-
Notifications
You must be signed in to change notification settings - Fork 0
/
search_and_renew.yml
162 lines (140 loc) · 7.24 KB
/
search_and_renew.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
###############################################################################
# © Copyright IBM Corporation 2020, 2021
###############################################################################
- hosts: all
collections:
- ibm.ibm_zos_core
gather_facts: false
environment: "{{ environment_vars }}"
vars:
cert_label: 'zosConnectServerCert2' # must be 8 char or less
cert_type: 'USER' # USER or SITE or CERTAUTH
sign_with: 'CERTAUTH' # blank or CERTAUTH
sign_label: 'IBM CA'
owner_id: 'STCUSR'
keyring_name: 'Keyring.ZOSCONN'
expiry_date: '2025-12-31'
cert_found: false
today: ''
tasks:
- name: Create temporary directory to store bank files
tempfile:
state: directory
path: /tmp
register: playbook_tmp_dir
- block:
- include_role:
name: issue_operator_cmd
vars:
task_description: 'Run Health Checker'
command: "F HZSPROC,RUN,CHECK=(IBMRACF,RACF_CERTIFICATE_EXPIRATION)"
- include_role:
name: print_hc_buffer
vars:
hc_check: 'IBMRACF,RACF_CERTIFICATE_EXPIRATION'
- name: search for {{cert_label}} in report
set_fact:
cert_found: true
with_items: "{{hc_job_output.jobs.0.ddnames}}"
# when: cert_label in item.content
when: item.content is search(cert_label)
- debug: msg="{{cert_label}} expiring - {{cert_found}}"
- command: "date '+%b%d%y'"
register: date_result
when: cert_found
- set_fact:
today: "{{ date_result.stdout }}"
when: cert_found
- include_role:
name: issue_tso_cmd
vars:
task_description: 'Back up current certificate'
command:
- RACDCERT EXPORT(LABEL('{{cert_label}}')) DSN('{{ ansible_user }}.CERT.{{cert_type}}.BACKUP.{{today}}') {{cert_type}}
- RACDCERT CHECKCERT('{{ ansible_user }}.CERT.{{cert_type}}.BACKUP.{{today}}')
when: cert_found and not cert_type == 'USER'
- include_role:
name: issue_tso_cmd
vars:
task_description: 'Back up current certificate'
command:
- RACDCERT EXPORT(LABEL('{{cert_label}}')) ID({{owner_id}}) DSN('{{ ansible_user }}.CERT.{{cert_type}}.BACKUP.{{today}}')
- RACDCERT CHECKCERT('{{ ansible_user }}.CERT.{{cert_type}}.BACKUP.{{today}}') ID({{owner_id}})
when: cert_found and cert_type == 'USER'
- include_role:
name: issue_tso_cmd
vars:
task_description: 'Rekey and Generate new cert request for {{cert_type}}'
command:
- RACDCERT {{cert_type}} REKEY(LABEL('{{cert_label}}')) WITHLABEL('{{cert_label}}-NEW') NOTAFTER(DATE({{expiry_date}}))
- RACDCERT {{cert_type}} LIST(LABEL('{{cert_label}}-NEW'))
- RACDCERT {{cert_type}} GENREQ (LABEL('{{cert_label}}-NEW')) DSN('{{ ansible_user }}.CSR.{{cert_type}}.{{today}}')
- RACDCERT {{cert_type}} DELETE(LABEL('{{ cert_label }}'))
when: cert_found and not cert_type == 'USER'
- include_role:
name: issue_tso_cmd
vars:
task_description: 'Rekey and Generate new cert request for {{cert_type}}'
command:
- RACDCERT REKEY(LABEL('{{cert_label}}')) WITHLABEL('{{cert_label}}-NEW') ID({{ owner_id}}) NOTAFTER(DATE({{expiry_date}}))
- RACDCERT ID({{ owner_id }}) LIST(LABEL('{{cert_label}}-NEW'))
- RACDCERT GENREQ (LABEL('{{cert_label}}-NEW')) ID({{owner_id}}) DSN('{{ ansible_user }}.CSR.{{cert_type}}.{{today}}')
- RACDCERT ID({{owner_id}}) DELETE(LABEL('{{ cert_label }}'))
when: cert_found and cert_type == 'USER'
- name: Save new expiration date
ansible.builtin.set_fact:
new_cert_expiration_date: "{{ item }}"
with_items: "{{ tso_cmd_output.output.1.content }}"
when: tso_cmd_output is defined and item is search("End Date:")
- include_role:
name: issue_tso_cmd
vars:
task_description: 'Install and connect local cert for {{cert_type}}'
command:
- RACDCERT {{cert_type}} GENCERT('{{ ansible_user }}.CSR.{{cert_type}}.{{today}}') SIGNWITH({{sign_with}} LABEL('{{sign_label}}')) NOTAFTER(DATE({{expiry_date}}))
- RACDCERT {{cert_type}} ALTER(LABEL('{{ cert_label}}-NEW')) NEWLABEL('{{ cert_label}}')
- RACDCERT ID({{owner_id}}) CONNECT({{cert_type}} LABEL('{{cert_label}}') RING({{keyring_name}}) DEFAULT USAGE(PERSONAL))
when: cert_found and not sign_label == ' ' and not cert_type == 'USER'
- include_role:
name: issue_tso_cmd
vars:
task_description: 'Install and connect local cert for {{cert_type}}'
command:
- RACDCERT ID({{owner_id}}) GENCERT('{{ ansible_user }}.CSR.{{cert_type}}.{{today}}') SIGNWITH({{sign_with}} LABEL('{{sign_label}}')) NOTAFTER(DATE({{expiry_date}}))
- RACDCERT ID({{ owner_id}}) ALTER(LABEL('{{ cert_label}}-NEW')) NEWLABEL('{{ cert_label}}')
- RACDCERT ID({{owner_id}}) CONNECT(LABEL('{{cert_label}}') RING({{keyring_name}}) DEFAULT USAGE(PERSONAL))
when: cert_found and not sign_label == ' ' and cert_type == 'USER'
- include_role:
name: issue_tso_cmd
vars:
task_description: 'Install and connect self-signed cert for {{cert_type}}'
command:
- RACDCERT {{cert_type}} GENCERT('{{ ansible_user }}.CSR.{{cert_type}}.{{today}}') SIGNWITH({{sign_with}} LABEL('{{cert_label}}NEW')) NOTAFTER(DATE({{expiry_date}}))
- RACDCERT {{cert_type}} ALTER(LABEL('{{ cert_label}}-NEW')) NEWLABEL('{{ cert_label}}')
- RACDCERT ID({{owner_id}}) CONNECT({{cert_type}} LABEL('{{cert_label}}') RING({{keyring_name}}) DEFAULT USAGE(PERSONAL))
when: cert_found and sign_label == ' ' and not cert_type == 'USER'
- include_role:
name: issue_tso_cmd
vars:
task_description: 'Install and connect self-signed cert for {{cert_type}}'
command:
- RACDCERT ID({{owner_id}}) GENCERT('{{ ansible_user }}.CSR.{{cert_type}}.{{today}}') SIGNWITH({{sign_with}} LABEL('{{cert_label}}NEW')) NOTAFTER(DATE({{expiry_date}}))
- RACDCERT ID({{ owner_id}}) ALTER(LABEL('{{ cert_label}}-NEW')) NEWLABEL('{{ cert_label}}')
- RACDCERT ID({{owner_id}}) CONNECT(LABEL('{{cert_label}}') RING({{keyring_name}}) DEFAULT USAGE(PERSONAL))
when: cert_found and sign_label == ' ' and cert_type == 'USER'
- include_role:
name: issue_operator_cmd
vars:
task_description: 'Run Health Check'
command: "F HZSPROC,RUN,CHECK=(IBMRACF,RACF_CERTIFICATE_EXPIRATION)"
when: cert_found
- name: Print new certificate expiration date
ansible.builtin.debug:
var: new_cert_expiration_date
always:
- name: Delete the temporary directory
file:
path: "{{ playbook_tmp_dir.path }}"
state: absent
vars:
uss_file_path: '{{ playbook_tmp_dir.path }}'