thalesgroup.ciphertrust.interface_save module – Create or update an interface or service CipherTrust Manager is hosting

Note

This module is part of the thalesgroup.ciphertrust collection (version 1.0.0).

To install it, use: ansible-galaxy collection install thalesgroup.ciphertrust.

To use it in a playbook, specify: thalesgroup.ciphertrust.interface_save.

New in thalesgroup.ciphertrust 1.0.0

Synopsis

  • This is a Thales CipherTrust Manager module for working with the CipherTrust Manager APIs, more specifically with the interface management API

Parameters

Parameter

Comments

auto_gen_ca_id

string

Auto-generate a new server certificate on server startup using the identifier (URI) of a Local CA resource if the current server certificate is issued by a different Local CA.

This is especially useful when a new node joins the cluster. In this case, the existing data of the joining node is overwritten by the data in the cluster. A new server certificate is generated on the joining node using the existing Local CA of the cluster.

Auto-generation of the server certificate can be disabled by setting auto_gen_ca_id to an empty string (“”) to allow full control over the server certificate.

Default: "none"

auto_registration

boolean

Set auto registration to allow auto registration of KMIP clients.

Choices:

  • false

  • true

cert_user_field

string

Specifies how the user name is extracted from the client certificate.

Choices:

  • "CN"

  • "SN"

  • "E"

  • "E_ND"

  • "UID"

  • "OU"

Default: "none"

custom_uid_size

integer

This flag defines the custom uid size of managed objects over the KMIP interface.

custom_uid_v2

boolean

This flag specifies which version of the custom uid feature is used for the KMIP interface. If set to true, the new implementation (custom uid version 2) is used.

Choices:

  • false

  • true

default_connection

string

The default connection may be “local_account” for local authentication or the LDAP domain for LDAP authentication. This value is applied when the username does not embed the connection name (e.g. “jdoe” effectively becomes “local_account|jdoe”). This value applies only to the NAE interface and is ignored if set for web and KMIP interfaces.

Default: "none"

interface_id

string

Identifier of the interface to be patched

interface_type

string

This parameter identifies the type of interface, i.e. which service runs on the interface.

Choices:

  • "web"

  • "kmip"

  • "nae" ← (default)

  • "snmp"

kmip_enable_hard_delete

integer

Enables hard delete of keys on the KMIP Destroy operation, that is, both metadata and key material are removed from CipherTrust Manager for the key being deleted.

By default, only the key material is removed and the metadata is preserved with the updated key state.

This setting applies only to the KMIP interface.

Set to 1 to enable the feature or 0 to return to the default behavior.

Choices:

  • 0 ← (default)

  • 1

local_auto_gen_attributes

dictionary

Local CSR parameters for the interface’s certificate. These apply to the local node itself and do not affect other nodes in the cluster. They give the user a convenient way to supply custom fields for automatic interface certificate generation. Without them, the system defaults are used.

cn

string / required

Common name

Default: "none"

dns_names

list / elements=string

Subject Alternative Names (SAN) DNS names

Default: ["none"]

email_addresses

list / elements=string

Subject Alternative Names (SAN) Email addresses

Default: ["none"]

ip_addresses

list / elements=string

Subject Alternative Names (SAN) IP addresses

Default: ["none"]

names

list / elements=dictionary

Name fields like O, OU, L, ST, C

Default: []

uid

string

User ID

Default: "none"

localNode

dictionary / required

This holds the connection parameters required to communicate with an instance of CipherTrust Manager (CM).

Holds the IP/FQDN of the server, username, password, and port.

password

string / required

Admin password of CM

server_ip

string / required

CM Server IP or FQDN

server_port

integer / required

Port on which CM server is listening

Default: 5432

server_private_ip

string / required

Internal or private IP of the CM server, if different from server_ip

user

string / required

Admin username of CM

verify

boolean / required

Whether SSL verification is required

Choices:

  • false ← (default)

  • true

maximum_tls_version

string

Maximum TLS version to be configured for the NAE or KMIP interface; the default is the latest supported protocol version.

Choices:

  • "tls_1_0"

  • "tls_1_1"

  • "tls_1_2"

  • "tls_1_3"

Default: "none"

meta

string

Meta information related to interface

Default: "none"

nae

dictionary

Meta information related to NAE interface

mask_system_groups

boolean

Flag for masking system groups in NAE requests

Choices:

  • false

  • true

minimum_tls_version

string

Minimum TLS version to be configured for the NAE or KMIP interface; the default is v1.2 (tls_1_2).

Choices:

  • "tls_1_0"

  • "tls_1_1"

  • "tls_1_2" ← (default)

  • "tls_1_3"

mode

string

The interface mode can be one of no-tls-pw-opt, no-tls-pw-req, unauth-tls-pw-opt, tls-cert-opt-pw-opt, tls-pw-opt, tls-pw-req, tls-cert-pw-opt, or tls-cert-and-pw. Default mode is no-tls-pw-opt.

Choices:

  • "no-tls-pw-opt" ← (default)

  • "no-tls-pw-req"

  • "unauth-tls-pw-opt"

  • "tls-cert-opt-pw-opt"

  • "tls-pw-opt"

  • "tls-pw-req"

  • "tls-cert-pw-opt"

  • "tls-cert-and-pw"

name

string

The name of the interface. Not valid for interface_type nae.

Default: "none"

network_interface

string

Defines which Ethernet adapter the interface listens on; use “all” for all adapters.

Default: "none"

op_type

string / required

Operation to be performed

Choices:

  • "create"

  • "patch"

port

integer / required

The new interface will listen on the specified port. The port number must not be negative, zero, or already in use.

registration_token

string

Registration token, used when auto_registration is true.

Default: "none"

tls_ciphers

dictionary

TLS Ciphers contain the list of cipher suites available in the system for the respective interfaces (KMIP, NAE & WEB) for the TLS handshake.

cipher_suite

string / required

TLS cipher suite name.

Default: "none"

enabled

boolean / required

TLS cipher suite enabled flag. If set to true, the cipher suite will be available for the TLS handshake.

Choices:

  • false

  • true

trusted_cas

dictionary

Collection of local and external CA IDs to trust for client authentication. See section “Certificate Authority” for more details.

external

list / elements=string

A list of External CA IDs

Default: ["none"]

local

list / elements=string

A list of Local CA IDs

Default: ["none"]

Examples

- name: "Create Interface"
  thalesgroup.ciphertrust.interface_save:
    localNode:
        server_ip: "IP/FQDN of CipherTrust Manager"
        server_private_ip: "Private IP in case that is different from above"
        server_port: 5432
        user: "CipherTrust Manager Username"
        password: "CipherTrust Manager Password"
        verify: false
    op_type: create
    port: 9005
    auto_registration: false
    interface_type: nae
    mode: no-tls-pw-opt
    network_interface: all
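The task above creates an NAE interface in no-tls-pw-opt mode (no TLS). The following is an added example, not part of the collection's own documentation, showing how the same module's documented parameters (op_type patch, mode, cert_user_field, minimum/maximum_tls_version, trusted_cas, auto_registration) harden an existing KMIP interface so clients must present a certificate from a trusted Local CA and a password over TLS 1.2 or 1.3. The hostname, credential variables, interface ID and Local CA ID are placeholders.

```yaml
# Added example (not from the thalesgroup.ciphertrust docs): patch an
# existing KMIP interface into mutual-TLS-plus-password mode with TLS >= 1.2.
# All hostnames, variables and IDs below are placeholders to be replaced.
- name: "Harden KMIP interface: client cert from trusted Local CA + password, TLS 1.2/1.3"
  thalesgroup.ciphertrust.interface_save:
    localNode:
      server_ip: "cm.example.invalid"            # placeholder FQDN of CipherTrust Manager
      server_private_ip: "cm.example.invalid"    # placeholder; same host in this example
      server_port: 5432
      user: "{{ cm_admin_user }}"                # placeholder vars, e.g. from Ansible Vault
      password: "{{ cm_admin_password }}"
      verify: true                               # verify CM's TLS certificate instead of trusting blindly
    op_type: patch
    interface_id: "<KMIP-INTERFACE-ID>"          # placeholder: ID of the interface to patch
    interface_type: kmip
    port: 5696                                   # conventional KMIP port; must not already be in use
    network_interface: all
    # Require both a client certificate and a password (strongest documented mode).
    mode: tls-cert-and-pw
    # Derive the KMIP user name from the certificate's Common Name.
    cert_user_field: "CN"
    # Refuse TLS 1.0/1.1; negotiate only 1.2 or 1.3.
    minimum_tls_version: tls_1_2
    maximum_tls_version: tls_1_3
    # Only certificates issued by this Local CA are accepted for client auth.
    trusted_cas:
      local:
        - "<LOCAL-CA-ID>"                        # placeholder Local CA identifier
      external: []
    # Do not let unknown KMIP clients self-register; tokens are issued explicitly.
    auto_registration: false
    # Keep metadata on Destroy so deletions remain auditable (0 is the default).
    kmip_enable_hard_delete: 0
```

With verify: true the play fails closed if the CM server certificate cannot be validated, so run it after the web interface certificate is trusted by the control node.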

Authors

  • Anurag Jain, Developer Advocate Thales Group