saltext.sap_pse._states.sap_pse

SaltStack extension for sapgenpse Copyright (C) 2022 SAP UCC Magdeburg

sapgenpse state module

SaltStack module that implements states based on sapgenpse functionality.

codeauthor: Benjamin Wegener, Alexander Wilke

maturity: new

depends: N/A

platform: Linux

This module implements states that utilize sapgenpse functionality and manage SAP PSEs (Personal Security Environments).

Note

This module can only run on Linux platforms.

saltext.sap_pse._states.sap_pse.managed(name, user=None, group=None, seclogons=None, pin=None, priv_key=None, priv_key_pw=None, pub_key=None, trusted_certs=None, backup=False, add_ca_bundle=True, dn=None, **kwargs)

Create or manage a SAP PSE keystore based on a public / private key pair. If no public / private key pair is given, a PSE with the given DN is managed instead.

name

The path to the PSE file.

user

User to run all commands as, e.g. sidadm. If not provided, defaults to the owner of the PSE file if it already exists, otherwise to the user that runs the salt minion.

group

Group under which all commands are run.

seclogons

List of users for which SSO credentials (cred_v2) are stored. Empty by default.

pin

The PIN of the keystore. Supply it from pillar or a secret backend (see the vault slot in the example below) rather than as a literal in the state file.

priv_key

Private key file, e.g. /etc/pki/{{ __grains__["id"] }}.key

priv_key_pw

Password of the private key file, default is None (unencrypted key).

pub_key

Public key (certificate) file, e.g. /etc/pki/{{ __grains__["id"] }}.crt

trusted_certs

List of trusted certificate files that should be added to the PSE's trust list.

backup

Set to True if a backup of an existing PSE file should be made before it is replaced.

add_ca_bundle

Set to False if the host's CA bundle should not be added to the PSE during creation. Leave it at True only if every CA in the system bundle should be trusted by the application consuming the PSE.

dn

Distinguished Name of the PSE. Used when no public / private key pair is given.

The intended use of this state is to take a previously signed X.509 key pair and create a PSE based on these files. The PSE can then be consumed by other applications (e.g. Host Agent, HANA, NetWeaver etc.).

Note

Remember to inform the application of changes to the PSE (re-/created), e.g. by restarting it; the application keeps using the old keystore until it reloads.

Example:

SAP Host Agent PSE is managed:
  sap_pse.managed:
    - name: /usr/sap/hostctrl/exe/sec/SAPSSLS.pse
    - user: sapadm
    - group: sapsys
    - seclogons:
      - sapadm
    - pin: __slot__:salt:vault.read_secret(path="certstores/pse", key="/usr/sap/hostctrl/exe/sec/SAPSSLS.pse")
    - priv_key: /etc/pki/{{ grains["id"] }}.key
    - pub_key: /etc/pki/{{ grains["id"] }}.crt
    - backup: True
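A second form, added here as an illustration and not taken from the project's documentation, manages a PSE from a Distinguished Name only (no key pair), replaces the host CA bundle with an explicit trust list, and restarts the consuming application only when the PSE actually changed, which is what the note above asks for. The PSE file name, the DN, the certificate paths, the vault key and the saphostexec restart command are assumptions for this example.

```yaml
# Added example (not from the saltext.sap_pse docs): DN-based PSE without an
# existing key pair, explicit trust list, host CA bundle excluded.
# PSE file name, DN, certificate paths, vault key and restart command are
# assumptions.
SAP Host Agent client PSE is managed from a DN:
  sap_pse.managed:
    - name: /usr/sap/hostctrl/exe/sec/SAPSSLC.pse
    - user: sapadm
    - group: sapsys
    - dn: "CN={{ grains['fqdn'] }}, OU=Host Agent, O=Example Org, C=DE"
    - pin: __slot__:salt:vault.read_secret(path="certstores/pse", key="/usr/sap/hostctrl/exe/sec/SAPSSLC.pse")
    - seclogons:
      - sapadm
    # Only these CAs end up in the PSE trust list; the system bundle is not
    # merged in, so the Host Agent does not trust every public CA by accident.
    - trusted_certs:
      - /etc/pki/trust/anchors/corp-root-ca.crt
      - /etc/pki/trust/anchors/corp-issuing-ca.crt
    - add_ca_bundle: False
    - backup: True

# The consuming application has to be told about a re-/created PSE. An
# onchanges requisite runs the restart only when the state above reported a
# change, not on every highstate run. The restart command is assumed.
SAP Host Agent is restarted after PSE change:
  cmd.run:
    - name: /usr/sap/hostctrl/exe/saphostexec -restart
    - onchanges:
      - sap_pse: SAP Host Agent client PSE is managed from a DN
```

Because `onchanges` keys on the result of the `sap_pse` state, a run in which the PSE is already in the desired form leaves the Host Agent untouched.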
saltext.sap_pse._states.sap_pse.absent(name, secudir=None, user=None, pin=None, **kwargs)

Ensure that a PSE is absent from the system.

name

Path of the PSE file to remove.

secudir

SECUDIR directory, required to determine the location of the cred_v2 SSO credential file so that the credentials stored for this PSE are removed along with it.

user

User to run the commands as.

pin

The PIN of the keystore, needed to remove the SSO credentials belonging to it.
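An added example for absent (not from the project's documentation): the PSE and the matching cred_v2 SSO entry are removed together, which is why secudir is passed; without it the credential file for the deleted PSE stays behind in SECUDIR. The paths and the vault key are assumptions.

```yaml
# Added example (not from the saltext.sap_pse docs). Paths and the vault key
# are assumptions. secudir points at the directory holding cred_v2, so the
# SSO credential stored for this PSE is removed as well, not only the file.
Old SAP Host Agent PSE is absent:
  sap_pse.absent:
    - name: /usr/sap/hostctrl/exe/sec/SAPSSLS.pse
    - secudir: /usr/sap/hostctrl/exe/sec
    - user: sapadm
    - pin: __slot__:salt:vault.read_secret(path="certstores/pse", key="/usr/sap/hostctrl/exe/sec/SAPSSLS.pse")
```

After the state has run, check that no entry for the removed PSE remains in the cred_v2 file under secudir; a stale entry there is the usual leftover when secudir is omitted.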