# Configure Ansible
Perform the following tasks to configure Ansible for your environment:

- Generate a key pair on the {{ch}} by using pkcs11-tool
- Use Ansible playbooks

## Generate a key pair

Perform the following generation tasks to generate a key pair on the {{ch}} by using pkcs11-tool:

- Set {{futurex}} PKCS #11 environment variables
- Generate a key pair on the {{ch}} by using pkcs11-tool

### Set {{futurex}} environment variables

Perform the following steps to set the {{futurex}} PKCS #11 environment variables:

1. In a terminal, run the following commands to set the required FXPKCS11 environment variables:

   ```shell
   export FXPKCS11_MODULE=/path/to/libfxpkcs11.so; export FXPKCS11_CFG=/path/to/fxpkcs11.cfg;
   ```

   Be sure to modify the file paths to match the location where the libfxpkcs11.so and fxpkcs11.cfg files are stored on your system.

### Generate a key pair

Perform the following steps to generate a key pair on the {{ch}} by using pkcs11-tool:

1. In a terminal, run the following command to create a new RSA key pair on the {{ch}} by using pkcs11-tool:

   ```shell
   pkcs11-tool --module $FXPKCS11_MODULE --login --keypairgen --key-type rsa:2048 --label "ansible_rsa_privatekey" --id "123456"
   ```

   The preceding pkcs11-tool command prompts for the user PIN. Enter the identity password configured inside the `<CRYPTO-OPR-PASS>` tag in the fxpkcs11.cfg file.

   If successful, the command output lists the keys that pkcs11-tool generated on the {{ch}}.

## Use Ansible playbooks

Ansible uses playbooks to carry out automated tasks. Within the playbook file, you can use the {{futurex}} PKCS #11 library to execute various functions by using the {{ch}}, including safeguarding and using SSH private keys, and signing data. For more information on Ansible playbooks, see the Ansible documentation: https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_intro.html

The following examples demonstrate using playbooks.

### Use {{futurex}} PKCS #11 with Ansible: SSH example

Perform the following steps to use {{futurex}} PKCS #11 with Ansible in an SSH example:

1. Create a working directory for a new Ansible project:

   ```shell
   mkdir /ansible_project_01
   ```

2. Go into the new ansible_project_01 directory:

   ```shell
   cd /ansible_project_01
   ```

3. Create an inventory file:

   ```shell
   nano inventory
   ```

   The following example inventory file uses localhost:

   ```ini
   [local]
   localhost ansible_connection=local
   ```

4. Create a playbook.yml file:

   ```shell
   nano playbook.yml
   ```

   The following is an example Ansible playbook file for testing an SSH connection using the private key created on the {{ch}} in the previous section (ansible_rsa_privatekey):

   ```yaml
   - hosts: local
     vars:
       pkcs11_module: "/usr/local/bin/fxpkcs11/libfxpkcs11.so"
       pkcs11_pin: "safest"
       pkcs11_key_id: "ansible_rsa_privatekey"
     tasks:
       - name: Test connectivity
         command: echo "Hello, PKCS#11"

       - name: SSH to localhost using PKCS#11
         command: ssh -I {{ pkcs11_module }} jtitus@localhost echo "SSH with PKCS#11"
         register: ssh_result

       - name: Show SSH result
         debug:
           var: ssh_result.stdout
   ```

   - Replace `pkcs11_module` with the location of the {{futurex}} PKCS #11 library on your system.
   - Replace `pkcs11_pin` with the identity password configured inside the `<CRYPTO-OPR-PASS>` tag in the fxpkcs11.cfg file.
   - Replace `pkcs11_key_id` with the label of the key you set when creating the key pair via pkcs11-tool.

5. Run the following command to execute the playbook while referencing the private key stored on the HSM during the SSH connection step:

   ```shell
   sudo ansible-playbook -u <your username> -i inventory playbook.yml -k
   ```

   Set the username, inventory, and playbook file information according to your setup.

6. When prompted for the become password, enter it.

   In Ansible, the `become` directive escalates privileges when running tasks, similar to using `sudo` on the command line. The become password parameter is the password for the user specified in `become_user` (which defaults to root if not specified).

7. When prompted for the password of the user you are connecting to the machine with through SSH, enter it to complete the process.

   If successful, you see a response similar to the following:

   ```text
   PLAY [local]

   TASK [Gathering Facts]
   ok: [localhost]

   TASK [Test connectivity]
   changed: [localhost]

   TASK [SSH to localhost using PKCS#11]
   user@localhost's password:
   changed: [localhost]

   TASK [Show SSH result]
   ok: [localhost] => {
       "ssh_result.stdout": "<fxpkcs11 log output>"
   }

   PLAY RECAP
   localhost : ok=4 changed=2 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
   ```

   You can verify the successful pulling of the private key within the fxpkcs11 log file.

### Use {{futurex}} PKCS #11 with Ansible: signing data example

Perform the following steps to use {{futurex}} PKCS #11 with Ansible in a signing data example:

1. Create a working directory for a new Ansible project:

   ```shell
   sudo mkdir /ansible_project_02
   ```

2. Go into the new ansible_project_02 directory:

   ```shell
   cd /ansible_project_02
   ```

3. Create an inventory file:

   ```shell
   nano inventory
   ```

   The following example inventory file uses localhost:

   ```ini
   [local]
   localhost ansible_connection=local
   ```

4. Create a playbook.yml file:

   ```shell
   nano playbook.yml
   ```

   The following is an example Ansible playbook file for signing data by using the private key created on the {{ch}} (ansible_rsa_privatekey):

   ```yaml
   - hosts: local
     vars:
       pkcs11_module: "/usr/local/bin/fxpkcs11/libfxpkcs11.so"
       pkcs11_pin: "safest"
       pkcs11_key_id: "ansible_rsa_privatekey"
       data_to_sign: "Sign this data"
     tasks:
       - name: Sign data using PKCS#11
         shell: |
           echo -n "{{ data_to_sign }}" | openssl dgst -engine pkcs11 -keyform engine -sign "pkcs11:object={{ pkcs11_key_id }}" -out signed_data.bin
         register: sign_result
         environment:
           PKCS11_MODULE: "{{ pkcs11_module }}"
           PKCS11_PIN: "{{ pkcs11_pin }}"

       - name: Show signing result
         debug:
           msg: "Data signed successfully"
   ```

   - Replace `pkcs11_module` with the location of the {{futurex}} PKCS #11 library on your system.
   - Replace `pkcs11_pin` with the identity password configured inside the `<CRYPTO-OPR-PASS>` tag in the fxpkcs11.cfg file.
   - Replace `pkcs11_key_id` with the label of the key you set when creating the key pair in pkcs11-tool.

5. Run the following command to execute the playbook, while referencing the private key stored on the {{ch}} to perform the signing operation:

   ```shell
   sudo ansible-playbook -u <your username> -i inventory playbook.yml -k
   ```

   Set the username, inventory, and playbook file information according to your setup.

6. When prompted for the become password, enter it.

   In Ansible, the `become` directive escalates privileges when running tasks, similar to using `sudo` on the command line. The become password parameter is the password for the user specified in `become_user` (which defaults to root if not specified).

   If successful, you see a response similar to the following:

   ```text
   PLAY [local]

   TASK [Gathering Facts]
   ok: [localhost]

   TASK [Sign data using PKCS#11]
   changed: [localhost]

   TASK [Show signing result]
   ok: [localhost] => {
       "msg": "Data signed successfully"
   }

   PLAY RECAP
   localhost : ok=3 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
   ```

   You can verify the signing operations within the fxpkcs11 log file.
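The signing playbook above only reports "Data signed successfully"; it never checks that `signed_data.bin` actually verifies against the key's public half. The following script is an added example, not code from the page or from {{futurex}}: `verify_signature` is the check you would run on the playbook's output file with the public key exported from the {{ch}} (for example via `pkcs11-tool --read-object --type pubkey`, converted to PEM). Because no HSM is available here, `make_stand_in_signature` substitutes a throwaway software RSA-2048 key generated by openssl and signs the same string the playbook signs, so the flow runs offline; that stand-in, the file names `priv.pem`/`pub.pem`, and the use of SHA-256 are assumptions of this example. SHA-256 is what `openssl dgst -sign` uses when no digest option is given (OpenSSL 1.1.0 and later), so the verify side must name it explicitly.

```shell
#!/bin/sh
# Added example (not from the original page): verify the signature that the
# signing playbook writes to signed_data.bin, and show that a one-character
# change to the data is detected.
set -u

# verify_signature PUBKEY_PEM SIGNATURE_FILE DATA_STRING
# Returns 0 when SIGNATURE_FILE is a valid RSA/SHA-256 signature over
# DATA_STRING (fed without a trailing newline, matching the playbook's
# `echo -n`), 1 otherwise. With an HSM-backed key, PUBKEY_PEM is the public
# key exported from the token; the private key never leaves the HSM.
verify_signature() {
    pub="$1"; sig="$2"; data="$3"
    printf '%s' "$data" | openssl dgst -sha256 -verify "$pub" -signature "$sig" >/dev/null 2>&1
}

# make_stand_in_signature DIR
# Stand-in for the HSM (assumption of this example): generate a throwaway
# RSA-2048 key pair and sign "Sign this data" the same way the playbook's
# openssl dgst -sign call does. Writes DIR/priv.pem, DIR/pub.pem and
# DIR/signed_data.bin.
make_stand_in_signature() {
    dir="$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/priv.pem" 2>/dev/null
    openssl pkey -in "$dir/priv.pem" -pubout -out "$dir/pub.pem" 2>/dev/null
    printf '%s' "Sign this data" | openssl dgst -sha256 -sign "$dir/priv.pem" -out "$dir/signed_data.bin"
}

# demo: run the stand-in signing, then verify the genuine data and a tampered
# copy of it (an extra "!" appended).
demo() {
    work=$(mktemp -d)
    make_stand_in_signature "$work"
    if verify_signature "$work/pub.pem" "$work/signed_data.bin" "Sign this data"; then
        echo "signature OK"
    else
        echo "signature BAD"
    fi
    if verify_signature "$work/pub.pem" "$work/signed_data.bin" "Sign this data!"; then
        echo "tamper NOT detected"
    else
        echo "tamper detected"
    fi
    rm -rf "$work"
}

demo
```

Against a real {{ch}}, drop `make_stand_in_signature` and point `verify_signature` at the exported public key and the `signed_data.bin` the playbook produced. Note also that the playbook passes the PIN to the task through `environment:`; setting `no_log: true` on that task keeps the PIN out of Ansible's console output when the playbook is run with verbose flags.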