
Merge latest code #297

Merged
merged 12 commits into from
Jan 18, 2025
1 change: 1 addition & 0 deletions ibm_concert/cert_renewal/ansible.cfg
Expand Up @@ -12,6 +12,7 @@
[defaults]
forks = 25
display_skipped_hosts = no
stdout_callback = yaml
remote_tmp = /tmp

[ssh_connection]
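Review bot: `remote_tmp = /tmp` directs Ansible's remote staging of module payloads and temporary files to a shared, world-writable directory instead of the per-user default under the connecting user's home; the rendered hunk does not show which of these seven lines is the single addition, so this applies whether it is new or merely adjacent. A shared temp location is the usual place where permission collisions between different connecting or `become` users surface, and it widens who can observe staged files compared with a per-user directory, depending on how the target creates it. If the targets' home-directory layout forces this setting, keep it but record the reason beside it, e.g. `# remote_tmp: /tmp because home directories are not writable on the targets (replace with the actual reason)`.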
82 changes: 82 additions & 0 deletions ibm_concert/cert_renewal/create_USER_cert.yml
@@ -0,0 +1,82 @@
###############################################################################
# © Copyright IBM Corporation 2024
###############################################################################

- hosts: all
collections:
- ibm.ibm_zos_core
gather_facts: false
environment: "{{ environment_vars }}"
vars:
owner_id: 'STCUSR'
cert_label: 'concertCertificateTest'
sign_label: 'IBM CA'
cn: 'share.centers.ihost.com:19999'
altname: 'IP(192.148.8.225)'
ou: 'Concert for Z'
country: 'US'
expiry_date: '2024-11-08'
expiry_time: '10:06:00' # UTC time
keyring: 'Keyring.CONCERT'
check_name: 'IBMRACF,RACF_CERTIFICATE_EXPIRATION'

tasks:
- block:
- name: Clean up certs and keyring
ibm.ibm_zos_core.zos_tso_command:
commands:
- RACDCERT ADDRING({{keyring}}) ID({{owner_id}})
- RACDCERT LISTRING({{keyring}}) ID({{ owner_id}})
register: tso_cmd_output
ignore_errors: true

- name: Create new self-signed USER cert and connect to keyring
ibm.ibm_zos_core.zos_tso_command:
commands:
- RACDCERT GENCERT ID({{owner_id}}) SUBJECTSDN(CN('{{cn}}') OU('{{ou}}') C('{{country}}')) WITHLABEL('{{cert_label}}') NOTAFTER(DATE({{expiry_date}}) TIME({{expiry_time}}) ) ALTNAME({{altname}})
- RACDCERT ID({{owner_id}}) CONNECT(LABEL('{{cert_label}}') RING({{keyring}}) DEFAULT)
- RACDCERT LISTRING({{keyring}}) ID({{owner_id}})
- RACDCERT ID({{owner_id}}) ALTER(LABEL('{{cert_label}}')) TRUST
- RACDCERT LISTCHAIN(LABEL('{{cert_label}}')) ID({{owner_id}})
when: sign_label == ' ' and not expiry_date == ''
register: tso_cmd_output

- name: Create new local-CA-signed USER cert and connect to keyring
ibm.ibm_zos_core.zos_tso_command:
commands:
- RACDCERT GENCERT ID({{owner_id}}) SUBJECTSDN(CN('{{cn}}') OU('{{ou}}') C('{{country}}')) WITHLABEL('{{cert_label}}') SIGNWITH(CERTAUTH LABEL('{{sign_label}}')) NOTAFTER(DATE({{expiry_date}}) TIME({{expiry_time}}) ) ALTNAME({{altname}})
- RACDCERT ID({{owner_id}}) CONNECT(LABEL('{{cert_label}}') RING({{keyring}}) DEFAULT)
- RACDCERT LISTRING({{keyring}}) ID({{owner_id}})
- RACDCERT ID({{owner_id}}) ALTER(LABEL('{{cert_label}}')) TRUST
- RACDCERT LISTCHAIN(LABEL('{{cert_label}}')) ID({{owner_id}})
when: not sign_label == ' ' and not expiry_date == ''
register: tso_cmd_output

- name: Create new self-signed USER cert and connect to keyring
ibm.ibm_zos_core.zos_tso_command:
commands:
- RACDCERT GENCERT ID({{owner_id}}) SUBJECTSDN(CN('{{cn}}') OU('{{ou}}') C('{{country}}')) WITHLABEL('{{cert_label}}') ALTNAME({{altname}})
- RACDCERT ID({{owner_id}}) CONNECT(LABEL('{{cert_label}}') RING({{keyring}}) DEFAULT)
- RACDCERT LISTRING({{keyring}}) ID({{owner_id}})
- RACDCERT ID({{owner_id}}) ALTER(LABEL('{{cert_label}}')) TRUST
- RACDCERT LISTCHAIN(LABEL('{{cert_label}}')) ID({{owner_id}})
when: sign_label == ' ' and expiry_date == ''
register: tso_cmd_output

- name: Create new local-CA-signed USER cert and connect to keyring
ibm.ibm_zos_core.zos_tso_command:
commands:
- RACDCERT GENCERT ID({{owner_id}}) SUBJECTSDN(CN('{{cn}}') OU('{{ou}}') C('{{country}}')) WITHLABEL('{{cert_label}}') SIGNWITH(CERTAUTH LABEL('{{sign_label}}')) ALTNAME({{altname}})
- RACDCERT ID({{owner_id}}) CONNECT(LABEL('{{cert_label}}') RING({{keyring}}) DEFAULT)
- RACDCERT LISTRING({{keyring}}) ID({{owner_id}})
- RACDCERT ID({{owner_id}}) ALTER(LABEL('{{cert_label}}')) TRUST
- RACDCERT LISTCHAIN (LABEL('{{cert_label}}')) ID({{owner_id}})
when: not sign_label == ' ' and expiry_date == ''
register: tso_cmd_output

- name: List keyring
ibm.ibm_zos_core.zos_tso_command:
commands:
- RACDCERT LISTRING({{keyring}}) ID({{ owner_id}})
ignore_errors: true
register: tso_cmd_output
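Review bot: The four `when:` conditions on the GENCERT tasks test `sign_label` against a single space (`' '`) while `expiry_date` is tested against the empty string (`''`), so a caller that passes `sign_label: ''` falls into the local-CA-signed branch and issues `SIGNWITH(CERTAUTH LABEL(''))`; comparing the trimmed value with `''` in all four, e.g. `when: sign_label | trim == '' and expiry_date | trim != ''` for the first task, removes the mismatch. The play-level `vars:` are live example values rather than placeholders — `expiry_date: '2024-11-08'` is already in the past at merge time, and `cn`, `altname` and `owner_id` name a specific host and user — so running the playbook without `-e` overrides mints an expired certificate for that host; empty defaults plus an `ansible.builtin.assert` on the required inputs would make the contract explicit. The first task is named `Clean up certs and keyring` but only issues `RACDCERT ADDRING` and `LISTRING`, i.e. it creates the ring; `- name: Ensure keyring {{keyring}} exists for {{owner_id}}` describes what it does. The four near-identical GENCERT tasks differ only in the optional `SIGNWITH(...)` and `NOTAFTER(...)` clauses and could be one task whose command string includes those clauses conditionally, which would also stop five tasks all registering into the same `tso_cmd_output`.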
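--- a/ibm_concert/cert_renewal/delete_cert.yml
+++ b/ibm_concert/cert_renewal/delete_cert.yml
@@ -0,0 +1,50 @@
+###############################################################################
+# © Copyright IBM Corporation 2024
+###############################################################################
+
+- hosts: all
+collections:
+- ibm.ibm_zos_core
+gather_facts: false
+environment: "{{ environment_vars }}"
+vars:
+owner_id: 'STCUSR'
+cert_type: 'USER'
+cert_label: 'concertCertificateTest'
+keyring: 'Keyring.CONCERT'
+
+check_name: 'IBMRACF,RACF_CERTIFICATE_EXPIRATION'
+
+tasks:
+- name: Deleting cert {{cert_label}}
+ibm.ibm_zos_core.zos_tso_command:
+commands:
+- RACDCERT ID({{ owner_id}}) DELETE(LABEL('{{cert_label}}'))
+when: cert_type == 'USER'
+register: tso_cmd_output
+
+- name: Deleting cert {{cert_label}}
+ibm.ibm_zos_core.zos_tso_command:
+commands:
+- RACDCERT CERTAUTH DELETE(LABEL('{{cert_label}}'))
+when: cert_type == 'CERTAUTH'
+register: tso_cmd_output
+
+- name: Deleting cert {{cert_label}}
+ibm.ibm_zos_core.zos_tso_command:
+commands:
+- RACDCERT SITE DELETE(LABEL('{{cert_label}}'))
+when: cert_type == 'SITE'
+register: tso_cmd_output
+
+- name: Issue setropts refresh
+tags: refresh
+ibm.ibm_zos_core.zos_tso_command:
+commands: SETROPTS RACLIST(DIGTCERT) REFRESH
+
+- name: Display keyring
+ibm.ibm_zos_core.zos_tso_command:
+commands:
+- RACDCERT LISTRING({{keyring}}) ID({{ owner_id}})
+ignore_errors: true
+register: tso_cmd_output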
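Review bot: The three delete tasks run against a populated default target — `cert_label: 'concertCertificateTest'` under `owner_id: 'STCUSR'` — so invoking the playbook without overrides deletes that certificate instead of failing, and a `cert_type` outside USER/CERTAUTH/SITE matches no delete task while `SETROPTS RACLIST(DIGTCERT) REFRESH` still runs, which hides the mistake. Defaulting `cert_label: ''` and guarding before the first delete with `- ansible.builtin.assert:` / `that: cert_label | trim != '' and cert_type in ['USER', 'CERTAUTH', 'SITE']` makes a wrong invocation fail loudly. The refresh task passes `commands:` as a bare scalar where every other task in the file uses a list; `commands:` followed by `- SETROPTS RACLIST(DIGTCERT) REFRESH` keeps the module input uniform. `check_name` is declared under `vars:` but no task in this file references it, so it appears to be carried over from the renewal playbook and can be dropped if nothing else reads it.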
16 changes: 14 additions & 2 deletions ibm_concert/cert_renewal/renew_cert.yml
Expand Up @@ -24,6 +24,7 @@
owner_id: ''
cert_type: 'USER' # defautl to USER
cert_label: ''
cert_sn: ''
sign_with: 'CERTAUTH' # blank or CERTAUTH
keyring_name: ''
expiry_date: '2025-12-31'
Expand Down Expand Up @@ -54,6 +55,9 @@
- ansible.builtin.set_fact:
cert_label: "{{desc_list2[ct_index|int + 2] | trim }}"

- ansible.builtin.set_fact:
cert_sn: "{{desc_list2[ct_index|int + 3] | trim }}"

- name: Build cert details for {{cert_label}}
ansible.builtin.set_fact:
'cert_type': 'SITE'
Expand Down Expand Up @@ -99,7 +103,8 @@
cert_args: "{{ cert_args | default({}) | combine ({
'owner_id': arg_cert_type,
'cert_type': cert_type,
'cert_label': cert_label
'cert_label': cert_label,
'cert_sn': cert_sn
}) }}"
owner_id: "{{arg_cert_type}}"
when: cert_type == 'USER'
Expand All @@ -109,7 +114,8 @@
cert_args: "{{ cert_args | default({}) | combine ({
'owner_id': '',
'cert_type': cert_type,
'cert_label': cert_label
'cert_label': cert_label,
'cert_sn': cert_sn
}) }}"
when: cert_type != 'USER'

Expand All @@ -129,6 +135,7 @@
vars:
task_description: 'Displaying cert {{cert_args.cert_label}}'
role_cert: "{{cert_args}}"
caller: 'renewal'
tso_command:
- RACDCERT ID({{ cert_args.owner_id}}) LIST(LABEL('{{cert_args.cert_label}}'))
when: cert_type is defined and cert_type == 'USER'
Expand All @@ -138,6 +145,7 @@
vars:
task_description: 'Displaying cert {{cert_args.cert_label}}'
role_cert: "{{cert_args}}"
caller: 'renewal'
tso_command:
- RACDCERT CERTAUTH LIST(LABEL('{{cert_args.cert_label}}'))
when: cert_type is defined and cert_type == 'CERTAUTH'
Expand All @@ -147,6 +155,7 @@
vars:
task_description: 'Displaying cert {{cert_args.cert_label}}'
role_cert: "{{cert_args}}"
caller: 'renewal'
tso_command:
- RACDCERT SITE LIST(LABEL('{{cert_args.cert_label}}'))
when: cert_type is defined and cert_type == 'SITE'
Expand Down Expand Up @@ -221,6 +230,7 @@
vars:
task_description: 'Displaying cert {{cert_args.cert_label}}'
role_cert: "{{cert_args}}"
caller: 'renewal'
tso_command:
- RACDCERT ID({{ cert_args.owner_id}}) LIST(LABEL('{{cert_args.cert_label}}'))
when: cert_type is defined and cert_type == 'USER'
Expand All @@ -230,6 +240,7 @@
vars:
task_description: 'Displaying cert {{cert_args.cert_label}}'
role_cert: "{{cert_args}}"
caller: 'renewal'
tso_command:
- RACDCERT CERTAUTH LIST(LABEL('{{cert_args.cert_label}}'))
when: cert_type is defined and cert_type == 'CERTAUTH'
Expand All @@ -239,6 +250,7 @@
vars:
task_description: 'Displaying cert {{cert_args.cert_label}}'
role_cert: "{{cert_args}}"
caller: 'renewal'
tso_command:
- RACDCERT SITE LIST(LABEL('{{cert_args.cert_label}}'))
when: cert_type is defined and cert_type == 'SITE'
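Review bot: The new `cert_sn: "{{desc_list2[ct_index|int + 3] | trim }}"` reads one element beyond the `+ 2` index the preceding task already uses, with no check that the entry has that many fields; `desc_list2` is built outside this hunk, so whether every row carries a fourth field cannot be confirmed here, and if a row can be shorter the `| trim` on an out-of-range lookup fails the play. `cert_sn: "{{ desc_list2[ct_index|int + 3] | default('') | trim }}"` degrades to an empty value instead, matching the `cert_sn: ''` default added at the top of the play. The literal `caller: 'renewal'` is added to six role invocations here (and `caller: 'send-data'` three times in send_cert_data.yml); because get_cert_detail branches on this exact string, setting it once in the play's `vars:` means a single typo cannot silently send one invocation down the other branch. The task lists these hunks sit in start and end outside them.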
7 changes: 5 additions & 2 deletions ibm_concert/cert_renewal/roles/get_cert_detail/tasks/main.yml
Expand Up @@ -32,11 +32,14 @@
in_index: "{{ lookup('ansible.utils.index_of', buffer, 'regex', '.') }}"

- ansible.builtin.set_fact:
cert_sn: "000{{role_cert.cert_type}}000{{role_cert.cert_label | trim }}000"
cert_sn: "{{ buffer[sn_index | int + 1] | trim if caller == 'send-data' else cert_args.cert_sn }}"

- ansible.builtin.set_fact:
cert_sn: "000{{role_cert.cert_type}}000{{role_cert.cert_label | trim }}000{{cert_sn}}000"
when: role_cert.cert_type == 'CERTAUTH' or role_cert.cert_type == 'SITE'

- ansible.builtin.set_fact:
cert_sn: "000{{role_cert.owner_id | trim }}000{{role_cert.cert_label | trim }}000"
cert_sn: "000{{role_cert.owner_id | trim }}000{{role_cert.cert_label | trim }}000{{cert_sn}}000"
when: role_cert.cert_type == 'USER'

- ansible.builtin.set_fact:
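Review bot: The new `cert_sn` expression falls back to `cert_args.cert_sn`, a variable that belongs to the calling playbook, even though the role already receives the same data as `role_cert` (renew_cert.yml passes `role_cert: "{{cert_args}}"`); combined with the new `caller: ''` default in the role's defaults file, any caller other than send-data that has not defined `cert_args` fails on an undefined variable rather than on a missing field. `cert_sn: "{{ (buffer[sn_index | int + 1] | trim) if caller == 'send-data' else (role_cert.cert_sn | default('')) }}"` keeps the role self-contained and makes the filter-before-conditional precedence explicit instead of relying on the reader knowing it. `sn_index` is referenced but not set anywhere in this hunk, and the role's task list continues outside it, so its origin could not be checked here. A one-line comment on the `caller: ''` default naming the two accepted values, e.g. `# 'send-data': take cert_sn from the command buffer; 'renewal': take it from role_cert`, would document the contract the branch depends on.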
Expand Up @@ -3,3 +3,4 @@
tso_command: ''
role_cert: {}
task_description: 'Get certificate detail'
caller: ''
3 changes: 3 additions & 0 deletions ibm_concert/cert_renewal/send_cert_data.yml
Expand Up @@ -110,6 +110,7 @@
vars:
task_description: 'Displaying cert {{item.cert_label}}'
role_cert: "{{item}}"
caller: 'send-data'
tso_command:
- RACDCERT ID({{ item.owner_id}}) LIST(LABEL('{{item.cert_label}}'))
loop: "{{expiring_certs}}"
Expand All @@ -120,6 +121,7 @@
vars:
task_description: 'Displaying cert {{item.cert_label}}'
role_cert: "{{item}}"
caller: 'send-data'
tso_command:
- RACDCERT CERTAUTH LIST(LABEL('{{item.cert_label}}'))
loop: "{{expiring_certs}}"
Expand All @@ -130,6 +132,7 @@
vars:
task_description: 'Querying cert {{item.cert_label}}'
role_cert: "{{item}}"
caller: 'send-data'
tso_command:
- RACDCERT SITE LIST(LABEL('{{item.cert_label}}'))
loop: "{{expiring_certs}}"