5.2. Ensuring the presence of an asymmetric service vault in IdM using Ansible

You can use an Ansible playbook to create a service vault container with one or more private vaults to securely store sensitive information. In the example used in the procedure below, the administrator creates an asymmetric vault named secret_vault. This ensures that the vault members have to authenticate using a private key to retrieve the secret in the vault. The vault members will be able to retrieve the file from any IdM client.

Prerequisites

You have configured your Ansible control node to meet the following requirements:
- You are using Ansible version 2.15 or later.
- You have installed the ansible-freeipa package.
- The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
- The example assumes that the secret.yml Ansible vault stores your ipaadmin_password and that you have access to a file that stores the password protecting the secret.yml file.
The target node, that is the node on which the freeipa.ansible_freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

Navigate to the ~/MyPlaybooks/ directory:
```
$ cd ~/MyPlaybooks/
```

Obtain the public key of the service instance. For example, using the openssl utility:

Generate the service-private.pem private key.

$ openssl genrsa -out service-private.pem 2048
Generating RSA private key, 2048 bit long modulus
.+++
...........................................+++
e is 65537 (0x10001)

Generate the service-public.pem public key based on the private key.

$ openssl rsa -in service-private.pem -out service-public.pem -pubout
writing RSA key

Make a copy of the ensure-asymmetric-vault-is-present.yml Ansible playbook file from the relevant collections directory. For example:

$ cp /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/vault/ensure-asymmetric-vault-is-present.yml ensure-asymmetric-service-vault-is-present-copy.yml

Open the ensure-asymmetric-vault-is-present-copy.yml file for editing.
Add a task that copies the service-public.pem public key from the Ansible controller to the server.idm.example.com server.

Modify the rest of the file by setting the following variables in the freeipa.ansible_freeipa.ipavault task section:

Indicate that the value of the ipaadmin_password variable is defined in the secret.yml Ansible vault file.
Define the name of the vault using the name variable, for example secret_vault.
Set the vault_type variable to asymmetric.
Set the service variable to the principal of the service that owns the vault, for example HTTP/webserver1.idm.example.com.
Set the public_key_file to the location of your public key.
This is the modified Ansible playbook file for the current example:

---
- name: Tests
  hosts: ipaserver
  gather_facts: false
  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Copy public key to ipaserver.
    copy:
      src: /path/to/service-public.pem
      dest: /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/vault/service-public.pem
      mode: 0600
  - name: Add data to vault, from a LOCAL file.
    freeipa.ansible_freeipa.ipavault:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: secret_vault
      vault_type: asymmetric
      service: HTTP/webserver1.idm.example.com
      public_key_file: /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/vault/service-public.pem

Save the file.

Run the playbook:

$ ansible-playbook --vault-password-file=password_file -v -i inventory.file ensure-asymmetric-service-vault-is-present-copy.yml

5.2. Ensuring the presence of an asymmetric service vault in IdM using Ansible

자세한 정보

평가판, 구매 및 판매

커뮤니티

Red Hat 소개

보다 포괄적 수용을 위한 오픈 소스 용어 교체

Red Hat 문서 정보

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links