thalesgroup.ciphertrust.cte_client module – Manage CTE clients

Note

This module is part of the thalesgroup.ciphertrust collection (version 1.0.0).

To install it, use: ansible-galaxy collection install thalesgroup.ciphertrust.

To use it in a playbook, specify: thalesgroup.ciphertrust.cte_client.

New in thalesgroup.ciphertrust 1.0.0

Synopsis

  • Create, manage, and perform operations on a CTE client

  • A client is a computer system on which data needs to be protected. A compatible CTE Agent is installed on the client and can protect data on the client itself or on devices attached to it. A client can be associated with multiple GuardPoints, each encrypting a different path.

Parameters

Parameter

Comments

auth_binaries

string

Array of authorized binaries in the privilege-filename pair JSON format.

client_auth_binaries_from

string

ID of the ClientGroup from which the client's settings will be inherited.

client_id_list

list / elements=string

IDs of the clients to be deleted. Each ID can be the name, ID (a UUIDv4), URI, or slug of a client.

client_locked

boolean

Whether the CTE client is locked. The default value is false. Set to true to lock the configuration of the CTE Agent on the client, or to false to unlock it. Locking the Agent configuration prevents updates to any policies on the client.

Choices:

  • false

  • true

client_mfa_enabled

boolean

Whether MFA is enabled on the client.

Choices:

  • false

  • true

client_type

string

Type of CTE Client. The default value is FS. Valid values are CTE-U and FS.

Choices:

  • "CTE-U"

  • "FS"

communication_enabled

boolean

Whether communication with the client is enabled. The default value is false. Can be set to true only if registration_allowed is also true.

Choices:

  • false

  • true

data_classification_enabled

boolean

Whether data classification (tagging) is enabled. Enabled by default if the associated policy contains ClassificationTags. Supported for Standard and LDT policies.

Choices:

  • false

  • true

data_lineage_enabled

boolean

Whether data lineage (tracking) is enabled. Can be enabled only if data classification is enabled. Supported for Standard and LDT policies.

Choices:

  • false

  • true

del_client

boolean

Whether to mark the client for deletion from the CipherTrust Manager. The default value is false.

Choices:

  • false

  • true

description

string

Description to identify the client.

disable_capability

string

Client capability to be disabled. Only EKP (Encryption Key Protection) can be disabled.

dynamic_parameters

string

Array of parameters to be updated after the client is registered, given as name-value pair JSON strings. The full set is applied on each update, so specify every parameter, not only the ones being changed.

early_access

boolean

Whether to enable early access on the GuardPoint.

Choices:

  • false

  • true

enable_domain_sharing

boolean

Whether domain sharing is enabled for the client.

Choices:

  • false

  • true

enabled_capabilities

string

Client capabilities to be enabled. Separate multiple values with commas.

Choices:

  • "LDT"

  • "EKP"

  • "ES"

force_del_client

boolean

Whether to delete the client forcefully from the CipherTrust Manager. Set to true to force deletion.

WARNING! Use the force_del_client option with caution. It does not wait for any response from the CTE Agent before deleting the client's entry from the CipherTrust Manager. This action is irreversible.

Choices:

  • false

  • true

gp_id

string

ID of the GuardPoint to be patched or updated within a CTE client.

guard_enabled

boolean

Whether the GuardPoint is enabled.

Choices:

  • false

  • true

guard_paths

list / elements=string

List of GuardPaths to be created.

guard_point_id_list

list / elements=string

IDs of the GuardPoints to be dissociated from the client. The IDs can be the name, ID (a UUIDv4), URI, or slug of the GuardPoints.

guard_point_params

dictionary

Parameters for creating a GuardPoint.

id

string

ID of the CTE client to be patched or updated.

localNode

dictionary / required

Connection parameters required to communicate with an instance of CipherTrust Manager (CM): the IP/FQDN of the server, the admin username and password, and the port.

password

string / required

Admin password for CM.

server_ip

string / required

CM server IP or FQDN.

server_port

integer / required

Port on which the CM server is listening.

Default: 5432

server_private_ip

string / required

Internal or private IP of the CM server, if different from server_ip.

user

string / required

Admin username for CM.

verify

boolean / required

Whether to verify the TLS certificate presented by the CM server. Leaving this at the default of false disables certificate verification for every call the module makes to CM, so a host on the path could impersonate CM to the playbook.

Choices:

  • false ← (default)

  • true

max_num_cache_log

integer

Maximum number of logs to cache.

max_space_cache_log

integer

Maximum space for the cached logs.

mfa_enabled

boolean

Whether MFA is enabled.

Choices:

  • false

  • true

name

string

Name to uniquely identify the client; this name is visible in the CipherTrust Manager. For op_type unenroll, the name of the CTE client to be unenrolled.

network_share_credentials_id

string

ID/Name of the credentials if the GuardPoint is applied to a network share. Supported for only LDT policies.

op_type

string / required

Operation to be performed.

Choices:

  • "create"

  • "patch"

  • "add_guard_point"

  • "unenroll"

  • "delete"

  • "delete_id"

  • "auth_binaries"

  • "ldt_pause"

  • "patch_guard_point"

  • "gp_unguard"

  • "gp_enable_early_access"

password

string

Password for the client. Required when password_creation_method is MANUAL.

password_creation_method

string

Password creation method for the client. Valid values are MANUAL and GENERATE. The default value is GENERATE.

Choices:

  • "MANUAL"

  • "GENERATE"

paused

boolean

Suspend/resume the rekey operation on an LDT GuardPoint. Set the value to true to pause (suspend) the rekey. Set the value to false to resume rekey.

Choices:

  • false

  • true

profile_id

string

ID of the profile that contains the logger, logging, and QoS configuration.

profile_identifier

string

Identifier of the Client Profile to be associated with the client. If not provided, the default profile will be linked.

re_sign

boolean

Whether to re-sign the client settings.

Choices:

  • false

  • true

registration_allowed

boolean

Whether the client's registration with the CipherTrust Manager is allowed. The default value is false. Set to true to allow registration.

Choices:

  • false

  • true

shared_domain_list

list / elements=string

List of domains in which the client needs to be shared.

system_locked

boolean

Whether the system is locked. The default value is false. Set to true to lock the important operating system files of the client. While enabled, patches to the client's operating system will fail because those files are protected.

Choices:

  • false

  • true

user_space_client

string

TBD

Examples

- name: "Create CTE Client"
  thalesgroup.ciphertrust.cte_client:
    localNode:
        server_ip: "IP/FQDN of CipherTrust Manager"
        server_private_ip: "Private IP in case that is different from above"
        server_port: 5432
        user: "CipherTrust Manager Username"
        # Keep the CM admin password out of the playbook text (ansible-vault or a lookup).
        password: "CipherTrust Manager Password"
        # false skips TLS certificate verification of CM; set true outside lab setups.
        verify: false
    op_type: create
    name: "CTE-Client-Ans-001"
    description: "Created via Ansible"
    communication_enabled: false
    client_type: FS
  register: client   # client.response.id is reused by the next task

- name: "Add Guard Point to the CTE Client"
  thalesgroup.ciphertrust.cte_client:
    localNode:
        server_ip: "IP/FQDN of CipherTrust Manager"
        server_private_ip: "Private IP in case that is different from above"
        server_port: 5432
        user: "CipherTrust Manager Username"
        password: "CipherTrust Manager Password"
        verify: false
    op_type: add_guard_point
    guard_paths:
      - "/opt/path1/"
      - "/opt/path2/"
    guard_point_params:
      guard_point_type: directory_auto
      policy_id: TestPolicy
      data_classification_enabled: false
      data_lineage_enabled: false
      early_access: true
      preserve_sparse_regions: true
    id: "{{ client['response']['id'] }}"
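The following playbook is an added example, not part of the collection's own documentation, that chains several of the op_type values described above (create, add_guard_point, patch, ldt_pause, unenroll) into one client lifecycle with the connection block defined once and credentials taken from vault. It assumes that the vault variables vault_cm_user and vault_cm_password exist, that a policy named TestPolicy is present on CM, and that the operator supplies maintenance_gp_id for the LDT pause step, since the shape of the add_guard_point response is not documented on this page. Which parameters each op_type consumes (for example id plus client_locked for patch, and id, gp_id and paused for ldt_pause) is inferred from the parameter descriptions above and should be checked against the module's argument spec before use.

```yaml
# Added example (not the collection's own documentation). Assumed names:
# vault_cm_user, vault_cm_password, maintenance_gp_id, and the host cm.example.internal.
- name: Enroll a CTE client, guard paths, lock the agent configuration
  hosts: localhost
  gather_facts: false
  vars:
    # One localNode block reused by every task. verify: true keeps TLS
    # certificate checking on; the module defaults it to false.
    cm:
      server_ip: "cm.example.internal"
      server_private_ip: "cm.example.internal"
      server_port: 5432
      user: "{{ vault_cm_user }}"
      password: "{{ vault_cm_password }}"
      verify: true
    client_name: "CTE-Client-Ans-002"
  tasks:
    - name: Create the client (communication_enabled requires registration_allowed)
      thalesgroup.ciphertrust.cte_client:
        localNode: "{{ cm }}"
        op_type: create
        name: "{{ client_name }}"
        description: "Created via Ansible"
        client_type: FS
        registration_allowed: true
        communication_enabled: true
        password_creation_method: GENERATE
      register: client
      # no_log keeps the localNode block, which carries the CM admin password,
      # out of task output when the playbook is run with raised verbosity.
      no_log: true

    - name: Guard two directories under TestPolicy (assumed to exist on CM)
      thalesgroup.ciphertrust.cte_client:
        localNode: "{{ cm }}"
        op_type: add_guard_point
        id: "{{ client.response.id }}"
        guard_paths:
          - "/var/lib/app/data/"
          - "/var/lib/app/archive/"
        guard_point_params:
          guard_point_type: directory_auto
          policy_id: TestPolicy
          data_classification_enabled: false
          data_lineage_enabled: false
          early_access: false
          preserve_sparse_regions: true

    - name: Lock the agent configuration so policies cannot be altered on the host
      thalesgroup.ciphertrust.cte_client:
        localNode: "{{ cm }}"
        op_type: patch
        id: "{{ client.response.id }}"
        client_locked: true

    - name: Pause LDT rekey on one GuardPoint for a maintenance window
      thalesgroup.ciphertrust.cte_client:
        localNode: "{{ cm }}"
        op_type: ldt_pause
        id: "{{ client.response.id }}"
        gp_id: "{{ maintenance_gp_id }}"   # supplied by the operator (assumed)
        paused: true
      when: maintenance_gp_id is defined

    - name: Unenroll by name on teardown; force_del_client is irreversible and is not used here
      thalesgroup.ciphertrust.cte_client:
        localNode: "{{ cm }}"
        op_type: unenroll
        name: "{{ client_name }}"
      when: teardown | default(false) | bool
```

Run with `ansible-playbook --ask-vault-pass cte_client.yml`, adding `-e teardown=true` to unenroll the client at the end. The tasks are ordered so that registration_allowed is set before communication_enabled is relied on, and the agent configuration is locked only after the GuardPoints are in place, since client_locked blocks further policy updates on the client.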

Authors

  • Anurag Jain, Developer Advocate Thales Group