saltext.sap_pse._states.sap_pse
SaltStack extension for sapgenpse Copyright (C) 2022 SAP UCC Magdeburg
sapgenpse state module
SaltStack module that implements states based on sapgenpse functionality.
- codeauthor: Benjamin Wegener, Alexander Wilke
- maturity: new
- depends: N/A
- platform: Linux
This module implements states that utilize sapgenpse functionality and manages SAP PSEs (Personal Security Environments).
Note: This module can only run on Linux platforms.
- saltext.sap_pse._states.sap_pse.managed(name, user=None, group=None, seclogons=None, pin=None, priv_key=None, priv_key_pw=None, pub_key=None, trusted_certs=None, backup=False, add_ca_bundle=True, dn=None, **kwargs)
Create or manage a SAP PSE keystore based on a public / private key pair. If no public / private key pair is given, a PSE with the given DN is managed.
- name
The path to the pse file.
- user
User to run all commands as, e.g. sidadm. If not provided, this defaults to either the owner of the PSE file or the user that runs the salt minion.
- group
Group under which all commands are run.
- seclogons
List of users to store SSO credentials for. Empty by default.
- pin
The pin of the keystore.
- priv_key
Private key file, e.g. /etc/pki/{{ __grains__["id"] }}.key
- priv_key_pw
Private key password; defaults to None.
- pub_key
Public key file, e.g. /etc/pki/{{ __grains__["id"] }}.crt
- trusted_certs
List of trusted certificates that should be added to the PSE.
- backup
Set to True if a backup of an existing file should be made.
- add_ca_bundle
Set to False if the VM's CA bundle should not be added to the PSE during creation.
- dn
Distinguished Name of the PSE.
The intended use of this state is to take a previously signed X.509 key pair and create a PSE based on these files. The PSE can then be consumed by other applications (e.g. Host Agent, HANA, NetWeaver etc.).
Note: Remember to inform the application of changes to the PSE (re-/created)!
Example:

    SAP Host Agent PSE is managed:
      sap_pse.managed:
        - name: /usr/sap/hostctrl/exe/sec/SAPSSLS.pse
        - user: sapadm
        - group: sapsys
        - seclogons:
          - sapadm
        - pin: __slot__:salt:vault.read_secret(path="certstores/pse", key="/usr/sap/hostctrl/exe/sec/SAPSSLS.pse")
        - priv_key: /etc/pki/{{ grains["id"] }}.key
        - pub_key: /etc/pki/{{ grains["id"] }}.crt
        - backup: True
- saltext.sap_pse._states.sap_pse.absent(name, secudir=None, user=None, pin=None, **kwargs)
Ensure that a PSE is absent from the system.
- name
Name of the PSE file.
- secudir
The SECUDIR directory, required to determine the location of the cred_v2 SSO credential files.
- user
User to run the command with.
- pin
The pin of the keystore.
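A second SLS example, added here and not part of the module's own documentation, showing the DN-only variant of sap_pse.managed (no key pair, custom trust list instead of the VM CA bundle), a reload hook so the consuming application learns about a re-/created PSE, and sap_pse.absent with secudir. The SID, paths, DN, certificate file names and the reload command are assumptions.

```yaml
# Added example, not from the sap_pse documentation. All paths, the DN, the
# <sid>adm user and the reload command below are assumptions for illustration.

# PSE created from a DN only (no signed key pair yet). add_ca_bundle is turned
# off and an explicit trust list is supplied instead, so the PSE trusts only
# the listed CAs.
Internal client PSE is managed:
  sap_pse.managed:
    - name: /usr/sap/S4H/D00/sec/internal.pse          # assumed path
    - user: s4hadm                                      # assumed <sid>adm user
    - group: sapsys
    - dn: "CN=s4h-app01.example.internal, OU=SAP, O=Example, C=DE"  # assumed
    - pin: __slot__:salt:vault.read_secret(path="certstores/pse", key="/usr/sap/S4H/D00/sec/internal.pse")
    - add_ca_bundle: False
    - trusted_certs:
      - /etc/pki/trust/anchors/internal-root.crt         # assumed file
      - /etc/pki/trust/anchors/internal-issuing.crt      # assumed file
    - backup: True

# Inform the consuming application of the (re-)created PSE. onchanges runs the
# command only when the sap_pse state above reports a change.
Consuming application picks up the new PSE:
  cmd.run:
    - name: /path/to/application-reload-command         # assumed, application specific
    - runas: s4hadm
    - onchanges:
      - sap_pse: Internal client PSE is managed

# Remove an obsolete PSE together with its cred_v2 SSO entries; secudir tells
# the state where those credential files live.
Obsolete PSE is absent:
  sap_pse.absent:
    - name: /usr/sap/S4H/D00/sec/old.pse               # assumed path
    - secudir: /usr/sap/S4H/D00/sec                     # assumed SECUDIR
    - user: s4hadm
    - pin: __slot__:salt:vault.read_secret(path="certstores/pse", key="/usr/sap/S4H/D00/sec/old.pse")
```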