saltext.sap_pse._modules.sap_pse#
SaltStack extension for sapgenpse Copyright (C) 2022 SAP UCC Magdeburg
sapgenpse execution module#
SaltStack execution module that wraps sapgenpse functions.
- codeauthor: Benjamin Wegener, Alexander Wilke
- maturity: new
- depends: yaml
- platform: Linux
It is assumed that the program sapgenpse is in the PATH of the user executing the function. If not, it is assumed that the SAP Host Agent is installed and that /usr/sap/hostctrl/exe/sapgenpse can be accessed by the executing user. If the executing user is not provided (runas), the user under which the salt minion runs is used (usually root).
- saltext.sap_pse._modules.sap_pse.gen_pse(pse_file, dn, pse_pwd=None, algo='RSA:2048:SHA512', runas=None, groupas=None, add_ca_bundle=True, **kwargs)[source]#
Wrapper for the function gen_pse of the CLI tool sapgenpse. Creates a new PSE with its own key pair. This will not create a certificate signing request.
- pse_file
  Equivalent to -p <pse-file>, i.e. the path for the PSE.
- dn
  Distinguished name of the PSE owner, e.g. cn=ANONYMOUS.
- pse_pwd
  Equivalent to -x <pin>, i.e. the PIN/passphrase for the PSE. Default is no PIN.
- algo
  Equivalent to -a <algo>, i.e. the algorithm used for the PSE, e.g. DSA, ECDSA or RSA (default is RSA:2048:SHA512).
- runas
  User that will run the command, default is the user that runs the salt minion.
- groupas
  Group that will run the command, default is the group that runs the salt minion.
- add_ca_bundle
  If False, will not add the OpenSSL CA bundle returned by salt.utils.http.get_ca_bundle(), i.e. all certificate authorities that are trusted by the operating system. With the default of True the new PSE therefore trusts every CA in that bundle; for a server PSE that should only accept certificates from a known PKI, pass add_ca_bundle=False and add the required CA certificates explicitly with maintain_pk_add.
Returns True / False based on success.
CLI Example:
salt "*" sap_pse.gen_pse pse_file="/usr/sap/hostctrl/exe/sec/SAPSSLA.pse" dn="cn=ANONYMOUS"
- saltext.sap_pse._modules.sap_pse.import_p8(pse_file, pub_key, priv_key, pse_pwd=None, priv_key_pwd=None, add_certs=None, runas=None, groupas=None, add_ca_bundle=True, **kwargs)[source]#
Wrapper for the function import_p8 of the CLI tool sapgenpse. This function creates a new PSE file from a PKCS#8 format private key (optionally protected by PKCS#5 password-based encryption) along with all necessary X.509 certificates.
You will have to supply the X.509 certificate matching the private key plus all intermediate and root CA certificates which might be necessary to build a certificate chain that ends with a self-signed certificate.
- pse_file
  Equivalent to -p <pse-file>, i.e. the path for the PSE.
- pse_pwd
  Equivalent to -x <pin>, i.e. the PIN/passphrase for the PSE. Default is no PIN.
- pub_key
  Equivalent to -c <cert(s)-file>, i.e. the X.509 certificate containing the public key.
- priv_key
  Path to the file containing the PKCS#8 private key that matches the certificate given in pub_key. The file must be readable by the runas user; after a successful import the PSE holds its own copy of the key, so protect or remove the source file afterwards.
- priv_key_pwd
  Equivalent to -z <password>, i.e. the password/passphrase for decryption of the private key. Default is no password.
- add_certs
  Equivalent to -r <file2>, i.e. additional certificate(s) for an incomplete PKCS#8 file. This list can contain up to 10 additional files for building the complete certification path up to the root CA (PEM, Base64 or DER binary). Default is no additional certificates.
- runas
  User that will run the command, default is the user that runs the salt minion.
- groupas
  Group that will run the command, default is the group that runs the salt minion.
- add_ca_bundle
  If False, will not add the OpenSSL CA bundle returned by salt.utils.http.get_ca_bundle(), i.e. all certificate authorities that are trusted by the operating system.
Returns True / False based on success.
CLI Example:
salt "*" sap_pse.import_p8 pse_file="/usr/sap/hostctrl/exe/sec/SAPSSLS.pse" pub_key="/etc/pki/cert.crt" priv_key="/etc/pki/cert.key"
- saltext.sap_pse._modules.sap_pse.export_p8(pse_file, pem_file, pem_pwd, pse_pwd=None, runas=None, groupas=None, secudir=None, **kwargs)[source]#
Wrapper for the function export_p8 of the CLI tool sapgenpse. Exports the key of a PSE into PKCS#8 transfer format (PEM file) for transfer/export to software of other vendors.
The private key and its corresponding certificate plus the forward certificate chain up to and including the root CA's certificate are written into a PEM file.
- pse_file
  Equivalent to -p <pse-file>, i.e. the path of the PSE.
- pem_file
  Path to the PEM file which will contain both the certificate chain and the private key.
- pem_pwd
  Equivalent to -z <password>, i.e. the password/passphrase for the encryption of the private key in the PEM file. Required: the exported file contains the PSE's private key and must not be written unencrypted.
- pse_pwd
  Equivalent to -x <pin>, i.e. the PIN/passphrase for the PSE file. Default is no PIN.
- runas
  User that will run the command, default is the user that runs the salt minion.
- groupas
  Group that will run the command, default is the group that runs the salt minion.
- secudir
  SECUDIR to use. If not defined, the path of the PSE file will be set as SECUDIR.
Returns True / False based on success.
CLI Example:
salt "*" sap_pse.export_p8 pse_file="/usr/sap/hostctrl/exe/sec/SAPSSLS.pse" pem_file="/etc/pki/pse.crt" pem_pwd=Abcd1234
A passphrase given literally on the salt command line as in this example ends up in the shell history and in the master's job cache; in production, pass it in from pillar instead.
- saltext.sap_pse._modules.sap_pse.get_my_name(pse_file, pse_pwd=None, runas=None, groupas=None, secudir=None, **kwargs)[source]#
Wrapper for the function get_my_name of the CLI tool sapgenpse. Displays the attributes/properties of the user/owner certificate in a PSE.
- pse_file
  Equivalent to -p <pse-file>, i.e. the path of the PSE.
- pse_pwd
  Equivalent to -x <pin>, i.e. the PIN/passphrase for the PSE file. Default is no PIN.
- runas
  User that will run the command, default is the user that runs the salt minion.
- groupas
  Group that will run the command, default is the group that runs the salt minion.
- secudir
  SECUDIR to use. If not defined, the path of the PSE file will be set as SECUDIR.
CLI Example:
salt "*" sap_pse.get_my_name pse_file="/usr/sap/hostctrl/exe/sec/SAPSSLS.pse"
- saltext.sap_pse._modules.sap_pse.maintain_pk_add(pse_file, certs, runas=None, groupas=None, pse_pwd=None, secudir=None, **kwargs)[source]#
Wrapper for the function maintain_pk of the CLI tool sapgenpse. Adds certificates to the PK list (the list of trusted certificates) of a PSE.
- pse_file
  Equivalent to -p <pse-file>, i.e. the path of the PSE.
- certs
  Equivalent to -m <cert-file>, i.e. add multiple certificates from <file>. Must be a list.
- pse_pwd
  Equivalent to -x <pin>, i.e. the PIN/passphrase for the PSE file. Default is no PIN.
- runas
  User that will run the command, default is the user that runs the salt minion.
- groupas
  Group that will run the command, default is the group that runs the salt minion.
- secudir
  SECUDIR to use. If not defined, the path of the PSE file will be set as SECUDIR.
CLI Example:
salt "*" sap_pse.maintain_pk_add pse_file="/usr/sap/hostctrl/exe/sec/SAPSSLS.pse" certs=["/etc/pki/trust/anchors/ca.crt"]
- saltext.sap_pse._modules.sap_pse.maintain_pk_delete(pse_file, del_cert, runas=None, groupas=None, pse_pwd=None, secudir=None, **kwargs)[source]#
Wrapper for the function maintain_pk of the CLI tool sapgenpse. Deletes certificates from the PK list of a PSE.
- pse_file
  Equivalent to -p <pse-file>, i.e. the path of the PSE.
- del_cert
  Equivalent to -d <num> (delete certificate/key number <num> from the PK list) or -d <string> (delete all certificates/keys from the PK list whose entry contains <string>). A string match can remove more than one entry; list the PK list first (maintain_pk_list) and prefer the numeric form when a single entry is meant.
- pse_pwd
  Equivalent to -x <pin>, i.e. the PIN/passphrase for the PSE file. Default is no PIN.
- runas
  User that will run the command, default is the user that runs the salt minion.
- groupas
  Group that will run the command, default is the group that runs the salt minion.
- secudir
  SECUDIR to use. If not defined, the path of the PSE file will be set as SECUDIR.
CLI Example:
salt "*" sap_pse.maintain_pk_delete pse_file="/usr/sap/hostctrl/exe/sec/SAPSSLS.pse" del_cert=0
- saltext.sap_pse._modules.sap_pse.maintain_pk_list(pse_file, runas=None, groupas=None, pse_pwd=None, secudir=None, **kwargs)[source]#
Wrapper for the function maintain_pk of the CLI tool sapgenpse. Lists the certificates in the PK list of a PSE.
- pse_file
  Equivalent to -p <pse-file>, i.e. the path of the PSE.
- pse_pwd
  Equivalent to -x <pin>, i.e. the PIN/passphrase for the PSE file. Default is no PIN.
- runas
  User that will run the command, default is the user that runs the salt minion.
- groupas
  Group that will run the command, default is the group that runs the salt minion.
- secudir
  SECUDIR to use. If not defined, the path of the PSE file will be set as SECUDIR.
CLI Example:
salt "*" sap_pse.maintain_pk_list pse_file="/usr/sap/hostctrl/exe/sec/SAPSSLS.pse"
- saltext.sap_pse._modules.sap_pse.seclogin_add(pse_file, pse_pwd=None, user=None, runas=None, groupas=None, secudir=None, **kwargs)[source]#
Wrapper for the function seclogin of the CLI tool sapgenpse. Creates Single Sign-On (SSO) credentials for a PSE / user. Such a credential lets that OS user open the PSE without supplying its PIN, so create it only for the user that actually runs the SAP component (e.g. sapadm for the SAP Host Agent).
- pse_file
  Equivalent to -p <pse-file>, i.e. the path of the PSE.
- pse_pwd
  Equivalent to -x <pin>, i.e. the PIN/passphrase for the PSE file. Default is no PIN.
- user
  Equivalent to -O <username>, i.e. create the SSO credential for the OTHER user <username>. Will be set to runas or the salt minion user if None.
- runas
  User that will run the command, default is the user that runs the salt minion.
- groupas
  Group that will run the command, default is the group that runs the salt minion.
- secudir
  SECUDIR to use. If not defined, the path of the PSE file will be set as SECUDIR.
CLI Example:
salt "*" sap_pse.seclogin_add pse_file="/usr/sap/hostctrl/exe/sec/SAPSSLS.pse" user="sapadm"
- saltext.sap_pse._modules.sap_pse.seclogin_contains(pse_file, pse_pwd=None, user=None, runas=None, groupas=None, secudir=None, **kwargs)[source]#
Wrapper for the function seclogin of the CLI tool sapgenpse. Returns success and whether Single Sign-On (SSO) credentials for the user already exist.
- pse_file
  Equivalent to -p <pse-file>, i.e. the path of the PSE.
- pse_pwd
  Equivalent to -x <pin>, i.e. the PIN/passphrase for the PSE file. Default is no PIN.
- user
  Equivalent to -O <username>, i.e. the user whose SSO credential is checked. Will be set to runas or the salt minion user if None.
- runas
  User that will run the command, default is the user that runs the salt minion.
- groupas
  Group that will run the command, default is the group that runs the salt minion.
- secudir
  SECUDIR to use. If not defined, the path of the PSE file will be set as SECUDIR.
CLI Example:
salt "*" sap_pse.seclogin_contains pse_file="/usr/sap/hostctrl/exe/sec/SAPSSLS.pse" user="sapadm"
- saltext.sap_pse._modules.sap_pse.seclogin_count(pse_file, runas=None, groupas=None, pse_pwd=None, secudir=None, **kwargs)[source]#
Wrapper for the function seclogin of the CLI tool sapgenpse. Returns success and the count of SSO credentials for the given PSE.
- pse_file
  Equivalent to -p <pse-file>, i.e. the path of the PSE.
- pse_pwd
  Equivalent to -x <pin>, i.e. the PIN/passphrase for the PSE file. Default is no PIN.
- runas
  User that will run the command, default is the user that runs the salt minion.
- groupas
  Group that will run the command, default is the group that runs the salt minion.
- secudir
  SECUDIR to use. If not defined, the path of the PSE file will be set as SECUDIR.
CLI Example:
salt "*" sap_pse.seclogin_count pse_file="/usr/sap/hostctrl/exe/sec/SAPSSLS.pse"
- saltext.sap_pse._modules.sap_pse.seclogin_delete(pse_file, pse_pwd=None, runas=None, groupas=None, secudir=None, **kwargs)[source]#
Wrapper for the function seclogin of the CLI tool sapgenpse. Removes all SSO credentials for a PSE file.
- pse_file
  Equivalent to -p <pse-file>, i.e. the path of the PSE.
- pse_pwd
  Equivalent to -x <pin>, i.e. the PIN/passphrase for the PSE file. Default is no PIN.
- runas
  User that will run the command, default is the user that runs the salt minion.
- groupas
  Group that will run the command, default is the group that runs the salt minion.
- secudir
  SECUDIR to use. If not defined, the path of the PSE file will be set as SECUDIR.
CLI Example:
salt "*" sap_pse.seclogin_delete pse_file="/usr/sap/hostctrl/exe/sec/SAPSSLS.pse"
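The following Python is an added example and not the saltext.sap_pse module's own code. It reconstructs, from the sapgenpse flags quoted on this page, what a wrapper like this one has to do for the functions above: locate sapgenpse (PATH first, then the SAP Host Agent copy named in the introduction), derive SECUDIR from the PSE path when none is given, and assemble the command line for gen_pse, import_p8, maintain_pk and seclogin. Two details are assumptions, not taken from the page: the DN for gen_pse and the PKCS#8 key file for import_p8 are passed as trailing positional arguments. The redact_argv helper makes the one point a practitioner should keep in mind: -x and -z place the PIN and the key passphrase in the process's argument vector, where any local user can read them from /proc/<pid>/cmdline for as long as sapgenpse runs. The runas/groupas switch of the real module (it hands the command to Salt's cmd runner) is not replicated here.

```python
"""Reconstruction of a sapgenpse command-line wrapper (added example, not the module's code)."""
import os
import shlex
import subprocess
from typing import Callable, List, Optional, Tuple

# Fallback location named on the page for hosts where sapgenpse is not in PATH.
HOSTCTRL_SAPGENPSE = "/usr/sap/hostctrl/exe/sapgenpse"

# Flags whose following value is a secret (PIN via -x, key passphrase via -z).
SECRET_FLAGS = {"-x", "-z"}


def locate_sapgenpse(
    path_env: str,
    exists: Callable[[str], bool] = os.path.isfile,
    fallback: str = HOSTCTRL_SAPGENPSE,
) -> Optional[str]:
    """Search each PATH directory for sapgenpse, then the SAP Host Agent copy; None if neither exists."""
    for directory in path_env.split(os.pathsep):
        if not directory:
            continue
        candidate = os.path.join(directory, "sapgenpse")
        if exists(candidate):
            return candidate
    return fallback if exists(fallback) else None


def secudir_for(pse_file: str, secudir: Optional[str] = None) -> str:
    """SECUDIR defaults to the directory holding the PSE (the page's 'path of the PSE file')."""
    return secudir if secudir else os.path.dirname(os.path.abspath(pse_file))


def build_argv(action: str, pse_file: str, pse_pwd: Optional[str] = None, **opts) -> List[str]:
    """Map the documented keyword arguments onto the sapgenpse flags quoted on the page."""
    argv = ["sapgenpse", action, "-p", pse_file]
    if pse_pwd is not None:
        argv += ["-x", pse_pwd]  # the PIN becomes part of argv, visible in /proc/<pid>/cmdline
    if action == "gen_pse":
        argv += ["-a", opts.get("algo", "RSA:2048:SHA512")]
        argv.append(opts["dn"])  # assumption: DN is the trailing positional argument
    elif action == "import_p8":
        argv += ["-c", opts["pub_key"]]
        if opts.get("priv_key_pwd") is not None:
            argv += ["-z", opts["priv_key_pwd"]]  # key passphrase, also exposed in argv
        for extra in (opts.get("add_certs") or [])[:10]:  # page: at most 10 additional files
            argv += ["-r", extra]
        argv.append(opts["priv_key"])  # assumption: PKCS#8 key file is the trailing argument
    elif action == "maintain_pk":
        for cert in opts.get("certs") or []:
            argv += ["-m", cert]
        if "del_cert" in opts:
            argv += ["-d", str(opts["del_cert"])]
    elif action == "seclogin":
        if opts.get("user"):
            argv += ["-O", opts["user"]]
    else:
        raise ValueError(f"unsupported sapgenpse action {action!r}")
    return argv


def redact_argv(argv: List[str]) -> str:
    """Render argv for a log line with secret values masked.

    Masking only protects the log: the running sapgenpse process still carries the
    real PIN/passphrase in its argument vector.
    """
    out, mask_next = [], False
    for token in argv:
        out.append("REDACTED" if mask_next else token)
        mask_next = token in SECRET_FLAGS
    return shlex.join(out)


def run_sapgenpse(argv: List[str], secudir: str, runner=subprocess.run) -> Tuple[bool, str]:
    """Execute argv with SECUDIR exported; returns (success, combined output).

    The runner is injectable so the flow can be exercised without sapgenpse installed.
    """
    env = dict(os.environ, SECUDIR=secudir)
    proc = runner(argv, env=env, capture_output=True, text=True, check=False)
    return proc.returncode == 0, (proc.stdout or "") + (proc.stderr or "")


if __name__ == "__main__":
    pse = "/usr/sap/hostctrl/exe/sec/SAPSSLA.pse"
    cmd = build_argv("gen_pse", pse, pse_pwd="s3cret", dn="cn=ANONYMOUS")
    print("would run:", redact_argv(cmd), "with SECUDIR =", secudir_for(pse))
```

The mapping shows why the module lets secudir be overridden: sapgenpse resolves relative PSE names and stores seclogin credentials relative to SECUDIR, so pointing SECUDIR at the wrong directory silently operates on a different PSE. When the minion runs as root and runas is set, the PIN also passes through whatever logging the command runner does; redact before logging, and prefer a PIN-less PSE protected by file permissions plus seclogin credentials over a PIN that has to be handed to every call.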
- saltext.sap_pse._modules.sap_pse.gen_verify_pse(pse_file=None, runas=None, groupas=None, **kwargs)[source]#
Wrapper for the function gen_verify_pse of the CLI tool sapgenpse. Creates a new PSE for verification only, i.e. without an own key pair; such a PSE carries nothing but a list of trusted certificates.
- pse_file
  Equivalent to -p <pse-file>, i.e. the path of the PSE.
- runas
  User that will run the command, default is the user that runs the salt minion.
- groupas
  Group that will run the command, default is the group that runs the salt minion.
Note
This will utilize the OpenSSL CA bundle returned by salt.utils.http.get_ca_bundle(), so the resulting PSE trusts every certificate authority trusted by the operating system. Unlike gen_pse, there is no add_ca_bundle switch here; use maintain_pk_delete to remove CAs that should not be trusted.
CLI Example:
salt "*" sap_pse.gen_verify_pse pse_file="/usr/sap/hostctrl/exe/sec/SAPSSLS.pse"