From b39d08608f6bd648912f811ffab379e01660c9ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Douglas=20Mendiz=C3=A1bal?= Date: Thu, 21 Sep 2023 14:15:10 -0400 Subject: [PATCH] Add support for Security World client v13.4.4 This patch adds support for installing the latest Security World client software. The installation media format for that version is a zipped file containing an ISO. The mechanism for installing the source media was changed to expect this new format. The file is still downloaded to the target host and now unzip is used instead of tar to unarchive the ISO. The client software is now installed on the target host using the RPM files found in the ISO image. Change-Id: If00a8612cd50f492da833033a2ed3256585617bd
---
 README.rst | 26 +++--- defaults/main.yaml | 3 +- handlers/main.yaml | 3 +- ...security-world-v13.4-2cb8688bcc072db1.yaml | 9 +++ setup.cfg | 6 +- tasks/client.yaml | 80 ++++++++----- tasks/main.yaml | 6 ++ vars.yaml.sample | 16 ++-- 8 files changed, 69 insertions(+), 80 deletions(-) create mode 100644 releasenotes/notes/add-support-for-security-world-v13.4-2cb8688bcc072db1.yaml
diff --git a/README.rst b/README.rst
index ba1089f..b1e828e 100644
--- a/README.rst
+++ b/README.rst
@@ -32,32 +32,23 @@ Role Variables
 - false
 - Whether the role should execute the RFS configuration tasks.
 * - thales_client_working_dir
- - /tmp/thales_client_install
+ - /tmp/security_world_install
 - Working directory in the target host.
 * - thales_client_gid
 - 42481
- - Group ID for the thales group.
+ - Group ID for the nfast group.
 * - thales_client_uid
 - 42481
- - User ID for the thales user.
- * - thales_client_tarball_name
+ - User ID for the nfast user.
+ * - security_world_iso_zip_url
 - None
- - Filename for the Thales client software tarball.
+ - URL location of the Security World ISO ZIP file.
 * - thales_client_tarball_location
 - None
- - Full URL where a copy of the client software tarball can be downloaded.
- * - thales_client_path
- - linux/libc6_11/amd64/nfast
- - Path to the client software directory inside the tarball
- * - thales_km_data_tarball_name
- - None
- - Filename for the KM Data tarball
- * - thales_km_data_location
- - None
- - Full URL where a copy of the KM Data tarball can be downloaded.
+ - DEPRECATED: Use security_world_iso_zip_url instead.
 * - thales_rfs_ip_address
 - None
- - IPv4 address for the Thales RFS host.
+ - IPv4 address for the RFS host.
 * - thales_client_ips
 - None
 - Whitespace separated list of IP addresses to be added to RFS config.
@@ -74,3 +65,6 @@ Requirements
 ------------
 - ansible >= 2.4
+ - Security World Software v13.4.4 ISO ZIP file - The ISO file in ZIP format as
+ provided by Entrust. This should be hosted in an HTTPS server that can be
+ accessed from the target host.
diff --git a/defaults/main.yaml b/defaults/main.yaml
index 4ee3cbd..75696f7 100644
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -1,7 +1,6 @@
 ---
 thales_install_client: false
 thales_configure_rfs: false
-thales_client_working_dir: /tmp/thales_client_install
+thales_client_working_dir: /tmp/security_world_install
 thales_client_gid: 42481
 thales_client_uid: 42481
-thales_client_path: linux/libc6_11/amd64/nfast
diff --git a/handlers/main.yaml b/handlers/main.yaml
index beda678..1dd787b 100644
--- a/handlers/main.yaml
+++ b/handlers/main.yaml
@@ -2,4 +2,5 @@
 - name: Legacy vars warning
 ansible.builtin.debug:
 msg: "WARNING: Using legacy thales_hsm_ip_address and
- thales_hsm_config_location variables. Please udpate your vars file."
+ thales_client_tarball_location variables. Please udpate your
+ vars file."
diff --git a/releasenotes/notes/add-support-for-security-world-v13.4-2cb8688bcc072db1.yaml b/releasenotes/notes/add-support-for-security-world-v13.4-2cb8688bcc072db1.yaml
new file mode 100644
index 0000000..c866871
--- /dev/null
+++ b/releasenotes/notes/add-support-for-security-world-v13.4-2cb8688bcc072db1.yaml
@@ -0,0 +1,9 @@
+---
+features:
+ - |
+ This version adds support for the latest Security World client software
+ (v13.4.4). Older security world versions are not supported.
+deprecations:
+ - |
+ The variable `thales_client_tarball_location` has been deprecated. Use
+ `security_world_iso_zip_url` instead.
diff --git a/setup.cfg b/setup.cfg
index addba3c..a585d07 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -1,14 +1,14 @@
 [metadata]
 name = ansible-role-thales-hsm
-summary = ansible-role-thales-hsm - Ansible role to configure Thales HSM clients.
+summary = ansible-role-thales-hsm - Ansible role to configure nShileld Connect HSM clients.
 description-file = README.rst
 author = TripleO Team
 author-email = alee@redhat.com
-home-page = https://github.com/dmend/ansible-role-thales-hsm
+home-page = https://opendev.org/openstack/ansible-role-thales-hsm
 classifier =
 License :: OSI Approved :: Apache Software License
- Development Status :: 4 - Beta
+ Development Status :: 5 - Production/Stable
 Intended Audience :: Developers
 Intended Audience :: System Administrators
 Intended Audience :: Information Technology
diff --git a/tasks/client.yaml b/tasks/client.yaml
index 38b8b23..d6f26b5 100644
--- a/tasks/client.yaml
+++ b/tasks/client.yaml
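Review bot: The rewritten warning message still carries the typo `udpate` from the old line; since the line is being touched anyway, the new text should read `thales_client_tarball_location variables. Please update your`. Note also that this one handler is now notified from two independent legacy paths (the `thales_hsm_ip_address` task already in tasks/main.yaml and the new tarball-URL fallback), so the message asserts both legacy variables are in use even when only one is set; either split it into one handler per variable or word the message as "one or more of".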
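Review bot: The new summary line misspells the product name as `nShileld`; it should read `summary = ansible-role-thales-hsm - Ansible role to configure nShield Connect HSM clients.`. The same hunk promotes the package to `Development Status :: 5 - Production/Stable` in a change whose release note says older Security World media are no longer supported, so it is worth confirming that a compatibility-breaking release is the intended point at which to declare the role stable.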
@@ -5,12 +5,12 @@
 state: directory
 mode: '755'
-- name: Create thales group
+- name: Create nfast group
 ansible.builtin.group:
 name: nfast
 gid: "{{ thales_client_gid }}"
-- name: Create thales user
+- name: Create nfast user
 ansible.builtin.user:
 name: nfast
 uid: "{{ thales_client_uid }}"
@@ -25,61 +25,47 @@
 persistent: true
 when: ansible_os_family | lower == 'redhat'
-- name: Download Thales client tarball
- ansible.builtin.get_url:
- url: "{{ thales_client_tarball_location }}"
- dest: "{{ thales_client_working_dir }}/{{ thales_client_tarball_name }}"
- mode: '644'
- force: false
+- name: Ensure unzip is avaliable to unzip ISO file
+ ansible.builtin.yum:
+ name: unzip
+ state: present
-- name: Unpack tarball to working directory
+- name: Download and unzip Security World ISO file from given url
 ansible.builtin.unarchive:
- src: "{{ thales_client_working_dir }}/{{ thales_client_tarball_name }}"
+ src: "{{ security_world_iso_zip_url }}"
 dest: "{{ thales_client_working_dir }}"
- creates: "{{ thales_client_working_dir }}/{{ thales_client_path }}"
 remote_src: true
-- name: Unpack tarball to /opt/nfast
- ansible.builtin.shell: |
- for i in `find "{{ thales_client_working_dir }}/{{ thales_client_path }}" -name *.tar` ; do
- tar -C / -xvf $i ;
- done
- args:
- creates: /opt/nfast/sbin/install
+- name: Set Security World ISO file path
+ ansible.builtin.set_fact:
+ security_world_iso: "{{ thales_client_working_dir }}/{{ security_world_iso_zip_url | basename | splitext | first }}"
-- name: Check for libnsl dependency
- ansible.builtin.stat:
- path: /lib64/libnsl.so.1
- register: st
+- name: Extract RPMs and key from Security World ISO
+ community.general.iso_extract:
+ image: "{{ security_world_iso }}"
+ dest: "{{ thales_client_working_dir }}"
+ files:
+ - linux-rpms/amd64/nShield-hwsp.rpm
+ - linux-rpms/amd64/nShield-ctls.rpm
+ - linux-rpms/amd64/nShield-ncsnmp.rpm
+ - linux-rpms/amd64/pubkey.asc
-- name: Ensure libnsl dependency is installed
- ansible.builtin.package:
- name: libnsl
+- name: Import Security World RPM key
+ ansible.builtin.rpm_key:
 state: present
- when: not st.stat.exists
+ key: "{{ thales_client_working_dir }}/pubkey.asc"
+
+- name: Install Security World RPMs
+ ansible.builtin.yum:
+ name: "{{ packages }}"
+ vars:
+ packages:
+ - "{{ 
thales_client_working_dir }}/nShield-hwsp.rpm"
+ - "{{ thales_client_working_dir }}/nShield-ctls.rpm"
+ - "{{ thales_client_working_dir }}/nShield-ncsnmp.rpm"
 - name: Run installer
 ansible.builtin.shell: set -o pipefail && echo "1" | /opt/nfast/sbin/install
- args:
- creates: /opt/nfast/kmdata
- - name: Get the security world data
- ansible.builtin.get_url:
- url: "{{ thales_km_data_location }}"
- dest: "/root/{{ thales_km_data_tarball_name }}"
- mode: '644'
- force: false
- - name: Remove the old km_data
- ansible.builtin.file:
- path: /opt/nfast/kmdata
- state: absent
- - name: Replace kmdata
- ansible.builtin.unarchive:
- src: "/root/{{ thales_km_data_tarball_name }}"
- dest: /opt/nfast
- remote_src: true
 - name: Create cknfastrc
 ansible.builtin.template:
@@ -114,7 +100,7 @@
 var: enquiry
 - name: Set up rfs_sync
- ansible.builtin.command: /opt/nfast/bin/rfs-sync --setup --no-authenticate {{ thales_rfs_server_ip_address }}
+ ansible.builtin.command: set -o pipefail && echo "yes" | /opt/nfast/bin/rfs-sync --setup {{ thales_rfs_server_ip_address }}
 - name: Get keys from rfs server
 ansible.builtin.command: /opt/nfast/bin/rfs-sync --update
diff --git a/tasks/main.yaml b/tasks/main.yaml
index e0ea755..5205370 100644
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
@@ -7,6 +7,12 @@
 when: nshield_hsms is not defined and thales_hsm_ip_address is defined
 notify: Legacy vars warning
+- name: Allow deprecated tarball URL variable
+ ansible.builtin.set_fact:
+ security_world_iso_zip_url: "{{ thales_client_tarball_location }}"
+ when: security_world_iso_zip_url is not defined and thales_client_tarball_location is defined
+ notify: legacy vars warning
+
 - name: Include RFS tasks
 ansible.builtin.include_tasks: rfs.yaml
 when: thales_configure_rfs
diff --git a/vars.yaml.sample b/vars.yaml.sample
index 28d7b41..a8f11c6 100644
--- a/vars.yaml.sample
+++ b/vars.yaml.sample
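Review bot: The new `Download and unzip Security World ISO file` task pulls the media with `unarchive` straight from `security_world_iso_zip_url`, and `unarchive` has no `checksum:` option (the `get_url` task it replaces did), so nothing ties the software being installed to a known-good digest. Because `pubkey.asc` is extracted from that same unverified ISO, the `rpm_key` import only shows the archive is self-consistent, not that it came from Entrust — and in stock yum/dnf configuration local `.rpm` files are not GPG-checked at all (`localpkg_gpgcheck` is off by default), so a tampered download installs cleanly. I would fetch the ZIP with `get_url` against a new `security_world_iso_zip_checksum` variable, pin the expected key with `rpm_key`'s `fingerprint:` option, and run `rpm --checksig` on the three RPMs before the `yum` task, as sketched below. The extracted media and key also land in the default working directory under `/tmp` and are never removed; a root-only location plus a cleanup task would shrink the window in which a local user can swap those files before they are consumed. Separately, dropping `args: creates: /opt/nfast/kmdata` from `Run installer` makes that task re-run the interactive installer on every play; if that is intended, add `changed_when: false` or a new `creates:` guard.
```yaml
- name: Download Security World ISO ZIP file
  ansible.builtin.get_url:
    url: "{{ security_world_iso_zip_url }}"
    dest: "{{ thales_client_working_dir }}/{{ security_world_iso_zip_url | basename }}"
    # new role variable, e.g. "sha256:<digest published with the release>";
    # the play fails here if the download does not match it
    checksum: "{{ security_world_iso_zip_checksum }}"
    mode: '0644'

- name: Unzip Security World ISO file
  ansible.builtin.unarchive:
    src: "{{ thales_client_working_dir }}/{{ security_world_iso_zip_url | basename }}"
    dest: "{{ thales_client_working_dir }}"
    remote_src: true

# … unchanged: Set Security World ISO file path, Extract RPMs and key from Security World ISO …

- name: Import Security World RPM key
  ansible.builtin.rpm_key:
    state: present
    key: "{{ thales_client_working_dir }}/pubkey.asc"
    # new role variable: expected key fingerprint, obtained out of band
    fingerprint: "{{ security_world_rpm_key_fingerprint }}"

- name: Verify Security World RPM signatures
  # fails the play when a package is unsigned or signed with an unknown key
  ansible.builtin.command: rpm --checksig "{{ thales_client_working_dir }}/{{ item }}"
  loop:
    - nShield-hwsp.rpm
    - nShield-ctls.rpm
    - nShield-ncsnmp.rpm
  changed_when: false

# … unchanged: Install Security World RPMs …
```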
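Review bot: `ansible.builtin.command` does not run through a shell, so the new `set -o pipefail && echo "yes" | /opt/nfast/bin/rfs-sync --setup …` line will try to execute a program named `set` instead of piping into rfs-sync; the sibling `Run installer` task already uses `ansible.builtin.shell:` for this construct, and this task needs it too: `ansible.builtin.shell: set -o pipefail && echo "yes" | /opt/nfast/bin/rfs-sync --setup {{ thales_rfs_server_ip_address }}`. Dropping `--no-authenticate` is the right direction, but feeding an unconditional `yes` to the setup prompt presumably accepts whatever identity the RFS presents on first contact, i.e. trust-on-first-use over the network; if `rfs-sync --setup` can be given the expected RFS key hash, passing it from a role variable would turn this into a real check — confirm against the Security World documentation. The enclosing task list continues outside the hunk.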
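Review bot: The new `notify: legacy vars warning` does not match the handler, which handlers/main.yaml names `Legacy vars warning`; Ansible matches handler names as exact strings, so this notify will either fail to resolve or never fire — use `notify: Legacy vars warning`, as the task just above does. Even with the name fixed, `set_fact` reports `changed: false`, so a handler hung on it is not expected to run; if the deprecation warning matters, an `ansible.builtin.debug` task under the same `when:` is the reliable way to emit it. Note also that a `thales_client_tarball_location` still pointing at the old 12.x tarball will now be unzipped and handed to `iso_extract`, which cannot work given the release note that older media are unsupported; failing early with `ansible.builtin.fail` when only the legacy variable is set would be clearer than the downstream error.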
@@ -1,17 +1,11 @@
 ---
-thales_client_working_dir: /tmp/thales_client_install
-thales_client_tarball_location: http://myserver.example.com/CipherTools-linux64-dev-12.40.2.tgz
-thales_client_tarball_name: CipherTools-linux64-dev-12.40.2.tgz
-thales_client_path: linux/libc6_11/amd64/nfast
-thales_client_uid: 42481
-thales_client_gid: 42481
-thales_km_data_location: http://myserver.example.com/kmdata.tar.gz
-thales_km_data_tarball_name: kmdata.tar.gz
-thales_rfs_server_ip_address: 192.168.5.20
+thales_install_client: true
+security_world_iso_zip_url: https://myhost.example.com/SecWorld_Lin64-13.4.4.iso.zip
 nshield_hsms:
 - name: "My HSM 1"
 ip: 192.168.1.1
 - name: "My HSM 2"
 ip: 192.168.1.1
-thales_rfs_user: admin
-thales_rfs_key: RSA Private key in PEM format used to log into RFS server.
+thales_rfs_server_ip_address: 192.168.1.10
+thales_bootstrap_client: 192.168.100.1
+thales_client_ips: 192.168.100.1 192.168.100.2 192.168.100.3