ocpattrauth

Module for managing the OCP attribute authority service

7,029 downloads

6,759 latest version

1.9 quality score

Version information

  • 0.0.2 (latest)
  • 0.0.1 (deleted)
released Feb 17th 2017
This version is compatible with:
  • Puppet Enterprise >= 3.0.0 < 2015.4.0
  • Puppet >= 3.0.0 < 5.0.0

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'infnpd-ocpattrauth', '0.0.2'
Add this module to your Bolt project:

bolt module add infnpd-ocpattrauth
Manually install this module globally with Puppet module tool:

puppet module install infnpd-ocpattrauth --version 0.0.2

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Documentation

infnpd/ocpattrauth — version 0.0.2 Feb 17th 2017

Puppet module for OCP Attribute Authority

This module installs and configures the OCP Attribute Authority service

Dependencies

Supported OS

  • RedHat, CentOS (version >= 7)
  • Ubuntu (version >= 14.04)

Configuration

Hiera parameters (mandatory):

  • ocp::aa::db::password: password for accessing the application database
  • ocp::aa::db::root_password: password for the MySQL administrator
  • ocp::tomcat::keystore::alias: the alias of the service credential inside the keystore file
  • ocp::tomcat::keystore::file: location of the keystore file containing the service credentials (format: PKCS12 or JKS)
  • ocp::tomcat::keystore::password: password protecting the keystore file

Hiera parameters (optional):

  • ocp::aa::entityid: SAML entity id for the application, default <host>:<port>:it.infn.security.saml
  • ocp::aa::host: host name for the tomcat installation, default fully qualified host name from facter
  • ocp::aa::port: port for the tomcat installation, default 443
  • ocp::aa::contacts: list of contacts published via metadata, default empty list
  • ocp::aa::metadata_expiration: metadata lifetime in seconds, default 432000
  • ocp::aa::organization: hash table of the localized organization data, one key per language identifier (such as en), default empty hash
  • ocp::aa::war_file::url: URL of the application war file, default http://igi-01.pd.infn.it/mrepo/OCP/AttributeAuthority/saml2-attribute-authority.war
  • ocp::aa::db::host: host name of the application database, default fully qualified host name from facter
  • ocp::aa::db::name: name of the application database, default saml2aadb
  • ocp::aa::db::port: port of the application database, default 3306
  • ocp::aa::db::user: user for accessing the application database, default srvuser
  • ocp::aa::db::bind_address: bind address for the application database, default 0.0.0.0
  • ocp::aa::db::max_conn: maximum number of connections allowed for the application database, default 500
  • ocp::tomcat::keystore::type: type of the keystore, default JKS
  • ocp::tomcat::truststore::file: location of the truststore, default /etc/pki/ca-trust/extracted/java/cacerts
  • ocp::tomcat::truststore::password: password for the truststore, default changeit
  • ocp::tomcat::truststore::type: type of the truststore, default JKS

The contact object published via metadata is a hash table with the following keys:

  • type: object type (support, technical, administrative, billing), default support
  • givenname: contact first name, default unknown
  • surname: contact family name, default unknown
  • email: contact email address, default unknown
  • phone: contact phone number, default unknown

The localized organization data is a hash table with the following keys:

  • name: Short name for the organization
  • displayname: Description for the organization
  • url: URL of the organization home page

Example of stand-alone installation and configuration

Puppet setup

Check that the hostname and FQDN are correctly detected by puppet:

facter | grep hostname
facter | grep fqdn

In the following examples the fully qualified host name (FQDN) will be myhost.mydomain

Install the OCP Attribute Authority module for puppet: puppet module install infnpd-ocpattrauth

Create the required directories: mkdir -p /etc/puppet/manifests /var/lib/hiera/node

Edit the file /etc/puppet/manifests/site.pp as:

node 'myhost.mydomain' {
  require ocpattrauth
}

Edit the file /etc/hiera.yaml as:

---
:backends:
  - yaml
:hierarchy:
  - "node/%{fqdn}"
:yaml:
  :datadir: /var/lib/hiera

Link the hiera configuration to puppet: ln -s /etc/hiera.yaml /etc/puppet/hiera.yaml

Edit the OCP Attribute Authority description file /var/lib/hiera/node/myhost.mydomain.yaml, an example of minimal configuration is:

---
ocp::aa::port :                    8443
ocp::aa::db::password :            aadb_pa$$word
ocp::aa::db::root_password :       rootdb_pa$$word
ocp::tomcat::keystore::file :      /etc/security/servicekeys.p12
ocp::tomcat::keystore::password :  keystore_pa$$phrase
ocp::tomcat::keystore::alias :     tomcat
ocp::tomcat::keystore::type :      PKCS12

ocp::aa::contacts : [
    {
        givenname : Michael,
        surname :   Knight,
        email :     micheal.night@example.com,
        phone :     +01 54235738543
    }
]

ocp::aa::organization : {
    en : {
        name :        "OCP",
        displayname : "OpenCityPlatform",
        url : "http://www.opencityplatform.it"
    }
}
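The hiera keys listed under Configuration and the minimal node file above can be checked before running puppet. The following Ruby script is an added example and not part of the ocpattrauth module; it assumes hiera node files are plain YAML as shown above, and it treats the documented defaults for ocp::aa::db::bind_address (0.0.0.0) and ocp::tomcat::truststore::password (changeit) as settings worth a warning.

```ruby
# Added example, not part of the ocpattrauth module: a sanity check for the
# hiera node file (/var/lib/hiera/node/<fqdn>.yaml) against the keys above.
require 'yaml'

MANDATORY = %w[ocp::aa::db::password ocp::aa::db::root_password
               ocp::tomcat::keystore::alias ocp::tomcat::keystore::file
               ocp::tomcat::keystore::password].freeze
CONTACT_TYPES = %w[support technical administrative billing].freeze

# Returns [errors, warnings]; an empty error list means the file is usable.
def check_ocp_hiera(yaml_text)
  cfg = YAML.safe_load(yaml_text) || {}
  errors, warnings = [], []
  MANDATORY.each { |k| errors << "missing mandatory key #{k}" unless cfg.key?(k) }
  ks_type = cfg.fetch('ocp::tomcat::keystore::type', 'JKS')
  errors << "unsupported keystore type #{ks_type}" unless %w[JKS PKCS12].include?(ks_type)
  port = cfg.fetch('ocp::aa::port', 443)
  errors << "invalid port #{port}" unless port.is_a?(Integer) && (1..65535).cover?(port)
  Array(cfg['ocp::aa::contacts']).each_with_index do |c, i|
    type = c.fetch('type', 'support')
    errors << "contact #{i}: unknown type #{type}" unless CONTACT_TYPES.include?(type)
    errors << "contact #{i}: email looks invalid" unless c['email'].to_s.include?('@')
  end
  (cfg['ocp::aa::organization'] || {}).each do |lang, org|
    %w[name displayname url].each { |f| errors << "organization #{lang}: missing #{f}" unless org.key?(f) }
  end
  # Defaults a deployer should override: the database binds to every interface
  # and the truststore keeps its well-known default password.
  warnings << 'database bind address is 0.0.0.0 (all interfaces)' if cfg.fetch('ocp::aa::db::bind_address', '0.0.0.0') == '0.0.0.0'
  warnings << 'truststore still uses the default password changeit' if cfg.fetch('ocp::tomcat::truststore::password', 'changeit') == 'changeit'
  [errors, warnings]
end

# Constructed sample mirroring the minimal configuration in the README.
SAMPLE = <<~'YAML'
  ocp::aa::port: 8443
  ocp::aa::db::password: aadb_pa$$word
  ocp::aa::db::root_password: rootdb_pa$$word
  ocp::tomcat::keystore::file: /etc/security/servicekeys.p12
  ocp::tomcat::keystore::password: keystore_pa$$phrase
  ocp::tomcat::keystore::alias: tomcat
  ocp::tomcat::keystore::type: PKCS12
  ocp::aa::contacts: [{ givenname: Michael, surname: Knight, email: michael.knight@example.com, phone: "+01 54235738543" }]
  ocp::aa::organization: { en: { name: OCP, displayname: OpenCityPlatform, url: "http://www.opencityplatform.it" } }
YAML
puts check_ocp_hiera(SAMPLE).inspect
```

Run it against the real node file with `check_ocp_hiera(File.read('/var/lib/hiera/node/myhost.mydomain.yaml'))` before the first puppet run.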