Chapter 17. Setting a custom cryptographic policy by using the crypto-policies RHEL System Role

As an administrator, you can use the crypto_policies RHEL System Role to quickly and consistently configure custom cryptographic policies across many different systems using the Ansible Core package.

17.1. Variables and facts of the crypto_policies System Role

In a crypto_policies System Role playbook, you can define the parameters for the crypto_policies configuration file according to your preferences and limitations.

If you do not configure any variables, the System Role does not configure the system and only reports the facts.

Selected variables for the crypto_policies System Role

crypto_policies_policy
Determines the cryptographic policy the System Role applies to the managed nodes. For details about the different crypto policies, see System-wide cryptographic policies.
crypto_policies_reload
If set to yes, the affected services, currently the ipsec, bind, and sshd services, reload after applying a crypto policy. Defaults to yes.
crypto_policies_reboot_ok
If set to yes, and a reboot is necessary after the System Role changes the crypto policy, it sets crypto_policies_reboot_required to yes. Defaults to no.

Facts set by the crypto_policies System Role

crypto_policies_active
Lists the currently selected policy.
crypto_policies_available_policies
Lists all policies available on the system.
crypto_policies_available_subpolicies
Lists all subpolicies available on the system.

Additional resources

17.2. Setting a custom cryptographic policy by using the crypto_policies System Role

You can use the crypto_policies System Role to configure a large number of managed nodes consistently from a single control node.

Prerequisites

Procedure

  1. Create a playbook file, for example ~/playbook.yml, with the following content:

    ---
    - name: Configure crypto policies
      hosts: managed-node-01.example.com
      tasks:
        - name: Configure crypto policies
          ansible.builtin.include_role:
            name: rhel-system-roles.crypto_policies
          # vars must be a mapping, not a list of single-key items
          vars:
            crypto_policies_policy: FUTURE
            crypto_policies_reboot_ok: true

    You can replace the FUTURE value with your preferred crypto policy, for example: DEFAULT, LEGACY, and FIPS:OSPP.

    The crypto_policies_reboot_ok: true setting causes the system to reboot after the System Role changes the cryptographic policy.

  2. Validate the playbook syntax:

    $ ansible-playbook --syntax-check ~/playbook.yml

    Note that this command only validates the syntax and does not protect against a wrong but valid configuration.

  3. Run the playbook:

    $ ansible-playbook ~/playbook.yml

Verification

  1. On the control node, create another playbook named, for example, verify_playbook.yml:

    ---
    - name: Verification
      hosts: managed-node-01.example.com
      tasks:
        - name: Verify active crypto policy
          ansible.builtin.include_role:
            name: rhel-system-roles.crypto_policies
        - name: Display the active crypto policy
          ansible.builtin.debug:
            var: crypto_policies_active
  2. Validate the playbook syntax:

    $ ansible-playbook --syntax-check ~/verify_playbook.yml
  3. Run the playbook:

    $ ansible-playbook ~/verify_playbook.yml
    TASK [debug] **************************
    ok: [host] => {
        "crypto_policies_active": "FUTURE"
    }

    The crypto_policies_active variable shows the policy active on the managed node.
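The following playbook is an added example and is not part of the Red Hat documentation or the role itself. It combines the facts-only mode described in section 17.1 with the verification above: it first includes the role without variables to collect the facts, checks that the requested policy is actually offered on the node, applies it with crypto_policies_reboot_ok set to false so that no unattended reboot happens, and then asserts on crypto_policies_active. The final task assumes that the role sets crypto_policies_reboot_required when a reboot is pending but was not performed; the default(false) filter keeps the task harmless if that fact is absent.

```yaml
---
# Added example (not from the Red Hat documentation or the role):
# gather facts first, then apply and verify a policy without rebooting.
- name: Apply the FUTURE crypto policy and verify it with role facts
  hosts: managed-node-01.example.com
  vars:
    # Constructed for this example; change to DEFAULT, LEGACY, FIPS:OSPP, ...
    wanted_policy: FUTURE
  tasks:
    - name: Collect crypto policy facts only (no variables, so nothing is changed)
      ansible.builtin.include_role:
        name: rhel-system-roles.crypto_policies

    - name: Stop before changing anything if the policy is not offered on this node
      ansible.builtin.assert:
        that:
          - wanted_policy in crypto_policies_available_policies
        fail_msg: >-
          {{ wanted_policy }} is not available here; offered policies:
          {{ crypto_policies_available_policies }}

    - name: Apply the policy but leave any reboot to a maintenance window
      ansible.builtin.include_role:
        name: rhel-system-roles.crypto_policies
      vars:
        crypto_policies_policy: "{{ wanted_policy }}"
        crypto_policies_reboot_ok: false

    - name: Confirm the node now reports the requested policy as active
      ansible.builtin.assert:
        that:
          - crypto_policies_active == wanted_policy
        fail_msg: >-
          Active policy is {{ crypto_policies_active }},
          expected {{ wanted_policy }}

    - name: Report nodes that still need a reboot for the policy to take full effect
      ansible.builtin.debug:
        msg: "{{ inventory_hostname }}: reboot required before all services use {{ wanted_policy }}"
      # Assumption: the role sets this fact when a reboot is pending but was not done
      when: crypto_policies_reboot_required | default(false) | bool
```

Run it with the same ansible-playbook command as the other playbooks in this chapter; a failed assert stops the play for that host so a wrong policy name is caught before any system is reconfigured.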

Additional resources

  • /usr/share/ansible/roles/rhel-system-roles.crypto_policies/README.md file
  • /usr/share/doc/rhel-system-roles/crypto_policies/ directory