thalesgroup.ciphertrust.interface_save (1.0.0) — module

Create or update an interface or service CipherTrust Manager is hosting

Added in version 1.0.0 of thalesgroup.ciphertrust

Authors: Anurag Jain, Developer Advocate Thales Group

Install collection

Install with ansible-galaxy collection install thalesgroup.ciphertrust:==1.0.0


Add to requirements.yml

  collections:
    - name: thalesgroup.ciphertrust
      version: 1.0.0

Description

This is a Thales CipherTrust Manager module for working with the CipherTrust Manager APIs, specifically the interface management API.

Usage examples

- name: "Create Interface"
  thalesgroup.ciphertrust.interface_save:
    localNode:
      server_ip: "IP/FQDN of CipherTrust Manager"
      server_private_ip: "Private IP in case that is different from above"
      server_port: 5432
      user: "CipherTrust Manager Username"
      password: "CipherTrust Manager Password"
      verify: false
    op_type: create
    port: 9005
    auto_registration: false
    interface_type: nae
    mode: no-tls-pw-opt
    network_interface: all

Inputs

    
meta:
    default: none
    description: Meta information related to interface
    required: false
    suboptions:
      nae:
        description: Meta information related to NAE interface
        required: false
        suboptions:
          mask_system_groups:
            description: Flag for masking system groups in NAE requests
            required: false
            type: bool
        type: dict

mode:
    choices:
    - no-tls-pw-opt
    - no-tls-pw-req
    - unauth-tls-pw-opt
    - tls-cert-opt-pw-opt
    - tls-pw-opt
    - tls-pw-req
    - tls-cert-pw-opt
    - tls-cert-and-pw
    default: no-tls-pw-opt
    description:
    - The interface mode can be one of no-tls-pw-opt, no-tls-pw-req, unauth-tls-pw-opt,
      tls-cert-opt-pw-opt, tls-pw-opt, tls-pw-req, tls-cert-pw-opt, or tls-cert-and-pw.
      Default mode is no-tls-pw-opt.
    required: false
    type: str

name:
    default: none
    description: The name of the interface. Not valid for interface_type nae.
    required: false
    type: str

port:
    description:
    - The new interface will listen on the specified port. The port number must not
      be negative, zero, or already in use.
    required: true
    type: int

op_type:
    choices:
    - create
    - patch
    description: Operation to be performed
    required: true
    type: str

localNode:
    description:
    - Connection parameters required to communicate with an instance of
      CipherTrust Manager (CM)
    - Holds the IP/FQDN of the server, username, password, and port
    required: true
    suboptions:
      password:
        description: admin password of CM
        required: true
        type: str
      server_ip:
        description: CM Server IP or FQDN
        required: true
        type: str
      server_port:
        default: 5432
        description: Port on which CM server is listening
        required: true
        type: int
      server_private_ip:
        description: internal or private IP of the CM Server, if different from the server_ip
        required: true
        type: str
      user:
        description: admin username of CM
        required: true
        type: str
      verify:
        default: false
        description: Whether to verify the CM server's TLS certificate
        required: true
        type: bool
    type: dict

tls_ciphers:
    default: null
    description: TLS Ciphers contain the list of cipher suites available in the system
      for the respective interfaces (KMIP, NAE & WEB) for TLS handshake.
    required: false
    suboptions:
      cipher_suite:
        default: none
        description: TLS cipher suite name.
        required: true
        type: str
      enabled:
        default: null
        description: TLS cipher suite enabled flag. If set to true, cipher suite will
          be available for TLS handshake.
        required: true
        type: bool
    type: dict

trusted_cas:
    default: null
    description:
    - Collection of local and external CA IDs to trust for client authentication. See
      section "Certificate Authority" for more details.
    required: false
    suboptions:
      external:
        default: none
        description: A list of External CA IDs
        elements: str
        required: false
        type: list
      local:
        default: none
        description: A list of Local CA IDs
        elements: str
        required: false
        type: list
    type: dict

interface_id:
    description:
    - Identifier of the interface to be patched
    required: false
    type: str

custom_uid_v2:
    default: null
    description: This flag specifies which version of the custom UID feature is used
      for the KMIP interface. If set to true, the new implementation (custom UID version 2)
      is used.
    required: false
    type: bool

auto_gen_ca_id:
    default: none
    description:
    - Auto-generate a new server certificate on server startup using the identifier (URI)
      of a Local CA resource if the current server certificate is issued by a different
      Local CA.
    - This is especially useful when a new node joins the cluster. In this case, the existing
      data of the joining node is overwritten by the data in the cluster. A new server
      certificate is generated on the joining node using the existing Local CA of the
      cluster.
    - Auto-generation of the server certificate can be disabled by setting auto_gen_ca_id
      to an empty string ("") to allow full control over the server certificate.
    required: false
    type: str

interface_type:
    choices:
    - web
    - kmip
    - nae
    - snmp
    default: nae
    description: Identifies the type of interface, i.e. which service runs on the
      interface.
    required: false
    type: str

cert_user_field:
    choices:
    - CN
    - SN
    - E
    - E_ND
    - UID
    - OU
    default: none
    description:
    - Specifies how the user name is extracted from the client certificate.
    required: false
    type: str

custom_uid_size:
    default: null
    description: This flag is used to define the custom uid size of managed object over
      the KMIP interface.
    required: false
    type: int

auto_registration:
    default: null
    description:
    - Set auto registration to allow auto registration of KMIP clients.
    required: false
    type: bool

network_interface:
    default: none
    description: Defines which Ethernet adapter the interface listens on; use "all"
      for all adapters.
    required: false
    type: str

default_connection:
    default: none
    description: The default connection may be "local_account" for local authentication
      or the LDAP domain for LDAP authentication. This value is applied when the username
      does not embed the connection name (e.g. "jdoe" effectively becomes "local_account|jdoe").
      This value applies only to NAE and is ignored if set for web and KMIP interfaces.
    required: false
    type: str

registration_token:
    default: none
    description: Registration token, used when auto_registration is true.
    required: false
    type: str

maximum_tls_version:
    choices:
    - tls_1_0
    - tls_1_1
    - tls_1_2
    - tls_1_3
    default: none
    description: Maximum TLS version to be configured for the NAE or KMIP interface; the
      default is the latest supported protocol version.
    required: false
    type: str

minimum_tls_version:
    choices:
    - tls_1_0
    - tls_1_1
    - tls_1_2
    - tls_1_3
    default: tls_1_2
    description: Minimum TLS version to be configured for the NAE or KMIP interface; the
      default is v1.2 (tls_1_2).
    required: false
    type: str

kmip_enable_hard_delete:
    choices:
    - 0
    - 1
    default: 0
    description:
    - Enables hard delete of keys on the KMIP Destroy operation, i.e. both the metadata and
      the key material are removed from CipherTrust Manager for the key being deleted.
    - By default, only the key material is removed and the metadata is preserved with the
      updated key state.
    - This setting applies only to the KMIP interface.
    - Set to 1 to enable the feature or 0 to return to the default behavior.
    required: false
    type: int

local_auto_gen_attributes:
    default: null
    description: Local CSR parameters for the interface's certificate. These apply to the
      local node itself and do not affect other nodes in the cluster. They give the user
      a convenient way to supply custom fields for automatic interface certificate generation.
      Without them, the system defaults are used.
    required: false
    suboptions:
      cn:
        default: none
        description: Common name
        required: true
        type: str
      dns_names:
        default: none
        description: Subject Alternative Names (SAN) DNS names
        elements: str
        required: false
        type: list
      email_addresses:
        default: none
        description: Subject Alternative Names (SAN) Email addresses
        elements: str
        required: false
        type: list
      ip_addresses:
        default: none
        description: Subject Alternative Names (SAN) IP addresses
        elements: str
        required: false
        type: list
      names:
        default: []
        description: Name fields like O, OU, L, ST, C
        elements: dict
        required: false
        type: list
      uid:
        default: none
        description: User ID
        required: false
        type: str
    type: dict
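The usage example above creates an NAE interface in the plaintext `no-tls-pw-opt` mode with `verify: false` on the management connection. The playbook below is an added example, not part of the collection's own documentation, showing how the parameters documented here combine into a hardened configuration: a KMIP interface that requires both a client certificate and a password, a TLS 1.2 floor, trust limited to one Local CA, the user name taken from the certificate CN, and auto-registration left off; a second task patches an existing NAE interface to the same TLS floor. The hostnames, credentials, CA ID and interface_id are placeholders; 5696 is the standard KMIP port, and `cm_admin_password` is assumed to come from an Ansible Vault variable.

```yaml
---
# Added example, not part of the thalesgroup.ciphertrust collection docs.
# All hostnames, credentials, CA IDs and the interface_id are placeholders.
- name: Harden CipherTrust Manager network interfaces
  hosts: localhost
  gather_facts: false
  vars:
    # Connection parameters shared by every task. The password is expected
    # from a vaulted variable rather than written into the playbook.
    cm_node:
      server_ip: "cm.example.internal"          # placeholder FQDN
      server_private_ip: "cm.example.internal"  # placeholder; same host here
      server_port: 5432
      user: "admin"                             # placeholder admin user
      password: "{{ cm_admin_password }}"       # assumed vaulted variable
      verify: true                              # verify the CM server certificate
    local_ca_id: "REPLACE-WITH-LOCAL-CA-ID"     # placeholder Local CA resource ID

  tasks:
    - name: Create a KMIP interface requiring client certificate and password
      thalesgroup.ciphertrust.interface_save:
        localNode: "{{ cm_node }}"
        op_type: create
        interface_type: kmip
        port: 5696                        # standard KMIP port
        network_interface: all
        mode: tls-cert-and-pw             # instead of the plaintext no-tls-pw-opt default
        minimum_tls_version: tls_1_2      # refuse TLS 1.0/1.1 clients
        maximum_tls_version: tls_1_3
        cert_user_field: CN               # map the certificate CN to a CM user
        auto_registration: false          # no unattended enrollment of KMIP clients
        trusted_cas:
          local:
            - "{{ local_ca_id }}"         # only this Local CA may issue client certs
          external: []
        auto_gen_ca_id: "{{ local_ca_id }}"   # regenerate server cert from this CA on startup
        local_auto_gen_attributes:
          cn: "cm.example.internal"
          dns_names:
            - "cm.example.internal"
          ip_addresses:
            - "192.0.2.10"                # documentation-range placeholder address
        kmip_enable_hard_delete: 0        # default: keep key metadata on KMIP Destroy

    - name: Raise the TLS floor on an existing NAE interface
      thalesgroup.ciphertrust.interface_save:
        localNode: "{{ cm_node }}"
        op_type: patch
        interface_id: "REPLACE-WITH-INTERFACE-ID"   # placeholder
        interface_type: nae
        port: 9005
        mode: tls-pw-req                  # TLS with password required
        minimum_tls_version: tls_1_2
        default_connection: local_account # applies to NAE only
```

Run it with a vault password source, for example `ansible-playbook harden_interfaces.yml --ask-vault-pass`. Because `mode: tls-cert-and-pw` rejects clients without a certificate chained to the listed Local CA, roll out client certificates before switching an interface that existing applications already use; `op_type: patch` with `interface_id` lets the mode and TLS floor be changed on an interface in place once the clients are ready.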