saltext.sap_pse._modules.sap_pse

SaltStack extension for sapgenpse Copyright (C) 2022 SAP UCC Magdeburg

sapgenpse execution module

SaltStack execution module that wraps sapgenpse functions.

codeauthor: Benjamin Wegener, Alexander Wilke

maturity: new

depends: yaml

platform: Linux

It is assumed that the program sapgenpse is in the PATH of the user executing the function. If not, it is assumed that the SAP Host Agent is installed and that /usr/sap/hostctrl/exe/sapgenpse can be accessed by the executing user. If the executing user is not provided, the user under which the salt minion runs is used (usually root).

saltext.sap_pse._modules.sap_pse.__virtual__()

Only work on POSIX-like systems

saltext.sap_pse._modules.sap_pse.gen_pse(pse_file, dn, pse_pwd=None, algo='RSA:2048:SHA512', runas=None, groupas=None, add_ca_bundle=True, **kwargs)

Wrapper for the function gen_pse of the CLI tool sapgenpse.

Create a new PSE. This will not create a signing request.

pse_file

Equivalent to -p <pse-file>, i.e. the path for the PSE.

dn

Distinguished name.

pse_pwd

Equivalent to -x <pin>, i.e. the PIN/Passphrase for the PSE. Default is no PIN.

algo

Equivalent to -a <algo>, i.e. the algorithm used for the PSE, e.g. DSA, ECDSA or RSA (default is RSA:2048:SHA512).

runas

User that will run the command, default is the user that runs the salt minion.

groupas

Group that will run the command, default is the group that runs the salt minion.

add_ca_bundle

If False, the OpenSSL CA bundle returned by salt.utils.http.get_ca_bundle(), i.e. all certificate authorities trusted by the operating system, will not be added to the PSE.

Returns True / False based on success.

CLI Example:

salt "*" sap_pse.gen_pse pse_file="/usr/sap/hostctrl/exe/sec/SAPSSLA.pse" dn="cn=ANONYMOUS"

saltext.sap_pse._modules.sap_pse.import_p8(pse_file, pub_key, priv_key, pse_pwd=None, priv_key_pwd=None, add_certs=None, runas=None, groupas=None, add_ca_bundle=True, **kwargs)

Wrapper for the function import_p8 of the CLI tool sapgenpse.

This function creates a new PSE file from a PKCS#8 format private key (optionally protected by PKCS#5 password-based encryption) along with all necessary X.509 certs.

You will have to supply the X.509 certificate matching the private key plus all intermediate and root CA certificates which might be necessary to build a certificate chain that ends with a self-signed certificate.

pse_file

Equivalent to -p <pse-file>, i.e. the path for the PSE.

pse_pwd

Equivalent to -x <pin>, i.e. the PIN/Passphrase for the PSE. Default is no PIN.

pub_key

Equivalent to -c <cert(s)-file>, i.e. an X.509 certificate containing the public key.

priv_key

Path to the file containing the PKCS#8 private key that matches the certificate given in pub_key.

priv_key_pwd

Equivalent to -z <password>, i.e. the Password/Passphrase for decryption of private key. Default is no password.

add_certs

Equivalent to -r <file2>, i.e. additional certificate(s) for an incomplete PKCS#8 file. This list can contain up to 10 additional files for building a complete certification path up to the RootCA (PEM, Base64 or DER binary). Default is no additional certificates.

runas

User that will run the command, default is the user that runs the salt minion.

groupas

Group that will run the command, default is the group that runs the salt minion.

add_ca_bundle

If False, the OpenSSL CA bundle returned by salt.utils.http.get_ca_bundle(), i.e. all certificate authorities trusted by the operating system, will not be added to the PSE.

Returns True / False based on success.

CLI Example:

salt "*" sap_pse.import_p8 pse_file="/usr/sap/hostctrl/exe/sec/SAPSSLS.pse" pub_key="/etc/pki/cert.crt" priv_key="/etc/pki/cert.key"

saltext.sap_pse._modules.sap_pse.export_p8(pse_file, pem_file, pem_pwd, pse_pwd=None, runas=None, groupas=None, secudir=None, **kwargs)

Wrapper for the function export_p8 of the CLI tool sapgenpse.

Exports the key of a PSE into PKCS#8 transfer format (PEM file) for transfer/export to software of other vendors.

The private key and its corresponding certificate plus the forward certificate chain up to and including the RootCA's certificate are written into a PEM file.

pse_file

Equivalent to -p <pse-file>, i.e. the path of the PSE.

pem_file

Path to the PEM file which will contain both public and private key.

pem_pwd

Equivalent to -z <password>, i.e. the Password/Passphrase for the encryption of the PEM-file.

pse_pwd

Equivalent to -x <pin>, i.e. the PIN/Passphrase for PSE file. Default is no PIN.

runas

User that will run the command, default is the user that runs the salt minion.

groupas

Group that will run the command, default is the group that runs the salt minion.

secudir

SECUDIR to use. If not defined, the path of the PSE file will be set as SECUDIR.

Returns True / False based on success.

CLI Example:

salt "*" sap_pse.export_p8 pse_file="/usr/sap/hostctrl/exe/sec/SAPSSLS.pse" pem_file="/etc/pki/pse.crt" pem_pwd=Abcd1234

saltext.sap_pse._modules.sap_pse.get_my_name(pse_file, pse_pwd=None, runas=None, groupas=None, secudir=None, **kwargs)

Wrapper for the function get_my_name of the CLI tool sapgenpse.

Displays the attributes/properties of the user/owner certificate in a PSE.

pse_file

Equivalent to -p <pse-file>, i.e. the path of the PSE.

pse_pwd

Equivalent to -x <pin>, i.e. the PIN/Passphrase for PSE file. Default is no PIN.

runas

User that will run the command, default is the user that runs the salt minion.

groupas

Group that will run the command, default is the group that runs the salt minion.

secudir

SECUDIR to use. If not defined, the path of the PSE file will be set as SECUDIR.

CLI Example:

salt "*" sap_pse.get_my_name pse_file="/usr/sap/hostctrl/exe/sec/SAPSSLS.pse"

saltext.sap_pse._modules.sap_pse.maintain_pk_add(pse_file, certs, runas=None, groupas=None, pse_pwd=None, secudir=None, **kwargs)

Wrapper for the function maintain_pk of the CLI tool sapgenpse.

Adds certificates to the PK list of a PSE.

pse_file

Equivalent to -p <pse-file>, i.e. the path of the PSE.

certs

Equivalent to -m <cert-file>, i.e. add the certificates contained in each given file. Must be a list.

pse_pwd

Equivalent to -x <pin>, i.e. the PIN/Passphrase for PSE file. Default is no PIN.

runas

User that will run the command, default is the user that runs the salt minion.

groupas

Group that will run the command, default is the group that runs the salt minion.

secudir

SECUDIR to use. If not defined, the path of the PSE file will be set as SECUDIR.

CLI Example:

salt "*" sap_pse.maintain_pk_add pse_file="/usr/sap/hostctrl/exe/sec/SAPSSLS.pse" certs=["/etc/pki/trust/anchors/ca.crt"]

saltext.sap_pse._modules.sap_pse.maintain_pk_delete(pse_file, del_cert, runas=None, groupas=None, pse_pwd=None, secudir=None, **kwargs)

Wrapper for the function maintain_pk of the CLI tool sapgenpse.

Delete certificates from the PKList of a PSE.

pse_file

Equivalent to -p <pse-file>, i.e. the path of the PSE.

del_cert

Equivalent to -d <num> (delete certificate/key number <num> from the PKList) or -d <string> (delete all certificates/keys from the PKList whose name contains <string>).

pse_pwd

Equivalent to -x <pin>, i.e. the PIN/Passphrase for PSE file. Default is no PIN.

runas

User that will run the command, default is the user that runs the salt minion.

groupas

Group that will run the command, default is the group that runs the salt minion.

secudir

SECUDIR to use. If not defined, the path of the PSE file will be set as SECUDIR.

CLI Example:

salt "*" sap_pse.maintain_pk_delete pse_file="/usr/sap/hostctrl/exe/sec/SAPSSLS.pse" del_cert=0

saltext.sap_pse._modules.sap_pse.maintain_pk_list(pse_file, runas=None, groupas=None, pse_pwd=None, secudir=None, **kwargs)

Wrapper for the function maintain_pk of the CLI tool sapgenpse.

List certificates from the PKList of a PSE.

pse_file

Equivalent to -p <pse-file>, i.e. the path of the PSE.

pse_pwd

Equivalent to -x <pin>, i.e. the PIN/Passphrase for PSE file. Default is no PIN.

runas

User that will run the command, default is the user that runs the salt minion.

groupas

Group that will run the command, default is the group that runs the salt minion.

secudir

SECUDIR to use. If not defined, the path of the PSE file will be set as SECUDIR.

CLI Example:

salt "*" sap_pse.maintain_pk_list pse_file="/usr/sap/hostctrl/exe/sec/SAPSSLS.pse"

saltext.sap_pse._modules.sap_pse.seclogin_add(pse_file, pse_pwd=None, user=None, runas=None, groupas=None, secudir=None, **kwargs)

Wrapper for the function seclogin of the CLI tool sapgenpse.

Creates Single Sign-On (SSO) credentials for a PSE / user.

pse_file

Equivalent to -p <pse-file>, i.e. the path of the PSE.

pse_pwd

Equivalent to -x <pin>, i.e. the PIN/Passphrase for PSE file. Default is no PIN.

user

Equivalent to -O <username>, i.e. create SSO-credential for OTHER user <username>. Will be set to runas or salt minion user if None.

runas

User that will run the command, default is the user that runs the salt minion.

groupas

Group that will run the command, default is the group that runs the salt minion.

secudir

SECUDIR to use. If not defined, the path of the PSE file will be set as SECUDIR.

CLI Example:

salt "*" sap_pse.seclogin_add pse_file="/usr/sap/hostctrl/exe/sec/SAPSSLS.pse" user="sapadm"

saltext.sap_pse._modules.sap_pse.seclogin_contains(pse_file, pse_pwd=None, user=None, runas=None, groupas=None, secudir=None, **kwargs)

Wrapper for the function seclogin of the CLI tool sapgenpse.

Returns success and whether Single Sign-On (SSO) credentials for the user already exist.

pse_file

Equivalent to -p <pse-file>, i.e. the path of the PSE.

pse_pwd

Equivalent to -x <pin>, i.e. the PIN/Passphrase for PSE file. Default is no PIN.

user

Equivalent to -O <username>, i.e. the OTHER user <username> whose SSO credentials are checked. Will be set to runas or the salt minion user if None.

runas

User that will run the command, default is the user that runs the salt minion.

groupas

Group that will run the command, default is the group that runs the salt minion.

secudir

SECUDIR to use. If not defined, the path of the PSE file will be set as SECUDIR.

CLI Example:

salt "*" sap_pse.seclogin_contains pse_file="/usr/sap/hostctrl/exe/sec/SAPSSLS.pse" user="sapadm"

saltext.sap_pse._modules.sap_pse.seclogin_count(pse_file, runas=None, groupas=None, pse_pwd=None, secudir=None, **kwargs)

Wrapper for the function seclogin of the CLI tool sapgenpse.

Returns success and the count of SSO credentials for the given PSE.

pse_file

Equivalent to -p <pse-file>, i.e. the path of the PSE.

pse_pwd

Equivalent to -x <pin>, i.e. the PIN/Passphrase for PSE file. Default is no PIN.

runas

User that will run the command, default is the user that runs the salt minion.

groupas

Group that will run the command, default is the group that runs the salt minion.

secudir

SECUDIR to use. If not defined, the path of the PSE file will be set as SECUDIR.

CLI Example:

salt "*" sap_pse.seclogin_count pse_file="/usr/sap/hostctrl/exe/sec/SAPSSLS.pse"

saltext.sap_pse._modules.sap_pse.seclogin_delete(pse_file, pse_pwd=None, runas=None, groupas=None, secudir=None, **kwargs)

Wrapper for the function seclogin of the CLI tool sapgenpse.

Removes all SSO credentials for a PSE file.

pse_file

Equivalent to -p <pse-file>, i.e. the path of the PSE.

pse_pwd

Equivalent to -x <pin>, i.e. the PIN/Passphrase for PSE file. Default is no PIN.

runas

User that will run the command, default is the user that runs the salt minion.

groupas

Group that will run the command, default is the group that runs the salt minion.

secudir

SECUDIR to use. If not defined, the path of the PSE file will be set as SECUDIR.

CLI Example:

salt "*" sap_pse.seclogin_delete pse_file="/usr/sap/hostctrl/exe/sec/SAPSSLS.pse"

saltext.sap_pse._modules.sap_pse.gen_verify_pse(pse_file=None, runas=None, groupas=None, **kwargs)

Wrapper for the function gen_verify_pse of the CLI tool sapgenpse.

Create a new PSE for verification only, i.e. without an own key pair.

pse_file

Equivalent to -p <pse-file>, i.e. the path of the PSE.

runas

User that will run the command, default is the user that runs the salt minion.

groupas

Group that will run the command, default is the group that runs the salt minion.

Note

This will utilize the OpenSSL CA bundle returned by salt.utils.http.get_ca_bundle().

CLI Example:

salt "*" sap_pse.gen_verify_pse pse_file="/usr/sap/hostctrl/exe/sec/SAPSSLS.pse"
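The functions above are usually driven from a Salt state rather than from the CLI. The following SLS is an added example, not part of the saltext.sap_pse project, that chains import_p8, maintain_pk_add and seclogin_add to provision the SAP Host Agent server PSE from an existing PKCS#8 key and certificate. It assumes Salt's new-style module.run syntax; the state IDs, the sapadm/sapsys user and group, and all /etc/pki/sap paths are placeholders.

```yaml
# Added example (not from the saltext.sap_pse docs). Placeholder paths/users.
{% set secudir = '/usr/sap/hostctrl/exe/sec' %}
{% set pse = secudir ~ '/SAPSSLS.pse' %}

# Build the PSE from the PKCS#8 key, its certificate and the chain up to the
# RootCA (import_p8 requires the full chain). Guarded so an existing PSE is
# never silently recreated.
sapssls_pse_from_pkcs8:
  module.run:
    - sap_pse.import_p8:
      - pse_file: {{ pse }}
      - pub_key: /etc/pki/sap/host.crt          # X.509 cert matching the key
      - priv_key: /etc/pki/sap/host.key         # PKCS#8 private key
      - add_certs:                              # at most 10 entries
        - /etc/pki/sap/intermediate-ca.crt
        - /etc/pki/sap/root-ca.crt
      - runas: sapadm
      - groupas: sapsys
    - unless: test -f {{ pse }}

# Add the corporate root CA to the PKList so peers issued by it are trusted.
sapssls_pse_trust_anchor:
  module.run:
    - sap_pse.maintain_pk_add:
      - pse_file: {{ pse }}
      - certs:
        - /etc/pki/trust/anchors/corp-root-ca.crt
      - runas: sapadm
      - groupas: sapsys
    - require:
      - module: sapssls_pse_from_pkcs8

# Create the SSO credential so sapadm can open the PSE without a PIN prompt.
sapssls_pse_sso_credential:
  module.run:
    - sap_pse.seclogin_add:
      - pse_file: {{ pse }}
      - user: sapadm
      - runas: sapadm
      - groupas: sapsys
    - require:
      - module: sapssls_pse_trust_anchor
```

Only the import step is guarded here; maintain_pk_add and seclogin_add run on every highstate, so wrap them in an `unless` check (e.g. via maintain_pk_list or seclogin_contains) where repeated execution is undesirable.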