Red Hat Summit이 콘텐츠는 선택한 언어로 제공되지 않습니다.
Chapter 16. Setting a custom cryptographic policy by using the crypto-policies RHEL System Role
As an administrator, you can use the crypto_policies RHEL System Role to quickly and consistently configure custom cryptographic policies across many different systems using the Ansible Core package.
16.1. crypto_policies System Role variables and facts
In a crypto_policies System Role playbook, you can define the parameters for the crypto_policies configuration file according to your preferences and limitations.
If you do not configure any variables, the System Role does not configure the system and only reports the facts.
Selected variables for the crypto_policies System Role
crypto_policies_policy- Determines the cryptographic policy the System Role applies to the managed nodes. For details about the different crypto policies, see System-wide cryptographic policies .
crypto_policies_reload-
If set to
yes, the affected services, currently theipsec,bind, andsshdservices, reload after applying a crypto policy. Defaults toyes. crypto_policies_reboot_ok-
If set to
yes, and a reboot is necessary after the System Role changes the crypto policy, it setscrypto_policies_reboot_requiredtoyes. Defaults tono.
Facts set by the crypto_policies System Role
crypto_policies_active- Lists the currently selected policy.
crypto_policies_available_policies- Lists all available policies available on the system.
crypto_policies_available_subpolicies- Lists all available subpolicies available on the system.
16.2. Setting a custom cryptographic policy using the crypto_policies System Role
You can use the crypto_policies System Role to configure a large number of managed nodes consistently from a single control node.
Prerequisites
-
Access and permissions to one or more managed nodes, which are systems you want to configure with the
crypto_policiesSystem Role. Access and permissions to a control node, which is a system from which Red Hat Ansible Core configures other systems.
On the control node:
-
The
ansible-coreandrhel-system-rolespackages are installed.
-
The
RHEL 8.0-8.5 provided access to a separate Ansible repository that contains Ansible Engine 2.9 for automation based on Ansible. Ansible Engine contains command-line utilities such as ansible, ansible-playbook, connectors such as docker and podman, and many plugins and modules. For information about how to obtain and install Ansible Engine, see the How to download and install Red Hat Ansible Engine Knowledgebase article.
RHEL 8.6 and 9.0 have introduced Ansible Core (provided as the ansible-core package), which contains the Ansible command-line utilities, commands, and a small set of built-in Ansible plugins. RHEL provides this package through the AppStream repository, and it has a limited scope of support. For more information, see the Scope of support for the Ansible Core package included in the RHEL 9 and RHEL 8.6 and later AppStream repositories Knowledgebase article.
- An inventory file which lists the managed nodes.
Procedure
Create a new
playbook.ymlfile with the following content:--- - hosts: all tasks: - name: Configure crypto policies include_role: name: rhel-system-roles.crypto_policies vars: - crypto_policies_policy: FUTURE - crypto_policies_reboot_ok: trueYou can replace the FUTURE value with your preferred crypto policy, for example:
DEFAULT,LEGACY, andFIPS:OSPP.The
crypto_policies_reboot_ok: truevariable causes the system to reboot after the System Role changes the cryptographic policy.For more details, see crypto_policies System Role variables and facts .
Optional: Verify playbook syntax.
# ansible-playbook --syntax-check playbook.ymlRun the playbook on your inventory file:
# ansible-playbook -i inventory_file playbook.yml
Verification
On the control node, create another playbook named, for example,
verify_playbook.yml:- hosts: all tasks: - name: Verify active crypto policy include_role: name: rhel-system-roles.crypto_policies - debug: var: crypto_policies_activeThis playbook does not change any configurations on the system, only reports the active policy on the managed nodes.
Run the playbook on the same inventory file:
# ansible-playbook -i inventory_file verify_playbook.yml TASK [debug] ************************** ok: [host] => { "crypto_policies_active": "FUTURE" }The
"crypto_policies_active":variable shows the policy active on the managed node.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}