Ansible configuration

this section details the steps to configure the ansible instance to integrate with the {{futurex}} pkcs #11 library create a key pair on the vectera plus perform the following two tasks to create a key pair set futurex pkcs #11 environment variables in a terminal, run the following commands to set the required fxpkcs11 environment variables export fxpkcs11 module=/path/to/libfxpkcs11 so; export fxpkcs11 cfg=/path/to/fxpkcs11 cfg; be sure to modify the file path to match the location of libfxpkcs11 so and fxpkcs11 cfg on your system create a key pair on the vectera plus by using pkcs11 tool in a terminal, run the following command to create a new ecc key pair on the {{vectera}} by using pkcs11 tool sudo pkcs11 tool module $fxpkcs11 module login keypairgen key type rsa 2048 label "ansible rsa privatekey" id "123456" when prompted for the user pin, enter the password of the identity configured in the fxpkcs11 cfg file if successful, the command output lists the keys that pkcs11 tool created on the {{vectera}} ansible playbooks in ansible, playbooks perform automated tasks you can reference the {{futurex}} pkcs #11 library when performing these tasks inside the playbook file to perform various functions, including ssh and signing data use futurex pkcs #11 with ansible ssh example run the following commands to create an ansible project working directory and switch to it sudo mkdir /ansible project cd /ansible project run the following command to create an inventory file sudo nano inventory the following shows an example inventory file using localhost \[local] localhost ansible connection=local run the following command to create a playbook yml file sudo nano playbook yml the following shows an example ansible playbook file for testing ssh referencing the private key created in the previous section (ansible rsa privatekey) \ hosts local vars pkcs11 module "/usr/local/bin/fxpkcs11/libfxpkcs11 so" pkcs11 pin "safest" pkcs11 key id "ansible rsa privatekey" tasks \ name test connectivity command echo "hello, pkcs#11" \ name ssh to localhost using pkcs#11 command ssh i {{ pkcs11 module }} jtitus\@localhost echo "ssh with pkcs#11" register ssh result \ name show ssh result debug var ssh result stdout replace pkcs11 module with the location of the futurex pkcs #11 library on your system replace pkcs11 pin with the password you configured for the identity created for this integration replace pkcs11 key id with the label of the key you set when creating the key pair via pkcs11 tool to execute the playbook and reference the private key stored on the hsm during the ssh connection, run the following command, setting the username, inventory, and playbook file information according to your setup sudo ansible playbook u \<your username> i inventory playbook yml k when prompted for the become password in ansible, use the become directive to escalate privileges when running tasks, similar to using sudo in the command line the become password is the user password specified in become user (which defaults to root if not specified) when prompted, enter the password of the user you are connecting to the machine with through ssh after entering the password, the process completes if successful, you see a response similar to the following play \[local] task \[gathering facts] ok \[localhost] task \[test connectivity] changed \[localhost] task \[ssh to localhost using pkcs#11] user\@localhost's password changed \[localhost] task \[show ssh result] ok \[localhost] => { "ssh result stdout" "\<fxpkcs11 log output>" } play recap localhost ok=4 changed=2 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 you can verify the successful pull of the private key within the fxpkcs11 log file or the log output shown in the command response use futurex pkcs #11 with ansible encrypting and signing data example run the following commands to create an ansible project working directory and switch to it sudo mkdir /ansible project cd /ansible project run the following command to create an inventory file sudo nano inventory the following example shows an inventory file using localhost \[local] localhost ansible connection=local run the following command to create a playbook yml file sudo nano playbook yml the following example shows an ansible playbook file you can copy and use for encrypting data and signing data referencing the private key created in the previous section (ansible rsa privatekey) replace pkcs11 module with the location of the futurex pkcs #11 library on your system replace pkcs11 pin with the password you configured for the identity created for this integration replace pkcs11 key id with the label of the key you set when creating the key pair via pkcs11 tool \ hosts local vars pkcs11 module "/usr/local/bin/fxpkcs11/libfxpkcs11 so" pkcs11 pin "safest" pkcs11 key id "ansible rsa privatekey" data to encrypt "hello, pkcs#11" data to sign "sign this data" tasks \ name encrypt data using pkcs#11 shell | echo n "{{ data to encrypt }}" | openssl pkeyutl engine pkcs11 keyform engine inkey "pkcs11\ object={{ pkcs11 key id }}" sign out encrypted data bin register encrypt result environment pkcs11 module "{{ pkcs11 module }}" pkcs11 pin "{{ pkcs11 pin }}" \ name show encryption result debug msg "data encrypted successfully" \ name sign data using pkcs#11 shell | echo n "{{ data to sign }}" | openssl dgst engine pkcs11 keyform engine sign "pkcs11\ object={{ pkcs11 key id }}" out signed data bin register sign result environment pkcs11 module "{{ pkcs11 module }}" pkcs11 pin "{{ pkcs11 pin }}" \ name show signing result debug msg "data signed successfully" to execute the playbook and reference the private key stored on the hsm during the ssh connection, run the following command, setting the username, inventory, and playbook file information according to your setup sudo ansible playbook u \<your username> i inventory playbook yml k when prompted for the become password in ansible, use the become directive to escalate privileges when running tasks, similar to using sudo in the command line the become password is the password for the user specified in become user (which defaults to root if not specified) if successful, you should see a response similar to the following play \[local] task \[gathering facts] ok \[localhost] task \[encrypt data using pkcs#11] changed \[localhost] task \[show encryption result] ok \[localhost] => { "msg" "data encrypted successfully" } task \[sign data using pkcs#11] changed \[localhost] task \[show signing result] ok \[localhost] => { "msg" "data signed successfully" } play recap localhost ok=5 changed=2 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 you can verify the signing and encryption operations within the fxpkcs11 log file or by checking the contents of the output file