File ardana-tls-8.0+git.1534267264.6b1e899.obscpio of Package ardana-tls

File: ardana-tls-8.0+git.1534267264.6b1e899/.copyrightignore
.copyrightignore
.rsync-filter
roles/tls-trust/files/openssl.cnf
roles/tls-trust/templates/ardana-openssl.cnf
roles/tls-trust/files/public/ardana-internal-cacert.crt
roles/tls-trust/files/public/frontend_cacert.pem
roles/tls-frontend/files/public/my-public-cert
roles/tls-trust/files/cacert.pem

File: ardana-tls-8.0+git.1534267264.6b1e899/.gitreview
[gerrit]
host=gerrit.suse.provo.cloud
port=29418
project=ardana/tls-ansible.git
defaultremote=ardana
defaultbranch=stable/pike

File: ardana-tls-8.0+git.1534267264.6b1e899/.rsync-filter
- ardana-ci

File: ardana-tls-8.0+git.1534267264.6b1e899/LICENSE
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.

File: ardana-tls-8.0+git.1534267264.6b1e899/README.md
#
# (c) Copyright 2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
Generate a self-signed CA
Note: In a production setting you will not perform this step. You will use your
company CA or a valid public CA.
This section shows how to create your own self-signed CA and then use it to
sign server certificates. Think of it as a company-internal IT CA: it is
self-signed, and its CA certificate is deployed into the trust store of every
company machine, so the server certificates it issues are accepted by those
machines.
export EXAMPLE_CA_KEY_FILE='example-CA.key'
export EXAMPLE_CA_CERT_FILE='example-CA.crt'
openssl req -x509 -batch -newkey rsa:2048 -nodes -out "${EXAMPLE_CA_CERT_FILE}" \
-keyout "${EXAMPLE_CA_KEY_FILE}" \
-subj "/C=DE/O=Micro Focus International/CN=Autogenerated Ardana Certificate Authority" \
-days 365
You can adjust `-subj` and `-days` to your needs. For instance, to test what
happens when a CA expires, set `-days` to a very low value.
The issuer DN must be unique: chain building matches a certificate's issuer
against the subject of the installed CAs, so if you have already installed a
CA with a particular DN (`-subj`), use a different one the next time. For
example:
-subj "/C=DE/O=Micro Focus International/CN=Autogenerated Ardana Certificate Authority 2" \
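Carrying the procedure above through to a signed server certificate, as an added example that is not part of the ardana-tls README or roles: it creates the CA with the same `openssl req -x509` shape, issues a certificate for the VIP with a SAN (signing with `openssl x509 -req` rather than the `openssl ca` database that the `ardana_ca` module drives), then runs the two checks a deployer wants afterwards: chain and hostname verification, and the 30-day expiry window the tls-trust role defaults to (`tls_expiry_check: 2592000`). File names, subjects and SAN values are assumptions for the demo; it needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not part of the ardana-tls repository: a throwaway
# self-signed CA that issues a server certificate for the VIP, plus the
# two checks a deployer wants afterwards: does the chain verify for the
# VIP hostname, and does the certificate fall inside the 30-day renewal
# window that the tls-trust role defaults to (tls_expiry_check: 2592000).
# File names, subjects and SAN values are assumptions for the demo.
# Requires OpenSSL 1.1.1 or newer.

# make_ca KEY CERT SUBJ DAYS
# Same command shape as the README; `req -x509` marks the result CA:TRUE
# from the default configuration, which is what `openssl verify` needs.
make_ca() {
    openssl req -x509 -batch -newkey rsa:2048 -nodes \
        -keyout "$1" -out "$2" -subj "$3" -days "$4" >/dev/null 2>&1
}

# issue_server_cert CAKEY CACERT KEY CERT CN SAN DAYS
# Fresh key + CSR, then signed by the CA with leaf extensions. Clients
# match the SAN list, not the CN, so the SAN must carry every name and
# address the VIP is reached by.
issue_server_cert() {
    cakey=$1; cacert=$2; key=$3; cert=$4; cn=$5; san=$6; days=$7
    ext=$(mktemp)
    cat >"$ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
    openssl req -new -batch -newkey rsa:2048 -nodes \
        -keyout "$key" -out "$cert.csr" -subj "/CN=$cn" >/dev/null 2>&1 &&
    openssl x509 -req -in "$cert.csr" -CA "$cacert" -CAkey "$cakey" \
        -CAcreateserial -days "$days" -extfile "$ext" -out "$cert" >/dev/null 2>&1
    rc=$?
    rm -f "$ext" "$cert.csr"
    return $rc
}

# cert_ok CACERT CERT HOSTNAME -> 0 when CERT chains to CACERT and its SAN
# covers HOSTNAME; this is the check every TLS client performs.
cert_ok() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# expires_within CERT SECONDS -> 0 when CERT expires inside the window.
# `x509 -checkend` exits 0 when the certificate outlives the window, so
# the sense is inverted here so that the function name reads naturally.
expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

demo() {
    w=$(mktemp -d)
    make_ca "$w/ca.key" "$w/ca.crt" "/C=DE/O=Example/CN=Demo internal CA" 365
    issue_server_cert "$w/ca.key" "$w/ca.crt" "$w/vip.key" "$w/vip.crt" \
        ardana-vip "DNS:ardana-vip,DNS:myardana.test,IP:192.168.114.4" 10
    cert_ok "$w/ca.crt" "$w/vip.crt" ardana-vip && echo "chain and hostname OK"
    cert_ok "$w/ca.crt" "$w/vip.crt" other.test || echo "wrong hostname rejected"
    expires_within "$w/vip.crt" 2592000 && echo "vip.crt expires within 30 days"
    expires_within "$w/ca.crt" 2592000 || echo "ca.crt is good for 30 days"
    rm -rf "$w"
}

command -v openssl >/dev/null 2>&1 && demo
```

`expires_within` is the check to run from cron or a playbook over everything under /etc/ssl/private: the 10-day VIP certificate trips it, the 365-day CA does not. Asking `cert_ok` for a hostname that is not in the SAN makes it fail, which is exactly what a client connecting to the VIP under that name would do.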

File: ardana-tls-8.0+git.1534267264.6b1e899/_tls-deploy-certs.yml
#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
# Bootstrap CA
- hosts: TLS-CA
  roles:
    - tls-trust
  tasks:
    - include: roles/tls-trust/tasks/bootstrap.yml

# Generate internal certificate from one ardana CA
- hosts: TLS-CA--first-member[0]
  roles:
    - tls-trust
  tasks:
    - include: roles/tls-trust/tasks/create_certs.yml

# Copy user provided certificates to temp
- hosts: TLS-CA--first-member[0]
  roles:
    - tls-frontend
  tasks:
    - include: roles/tls-frontend/tasks/bootstrap_certs.yml

# Install trust chains on all nodes except HyperV
- hosts: OPS-LMTGT:!*-HYP
  roles:
    - tls-trust
  tasks:
    - include: roles/tls-trust/tasks/install.yml

# Install trust chains on HyperV
- hosts: OPS-LMTGT:&*-HYP
  roles:
    - tls-trust
    - win-install-package
  tasks:
    - include: roles/win-install-package/tasks/_setvars.yml
    - include: roles/tls-trust/tasks/win_install.yml

# Update trust chains on Java keystores on hosts that
# are known to require Java
- hosts: MON-API
  roles:
    - tls-trust
  tasks:
    - include: roles/tls-trust/tasks/install_java.yml

# deploy certificates for ip-cluster
- hosts: FND-CLU
  roles:
    - tls-trust
    - haproxy
  tasks:
    - include: roles/tls-trust/tasks/cert_deploy.yml

# Cleanup
- hosts: TLS-CA
  roles:
    - tls-trust
  tasks:
    - include: roles/tls-trust/tasks/cleanup.yml

File: ardana-tls-8.0+git.1534267264.6b1e899/_tls-terminator-config.yml
#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- hosts: FND-STN:&FND-CLU
  roles:
    - haproxy
    - tls-trust
  tasks:
    - include: roles/tls-trust/tasks/config_service_termination.yml

File: ardana-tls-8.0+git.1534267264.6b1e899/config/tls-frontend-symlinks.yml
#
# (c) Copyright 2015,2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# The following relative symlinks are created under the
# my_cloud/config directory.
---
symlinks:
  "tls/certs": "roles/tls-frontend/files/public"

File: ardana-tls-8.0+git.1534267264.6b1e899/config/tls-trust-symlinks.yml
#
# (c) Copyright 2015,2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# The following relative symlinks are created under the
# my_cloud/config directory.
---
symlinks:
  "tls/cacerts": "roles/tls-trust/files/public"
  "tls/trust-config": "roles/tls-trust/defaults/main.yml"

File: ardana-tls-8.0+git.1534267264.6b1e899/filter_plugins/tls_filters.py
#
# (c) Copyright 2015 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Set of filters for TLS playbooks


# Get a list of certificate names and return a unique list
def get_cert_files(d):
    """Walk a service map (e.g. FND_CLU.has_proxy), collect the cert_file
    of every entry under each service's 'networks' list and return the
    names without duplicates."""
    ret = list()
    for service in d.keys():
        if 'networks' in d[service].keys():
            for network in d[service]['networks']:
                if 'cert_file' in network.keys():
                    ret.append(network['cert_file'])
    return list(set(ret))


class FilterModule(object):
    def filters(self):
        return {'get_cert_files': get_cert_files}

File: ardana-tls-8.0+git.1534267264.6b1e899/library/ardana_ca.py
#!/usr/bin/python -tt
# -*- coding: utf-8 -*-
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
from subprocess import check_output, CalledProcessError, STDOUT
import os


def _ca(ca):
    # Self-signed CA certificate from an already existing CA private key.
    create_ca = ["/usr/bin/openssl", "req",
                 "-new",
                 "-x509",
                 "-batch",
                 "-nodes",
                 "-key", ca["key"],
                 "-out", ca["cert"],
                 "-days", ca["days"],
                 "-subj", ca["subj"],
                 ]
    check_output(create_ca, stderr=STDOUT)


def _csr(req, key, csr):
    # New 2048-bit RSA key (written unencrypted, -nodes) and a CSR carrying
    # the v3_req extensions (SANs etc.) from the request config file.
    create_csr = ["/usr/bin/openssl", "req",
                  "-newkey", "rsa:2048",
                  "-nodes",
                  "-keyout", key,
                  "-out", csr,
                  "-extensions", "v3_req",
                  "-config", req,
                  ]
    check_output(create_csr, stderr=STDOUT)


def _sign(ca, csr, cert):
    # openssl ca needs its database (index.txt) and a serial file in the
    # working directory; a fresh random 48-bit serial is drawn per run.
    check_output(["touch", "index.txt"], stderr=STDOUT)
    check_output(["/usr/bin/openssl", "rand", "-hex", "-out", "serial", "6"],
                 stderr=STDOUT)
    cert_sign = ["/usr/bin/openssl", "ca",
                 "-batch",
                 "-notext",
                 "-in", csr,
                 "-out", cert,
                 "-config", ca["conf"],
                 "-extensions", "v3_req",
                 "-cert", ca["cert"],
                 "-keyfile", ca["key"],
                 ]
    check_output(cert_sign, stderr=STDOUT)


def main():
    module = AnsibleModule(
        argument_spec=dict(
            cacert=dict(required=True),
            cakey=dict(required=True),
            conf=dict(required=True),
            subj=dict(required=True),
            cert=dict(required=False, type='str'),
            ca_days=dict(required=False, type='str'),
            req=dict(required=False, type='str'),
            csr=dict(required=False, type='str'),
            key=dict(required=False, type='str'),
            chdir=dict(required=False, type='str'),
            combined=dict(required=False, type='bool'),
            generate_ca=dict(required=False, type='bool'),
        ),
        add_file_common_args=True,
        supports_check_mode=True,
    )

    # Initialize return values
    changed = False

    # Change to the working directory
    chdir = module.params['chdir']
    if chdir:
        chdir = os.path.abspath(os.path.expanduser(chdir))
        os.chdir(chdir)

    # Get CA credentials first: the key must already exist, the CA
    # certificate is (re)generated when it is missing or unreadable.
    cakey = module.params['cakey']
    if not os.path.exists(cakey) or not os.access(cakey, os.R_OK):
        module.fail_json(msg="CA key file %s not found or not readable" % (cakey))

    generate_CA = module.params['generate_ca']
    cacert = module.params['cacert']
    if not os.path.exists(cacert) or not os.access(cacert, os.R_OK):
        generate_CA = True

    ca_days = module.params['ca_days']
    if not ca_days:
        ca_days = "3650"  # Ten years

    ca = {"key": cakey,
          "cert": cacert,
          "days": ca_days,
          "conf": module.params['conf'],
          "subj": module.params['subj'],
          }

    req = module.params['req']
    cert = module.params['cert']
    if req:  # User wants a cert generated
        if not os.path.exists(req) or not os.access(req, os.R_OK):
            module.fail_json(msg="Request file %s not found or not readable" % (req))
        if not cert:
            module.fail_json(msg="'cert' is required when 'req' is given")

    # Everything below writes files, so stop here in check mode and only
    # report whether a run would change anything.
    if module.check_mode:
        module.exit_json(changed=bool(generate_CA or req))

    # If CA is to be generated do it now
    if generate_CA:
        try:
            _ca(ca)
            changed = True
        except CalledProcessError as err:
            module.fail_json(msg=err.output, exit_status=err.returncode)

    if req:
        csr = module.params['csr'] or req + ".csr"
        key = module.params['key'] or req + ".key"

        # Create CSR and Sign the cert
        try:
            _csr(req, key, csr)
            _sign(ca, csr, cert)
            changed = True
        except CalledProcessError as err:
            module.fail_json(msg=err.output, exit_status=err.returncode)

        # haproxy-style bundle: append the unencrypted private key to the
        # certificate file. The result must be protected like a key.
        if module.params['combined']:
            with open(cert, "a") as certfile, open(key, "r") as keyfile:
                certfile.write(keyfile.read())
            changed = True

    module.exit_json(
        changed=changed,
    )


# import module snippets
from ansible.module_utils.basic import *  # noqa: E402,F403
main()

File: ardana-tls-8.0+git.1534267264.6b1e899/roles/tls-frontend/defaults/main.yml
#
# (c) Copyright 2015,2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
frontend_server_cert_directory: "/etc/ssl/private/"
tls_temp_dir: "/tmp/ardana_tls/"
tls_req_dir: "/tmp/ardana_tls/"
tls_req_file: "ardana-internal-req"
tls_certs_dir: "/tmp/ardana_tls_certs/"
install_vip_certs_items: "{{ FND_CLU.has_proxy | default({}) | get_cert_files }}"

File: ardana-tls-8.0+git.1534267264.6b1e899/roles/tls-frontend/files/public/my-public-cert
-----BEGIN CERTIFICATE-----
MIIHpTCCBY2gAwIBAgIFDLQjcF8wDQYJKoZIhvcNAQELBQAwfjELMAkGA1UEBhMC
REUxEDAOBgNVBAgMB0JhdmFyaWExEjAQBgNVBAcMCU51cmVtYmVyZzEiMCAGA1UE
CgwZTWljcm8gRm9jdXMgSW50ZXJuYXRpb25hbDENMAsGA1UECwwEU1VTRTEWMBQG
A1UEAwwNQ2xvdWQgVGVzdCBDQTAeFw0xODAyMTIwMTE4NDZaFw0xOTAyMTIwMTE4
NDZaMBUxEzARBgNVBAMMCmFyZGFuYS12aXAwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQDUHGV6BUpshf60t66MkOw1wFyx+q9lxwDm7JIQIskIVBr5Y6xj
bh+W/d7IbfzF0drR5j8oYivf72O+g9lyvId5mEQl3TF8AJF6pE9RIrjyNIb0ae1+
8rdFRM0LGwqNJSkuL4wS2D4xAkpU9e4uRiN5q8FpfYv5YUEIvUZvsw5dW9h+g9A+
S0sEtqmRL7Y649ynrVphu7X40/SzHK5zl/mDOe+diLt3XNpLSLPes+6bI3M/ieWo
QJf2n/sxizWOjHvcwTxy21AvSGdk4SI7+Y/KlpZc9PxgabsecgG2z3Fw25tXj3Mb
2eiuThcFtLcY0YhUzTVtv428wZoUgicbrA+nAgMBAAGjggORMIIDjTAJBgNVHRME
AjAAMB0GA1UdDgQWBBSg2qwiplV3SU/3RbQU9pERZleQPjALBgNVHQ8EBAMCBeAw
ggNSBgNVHREEggNJMIIDRYINbXlhcmRhbmEudGVzdIInYXJkYW5hLWNjcC12aXAt
cHVibGljLUtFWU1HUi1BUEktZXh0YXBpgiRhcmRhbmEtY2NwLXZpcC1wdWJsaWMt
TE9HLUFQSS1leHRhcGmCJGFyZGFuYS1jY3AtdmlwLXB1YmxpYy1OT1YtQVBJLWV4
dGFwaYIkYXJkYW5hLWNjcC12aXAtcHVibGljLUtFWS1BUEktZXh0YXBpgiRhcmRh
bmEtY2NwLXZpcC1wdWJsaWMtU1dGLVBSWC1leHRhcGmCJGFyZGFuYS1jY3Atdmlw
LXB1YmxpYy1ERVMtQVBJLWV4dGFwaYIkYXJkYW5hLWNjcC12aXAtcHVibGljLU5P
Vi1WTkMtZXh0YXBpgiRhcmRhbmEtY2NwLXZpcC1wdWJsaWMtRlJFLUFQSS1leHRh
cGmCJGFyZGFuYS1jY3AtdmlwLXB1YmxpYy1NQUctQVBJLWV4dGFwaYIkYXJkYW5h
LWNjcC12aXAtcHVibGljLU1PTi1BUEktZXh0YXBpgiRhcmRhbmEtY2NwLXZpcC1w
dWJsaWMtSEVBLUFDRi1leHRhcGmCJGFyZGFuYS1jY3AtdmlwLXB1YmxpYy1PUFMt
V0VCLWV4dGFwaYIkYXJkYW5hLWNjcC12aXAtcHVibGljLUhFQS1BUEktZXh0YXBp
giRhcmRhbmEtY2NwLXZpcC1wdWJsaWMtTkVVLVNWUi1leHRhcGmCJGFyZGFuYS1j
Y3AtdmlwLXB1YmxpYy1BUkQtU1ZDLWV4dGFwaYIkYXJkYW5hLWNjcC12aXAtcHVi
bGljLUhFQS1BQ1ctZXh0YXBpgiRhcmRhbmEtY2NwLXZpcC1wdWJsaWMtR0xBLUFQ
SS1leHRhcGmCJGFyZGFuYS1jY3AtdmlwLXB1YmxpYy1DTkQtQVBJLWV4dGFwaYIk
YXJkYW5hLWNjcC12aXAtcHVibGljLUNFSS1BUEktZXh0YXBpgiRhcmRhbmEtY2Nw
LXZpcC1wdWJsaWMtSFpOLVdFQi1leHRhcGmCJGFyZGFuYS1jY3AtdmlwLXB1Ymxp
Yy1OT1YtUExDLWV4dGFwaYINMTkyLjE2OC4xMTQuNIcEwKhyBDANBgkqhkiG9w0B
AQsFAAOCAgEAcBAWamX+wp8ln362mf838iLeBr+lPoFU5e7HPxrhLVGldBb+ihwq
g6qa50JnkkzzTCI8hikvJrQPuZ7FUZzN7quee217Fce7M+8HKE9jKuTYZ5xNwfTZ
8IAIpaCZGqRy/azPJgxhS19U+tpEx29XtGmnMiNaP4XPIwqCEfQNj0Nf9t3REJSm
sGuP3ukiEPkaITYMSvR2rMIfQcPpNF7/diZCa1/6ZKstR3gLfGH+VlnBELQgZMXm
y9wTV+bo+BVS6FedL5WwimQ1eeSB1tE/KQmC2X+ESnwDMsrmDjlxEart4tzXYP29
4SAuVg8ZvhC8Ehk2VOpWqIdDDx2H0FID+BJUq6nfe7P0NCLYZcF04goZj5WurYeA
9UMjS0KZMFAjM9/EKSuCEQuXM9vG7SQKcxUnA2xDKZ1on/gJTptc4vh+ymlp7EQl
CMcOabZ6qo1Iej+IoCYYheSIpJhBg2W7YJryRirDHe+yaWVut4AOJuW8uve/uoD/
twzHT5VE+R0JL/8UZG8e8o7GJJ7l9c1hPSVfg8VtE2qQ0WOCzjohc1Vt8oOI3l3h
bUxFmegat56w74M+FJO5co8s41VDAAZOJH7ClJJm9jwUh/8pODMhYqM7qAhlNU5N
Lgwiwy9I4J+1/cEvpbW59PDUPeR1kD9y/WAbQDupcQI26VFLU55WbRA=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----

File: ardana-tls-8.0+git.1534267264.6b1e899/roles/tls-frontend/tasks/bootstrap_certs.yml
#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: tls-frontend | bootstrap_certs | Create source cert directory
  file:
    path: "{{ tls_certs_dir }}"
    state: directory
    mode: 0755
  run_once: true
  delegate_to: localhost

- name: tls-frontend | bootstrap_certs | Bootstrap user supplied certs
  copy:
    src: "{{ item }}"
    dest: "{{ tls_certs_dir }}"
    mode: 0600
  with_fileglob:
    - public/*
  run_once: true
  delegate_to: localhost

File: ardana-tls-8.0+git.1534267264.6b1e899/roles/tls-frontend/tasks/cleanup.yml
#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: tls-frontend | cleanup | Delete temporary certs dir
  file:
    path: "{{ tls_certs_dir }}"
    state: absent

File: ardana-tls-8.0+git.1534267264.6b1e899/roles/tls-frontend/tasks/install.yml
#
# (c) Copyright 2015,2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: tls-frontend | install | install vip certificates
  copy:
    src: "{{ tls_certs_dir }}/{{ item }}"
    dest: "{{ frontend_server_cert_directory }}/{{ item }}"
    owner: root
    group: root
    mode: 0440
  with_items: "{{ install_vip_certs_items }}"
  become: yes
  register: ardana_notify_haproxy_restart_required
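The file installed by this task is a combined bundle: `roles/tls-frontend/files/public/my-public-cert` above carries a `PRIVATE KEY` block after the certificate, and `ardana_ca.py` writes the same layout when `combined` is set. bootstrap_certs copies it with mode 0600 and install.yml lands it under /etc/ssl/private as root:root 0440, so it is handled as a key, not as a certificate. As an added example that is not part of the role, a POSIX shell pre-flight check for such a bundle before it is deployed: exactly one certificate, exactly one private key, the key belongs to that certificate, and the file is not world-readable. The demo builds a throwaway self-signed pair as a stand-in for my-public-cert; file names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the ardana-tls repository. The frontend
# certificate the role deploys (roles/tls-frontend/files/public/*, and
# whatever ardana_ca.py writes with combined=true) is one PEM file holding
# the server certificate followed by its private key, the layout haproxy
# expects. These checks run on such a bundle before it is copied into
# /etc/ssl/private: exactly one certificate, exactly one private key, the
# key belongs to that certificate, and "other" has no permission bits.
# File names below are assumptions for the demo; requires OpenSSL 1.1+.

# count_blocks FILE PATTERN -> number of PEM blocks whose BEGIN line matches
count_blocks() {
    n=$(grep -c -- "^-----BEGIN $2-----" "$1" 2>/dev/null) || n=0
    echo "$n"
}

# key_matches_cert FILE -> 0 when the private key in FILE belongs to the
# first certificate in FILE. openssl skips the PEM blocks it was not asked
# for, so both commands can read the same bundle; comparing the two
# SubjectPublicKeyInfo encodings works for RSA and EC keys alike.
key_matches_cert() {
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# not_world_readable FILE -> 0 when "other" has no r/w/x bits
# (columns 8-10 of ls -l are the "other" permission triplet)
not_world_readable() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# check_bundle FILE -> 0 when every check passes; each failure is reported
check_bundle() {
    ok=0
    [ "$(count_blocks "$1" CERTIFICATE)" -eq 1 ] ||
        { echo "$1: expected exactly one certificate"; ok=1; }
    [ "$(count_blocks "$1" '.*PRIVATE KEY')" -eq 1 ] ||
        { echo "$1: expected exactly one private key"; ok=1; }
    key_matches_cert "$1" ||
        { echo "$1: private key does not match the certificate"; ok=1; }
    not_world_readable "$1" ||
        { echo "$1: file is world-readable"; ok=1; }
    return $ok
}

# Demo with a constructed self-signed pair standing in for my-public-cert.
demo() {
    w=$(mktemp -d)
    openssl req -x509 -batch -newkey rsa:2048 -nodes -subj "/CN=ardana-vip" \
        -days 1 -keyout "$w/vip.key" -out "$w/vip.crt" >/dev/null 2>&1
    cat "$w/vip.crt" "$w/vip.key" >"$w/my-public-cert"
    chmod 600 "$w/my-public-cert"
    check_bundle "$w/my-public-cert" && echo "bundle OK"
    chmod 644 "$w/my-public-cert"
    check_bundle "$w/my-public-cert" || echo "bundle rejected"
    rm -rf "$w"
}

command -v openssl >/dev/null 2>&1 && demo
```

Run `check_bundle` over every file that `get_cert_files` returns for the VIP before the copy task runs; a bundle with two keys, a key from the wrong pair, or a stray 0644 mode fails closed with a one-line reason.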

File: ardana-tls-8.0+git.1534267264.6b1e899/roles/tls-trust/defaults/main.yml
#
# (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
# The variable below will be referred to by horizon
external_cacert_filename: "/etc/ssl/certs/ardana_frontend_cacert.pem"
node_cert_directory: "/etc/ssl/private/"
tls_temp_dir: "/tmp/ardana_tls/"
tls_req_dir: "/tmp/ardana_tls/"
tls_req_file: "ardana-internal-req"
tls_certs_dir: "/tmp/ardana_tls_certs/"
tls_cacerts_dir: "/tmp/ardana_tls_cacerts/"
tls_certs:
  cert_name: ardana-node-cert
haproxy_conf_dir: "/etc/haproxy/ardana-conf.d"
ip_cluster_certs: "{{ cert_data.services.FND_CLU | default([]) }}"
_internal_ca_info: "{{ TLS_CA.vars.ardana_internal_ca }}"
ardana_internal_ca:
  private: "{{ _internal_ca_info.private }}"
  public: "{{ _internal_ca_info.public }}"
  days: 3650
  key: "ardana-internal-ca.key"
  cert: "ardana-internal-{{ inventory_hostname }}-ca.crt"
  subj: "/CN={{ inventory_hostname }}"
  conf: "ardana-openssl.cnf"
tls_expiry_check: "2592000"  # 30 days
tls_force_cert_regeneration: False
tls_java_ca:
  keystore: /usr/lib/jvm/default-java/jre/lib/security/cacerts
  storepass: changeit
tls_mysql:
  certs: "{{ cert_data.services.FND_MDB | default([]) }}"
tls_rmq:
  certs: "{{ cert_data.services.FND_RMQ | default([]) }}"
tls_facts_dir: /etc/ansible/facts.d
tls_int_ca_fact: ardana_int_ca_first_crt
tls_fact_file: "{{ tls_facts_dir }}/{{ tls_int_ca_fact }}.fact"
0707010000001C000041ED0000000000000000000000035B730F8000000000000000000000000000000000000000000000003C00000000ardana-tls-8.0+git.1534267264.6b1e899/roles/tls-trust/files0707010000001D000081A40000000000000000000000015B730F8000000567000000000000000000000000000000000000004700000000ardana-tls-8.0+git.1534267264.6b1e899/roles/tls-trust/files/cacert.pem-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
roles/tls-trust/files/cakey.pem
-----BEGIN PRIVATE KEY-----
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
-----END PRIVATE KEY-----
roles/tls-trust/files/openssl.cnf
# Copyright 2010 United States Government as represented by the
# Administrator of the National Aeronautics and Space Administration.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# OpenSSL configuration file.
#
# Establish working directory.
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/
certificate = $dir/cacert.pem
private_key = $dir/cakey.pem
unique_subject = no
default_crl_days = 365
default_days = 365
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
copy_extensions = copy
# NOTE(dprince): stateOrProvinceName must be 'supplied' or 'optional' to
# work around a stateOrProvince printable string UTF8 mismatch on
# RHEL 6 and Fedora 14 (using openssl-1.0.0-4.el6.x86_64 or
# openssl-1.0.0d-1.fc14.x86_64)
[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_ca
[ req_distinguished_name ]
# Variable name Prompt string
#---------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------------ ------------------------------
0.organizationName_default = Micro Focus International
organizationalUnitName_default = SUSE
localityName_default = Nuremberg
stateOrProvinceName_default = Bavaria
countryName_default = DE
commonName_default = Cloud Test CA
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
subjectAltName = @alt_names
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
[ alt_names ]
roles/tls-trust/files/public/ardana-internal-cacert.crt
-----BEGIN CERTIFICATE-----
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
-----END CERTIFICATE-----
roles/tls-trust/tasks/bootstrap.yml
#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
# Clean directories (TODO: secure delete)
- name: tls-trust | bootstrap | Clean working directory
  file:
    path: "{{ item }}"
    state: absent
  with_items:
    - "{{ tls_temp_dir }}"

# Create directories
- name: tls-trust | bootstrap | Create working directory
  file:
    path: "{{ item }}"
    state: directory
    mode: 0755
  with_items:
    - "{{ tls_temp_dir }}"

# Create directories on deployer
- name: tls-trust | bootstrap | Create cert source directory
  file:
    path: "{{ item }}"
    state: directory
    mode: 0755
  with_items:
    - "{{ tls_certs_dir }}"
    - "{{ tls_cacerts_dir }}"
  run_once: true
  delegate_to: localhost

- name: tls-trust | bootstrap | Get CA private key from CP
  template:
    src: "{{ ardana_internal_ca.key }}"
    dest: "{{ tls_temp_dir }}"
    mode: 0600

- name: tls-trust | bootstrap | Check modulus of the CA key
  command: >
    /usr/bin/openssl rsa -in {{ ardana_internal_ca.key }} -noout -modulus
  args:
    chdir: "{{ tls_temp_dir }}"
  register: _tls_ca_modulus_result

- name: tls-trust | bootstrap | Check for existing internal CA on deployer
  stat:
    path: "{{ tls_cacerts_dir }}/{{ ardana_internal_ca.cert }}"
  register: _tls_deployer_cacert_stat_result
  delegate_to: localhost

- name: tls-trust | bootstrap | Check modulus of the CA cert on deployer
  command: >
    /usr/bin/openssl x509 -in {{ ardana_internal_ca.cert }} -noout -modulus
  args:
    chdir: "{{ tls_cacerts_dir }}"
  register: _tls_cacert_modulus_result
  delegate_to: localhost
  when: _tls_deployer_cacert_stat_result.stat.exists

# Regenerate the internal CA cert when it is missing on the deployer or
# when its modulus no longer matches the CA private key.
- name: tls-trust | bootstrap | Create Internal CA cert if moduli differ
  ardana_ca:
    chdir: "{{ tls_temp_dir }}"
    cakey: "{{ ardana_internal_ca.key }}"
    cacert: "{{ ardana_internal_ca.cert }}"
    conf: "{{ ardana_internal_ca.conf }}"
    ca_days: "{{ ardana_internal_ca.days }}"
    subj: "{{ ardana_internal_ca.subj }}"
    combined: False
    generate_ca: True
  register: _tls_cacert_result
  when: >
    not _tls_deployer_cacert_stat_result.stat.exists or
    _tls_cacert_modulus_result.stdout != _tls_ca_modulus_result.stdout

- name: tls-trust | bootstrap | Fetch new Internal CA to deployer
  fetch:
    src: "{{ tls_temp_dir }}/{{ ardana_internal_ca.cert }}"
    dest: "{{ tls_cacerts_dir }}"
    flat: yes
    validate_checksum: no
  when: _tls_cacert_result.changed

- name: tls-trust | bootstrap | Copy user CA
  copy:
    src: "{{ item }}"
    dest: "{{ tls_cacerts_dir }}"
    mode: 0644
  with_fileglob:
    - "public/*.crt"
  run_once: true
  delegate_to: localhost

- name: tls-trust | bootstrap | Copy openssl config
  template:
    src: "{{ item }}"
    dest: "{{ tls_temp_dir }}/{{ item }}"
    mode: 0644
  with_items:
    - "{{ ardana_internal_ca.conf }}"
roles/tls-trust/tasks/cert_csr.yml
#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: tls-trust | cert_csr | search for the req file fetched from server
  shell: find {{ tls_req_dir }} -name {{ tls_req_file }}
  register: req_file_result

- name: tls-trust | cert_csr | create the csr
  command: /usr/bin/openssl req -newkey rsa:2048 -nodes -keyout key.pem -out
    csr.pem -extensions v3_req -config {{ req_file_result.stdout }}
  args:
    chdir: "{{ tls_temp_dir }}"
roles/tls-trust/tasks/cert_deploy.yml
#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
# First check if cert directories exist on the deployer
# and fail if not
- name: tls-trust | cert_deploy | Check cert source directory
  stat:
    path: "{{ tls_certs_dir }}"
  delegate_to: localhost
  register: _tls_certs_dir_result

- name: tls-trust | cert_deploy | Fail if certs not available
  fail:
    msg: "TLS certs missing on deployer. Run with TLS-CA in the hosts list"
  when: not _tls_certs_dir_result.stat.exists | bool

- name: tls-trust | cert_deploy | Check CA source directory
  stat:
    path: "{{ tls_cacerts_dir }}"
  delegate_to: localhost
  register: _tls_cacerts_dir_result

- name: tls-trust | cert_deploy | Fail if CA certs not available
  fail:
    msg: "TLS CA certs missing on deployer. Run with TLS-CA in the hosts list"
  when: not _tls_cacerts_dir_result.stat.exists | bool

- name: tls-trust | cert_deploy | install vip cert requests
  copy:
    src: "{{ tls_certs_dir }}/{{ item }}.req"
    dest: "{{ frontend_server_cert_directory }}/{{ item }}.req"
    owner: root
    group: root
    mode: 0440
  with_items:
    - "{{ install_vip_certs_items }}"
    - "ardana-node-cert"
  become: yes
  register: cert_request_copy_result

- name: tls-trust | cert_deploy | install vip certificates
  copy:
    src: "{{ tls_certs_dir }}/{{ item }}"
    dest: "{{ frontend_server_cert_directory }}/{{ item }}"
    owner: root
    group: root
    mode: 0440
  with_items:
    - "{{ install_vip_certs_items }}"
    - "ardana-node-cert"
  become: yes
  register: ardana_notify_haproxy_restart_required

# Find out if there are certs about to expire: "openssl x509 -checkend N"
# exits 1 when the cert expires within N seconds (tls_expiry_check).
- name: tls-trust | cert_deploy | check expiry
  command: "openssl x509 -in {{ item }} -checkend {{ tls_expiry_check }}"
  args:
    chdir: "{{ frontend_server_cert_directory }}"
  with_items:
    - "{{ install_vip_certs_items }}"
    - "ardana-node-cert"
  register: _expiry_checks_result
  become: yes
  ignore_errors: yes

- name: tls-trust | cert_deploy | replace expiring certificates
  copy:
    src: "{{ tls_certs_dir }}/{{ item.item }}"
    dest: "{{ frontend_server_cert_directory }}/{{ item.item }}"
    owner: root
    group: root
    mode: 0440
  with_items:
    - "{{ _expiry_checks_result.results }}"
  when: item.rc == 1
  become: yes
  register: ardana_notify_haproxy_restart_required

# Finally, if we are told to regenerate all certs
- name: tls-trust | cert_deploy | remove vip cert requests
  file:
    path: "{{ frontend_server_cert_directory }}/{{ item }}.req"
    state: absent
  with_items:
    - "{{ install_vip_certs_items }}"
    - "ardana-node-cert"
  become: yes
  when: tls_force_cert_regeneration

- name: tls-trust | cert_deploy | install vip cert requests
  copy:
    src: "{{ tls_certs_dir }}/{{ item }}.req"
    dest: "{{ frontend_server_cert_directory }}/{{ item }}.req"
    owner: root
    group: root
    mode: 0440
  with_items:
    - "{{ install_vip_certs_items }}"
    - "ardana-node-cert"
  become: yes
  register: _cert_request_copy_result
  when: tls_force_cert_regeneration

- name: tls-trust | cert_deploy | install vip certificates
  copy:
    src: "{{ tls_certs_dir }}/{{ item.item }}"
    dest: "{{ frontend_server_cert_directory }}/{{ item.item }}"
    owner: root
    group: root
    mode: 0440
  with_items:
    - "{{ _cert_request_copy_result.results }}"
  when: item.changed and tls_force_cert_regeneration
  become: yes
  register: ardana_notify_haproxy_restart_required
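The two decisions above that the playbooks hand to openssl (bootstrap.yml regenerates the internal CA when the cert is missing or its modulus differs from the key's; cert_deploy.yml replaces a cert when `openssl x509 -checkend` exits 1) are reproduced here as an added example. This is not code from the ardana-tls repository: it assumes an `openssl` binary on the path, builds its own throwaway CA in a temporary directory, and uses constructed names (`demo-internal-ca`, `other-ca`, `short-lived`); the 30-day window is the role's `tls_expiry_check` value.

```shell
#!/bin/sh
# Added example (not part of the ardana-tls repository): the modulus and
# expiry checks of the tls-trust role, exercised against a throwaway CA.
set -eu

# Minimal req config so "openssl req" works without a system openssl.cnf;
# the -subj given on the command line overrides the placeholder CN.
write_req_conf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
EOF
}

# Self-signed key/cert pair $1/$2.key and $1/$2.crt valid for $3 days
# (constructed test material only).
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$3" \
        -subj "/CN=$2" -config "$1/req.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# bootstrap.yml logic: returns 0 (true) when the CA cert must be
# regenerated, i.e. it is missing or its modulus differs from the key's.
ca_needs_regeneration() {
    key=$1
    cert=$2
    if [ ! -f "$cert" ]; then
        return 0
    fi
    key_mod=$(openssl rsa -in "$key" -noout -modulus)
    cert_mod=$(openssl x509 -in "$cert" -noout -modulus)
    [ "$key_mod" != "$cert_mod" ]
}

# cert_deploy.yml logic: "-checkend N" exits 1 when the cert expires within
# N seconds, which is the rc == 1 the playbook keys on. Returns 0 (true)
# when the cert is about to expire.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; then
        return 1
    fi
    return 0
}

# Constructed scenario: a matching CA pair, a foreign key, a missing cert,
# a 1-day cert and a 10-year cert, all checked with the 30-day window.
run_demo() {
    work=$(mktemp -d)
    write_req_conf "$work/req.cnf"
    make_selfsigned "$work" demo-internal-ca 3650
    make_selfsigned "$work" other-ca 3650
    make_selfsigned "$work" short-lived 1

    matching=no
    ca_needs_regeneration "$work/demo-internal-ca.key" "$work/demo-internal-ca.crt" && matching=yes
    mismatch=no
    ca_needs_regeneration "$work/other-ca.key" "$work/demo-internal-ca.crt" && mismatch=yes
    missing=no
    ca_needs_regeneration "$work/demo-internal-ca.key" "$work/absent.crt" && missing=yes
    short=no
    cert_expires_within "$work/short-lived.crt" 2592000 && short=yes
    long=no
    cert_expires_within "$work/demo-internal-ca.crt" 2592000 && long=yes

    rm -rf "$work"
    echo "regen_matching=$matching regen_mismatch=$mismatch regen_missing=$missing expiring_short=$short expiring_long=$long"
}

run_demo
```

Comparing the `Modulus=` lines is exactly what the two `register`ed command results in bootstrap.yml are compared on; it detects a CA key that was rotated in the input model while a stale cert is still cached on the deployer, which a plain file-existence check would miss.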
roles/tls-trust/tasks/cert_sign.yml
#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: tls-trust | cert_sign | Sign the server certificate
  command: /usr/bin/openssl ca -batch -notext -md sha256 -in
    csr.pem -out cert.pem -config openssl.cnf -extensions
    v3_req
  args:
    chdir: "{{ tls_temp_dir }}"
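The CSR and signing steps of cert_csr.yml and cert_sign.yml, run end to end against a CA config in the shape of templates/ardana-openssl.cnf and a request in the shape of templates/ardana-vip-req, as an added example. It is not code from the ardana-tls repository: the CA key/cert names (`ca.key`, `ca.crt`), the DNs and the SAN entries are constructed, it assumes an `openssl` binary on the path, and it creates the `serial` and `index.txt` state files that the page's CA config references but that are created by the `ardana_ca` module rather than by any task shown here.

```shell
#!/bin/sh
# Added example (not part of the ardana-tls repository): CSR -> "openssl ca"
# signing flow with a CA config shaped like templates/ardana-openssl.cnf.
set -eu

# CA config keeping the page's relevant settings: sha256, a policy that only
# requires a commonName, copy_extensions so the CSR's SAN survives signing,
# and a v3_req section for leaf certificates.
write_ca_config() {
    cat > "$1" <<'EOF'
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/
certificate = $dir/ca.crt
private_key = $dir/ca.key
unique_subject = no
default_days = 365
default_md = sha256
policy = policy_match
copy_extensions = copy
[ policy_match ]
commonName = supplied
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no
[ req_distinguished_name ]
CN = demo-internal-ca
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
keyUsage = keyCertSign, cRLSign
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
EOF
}

# Leaf request in the shape of the vip templates with a constructed SAN set.
write_vip_req() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
CN = "demo-vip"
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = "demo-vip.example.internal"
IP.1 = "192.0.2.10"
EOF
}

# Run the flow in a scratch directory; prints "verify=OK san=yes" when the
# leaf chains to the CA and kept the SAN from its CSR.
sign_demo() {
    work=$(mktemp -d)
    write_ca_config "$work/openssl.cnf"
    write_vip_req "$work/demo-vip.req"
    (
        cd "$work"
        # State files "openssl ca" needs (database and next serial number).
        touch index.txt
        echo 01 > serial
        # Internal CA; bootstrap.yml does this through the ardana_ca module.
        openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
            -config openssl.cnf -keyout ca.key -out ca.crt >/dev/null 2>&1
        # cert_csr.yml: key and CSR from the request file.
        openssl req -newkey rsa:2048 -nodes -keyout key.pem -out csr.pem \
            -config demo-vip.req >/dev/null 2>&1
        # cert_sign.yml: same command line as the page.
        openssl ca -batch -notext -md sha256 -in csr.pem -out cert.pem \
            -config openssl.cnf -extensions v3_req >/dev/null 2>&1
        verify=FAIL
        openssl verify -CAfile ca.crt cert.pem >/dev/null 2>&1 && verify=OK
        san=no
        openssl x509 -in cert.pem -noout -text \
            | grep -q 'DNS:demo-vip.example.internal' && san=yes
        echo "verify=$verify san=$san"
    )
    rm -rf "$work"
}

sign_demo
```

Two things worth checking on any deployment that uses this config shape: `copy_extensions = copy` is what carries the SAN from the request into the issued cert, so without it the VIP certificate would validate only by CN; and the `-extensions v3_req` section pins `basicConstraints = CA:FALSE` on every issued cert regardless of what the CSR asked for.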
roles/tls-trust/tasks/cleanup.yml
#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: tls-trust | cleanup | Delete certs working dir
  file:
    path: "{{ item }}"
    state: absent
  with_items:
    - "{{ tls_temp_dir }}"
  ignore_errors: yes
roles/tls-trust/tasks/config_service_termination.yml
#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: tls-trust | config_service_termination | Make sure conf.d exists
  become: yes
  file:
    path: "{{ haproxy_conf_dir }}"
    state: directory
    mode: 0755

- name: tls-trust | config_service_termination | Add config snippet
  become: yes
  template:
    src: tls-terminator
    dest: "{{ haproxy_conf_dir }}/20-TLS-terminator.cfg"
    mode: 0644
  register: ardana_notify_haproxy_restart_required
roles/tls-trust/tasks/create_certs.yml
#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: tls-trust | create_certs | Create vip cert requests
  template:
    src: "ardana-vip-temp.req"
    dest: "{{ tls_temp_dir }}/{{ item.cert_name }}.req"
    mode: 0644
  with_items:
    - "{{ ip_cluster_certs }}"

- name: tls-trust | create_certs | Create node cert requests
  template:
    src: "{{ item.cert_name }}.req"
    dest: "{{ tls_temp_dir }}/{{ item.cert_name }}.req"
    mode: 0644
  with_items:
    - "{{ tls_certs }}"

- name: tls-trust | create_certs | Create mysql cert requests
  template:
    src: "mysql-admin.req"
    dest: "{{ tls_temp_dir }}/{{ item.cert_name }}.req"
    mode: 0644
  with_items:
    - "{{ tls_mysql.certs }}"

- name: tls-trust | create_certs | Create rmq cert requests
  template:
    src: "rmq-internal.req"
    dest: "{{ tls_temp_dir }}/{{ item.cert_name }}.req"
    mode: 0644
  with_items:
    - "{{ tls_rmq.certs }}"

- name: tls-trust | create_certs | create vip certs
  ardana_ca:
    req: "{{ item.cert_name }}.req"
    cert: "{{ item.cert_name }}"
    chdir: "{{ tls_temp_dir }}"
    cakey: "{{ ardana_internal_ca.key }}"
    cacert: "{{ ardana_internal_ca.cert }}"
    conf: "{{ ardana_internal_ca.conf }}"
    subj: "{{ ardana_internal_ca.subj }}"
    combined: True
  with_items:
    - "{{ ip_cluster_certs }}"
    - "{{ tls_certs }}"
    - "{{ tls_mysql.certs }}"
    - "{{ tls_rmq.certs }}"

- name: tls-trust | create_certs | Create ansible facts directory on deployer
  file:
    path: "{{ tls_facts_dir }}"
    owner: root
    group: root
    mode: 0755
    state: directory
  delegate_to: localhost
  become: yes

- name: tls-trust | create_certs | Create internal certificate fact on deployer
  copy:
    content: "{{ ardana_internal_ca.cert | to_json }}"
    dest: "{{ tls_fact_file }}"
    mode: 0644
  delegate_to: localhost
  become: yes

- name: tls-trust | create_certs | fetch certs to deployer
  fetch:
    src: "{{ tls_temp_dir }}/{{ item.cert_name }}"
    dest: "{{ tls_certs_dir }}"
    flat: yes
    validate_checksum: no
  with_items:
    - "{{ ip_cluster_certs }}"
    - "{{ tls_certs }}"
    - "{{ tls_mysql.certs }}"
    - "{{ tls_rmq.certs }}"

- name: tls-trust | create_certs | fetch reqs to deployer
  fetch:
    src: "{{ tls_temp_dir }}/{{ item.cert_name }}.req"
    dest: "{{ tls_certs_dir }}"
    flat: yes
    validate_checksum: no
  with_items:
    - "{{ ip_cluster_certs }}"
    - "{{ tls_certs }}"
    - "{{ tls_mysql.certs }}"
    - "{{ tls_rmq.certs }}"
roles/tls-trust/tasks/install.yml
#
# (c) Copyright 2015-2017 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: tls-trust | install | Set os-specific variables
  include_vars: "{{ ansible_os_family | lower }}.yml"

- name: tls-trust | install | Install ca-certificates
  become: yes
  package:
    name: "{{ item }}"
    state: present
  with_items:
    - ca-certificates

- name: tls-trust | install | Create local cert directory
  become: yes
  file:
    path: "{{ local_cert_directory }}"
    state: directory
    mode: 0755

- name: tls-trust | install | Install ca certificates
  become: yes
  copy:
    src: "{{ item }}"
    dest: "{{ local_cert_directory }}/{{ item | basename }}"
    owner: root
    group: root
    mode: 0644
  with_fileglob:
    - "{{ tls_cacerts_dir }}/*.crt"
  register: _tls_cacerts_copy_result

- name: tls-trust | install | Update cacert store on RedHat
  become: yes
  shell: |
    set -eu
    update-ca-trust force-enable
    update-ca-trust extract
  when: _tls_cacerts_copy_result.changed and ansible_os_family == "RedHat"
  register: ardana_notify_certs_updated

- name: tls-trust | install | Update cacert store
  become: yes
  shell: /usr/sbin/update-ca-certificates --fresh
  when: _tls_cacerts_copy_result.changed and ansible_os_family != "RedHat"
  register: ardana_notify_certs_updated

- name: tls-trust | install | Make RedHat compatible with the certifi package
  become: yes
  file:
    src: /etc/ssl/certs/ca-bundle.trust.crt
    dest: /etc/ssl/ca-bundle.pem
    state: link
  when: ansible_os_family == "RedHat"

- name: tls-trust | install | Create ansible facts directory
  file:
    path: "{{ tls_facts_dir }}"
    owner: root
    group: root
    mode: 0755
    state: directory
  become: yes

- name: tls-trust | install | Copy internal cert fact from deployer to nodes
  copy:
    src: "{{ tls_fact_file }}"
    dest: "{{ tls_fact_file }}"
    mode: 0644
  become: yes

- name: tls-trust | install | Reread local facts to pick up internal cert
  setup: filter=ansible_local
roles/tls-trust/tasks/install_java.yml
#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
# Re-import into java keystore since update-ca-certificates doesn't
# detect modulus change. Note that we don't care if there's no java
# since a service that installs it later will get the java hook
# of update-ca-certificates triggered. We handle the updating of
# CA here.
- name: tls-trust | install_java | Remove CA from Java keystore
  become: yes
  command: >
    keytool -keystore {{ tls_java_ca.keystore }} -storepass
    {{ tls_java_ca.storepass }} -delete -alias
    debian:{{ item | basename | regex_replace('^(.*).crt$', '\\1.pem') }}
  ignore_errors: yes
  with_fileglob:
    - "{{ tls_cacerts_dir }}/*.crt"

- name: tls-trust | install_java | Import CA to Java keystore
  become: yes
  command: >
    keytool -keystore {{ tls_java_ca.keystore }} -storepass
    {{ tls_java_ca.storepass }} -alias
    debian:{{ item | basename | regex_replace('^(.*).crt$', '\\1.pem') }} -file
    {{ local_cert_directory }}/{{ item | basename }} -importcert -noprompt
  ignore_errors: yes
  with_fileglob:
    - "{{ tls_cacerts_dir }}/*.crt"
roles/tls-trust/tasks/win_install.yml
#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- name: tls-trust | win_install | Delete old cert file on Windows
  win_file:
    path: "{{ win_certs_path }}"
    state: absent

- name: tls-trust | win_install | Create new cert file on Windows
  raw: powershell New-Item '{{ win_certs_path }}' -t file

- name: tls-trust | win_install | Install ca certificate on windows
  win_lineinfile:
    dest: "{{ win_certs_path }}"
    line: "{{ lookup('file', item ) }}"
  with_fileglob:
    - "public/*.crt"
roles/tls-trust/templates/ardana-internal-ca.key
{{ ardana_internal_ca.private }}
roles/tls-trust/templates/ardana-node-cert.req
#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
CN = "ardana-node"
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
roles/tls-trust/templates/ardana-openssl.cnf
# Copyright 2010 United States Government as represented by the
# Administrator of the National Aeronautics and Space Administration.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# OpenSSL configuration file.
#
# Establish working directory.
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/
certificate = $dir/{{ ardana_internal_ca.cert }}
private_key = $dir/{{ ardana_internal_ca.key }}
unique_subject = no
default_crl_days = 366
default_days = 365
default_md = sha256
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
copy_extensions = copy
# NOTE(dprince): stateOrProvinceName must be 'supplied' or 'optional' to
# work around a stateOrProvince printable string UTF8 mismatch on
# RHEL 6 and Fedora 14 (using openssl-1.0.0-4.el6.x86_64 or
# openssl-1.0.0d-1.fc14.x86_64)
[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = sha256 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_ca
[ req_distinguished_name ]
# Variable name Prompt string
#---------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------------ ------------------------------
0.organizationName_default = Micro Focus International
organizationalUnitName_default = SUSE
localityName_default = Nuremberg
stateOrProvinceName_default = Bavaria
countryName_default = DE
commonName_default = Cloud Test CA
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
subjectAltName = @alt_names
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
[ alt_names ]
roles/tls-trust/templates/ardana-vip-req
#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
CN = "ardana-vip"
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
{% if item.names or item.ips %}
subjectAltName = @alt_names
[ alt_names ]
{% set service = item %}
{% for name in service.names %}
DNS.{{ loop.index }} = "{{ name }}"
{% endfor %}
{% set offset = service.names | length %}
{% for ip in service.ips %}
DNS.{{ loop.index + offset }} = "{{ ip }}"
{% endfor %}
{% for ip in service.ips %}
IP.{{ loop.index }} = "{{ ip }}"
{% endfor %}
{% endif %}
File: ardana-tls-8.0+git.1534267264.6b1e899/roles/tls-trust/templates/ardana-vip-temp.req
#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
CN = "ardana-vip"
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
{% if item.names or item.ips %}
subjectAltName = @alt_names
[ alt_names ]
{% set dns_offset = 0 %}
{% set ip_offset = 0 %}
{% for server in cert_data.services.FND_CLU %}
{% if server.cert_name == item.cert_name %}
{% for name in server.names %}
DNS.{{ loop.index + dns_offset }} = "{{ name }}"
{% endfor %}
{% set dns_offset = dns_offset + (server.names | length) %}
{% for ip in server.ips %}
DNS.{{ loop.index + dns_offset }} = "{{ ip }}"
{% endfor %}
{% set dns_offset = dns_offset + (server.ips | length) %}
{% for ip in server.ips %}
IP.{{ loop.index + ip_offset }} = "{{ ip }}"
{% endfor %}
{% set ip_offset = ip_offset + (server.ips | length) %}
{% endif %}
{% endfor %}
{% endif %}
File: ardana-tls-8.0+git.1534267264.6b1e899/roles/tls-trust/templates/mysql-admin.req
#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
CN = "ardana-mysql"
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
{% if item.names or item.ips %}
subjectAltName = @alt_names
[ alt_names ]
{% set dns_offset = 0 %}
{% set ip_offset = 0 %}
{% for server in cert_data.services.FND_MDB %}
{% if server.cert_name == item.cert_name %}
{% for name in server.names %}
DNS.{{ loop.index + dns_offset }} = "{{ name }}"
{% endfor %}
{% set dns_offset = dns_offset + (server.names | length) %}
{% for ip in server.ips %}
DNS.{{ loop.index + dns_offset }} = "{{ ip }}"
{% endfor %}
{% set dns_offset = dns_offset + (server.ips | length) %}
{% for ip in server.ips %}
IP.{{ loop.index + ip_offset }} = "{{ ip }}"
{% endfor %}
{% set ip_offset = ip_offset + (server.ips | length) %}
{% endif %}
{% endfor %}
{% endif %}
File: ardana-tls-8.0+git.1534267264.6b1e899/roles/tls-trust/templates/rmq-internal.req
#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
CN = "ardana-rabbitmq"
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
{% if item.names or item.ips %}
subjectAltName = @alt_names
[ alt_names ]
{% set dns_offset = 0 %}
{% set ip_offset = 0 %}
{% for server in cert_data.services.FND_RMQ %}
{% if server.cert_name == item.cert_name %}
{% for name in server.names %}
DNS.{{ loop.index + dns_offset }} = "{{ name }}"
{% endfor %}
{% set dns_offset = dns_offset + (server.names | length) %}
{% for ip in server.ips %}
DNS.{{ loop.index + dns_offset }} = "{{ ip }}"
{% endfor %}
{% set dns_offset = dns_offset + (server.ips | length) %}
{% for ip in server.ips %}
IP.{{ loop.index + ip_offset }} = "{{ ip }}"
{% endfor %}
{% set ip_offset = ip_offset + (server.ips | length) %}
{% endif %}
{% endfor %}
{% endif %}
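The four request templates above (ardana-vip-req, ardana-vip-temp.req, mysql-admin.req and rmq-internal.req) build their `[ alt_names ]` section the same way: service names become `DNS.<n>` entries, each IP is written both as a `DNS.<n>` and as an `IP.<n>` entry, and in the three `cert_data.services.*` templates the counters carry on across every server that shares the requested `cert_name`. The Python below is an added example, not code from the ardana-tls repository: it implements that numbering in one place and adds the two checks a deployer would want before handing the file to `openssl req`, namely that every `ips` value really parses as an address and that the emitted indexes are unique and gapless. `SAMPLE_SERVERS`, its hostnames and its addresses are constructed placeholders, not data from the repository.

```python
"""Build an OpenSSL request config with the [ alt_names ] numbering used by
the tls-trust request templates.  Added example, not ardana-tls code."""
import ipaddress
from typing import Dict, List

# Constructed sample input shaped like cert_data.services.* entries (placeholders).
SAMPLE_SERVERS: List[Dict] = [
    {"cert_name": "ardana-vip",
     "names": ["ardana-vip.example.test", "ardana-vip"],
     "ips": ["192.0.2.10"]},
    {"cert_name": "ardana-vip",
     "names": ["ardana-vip-admin"],
     "ips": ["198.51.100.10"]},
    # Belongs to a different certificate and must be skipped.
    {"cert_name": "ardana-mysql",
     "names": ["ardana-mysql"],
     "ips": ["203.0.113.5"]},
]


def invalid_ips(servers: List[Dict]) -> List[str]:
    """Every `ips` value that is not an IP address (openssl rejects such IP.<n> lines)."""
    bad = []
    for server in servers:
        for ip in server.get("ips", []):
            try:
                ipaddress.ip_address(ip)
            except ValueError:
                bad.append(ip)
    return bad


def alt_names_lines(servers: List[Dict], cert_name: str) -> List[str]:
    """DNS.<n>/IP.<n> lines for all servers sharing `cert_name`.

    Mirrors the templates: names become DNS entries, each IP becomes a DNS
    entry and an IP entry, and both counters keep running across servers so
    no index is reused.
    """
    bad = invalid_ips(servers)
    if bad:
        raise ValueError(f"not IP addresses: {bad}")
    lines: List[str] = []
    dns_offset = 0
    ip_offset = 0
    for server in servers:
        if server.get("cert_name") != cert_name:
            continue
        names = server.get("names", [])
        ips = server.get("ips", [])
        for i, name in enumerate(names, start=1):
            lines.append(f'DNS.{i + dns_offset} = "{name}"')
        dns_offset += len(names)
        for i, ip in enumerate(ips, start=1):
            lines.append(f'DNS.{i + dns_offset} = "{ip}"')
        dns_offset += len(ips)
        for i, ip in enumerate(ips, start=1):
            lines.append(f'IP.{i + ip_offset} = "{ip}"')
        ip_offset += len(ips)
    return lines


def numbering_is_gapless(lines: List[str]) -> bool:
    """True when DNS.<n> and IP.<n> each run 1..k with no gap or repeat.

    A repeated index makes two entries collide in the config section, so
    one value is lost from the certificate.
    """
    seen: Dict[str, List[int]] = {"DNS": [], "IP": []}
    for line in lines:
        kind, index = line.split(" = ", 1)[0].split(".", 1)
        seen[kind].append(int(index))
    return all(sorted(v) == list(range(1, len(v) + 1)) for v in seen.values())


def request_config(servers: List[Dict], cert_name: str, common_name: str) -> str:
    """Whole `openssl req -config` file with the templates' sections.

    subjectAltName and [ alt_names ] are only written when there is at least
    one entry, as the templates' `{% if item.names or item.ips %}` guard does.
    """
    entries = alt_names_lines(servers, cert_name)
    cfg = [
        "[ req ]",
        "distinguished_name = req_distinguished_name",
        "req_extensions = v3_req",
        "prompt = no",
        "[ req_distinguished_name ]",
        f'CN = "{common_name}"',
        "[ v3_req ]",
        "basicConstraints = CA:FALSE",
        "keyUsage = nonRepudiation, digitalSignature, keyEncipherment",
    ]
    if entries:
        cfg += ["subjectAltName = @alt_names", "[ alt_names ]", *entries]
    return "\n".join(cfg) + "\n"


if __name__ == "__main__":
    print(request_config(SAMPLE_SERVERS, "ardana-vip", "ardana-vip"))
```

Running the module prints the complete request config for the constructed `ardana-vip` data, with `DNS.1` to `DNS.5` and `IP.1` to `IP.2` numbered across both matching servers. `numbering_is_gapless` is the property the running offsets in the templates exist to keep; checking it on the rendered section is a cheap guard before the CSR is generated.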
File: ardana-tls-8.0+git.1534267264.6b1e899/roles/tls-trust/templates/tls-terminator
{% for service in host.tls_in %}
{% if loop.first %}
listen {{ service.name }}
    mode http
    bind {{ service.accept.ip_address }}:{{ service.accept.port }} ssl crt /etc/ssl/private/ardana-node-cert
    server {{ service.name }} {{ service.connect.ip_address }}:{{ service.connect.port }} check inter 2000 rise 2 fall 5
{% endif %}
{% endfor %}
File: ardana-tls-8.0+git.1534267264.6b1e899/roles/tls-trust/vars/debian.yml
#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
local_cert_directory: "/usr/local/share/ca-certificates"
File: ardana-tls-8.0+git.1534267264.6b1e899/roles/tls-trust/vars/redhat.yml
#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
local_cert_directory: "/etc/pki/ca-trust/source/anchors"
File: ardana-tls-8.0+git.1534267264.6b1e899/roles/tls-trust/vars/suse.yml
#
# (c) Copyright 2017 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
local_cert_directory: /etc/pki/trust/anchors
File: ardana-tls-8.0+git.1534267264.6b1e899/roles/tls-vars/defaults/main.yml
#
# (c) Copyright 2015-2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017-2018 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
trusted_ca_bundle: "/etc/ssl/ca-bundle.pem"
File: ardana-tls-8.0+git.1534267264.6b1e899/tls-deploy.yml
#
# (c) Copyright 2015,2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- include: _tls-deploy-certs.yml
- include: _tls-terminator-config.yml
File: ardana-tls-8.0+git.1534267264.6b1e899/tls-pre-upgrade.yml
#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- include: tls-upgrade.yml
File: ardana-tls-8.0+git.1534267264.6b1e899/tls-reconfigure.yml
#
# (c) Copyright 2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- include: _tls-deploy-certs.yml
- include: _tls-terminator-config.yml
File: ardana-tls-8.0+git.1534267264.6b1e899/tls-trust-deploy.yml
#
# (c) Copyright 2015,2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Installs CA certs on the local host
---
- hosts: localhost
  connection: local
  roles:
    - tls-trust
  tasks:
    - include: roles/tls-trust/tasks/install.yml
File: ardana-tls-8.0+git.1534267264.6b1e899/tls-upgrade.yml
#
# (c) Copyright 2015,2016 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
---
- include: _tls-deploy-certs.yml
- include: _tls-terminator-config.yml