

fix renewal logic
Signed-off-by: Andrew Nguyen <[email protected]>
adn1107 committed Oct 15, 2024
1 parent 7f96569 commit ed0e303
Showing 3 changed files with 42 additions and 18 deletions.
31 changes: 18 additions & 13 deletions ibm_concert/cert_renewal/renew_cert.yml
Expand Up @@ -15,7 +15,7 @@
sn_username: ""
sn_pwd: ""
sn_incident_number: ""
sn_short_desc: ""
sn_short_desc: "INC0013870@@@[From: IBM Concert] [Environment: prod] Certificate @@@SITE@@@TIV4 - Cert @@@ has expired"

# IBM Concert info
concert_hostname: ""
Expand All @@ -29,8 +29,8 @@
cert_type: 'USER' # defautl to USER
cert_label: ''
sign_with: 'CERTAUTH' # blank or CERTAUTH
sign_label: 'IBM CA'
keyring_name: 'Keyring.ZOSCONN'
# sign_label: 'IBM CA'
keyring_name: ''
expiry_date: '2025-12-31'
cert_detail: {}
cert_args: {}
Expand Down Expand Up @@ -161,6 +161,9 @@
- RACDCERT SITE LIST(LABEL('{{cert_args.cert_label}}'))
when: cert_type is defined and cert_type == 'SITE'

- debug:
var: cert_args

- ansible.builtin.include_role:
name: issue_tso_cmd
vars:
Expand Down Expand Up @@ -213,20 +216,20 @@
vars:
task_description: 'Install and connect local cert for {{cert_type}}'
command:
- RACDCERT {{cert_type}} GENCERT('{{ ansible_user }}.CSR.{{cert_type}}.{{today}}') SIGNWITH({{sign_with}} LABEL('{{sign_label}}')) NOTAFTER(DATE({{expiry_date}}))
- RACDCERT {{cert_type}} GENCERT('{{ ansible_user }}.CSR.{{cert_type}}.{{today}}') SIGNWITH({{sign_with}} LABEL('{{cert_args.cert_signer}}')) NOTAFTER(DATE({{expiry_date}}))
- RACDCERT {{cert_type}} ALTER(LABEL('{{ cert_label}} NEW')) NEWLABEL('{{ cert_label}}')
- RACDCERT {{ cert_type }} CONNECT({{cert_type}} LABEL('{{cert_label}}') RING({{keyring_name}}) DEFAULT USAGE(PERSONAL))
when: not sign_label == ' ' and not cert_type == 'USER'
when: not cert_args.cert_signer == ' ' and not cert_type == 'USER'
# - RACDCERT {{ cert_type }} CONNECT({{cert_type}} LABEL('{{cert_label}}') RING({{keyring_name}}) DEFAULT USAGE(PERSONAL))

- ansible.builtin.include_role:
name: issue_tso_cmd
vars:
task_description: 'Install and connect local cert for {{cert_type}}'
command:
- RACDCERT ID({{owner_id}}) GENCERT('{{ ansible_user }}.CSR.{{cert_type}}.{{today}}') SIGNWITH({{sign_with}} LABEL('{{sign_label}}')) NOTAFTER(DATE({{expiry_date}}))
- RACDCERT ID({{owner_id}}) GENCERT('{{ ansible_user }}.CSR.{{cert_type}}.{{today}}') SIGNWITH({{sign_with}} LABEL('{{cert_args.cert_signer}}')) NOTAFTER(DATE({{expiry_date}}))
- RACDCERT ID({{ owner_id}}) ALTER(LABEL('{{ cert_label}} NEW')) NEWLABEL('{{ cert_label}}')
- RACDCERT ID({{owner_id}}) CONNECT(LABEL('{{cert_label}}') RING({{keyring_name}}) DEFAULT USAGE(PERSONAL))
when: not sign_label == ' ' and cert_type == 'USER'
- RACDCERT ID({{owner_id}}) CONNECT(LABEL('{{cert_label}}') RING({{ cert_args.cert_ring }}) DEFAULT USAGE(PERSONAL))
when: not cert_args.cert_signer == ' ' and cert_type == 'USER'

- ansible.builtin.include_role:
name: issue_tso_cmd
Expand All @@ -235,8 +238,8 @@
command:
- RACDCERT {{cert_type}} GENCERT('{{ ansible_user }}.CSR.{{cert_type}}.{{today}}') SIGNWITH({{sign_with}} LABEL('{{cert_label}}NEW')) NOTAFTER(DATE({{expiry_date}}))
- RACDCERT {{cert_type}} ALTER(LABEL('{{ cert_label}} NEW')) NEWLABEL('{{ cert_label}}')
- RACDCERT {{ cert_type }} CONNECT({{cert_type}} LABEL('{{cert_label}}') RING({{keyring_name}}) DEFAULT USAGE(PERSONAL))
when: sign_label == ' ' and not cert_type == 'USER'
- RACDCERT ID({{ cert_args.cert_ring_owner }}) CONNECT({{cert_type}} LABEL('{{cert_label}}') RING({{ cert_args.cert_ring }}) DEFAULT USAGE(PERSONAL))
when: cert_args.cert_signer == ' ' and not cert_type == 'USER'

- ansible.builtin.include_role:
name: issue_tso_cmd
Expand All @@ -245,8 +248,8 @@
command:
- RACDCERT ID({{owner_id}}) GENCERT('{{ ansible_user }}.CSR.{{cert_type}}.{{today}}') SIGNWITH({{sign_with}} LABEL('{{cert_label}}NEW')) NOTAFTER(DATE({{expiry_date}}))
- RACDCERT ID({{ owner_id}}) ALTER(LABEL('{{ cert_label}} NEW')) NEWLABEL('{{ cert_label}}')
- RACDCERT ID({{owner_id}}) CONNECT(LABEL('{{cert_label}}') RING({{keyring_name}}) DEFAULT USAGE(PERSONAL))
when: sign_label == ' ' and cert_type == 'USER'
- RACDCERT ID({{ cert_args.cert_ring_owner }}) CONNECT(LABEL('{{cert_label}}') RING({{ cert_args.cert_ring }}) DEFAULT USAGE(PERSONAL))
when: cert_args.cert_signer == ' ' and cert_type == 'USER'

- ansible.builtin.include_role:
name: get_cert_detail
Expand Down Expand Up @@ -294,6 +297,8 @@
to: ISO8859-1
flat: true

- meta: end_host

- name: Send cert data to IBM Concert
ansible.builtin.shell: |
/usr/bin/curl -k -X POST https://{{ concert_hostname }}/ingestion/api/v1/upload_files \
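Review bot: The `- meta: end_host` added in the `-294,6 +297,8` hunk unconditionally ends the play for the host before the `Send cert data to IBM Concert` task, so the upload to `{{ concert_hostname }}` can never run; the same insertion appears in send_cert_data.yml. If this is meant as a temporary switch, gate it on a variable so the renewal flow stays complete by default, e.g. `- meta: end_host` followed by `when: skip_concert_upload | default(false) | bool`. The `debug: var: cert_args` task added in the `-161,6 +161,9` hunk reads like a leftover from the same debugging session and prints the signer and ring details on every run; either drop it or give it `verbosity: 1`. The new default `sn_short_desc` in the first hunk embeds a specific incident number and environment text, which will be sent to ServiceNow verbatim whenever a caller does not override it; keeping the default `""` (as the neighbouring `sn_incident_number` does) and templating the description from `sn_incident_number` would avoid that.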
27 changes: 22 additions & 5 deletions ibm_concert/cert_renewal/roles/get_cert_detail/tasks/main.yml
Expand Up @@ -27,23 +27,25 @@
vf_index: "{{ lookup('ansible.utils.index_of', buffer, 'regex', 'Start Date') }}"
vt_index: "{{ lookup('ansible.utils.index_of', buffer, 'regex', 'End Date') }}"
tp_index: "{{ lookup('ansible.utils.index_of', buffer, 'regex', 'Fingerprint') }}"
ro_index: "{{ lookup('ansible.utils.index_of', buffer, 'regex', 'Ring Owner:') }}"
kr_index: "{{ lookup('ansible.utils.index_of', buffer, 'regex', 'Ring:') }}"
in_index: "{{ lookup('ansible.utils.index_of', buffer, 'regex', '.') }}"

- ansible.builtin.set_fact:
cert_sn: "@@@{{role_cert.cert_type}}@@@{{role_cert.cert_label}}@@@"
when: role_cert.cert_type == 'CERTAUTH' or role_cert.cert_type == 'SITE'

- ansible.builtin.set_fact:
cert_sn: "@@@{{role_cert. owner_id | trim }}@@@{{role_cert.cert_label}}@@@"
cert_sn: "@@@{{role_cert.owner_id | trim }}@@@{{role_cert.cert_label}}@@@"
when: role_cert.cert_type == 'USER'

- ansible.builtin.set_fact:
cert_name: "{{ role_cert.cert_label | regex_replace(' ', '') }}"
cert_name: "{{ role_cert.cert_label }}"
cert_subject: ""
cert_cn: "{{ buffer[sb_index | int + 1] }}"
cert_issuer: "{{ buffer[is_index | int + 1] | regex_replace(' ', '') }}"
cert_algo: "{{ buffer[ka_index | int][21:] | regex_replace(' ', '') }}"
cert_key_size: " {{ buffer[ks_index | int][12:] | regex_replace(' ', '') }}"
cert_issuer: "{{ buffer[is_index | int + 1] }}"
cert_algo: "{{ buffer[ka_index | int][21:] }}"
cert_key_size: " {{ buffer[ks_index | int][12:] }}"
cert_sans: ""
cert_valid_from: "{{ buffer[vf_index | int][14:] }}"
cert_valid_to: "{{ buffer[vt_index | int][14:] }}"
Expand All @@ -57,6 +59,21 @@
cert_pri_owner: "{{ role_cert.owner_id }}"
cert_sec_owner: ""
cert_ns: ""
cert_ring_owner: " {{ buffer [ro_index | int][16:23] }}"
cert_ring: " {{ buffer [kr_index | int + 1] }}"

- ansible.builtin.set_fact:
new_issuer: "{{ cert_issuer | split('.') }}"
- ansible.builtin.set_fact:
final_issuer: "{{ new_issuer[0] | split('=') }}"

- name: Build cert details for {{cert_label}}
ansible.builtin.set_fact:
cert_args: "{{ cert_args | default({}) | combine ({
'cert_ring_owner': cert_ring_owner | trim,
'cert_ring': cert_ring | regex_replace('[><]', '') | trim,
'cert_signer': final_issuer[1]
}) }}"

# Serial Number,Name,Subject,CN,Issuer,Key Algorithm,Key Size,SANS,ValidFrom,Valid To,Thumbprint,Certificate Hosts,System Reference Id,DN,ParentDN,Certificate Type,CreatedOn,Primary Owner,Secondary Owner,Namespace
- name: Build CSV record for {{role_cert.cert_label}}
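Review bot: `'cert_signer': final_issuer[1]` in the new `Build cert details` task indexes the list produced by splitting the first dotted component of `cert_issuer` on `=`, and raises an undefined-element error whenever that component contains no `=`; since renew_cert.yml now branches on `cert_args.cert_signer == ' '`, a missing signer should presumably yield that sentinel rather than abort, e.g. `'cert_signer': (final_issuer[1] if final_issuer | length > 1 else ' ')` — confirm against the `RACDCERT LIST` output this parses. The fixed column slice `buffer [ro_index | int][16:23]` for `cert_ring_owner` silently truncates an 8-character owner id and depends on the exact layout of the `Ring Owner:` line; a regex capture of the token after `Ring Owner:` would be less brittle. Likewise `cert_ring: buffer [kr_index | int + 1]` assumes the ring name is always on the line after the first `Ring:` match, which is worth a comment stating that assumption.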
2 changes: 2 additions & 0 deletions ibm_concert/cert_renewal/send_cert_data.yml
Expand Up @@ -164,6 +164,8 @@
to: ISO8859-1
flat: true

- meta: end_host

- name: Send cert data to IBM Concert
ansible.builtin.shell: |
/usr/bin/curl -k -X POST https://{{ concert_hostname }}/ingestion/api/v1/upload_files \
