_admin_CN: + +# CA Certificate to upload when importmca option is used with the wizard +# Use ONLY when ecloud_create_ca_radio is importmca +ecloud_cacrt_file: + +# Username for accessing the cloud instance via SSH. 
AWS uses ec2-user, Azure the name is chosen +ecloud_ejbca_user: ec2-user +ecloud_ejbca_group: ec2-user + +# Configure the Orgnaization variables used for templating DN's and FQDN's +organizationName: "Keyfactor Demo" +organizationNameShort: "KeyfactorDemo" +organizationNameCRL: "{{ organizationNameShort }}" +organizationDomainName: keyfactor.demo +countryName: US +sharedVarsLocation: ~/ansible/ansibleCacheDir + +# If enabled configures Approval Profiles in EJBCA +use_approval_profiles: false + +# List of certification authorities that should be added using CLI +# caname: CA name +# certprofile: Certificate profile +# dn: CA distinguished name +# subjectaltname: CA subject alt name +# validity: Validity time or end date +# policy: "null" or policy oid +# keytype: RSA, DSA or ECDSA +# keyspec: Size of RSA keys, size of DSA keys or name of curve for ECDSA keys +# signalg: Signature algorithm +# tokentype: "soft" or "org.cesecore.keys.token.PKCS11CryptoToken" or "org.cesecore.keys.token.p11ng.cryptotoken.Pkcs11NgCryptoToken" +# tokenpass: Password for the CA token +# pkcs11_token: Dict of parameters needed for PKCS11 token +# slot_identifier_type: "SLOT_LABEL", "SLOT_INDEX" or "SLOT_NUMBER" +# slot_identifier_value: Slot identifier +# signkey_label: Signing key label +# defaultkey_label: Default (encryption) key label +# testkey_label: Test key label +# The order must be Management CA and then Root CA +management_add_certification_authorities: + - caname: "{{ organizationNameShort }}-Root-CA" + certprofile: "RootCA-{{ organizationNameShort }}-G1" + dn: "CN={{ organizationName }} Root CA G1,OU=Certification Authorities,O={{ organizationName }},C={{ countryName }}" + subjectaltname: "" + validity: "9125" + validity_yml: "25y" + policy: "null" + signalg: "SHA512WithRSA" + serial_number_octet_size: 20 + pre_produce_ocsp_responses: false + store_responses_on_demand: false + ocsp_gen_iss_rev: false + use_append_only_table: false + use_utf8_in_policy_notice_text: false + 
defaultCRLDP: "http://crl.{{ organizationDomainName }}/CRLs/{{ organizationNameShort | lower }}-rootca-g1.crl" + #defaultCRLDP: "http://crl.{{ organizationDomainName }}/ejbca/publicweb/crls + defaultOCSPServiceLocator: "http://ocsp.{{ organizationDomainName }}/ocsp" + authorityInformationAccess: "http://aia.{{ organizationDomainName }}/AIA/{{ organizationNameShort | lower }}-rootca-g1.crt" + certificateAiaDefaultCaIssuerUri: "http://aia.{{ organizationDomainName }}/{{ organizationNameShort | lower }}-rootca-g1.crt" + revocationchanging: false + crlPeriod: 15552000000 + crlPeriod_yml: 6mo + crlIssueInterval: 0 + crlIssueInterval_yml: 0m + crl_overlap_time: 600000 + crl_overlap_time_yml: 10m + delta_crl_period: 0m + useLdapDnOrder: false + enforce_unique_public_keys: true + enforce_key_renewal: false + enforce_unique_dn: true + user_storage: true + certificate_storage: true + accept_revocations_for_non_existing_entries: false + finish_user: true + ca_healthcheck_enabled: true + request_processor: null + cryptotoken_enable_auto_activate: true + #tokentype: "org.cesecore.keys.token.p11ng.cryptotoken.Pkcs11NgCryptoToken" + tokentype: "soft" + tokenpass: "{{ encrypted_rootca_token_pin | default('foo123') }}" + slot_identifier_type: "SLOT_LABEL" + slot_identifier_value: "Root_CA_SLOT" + force_used_slots: true + crypto_token: + - key_label: "signKey0001" + key_size: 4096 + key_type: "RSA" + type: sign + - key_label: "defaultKey0001" + key_size: 4096 + key_type: "RSA" + type: default + - key_label: "testKey" + key_size: 1024 + key_type: "RSA" + type: test + publishers: + - validationAuthorityPeerPub-OCSP-01 + +# List of certification authorities that should be added using CLI +# caname: CA name +# certprofile: Certificate profile +# dn: CA distinguished name +# subjectaltname: CA subject alt name +# validity: Validity time or end date +# policy: "null" or policy oid +# keytype: RSA, DSA or ECDSA +# keyspec: Size of RSA keys, size of DSA keys or name of curve for ECDSA keys 
+# signalg: Signature algorithm +# tokentype: "soft" or "org.cesecore.keys.token.PKCS11CryptoToken" or "org.cesecore.keys.token.p11ng.cryptotoken.Pkcs11NgCryptoToken" +# tokenpass: Password for the CA token +# pkcs11_token: Dict of parameters needed for PKCS11 token +# slot_identifier_type: "SLOT_LABEL", "SLOT_INDEX" or "SLOT_NUMBER" +# slot_identifier_value: Slot identifier +# signkey_label: Signing key label +# defaultkey_label: Default (encryption) key label +# testkey_label: Test key label +sub_add_certification_authorities: + - caname: "{{ organizationNameShort }}-Sub-CA" + certprofile: "SubCA-{{ organizationNameShort }}-G1" + dn: "CN={{ organizationName }} Issuing CA G1,OU=Certification Authorities,O={{ organizationName }},C={{ countryName }}" + rootDn: "CN={{ organizationName }} Root CA G1,OU=Certification Authorities,O={{ organizationName }},C={{ countryName }}" + root_ca_name: "{{ organizationNameShort }}-Root-CA" + subjectaltname: "" + validity: "3650" + validity_yml: "10y" + policy: "null" + signalg: "SHA384WithRSA" + serial_number_octet_size: 20 + pre_produce_ocsp_responses: false + store_responses_on_demand: false + ocsp_gen_iss_rev: false + use_append_only_table: false + use_utf8_in_policy_notice_text: false + defaultCRLDP: "http://crl.{{ organizationDomainName }}/CRLs/{{ organizationNameShort | lower }}-subca-g1.crl" + defaultOCSPServiceLocator: "http://ocsp.{{ organizationDomainName }}/ocsp" + authorityInformationAccess: "http://aia.{{ organizationDomainName }}/AIA/{{ organizationNameShort | lower }}-subca-g1.crt" + certificateAiaDefaultCaIssuerUri: "http://aia.{{ organizationDomainName }}/AIA/{{ organizationNameShort | lower }}-subca-g1.crt" + revocationchanging: false + crlPeriod: 259200000 + crlPeriod_yml: 3d + crlIssueInterval: 86400000 + crlIssueInterval_yml: 1d + crl_overlap_time: 600000 + crl_overlap_time_yml: 10m + delta_crl_period: 0m + useLdapDnOrder: false + enforce_unique_public_keys: true + enforce_key_renewal: false + 
enforce_unique_dn: false + user_storage: true + certificate_storage: true + accept_revocations_for_non_existing_entries: false + finish_user: true + ca_healthcheck_enabled: true + request_processor: null + cryptotoken_enable_auto_activate: true + #tokentype: "org.cesecore.keys.token.p11ng.cryptotoken.Pkcs11NgCryptoToken" + tokentype: "soft" + tokenpass: "{{ encrypted_subca_token_pin | default('foo123') }}" + slot_identifier_type: "SLOT_LABEL" + slot_identifier_value: "Sub_CA_SLOT" + force_used_slots: true + crypto_token: + - key_label: "signKey0001" + key_size: 3072 + key_type: "RSA" + type: sign + - key_label: "defaultKey0001" + key_size: 3072 + key_type: "RSA" + type: default + - key_label: "testKey" + key_size: 1024 + key_type: "RSA" + type: test + publishers: + - validationAuthorityPeerPub-OCSP-01 + +configdump_dir_structure: + - "{{ ejbca_home }}/dump/dump1/certificate-profiles" + - "{{ ejbca_home }}/dump/dump1/extended-key-usage" + - "{{ ejbca_home }}/dump/dump1/certification-authorities" + - "{{ ejbca_home }}/dump/dump2/certificate-profiles" + - "{{ ejbca_home }}/dump/dump2/certification-authorities" + - "{{ ejbca_home }}/dump/dump2/end-entity-profiles" + - "{{ ejbca_home }}/dump/dump2/services" + - "{{ ejbca_home }}/dump/dump2/custom-certificate-extensions" + - "{{ ejbca_home }}/dump/dump3/admin-roles" + - "{{ ejbca_home }}/dump/dump3/certificate-profiles" + - "{{ ejbca_home }}/dump/dump3/end-entity-profiles" + - "{{ ejbca_home }}/dump/dump3/services" + - "{{ ejbca_home }}/dump/dump3/publishers" + - "{{ ejbca_home }}/dump/dump3/acme-config" + - "{{ ejbca_home }}/dump/dump3/est-config" + - "{{ ejbca_home }}/dump/dump3/scep-config" + - "{{ ejbca_home }}/dump/va/services" + - "{{ ejbca_home }}/dump/va/publishers" + - "{{ ejbca_home }}/dump/ra/admin-roles" + +configdump_files: + - src: 'cp-RootCA-G1.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump1/certificate-profiles/RootCA-{{ organizationNameShort }}-G1.yaml' + - src: 'cp-managementCA.yaml.j2' + dest: '{{ 
ejbca_home }}/dump/dump1/certificate-profiles/ManagementCA.yaml' + - src: 'extended-key-usages.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump1/extended-key-usage/extended-key-usages.yaml' + - src: 'cp-EccRootCa-G1.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump1/certificate-profiles/EccRootCA-{{ organizationNameShort }}-G1.yaml' + # Files for the 2nd dump import + - src: 'cp-SubCA-G1.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump2/certificate-profiles/SubCA-{{ organizationNameShort }}-G1.yaml' + - src: 'cp-EccSubCa-G1.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump2/certificate-profiles/EccSubCA-{{ organizationNameShort }}-G1.yaml' + - src: 'cp-HashiCorp-SubCA-G1.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump2/certificate-profiles/HashiCorp-SubCA-G1.yaml' + - src: 'cp-tlsPeerConnector.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump2/certificate-profiles/tlsPeerConnector.yaml' + - src: 'ee-tlsPeerConnMgmt.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump2/end-entity-profiles/tlsPeerConnMgmt.yaml' + - src: 'service-DailyCRLUpdate.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump2/services/DailyCRLUpdate.yaml' + - src: 'service-HSM_Keepalive.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump2/services/HSM_Keepalive.yaml' + - src: 'ext-id-piv-NACI.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump2/custom-certificate-extensions/id-piv-NACI.yaml' + - src: 'ext-certTempInfo.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump2/custom-certificate-extensions/certTempInfo.yaml' + # Files for the 3rd dump import + - src: 'global-acme-configuration.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/acme-config/global-acme-configuration.yaml' + - src: 'acme-alias-1.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/acme-config/acme-alias-1.yaml' + - src: 'acme-alias-2.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/acme-config/acme-alias-2.yaml' + - src: 'ee-AdminInternal.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/end-entity-profiles/AdminInternal.yaml' + - src: 'ee-tlsServerAcme.yaml.j2' + dest: '{{ ejbca_home 
}}/dump/dump3/end-entity-profiles/tlsServerAcme.yaml' + - src: 'ee-tlsServerOrg.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/end-entity-profiles/tlsServer{{ organizationNameShort }}.yaml' + - src: 'ee-ocspSigner.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/end-entity-profiles/ocspSigner.yaml' + - src: 'ee-tlsServerMgmt.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/end-entity-profiles/tlsServerMgmt.yaml' + - src: 'ee-userAuthentication.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/end-entity-profiles/userAuthentication.yaml' + - src: 'ee-userDigitalSignature.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/end-entity-profiles/userDigitalSignature.yaml' + - src: 'ee-userEncryption.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/end-entity-profiles/userEncryption.yaml' + - src: 'ee-intuneDevice.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/end-entity-profiles/intuneDevice.yaml' + - src: 'ee-tlsServerApprovalOrg.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/end-entity-profiles/tlsServerApproval{{ organizationNameShort }}.yaml' + - src: 'ee-codeSigning.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/end-entity-profiles/codeSigning.yaml' + - src: 'ee-domainController.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/end-entity-profiles/domainController.yaml' + - src: 'ee-estDevice.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/end-entity-profiles/estDevice.yaml' + - src: 'ee-remoteDesktopAuth.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/end-entity-profiles/remoteDesktopAuth.yaml' + - src: 'ee-scepDevice.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/end-entity-profiles/scepDevice.yaml' + - src: 'ee-signersOrg.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/end-entity-profiles/signers{{ organizationNameShort }}.yaml' + - src: 'ee-timeStampingAuthority.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/end-entity-profiles/timeStampingAuthority.yaml' + - src: 'ee-vpnFirewall.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/end-entity-profiles/vpnFirewall.yaml' + - src: 
'ee-workstations.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/end-entity-profiles/workstations.yaml' + - src: 'cp-tlsServerMgmtCA.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/certificate-profiles/tlsServerMgmtCA.yaml' + - src: 'cp-AdminNoCDPMgmtCA.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/certificate-profiles/AdminNoCDPMgmtCA.yaml' + - src: 'cp-tlsClientAuth.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/certificate-profiles/tlsClientAuth.yaml' + - src: 'cp-tlsServerAuth.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/certificate-profiles/tlsServerAuth.yaml' + - src: 'cp-tlsServerClientAuth.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/certificate-profiles/tlsServerClientAuth.yaml' + - src: 'cp-adminMgmtCA.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/certificate-profiles/adminMgmtCA.yaml' + - src: 'cp-DigitalSignature-2048.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/certificate-profiles/DigitalSignature-2048.yaml' + - src: 'cp-Authentication-2048.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/certificate-profiles/Authentication-2048.yaml' + - src: 'cp-Encryption-2048.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/certificate-profiles/Encryption-2048.yaml' + - src: 'cp-tlsServerAuthAcme90d.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/certificate-profiles/tlsServerAuthAcme90d.yaml' + - src: 'cp-ocspSigner.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/certificate-profiles/ocspSigner.yaml' + - src: 'cp-ocspSignerEcc-15d.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/certificate-profiles/ocspSignerEcc-15d.yaml' + - src: 'cp-intuneClientAuth-1y.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/certificate-profiles/intuneClientAuth-1y.yaml' + - src: 'cp-tlsServerAuthApproval.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/certificate-profiles/tlsServerAuthApproval.yaml' + - src: 'cp-tlsClientAuthApproval.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/certificate-profiles/tlsClientAuthApproval.yaml' + - src: 'cp-tlsServerClientAuthApproval.yaml.j2' + dest: '{{ ejbca_home 
}}/dump/dump3/certificate-profiles/tlsServerClientAuthApproval.yaml' + - src: 'cp-signerCodeSigning.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/certificate-profiles/signerCodeSigning.yaml' + - src: 'cp-signerTimeStampAuthority.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/certificate-profiles/signerTimeStampAuthority.yaml' + - src: 'cp-signerPdf-3y.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/certificate-profiles/signerPdf-3y.yaml' + - src: 'cp-signer-3y.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/certificate-profiles/signer-3y.yaml' + - src: 'cp-domainController.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/certificate-profiles/domainController.yaml' + - src: 'cp-remoteDesktopAuth.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/certificate-profiles/remoteDesktopAuth.yaml' + - src: 'cp-vpnFirewall.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/certificate-profiles/vpnFirewall.yaml' + - src: 'cp-workstation.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/certificate-profiles/workstation.yaml' + - src: 'est-device.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/est-config/device.yam' + - src: 'est-firewall.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/est-config/firewall.yaml' + - src: 'scep-device.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/scep-config/device.yaml' + - src: 'scep-firewall.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/scep-config/firewall.yaml' + - src: 'role-userEnrollment.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/admin-roles/role-userEnrollment.yaml' + - src: 'role-ra-est.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/admin-roles/role-ra-est.yaml' + - src: 'role-ra-vault.yaml.j2' + dest: '{{ ejbca_home }}/dump/dump3/admin-roles/role-ra-vault.yaml' + # Files for External VA + - src: 'service-ocspService.yaml.j2' + dest: '{{ ejbca_home }}/dump/va/services/ocspService.yaml' + # Files for External RA + - src: 'role-ra-peer-connection.yaml.j2' + dest: '{{ ejbca_home }}/dump/ra/admin-roles/role-ra-peer-connection.yaml' + 
+configdump_approval_dir_structure: + - "{{ ejbca_home }}/dump/dumpApp/approval-profiles" + +configdump_approval_files: + - src: 'ap-tlsCertificateApproval.yaml.j2' + dest: '{{ ejbca_home }}/dump/dumpApp/approval-profiles/tlsCertificateApproval.yaml' \ No newline at end of file diff --git a/ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/README.md b/ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null +++ b/ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/README.md @@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). 
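Review bot: `ecloud_init_admin_passwd: foo123` and the `default('foo123')` fallbacks on both `tokenpass` lines commit weak, publicly known secrets for the SuperAdmin enrollment password and for the Root and Sub CA crypto-token PINs, and the fallbacks mean a missing vault variable silently yields a CA whose soft keystore is protected by `foo123` instead of aborting the play. Move these into an Ansible Vault file and drop the defaults so an undefined variable fails loudly: `ecloud_init_admin_passwd: "{{ vault_ecloud_init_admin_passwd }}"` and `tokenpass: "{{ encrypted_rootca_token_pin }}"` (same for the Sub CA). Separately, `dest: '{{ ejbca_home }}/dump/dump3/est-config/device.yam'` is missing the trailing `l`, so the EST device alias is presumably never imported by configdump; it should end in `.yaml` like every other entry in this list. The comments also contain typos worth fixing ("Organizationl", "Orgnaization").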
diff --git a/ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/defaults/main.yml b/ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/defaults/main.yml new file mode 100644 index 0000000..843254f --- /dev/null +++ b/ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/defaults/main.yml @@ -0,0 +1,2 @@ +--- +# defaults file for roles/ansible-ejbca-cloud-wizard-silence diff --git a/ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/handlers/main.yml b/ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/handlers/main.yml new file mode 100644 index 0000000..624b44e --- /dev/null +++ b/ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for roles/ansible-ejbca-cloud-wizard-silence diff --git a/ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/meta/main.yml b/ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/meta/main.yml new file mode 100644 index 0000000..c572acc --- /dev/null +++ b/ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/meta/main.yml 
@@ -0,0 +1,52 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/tasks/main.yml b/ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/tasks/main.yml new file mode 100644 index 0000000..6a1712b --- /dev/null +++ b/ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/tasks/main.yml 
@@ -0,0 +1,49 @@
+---
+# tasks file for roles/ansible-ejbca-cloud-wizard-silence
+
+- name: Check if the wizard install service is running
+ ansible.builtin.systemd:
+ name: "install.service"
+ register: wizard_svc_status
+
+#- debug:
+# var: wizard_svc_status
+
+- name: Block to do these tasks :-)
+ block:
+
+ - name: Check if external ManagementCA is used
+ ansible.builtin.stat:
+ path: "{{ ecloud_cacrt_file }}"
+ register: does_ca_file_exist
+ changed_when: false
+ when:
+ - ecloud_cacrt_file is not none | default('')
+
+ - name: Upload CA certificate file when using external ManagementCA
+ ansible.builtin.copy:
+ src: "{{ ecloud_cacrt_file }}"
+ dest: "/home/{{ cloud_ejbca_user }}/confwizard/managementca.ca-mgmt.pem"
+ owner: "{{ ecloud_ejbca_user }}"
+ group: "{{ ecloud_ejbca_group }}"
+ register: ca_crt_copy_up
+ when:
+ - does_ca_file_exist.stat.exists is defined
+ - not does_ca_file_exist.stat.exists
+
+ - name: Upload wizard answers file to the EJBCA instance
+ ansible.builtin.template:
+ src: params.json.j2
+ dest: "/home/{{ ecloud_ejbca_user }}/confwizard/params.json"
+ owner: "{{ ecloud_ejbca_user }}"
+ group: "{{ ecloud_ejbca_group }}"
+ mode: 0644
+
+ - name: Wait for EJBCA node to initialize
+ ansible.builtin.wait_for:
+ delay: 15
+ path: /var/log/install.log
+ search_regex: "^.*The system is now installed"
+
+ when:
+ - wizard_svc_status.status.ActiveState == "active"
\ No newline at end of file
diff --git a/ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/templates/params.json.j2 b/ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/templates/params.json.j2
new file mode 100644
index 0000000..dd229cc
--- /dev/null
+++ b/ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/templates/params.json.j2
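Review bot: The rendered `params.json` contains the SuperAdmin password in clear text yet is written with `mode: 0644`, so any local account on the instance can read the CA's initial admin credential for as long as the file exists; use `mode: '0600'` and add an `ansible.builtin.file: state: absent` task for it after the `wait_for` sees "The system is now installed". The CA-certificate branch also cannot work as written: `dest: "/home/{{ cloud_ejbca_user }}/..."` references `cloud_ejbca_user`, which nothing in this change defines (the neighbouring tasks use `ecloud_ejbca_user`), and `ansible.builtin.stat` checks the path on the managed node while `copy` reads `src` from the controller, so the stat task needs `delegate_to: localhost` and the guard should be `does_ca_file_exist.stat.exists` rather than its negation. The condition `ecloud_cacrt_file is not none | default('')` leaves it unclear whether the filter applies to `none` or to the whole test; `ecloud_cacrt_file is defined and ecloud_cacrt_file` states the intent plainly. Finally, if `install.service` is absent the registered result may have no `status.ActiveState`, so the outer `when` should probably be guarded with `is defined`.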
@@ -0,0 +1,14 @@
+{
+ "Host_Name":"{{ ecloud_hostname | default('cloud-ejbca.cloud') }}",
+ "sanCheckbox":"{{ ecloud_sanCheckbox }}",
+ "SAN_Name":"{{ ecloud_hostname }}",
+ "managementcaradio":"{{ ecloud_create_ca_radio }}",
+ "Common_Name":"{{ ecloud_CA_CN }}",
+ "ManagementCA_OU":"{{ ecloud_CA_OU }}",
+ "ManagementCA_O":"{{ ecloud_CA_O }}",
+ "mcakeyspec-input":"{{ ecloud_CA_key_size }}",
+ "SuperAdmin_Common_Name":"{{ ecloud_init_admin_name }}",
+ "SuperAdmin_Password":"{{ ecloud_init_admin_passwd }}",
+ "Confirm_SuperAdmin_Password":"{{ ecloud_init_admin_passwd }}",
+ "Cert_Common_Name":""
+}
diff --git a/ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/tests/inventory b/ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/tests/inventory
new file mode 100644
index 0000000..878877b
--- /dev/null
+++ b/ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/tests/inventory
@@ -0,0 +1,2 @@
+localhost
+
diff --git a/ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/tests/test.yml b/ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/tests/test.yml
new file mode 100644
index 0000000..1bcc6e7
--- /dev/null
+++ b/ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+ remote_user: root
+ roles:
+ - roles/ansible-ejbca-cloud-wizard-silence
diff --git a/ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/vars/main.yml b/ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/vars/main.yml
new file mode 100644
index 0000000..3ab500a
--- /dev/null
+++ b/ansible_ejbca_signsrv/roles/ansible-ejbca-cloud-wizard-silence/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for roles/ansible-ejbca-cloud-wizard-silence
diff --git a/ansible_ejbca_signsrv/roles/ansible-ejbca-deploy-cloud-ca-sample/README.md b/ansible_ejbca_signsrv/roles/ansible-ejbca-deploy-cloud-ca-sample/README.md
new file mode 100644
index 0000000..225dd44
--- /dev/null
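Review bot: The variable values are interpolated straight into JSON string literals with no escaping, so a `{{ ecloud_init_admin_passwd }}` (or any other value) containing a double quote or backslash produces a `params.json` the wizard cannot parse, and a quote in the hostname or CN silently changes the document's structure; rendering each value with `| to_json`, e.g. `"SuperAdmin_Password":{{ ecloud_init_admin_passwd | to_json }}`, yields a correctly quoted and escaped literal. `Host_Name` falls back to `default('cloud-ejbca.cloud')` but `SAN_Name` uses a bare `{{ ecloud_hostname }}`, so an undefined hostname fails the template instead of using the fallback and the two fields can disagree when the default applies; give both the same expression. A short Jinja comment at the top of the template naming the wizard form this answers file feeds, and noting that the file holds the super-admin password in clear text, would help the next maintainer understand why the tasks file needs to restrict its permissions.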
+++ b/ansible_ejbca_signsrv/roles/ansible-ejbca-deploy-cloud-ca-sample/README.md @@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/ansible_ejbca_signsrv/roles/ansible-ejbca-deploy-cloud-ca-sample/defaults/main.yml b/ansible_ejbca_signsrv/roles/ansible-ejbca-deploy-cloud-ca-sample/defaults/main.yml new file mode 100644 index 0000000..dc48b12 --- /dev/null +++ b/ansible_ejbca_signsrv/roles/ansible-ejbca-deploy-cloud-ca-sample/defaults/main.yml @@ -0,0 +1,2 @@ +--- +# defaults file for roles/ansible-ejbca-deploy-cloud-ca-sample 
diff --git a/ansible_ejbca_signsrv/roles/ansible-ejbca-deploy-cloud-ca-sample/handlers/main.yml b/ansible_ejbca_signsrv/roles/ansible-ejbca-deploy-cloud-ca-sample/handlers/main.yml
new file mode 100644
index 0000000..0b63e55
--- /dev/null
+++ b/ansible_ejbca_signsrv/roles/ansible-ejbca-deploy-cloud-ca-sample/handlers/main.yml
@@ -0,0 +1,2 @@
+---
+# handlers file for roles/ansible-ejbca-deploy-cloud-ca-sample
diff --git a/ansible_ejbca_signsrv/roles/ansible-ejbca-deploy-cloud-ca-sample/meta/main.yml b/ansible_ejbca_signsrv/roles/ansible-ejbca-deploy-cloud-ca-sample/meta/main.yml
new file mode 100644
index 0000000..c572acc
--- /dev/null
+++ b/ansible_ejbca_signsrv/roles/ansible-ejbca-deploy-cloud-ca-sample/meta/main.yml
@@ -0,0 +1,52 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/ansible_ejbca_signsrv/roles/ansible-ejbca-deploy-cloud-ca-sample/tasks/main.yml b/ansible_ejbca_signsrv/roles/ansible-ejbca-deploy-cloud-ca-sample/tasks/main.yml new file mode 100644 index 0000000..e815eb8 --- /dev/null +++ b/ansible_ejbca_signsrv/roles/ansible-ejbca-deploy-cloud-ca-sample/tasks/main.yml 
@@ -0,0 +1,258 @@ +--- + +# tasks file for roles/ansible-ejbca-deploy-cloud-ca-sample + +- name: Install acl package + package: + name: acl + state: present + +- name: Prepare configdump template files + include_role: + name: ansible-ejbca-cnfdump-stage + tasks_from: config_configdump + +- name: Use Configdump to create the Management & Root CA's + block: + + - name: Create crypto token for the Root CA's + include_role: + name: ansible-ejbca-crypto-token + tasks_from: add_crypto_token + loop: "{{ management_add_certification_authorities }}" + no_log: true + + - name: Generate keys for Root CA's on crypto token + include_role: + name: ansible-ejbca-crypto-token + tasks_from: generate_keys + loop: "{{ management_add_certification_authorities |subelements('crypto_token') }}" + loop_control: + label: "{{ key_item.0.caname }}" + loop_var: key_item + no_log: true + tags: key_generation + + - name: Stage Management & Root CA to create with configdump + include_role: + name: ansible-ejbca-cnfdump-stage + tasks_from: stage_ca + vars: + dump_dest: "{{ ejbca_home }}/dump/dump1/certification-authorities/{{ item.caname }}.yaml" + loop: "{{ management_add_certification_authorities }}" + loop_control: + label: "{{ item.caname }}" + no_log: true + + - name: Intialize Root CA's with configdump + command: > + ./configdump.sh import + --ignore-errors + --overwrite update + --non-interactive continue + -l {{ ejbca_home }}/dump/dump1 + --initialize + args: + chdir: "{{ ejbca_home }}/dist/configdump" + become: yes + become_user: "{{ ejbca_user }}" + + when: + - deploy_with_configdump|bool and management_add_certification_authorities[0] is defined + +- name: Use Configdump to create the Sub CA's + block: + + - name: Create crypto tokens for Sub CA's + include_role: + name: ansible-ejbca-crypto-token + tasks_from: add_crypto_token + loop: "{{ sub_add_certification_authorities }}" + no_log: true + + - name: Generate keys for Suborindated CA's on crypto token + include_role: + name: 
ansible-ejbca-crypto-token + tasks_from: generate_keys + loop: "{{ sub_add_certification_authorities |subelements('crypto_token') }}" + loop_control: + label: "{{ key_item.0.caname }}" + loop_var: key_item + no_log: true + tags: key_generation + #when: + # - ("soft" in key_item.0.tokentype) + + - name: Stage Sub CA's to create with configdump + include_role: + name: ansible-ejbca-cnfdump-stage + tasks_from: stage_ca + vars: + dump_dest: "{{ ejbca_home }}/dump/dump2/certification-authorities/{{ item.caname }}.yaml" + loop: "{{ sub_add_certification_authorities }}" + no_log: true + + - name: Intialize Sub CA's with configdump + command: > + ./configdump.sh import + --ignore-errors + --overwrite update + --non-interactive continue + -l {{ ejbca_home }}/dump/dump2 + --initialize + args: + chdir: "{{ ejbca_home }}/dist/configdump" + become: yes + become_user: "{{ ejbca_user }}" + + when: + - deploy_with_configdump|bool + - sub_add_certification_authorities[0] is defined + +- name: Create Key Binding for Peering + include_role: + name: ansible-ejbca-key-binding + vars: + key_bindings: "{{ ejbca_keybinding }}" + auth_key_bind: true + when: + - use_external_va|bool or use_external_ra|bool or use_external_ss|bool + +- name: Create Peer Connector + include_role: + name: ansible-ejbca-peer-connector + when: + - use_external_va|bool or use_external_ra|bool or use_external_ss|bool + +- name: Add External VA setup to EJBCA + block: + + - name: Create External VA Publisher template files to import with configdump + include_role: + name: ansible-ejbca-cnfdump-stage + tasks_from: stage_external_va_publisher + loop: "{{ ejbca_peerConnector }}" + loop_control: + label: "{{ item.name }}" + when: + - ("ocsp" in item.type) + + - name: Create External VA OCSP key update service template files to import with configdump + include_role: + name: ansible-ejbca-cnfdump-stage + tasks_from: stage_external_va_key_update + loop: "{{ ejbca_peerConnector }}" + loop_control: + label: "{{ item.name 
}}" + when: + - ("ocsp" in item.type) + - item.remote_key_update|bool + + - name: Create external VA services and publisher with configdump + command: > + ./configdump.sh import + --ignore-errors + --overwrite update + --non-interactive continue + -l {{ ejbca_home }}/dump/va + args: + chdir: "{{ ejbca_home }}/dist/configdump" + become: yes + become_user: "{{ ejbca_user }}" + + when: + - use_external_va is defined + - use_external_va|bool + +- name: Configure SCP Publisher + include_role: + name: ansible-ejbca-scp-publisher + when: + - management_known_hosts[0] is defined or management_scp_localhost_receiving_users[0] is defined or management_scp_localhost_archive_dirs[0] is defined + +- name: Approval Profiles + block: + + - name: Import Approval Profiles for EJBCA <= 7.8.0 + include_role: + name: ansible-ejbca-legacy-app-profs + when: + - ( ejbca_version is version('7.8.0', '<=')) + + - name: Import Approval Profiles for EJBCA >= 7.7.0 + include_role: + name: ansible-ejbca-cnfdump-stage + tasks_from: stage_app_profile + when: + - ( ejbca_version is version('7.7.0', '>=')) + + when: + - use_approval_profiles is defined + - use_approval_profiles|bool + +- name: Add AWS S3 Publishers + block: + + - name: Create AWS S3 Publisher template files to import with configdump + include_role: + name: ansible-ejbca-cnfdump-stage + tasks_from: stage_aws_s3_publisher + loop: "{{ aws_s3_publishers }}" + loop_control: + label: "{{ item.s3_publisher_name }}" + + - name: Create AWS S3 publishers with configdump + command: > + ./configdump.sh import + --ignore-errors + --overwrite update + --non-interactive continue + -l {{ ejbca_home }}/dump/awsS3 + args: + chdir: "{{ ejbca_home }}/dist/configdump" + become: yes + become_user: "{{ ejbca_user }}" + + when: + - use_aws_s3_publisher is defined + - use_aws_s3_publisher|bool + +- name: Import configdump of profiles, services, & publishers + command: > + ./configdump.sh import + --ignore-errors + --overwrite update + --non-interactive 
continue + -l {{ ejbca_home }}/dump/dump3 + args: + chdir: "{{ ejbca_home }}/dist/configdump" + become: yes + become_user: "{{ ejbca_user }}" + +- name: Update CA's to use Publishers using configdump + include_role: + name: ansible-ejbca-cnfdump-stage + tasks_from: add_publishers_to_ca + when: + - add_publshers_to_cas is defined + - add_publshers_to_cas|bool + +- name: Create external RA role with configdump + command: > + ./configdump.sh import + --ignore-errors + --overwrite update + --non-interactive continue + -l {{ ejbca_home }}/dump/ra + args: + chdir: "{{ ejbca_home }}/dist/configdump" + become: yes + become_user: "{{ ejbca_user }}" + when: + - use_external_ra|bool + +- name: Configure EJBCA Enrollment protocols + include_role: + name: ansible-ejbca-enroll-protocols + when: + - disable_ejbca_protocols[0] is defined or enable_ejbca_protocols[0] is defined diff --git a/ansible_ejbca_signsrv/roles/ansible-ejbca-deploy-cloud-ca-sample/tests/inventory b/ansible_ejbca_signsrv/roles/ansible-ejbca-deploy-cloud-ca-sample/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null +++ b/ansible_ejbca_signsrv/roles/ansible-ejbca-deploy-cloud-ca-sample/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/ansible_ejbca_signsrv/roles/ansible-ejbca-deploy-cloud-ca-sample/tests/test.yml b/ansible_ejbca_signsrv/roles/ansible-ejbca-deploy-cloud-ca-sample/tests/test.yml new file mode 100644 index 0000000..bbec991 --- /dev/null +++ b/ansible_ejbca_signsrv/roles/ansible-ejbca-deploy-cloud-ca-sample/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - roles/ansible-ejbca-deploy-cloud-ca-sample diff --git a/ansible_ejbca_signsrv/roles/ansible-ejbca-deploy-cloud-ca-sample/vars/main.yml b/ansible_ejbca_signsrv/roles/ansible-ejbca-deploy-cloud-ca-sample/vars/main.yml new file mode 100644 index 0000000..36ab688 --- /dev/null +++ b/ansible_ejbca_signsrv/roles/ansible-ejbca-deploy-cloud-ca-sample/vars/main.yml 
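Review bot: The two approval-profile tasks use overlapping guards — `ejbca_version is version('7.8.0', '<=')` for the legacy import and `ejbca_version is version('7.7.0', '>=')` for the configdump staging — so on EJBCA 7.7.0 through 7.8.0 both run, which is presumably not intended; the boundaries should meet, e.g. `( ejbca_version is version('7.8.0', '<'))` on the legacy task and `'>='` of the same version on the other. Every `configdump.sh import` in this hunk passes `--ignore-errors`, and the crypto-token, key-generation and CA staging loops are wrapped in `no_log: true`, so a failed Root or Sub CA creation neither fails the play nor leaves anything in the output — dropping `--ignore-errors` (or registering each result and failing on its stdout) would let those failures surface before dependent steps such as key bindings and peer connectors run against CAs that do not exist. The variable `add_publshers_to_cas` is misspelled relative to the task name ("Publishers"); it cannot be corrected here without checking the consuming role and the host_vars, but it deserves a comment or a README entry so nobody sets `add_publishers_to_cas` and wonders why the step is skipped. Task names `Intialize Root CA's`, `Intialize Sub CA's` and `Suborindated CA's` have typos that show up in every play log.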
@@ -0,0 +1,2 @@
+---
+# vars file for roles/ansible-ejbca-deploy-cloud-ca-sample