-
Notifications
You must be signed in to change notification settings - Fork 70
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #818 from Anand-Reddy7/anand-4171
Adding IBM Key Protect Support
- Loading branch information
Showing
22 changed files
with
500 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| # Enabling Encryption with IBM® Key Protect on IBM Storage Scale | ||
|
|
||
| IBM® Key Protect is a powerful service on IBM Cloud that simplifies the provisioning and storage of encrypted keys for applications across IBM Cloud services. By using IBM Key Protect, you can centralize the management of data encryption and efficiently oversee the entire key lifecycle, providing a robust foundation for securing your data on an IBM Storage Scale cluster. | ||
|
|
||
| ## Setting Up IBM Key Protect | ||
|
|
||
| The first step in enabling encryption for your Storage Scale cluster file system is to create a Key Protect service. Once the service is set up, you will generate an encryption key and apply an encryption policy to your desired file system within the cluster. For a detailed guide on setting up and managing your Key Protect service, refer to the [IBM Key Protect documentation](https://cloud.ibm.com/docs/key-protect?topic=key-protect-about). | ||
|
|
||
| ## Configuring Cluster Nodes | ||
|
|
||
| To ensure that every node in the cluster can access the encrypted file system, it's essential to have specific configuration files on each node. These include: | ||
|
|
||
| - `/var/mmfs/etc/RKM.conf` | ||
| - `/var/mmfs/etc/prefix.p12` | ||
|
|
||
| These files are critical for enabling secure access to the encrypted file system across the entire cluster. Without them, nodes will not be able to interact with the encrypted data. | ||
|
|
||
| ## Understanding Secure Storage and Data Protection | ||
|
|
||
| Secure storage relies on encryption to render data unreadable to unauthorized users. Data is encrypted while at rest (on disk) and decrypted only when accessed by authorized users. It's important to note that encryption protects only the data itself, not the associated metadata. | ||
|
|
||
| IBM GPFS encryption safeguards against various threats, including disk theft or improper disposal, and unprivileged user attacks in a multi-tenant cluster. However, it does not protect against malicious actions by a cluster administrator. | ||
|
|
||
| In addition to securing data, GPFS encryption facilitates secure data deletion. By leveraging encryption and key management, it ensures that once the master encryption keys are deleted from the key server, the data becomes irretrievable. For more details, refer to [Encryption keys](https://www.ibm.com/docs/en/STXKQY_5.1.8/com.ibm.spectrum.scale.v5r10.doc/bl1adv_encryptionkeys.html#encryptionkeys). | ||
|
|
||
| ## Applying Encryption on the IBM Storage Scale | ||
|
|
||
| The `kp_encryption_apply` Ansible role simplifies the encryption process by automating the following tasks: | ||
|
|
||
| - Applying the encryption policy to the IBM Storage Scale cluster file system. | ||
| - Validating the encryption to ensure proper implementation. | ||
|
|
||
| ## Verifying Encryption on the File System | ||
|
|
||
| 1. Log in to any of the cluster nodes (storage or compute) using the following SSH command and switch to the `root` user: | ||
|
|
||
| ```bash | ||
| ssh -J root@BASTION_SERVER vpcuser@STORAGE_NODE | ||
| sudo -i | ||
| ``` | ||
|
|
||
| 2. Validate the policy applied to the cluster by running the following command: | ||
|
|
||
| ```bash | ||
| mmlspolicy FILESYSTEM_NAME -L | ||
| ``` | ||
|
|
||
| 3. Check the encryption status of a specific file by running the following command: | ||
|
|
||
| ```bash | ||
| mmlsattr -n gpfs.Encryption FILE_NAME | ||
| ``` | ||
|
|
||
| For more in-depth information about encryption in IBM Spectrum Scale, including various encryption use cases, see the [Encryption documentation](https://www.ibm.com/docs/en/storage-scale/5.1.8?topic=administering-encryption). |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| # Apply Encryption Policy on IBM Storge Scale Cluster | ||
|
|
||
| - name: KeyProtect Encryption | Encryption Apply | Check encryption policy for file system | ||
| command: mmlspolicy {{ filesystem_mountpoint }} -L | ||
| register: policy_output | ||
| ignore_errors: yes | ||
|
|
||
| - name: KeyProtect Encryption | Encryption Apply | Check if encryption policy is applied | ||
| set_fact: | ||
| encryption_applied: "{{ 'KEYS' in policy_output.stdout }}" | ||
|
|
||
| - name: KeyProtect Encryption | Encryption Apply | Check if KP.fsenc.pol file exists | ||
| stat: | ||
| path: /var/mmfs/etc/KP.fsenc.pol | ||
| register: fsenc_pol_stat | ||
| when: not encryption_applied | ||
|
|
||
| - name: KeyProtect Encryption | Encryption Apply | Apply Policy | ||
| command: mmchpolicy {{ filesystem_mountpoint }} /var/mmfs/etc/KP.fsenc.pol | ||
| when: not encryption_applied | ||
| run_once: true | ||
|
|
||
| - name: KeyProtect Encryption | Encryption Apply | Show Applied Policy | ||
| command: mmlspolicy {{ filesystem_mountpoint }} -L | ||
| register: policy_output | ||
| run_once: true | ||
|
|
||
| - name: KeyProtect Encryption | Encryption Apply | Display Policy Output | ||
| debug: | ||
| msg: "{{ policy_output.stdout }}" | ||
| run_once: true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
|
|
||
| # Import the 'apply_encryption.yml' task to Apply the Encryption on the Scale Cluster. | ||
|
|
||
| - import_tasks: apply_encryption.yml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| # Static Variables for Encryption | ||
|
|
||
| # Scale File System Mount Point | ||
| filesystem_mountpoint: "{{ filesystem_mountpoint }}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| # Enabling Encryption with IBM® Key Protect on IBM Storage Scale | ||
|
|
||
| IBM® Key Protect is a powerful service on IBM Cloud that simplifies the provisioning and storage of encrypted keys for applications across IBM Cloud services. By using IBM Key Protect, you can centralize the management of data encryption and efficiently oversee the entire key lifecycle, providing a robust foundation for securing your data on an IBM Storage Scale cluster. | ||
|
|
||
| ## Setting Up IBM Key Protect | ||
|
|
||
| The first step in enabling encryption for your Storage Scale cluster file system is to create a Key Protect service. Once the service is set up, you will generate an encryption key and apply an encryption policy to your desired file system within the cluster. For a detailed guide on setting up and managing your Key Protect service, refer to the [IBM Key Protect documentation](https://cloud.ibm.com/docs/key-protect?topic=key-protect-about). | ||
|
|
||
| ## Configuring Cluster Nodes | ||
|
|
||
| To ensure that every node in the cluster can access the encrypted file system, it's essential to have specific configuration files on each node. These include: | ||
|
|
||
| - `/var/mmfs/etc/RKM.conf` | ||
| - `/var/mmfs/etc/prefix.p12` | ||
|
|
||
| These files are critical for enabling secure access to the encrypted file system across the entire cluster. Without them, nodes will not be able to interact with the encrypted data. | ||
|
|
||
| ## Understanding Secure Storage and Data Protection | ||
|
|
||
| Secure storage relies on encryption to render data unreadable to unauthorized users. Data is encrypted while at rest (on disk) and decrypted only when accessed by authorized users. It's important to note that encryption protects only the data itself, not the associated metadata. | ||
|
|
||
| IBM GPFS encryption safeguards against various threats, including disk theft or improper disposal, and unprivileged user attacks in a multi-tenant cluster. However, it does not protect against malicious actions by a cluster administrator. | ||
|
|
||
| In addition to securing data, GPFS encryption facilitates secure data deletion. By leveraging encryption and key management, it ensures that once the master encryption keys are deleted from the key server, the data becomes irretrievable. For more details, refer to [Encryption keys](https://www.ibm.com/docs/en/STXKQY_5.1.8/com.ibm.spectrum.scale.v5r10.doc/bl1adv_encryptionkeys.html#encryptionkeys). | ||
|
|
||
| ## Configuring Key Protect | ||
|
|
||
| The `kp_encryption_configure` Ansible role automates the distribution of essential files to streamline the encryption process: | ||
|
|
||
| - Distributing the `.p12` and `RKM.conf` files to all servers to enable encryption. | ||
|
|
||
|
|
||
| For more in-depth information about encryption in IBM Spectrum Scale, including various encryption use cases, see the [Encryption documentation](https://www.ibm.com/docs/en/storage-scale/5.1.8?topic=administering-encryption). |
33 changes: 33 additions & 0 deletions
33
roles/kp_encryption_configure/tasks/copy_config_files_to_remote.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| # Distribute .p12 and RKM.conf files to all servers to apply encryption. | ||
|
|
||
| - block: | ||
| - name: KeyProtect Encryption | Encryption Configuration | Check .p12 | ||
| stat: | ||
| path: "/var/mmfs/etc/{{ kp_resource_prefix }}.p12" | ||
| register: p12_file_stat | ||
|
|
||
| - name: KeyProtect Encryption | Encryption Configuration | Copy .p12 | ||
| copy: | ||
| src: "{{ key_protect_cert_files_dir }}/{{ kp_resource_prefix }}.p12" | ||
| dest: "/var/mmfs/etc/{{ kp_resource_prefix }}.p12" | ||
| owner: root | ||
| group: root | ||
| mode: '0600' | ||
| when: not p12_file_stat.stat.exists | ||
| register: p12_copy_result | ||
|
|
||
| - name: KeyProtect Encryption | Encryption Configuration | Check RKM.conf | ||
| stat: | ||
| path: "/var/mmfs/etc/RKM.conf" | ||
| register: rkm_conf_stat | ||
|
|
||
| - name: KeyProtect Encryption | Encryption Configuration | Copy RKM.conf | ||
| copy: | ||
| src: "{{ key_protect_cert_files_dir }}/RKM.conf" | ||
| dest: "/var/mmfs/etc/RKM.conf" | ||
| owner: root | ||
| group: root | ||
| mode: '0600' | ||
| when: not rkm_conf_stat.stat.exists | ||
|
|
||
| when: key_protect_cert_files_dir is defined and key_protect_cert_files_dir | length > 0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
|
|
||
| # Import the 'copy_config_files_to_remote.yml' task to obtain the RKM.conf and .p12 certificate files and copy them to Bootstrap node. | ||
|
|
||
| - import_tasks: copy_config_files_to_remote.yml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| # Static Variables for Encryption | ||
|
|
||
| # Resource Prefix | ||
| kp_resource_prefix: "{{ kp_resource_prefix }}" | ||
|
|
||
| # Key Protect files path on Bootstrap node | ||
| key_protect_cert_files_dir: "/opt/IBM/ibm-spectrumscale-cloud-deploy/key_protect" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| # Enabling Encryption with IBM® Key Protect on IBM Storage Scale | ||
|
|
||
| IBM® Key Protect is a powerful service on IBM Cloud that simplifies the provisioning and storage of encrypted keys for applications across IBM Cloud services. By using IBM Key Protect, you can centralize the management of data encryption and efficiently oversee the entire key lifecycle, providing a robust foundation for securing your data on an IBM Storage Scale cluster. | ||
|
|
||
| ## Setting Up IBM Key Protect | ||
|
|
||
| The first step in enabling encryption for your Storage Scale cluster file system is to create a Key Protect service. Once the service is set up, you will generate an encryption key and apply an encryption policy to your desired file system within the cluster. For a detailed guide on setting up and managing your Key Protect service, refer to the [IBM Key Protect documentation](https://cloud.ibm.com/docs/key-protect?topic=key-protect-about). | ||
|
|
||
| ## Configuring Cluster Nodes | ||
|
|
||
| To ensure that every node in the cluster can access the encrypted file system, it's essential to have specific configuration files on each node. These include: | ||
|
|
||
| - `/var/mmfs/etc/RKM.conf` | ||
| - `/var/mmfs/etc/prefix.p12` | ||
|
|
||
| These files are critical for enabling secure access to the encrypted file system across the entire cluster. Without them, nodes will not be able to interact with the encrypted data. | ||
|
|
||
| ## Understanding Secure Storage and Data Protection | ||
|
|
||
| Secure storage relies on encryption to render data unreadable to unauthorized users. Data is encrypted while at rest (on disk) and decrypted only when accessed by authorized users. It's important to note that encryption protects only the data itself, not the associated metadata. | ||
|
|
||
| IBM GPFS encryption safeguards against various threats, including disk theft or improper disposal, and unprivileged user attacks in a multi-tenant cluster. However, it does not protect against malicious actions by a cluster administrator. | ||
|
|
||
| In addition to securing data, GPFS encryption facilitates secure data deletion. By leveraging encryption and key management, it ensures that once the master encryption keys are deleted from the key server, the data becomes irretrievable. For more details, refer to [Encryption keys](https://www.ibm.com/docs/en/STXKQY_5.1.8/com.ibm.spectrum.scale.v5r10.doc/bl1adv_encryptionkeys.html#encryptionkeys). | ||
|
|
||
| ## Preparation of the Key Protect service: | ||
|
|
||
| To streamline the encryption setup process, the `kp_encryption_prepare` Ansible role automates the following tasks: | ||
|
|
||
| - Creating a directory and password file for non-interactive deployment of Key Protect. | ||
| - Copying SSL certificates from the bootstrap node to the management node. | ||
| - Creating a `.p12` certificate store. | ||
| - Generating the encryption key. | ||
| - Creating a policy file. | ||
| - Updating the `RKM.conf` file. | ||
|
|
||
| For more in-depth information about encryption in IBM Spectrum Scale, including various encryption use cases, see the [Encryption documentation](https://www.ibm.com/docs/en/storage-scale/5.1.8?topic=administering-encryption). |
46 changes: 46 additions & 0 deletions
46
roles/kp_encryption_prepare/tasks/copy_encryption_files_to_ansible_master.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| # Get RKM.conf and .p12 cert | ||
|
|
||
| - block: | ||
| - name: KeyProtect Encryption | Encryption Prepare | Check .p12 exists | ||
| stat: | ||
| path: "{{ key_protect_dir }}/{{ resource_prefix }}.p12" | ||
| register: p12_file_stat | ||
|
|
||
| - name: KeyProtect Encryption | Encryption Prepare | Update permissions | ||
| file: | ||
| path: "{{ key_protect_dir }}/{{ resource_prefix }}.p12" | ||
| mode: '0644' | ||
| when: p12_file_stat.stat.exists | ||
| run_once: true | ||
|
|
||
| - name: KeyProtect Encryption | Encryption Prepare | Check RKM.conf | ||
| stat: | ||
| path: "{{ key_protect_dir }}/RKM.conf" | ||
| register: rkm_conf_stat | ||
|
|
||
| - name: KeyProtect Encryption | Encryption Prepare | Copy RKM.comf | ||
| template: | ||
| src: "templates/RKM.conf.j2" | ||
| dest: "{{ key_protect_dir }}/RKM.conf" | ||
| owner: root | ||
| group: root | ||
| mode: '0600' | ||
| when: not rkm_conf_stat.stat.exists | ||
| run_once: true | ||
|
|
||
| - name: KeyProtect Encryption | Encryption Prepare | Fetch .p12 | ||
| fetch: | ||
| src: "{{ key_protect_dir }}/{{ resource_prefix }}.p12" | ||
| dest: "{{ key_protect_cert_files_dir }}/" | ||
| flat: yes | ||
| when: p12_file_stat.stat.exists | ||
| run_once: true | ||
|
|
||
| - name: KeyProtect Encryption | Encryption Prepare | Fetch RKM.conf | ||
| fetch: | ||
| src: "{{ key_protect_dir }}/RKM.conf" | ||
| dest: "{{ key_protect_cert_files_dir }}/" | ||
| flat: yes | ||
| run_once: true | ||
|
|
||
| when: key_protect_dir is defined and key_protect_dir | length > 0 |
76 changes: 76 additions & 0 deletions
76
roles/kp_encryption_prepare/tasks/create_encryption_key.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,76 @@ | ||
| # Create .p12 certificate and Create Encryption Key | ||
| # Create a Policy file | ||
|
|
||
| - block: | ||
| - name: KeyProtect Encryption | Encryption Prepare | Check if .p12 cert exists | ||
| stat: | ||
| path: "{{ key_protect_dir }}/{{ resource_prefix }}.p12" | ||
| register: cert_file_stat | ||
|
|
||
| - name: Run mmgskkm store command | Encryption Prepare | Create a .p12 Store Cert | ||
| command: mmgskkm store --pwd "{{ scale_encryption_admin_password }}" --label "{{ resource_prefix }}" --cert "{{ key_protect_dir }}/{{ resource_prefix }}.cert" --priv "{{ key_protect_dir }}/{{ resource_prefix }}.key" --out "{{ key_protect_dir }}/{{ resource_prefix }}.p12" | ||
| args: | ||
| chdir: "{{ key_protect_dir }}" | ||
| when: not cert_file_stat.stat.exists | ||
| run_once: true | ||
|
|
||
| - name: Run mmgskkm trust command | Encryption Prepare | Apply Trust on .p12 Cert | ||
| command: mmgskkm trust --prefix "{{ key_protect_dir }}/Key_Protect_Server.chain" --pwd "{{ scale_encryption_admin_password }}" --label "{{ resource_prefix }}" --out "{{ key_protect_dir }}/{{ resource_prefix }}.p12" | ||
| args: | ||
| chdir: "{{ key_protect_dir }}" | ||
| register: p12cert | ||
| when: not cert_file_stat.stat.exists | ||
| run_once: true | ||
|
|
||
| - name: Sleep for 5 seconds | ||
| ansible.builtin.pause: | ||
| seconds: 5 | ||
|
|
||
| - name: KeyProtect Encryption | Encryption Prepare | Check if key creation has already performed | ||
| stat: | ||
| path: "{{ key_protect_dir }}/key_creation_done.flag" | ||
| register: flag_file_stat | ||
|
|
||
| - name: KeyProtect Encryption | Encryption Prepare | Create Encryption Key | ||
| command: > | ||
| mmkmipkm createkey | ||
| --host "{{ vpc_region }}.kms.cloud.ibm.com" | ||
| --kmipport "{{ resource_prefix }}.port" | ||
| --keystore "{{ key_protect_dir }}/{{ resource_prefix }}.p12" | ||
| --keypass "{{ key_protect_dir }}/{{ resource_prefix }}.pwd" | ||
| --label "{{ resource_prefix }}" | ||
| args: | ||
| chdir: "{{ key_protect_dir }}" | ||
| register: createkey_output | ||
| when: p12cert is defined and not flag_file_stat.stat.exists | ||
| run_once: true | ||
|
|
||
| - name: KeyProtect Encryption | Encryption Prepare | Debug createkey_output | ||
| debug: | ||
| var: createkey_output | ||
| when: createkey_output is defined | ||
|
|
||
| - name: KeyProtect Encryption | Encryption Prepare | Create flag to indicate key creation has been performed | ||
| file: | ||
| path: "{{ key_protect_dir }}/key_creation_done.flag" | ||
| state: touch | ||
| when: not flag_file_stat.stat.exists | ||
| run_once: true | ||
|
|
||
| - name: KeyProtect Encryption | Encryption Prepare | Set Encryption key fact | ||
| set_fact: | ||
| encryption_key: "{{ createkey_output.stdout if createkey_output is defined and 'stdout' in createkey_output and createkey_output.stdout != '' }}" | ||
| when: not flag_file_stat.stat.exists | ||
| run_once: true | ||
|
|
||
| - name: KeyProtect Encryption | Encryption Prepare | Copy Policy file | ||
| template: | ||
| src: "templates/KP.fsenc.pol.j2" | ||
| dest: "/var/mmfs/etc/KP.fsenc.pol" | ||
| owner: root | ||
| group: root | ||
| mode: '0600' | ||
| when: encryption_key is defined and encryption_key != '' | ||
| run_once: true | ||
|
|
||
| when: key_protect_dir is defined and key_protect_dir | length > 0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| # Creating directory and password file for non-interactive deployment for KeyProtect | ||
| # Copy SSL certs from Bootstrap node to Management node | ||
|
|
||
| - block: | ||
| - name: KeyProtect Encryption | Encryption Prepare | Check Directory | ||
| stat: | ||
| path: "{{ key_protect_dir }}" | ||
| register: key_protect_dir_stat | ||
|
|
||
| - name: KeyProtect Encryption | Encryption Prepare | Create Directory | ||
| file: | ||
| path: "{{ key_protect_dir }}" | ||
| state: directory | ||
| owner: root | ||
| group: root | ||
| mode: '0755' | ||
| when: not key_protect_dir_stat.stat.exists | ||
|
|
||
| - name: KeyProtect Encryption | Encryption Prepare | Password File Check | ||
| stat: | ||
| path: "{{ key_protect_dir }}/{{ resource_prefix }}.pwd" | ||
| register: password_file_stat | ||
|
|
||
| - name: KeyProtect Encryption | Encryption Prepare | Password File Create | ||
| lineinfile: | ||
| path: "{{ key_protect_dir }}/{{ resource_prefix }}.pwd" | ||
| line: "{{ scale_encryption_admin_password }}" | ||
| create: yes | ||
| when: not password_file_stat.stat.exists | ||
|
|
||
| - name: KeyProtect Encryption | Encryption Prepare | Port File Check | ||
| stat: | ||
| path: "{{ key_protect_dir }}/{{ resource_prefix }}.port" | ||
| register: port_file_stat | ||
|
|
||
| - name: KeyProtect Encryption | Encryption Prepare | Port File Create | ||
| lineinfile: | ||
| path: "{{ key_protect_dir }}/{{ resource_prefix }}.port" | ||
| line: "{{ key_protect_port }}" | ||
| create: yes | ||
| when: not port_file_stat.stat.exists | ||
|
|
||
| - name: KeyProtect Encryption | Encryption Prepare | Copy Certs to Remote Server | ||
| copy: | ||
| src: "{{ item }}" | ||
| dest: "{{ key_protect_dir }}" | ||
| owner: root | ||
| group: root | ||
| with_fileglob: | ||
| - "{{ key_protect_cert_files_dir }}/*" | ||
| run_once: true | ||
|
|
||
| when: key_protect_dir is defined and key_protect_dir | length > 0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| # Preparation tasks for enabling encryption with IBM Key Protect | ||
|
|
||
| # Import the 'get_ssl_certs.yml' task to retrieve SSL certificates from the Bootstrap node. | ||
| - import_tasks: get_ssl_certs.yml | ||
|
|
||
| # Import the 'create_encryption_key.yml' task to create the encryption key if it doesn't already exist. | ||
| - import_tasks: create_encryption_key.yml | ||
|
|
||
| # Import the 'copy_encryption_files_to_ansible_master.yml' task to obtain the RKM.conf and .p12 certificate files and copy them to Bootstrap node. | ||
| - import_tasks: copy_encryption_files_to_ansible_master.yml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| RULE 'EncPolicyGeneratorRule' ENCRYPTION 'RULE1' IS | ||
| ALGO 'DEFAULTNISTSP800131AFAST' | ||
| KEYS('{{ encryption_key }}:KP') | ||
| RULE 'Encrypt all files' SET ENCRYPTION 'RULE1' WHERE NAME LIKE '%' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| KP { | ||
| type = KMIP | ||
| kmipServerUri = tls://{{ vpc_region }}.kms.cloud.ibm.com:5696 | ||
| keyStore = /var/mmfs/etc/{{ resource_prefix }}.p12 | ||
| passphrase = {{ scale_encryption_admin_password }} | ||
| clientCertLabel = {{ resource_prefix }} | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| # Static Variables for Encryption | ||
|
|
||
| # Key Protect Password | ||
| scale_encryption_admin_password: "{{ scale_encryption_admin_password }}" | ||
|
|
||
| # Resource Prefix | ||
| resource_prefix: "{{ kp_resource_prefix }}" | ||
|
|
||
| # Region Name | ||
| vpc_region: "{{ vpc_region }}" | ||
|
|
||
| # Directory to store Key Protect files | ||
| key_protect_dir: "/opt/key_protect" | ||
|
|
||
| # Key Protect Port | ||
| key_protect_port: "5696" | ||
|
|
||
| # Key Protect files path on Bootstrap node | ||
| key_protect_cert_files_dir: "/opt/IBM/ibm-spectrumscale-cloud-deploy/key_protect" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| --- | ||
| # | ||
| # samples/playbook_kp_encrypion_apply.yml | ||
| # | ||
|
|
||
| # Playbook sample for deploying IBM Spectrum Scale (GPFS) cluster with IBM Key Protect encryption. | ||
| # Additional variables need to be defined for this, it | ||
| # is recommended to use Ansible group variables for this purpose: | ||
| # https://docs.ansible.com/ansible/latest/user_guide/intro_inventory.html#assigning-a-variable-to-many-machines-group-variables | ||
|
|
||
| - hosts: scale_management_node | ||
| collections: | ||
| - ibm.spectrum_scale | ||
| any_errors_fatal: true | ||
| roles: | ||
| - kp_encryption_apply |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| --- | ||
| # | ||
| # samples/playbook_kp_encrypion_configure.yml | ||
| # | ||
|
|
||
| # Playbook sample for deploying IBM Spectrum Scale (GPFS) cluster with IBM Key Protect encryption. | ||
| # Additional variables need to be defined for this, it | ||
| # is recommended to use Ansible group variables for this purpose: | ||
| # https://docs.ansible.com/ansible/latest/user_guide/intro_inventory.html#assigning-a-variable-to-many-machines-group-variables | ||
|
|
||
| - hosts: cluster01 | ||
| collections: | ||
| - ibm.spectrum_scale | ||
| any_errors_fatal: true | ||
| roles: | ||
| - kp_encryption_configure |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| --- | ||
| # | ||
| # samples/playbook_kp_encrypion_prepare.yml | ||
| # | ||
|
|
||
| # Playbook sample for deploying IBM Spectrum Scale (GPFS) cluster with IBM Key Protect encryption. | ||
| # Additional variables need to be defined for this, it | ||
| # is recommended to use Ansible group variables for this purpose: | ||
| # https://docs.ansible.com/ansible/latest/user_guide/intro_inventory.html#assigning-a-variable-to-many-machines-group-variables | ||
|
|
||
| - hosts: scale_management_node | ||
| collections: | ||
| - ibm.spectrum_scale | ||
| any_errors_fatal: true | ||
| roles: | ||
| - kp_encryption_prepare |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| # Static Variables for Encryption | ||
|
|
||
| # Scale File System Mount Point | ||
| filesystem_mountpoint: "fs1" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| # Static Variables for Encryption | ||
|
|
||
| # Resource Prefix | ||
| kp_resource_prefix: "hpc_key_protect" | ||
|
|
||
| # Key Protect files path on Bootstrap node | ||
| key_protect_cert_files_dir: "/opt/IBM/ibm-spectrumscale-cloud-deploy/key_protect" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| # Static Variables for Encryption | ||
|
|
||
| # Key Protect Password | ||
| scale_encryption_admin_password: "KeyProtect@123" | ||
|
|
||
| # Resource Prefix | ||
| resource_prefix: "hpc_key_protect" | ||
|
|
||
| # Region Name | ||
| vpc_region: "us-south" | ||
|
|
||
| # Directory to store Key Protect files | ||
| key_protect_dir: "/opt/key_protect" | ||
|
|
||
| # Key Protect Port | ||
| key_protect_port: "5696" | ||
|
|
||
| # Key Protect files path on Bootstrap node | ||
| key_protect_cert_files_dir: "/opt/IBM/ibm-spectrumscale-cloud-deploy/key_protect" |