cert kdb cleanup fails to list kdb to resolve failures

[rfransix]

Hi, i'm using the following to loop through the cert kdb's and delete expired certs, however, on failure the play exits without displaying the current kdb id name. How do i code to output the kdb id on every query so i know where to focus troubleshooting? Thank you.

I can output the kdb id names on "Get All Cert KDB Names", yet when it 'changes', 'skips', or on 'failure' the output does not include the id kdb name. Here is an example error:

TASK [delete_certdb_personal_cert_cg : Get list of Personal Certificates in Keystore] *** fatal: [hostname.com]: FAILED! => {"changed": false, "log": "[2019-11-25 13:43:51,195] [PID:9329 TID:140155918956352] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_response():80] Text: {\"firmware_label\":\"isam_9.0.4.0_20171201-2325\",\"firmware_build\":\"20171201-2325\",\"firmware_version\":\"9.0.4.0\",\"product_description\":\"IBM Security Access Manager\",\"deployment_model\":\"Appliance\",\"product_name\":\"isam\"}\n[2019-11-25 13:43:51,320] [PID:9329 TID:140155918956352] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_response():80] Text: { \"configured\": true}\n[2019-11-25 13:43:51,454] [PID:9329 TID:140155918956352] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_response():80] Text: [{\"name\":\"ISAM Base Appliance\",\"description\":\"IBM Security Access Manager Base Appliance\",\"id\":\"wga\",\"enabled\":\"True\"}, {\"name\":\"ISAM Advanced Access Control\",\"description\":\"IBM Security Access Manager Advanced Access Control\",\"id\":\"mga\",\"enabled\":\"True\"}, {\"name\":\"ISAM Federation\",\"description\":\"IBM Security Access Manager Federation\",\"id\":\"federation\",\"enabled\":\"True\"}]\n[2019-11-25 13:43:52,112] [PID:9329 TID:140155918956352] [ERROR] [ibmsecurity.appliance.ibmappliance] [_process_response():64] text: {\"message\":\"DPWAP0039E An error occured in the GSKKM_OpenKeyDbX(&dbInfo, &dbh) system function: GSKKM_ERR_NULL_PARAMETER\"}\n", "msg": "('HTTP Return code: 500', u'{\"message\":\"DPWAP0039E An error occured in the GSKKM_OpenKeyDbX(&dbInfo, &dbh) system function: GSKKM_ERR_NULL_PARAMETER\"}')", "name": "ibmsecurity.isam.base.ssl_certificates.personal_certificate.get_all"}

---

Create a Report on Junctions

###########################################################################################################

Set the timestamp variable to be used in create snapshot comment

###########################################################################################################

• name: Set variables for rest of playbook hosts: localhost tasks:
  • set_fact: timestamp: "{{ lookup('pipe', 'date +%m-%d-%Y') }}" tags: ["setup"]

###########################################################################################################

Set the timestamp variable to be used in create snapshot comment

###########################################################################################################

• name: Create Snapshot hosts: primary connection: local roles:
  • role: create_snapshot create_snapshot_comment: "Prior to running delete expired certificates script {{hostvars['localhost']['timestamp']}}" tags: ["snapshot"]

###########################################################################################################

Get a list of the certificate databases from the primary appliance.

###########################################################################################################

• name: Get All Cert KDBs hosts: primary no_log: False connection: local vars: log_level: "CRITICAL" roles:

  • role: start_config

  • role: get_cert_dbs_cg

###########################################################################################################

Check to see if personal certificates in KDB are expired and delete if expired.

###########################################################################################################

• name: Get Personal Certificate Details hosts: primary connection: local tasks:

  • name: Get Personal Certificate Details include_role: name: delete_certdb_personal_cert_cg vars: cert_db_id: "{{ outer_item['id'] }}" with_items: "{{ certdbs_ret_obj['data'] | default([]) }}" loop_control: loop_var: outer_item

###########################################################################################################

Check to see if signer certificates in KDB are expired and delete if expired.

###########################################################################################################

• name: Get Signer Certificate Details hosts: primary connection: local tasks:

  • name: Get Signer Certificate Details include_role: name: delete_certdb_signer_cert_cg vars: cert_db_id: "{{ outer2_item['id'] }}" with_items: "{{ certdbs_ret_obj['data'] | default([]) }}" loop_control: loop_var: outer2_item

---

here is the get_cert_dbs_cg

• name: Get Certificate Databases ID/Names isam: appliance: "{{ inventory_hostname }}" username: "{{ username }}" password: "{{ password }}" lmi_port: "{{ lmi_port }}" log: "{{ log_level }}" force: "{{ force }}" action: ibmsecurity.isam.base.ssl_certificates.certificate_databases.get_all register: ret_obj

• name: Set variable for use by rest of playbook set_fact: certdbs_ret_obj: "{{ ret_obj }}"

• name: Output debug: msg="{{ item['id'] }}" with_items: "{{ certdbs_ret_obj['data'] }}"

[ram-ibm]

I suspect using ignore_errors flag in the task that is failing should let me proceed to the "Output" task?

[ram-ibm]

block:
rescue:
always:

https://docs.ansible.com/ansible/latest/user_guide/playbooks_blocks.html The above might be better solution to handling errors?