Chapter 16. Setting a custom cryptographic policy by using the crypto-policies RHEL System Role
As an administrator, you can use the crypto_policies
RHEL System Role to quickly and consistently configure custom cryptographic policies across many different systems using the Ansible Core package.
16.1. crypto_policies
System Role variables and facts
In a crypto_policies
System Role playbook, you can define the parameters for the crypto_policies
configuration file according to your preferences and limitations.
If you do not configure any variables, the System Role does not configure the system and only reports the facts.
Selected variables for the crypto_policies
System Role
crypto_policies_policy
- Determines the cryptographic policy the System Role applies to the managed nodes. For details about the different crypto policies, see System-wide cryptographic policies .
crypto_policies_reload
-
If set to
yes
, the affected services, currently theipsec
,bind
, andsshd
services, reload after applying a crypto policy. Defaults toyes
. crypto_policies_reboot_ok
-
If set to
yes
, and a reboot is necessary after the System Role changes the crypto policy, it setscrypto_policies_reboot_required
toyes
. Defaults tono
.
Facts set by the crypto_policies
System Role
crypto_policies_active
- Lists the currently selected policy.
crypto_policies_available_policies
- Lists all available policies available on the system.
crypto_policies_available_subpolicies
- Lists all available subpolicies available on the system.
Additional resources
16.2. Setting a custom cryptographic policy using the crypto_policies
System Role
You can use the crypto_policies
System Role to configure a large number of managed nodes consistently from a single control node.
Prerequisites
-
Access and permissions to one or more managed nodes, which are systems you want to configure with the
crypto_policies
System Role. Access and permissions to a control node, which is a system from which Red Hat Ansible Core configures other systems.
On the control node:
-
The
ansible-core
andrhel-system-roles
packages are installed.
-
The
RHEL 8.0-8.5 provided access to a separate Ansible repository that contains Ansible Engine 2.9 for automation based on Ansible. Ansible Engine contains command-line utilities such as ansible
, ansible-playbook
, connectors such as docker
and podman
, and many plugins and modules. For information about how to obtain and install Ansible Engine, see the How to download and install Red Hat Ansible Engine Knowledgebase article.
RHEL 8.6 and 9.0 have introduced Ansible Core (provided as the ansible-core
package), which contains the Ansible command-line utilities, commands, and a small set of built-in Ansible plugins. RHEL provides this package through the AppStream repository, and it has a limited scope of support. For more information, see the Scope of support for the Ansible Core package included in the RHEL 9 and RHEL 8.6 and later AppStream repositories Knowledgebase article.
- An inventory file which lists the managed nodes.
Procedure
Create a new
playbook.yml
file with the following content:--- - hosts: all tasks: - name: Configure crypto policies include_role: name: rhel-system-roles.crypto_policies vars: - crypto_policies_policy: FUTURE - crypto_policies_reboot_ok: true
You can replace the FUTURE value with your preferred crypto policy, for example:
DEFAULT
,LEGACY
, andFIPS:OSPP
.The
crypto_policies_reboot_ok: true
variable causes the system to reboot after the System Role changes the cryptographic policy.For more details, see crypto_policies System Role variables and facts .
Optional: Verify playbook syntax.
# ansible-playbook --syntax-check playbook.yml
Run the playbook on your inventory file:
# ansible-playbook -i inventory_file playbook.yml
Verification
On the control node, create another playbook named, for example,
verify_playbook.yml
:- hosts: all tasks: - name: Verify active crypto policy include_role: name: rhel-system-roles.crypto_policies - debug: var: crypto_policies_active
This playbook does not change any configurations on the system, only reports the active policy on the managed nodes.
Run the playbook on the same inventory file:
# ansible-playbook -i inventory_file verify_playbook.yml TASK [debug] ************************** ok: [host] => { "crypto_policies_active": "FUTURE" }
The
"crypto_policies_active":
variable shows the policy active on the managed node.
16.3. Additional resources
-
/usr/share/ansible/roles/rhel-system-roles.crypto_policies/README.md
file. -
ansible-playbook(1)
man page. - Preparing a control node and managed nodes to use RHEL System Roles.