updated sso
diff --git a/README.md b/README.md
index e5b1845..ced58c6 100644
--- a/README.md
+++ b/README.md
@@ -6,29 +6,26 @@
 Requirements
 ------------
 
-None
+This role requires elevated priviledge to install OpenSSL.  
 
 Role Variables
 --------------
 
-
-edge_sso_installation_config_filename: edge-sso-installer-config.conf
-edge_sso_installation_config_file: "{{ opdk_installer_path }}/{{ edge_sso_installation_config_filename }}"
-
-verification_private_key: private_key.pem
-signing_public_key: public_key.pem
-
-saml_private_server_key: server.key
-saml_private_encryption_type: aes256
-saml_private_key_size: 1024
-
-saml_self_key_size: 2048
-saml_cert_signing_request: server.csr
-saml_cert_self_signed: server.crt
-saml_cert_encryption_type: sha256
-saml_cert_expiry_days: 365
-saml_cert_subject: "/C=US/O=google/OU=apigee/CN=apigee.com"
-
+| Variable Name | Description |
+| --- | --- |
+| edge_sso_installation_config_filename | edge-sso-installer-config.conf |
+| edge_sso_installation_config_file | "{{ opdk_installer_path }}/{{ edge_sso_installation_config_filename }}" |
+| verification_private_key | private_key.pem |
+| signing_public_key | public_key.pem |
+| saml_private_server_key | server.key |
+| saml_private_encryption_type | aes256 |
+| saml_private_key_size | 1024 |
+| saml_self_key_size | 2048 |
+| saml_cert_signing_request | server.csr |
+| saml_cert_self_signed | server.crt |
+| saml_cert_encryption_type | sha256 |
+| saml_cert_expiry_days | 365 |
+| saml_cert_subject | "/C=US/O=google/OU=apigee/CN=apigee.com" |
 
 Dependencies
 ------------
diff --git a/defaults/main.yml b/defaults/main.yml
index ae8558c..b793997 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,19 +1,20 @@
 ---
 # defaults file for apigee-opdk-setup-edge-sso
-
 edge_sso_installation_config_filename: edge-sso-installer-config.conf
 edge_sso_installation_config_file: "{{ opdk_installer_path }}/{{ edge_sso_installation_config_filename }}"
 
-verification_private_key: private_key.pem
-signing_public_key: public_key.pem
+jwt_key_folder: "{{ apigee_home }}/customer/application/apigee-sso/jwt-keys"
+jwt_private_key: private_key.pem
+jwt_public_key: public_key.pem
+jwt_key_size: 2048
 
-saml_private_server_key: server.key
+saml_folder: "{{ apigee_home }}/customer/application/apigee-sso/saml"
+saml_private_key: server.key
 saml_private_encryption_type: aes256
 saml_private_key_size: 1024
 
-saml_self_key_size: 2048
 saml_cert_signing_request: server.csr
-saml_cert_self_signed: server.crt
+saml_cert_self_signed_cert: server.crt
 saml_cert_encryption_type: sha256
 saml_cert_expiry_days: 365
 saml_cert_subject: "/C=US/O=google/OU=apigee/CN=apigee.com"
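Review bot: `saml_private_key_size: 1024` is left untouched in this hunk while the new `jwt_key_size` defaults to 2048. A 1024-bit RSA key is below the 2048-bit minimum that current guidance (for example NIST SP 800-131A) expects for keys that sign, so the SAML default should be raised too: `saml_private_key_size: 2048`. The renames (`verification_private_key` to `jwt_private_key`, `saml_private_server_key` to `saml_private_key`, `saml_cert_self_signed` to `saml_cert_self_signed_cert`) mean existing inventory overrides under the old names will be ignored without any error. The README table in this same commit still lists the old names and the removed `saml_self_key_size`. A one-line comment above each group would help, e.g. `# RSA modulus size in bits for the SAML key pair`.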
diff --git a/tasks/create-private-key-and-self-signed-cert.yml b/tasks/create-private-key-and-self-signed-cert.yml
index d4322d6..a197513 100644
--- a/tasks/create-private-key-and-self-signed-cert.yml
+++ b/tasks/create-private-key-and-self-signed-cert.yml
@@ -1,8 +1,4 @@
 ---
-- name: Set SAML folder path
-  set_fact:
-    saml_folder: "{{ apigee_home }}/customer/application/apigee-sso/saml"
-
 - block:
   - name: Create SAML folder
     file:
@@ -18,33 +14,33 @@
     register: passphrase
 
   - name: Generate your private key with a passphrase
-    command: "openssl genrsa -{{ saml_private_encryption_type }} -passout pass:{{ passphrase.stdout }} -out {{ saml_private_server_key }} {{ saml_private_key_size }}"
+    command: "openssl genrsa -{{ saml_private_encryption_type }} -passout pass:{{ passphrase.stdout }} -out {{ saml_private_key }} {{ saml_private_key_size }}"
     args:
       chdir: "{{ saml_folder }}"
 
-  - name: Prep to remove Passphrase from Key
+  - name: Prep to remove passphrase from Key
     copy:
-      dest: "{{ saml_folder }}/remove-passphrase-{{ saml_private_server_key }}"
-      src: "{{ saml_folder }}/{{ saml_private_server_key }}"
+      dest: "{{ saml_folder }}/remove-passphrase-{{ saml_private_key }}"
+      src: "{{ saml_folder }}/{{ saml_private_key }}"
       remote_src: yes
 
   - name: Remove the passphrase from the key
-    shell: "openssl rsa -in remove-passphrase-{{ saml_private_server_key }} -passin pass:{{ passphrase.stdout }} -out {{ saml_private_server_key }}"
+    shell: "openssl rsa -in remove-passphrase-{{ saml_private_key }} -passin pass:{{ passphrase.stdout }} -out {{ saml_private_key }}"
     args:
       chdir: "{{ saml_folder }}"
 
-  - name: Delete Passphrase remove file
+  - name: Clean up passphrase removal file
     file:
-      path: "{{ saml_folder }}/remove-passphrase-{{ saml_private_server_key }}"
+      path: "{{ saml_folder }}/remove-passphrase-{{ saml_private_key }}"
       state: absent
 
   - name: Generate certificate signing request for CA
-    shell: "openssl req -x509 -sha256 -new -passin pass:{{ passphrase.stdout }}  -key {{ saml_private_server_key }} -out {{ saml_cert_signing_request }} -subj {{ saml_cert_subject }}"
+    shell: "openssl req -x509 -sha256 -new -passin pass:{{ passphrase.stdout }}  -key {{ saml_private_key }} -out {{ saml_cert_signing_request }} -subj {{ saml_cert_subject }}"
     args:
       chdir: "{{ saml_folder }}"
 
   - name: Generate self-signed certificate with 365 days expiry-time
-    shell: "openssl x509 -{{ saml_cert_encryption_type }} -days {{ saml_cert_expiry_days }} -in {{ saml_cert_signing_request }} -signkey {{ saml_private_server_key }} -out {{ saml_cert_self_signed }}"
+    shell: "openssl x509 -{{ saml_cert_encryption_type }} -days {{ saml_cert_expiry_days }} -in {{ saml_cert_signing_request }} -signkey {{ saml_private_key }} -out {{ saml_cert_self_signed_cert }}"
     args:
       chdir: "{{ saml_folder }}"
 
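Review bot: The genrsa, rsa and req tasks in this hunk still pass the generated passphrase as `pass:{{ passphrase.stdout }}` on the openssl command line, so it is visible in the target host's process listing while the command runs and is recorded in Ansible's task output and callback logs. Consider adding `no_log: true` to these tasks and passing the value through the environment instead, e.g. `-passout env:SAML_KEY_PASS` with `environment: {SAML_KEY_PASS: "{{ passphrase.stdout }}"}` (the variable name is only an example). The same pattern is introduced in tasks/create-verification-and-signing-key.yml. After the rsa step the private key is unencrypted on disk and no `mode:` appears in this hunk, so confirm it is restricted to the service account, e.g. `mode: "0600"`. The enclosing block starts outside the hunk, so that may already be set elsewhere.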
diff --git a/tasks/create-verification-and-signing-key.yml b/tasks/create-verification-and-signing-key.yml
index 8cb3569..0a4741c 100644
--- a/tasks/create-verification-and-signing-key.yml
+++ b/tasks/create-verification-and-signing-key.yml
@@ -1,41 +1,42 @@
 ---
-- name: Set jwt-keys path
-  set_fact:
-    jwt_key_folder: "{{ apigee_home }}/customer/application/apigee-sso/jwt-keys"
+- become:
+  - name: Create folder for jwt-keys
+    file:
+      path: "{{ jwt_key_folder }}"
+      state: directory
+      owner: "{{ opdk_user_name }}"
+      group: "{{ opdk_group_name }}"
 
-- name: Create folder for jwt-keys
-  become: yes
-  file:
-    path: "{{ jwt_key_folder }}"
-    state: directory
-    owner: "{{ opdk_user_name }}"
-    group: "{{ opdk_group_name }}"
+  - name: Generate a passphrase
+    command: "openssl rand -base64 48"
+    args:
+      chdir: "{{ jwt_key_folder }}"
+    register: passphrase
 
-- name: Create Signing Key
-  become: yes
-  shell: "openssl genrsa -out {{ verification_private_key }} {{ saml_self_key_size }}"
-  args:
-    chdir: "{{ jwt_key_folder }}"
+  - name: Create Signing Key
+    shell: "openssl genrsa -passout pass:{{ passphrase.stdout }} -out {{ jwt_private_key }} {{ jwt_key_size }}"
+    args:
+      chdir: "{{ jwt_key_folder }}"
 
-- name: Generate Verification Key
-  become: yes
-  shell: "openssl rsa -pubout -in {{ verification_private_key }} -out {{ signing_public_key }}"
-  args:
-    chdir: "{{ jwt_key_folder }}"
+  - name: Prep to remove passphrase from Key
+    copy:
+      dest: "{{ jwt_key_folder }}/remove-passphrase-{{ jwt_private_key }}"
+      src: "{{ jwt_key_folder }}/{{ jwt_private_key }}"
+      remote_src: yes
 
-#- name: Collect .pem files
-#  find:
-#    paths: "{{ jwt_key_folder }}"
-#    patterns: '*.pem'
-#  register: pems
+  - name: Remove the passphrase from the key
+    shell: "openssl rsa -in remove-passphrase-{{ jwt_private_key }} -passin pass:{{ passphrase.stdout }} -out {{ jwt_private_key }}"
+    args:
+      chdir: "{{ jwt_key_folder }}"
 
-#- name: Set ownship of certs
-#  become: yes
-#  file:
-#    path: "{{ item.1.path }}"
-#    state: touch
-#    owner: "{{ opdk_user_name }}"
-#    group: "{{ opdk_group_name }}"
-#  with_subelements:
-#  - "{{ pems.results }}"
-#  - files
\ No newline at end of file
+  - name: Clean up passphrase removal file
+    file:
+      path: "{{ jwt_key_folder }}/remove-passphrase-{{ jwt_private_key }}"
+      state: absent
+
+  - name: Generate Verification Key
+    shell: "openssl rsa -pubout -in {{ jwt_private_key }} -out {{ jwt_public_key }}"
+    args:
+      chdir: "{{ jwt_key_folder }}"
+
+  become: yes
\ No newline at end of file
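Review bot: The wrapper on the first added line is written `- become:` with the task list as its value, and the same mapping ends with a second `become: yes`. That is a duplicate key; most YAML loaders keep the last value, so Ansible would likely see an item with no action or task list. It should almost certainly be `- block:`, as in create-private-key-and-self-signed-cert.yml. Separately, `openssl genrsa -passout pass:…` is given no cipher option here (the SAML task passes `-{{ saml_private_encryption_type }}`), so the key is probably written unencrypted. In that case the passphrase, copy and strip steps add nothing and only expose the passphrase on the command line. The new file also still lacks a trailing newline.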