thalesgroup.ciphertrust.interface_save module – Create or update an interface or service CipherTrust Manager is hosting
Note
This module is part of the thalesgroup.ciphertrust collection (version 1.0.0).
To install it, use: ansible-galaxy collection install thalesgroup.ciphertrust.
To use it in a playbook, specify: thalesgroup.ciphertrust.interface_save.
New in thalesgroup.ciphertrust 1.0.0
Synopsis
This is a Thales CipherTrust Manager module for working with the CipherTrust Manager APIs, more specifically the interface management API.
Parameters
Parameter | Comments
---|---
auto_gen_ca_id | Auto-generate a new server certificate on server startup using the identifier (URI) of a Local CA resource if the current server certificate is issued by a different Local CA. This is especially useful when a new node joins the cluster: the existing data of the joining node is overwritten by the data in the cluster, and a new server certificate is generated on the joining node using the existing Local CA of the cluster. Auto-generation of the server certificate can be disabled by setting auto_gen_ca_id to an empty string ("") to allow full control over the server certificate.
auto_registration | Set to true to allow auto registration of KMIP clients.
 | Specifies how the user name is extracted from the client certificate.
 | Defines the custom uid size of managed objects over the KMIP interface.
 | Specifies which version of the custom uid feature is to be used for the KMIP interface. If set to true, the new implementation (custom uid version 2) is used.
 | The default connection may be "local_account" for local authentication or the LDAP domain for LDAP authentication. This value is applied when the username does not embed the connection name (e.g. "jdoe" effectively becomes "local_account\|jdoe"). This value applies to NAE only and is ignored if set for web and KMIP interfaces.
 | Identifier of the interface to be patched.
interface_type | Identifies the type of interface, i.e. which service runs on the interface.
 | Enables hard delete of keys on the KMIP Destroy operation: both metadata and key material are removed from CipherTrust Manager for the key being deleted. By default, only key material is removed and metadata is preserved with the updated key state. This setting applies only to the KMIP interface. Set to 1 to enable the feature or 0 to return to the default behaviour.
 | Local CSR parameters for the interface's certificate. These apply to the local node itself and do not affect other nodes in the cluster. They give the user a convenient way to supply custom fields for automatic interface certificate generation; without them, the system defaults are used. The six entries that follow are its sub-options.
 | Common name.
 | Subject Alternative Name (SAN) DNS names.
 | Subject Alternative Name (SAN) email addresses.
 | Subject Alternative Name (SAN) IP addresses.
 | Name fields such as O, OU, L, ST, C.
 | User ID.
localNode | Connection parameters required to communicate with an instance of CipherTrust Manager (CM): IP/FQDN of the server, username, password and port. The six entries that follow are its sub-options.
password | Admin password of CM.
server_ip | CM server IP or FQDN.
server_port | Port on which the CM server is listening.
server_private_ip | Internal or private IP of the CM server, if different from server_ip.
user | Admin username of CM.
verify | Whether SSL verification of the CM server certificate is required.
 | Maximum TLS version to be configured for the NAE or KMIP interface; the default is the latest supported protocol version.
 | Meta information related to the interface.
 | Meta information related to the NAE interface (sub-option of the entry above).
 | Flag for masking system groups in NAE requests (sub-option of the NAE entry above).
 | Minimum TLS version to be configured for the NAE or KMIP interface; the default is v1.2 (tls_1_2).
mode | The interface mode can be one of no-tls-pw-opt, no-tls-pw-req, unauth-tls-pw-opt, tls-cert-opt-pw-opt, tls-pw-opt, tls-pw-req, tls-cert-pw-opt, or tls-cert-and-pw. The default mode is no-tls-pw-opt.
 | The name of the interface. Not valid for interface_type nae.
network_interface | Defines which ethernet adapter the interface should listen on; use "all" for all adapters.
op_type | Operation to be performed.
port | The new interface will listen on the specified port. The port number must not be negative, 0, or already in use.
 | Registration token, used when auto registration is true.
 | TLS ciphers: the list of cipher suites available in the system for the respective interfaces (KMIP, NAE and WEB) for the TLS handshake. The two entries that follow are its sub-options.
 | TLS cipher suite name.
 | TLS cipher suite enabled flag. If set to true, the cipher suite is available for the TLS handshake.
 | Collection of local and external CA IDs to trust for client authentication. See the section "Certificate Authority" for more details. The two entries that follow are its sub-options.
 | A list of external CA IDs.
 | A list of local CA IDs.
Examples

```yaml
- name: "Create Interface"
  thalesgroup.ciphertrust.interface_save:
    localNode:
      server_ip: "IP/FQDN of CipherTrust Manager"
      server_private_ip: "Private IP in case that is different from above"
      server_port: 5432
      user: "CipherTrust Manager Username"
      password: "CipherTrust Manager Password"
      verify: false
    op_type: create
    port: 9005
    auto_registration: false
    interface_type: nae
    mode: no-tls-pw-opt
    network_interface: all
```
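The task above creates an NAE interface in the default no-tls-pw-opt mode and skips verification of the manager's certificate. As an added example (not part of the collection's own documentation), the following task uses the same module parameters to create an NAE interface in the tls-cert-and-pw mode listed in the parameter table, keeps auto registration off and verifies the manager's TLS certificate; the port number, the variable names and the vault-sourced credential are assumptions.

```yaml
- name: "Create an NAE interface that requires a client certificate and a password"
  thalesgroup.ciphertrust.interface_save:
    localNode:
      server_ip: "{{ cm_server_ip }}"           # assumed inventory variable
      server_port: 443                          # assumed: port of the CM REST API
      user: "{{ cm_admin_user }}"               # assumed variable
      password: "{{ cm_admin_password }}"       # assumed: supplied from ansible-vault
      verify: true                              # validate the manager's TLS certificate
    op_type: create
    port: 9443                                  # constructed port for this example
    interface_type: nae
    mode: tls-cert-and-pw                       # client certificate AND password are both required
    auto_registration: false                    # no self-registration of clients
    network_interface: all
```

With verify set to true the controller must trust the CA that issued the manager's web certificate, otherwise the task fails before any change is made.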