The ThalesGroup CipherTrust collection includes a variety of Ansible modules to help automate the configuration of Thales CipherTrust Manager as well as the configuration of various CipherTrust Data Security Platform (CDSP) connectors such as CipherTrust Transparent Encryption (CTE) and Data Protection Gateway (DPG). This collection is maintained by the ThalesGroup Developer Advocacy team.
The primary purpose of this collection is to simplify, through automation, the configuration of CipherTrust Data Security Platform connectors and the management of cryptographic keys. By leveraging this collection, organizations can automate security-related tasks such as defining access and protection policies and managing user- and group-based data access, which reduces manual intervention, minimizes errors, and ensures consistent and repeatable deployments. This leads to increased efficiency, faster deployments, and a more agile IT infrastructure.
Tested with Ansible Core 2.15.0 and later, and with the current development version of Ansible. Ansible Core versions prior to 2.15.0 are not supported.
Tested with Python version 3.7 and above.
Tested with Thales CipherTrust Manager version 2.17.0.12772 and higher.
Before using this collection, you need to install it with the Ansible Galaxy command-line tool:
```bash
ansible-galaxy collection install thalesgroup.ciphertrust
```
You can also include it in a `requirements.yml` file and install it with `ansible-galaxy collection install -r requirements.yml`, using the format:
```yaml
collections:
  - name: thalesgroup.ciphertrust
```
Note that if you install any collections from Ansible Galaxy, they will not be upgraded automatically when you upgrade the Ansible package. To upgrade the collection to the latest available version, run the following command:
```bash
ansible-galaxy collection install thalesgroup.ciphertrust --upgrade
```
You can also install a specific version of the collection, for example, if you need to downgrade when something is broken in the latest version (please report an issue in this repository). Use the following syntax to install version 1.0.0:
```bash
ansible-galaxy collection install thalesgroup.ciphertrust:==1.0.0
```
See using Ansible collections for more details.
This collection expects a running instance of Thales CipherTrust Manager Community Edition or any other version.
You can use this collection to automate some of the repetitive tasks that security experts or developers perform to protect their data in databases, file systems, and other cloud or local data stores. Some of the use cases include:
Authenticating with CipherTrust Manager using the CM IP/FQDN, username and password, along with other connection details:
```yaml
- name: "Create new user"
  thalesgroup.ciphertrust.usermgmt_users_save:
    localNode:
      server_ip: "192.168.2.100"
      server_private_ip: ""
      server_port: "5432"
      user: "admin"
      password: "StrongPwd_1!"
      # False turns off TLS certificate verification for the connection to CM
      verify: False
      auth_domain_path: ""
```
```yaml
- name: "Create new user"
  thalesgroup.ciphertrust.usermgmt_users_save:
    localNode:
      server_ip: "192.168.2.100"
      server_private_ip: ""
      server_port: "5432"
      user: "admin"
      password: "StrongPwd_1!"
      verify: False
      auth_domain_path: ""
    op_type: "create"
    username: "john.doe"
    password: "StrongPassword_123!"
    email: "john.doe@example.com"
    name: "John Doe"
```
The above task creates a new user on CipherTrust Manager with username `john.doe` and password `StrongPassword_123!`.
```yaml
- name: "Create Key"
  thalesgroup.ciphertrust.vault_keys2_save:
    op_type: create
    name: dpgKey
    algorithm: aes
    size: 256
    usageMask: 3145740
    unexportable: false
    undeletable: false
    meta:
      ownerId: admin
      versionedKey: true
    localNode:
      server_ip: "192.168.2.100"
      server_private_ip: ""
      server_port: "5432"
      user: "admin"
      password: "StrongPwd_1!"
      verify: False
      auth_domain_path: ""
```
The above task creates a new key on CipherTrust Manager using the AES algorithm and a key size of 256. It also makes the key exportable and deletable on CM and makes the user `admin` the owner of the key.
```yaml
- name: "Create Protection Policy"
  thalesgroup.ciphertrust.dpg_protection_policy_save:
    localNode:
      server_ip: "192.168.2.100"
      server_private_ip: ""
      server_port: "5432"
      user: "admin"
      password: "StrongPwd_1!"
      verify: False
      auth_domain_path: ""
    op_type: create
    access_policy_name: protectionPolicy
    masking_format_id: "masking_format"
    name: protectionPolicy
    key: dpgKey
    tweak: "1628462495815733"
    tweak_algorithm: "SHA1"
    algorithm: "FPE/AES/UNICODE"
    character_set_id: "charset"
```
The above task creates a new protection policy on CipherTrust Manager, specifying details such as which masking format and which algorithm to use to protect the data. See ThalesDocs to learn more about protection policies on CipherTrust Manager.
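The tasks above repeat the CM admin password in clear text and set `verify: False`. The playbook below is an added example, not taken from the collection's own documentation: it defines the connection once, reads both passwords from Ansible Vault variables and turns certificate verification on. `vault.yml`, `cm_node`, `vault_cm_admin_password` and `vault_new_user_password` are hypothetical names, and `verify: true` assumes the control node trusts the CM certificate; the protection policy task takes the same `localNode: "{{ cm_node }}"` value.

```yaml
# Added example: the user and key tasks with shared, vaulted credentials.
# Run with: ansible-playbook --ask-vault-pass playbook.yml
- name: "Provision CipherTrust Manager for DPG"
  hosts: localhost
  connection: local
  gather_facts: false
  vars_files:
    - vault.yml              # hypothetical file, created with: ansible-vault create vault.yml
  vars:
    cm_node:                 # connection details defined once and reused by every task
      server_ip: "192.168.2.100"
      server_private_ip: ""
      server_port: "5432"
      user: "admin"
      password: "{{ vault_cm_admin_password }}"   # hypothetical vaulted variable
      verify: true           # assumes the CM certificate is trusted by this host
      auth_domain_path: ""
  tasks:
    - name: "Create new user"
      thalesgroup.ciphertrust.usermgmt_users_save:
        localNode: "{{ cm_node }}"
        op_type: "create"
        username: "john.doe"
        password: "{{ vault_new_user_password }}"  # hypothetical vaulted variable
        email: "john.doe@example.com"
        name: "John Doe"
      no_log: true           # keep both passwords out of task output and logs

    - name: "Create Key"
      thalesgroup.ciphertrust.vault_keys2_save:
        localNode: "{{ cm_node }}"
        op_type: create
        name: dpgKey
        algorithm: aes
        size: 256
        usageMask: 3145740
        unexportable: false
        undeletable: false
        meta:
          ownerId: admin
          versionedKey: true
      no_log: true           # localNode carries the admin password
```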
This collection is tested by the following jobs:
Jobs | Description | Python Version | Ansible Version | CipherTrust Manager Version |
---|---|---|---|---|
changelog | Checks for the presence of Changelog | 3.10.12 | 2.16.5 | |
Linters | Runs python and YAML lint | 3.10.12 | 2.16.5 | |
Sanity | Runs ansible sanity checks | 3.10.12 | 2.15+ | |
Integration | Executes the integration test suites | 2.17 |
We welcome community contributions to this collection. If you find problems, please open an issue or create a PR against this repository.
You can use the GitHub issues page and the Thales Community Forum to get support from the community.
See the rendered changelog
- Thales Community Forum
- YouTube Channel
- Thales CipherTrust Platform Community Edition
[MIT](https://github.com/ThalesGroup/CDSP-Orchestration-Ansible/blob/main/LICENSE)