Red Hat Training

A Red Hat training course is available for RHEL 8

Chapter 6. Setting a custom cryptographic policy across systems

As an administrator, you can use the Crypto Policies System Role on RHEL to quickly and consistently configure custom cryptographic policies across many different systems using Red Hat Ansible Automation Platform.

6.1. Crypto Policies System Role variables and facts

In a Crypto Policies System Role playbook, you can define the parameters for the crypto policies configuration file according to your preferences and limitations.

If you do not configure any variables, the system role does not configure the system and only reports the facts.

Selected variables for the Crypto Policies System Role

crypto_policies_policy
Determines the cryptographic policy level the system role applies to the managed nodes. For details about the different crypto policy levels, see System-wide cryptographic policies .
crypto_policies_reload
If set to yes, the affected services, currently the ipsec, bind, and sshd services, reload after applying a crypto policy. Defaults to yes.
crypto_policies_reboot_ok
If set to yes, and a reboot is necessary after the system role changes the crypto policy, it sets crypto_policies_reboot_required to yes. Defaults to no.

Facts set by the Crypto Policies System Role

crypto_policies_active
Lists the currently selected policy.
crypto_policies_available_policies
Lists all available policy levels available on the system.
crypto_policies_available_modules
Lists all available subpolicy modules available on the system.

6.2. Setting a custom cryptographic policy using the Crypto Policies System Role

You can use the Crypto Policies System Role to configure a large number of managed nodes consistently from a single control node.

Prerequisites

  • Access and permissions to one or more managed nodes, which are systems you want to configure with the Crypto Policies System Role.
  • Access and permissions to a control node, which is a system from which Red Hat Ansible Engine configures other systems.

    On the control node:

    • Red Hat Ansible Engine is installed
    • The rhel-system-roles package is installed
    • An inventory file which lists the managed nodes.

Procedure

  1. Create a new playbook.yml file with the following content:

    ---
    - hosts: all
      tasks:
      - name: Configure crypto policies
        include_role:
          name: linux-system-roles.crypto_policies
        vars:
          - crypto_policies_policy: FUTURE
          - crypto_policies_reboot_ok: true

    You can replace the FUTURE value with your preferred crypto policy, for example: DEFAULT, LEGACY, and FIPS:OSPP.

    The crypto_policies_reboot_ok: true variable causes the system to reboot after the system role changes the crypto policy.

    For more details, see Crypto Policies System Role variables and facts .

  2. Optional: Verify playbook syntax.

    # ansible-playbook --syntax-check playbook.yml
  3. Run the playbook on your inventory file:

    # ansible-playbook -i inventory_file playbook.yml

Verification

  1. On the control node, create another playbook named, for example, verify_playbook.yml:

    - hosts: all
      tasks:
     - name: Verify active crypto policy
       include_role:
         name: linux-system-roles.crypto_policies
    
     - debug:
         var: crypto_policies_active

    This playbook does not change any configurations on the system, only reports the active policy on the managed nodes.

  2. Run the playbook on the same inventory file:

    # ansible-playbook -i inventory_file verify_playbook.yml
    
    TASK [debug] **************************
    ok: [host] => {
        "crypto_policies_active": "FUTURE"
    }

    The "crypto_policies_active": variable shows the policy active on the managed node.

6.3. Additional resources