
Configure Ansible


Perform the following tasks to configure Ansible for your environment:

1 | Generate a key pair on the HSM using pkcs11-tool

Perform the following generation tasks:

a | Set Futurex PKCS #11 environment variables

1. In a terminal, run the following commands to set the required FXPKCS11 environment variables:



Be sure to modify the file path to match the location where the libfxpkcs11.so and fxpkcs11.cfg files are stored on your system.

b | Generate a key pair on the HSM using pkcs11-tool

1. In a terminal, run the following command to create a new RSA key pair on the HSM using pkcs11-tool:



The above pkcs11-tool command prompts for the user PIN. Enter the identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file. If successful, the command output lists the keys that pkcs11-tool generated on the HSM.

2 | Ansible Playbooks

Ansible uses Playbooks to carry out automated tasks. Within the Playbook file, you can use the PKCS #11 library to execute various functions on the HSM, including safeguarding and using SSH private keys and signing data. For more information on Ansible Playbooks, see the Ansible documentation.

The following examples demonstrate using Playbooks:

Use PKCS #11 with Ansible: SSH example

1. Create a working directory for a new Ansible project.


2. Go into the new ansible_project_01 directory.


3. Create an inventory file.



The following example inventory file uses localhost:


4. Create a playbook.yml file.



The following is an example Ansible Playbook file for testing an SSH connection using the private key created on the HSM in the previous section (ansible_rsa_privatekey).


  • Replace pkcs11_module with the location of the PKCS #11 library on your system.
  • Replace pkcs11_pin with the identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.
  • Replace pkcs11_key_id with the label of the key you set when creating the key pair with pkcs11-tool.

5. Run the following command to execute the playbook while referencing the private key stored on the HSM during the SSH connection step.



Set the username, inventory, and playbook file information according to your setup.

6. When prompted for the BECOME password, enter it.

In Ansible, the become directive escalates privileges when running tasks, similar to using sudo in the command line. The become_password parameter is the password for the user specified in become_user (which defaults to root if not specified).

7. When prompted for the password of the user you are connecting to the machine with through SSH, enter it to complete the process.

If successful, you see a response similar to the following:



You can verify that the private key was retrieved successfully by checking the FXPKCS11 log file.

Use PKCS #11 with Ansible: Signing data example

1. Create a working directory for a new Ansible project.


2. Go into the new ansible_project_02 directory.


3. Create an inventory file.



The following example inventory file uses localhost:


4. Create a playbook.yml file.



The following is an example Ansible Playbook file for signing data by using the private key created on the HSM (ansible_rsa_privatekey).


  • Replace pkcs11_module with the location of the Futurex PKCS #11 library on your system.
  • Replace pkcs11_pin with the identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.
  • Replace pkcs11_key_id with the label of the key you set when creating the key pair with pkcs11-tool.

5. Run the following command to execute the playbook, while referencing the private key stored on the HSM to perform the signing operation.



Set the username, inventory, and playbook file information according to your setup.

6. When prompted for the BECOME password, enter it.

In Ansible, the become directive escalates privileges when running tasks, similar to using sudo in the command line. The become_password parameter is the password for the user specified in become_user (which defaults to root if not specified).

If successful, you see a response similar to the following:



You can verify the signing operations within the FXPKCS11 log file.
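The following is an added example of a signing playbook in the shape the procedure above describes; it is not the page's own playbook.yml and not Futurex code. It assumes the FXPKCS11 environment variables from the first section are exported in the shell that runs ansible-playbook, that the library path and file paths shown are placeholders to adjust, that the key label is the ansible_rsa_privatekey created earlier, and that the PIN comes from an Ansible Vault variable (vault_pkcs11_pin) rather than being written in plaintext.

```yaml
---
# Added example (not from the original page): sign a file with an RSA key held
# on the HSM through the Futurex PKCS #11 library, driven by pkcs11-tool.
- name: Sign data with an HSM-resident RSA key via PKCS #11
  hosts: localhost
  connection: local
  vars:
    pkcs11_module: /usr/local/lib/libfxpkcs11.so   # assumed path; adjust to your system
    pkcs11_key_label: ansible_rsa_privatekey        # label set when the key pair was generated
    pkcs11_pin: "{{ vault_pkcs11_pin }}"            # assumed to come from an ansible-vault file
    input_file: /tmp/payload.txt
    signature_file: /tmp/payload.sig
  tasks:
    - name: Write constructed sample data to sign
      ansible.builtin.copy:
        content: "release-manifest-example\n"
        dest: "{{ input_file }}"
        mode: "0600"

    - name: Sign the file on the HSM (SHA-256 with RSA PKCS#1 v1.5)
      ansible.builtin.command:
        argv:
          - pkcs11-tool
          - --module
          - "{{ pkcs11_module }}"
          - --login
          - --pin
          - "{{ pkcs11_pin }}"
          - --sign
          - --mechanism
          - SHA256-RSA-PKCS
          - --label
          - "{{ pkcs11_key_label }}"
          - --input-file
          - "{{ input_file }}"
          - --output-file
          - "{{ signature_file }}"
      no_log: true          # keep the PIN out of Ansible output and log files
      changed_when: true

    - name: Check that a signature file was produced
      ansible.builtin.stat:
        path: "{{ signature_file }}"
      register: sig

    - name: Fail the play if the HSM did not return a signature
      ansible.builtin.assert:
        that:
          - sig.stat.exists
          - sig.stat.size > 0
```

Because the signing task uses no_log, a failed sign shows only the assert message; check the FXPKCS11 log file for the underlying reason, as the section above describes.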