PAM Certificates

The PAM Ansible playbook update_webcerts.yml offers a simple mechanism to update PAM web certificates for PAM master nodes, and propagate them to all remote worker nodes in the farm.

In this scheme, PAM certificates and passwords are maintained on the Ansible controller and pushed out to PAM master nodes as needed.

If a load balancer is in use for a PAM farm, new certificates on the PAM master nodes may need to be imported or white-listed in the load balancer. Otherwise the load balancer may not trust or recognize them.

PAM Web Certificate Files

PAM web certificates should be stored in PFX, PKCS12, or JKS file format. These formats bundle the SSL certificate and its private key in a single file. The file must be encrypted (password-protected) to protect the private key.

Each PAM master node may have its own certificate file, or all PAM master nodes may use the same certificate file (often a wildcard certificate).

If different certificate files are used for different PAM master nodes, the file encryption password may be the same or different between files.

Ansible Variables

The following variables control how certificates map to PAM master nodes:

Variable                    Notes
pam_webcert_file            Path to the certificate file on the Ansible controller. This is a required input.
pam_webcert_password        Certificate file encryption password. Either this or pam_webcert_password_file must be set.
pam_webcert_password_file   Path to a text file on the Ansible controller containing the certificate file encryption password.

If a single certificate and password file is used for all PAM nodes, it may be set in group_vars/all.yml like this:

pam_webcert_file: /path/to/pam/certs/pam.pfx
pam_webcert_password_file: /path/to/pam/certs/private/pam.pfxpw

Standard Ansible substitution works, so if the certificates are stored in a folder relative to the inventory file:

pam_webcert_file: "{{inventory_dir}}/certs/pam.pfx"
pam_webcert_password_file: "{{inventory_dir}}/certs/pam.pfxpw"

If each PAM master node uses its own certificate and the filenames are derived from the hostnames, the variables can be set like this:

pam_webcert_file: "{{inventory_dir}}/certs/{{inventory_hostname}}.pfx"
pam_webcert_password_file: "{{inventory_dir}}/certs/{{inventory_hostname}}.pfxpw"

The variable pam_webcert_password should not be stored in plain text in a host_vars or group_vars file. It may be set in an encrypted Ansible vault file instead, or read from an environment variable:

pam_webcert_file: "{{inventory_dir}}/certs/web.pfx"
pam_webcert_password: "{{lookup('env', 'PAM_WEBCERT_PASSWORD')}}"
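A controller-side pre-flight check for the two files these variables point at, as an added example that is not part of the playbook: it confirms that the PFX/PKCS12 file decrypts with the password held in the password file (so the file really is encrypted, with the expected password) and that the password file is readable only by its owner. The function name, the self-signed demo certificate and the paths are constructed here; JKS files are not covered because openssl does not read them.

```bash
#!/usr/bin/env bash
# Added pre-flight check for update_webcerts.yml inputs (not part of the playbook).
# Usage: webcert_check /path/to/pam.pfx /path/to/pam.pfxpw
# Returns 0 when the PKCS12 file opens with the stored password and the
# password file is readable only by its owner; non-zero otherwise.
webcert_check() {
    local pfx="$1" pwfile="$2" mode
    [ -r "$pfx" ]    || { echo "missing certificate file: $pfx" >&2; return 2; }
    [ -r "$pwfile" ] || { echo "missing password file: $pwfile" >&2; return 2; }

    # The password file guards the private key: refuse group/world access.
    mode=$(stat -c '%a' "$pwfile" 2>/dev/null || stat -f '%Lp' "$pwfile")
    case "$mode" in
        600|400) ;;
        *) echo "password file $pwfile has mode $mode; expected 600 or 400" >&2; return 3 ;;
    esac

    # Decrypt with the stored password and print subject/expiry for the run log.
    # A wrong password, or an unencrypted file used with a non-empty password, fails here.
    if ! openssl pkcs12 -in "$pfx" -nokeys -passin "file:$pwfile" 2>/dev/null \
         | openssl x509 -noout -subject -enddate 2>/dev/null; then
        echo "cannot open $pfx with the password in $pwfile" >&2
        return 4
    fi
}

# Constructed demo input: a throwaway self-signed certificate exported to PKCS12
# with the password stored in a mode-600 password file, as the page describes.
make_demo_pfx() {
    local dir="$1" pw="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=pam-demo.example' \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    printf '%s' "$pw" > "$dir/pam.pfxpw"
    chmod 600 "$dir/pam.pfxpw"
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -out "$dir/pam.pfx" -passout "file:$dir/pam.pfxpw"
}
```

Run the check against the real pam_webcert_file and pam_webcert_password_file paths before invoking the playbook; a non-zero exit means the playbook would fail or would push a file it cannot open.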

Ansible Playbooks

The update_webcerts.yml playbook can be run at any time. If the certificate files on the Ansible controller have not changed, no corresponding change should be made to any PAM node. Example command:

ansible-playbook -i mypam.ini -e @mypam.vars -e @mypam.vault --ask-vault-pass playbooks/update_webcerts.yml

What this does: