IBM-Security / isam-ansible-roles

DEPRECATED Ansible Custom Modules, Handlers and Tasks for ISAM. Requires "ibmsecurity" python package.
Apache License 2.0
24 stars 43 forks

update_management_ssl_cert role idempotency #98

Open sygilber opened 5 years ago

sygilber commented 5 years ago

We have identified one option to support idempotency for this role. Basically, we need to try updating the management SSL certificate (p12) only if it is different from the target. Since the REST API does not allow one to download the actual management certificate in p12 format (like during the import process), we have found that, working with Python packages that come pre-installed, we are able to reach out to the certificate that is actually running/exposed on the LMI Appliance (PEM format), and then compare this with the actual target X.509 certificate (PEM format). It "may" require some actual code change in ibmsecurity, at which point, if this is required, we will advise.

Franclaf7 commented 5 years ago

We have managed to find a solution using openssl: "openssl pkcs12 [...]" and "openssl s_client -connect [...]". The first one lets us check the .p12 file from our folders to get the public certificate, while the second one lets us check the certificate from the appliance. We download each one into its own file, and then use a checksum (md5) to verify both.
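The check described in the comment above, written out as an added example (this is not code from the isam-ansible-roles project or from the commenter). It follows the same two steps, `openssl pkcs12` on the local .p12 and `openssl s_client` against the appliance, but compares SHA-256 fingerprints of the DER-encoded certificates instead of md5 sums of the downloaded PEM files, so line wrapping or the "Bag Attributes" text that `openssl pkcs12` prints cannot produce a false mismatch. The host name `isam-lmi.example.invalid`, port 443, the password `changeit` and the throwaway certificate built by `self_check` are all constructed for the example; on a real run the password would come from a vaulted Ansible variable and the host from the inventory.

```shell
#!/bin/sh
# Added example (not part of the isam-ansible-roles project): decide whether the
# management SSL certificate in a .p12 already matches what the LMI serves.
set -eu

# SHA-256 fingerprint of the first (leaf) certificate in a PEM stream on stdin.
# `openssl x509 -fingerprint` hashes the DER form, so PEM line wrapping and any
# text printed before the BEGIN line (s_client chatter, Bag Attributes) are ignored.
pem_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of the client certificate stored in a .p12 file.
# $1 = path to the .p12, $2 = its password
p12_fingerprint() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null | pem_fingerprint
}

# Fingerprint of the certificate presented by host:port during a TLS handshake.
# $1 = host, $2 = port (443 is an assumption for the LMI; check your appliance)
# If the appliance sends a chain, the first certificate is the leaf, which is
# the one the role installs, so that is the one compared.
live_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null | pem_fingerprint
}

# 0 when both fingerprints are present and identical (no update needed), 1 otherwise.
# An empty fingerprint (unreadable .p12, unreachable host) never counts as a match.
fingerprints_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Offline self-check with a constructed throwaway certificate: the fingerprint
# read back out of the .p12 must equal the fingerprint of the PEM it was built from.
self_check() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=isam-lmi.example.invalid" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$tmp/cert.pem" -inkey "$tmp/key.pem" \
        -out "$tmp/lmi.p12" -passout pass:changeit
    from_p12=$(p12_fingerprint "$tmp/lmi.p12" changeit)
    from_pem=$(pem_fingerprint < "$tmp/cert.pem")
    rm -rf "$tmp"
    echo "p12 : $from_p12"
    echo "pem : $from_pem"
    if fingerprints_match "$from_p12" "$from_pem"; then
        echo "match: nothing to update"
        return 0
    fi
    echo "MISMATCH: update required"
    return 1
}

command -v openssl >/dev/null 2>&1 || { echo "openssl not installed; skipping" >&2; exit 0; }
self_check

# Live usage against an appliance (needs network; host/port/password are placeholders):
#   if fingerprints_match "$(p12_fingerprint lmi.p12 "$P12_PASSWORD")" \
#                         "$(live_fingerprint isam-lmi.example.invalid 443)"; then
#       echo "certificate already installed"; else echo "run the update"; fi
```

In an Ansible role this would sit behind the update task as a `command`/`shell` step whose return code sets `changed_when`, so the p12 is uploaded only when the fingerprints differ. One caveat the comment does not mention: after the role installs a new certificate the LMI may take a moment to restart, so a `live_fingerprint` taken immediately afterwards can still return the old certificate or nothing at all, which the empty-fingerprint guard treats as "not a match" rather than as success.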