Chapter 17. Setting a custom cryptographic policy by using the crypto-policies RHEL System Role
As an administrator, you can use the crypto_policies
RHEL System Role to quickly and consistently configure custom cryptographic policies across many different systems using the Ansible Core package.
17.1. Variables and facts of the crypto_policies
System Role
In a crypto_policies
System Role playbook, you can define the parameters for the crypto_policies
configuration file according to your preferences and limitations.
If you do not configure any variables, the System Role does not configure the system and only reports the facts.
Selected variables for the crypto_policies
System Role
crypto_policies_policy
- Determines the cryptographic policy the System Role applies to the managed nodes. For details about the different crypto policies, see System-wide cryptographic policies .
crypto_policies_reload
-
If set to
yes
, the affected services, currently theipsec
,bind
, andsshd
services, reload after applying a crypto policy. Defaults toyes
. crypto_policies_reboot_ok
-
If set to
yes
, and a reboot is necessary after the System Role changes the crypto policy, it setscrypto_policies_reboot_required
toyes
. Defaults tono
.
Facts set by the crypto_policies
System Role
crypto_policies_active
- Lists the currently selected policy.
crypto_policies_available_policies
- Lists all available policies available on the system.
crypto_policies_available_subpolicies
- Lists all available subpolicies available on the system.
Additional resources
-
/usr/share/ansible/roles/rhel-system-roles.crypto_policies/README.md
file -
/usr/share/doc/rhel-system-roles/crypto_policies/
directory - Creating and setting a custom system-wide cryptographic policy
17.2. Setting a custom cryptographic policy by using the crypto_policies
System Role
You can use the crypto_policies
System Role to configure a large number of managed nodes consistently from a single control node.
Prerequisites
- You have prepared the control node and the managed nodes.
- You are logged in to the control node as a user who can run playbooks on the managed nodes.
-
The account you use to connect to the managed nodes has
sudo
permissions on them.
Procedure
Create a playbook file, for example
~/playbook.yml
, with the following content:--- - name: Configure crypto policies hosts: managed-node-01.example.com tasks: - name: Configure crypto policies ansible.builtin.include_role: name: rhel-system-roles.crypto_policies vars: - crypto_policies_policy: FUTURE - crypto_policies_reboot_ok: true
You can replace the FUTURE value with your preferred crypto policy, for example:
DEFAULT
,LEGACY
, andFIPS:OSPP
.The
crypto_policies_reboot_ok: true
setting causes the system to reboot after the System Role changes the cryptographic policy.Validate the playbook syntax:
$ ansible-playbook --syntax-check ~/playbook.yml
Note that this command only validates the syntax and does not protect against a wrong but valid configuration.
Run the playbook:
$ ansible-playbook ~/playbook.yml
Verification
On the control node, create another playbook named, for example,
verify_playbook.yml
:--- - name: Verification hosts: managed-node-01.example.com tasks: - name: Verify active crypto policy ansible.builtin.include_role: name: rhel-system-roles.crypto_policies - debug: var: crypto_policies_active
Validate the playbook syntax:
$ ansible-playbook --syntax-check ~/verify_playbook.yml
Run the playbook:
$ ansible-playbook ~/verify_playbook.yml TASK [debug] ************************** ok: [host] => { "crypto_policies_active": "FUTURE" }
The
crypto_policies_active
variable shows the policy active on the managed node.
Additional resources
-
/usr/share/ansible/roles/rhel-system-roles.crypto_policies/README.md
file -
/usr/share/doc/rhel-system-roles/crypto_policies/
directory