From 90da2784fdaa4df3c1b6c38bfc6637674a6e61e6 Mon Sep 17 00:00:00 2001 From: Andrew Nguyen Date: Fri, 8 Nov 2024 11:39:30 -0800 Subject: [PATCH 1/8] add create and delete playbook for demos Signed-off-by: Andrew Nguyen --- ibm_concert/cert_renewal/create_USER_cert.yml | 83 +++++++++++++++++++ ibm_concert/cert_renewal/delete_cert.yml | 51 ++++++++++++ 2 files changed, 134 insertions(+) create mode 100644 ibm_concert/cert_renewal/create_USER_cert.yml create mode 100644 ibm_concert/cert_renewal/delete_cert.yml diff --git a/ibm_concert/cert_renewal/create_USER_cert.yml b/ibm_concert/cert_renewal/create_USER_cert.yml new file mode 100644 index 000000000..a295f0c1c --- /dev/null +++ b/ibm_concert/cert_renewal/create_USER_cert.yml 
@@ -0,0 +1,83 @@ +############################################################################### +# © Copyright IBM Corporation 2024 +############################################################################### + +- hosts: all + collections: + - ibm.ibm_zos_core + gather_facts: false + environment: "{{ environment_vars }}" + vars: + ansible_ssh_pipelining: true + owner_id: 'STCUSR' + cert_label: 'concertCertificateTest' + sign_label: 'IBM CA' + cn: 'share.centers.ihost.com:19999' + altname: 'IP(192.148.8.225)' + ou: 'Concert for Z' + country: 'US' + expiry_date: '2024-11-08' + expiry_time: '10:06:00' # UTC time + keyring: 'Keyring.CONCERT' + check_name: 'IBMRACF,RACF_CERTIFICATE_EXPIRATION' + + tasks: + - block: + - name: Clean up certs and keyring + ibm.ibm_zos_core.zos_tso_command: + commands: + - RACDCERT ADDRING({{keyring}}) ID({{owner_id}}) + - RACDCERT LISTRING({{keyring}}) ID({{ owner_id}}) + register: tso_cmd_output + ignore_errors: true + + - name: Create new self-signed USER cert and connect to keyring + ibm.ibm_zos_core.zos_tso_command: + commands: + - RACDCERT GENCERT ID({{owner_id}}) SUBJECTSDN(CN('{{cn}}') OU('{{ou}}') C('{{country}}')) WITHLABEL('{{cert_label}}') NOTAFTER(DATE({{expiry_date}}) TIME({{expiry_time}}) ) ALTNAME({{altname}}) + - RACDCERT ID({{owner_id}}) CONNECT(LABEL('{{cert_label}}') RING({{keyring}}) DEFAULT) + - RACDCERT LISTRING({{keyring}}) ID({{owner_id}}) + - RACDCERT ID({{owner_id}}) ALTER(LABEL('{{cert_label}}')) TRUST + - RACDCERT LISTCHAIN(LABEL('{{cert_label}}')) ID({{owner_id}}) + when: sign_label == ' ' and not expiry_date == '' + register: tso_cmd_output + + - name: Create new local-CA-signed USER cert and connect to keyring + ibm.ibm_zos_core.zos_tso_command: + commands: + - RACDCERT GENCERT ID({{owner_id}}) SUBJECTSDN(CN('{{cn}}') OU('{{ou}}') C('{{country}}')) WITHLABEL('{{cert_label}}') SIGNWITH(CERTAUTH LABEL('{{sign_label}}')) NOTAFTER(DATE({{expiry_date}}) TIME({{expiry_time}}) ) ALTNAME({{altname}}) + - 
RACDCERT ID({{owner_id}}) CONNECT(LABEL('{{cert_label}}') RING({{keyring}}) DEFAULT) + - RACDCERT LISTRING({{keyring}}) ID({{owner_id}}) + - RACDCERT ID({{owner_id}}) ALTER(LABEL('{{cert_label}}')) TRUST + - RACDCERT LISTCHAIN(LABEL('{{cert_label}}')) ID({{owner_id}}) + when: not sign_label == ' ' and not expiry_date == '' + register: tso_cmd_output + + - name: Create new self-signed USER cert and connect to keyring + ibm.ibm_zos_core.zos_tso_command: + commands: + - RACDCERT GENCERT ID({{owner_id}}) SUBJECTSDN(CN('{{cn}}') OU('{{ou}}') C('{{country}}')) WITHLABEL('{{cert_label}}') ALTNAME({{altname}}) + - RACDCERT ID({{owner_id}}) CONNECT(LABEL('{{cert_label}}') RING({{keyring}}) DEFAULT) + - RACDCERT LISTRING({{keyring}}) ID({{owner_id}}) + - RACDCERT ID({{owner_id}}) ALTER(LABEL('{{cert_label}}')) TRUST + - RACDCERT LISTCHAIN(LABEL('{{cert_label}}')) ID({{owner_id}}) + when: sign_label == ' ' and expiry_date == '' + register: tso_cmd_output + + - name: Create new local-CA-signed USER cert and connect to keyring + ibm.ibm_zos_core.zos_tso_command: + commands: + - RACDCERT GENCERT ID({{owner_id}}) SUBJECTSDN(CN('{{cn}}') OU('{{ou}}') C('{{country}}')) WITHLABEL('{{cert_label}}') SIGNWITH(CERTAUTH LABEL('{{sign_label}}')) ALTNAME({{altname}}) + - RACDCERT ID({{owner_id}}) CONNECT(LABEL('{{cert_label}}') RING({{keyring}}) DEFAULT) + - RACDCERT LISTRING({{keyring}}) ID({{owner_id}}) + - RACDCERT ID({{owner_id}}) ALTER(LABEL('{{cert_label}}')) TRUST + - RACDCERT LISTCHAIN (LABEL('{{cert_label}}')) ID({{owner_id}}) + when: not sign_label == ' ' and expiry_date == '' + register: tso_cmd_output + + - name: List keyring + ibm.ibm_zos_core.zos_tso_command: + commands: + - RACDCERT LISTRING({{keyring}}) ID({{ owner_id}}) + ignore_errors: true + register: tso_cmd_output \ No newline at end of file diff --git a/ibm_concert/cert_renewal/delete_cert.yml b/ibm_concert/cert_renewal/delete_cert.yml new file mode 100644 index 000000000..10be988b1 --- /dev/null 
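Review bot: The four `when:` guards use a single-space sentinel (`sign_label == ' '`) to mean "no signing CA", so an empty `sign_label: ''` does not select the self-signed branches but the `SIGNWITH(CERTAUTH LABEL(''))` ones, handing RACDCERT an empty CA label; test for emptiness with `sign_label | default('') | trim | length == 0` (and the same for `expiry_date`) so the branches are exhaustive and mutually exclusive. The four near-identical task bodies could then collapse into a single `RACDCERT GENCERT` command that appends `SIGNWITH(...)` and `NOTAFTER(...)` only when the corresponding variable is set. Every branch also runs `RACDCERT ... ALTER(LABEL('{{cert_label}}')) TRUST`, which marks a freshly generated, possibly self-signed certificate as trusted in `Keyring.CONCERT` — fine for a demo, but a comment such as `# demo only: trusts the new cert unconditionally; production certs must be CA-signed and reviewed before TRUST` would keep it from being copied. Unlike delete_cert.yml in this same commit, no `SETROPTS RACLIST(DIGTCERT) REFRESH` follows the GENCERT/CONNECT, so if DIGTCERT is RACLISTed the new certificate may not be visible to applications until a refresh is issued. The committed defaults `cn: 'share.centers.ihost.com:19999'` and `altname: 'IP(192.148.8.225)'` look like a real host and address; placeholders are safer in a checked-in demo.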
+++ b/ibm_concert/cert_renewal/delete_cert.yml @@ -0,0 +1,51 @@ +############################################################################### +# © Copyright IBM Corporation 2024 +############################################################################### + +- hosts: all + collections: + - ibm.ibm_zos_core + gather_facts: false + environment: "{{ environment_vars }}" + vars: + ansible_ssh_pipelining: true + owner_id: 'STCUSR' + cert_type: 'USER' + cert_label: 'concertCertificateTest' + keyring: 'Keyring.CONCERT' + + check_name: 'IBMRACF,RACF_CERTIFICATE_EXPIRATION' + + tasks: + - name: Deleting cert {{cert_label}} + ibm.ibm_zos_core.zos_tso_command: + commands: + - RACDCERT ID({{ owner_id}}) DELETE(LABEL('{{cert_label}}')) + when: cert_type == 'USER' + register: tso_cmd_output + + - name: Deleting cert {{cert_label}} + ibm.ibm_zos_core.zos_tso_command: + commands: + - RACDCERT CERTAUTH DELETE(LABEL('{{cert_label}}')) + when: cert_type == 'CERTAUTH' + register: tso_cmd_output + + - name: Deleting cert {{cert_label}} + ibm.ibm_zos_core.zos_tso_command: + commands: + - RACDCERT SITE DELETE(LABEL('{{cert_label}}')) + when: cert_type == 'SITE' + register: tso_cmd_output + + - name: Issue setropts refresh + tags: refresh + ibm.ibm_zos_core.zos_tso_command: + commands: SETROPTS RACLIST(DIGTCERT) REFRESH + + - name: Display keyring + ibm.ibm_zos_core.zos_tso_command: + commands: + - RACDCERT LISTRING({{keyring}}) ID({{ owner_id}}) + ignore_errors: true + register: tso_cmd_output \ No newline at end of file From 414895c66b4f051d35e57bb0fbeb16e518c83ec6 Mon Sep 17 00:00:00 2001 From: Andrew Nguyen Date: Fri, 8 Nov 2024 14:39:18 -0800 Subject: [PATCH 2/8] removing pipelining Signed-off-by: Andrew Nguyen --- ibm_concert/cert_renewal/create_USER_cert.yml | 1 - ibm_concert/cert_renewal/delete_cert.yml | 1 - 2 files changed, 2 deletions(-) 
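Review bot: When `cert_type` is anything other than `USER`, `CERTAUTH` or `SITE`, none of the three `Deleting cert` tasks run, yet `SETROPTS RACLIST(DIGTCERT) REFRESH` and the final keyring listing still execute and the play finishes green, so a typo in `cert_type` is reported as a successful deletion. Add a fail-fast guard before the deletes, e.g. `- ansible.builtin.assert:` / `that: cert_type in ['USER', 'CERTAUTH', 'SITE']` / `fail_msg: "cert_type must be USER, CERTAUTH or SITE"`. `cert_label` is interpolated verbatim inside `LABEL('{{cert_label}}')`, so a label containing a quote or parenthesis changes the TSO command; since the label arrives as a play variable, the same assert should reject those characters and enforce the 32-character label limit. The `RACDCERT CERTAUTH DELETE` path removes a CA certificate that other keyrings may chain to; recording a `RACDCERT CERTAUTH LIST(LABEL('{{cert_label}}'))` before the delete gives the operator something to verify against, although which rings reference it cannot be seen from here.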
diff --git a/ibm_concert/cert_renewal/create_USER_cert.yml b/ibm_concert/cert_renewal/create_USER_cert.yml index a295f0c1c..525c97f78 100644 --- a/ibm_concert/cert_renewal/create_USER_cert.yml +++ b/ibm_concert/cert_renewal/create_USER_cert.yml @@ -8,7 +8,6 @@ gather_facts: false environment: "{{ environment_vars }}" vars: - ansible_ssh_pipelining: true owner_id: 'STCUSR' cert_label: 'concertCertificateTest' sign_label: 'IBM CA' diff --git a/ibm_concert/cert_renewal/delete_cert.yml b/ibm_concert/cert_renewal/delete_cert.yml index 10be988b1..36e4ec85f 100644 --- a/ibm_concert/cert_renewal/delete_cert.yml +++ b/ibm_concert/cert_renewal/delete_cert.yml @@ -8,7 +8,6 @@ gather_facts: false environment: "{{ environment_vars }}" vars: - ansible_ssh_pipelining: true owner_id: 'STCUSR' cert_type: 'USER' cert_label: 'concertCertificateTest' From 563f38ab28898da81114f97f3f94378c5e996563 Mon Sep 17 00:00:00 2001 From: Andrew Nguyen Date: Fri, 8 Nov 2024 15:13:05 -0800 Subject: [PATCH 3/8] send less data for demo Signed-off-by: Andrew Nguyen --- ibm_concert/cert_renewal/send_cert_data.yml | 39 +++++++++++---------- 1 file changed, 20 insertions(+), 19 deletions(-) diff --git a/ibm_concert/cert_renewal/send_cert_data.yml b/ibm_concert/cert_renewal/send_cert_data.yml index 459d02d5f..9f79f021a 100644 --- a/ibm_concert/cert_renewal/send_cert_data.yml +++ b/ibm_concert/cert_renewal/send_cert_data.yml 
@@ -66,25 +66,26 @@ 'cert_type': 'USER', 'cert_label': item[16:48]}]}}" loop: "{{report_lines}}" - when: item is search('E ID') - - - name: Search for CERTAUTH in report - ansible.builtin.set_fact: - expiring_certs: "{{ expiring_certs | default([]) + [{ - 'owner_id': '', - 'cert_type': 'CERTAUTH', - 'cert_label': item[16:48]}]}}" - loop: "{{report_lines}}" - when: item is search('CERTAUTH') - - - name: Search for SITE in report - ansible.builtin.set_fact: - expiring_certs: "{{ expiring_certs | default([]) + [{ - 'owner_id': '', - 'cert_type': 'SITE', - 'cert_label': item[16:48]}]}}" - loop: '{{report_lines}}' - when: item is search('SITE') + # when: item is search('E ID') + when: item is search('STCUSR') + + # - name: Search for CERTAUTH in report + # ansible.builtin.set_fact: + # expiring_certs: "{{ expiring_certs | default([]) + [{ + # 'owner_id': '', + # 'cert_type': 'CERTAUTH', + # 'cert_label': item[16:48]}]}}" + # loop: "{{report_lines}}" + # when: item is search('CERTAUTH') + + # - name: Search for SITE in report + # ansible.builtin.set_fact: + # expiring_certs: "{{ expiring_certs | default([]) + [{ + # 'owner_id': '', + # 'cert_type': 'SITE', + # 'cert_label': item[16:48]}]}}" + # loop: '{{report_lines}}' + # when: item is search('SITE') - ansible.builtin.debug: msg: "Num of expiring certs: {{expiring_certs | length}}" From 095b1d3a2451e17fbfff92afdc5b7b6ec524313e Mon Sep 17 00:00:00 2001 From: Bryant Panyarachun Date: Fri, 8 Nov 2024 16:52:35 -0800 Subject: [PATCH 4/8] change delimiter from @@@ to 000. Signed-off-by: Bryant Panyarachun --- ibm_concert/cert_renewal/renew_cert.yml | 2 +- ibm_concert/cert_renewal/roles/get_cert_detail/tasks/main.yml | 4 ++-- ibm_concert/cert_renewal/servicenow_script.js | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ibm_concert/cert_renewal/renew_cert.yml b/ibm_concert/cert_renewal/renew_cert.yml index d25fecdd4..ddf98f232 100644 --- a/ibm_concert/cert_renewal/renew_cert.yml 
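Review bot: `when: item is search('STCUSR')` hard-codes one owner ID into the expiration-report filter and, because `search` is an unanchored regex over the whole report line, also matches any row whose label (`item[16:48]`) happens to contain that string, while the `'E ID'` test that identified USER-type rows survives only as a commented line. If the intent is to narrow a demo to one owner, keep the type test and add an optional variable, `when: item is search('E ID') and (owner_filter is not defined or item is search(owner_filter))`, so a non-demo run does not silently drop every other owner's certificates. Commenting out the CERTAUTH and SITE searches has the same effect for CA and SITE certificates; gating them on the same variable would avoid carrying dead code in the playbook. The task's opening lines are outside the hunk.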
+++ b/ibm_concert/cert_renewal/renew_cert.yml @@ -37,7 +37,7 @@ var: sn_short_desc - ansible.builtin.set_fact: - desc_list: "{{ sn_short_desc | split('@@@') }}" + desc_list: "{{ sn_short_desc | split('000') }}" - ansible.builtin.set_fact: ct_index: "{{ lookup('ansible.utils.index_of', desc_list, 'regex', '\\] Certificate') }}" diff --git a/ibm_concert/cert_renewal/roles/get_cert_detail/tasks/main.yml b/ibm_concert/cert_renewal/roles/get_cert_detail/tasks/main.yml index a284bbc29..45271a4a4 100644 --- a/ibm_concert/cert_renewal/roles/get_cert_detail/tasks/main.yml +++ b/ibm_concert/cert_renewal/roles/get_cert_detail/tasks/main.yml @@ -32,11 +32,11 @@ in_index: "{{ lookup('ansible.utils.index_of', buffer, 'regex', '.') }}" - ansible.builtin.set_fact: - cert_sn: "@@@{{role_cert.cert_type}}@@@{{role_cert.cert_label}}@@@" + cert_sn: "000{{role_cert.cert_type}}000{{role_cert.cert_label}}000" when: role_cert.cert_type == 'CERTAUTH' or role_cert.cert_type == 'SITE' - ansible.builtin.set_fact: - cert_sn: "@@@{{role_cert.owner_id | trim }}@@@{{role_cert.cert_label}}@@@" + cert_sn: "000{{role_cert.owner_id | trim }}000{{role_cert.cert_label}}000" when: role_cert.cert_type == 'USER' - ansible.builtin.set_fact: diff --git a/ibm_concert/cert_renewal/servicenow_script.js b/ibm_concert/cert_renewal/servicenow_script.js index b54242bc8..4847137e5 100644 --- a/ibm_concert/cert_renewal/servicenow_script.js +++ b/ibm_concert/cert_renewal/servicenow_script.js @@ -1,7 +1,7 @@ // Add extra_vars for Ansible template r.setRequestHeader('Content-Type', 'application/json'); var obj = {}; -var new_desc = current.number + "@@@" + current.short_description; +var new_desc = current.number + "000" + current.short_description; obj['sn_short_desc'] = new_desc; var final_obj = {}; final_obj['extra_vars']= obj; From c823ac979ed293a6d1be4641ecafeb76903cb9a9 Mon Sep 17 00:00:00 2001 
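Review bot: `"000"` is not a safe field separator in `current.number + "000" + current.short_description`, because ServiceNow record numbers are zero-padded (e.g. `INC0010000`) and certificate labels can contain a run of zeros too, so the consumer's `split('000')` in renew_cert.yml can cut the incident number or a label at the wrong place. The script already builds a JSON object for `extra_vars`, so the fields can be sent as separate keys — `obj['sn_incident_number'] = current.number; obj['sn_short_desc'] = current.short_description;` — and the delimiter parsing on the Ansible side dropped altogether. If a delimiter must be kept, pick a sequence that cannot appear in a RACF label or a ServiceNow number rather than digits. The rest of the script is outside the hunk.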
From: Bryant Panyarachun Date: Fri, 8 Nov 2024 17:51:51 -0800 Subject: [PATCH 5/8] change cert env meta from prod to z/OS. Signed-off-by: Bryant Panyarachun --- ibm_concert/cert_renewal/renew_cert.yml | 2 +- ibm_concert/cert_renewal/send_cert_data.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ibm_concert/cert_renewal/renew_cert.yml b/ibm_concert/cert_renewal/renew_cert.yml index ddf98f232..018cd5e96 100644 --- a/ibm_concert/cert_renewal/renew_cert.yml +++ b/ibm_concert/cert_renewal/renew_cert.yml @@ -268,7 +268,7 @@ -H 'Authorization: {{ concert_api_key_type }} {{ concert_api_key }}' \ -F 'data_type=certificate' \ -F 'filename=@{{ playbook_dir }}/{{ concert_csv_file }}' \ - -F 'metadata={"env_name" : "prod"}' + -F 'metadata={"env_name" : "z/OS"}' delegate_to: localhost - name: Resolve incident in ServiceNow diff --git a/ibm_concert/cert_renewal/send_cert_data.yml b/ibm_concert/cert_renewal/send_cert_data.yml index 9f79f021a..1b7db18f7 100644 --- a/ibm_concert/cert_renewal/send_cert_data.yml +++ b/ibm_concert/cert_renewal/send_cert_data.yml @@ -164,7 +164,7 @@ -H 'Authorization: {{ concert_api_key_type }} {{ concert_api_key }}' \ -F 'data_type=certificate' \ -F 'filename=@{{ playbook_dir }}/{{ concert_csv_file }}' \ - -F 'metadata={"env_name" : "prod"}' + -F 'metadata={"env_name" : "z/OS"}' delegate_to: localhost always: From d74ae26061ae3839a2905dbbc5555c137902c14b Mon Sep 17 00:00:00 2001 From: Andrew Nguyen Date: Tue, 12 Nov 2024 12:52:14 -0800 Subject: [PATCH 6/8] change delimiter for SNOW ticket back to @@@ Signed-off-by: Andrew Nguyen --- ibm_concert/cert_renewal/renew_cert.yml | 11 +++++++---- ibm_concert/cert_renewal/servicenow_script.js | 2 +- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/ibm_concert/cert_renewal/renew_cert.yml b/ibm_concert/cert_renewal/renew_cert.yml index 018cd5e96..a88b03be9 100644 --- a/ibm_concert/cert_renewal/renew_cert.yml +++ b/ibm_concert/cert_renewal/renew_cert.yml 
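Review bot: The curl command this metadata line belongs to passes the Concert credential as a command-line argument (`-H 'Authorization: {{ concert_api_key_type }} {{ concert_api_key }}'`), which exposes it in the process list on the control node and, unless the task sets `no_log: true` outside this hunk, in Ansible's verbose output and job logs. Prefer `ansible.builtin.uri` with a `headers:` mapping and `no_log: true` on the task, or at minimum have curl read the header from a config file (`--config`) instead of the argument list; the identical pattern appears in the send_cert_data.yml hunk of this commit. `z/OS` names a platform rather than an environment, so if Concert groups assets by `env_name` a value that keeps both facts (e.g. `prod-zos`) may serve better — this depends on how Concert uses the field, which is not visible here. The task header is outside the hunk.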
@@ -37,19 +37,22 @@ var: sn_short_desc - ansible.builtin.set_fact: - desc_list: "{{ sn_short_desc | split('000') }}" + desc_list: "{{ sn_short_desc | split('@@@') }}" - ansible.builtin.set_fact: - ct_index: "{{ lookup('ansible.utils.index_of', desc_list, 'regex', '\\] Certificate') }}" + desc_list2: "{{ sn_short_desc | split('000') }}" + + - ansible.builtin.set_fact: + ct_index: "{{ lookup('ansible.utils.index_of', desc_list2, 'regex', '\\] Certificate') }}" - ansible.builtin.set_fact: sn_incident_number: "{{desc_list[0] | trim }}" - ansible.builtin.set_fact: - arg_cert_type: "{{desc_list[ct_index|int + 1] | trim }}" + arg_cert_type: "{{desc_list2[ct_index|int + 1] | trim }}" - ansible.builtin.set_fact: - cert_label: "{{desc_list[ct_index|int + 2] | trim }}" + cert_label: "{{desc_list2[ct_index|int + 2] | trim }}" - name: Build cert details for {{cert_label}} ansible.builtin.set_fact: diff --git a/ibm_concert/cert_renewal/servicenow_script.js b/ibm_concert/cert_renewal/servicenow_script.js index 4847137e5..b54242bc8 100644 --- a/ibm_concert/cert_renewal/servicenow_script.js +++ b/ibm_concert/cert_renewal/servicenow_script.js @@ -1,7 +1,7 @@ // Add extra_vars for Ansible template r.setRequestHeader('Content-Type', 'application/json'); var obj = {}; -var new_desc = current.number + "000" + current.short_description; +var new_desc = current.number + "@@@" + current.short_description; obj['sn_short_desc'] = new_desc; var final_obj = {}; final_obj['extra_vars']= obj; From 5884535ee882fd63f500bd9167f53ebb3f268e3e Mon Sep 17 00:00:00 2001 From: Andrew Nguyen Date: Wed, 13 Nov 2024 10:38:24 -0800 Subject: [PATCH 7/8] trim spaces in serial field Signed-off-by: Andrew Nguyen --- ibm_concert/cert_renewal/roles/get_cert_detail/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ibm_concert/cert_renewal/roles/get_cert_detail/tasks/main.yml b/ibm_concert/cert_renewal/roles/get_cert_detail/tasks/main.yml index 45271a4a4..5b7427f81 100644 
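Review bot: `arg_cert_type` and `cert_label` are read straight out of the ServiceNow short description (`desc_list2[ct_index|int + 1]` and `+ 2`), a free-text field controlled by anyone who can edit the incident, and presumably feed RACDCERT commands later in this play (the other playbooks in this series interpolate the label inside `LABEL('…')`); validate them before use with an `ansible.builtin.assert` that `arg_cert_type in ['USER', 'CERTAUTH', 'SITE']` and that `cert_label` is at most 32 characters and contains no quote or parenthesis. `ansible.utils.index_of` yields an empty result rather than failing when `'\\] Certificate'` is absent, so `ct_index|int` does not reliably stop the play and the `+1`/`+2` indexes can read unrelated fields or raise an index error; assert that a match was found and that `desc_list2 | length > ct_index|int + 2` right after the lookup. Splitting the same string on `@@@` for the incident number and on `000` for the certificate fields also leaves `desc_list2[0]` carrying the `@@@` prefix; sending the incident number and certificate fields as separate extra_vars from the ServiceNow script would remove both splits. The earlier tasks and the later RACDCERT use are outside the hunk.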
--- a/ibm_concert/cert_renewal/roles/get_cert_detail/tasks/main.yml +++ b/ibm_concert/cert_renewal/roles/get_cert_detail/tasks/main.yml @@ -32,11 +32,11 @@ in_index: "{{ lookup('ansible.utils.index_of', buffer, 'regex', '.') }}" - ansible.builtin.set_fact: - cert_sn: "000{{role_cert.cert_type}}000{{role_cert.cert_label}}000" + cert_sn: "000{{role_cert.cert_type}}000{{role_cert.cert_label | trim }}000" when: role_cert.cert_type == 'CERTAUTH' or role_cert.cert_type == 'SITE' - ansible.builtin.set_fact: - cert_sn: "000{{role_cert.owner_id | trim }}000{{role_cert.cert_label}}000" + cert_sn: "000{{role_cert.owner_id | trim }}000{{role_cert.cert_label | trim }}000" when: role_cert.cert_type == 'USER' - ansible.builtin.set_fact: From 5739dd0d04ae8159540448d4325af6cf23970b9c Mon Sep 17 00:00:00 2001 From: Andrew Nguyen Date: Wed, 13 Nov 2024 10:49:20 -0800 Subject: [PATCH 8/8] remove test playbooks and send all expired certs Signed-off-by: Andrew Nguyen --- ibm_concert/cert_renewal/create_USER_cert.yml | 82 ------------------- ibm_concert/cert_renewal/delete_cert.yml | 50 ----------- ibm_concert/cert_renewal/send_cert_data.yml | 39 +++++---- 3 files changed, 19 insertions(+), 152 deletions(-) delete mode 100644 ibm_concert/cert_renewal/create_USER_cert.yml delete mode 100644 ibm_concert/cert_renewal/delete_cert.yml diff --git a/ibm_concert/cert_renewal/create_USER_cert.yml b/ibm_concert/cert_renewal/create_USER_cert.yml deleted file mode 100644 index 525c97f78..000000000 --- a/ibm_concert/cert_renewal/create_USER_cert.yml +++ /dev/null 
@@ -1,82 +0,0 @@ -############################################################################### -# © Copyright IBM Corporation 2024 -############################################################################### - -- hosts: all - collections: - - ibm.ibm_zos_core - gather_facts: false - environment: "{{ environment_vars }}" - vars: - owner_id: 'STCUSR' - cert_label: 'concertCertificateTest' - sign_label: 'IBM CA' - cn: 'share.centers.ihost.com:19999' - altname: 'IP(192.148.8.225)' - ou: 'Concert for Z' - country: 'US' - expiry_date: '2024-11-08' - expiry_time: '10:06:00' # UTC time - keyring: 'Keyring.CONCERT' - check_name: 'IBMRACF,RACF_CERTIFICATE_EXPIRATION' - - tasks: - - block: - - name: Clean up certs and keyring - ibm.ibm_zos_core.zos_tso_command: - commands: - - RACDCERT ADDRING({{keyring}}) ID({{owner_id}}) - - RACDCERT LISTRING({{keyring}}) ID({{ owner_id}}) - register: tso_cmd_output - ignore_errors: true - - - name: Create new self-signed USER cert and connect to keyring - ibm.ibm_zos_core.zos_tso_command: - commands: - - RACDCERT GENCERT ID({{owner_id}}) SUBJECTSDN(CN('{{cn}}') OU('{{ou}}') C('{{country}}')) WITHLABEL('{{cert_label}}') NOTAFTER(DATE({{expiry_date}}) TIME({{expiry_time}}) ) ALTNAME({{altname}}) - - RACDCERT ID({{owner_id}}) CONNECT(LABEL('{{cert_label}}') RING({{keyring}}) DEFAULT) - - RACDCERT LISTRING({{keyring}}) ID({{owner_id}}) - - RACDCERT ID({{owner_id}}) ALTER(LABEL('{{cert_label}}')) TRUST - - RACDCERT LISTCHAIN(LABEL('{{cert_label}}')) ID({{owner_id}}) - when: sign_label == ' ' and not expiry_date == '' - register: tso_cmd_output - - - name: Create new local-CA-signed USER cert and connect to keyring - ibm.ibm_zos_core.zos_tso_command: - commands: - - RACDCERT GENCERT ID({{owner_id}}) SUBJECTSDN(CN('{{cn}}') OU('{{ou}}') C('{{country}}')) WITHLABEL('{{cert_label}}') SIGNWITH(CERTAUTH LABEL('{{sign_label}}')) NOTAFTER(DATE({{expiry_date}}) TIME({{expiry_time}}) ) ALTNAME({{altname}}) - - RACDCERT ID({{owner_id}}) 
CONNECT(LABEL('{{cert_label}}') RING({{keyring}}) DEFAULT) - - RACDCERT LISTRING({{keyring}}) ID({{owner_id}}) - - RACDCERT ID({{owner_id}}) ALTER(LABEL('{{cert_label}}')) TRUST - - RACDCERT LISTCHAIN(LABEL('{{cert_label}}')) ID({{owner_id}}) - when: not sign_label == ' ' and not expiry_date == '' - register: tso_cmd_output - - - name: Create new self-signed USER cert and connect to keyring - ibm.ibm_zos_core.zos_tso_command: - commands: - - RACDCERT GENCERT ID({{owner_id}}) SUBJECTSDN(CN('{{cn}}') OU('{{ou}}') C('{{country}}')) WITHLABEL('{{cert_label}}') ALTNAME({{altname}}) - - RACDCERT ID({{owner_id}}) CONNECT(LABEL('{{cert_label}}') RING({{keyring}}) DEFAULT) - - RACDCERT LISTRING({{keyring}}) ID({{owner_id}}) - - RACDCERT ID({{owner_id}}) ALTER(LABEL('{{cert_label}}')) TRUST - - RACDCERT LISTCHAIN(LABEL('{{cert_label}}')) ID({{owner_id}}) - when: sign_label == ' ' and expiry_date == '' - register: tso_cmd_output - - - name: Create new local-CA-signed USER cert and connect to keyring - ibm.ibm_zos_core.zos_tso_command: - commands: - - RACDCERT GENCERT ID({{owner_id}}) SUBJECTSDN(CN('{{cn}}') OU('{{ou}}') C('{{country}}')) WITHLABEL('{{cert_label}}') SIGNWITH(CERTAUTH LABEL('{{sign_label}}')) ALTNAME({{altname}}) - - RACDCERT ID({{owner_id}}) CONNECT(LABEL('{{cert_label}}') RING({{keyring}}) DEFAULT) - - RACDCERT LISTRING({{keyring}}) ID({{owner_id}}) - - RACDCERT ID({{owner_id}}) ALTER(LABEL('{{cert_label}}')) TRUST - - RACDCERT LISTCHAIN (LABEL('{{cert_label}}')) ID({{owner_id}}) - when: not sign_label == ' ' and expiry_date == '' - register: tso_cmd_output - - - name: List keyring - ibm.ibm_zos_core.zos_tso_command: - commands: - - RACDCERT LISTRING({{keyring}}) ID({{ owner_id}}) - ignore_errors: true - register: tso_cmd_output \ No newline at end of file diff --git a/ibm_concert/cert_renewal/delete_cert.yml b/ibm_concert/cert_renewal/delete_cert.yml deleted file mode 100644 index 36e4ec85f..000000000 
--- a/ibm_concert/cert_renewal/delete_cert.yml +++ /dev/null @@ -1,50 +0,0 @@ -############################################################################### -# © Copyright IBM Corporation 2024 -############################################################################### - -- hosts: all - collections: - - ibm.ibm_zos_core - gather_facts: false - environment: "{{ environment_vars }}" - vars: - owner_id: 'STCUSR' - cert_type: 'USER' - cert_label: 'concertCertificateTest' - keyring: 'Keyring.CONCERT' - - check_name: 'IBMRACF,RACF_CERTIFICATE_EXPIRATION' - - tasks: - - name: Deleting cert {{cert_label}} - ibm.ibm_zos_core.zos_tso_command: - commands: - - RACDCERT ID({{ owner_id}}) DELETE(LABEL('{{cert_label}}')) - when: cert_type == 'USER' - register: tso_cmd_output - - - name: Deleting cert {{cert_label}} - ibm.ibm_zos_core.zos_tso_command: - commands: - - RACDCERT CERTAUTH DELETE(LABEL('{{cert_label}}')) - when: cert_type == 'CERTAUTH' - register: tso_cmd_output - - - name: Deleting cert {{cert_label}} - ibm.ibm_zos_core.zos_tso_command: - commands: - - RACDCERT SITE DELETE(LABEL('{{cert_label}}')) - when: cert_type == 'SITE' - register: tso_cmd_output - - - name: Issue setropts refresh - tags: refresh - ibm.ibm_zos_core.zos_tso_command: - commands: SETROPTS RACLIST(DIGTCERT) REFRESH - - - name: Display keyring - ibm.ibm_zos_core.zos_tso_command: - commands: - - RACDCERT LISTRING({{keyring}}) ID({{ owner_id}}) - ignore_errors: true - register: tso_cmd_output \ No newline at end of file diff --git a/ibm_concert/cert_renewal/send_cert_data.yml b/ibm_concert/cert_renewal/send_cert_data.yml index 1b7db18f7..08b489f01 100644 --- a/ibm_concert/cert_renewal/send_cert_data.yml +++ b/ibm_concert/cert_renewal/send_cert_data.yml 
@@ -66,26 +66,25 @@ 'cert_type': 'USER', 'cert_label': item[16:48]}]}}" loop: "{{report_lines}}" - # when: item is search('E ID') - when: item is search('STCUSR') - - # - name: Search for CERTAUTH in report - # ansible.builtin.set_fact: - # expiring_certs: "{{ expiring_certs | default([]) + [{ - # 'owner_id': '', - # 'cert_type': 'CERTAUTH', - # 'cert_label': item[16:48]}]}}" - # loop: "{{report_lines}}" - # when: item is search('CERTAUTH') - - # - name: Search for SITE in report - # ansible.builtin.set_fact: - # expiring_certs: "{{ expiring_certs | default([]) + [{ - # 'owner_id': '', - # 'cert_type': 'SITE', - # 'cert_label': item[16:48]}]}}" - # loop: '{{report_lines}}' - # when: item is search('SITE') + when: item is search('E ID') + + - name: Search for CERTAUTH in report + ansible.builtin.set_fact: + expiring_certs: "{{ expiring_certs | default([]) + [{ + 'owner_id': '', + 'cert_type': 'CERTAUTH', + 'cert_label': item[16:48]}]}}" + loop: "{{report_lines}}" + when: item is search('CERTAUTH') + + - name: Search for SITE in report + ansible.builtin.set_fact: + expiring_certs: "{{ expiring_certs | default([]) + [{ + 'owner_id': '', + 'cert_type': 'SITE', + 'cert_label': item[16:48]}]}}" + loop: '{{report_lines}}' + when: item is search('SITE') - ansible.builtin.debug: msg: "Num of expiring certs: {{expiring_certs | length}}"
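Review bot: The three classifiers `search('E ID')`, `search('CERTAUTH')` and `search('SITE')` are unanchored regex substring matches over the whole report line, so a certificate whose label (`item[16:48]`) contains `SITE` or `CERTAUTH` — a USER certificate labelled `WEBSITE01`, say — is appended to `expiring_certs` more than once with conflicting `cert_type` values, and a later renewal could act on the wrong type. If the report prints the type in a fixed column (the label is already read by fixed columns), compare that slice instead, e.g. `when: item[a:b] | trim == 'SITE'`, or anchor the patterns to the type field rather than the label. The slice `item[16:48]` and the `'E ID'` marker encode the IBMRACF health-check report layout; a one-line comment naming the check and the column positions would spare the next maintainer from re-deriving them. Restoring the filters that the demo commit narrowed to `STCUSR` is the right direction; the task header is outside the hunk.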