Add support for Security World client v13.4.4

This patch adds support for installing the latest Security World client software. The installation media format for that version is a zipped file containing an ISO. The mechanism for installing the source media was changed to expect this new format. The file is still downloaded to the target host and now unzip is used instead of tar to unarchive the ISO. The client software is now installed on the target host using the RPM files found in the ISO image. Change-Id: If00a8612cd50f492da833033a2ed3256585617bd
openstack · Oct 2, 2023 · b39d086 · b39d086
1 parent 8779341
commit b39d086
Show file tree

Hide file tree

Showing 8 changed files with 71 additions and 82 deletions.
diff --git a/README.rst b/README.rst
@@ -32,32 +32,23 @@ Role Variables
      - false
      - Whether the role should execute the RFS configuration tasks.
    * - thales_client_working_dir
-     - /tmp/thales_client_install
+     - /tmp/security_world_install
      - Working directory in the target host.
    * - thales_client_gid
      - 42481
-     - Group ID for the thales group.
+     - Group ID for the nfast group.
    * - thales_client_uid
      - 42481
-     - User ID for the thales user.
-   * - thales_client_tarball_name
+     - User ID for the nfast user.
+   * - security_world_iso_zip_url
      - None
-     - Filename for the Thales client software tarball.
+     - URL location of the Security World ISO ZIP file.
    * - thales_client_tarball_location
      - None
-     - Full URL where a copy of the client software tarball can be downloaded.
-   * - thales_client_path
-     - linux/libc6_11/amd64/nfast
-     - Path to the client software directory inside the tarball
-   * - thales_km_data_tarball_name
-     - None
-     - Filename for the KM Data tarball
-   * - thales_km_data_location
-     - None
-     - Full URL where a copy of the KM Data tarball can be downloaded.
+     - DEPRECATED: Use security_world_iso_zip_url instead.
    * - thales_rfs_ip_address
      - None
-     - IPv4 address for the Thales RFS host.
+     - IPv4 address for the RFS host.
    * - thales_client_ips
      - None
      - Whitespace separated list of IP addresses to be added to RFS config.
@@ -74,3 +65,6 @@ Requirements
 ------------
 
  - ansible >= 2.4
+ - Security World Software v13.4.4 ISO ZIP file - The ISO file in ZIP format as
+   provided by Entrust.  This should be hosted in an HTTPS server that can be
+   accessed from the target host.
diff --git a/defaults/main.yaml b/defaults/main.yaml
@@ -1,7 +1,6 @@
 ---
 thales_install_client: false
 thales_configure_rfs: false
-thales_client_working_dir: /tmp/thales_client_install
+thales_client_working_dir: /tmp/security_world_install
 thales_client_gid: 42481
 thales_client_uid: 42481
-thales_client_path: linux/libc6_11/amd64/nfast
diff --git a/handlers/main.yaml b/handlers/main.yaml
@@ -2,4 +2,5 @@
 - name: Legacy vars warning
   ansible.builtin.debug:
     msg: "WARNING: Using legacy thales_hsm_ip_address and
-         thales_hsm_config_location variables.  Please udpate your vars file."
+         thales_client_tarball_location variables.  Please udpate your
+         vars file."
diff --git a/releasenotes/notes/add-support-for-security-world-v13.4-2cb8688bcc072db1.yaml b/releasenotes/notes/add-support-for-security-world-v13.4-2cb8688bcc072db1.yaml
@@ -0,0 +1,9 @@
+---
+features:
+  - |
+    This version adds support for the latest Security World client software
+    (v13.4.4).  Older security world versions are not supported.
+deprecations:
+  - |
+    The variable `thales_client_tarball_location` has been deprecated.  Use
+    `security_world_iso_zip_url` instead.
diff --git a/setup.cfg b/setup.cfg
@@ -1,14 +1,14 @@
 [metadata]
 name = ansible-role-thales-hsm
-summary = ansible-role-thales-hsm - Ansible role to configure Thales HSM clients.
+summary = ansible-role-thales-hsm - Ansible role to configure nShileld Connect HSM clients.
 description-file =
     README.rst
 author = TripleO Team
 author-email = [email protected]
-home-page = https://github.com/dmend/ansible-role-thales-hsm
+home-page = https://opendev.org/openstack/ansible-role-thales-hsm
 classifier =
   License :: OSI Approved :: Apache Software License
-  Development Status :: 4 - Beta
+  Development Status :: 5 - Production/Stable
   Intended Audience :: Developers
   Intended Audience :: System Administrators
   Intended Audience :: Information Technology

diff --git a/tasks/client.yaml b/tasks/client.yaml
@@ -5,12 +5,12 @@
     state: directory
     mode: '755'
 
-- name: Create thales group
+- name: Create nfast group
   ansible.builtin.group:
     name: nfast
     gid: "{{ thales_client_gid }}"
 
-- name: Create thales user
+- name: Create nfast user
   ansible.builtin.user:
     name: nfast
     uid: "{{ thales_client_uid }}"
@@ -25,61 +25,47 @@
     persistent: true
   when: ansible_os_family | lower == 'redhat'
 
-- name: Download Thales client tarball
-  ansible.builtin.get_url:
-    url: "{{ thales_client_tarball_location }}"
-    dest: "{{ thales_client_working_dir }}/{{ thales_client_tarball_name }}"
-    mode: '644'
-    force: false
+- name: Ensure unzip is avaliable to unzip ISO file
+  ansible.builtin.yum:
+    name: unzip
+    state: present
 
-- name: Unpack tarball to working directory
+- name: Download and unzip Security World ISO file from given url
   ansible.builtin.unarchive:
-    src: "{{ thales_client_working_dir }}/{{ thales_client_tarball_name }}"
+    src: "{{ security_world_iso_zip_url }}"
     dest: "{{ thales_client_working_dir }}"
-    creates: "{{ thales_client_working_dir }}/{{ thales_client_path }}"
     remote_src: true
 
-- name: Unpack tarball to /opt/nfast
-  ansible.builtin.shell: |
-    for i in `find "{{ thales_client_working_dir }}/{{ thales_client_path }}" -name *.tar` ; do
-        tar -C / -xvf $i ;
-    done
-  args:
-    creates: /opt/nfast/sbin/install
-
-- name: Check for libnsl dependency
-  ansible.builtin.stat:
-    path: /lib64/libnsl.so.1
-  register: st
-
-- name: Ensure libnsl dependency is installed
-  ansible.builtin.package:
-    name: libnsl
+- name: Set Security World ISO file path
+  ansible.builtin.set_fact:
+    security_world_iso: "{{ thales_client_working_dir }}/{{ security_world_iso_zip_url | basename | splitext | first }}"
+
+- name: Extract RPMs and key from Security World ISO
+  community.general.iso_extract:
+    image: "{{ security_world_iso }}"
+    dest: "{{ thales_client_working_dir }}"
+    files:
+      - linux-rpms/amd64/nShield-hwsp.rpm
+      - linux-rpms/amd64/nShield-ctls.rpm
+      - linux-rpms/amd64/nShield-ncsnmp.rpm
+      - linux-rpms/amd64/pubkey.asc
+
+- name: Import Security World RPM key
+  ansible.builtin.rpm_key:
     state: present
-  when: not st.stat.exists
+    key: "{{ thales_client_working_dir }}/pubkey.asc"
+
+- name: Install Security World RPMs
+  ansible.builtin.yum:
+    name: "{{ packages }}"
+  vars:
+    packages:
+      - "{{ thales_client_working_dir }}/nShield-hwsp.rpm"
+      - "{{ thales_client_working_dir }}/nShield-ctls.rpm"
+      - "{{ thales_client_working_dir }}/nShield-ncsnmp.rpm"
 
 - name: Run installer
   ansible.builtin.shell: set -o pipefail && echo "1" | /opt/nfast/sbin/install
-  args:
-    creates: /opt/nfast/kmdata
-
-- name: Get the security world data
-  ansible.builtin.get_url:
-    url: "{{ thales_km_data_location }}"
-    dest: "/root/{{ thales_km_data_tarball_name }}"
-    mode: '644'
-    force: false
-
-- name: Remove the old km_data
-  ansible.builtin.file:
-    path: /opt/nfast/kmdata
-    state: absent
-
-- name: Replace kmdata
-  ansible.builtin.unarchive:
-    src: "/root/{{ thales_km_data_tarball_name }}"
-    dest: /opt/nfast
-    remote_src: true
 
 - name: Create cknfastrc
   ansible.builtin.template:
@@ -114,7 +100,7 @@
     var: enquiry
 
 - name: Set up rfs_sync
-  ansible.builtin.command: /opt/nfast/bin/rfs-sync --setup --no-authenticate {{ thales_rfs_server_ip_address }}
+  ansible.builtin.command: set -o pipefail && echo "yes" | /opt/nfast/bin/rfs-sync --setup {{ thales_rfs_server_ip_address }}
 
 - name: Get keys from rfs server
   ansible.builtin.command: /opt/nfast/bin/rfs-sync --update
diff --git a/tasks/main.yaml b/tasks/main.yaml
@@ -7,6 +7,12 @@
   when: nshield_hsms is not defined and thales_hsm_ip_address is defined
   notify: Legacy vars warning
 
+- name: Allow deprecated tarball URL variable
+  ansible.builtin.set_fact:
+    security_world_iso_zip_url: "{{ thales_client_tarball_location }}"
+  when: security_world_iso_zip_url is not defined and thales_client_tarball_location is defined
+  notify: legacy vars warning
+
 - name: Include RFS tasks
   ansible.builtin.include_tasks: rfs.yaml
   when: thales_configure_rfs

diff --git a/vars.yaml.sample b/vars.yaml.sample
@@ -1,17 +1,11 @@
 ---
-thales_client_working_dir: /tmp/thales_client_install
-thales_client_tarball_location: http://myserver.example.com/CipherTools-linux64-dev-12.40.2.tgz
-thales_client_tarball_name: CipherTools-linux64-dev-12.40.2.tgz
-thales_client_path: linux/libc6_11/amd64/nfast
-thales_client_uid:  42481
-thales_client_gid:  42481
-thales_km_data_location: http://myserver.example.com/kmdata.tar.gz
-thales_km_data_tarball_name: kmdata.tar.gz
-thales_rfs_server_ip_address: 192.168.5.20
+thales_install_client: true
+security_world_iso_zip_url: https://myhost.example.com/SecWorld_Lin64-13.4.4.iso.zip
 nshield_hsms:
   - name: "My HSM 1"
     ip: 192.168.1.1
   - name: "My HSM 2"
     ip: 192.168.1.1
-thales_rfs_user: admin
-thales_rfs_key: RSA Private key in PEM format used to log into RFS server.
+thales_rfs_server_ip_address: 192.168.1.10
+thales_bootstrap_client: 192.168.100.1
+thales_client_ips: 192.168.100.1 192.168.100.2 192.168.100.3