thalesgroup.ciphertrust.cte_client module – Manage CTE clients
Note
This module is part of the thalesgroup.ciphertrust collection (version 1.0.2).
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install thalesgroup.ciphertrust.
To use it in a playbook, specify: thalesgroup.ciphertrust.cte_client.
New in thalesgroup.ciphertrust 1.0.0
Synopsis
Create, manage, and perform operations on a CTE client.
A client is a computer system where the data needs to be protected.
A compatible CTE Agent software is installed on the client.
The CTE Agent can protect data on the client or devices connected to it.
A client can be associated with multiple GuardPoints for encryption of various paths.
Parameters
Parameter | Comments |
---|---|
Array of authorized binaries in the privilege-filename pair JSON format. |
|
ID of the ClientGroup from which client settings will be inherited. |
|
IDs of the clients to be deleted. The IDs could be the name, ID, URI, or slug of the clients. |
|
Whether the CTE client is locked. The default value is false. Enable this option to lock the configuration of the CTE Agent on the client. Set to true to lock the configuration, set to false to unlock. Locking the Agent configuration prevents updates to any policies on the client. Choices:
|
|
Whether MFA is enabled on the client. Choices:
|
|
Type of CTE Client. The default value is FS. Valid values are CTE-U and FS. Choices:
|
|
Whether communication with the client is enabled. The default value is false. Can be set to true only if registration_allowed is true. Choices:
|
|
Whether data classification (tagging) is enabled. Enabled by default if the aligned policy contains ClassificationTags. Supported for Standard and LDT policies. Choices:
|
|
Whether data lineage (tracking) is enabled. Enabled only if data classification is enabled. Supported for Standard and LDT policies. Choices:
|
|
Whether to mark the client for deletion from the CipherTrust Manager. The default value is false. Choices:
|
|
Description to identify the client. |
|
Client capability to be disabled. Only EKP (Encryption Key Protection) can be disabled. |
|
Array of parameters to be updated after the client is registered. Specify the parameters in the name-value pair JSON format strings. Make sure to specify all the parameters even if you want to update one or more parameters. |
|
Whether to enable early access on the GuardPoint. Choices:
|
|
Whether domain sharing is enabled for the client. Choices:
|
|
Client capabilities to be enabled. Separate values with comma. Choices are LDT, EKP or ES. |
|
Deletes the client forcefully from the CipherTrust Manager. Set the value to true. WARNING! Use the force_del_client option with caution. It does not wait for any response from the CTE Agent before deleting the client’s entry from the CipherTrust Manager. This action is irreversible. Choices:
|
|
Guard Point ID to be patched or updated within a CTE client |
|
Whether the GuardPoint is enabled. Choices:
|
|
List of GuardPaths to be created |
|
IDs of the GuardPoints to be dissociated from the client. The IDs can be the name, ID, URI, or slug of the GuardPoints. |
|
Parameters for creating a GuardPoint. |
|
Whether automount is enabled with the GuardPoint. Supported for Standard and LDT policies. Choices:
|
|
Whether to enable CIFS. Available on LDT enabled Windows clients only. The default value is false. If you enable the setting, it cannot be disabled. Supported for only LDT policies. Choices:
|
|
Whether data classification (tagging) is enabled. Enabled by default if the aligned policy contains ClassificationTags. Supported for Standard and LDT policies. Choices:
|
|
Whether data lineage (tracking) is enabled. Enabled only if data classification is enabled. Supported for Standard and LDT policies. Choices:
|
|
Name of the disk if the selected raw partition is a member of an Oracle ASM disk group |
|
Name of the disk group if the selected raw partition is a member of an Oracle ASM disk group |
|
Whether secure start (early access) is turned on. Secure start is applicable to Windows clients only. Supported for Standard and LDT policies. The default value is false. Choices:
|
|
Type of the GuardPoint. Choices:
|
|
Flag to enable intelligent protection for this GuardPoint. This flag is valid for GuardPoints with classification based policy only. Can only be set during GuardPoint creation. Choices:
|
|
Whether the device where GuardPoint is applied is IDT capable or not. Supported for IDT policies. Choices:
|
|
Whether MFA is enabled. Choices:
|
|
ID/Name of the credentials if the GuardPoint is applied to a network share. Supported for only LDT policies. |
|
ID of the policy applied with this GuardPoint. This parameter is not valid for Ransomware GuardPoints as they will not be associated with any CTE policy. |
|
Whether to preserve sparse file regions. Available on LDT enabled clients only. The default value is true. If you disable the setting, it cannot be enabled again. Supported for only LDT policies. Choices:
|
|
CTE Client ID to be patched or updated |
|
Holds the connection parameters required to communicate with an instance of CipherTrust Manager (CM): IP/FQDN of the server, username, password, and port. |
|
User’s domain path |
|
Admin password of CM |
|
CM Server IP or FQDN |
|
Port on which CM server is listening |
|
Internal or private IP of the CM Server, if different from the server_ip |
|
Admin username of CM |
|
Whether SSL verification is required. Choices:
|
|
Maximum number of logs to cache |
|
Maximum space for the cached logs |
|
Whether MFA is enabled. Choices:
|
|
Name to uniquely identify the client. This name will be visible on the CipherTrust Manager. Can also be the name of the CTE client to be unenrolled. |
|
ID/Name of the credentials if the GuardPoint is applied to a network share. Supported for only LDT policies. |
|
Operation to be performed. Choices:
|
|
Password for the client. Required when password_creation_method is MANUAL. |
|
Password creation method for the client. Valid values are MANUAL and GENERATE. The default value is GENERATE. Choices:
|
|
Suspend/resume the rekey operation on an LDT GuardPoint. Set the value to true to pause (suspend) the rekey. Set the value to false to resume rekey. Choices:
|
|
ID of the profile that contains logger, logging, and QOS configuration |
|
Identifier of the Client Profile to be associated with the client. If not provided, the default profile will be linked. |
|
Whether to re-sign the client settings. Choices:
|
|
Whether client’s registration with the CipherTrust Manager is allowed. The default value is false. Set to true to allow registration. Choices:
|
|
List of domains in which the client needs to be shared |
|
Whether the system is locked. The default value is false. Enable this option to lock the important operating system files of the client. When enabled, patches to the operating system of the client will fail due to the protection of these files. Choices:
|
|
User space client. Choices:
|
Examples
```yaml
# Create the client and keep the module result for the next task.
- name: "Create CTE Client"
  thalesgroup.ciphertrust.cte_client:
    localNode:
      server_ip: "IP/FQDN of CipherTrust Manager"
      server_private_ip: "Private IP in case that is different from above"
      server_port: 5432
      user: "CipherTrust Manager Username"
      password: "CipherTrust Manager Password"
      verify: false   # SSL verification of the CM server is switched off here
      auth_domain_path:
    op_type: create
    name: "CTE-Client-Ans-001"
    description: "Created via Ansible"
    communication_enabled: false
    client_type: FS
  register: client

# Attach a GuardPoint to the client created above, using the registered ID.
- name: "Add Guard Point to the CTE Client"
  thalesgroup.ciphertrust.cte_client:
    localNode:
      server_ip: "IP/FQDN of CipherTrust Manager"
      server_private_ip: "Private IP in case that is different from above"
      server_port: 5432
      user: "CipherTrust Manager Username"
      password: "CipherTrust Manager Password"
      verify: false
      auth_domain_path:
    op_type: add_guard_point
    guard_paths:
      - "/opt/path1/"
      - "/opt/path2/"
    guard_point_params:
      guard_point_type: directory_auto
      policy_id: TestPolicy
      data_classification_enabled: false
      data_lineage_enabled: false
      early_access: true
      preserve_sparse_regions: true
    id: "{{ client['response']['id'] }}"
```
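The two tasks above pass the CipherTrust Manager password inline and set verify to false. The playbook below is an added example, not part of the collection's documentation: it runs the same two operations with SSL verification turned on and the connection parameters read from variables. The cm_* variable names and the vars file path are hypothetical, the file is assumed to be encrypted with ansible-vault, and the play assumes the module returns the client ID under response.id as the documented example does.

```yaml
# Added example: cm_* variables and the vars file path are hypothetical.
- name: "Register a CTE client and add a GuardPoint"
  hosts: localhost
  connection: local
  gather_facts: false
  vars_files:
    - vault/cm_credentials.yml   # encrypted with ansible-vault
  vars:
    cm_connection:
      server_ip: "{{ cm_host }}"
      server_private_ip: "{{ cm_private_host }}"
      server_port: "{{ cm_port }}"
      user: "{{ cm_user }}"
      password: "{{ cm_password }}"
      verify: true               # require SSL verification of the CM server
      auth_domain_path: "{{ cm_auth_domain_path }}"
  tasks:
    - name: "Create CTE Client"
      thalesgroup.ciphertrust.cte_client:
        localNode: "{{ cm_connection }}"
        op_type: create
        name: "CTE-Client-Ans-001"
        description: "Created via Ansible"
        communication_enabled: false
        client_type: FS
      register: client
      no_log: true               # keep connection parameters out of task output

    - name: "Fail early if no client ID came back"
      ansible.builtin.assert:
        that:
          - client.response.id is defined
          - client.response.id | string | length > 0

    - name: "Add Guard Point to the CTE Client"
      thalesgroup.ciphertrust.cte_client:
        localNode: "{{ cm_connection }}"
        op_type: add_guard_point
        guard_paths:
          - "/opt/path1/"
        guard_point_params:
          guard_point_type: directory_auto
          policy_id: TestPolicy
          data_classification_enabled: false
          data_lineage_enabled: false
          early_access: true
          preserve_sparse_regions: true
        id: "{{ client.response.id }}"
      no_log: true
```

Because no_log also hides error details, remove it temporarily when debugging a failed task and restore it afterwards.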