-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsearch_and_renew.yml
129 lines (109 loc) · 5.69 KB
/
search_and_renew.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
###############################################################################
# © Copyright IBM Corporation 2024
###############################################################################
- name: Search for expiring certificate and renew it.
hosts: all
gather_facts: false
environment: "{{ environment_vars }}"
vars:
cert_found: false
today: ''
tasks:
- name: Set variables
ansible.builtin.set_fact:
cert_label: "{{ cert_label | default('zosConnectServerCert2') }}"
cert_type: "{{ cert_type | default('USER') }}" # CERTAUTH, SITE, or USER
sign_with: "{{ sign_with | default('CERTAUTH') }}" # CERTAUTH, SITE or Self
sign_label: "{{ sign_label | default('IBM CA') }}" # Only required if sign_with is not 'Self'
owner_id: "{{ owner_id | default('STCUSR') }}"
keyring: "{{ keyring | default('Keyring.ZOSCONN') }}"
new_expiry_date: "{{ new_expiry_date | default('2025-12-31') }}"
- name: Run health check via operator command.
tags: search_and_renew, search, run_hc
ibm.ibm_zos_core.zos_operator:
cmd: "F HZSPROC,RUN,CHECK=(IBMRACF,RACF_CERTIFICATE_EXPIRATION)"
- name: Get sysname.
tags: search_and_renew, search, search_hc
ansible.builtin.command:
cmd: sysvar SYSNAME
changed_when: false
register: sysname
- name: Submit job to pull health check report.
tags: search_and_renew, search, search_hc
ibm.ibm_zos_core.zos_job_submit:
src: "{{ playbook_dir }}/templates/HZPRINT.j2"
location: local
wait_time_s: 60
register: hc_job_output
- name: 'Search report for {{ cert_label }}.'
tags: search_and_renew, search, search_hc
ansible.builtin.set_fact:
cert_found: true
with_items: "{{ hc_job_output.jobs.0.ddnames }}"
when: item.content is search(cert_label)
- name: Print whether or not certificate is expiring.
tags: search_and_renew, search, search_hc
ansible.builtin.debug:
msg: "{{ cert_label }} expiring - {{ cert_found }}"
- name: Renew certificate if it is expiring.
when: cert_found
block:
- name: Get date for timestamps.
tags: always
ansible.builtin.command: "date '+%b%d%y'"
register: date_result
changed_when: false
- name: Set variables for use in the rest of this block of tasks.
tags: always
ansible.builtin.set_fact:
today: "{{ date_result.stdout }}"
format_cert_type: "{{ 'ID(' + owner_id + ')' if cert_type == 'USER' else cert_type }}"
format_check_cert: "{{ 'ID(' + owner_id + ')' if cert_type == 'USER' else '' }}"
format_expiration: "{{ 'NOTAFTER(DATE(' + new_expiry_date + '))' if new_expiry_date != '' else '' }}"
- name: Back up current certificate.
tags: search_and_renew, renew, backup
ibm.ibm_zos_core.zos_tso_command:
commands: RACDCERT EXPORT(LABEL('{{ cert_label }}')) {{ format_cert_type }} DSN('{{ ansible_user }}.CERT.{{ cert_type }}.BACKUP.{{ today }}')
- name: Check backup certificate.
tags: search_and_renew, renew, backup
ibm.ibm_zos_core.zos_tso_command:
commands: RACDCERT CHECKCERT('{{ ansible_user }}.CERT.{{ cert_type }}.BACKUP.{{ today }}') {{ format_check_cert }}
- name: Rekey certificate with new temporary label.
tags: search_and_renew, renew, rekey
ibm.ibm_zos_core.zos_tso_command:
commands: "RACDCERT {{ format_cert_type }} REKEY(LABEL('{{ cert_label }}')) WITHLABEL('{{ cert_label }}-NEW') {{ format_expiration }}"
- name: List new certificate with temporary label.
tags: search_and_renew, renew, list_new
ibm.ibm_zos_core.zos_tso_command:
commands: RACDCERT {{ format_cert_type }} LIST(LABEL('{{ cert_label }}-NEW'))
- name: Generate signing request for new certificate.
tags: search_and_renew, renew, genreq
ibm.ibm_zos_core.zos_tso_command:
commands: RACDCERT {{ format_cert_type }} GENREQ (LABEL('{{ cert_label }}-NEW')) DSN('{{ ansible_user }}.CSR.{{ cert_type }}.{{ today }}')
when: sign_with != 'Self'
- name: Sign new certificate, if not self-signed.
tags: search_and_renew, renew, gencert
ibm.ibm_zos_core.zos_tso_command:
commands:
- RACDCERT {{ format_cert_type }} GENCERT ('{{ ansible_user }}.CSR.{{ cert_type }}.{{ today }}') SIGNWITH({{ sign_with }} LABEL('{{ sign_label }}')) {{ format_expiration }}
when: sign_with != 'Self'
- name: Rollover certificate.
tags: search_and_renew, renew, rollover
ibm.ibm_zos_core.zos_tso_command:
commands: RACDCERT {{ format_cert_type }} ROLLOVER(LABEL('{{ cert_label }}')) NEWLABEL('{{ cert_label }}-NEW')
- name: Delete old certificate.
tags: search_and_renew, renew, delete
ibm.ibm_zos_core.zos_tso_command:
commands: RACDCERT {{ format_cert_type }} DELETE(LABEL('{{ cert_label }}'))
- name: Relabel new certificate to old name.
tags: search_and_renew, renew, relabel
ibm.ibm_zos_core.zos_tso_command:
commands: RACDCERT {{ format_cert_type }} ALTER(LABEL('{{ cert_label }}-NEW')) NEWLABEL('{{ cert_label }}')
- name: Issue setropts refresh
tags: refresh
ibm.ibm_zos_core.zos_tso_command:
commands: SETROPTS RACLIST(DIGTCERT) REFRESH
- name: List renewed certificate with old label.
tags: search_and_renew, renew, list_old_label
ibm.ibm_zos_core.zos_tso_command:
commands: RACDCERT {{ format_cert_type }} LIST(LABEL('{{ cert_label }}'))