Ansible server
Ansible configuration
Download vid-ansible5.2.17.zip, transfer it over scp to the Ansible node and unzip it in the deployment directory (e.g. /home/veridiumid). After finishing the installation of the packages listed above on their designated nodes, connect to the Ansible node in order to start the configuration. The following variable will be used during the following steps:
Variable | Description |
---|---|
$ANSIBLE_PATH | The full path of the vid_ansible directory, where the Ansible scripts are located |
Where $ANSIBLE_PATH can be /home/veridiumid/vid_ansible
Create an SSH key for the veridiumid user
Login as the veridiumid user on the Ansible node and run the following command to generate a new SSH key:
ssh-keygen
After the key has been generated, copy the contents of /home/veridiumid/.ssh/id_rsa.pub and append them to the /home/veridiumid/.ssh/authorized_keys file on all other nodes.
Test the SSH connectivity between the Ansible node and all other nodes.
Setup environment hosts
The environment hosts file describes the structure of the deployment. In this file, for each Ansible role, the user provides the IP address(es) of the node(s).
The inventory also needs the path of the Python executable on the target nodes, which must be set in the environment hosts file.
For our deployment, the default path is /usr/bin/python3 (provided by the VeridiumID Python package).
To configure this file, edit $ANSIBLE_PATH/environments_hosts/inventory.
For multi-node deployments, you will also need to change the IP addresses in the same file, using the guiding information already there.
Ansible configuration file
The Ansible configuration file ($ANSIBLE_PATH/ansible.cfg) contains the following variables:
Variable | Default value | Description |
---|---|---|
remote_user | veridiumid | The user that will be used by Ansible for SSH connections to target nodes |
private_key_file | ~/.ssh/id_rsa | Path to the SSH key used to connect to target nodes |
ask_pass | FALSE | If the user will be asked for an SSH password when connecting to target nodes |
ask_sudo_pass | FALSE | If the user will be asked for a password when using sudo commands |
library | library | Path, relative to $ANSIBLE_PATH, of the folder containing proprietary VeridiumID Python modules |
deprecation_warnings | FALSE | Configuration used to disable deprecation log messages |
command_warnings | FALSE | Configuration used to disable Ansible log command messages |
system_warnings | FALSE | Configuration used to disable Ansible log of system warnings |
display_skipped_hosts | FALSE | Configuration used to disable Ansible log of skipped hosts |
remote_tmp | /tmp | Path of temporary folder used by Ansible |
vault_password_file | ./pass.txt | Path of password file that will be used for Ansible Vault encryptions |
callback_plugins | ./plugins/callback | Path to Ansible callbacks |
stdout_callback | skippy | Name of callback used for disabling log of tasks that are not executed by Ansible, during an inventory play |
ansible_python_interpreter | /usr/bin/python3 | The path to the Python version that will be used by Ansible |
Create the password file
In the list above, vault_password_file points to the file that Ansible Vault will use when encrypting the CA certificates.
To create this file, use the following command:
echo "PASSWORD" > $ANSIBLE_PATH/pass.txt
Where PASSWORD is a random password string selected for this installation.
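The following helper, added here as an example and not part of the vid_ansible package, generates a random vault password into the file instead of typing one, creates it with owner-only permissions (the file is a plaintext secret that unlocks every vault-encrypted CA artifact), refuses to overwrite an existing file (the same password must be reused on every later run), and checks the result. The function names are assumptions.

```shell
#!/bin/sh
# Create and verify the Ansible Vault password file ($ANSIBLE_PATH/pass.txt).
set -eu

# create_vault_password_file FILE: write 32 random bytes (base64) as the
# vault password, with mode 600, never overwriting an existing file.
create_vault_password_file() {
  file="$1"
  if [ -e "$file" ]; then
    echo "refusing to overwrite existing vault password file $file" >&2
    return 1
  fi
  # umask 077 in a subshell so the file is created owner-readable only,
  # without changing the umask of the caller's shell.
  ( umask 077
    openssl rand -base64 32 > "$file" )
}

# check_vault_password_file FILE: succeed only if the file exists, is
# non-empty and has exactly mode 600 (no group/other access).
check_vault_password_file() {
  file="$1"
  [ -s "$file" ] || return 1
  [ -n "$(find "$file" -perm 600 -print)" ]
}
```

Run it as `create_vault_password_file "$ANSIBLE_PATH/pass.txt"` and keep the file out of backups and version control that other users can read.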
Setup VeridiumID system configuration parameters
The default variable file used by Ansible is the following: $ANSIBLE_PATH/mandatory_vars.yml
Variable | Default value | Description |
---|---|---|
HAPROXY_SNI | TRUE | Set to FALSE for a ports-based deployment or to TRUE for an SNI deployment |
JAVA_HOME | /usr/java/jdk1.8.0_172-amd64 | The path of the installed JAVA version (example /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre) |
DATACENTER_TAG | DC1 | The datacenter name used for Cassandra |
ROOT_ACCESS | FALSE | If the root user will be used by the Ansible script |
DEFAULT_SERVICE | TRUE | If services are managed with the default service command (bash example: service SERVICE_NAME stop/start) |
PRIVILEGE_ESCALATION | TRUE | If the user can gain root privileges |
ENVIRONMENT | test | The environment name (should be lower case) |
DOMAIN_NAME | | The environment’s domain name (should be lower case) |
LDAP_URL | ldap://127.0.0.1:389 | LDAP url |
LDAP_CREDENTIALS_PASSWORD | default | The LDAP user password |
LDAP_SECURITY_PROTOCOL | plain | The LDAP security protocol |
LDAP_CREDENTIALS_USERNAME | Administrator@test.local | The LDAP user |
LDAP_BASE_DN | DC=test,DC=local | The LDAP connection’s base DN |
TOMCAT_RAM | 2g | The memory limit for Tomcat service |
ZOOKEEPER_RAM | 2g | The memory limit for Zookeeper service |
CASSANDRA_RAM | 2g | The memory limit for Cassandra service |
KAKFA_RAM | 1g | The memory limit for Kafka service |
FIDO_RAM | 1g | The memory limit for Fido service |
SELFSERVICE_RAM | 1g | The memory limit for Self Service Portal service |
WEBSECADMIN_RAM | 1g | The memory limit for Admin Dashboard service |
NOTIFICATIONS_RAM | 1g | The memory limit for Notifications service |
STATISTICS_RAM | 256m | The memory limit for each of the six Statistics services |
DATA_RETENTION_RAM | 1g | The memory limit for Data Retention service |
CA_DAYS | 3650 | Validity of the self signed CA certificate |
CA_COUNTRY | RO | Country parameter of the CA certificate |
CA_CITY | Bucharest | City parameter of the CA certificate |
CA_STATE | Bucharest | State parameter of the CA certificate |
CA_EMAIL | | Email parameter of the CA certificate |
CA_ORG_UNIT | VeridiumID | Organization Unit parameter of the CA certificate |
CA_ORGANISATION | VeridiumID | Organization parameter of the CA certificate |
CA_CN_NAME | {{ ENVIRONMENT }}-DC1-ROOT-CA-{{ CA_ORGANISATION }} | Common Name parameter of the CA certificate |
The default values above should be updated with the customer’s preferred values for this installation.
HaProxy domain configuration
The Ansible role in charge of configuring HaProxy can add the client’s domain certificate during the configuration. To use an existing domain certificate, create the following directory path:
mkdir -p $ANSIBLE_PATH/group_files/DOMAIN_NAME
Where DOMAIN_NAME is the name of the client’s domain (the value of DOMAIN_NAME set in the previous step). Copy into this directory the private key and public certificate extracted from the domain certificate. The files must have the following names:
privateKey.pem
publicCert.pem
To extract the private key and public certificate from a PKCS#12 file, run the following commands:
openssl pkcs12 -in domain.p12 -nocerts -nodes -out privateKey.pem
openssl pkcs12 -in domain.p12 -nokeys -out publicCert.pem
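The following script, added here as an example and not part of the vid_ansible package, wraps the two openssl commands above so that the unencrypted privateKey.pem is created owner-readable only, and adds the two checks worth running before the HaProxy role picks the files up: that the key really belongs to the certificate, and that the certificate is not about to expire. The function names and the optional PKCS#12 password argument are assumptions.

```shell
#!/bin/sh
# Extract privateKey.pem and publicCert.pem from a PKCS#12 bundle into the
# HaProxy group_files directory, then verify the pair before Ansible uses it.
set -eu

# extract_domain_cert P12 OUTDIR [PASSWORD]: same two openssl commands as in
# the text; PASSWORD is empty when the bundle has none.
extract_domain_cert() {
  p12="$1"; outdir="$2"; pass="${3:-}"
  mkdir -p "$outdir"
  # -nodes writes the key unencrypted, so create it with mode 600 (umask 077
  # in a subshell leaves the caller's umask untouched).
  ( umask 077
    openssl pkcs12 -in "$p12" -nocerts -nodes -passin "pass:$pass" \
      -out "$outdir/privateKey.pem" )
  openssl pkcs12 -in "$p12" -nokeys -passin "pass:$pass" \
    -out "$outdir/publicCert.pem"
}

# key_matches_cert OUTDIR: succeed only when the public key embedded in
# publicCert.pem equals the public key derived from privateKey.pem.
key_matches_cert() {
  outdir="$1"
  cert_pub=$(openssl x509 -in "$outdir/publicCert.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$outdir/privateKey.pem" -pubout)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for OUTDIR SECONDS: succeed when publicCert.pem will still be
# valid SECONDS from now (openssl -checkend exits non-zero otherwise).
cert_valid_for() {
  openssl x509 -in "$1/publicCert.pem" -noout -checkend "$2" >/dev/null
}
```

A typical call is `extract_domain_cert domain.p12 "$ANSIBLE_PATH/group_files/$DOMAIN_NAME"` followed by `key_matches_cert` and `cert_valid_for ... 2592000` (30 days) on the same directory.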
Ansible connectivity check
To check the connectivity between the Ansible node and the other nodes, run the following command from the $ANSIBLE_PATH directory:
ansible -i $ANSIBLE_PATH/environments_hosts/inventory all -m ping