Using Centrify roles for Ansible

The following details advanced directory structure as recommended by Ansible best practices. This includes Ansible roles for Centrify that allow you to deploy and configure components easily into your environment.

Advanced Directory Structure

The top level of the directory would contain files and directories similar to the following:

production            # inventory file for production servers
staging               # inventory file for staging servers

group_vars/
   group1.yml         # here assign variables to particular groups
   group2.yml
host_vars/
   hostname1.yml      # here assign variables to particular systems
   hostname2.yml

site.yml              # master playbook

roles/
   common/            # this hierarchy represents a “role”
      tasks/          #
         main.yml     # <-- tasks file can include smaller files
      handlers/       #
         main.yml     # <-- handlers file
      templates/      # <-- files for use with the template resource
         ntp.conf.j2  # <-- templates end in .j2 (Jinja2 notation)
      files/          # <-- files for use with the copy and script resources
         bar.txt      # <-- files for use with the copy resource
         foo.sh       # <-- script files for use with the script resource
      vars/           #
         main.yml     # <-- variables associated with this role
      defaults/       #
         main.yml     # <-- default lower priority variables for this role
      library/        # roles can include custom modules
      module_utils/   # roles can also include custom module_utils
      lookup_plugins/ # or other types of plugins, like lookup in this case

   centrify_audit/    # role for Centrify Audit and Monitoring Services
   centrify_auth/     # role for Centrify Authentication and Privilege Elevation Services
   centrify_vault/    # role for Centrify Privileged Access Service

Note: There are alternative structures that keep the inventory in a separate directory. This is particularly useful if your group_vars and host_vars have little in common across environments. See the Ansible documentation for details.

Master playbook example

---
# file: site.yml
- hosts: all
  roles:
    - centrify_vault
    - centrify_auth
    - centrify_audit

Centrify Audit role

This Ansible role provides tasks and a sample configuration file to deploy the Centrify Audit agent and enable session auditing on target systems.

Directory structure

centrify_audit/
   defaults/
      main.yml    # default variables for Centrify Audit installation and enablement
   tasks/
      disable.yml # tasks for disabling Centrify Audit
      enable.yml  # tasks for enabling Centrify Audit
      install.yml # tasks for installation of the Centrify Audit agent
      main.yml    # tasks invoked when the role is applied to a system
      remove.yml  # tasks for uninstallation of the Centrify Audit agent

Default variables sample

---
# file: roles/centrify_audit/defaults/main.yml
# Common variables
centrify_repo: /etc/yum.repos.d/centrify.repo

# Centrify Audit and Monitoring Services variables
installation_name: <AuditInstallationName>

Centrify Authentication role

This Ansible role provides tasks and a sample configuration file to deploy the Centrify Authentication and Privilege Elevation agent and join the target systems to an Active Directory domain.

Directory structure

centrify_auth/
   defaults/
      main.yml              # default variables for Centrify Authentication Agent installation and enablement
   files/
      adjoin.keytab         # Keytab file for Kerberos join to Active Directory
      Join-CentrifyZone.ps1 # PowerShell script to join Windows systems to a Centrify Zone
      debian.repo           # Repository file for Aptitude
      redhat.repo           # Repository file for Yum
      suse.repo             # Repository file for Zypper
      krb5.conf             # Kerberos realm configuration file for Active Directory
   tasks/
      Debian-enroll.yml     # Tasks for enabling the Centrify Agent on the Debian OS family
      Debian-install.yml    # Tasks for installing the Centrify Agent on the Debian OS family
      Debian-remove.yml     # Tasks for uninstalling the Centrify Agent on the Debian OS family
      Debian-unenroll.yml   # Tasks for disabling the Centrify Agent on the Debian OS family
      RedHat-enroll.yml     # Tasks for enabling the Centrify Agent on the RedHat OS family
      RedHat-install.yml    # Tasks for installing the Centrify Agent on the RedHat OS family
      RedHat-remove.yml     # Tasks for uninstalling the Centrify Agent on the RedHat OS family
      RedHat-unenroll.yml   # Tasks for disabling the Centrify Agent on the RedHat OS family
      Suse-enroll.yml       # Tasks for enabling the Centrify Agent on the SuSE OS family
      Suse-install.yml      # Tasks for installing the Centrify Agent on the SuSE OS family
      Suse-remove.yml       # Tasks for uninstalling the Centrify Agent on the SuSE OS family
      Suse-unenroll.yml     # Tasks for disabling the Centrify Agent on the SuSE OS family
      Windows-enroll.yml    # Tasks for enabling the Centrify Agent on the Windows OS family
      Windows-install.yml   # Tasks for installing the Centrify Agent on the Windows OS family
      Windows-remove.yml    # Tasks for uninstalling the Centrify Agent on the Windows OS family
      Windows-unenroll.yml  # Tasks for disabling the Centrify Agent on the Windows OS family
      main.yml              # Tasks invoked when the role is applied to a system

Configuring Authentication role

To start using this role, set the default variables under roles/centrify_auth/defaults/main.yml, or override them in your host_vars or group_vars definition files. Then generate or edit the following files under roles/centrify_auth/files:

adjoin.keytab
   Generate a keytab file for the Active Directory service account with the adkeytab command on a Linux system (this requires a Centrify-joined Linux server).

Centrify Agent for Windows64.msi and Group Policy Deployment.mst
   Copy both files from the software source of the Centrify Infrastructure Services for Windows in use; they are located under the /Agent folder.

Join-CentrifyZone.ps1
   This PowerShell script is provided as an example of how to join Windows systems to an existing Centrify Zone. It can be modified to satisfy any customisation of the join process in your environment.

krb5.conf
   Copy the Kerberos configuration file from any of your Centrify-joined Linux systems in the same Active Directory domain you plan to join with Ansible. Alternatively, create this file manually using the Kerberos documentation.

debian.repo, redhat.repo and suse.repo
   These files are provided as samples and point to the Centrify public repositories. Edit them to replace the user:password string with your Repo Credentials, which can be found in the Centrify Download Center after creating a Repo Key. You may also customise the repository information to point to an internal mirror when the systems targeted by Ansible do not have Internet access.

Default variables

---
## Common variables
# Default mode for running the playbook
# Possible values:
#  - install
#  - enroll
#  - unenroll
#  - remove
centrify_auth_run_option: enroll

# Repository configuration file to use on RedHat OS
# Default value:
#   centrify_auth_redhat_repo: /etc/yum.repos.d/centrify.repo
centrify_auth_redhat_repo: /etc/yum.repos.d/centrify.repo

# Repository configuration file and line to use on Debian OS
# Your Repo Credentials can be found from the Centrify Download Center after creation of a Repo Key.
# You may also edit the information of the debian_repo_config to point to an internal mirror in case systems targeted by Ansible may not have Internet access.
# Default values:
#   centrify_auth_debian_repo: /etc/apt/sources.list.d/centrify.list
centrify_auth_debian_repo: /etc/apt/sources.list.d/centrify.list

# Repository configuration file to use on SuSE OS
# Default value:
#   centrify_auth_suse_repo: /etc/zypp/repos.d/centrify-rpm-suse.repo
centrify_auth_suse_repo: /etc/zypp/repos.d/centrify-rpm-suse.repo

### Centrify Authentication and Privilege Elevation Services variables
# Active Directory domain name to use during join operations
# Example:
#   centrify_auth_domain: domain.com
centrify_auth_domain:

# Active Directory Service Account to use during join operations
# Example:
#   centrify_auth_service_principal: svc_centrifyadjoin@DOMAIN.COM
centrify_auth_service_principal:

# Location of the Kerberos Keytab file to use during join operations
# Default:
#   centrify_auth_service_keytab: /etc/adjoin.keytab
centrify_auth_service_keytab: /etc/adjoin.keytab

# Location of the Kerberos Realm configuration file to use during join operations
# Default:
#   centrify_auth_realm_config: /etc/krb5.conf
centrify_auth_realm_config: /etc/krb5.conf

# Active Directory container to use for Computers object during join operations
# Example:
#   centrify_auth_container: domain.com/Centrify/Computers
centrify_auth_container:

# Centrify Zone to use during join operations
# Example:
#   centrify_auth_zone: domain.com/Centrify/Zones/Global/Linux
centrify_auth_zone:

Executing tasks

When applying this role to systems in a playbook execution, Ansible calls the main task file roles/centrify_auth/tasks/main.yml. This file uses Ansible variables to invoke the corresponding sub-task files based on the OS family and the run option, as detailed below:
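The following is an added example of what such a main.yml can look like; it is not the role's shipped file. It assumes the task file names from the directory listing above (<OSFamily>-<option>.yml) and the variable names from the role defaults. ansible_os_family is a standard Ansible fact whose values (Debian, RedHat, Suse, Windows) match those file name prefixes. Before dispatching, it refuses unknown run options and unsupported OS families, and for the enroll option it checks that the join parameters, which defaults/main.yml ships empty, have actually been set.

```yaml
---
# roles/centrify_auth/tasks/main.yml (added example, not the role's shipped file)
# Assumes <OSFamily>-<option>.yml task files and the centrify_auth_* variables
# from defaults/main.yml. ansible_os_family is a standard Ansible fact.

- name: Refuse to run with an unknown run option
  ansible.builtin.assert:
    that:
      - centrify_auth_run_option in ['install', 'enroll', 'unenroll', 'remove']
    fail_msg: >-
      centrify_auth_run_option must be install, enroll, unenroll or remove
      (got '{{ centrify_auth_run_option }}')
    quiet: true

- name: Refuse to run on an OS family this role has no task files for
  ansible.builtin.assert:
    that:
      - ansible_os_family in ['Debian', 'RedHat', 'Suse', 'Windows']
    fail_msg: "This role has no tasks for OS family '{{ ansible_os_family }}'"
    quiet: true

# defaults/main.yml ships the join variables empty (null), so default('', true)
# treats an undefined and a null value alike as "not set". A plain default('')
# would let null through and make the length filter fail.
- name: Check that the join parameters are set before enrolling
  ansible.builtin.assert:
    that:
      - centrify_auth_domain | default('', true) | length > 0
      - centrify_auth_service_principal | default('', true) | length > 0
      - centrify_auth_zone | default('', true) | length > 0
    fail_msg: >-
      centrify_auth_domain, centrify_auth_service_principal and
      centrify_auth_zone must be set to enroll
    quiet: true
  when: centrify_auth_run_option == 'enroll'

# The keytab and realm configuration are used by the Linux join; Windows hosts
# are joined through Join-CentrifyZone.ps1 and are exempt from this check.
- name: Check the Kerberos join files for Linux hosts
  ansible.builtin.assert:
    that:
      - centrify_auth_service_keytab | default('', true) | length > 0
      - centrify_auth_realm_config | default('', true) | length > 0
    fail_msg: "centrify_auth_service_keytab and centrify_auth_realm_config must be set to enroll"
    quiet: true
  when:
    - centrify_auth_run_option == 'enroll'
    - ansible_os_family != 'Windows'

# Dispatch to the OS family and run option specific file, e.g. RedHat-enroll.yml.
- name: Run the {{ centrify_auth_run_option }} tasks for {{ ansible_os_family }}
  ansible.builtin.include_tasks: "{{ ansible_os_family }}-{{ centrify_auth_run_option }}.yml"
```

The join checks only apply to the enroll option, so install can run on a freshly provisioned host before the domain and zone for it have been decided. Failing in main.yml, before any sub-task file is included, also means a mistyped run option in group_vars stops the play instead of producing an Ansible error about a missing file.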

Configuring custom tasks

The task files can be edited to customize operations.

Centrify Vault Role

This Ansible role provides tasks and a sample configuration file to deploy the Centrify Client and enroll target systems to your Centrify Privileged Access Service tenant.

Directory structure

centrify_vault/
   defaults/
      main.yml              # default variables for Centrify Vault Client installation and enablement
   files/
      debian.repo           # Repository file for Aptitude
      redhat.repo           # Repository file for Yum
      suse.repo             # Repository file for Zypper
   tasks/
      Debian-enroll.yml     # Tasks for enabling the Centrify Client on the Debian OS family
      Debian-install.yml    # Tasks for installing the Centrify Client on the Debian OS family
      Debian-remove.yml     # Tasks for uninstalling the Centrify Client on the Debian OS family
      Debian-unenroll.yml   # Tasks for disabling the Centrify Client on the Debian OS family
      RedHat-enroll.yml     # Tasks for enabling the Centrify Client on the RedHat OS family
      RedHat-install.yml    # Tasks for installing the Centrify Client on the RedHat OS family
      RedHat-remove.yml     # Tasks for uninstalling the Centrify Client on the RedHat OS family
      RedHat-unenroll.yml   # Tasks for disabling the Centrify Client on the RedHat OS family
      Suse-enroll.yml       # Tasks for enabling the Centrify Client on the SuSE OS family
      Suse-install.yml      # Tasks for installing the Centrify Client on the SuSE OS family
      Suse-remove.yml       # Tasks for uninstalling the Centrify Client on the SuSE OS family
      Suse-unenroll.yml     # Tasks for disabling the Centrify Client on the SuSE OS family
      Windows-enroll.yml    # Tasks for enabling the Centrify Client on the Windows OS family
      Windows-install.yml   # Tasks for installing the Centrify Client on the Windows OS family
      Windows-remove.yml    # Tasks for uninstalling the Centrify Client on the Windows OS family
      Windows-unenroll.yml  # Tasks for disabling the Centrify Client on the Windows OS family
      main.yml              # Tasks invoked when the role is applied to a system

Configuring the Vault role

To start using this role, set the default variables under roles/centrify_vault/defaults/main.yml, or override them in your host_vars or group_vars definition files. Then generate or edit the following files under roles/centrify_vault/files:

debian.repo, redhat.repo and suse.repo
   These files are provided as samples and point to the Centrify public repositories. Edit them to replace the user:password string with your Repo Credentials, which can be found in the Centrify Download Center after creating a Repo Key. You may also customize the repository information to point to an internal mirror when the systems targeted by Ansible do not have Internet access.

Default variables

---
## Common variables
# Default mode for running the playbook
# Possible values:
#  - install
#  - enroll
#  - unenroll
#  - remove
centrify_vault_run_option: enroll

# Repository configuration file to use on RedHat OS
# Default value:
#   centrify_vault_redhat_repo: /etc/yum.repos.d/centrify.repo
centrify_vault_redhat_repo: /etc/yum.repos.d/centrify.repo

# Repository configuration file and line to use on Debian OS
# Your Repo Credentials can be found from the Centrify Download Center after creation of a Repo Key.
# You may also edit the information of the debian_repo_config to point to an internal mirror in case systems targeted by Ansible may not have Internet access.
# Default values:
#   centrify_vault_debian_repo: /etc/apt/sources.list.d/centrify.list
centrify_vault_debian_repo: /etc/apt/sources.list.d/centrify.list

# Repository configuration file to use on SuSE OS
# Default value:
#   centrify_vault_suse_repo: /etc/zypp/repos.d/centrify-rpm-suse.repo
centrify_vault_suse_repo: /etc/zypp/repos.d/centrify-rpm-suse.repo

### Centrify Privileged Access Services variables
# Centrify PAS Platform tenant URL to use
# Example:
#   centrify_vault_tenant_url: https://company.my.centrify.net
centrify_vault_tenant_url:

# URL to use to download the Centrify Client for Windows from PAS Platform.
# This URL can be found on the Download section of the Centrify PAS Portal.
# Default:
#   centrify_vault_cagent_url: http://edge.centrify.com/products/cloud-service/WindowsAgent/Centrify/cagentinstaller.msi
centrify_vault_cagent_url: http://edge.centrify.com/products/cloud-service/WindowsAgent/Centrify/cagentinstaller.msi

# Registration code to use for Centrify Client enrolment to the Centrify PAS Platform.
# This code must be generated by a System Administrator under section Settings > Enrollment > Enrollment Codes of the Centrify PAS Portal.
# Example:
#   centrify_vault_registration_code: 3JWTXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXC8W1
centrify_vault_registration_code:

# Feature to enable at enrollment
# Possible values:
#  - all
#  - agentauth
#  - aapm
#  - dmc
centrify_vault_features: all

# Enable Local Account Password Management for system account (i.e. root)
# Possible values:
#  - true
#  - false
centrify_vault_lapm: true

# Temporary password value used for enabling management of local account passwords.
# Note that this value will be immediately changed by the Centrify Vault and only used once for the vaulting process.
# Example:
#   centrify_vault_tmp_password: T3mp0r4ryP4ssw0rd!
centrify_vault_tmp_password: T3mp0r4ryP4ssw0rd!

Executing tasks

When applying this role to systems in a playbook execution, Ansible calls the main task file roles/centrify_vault/tasks/main.yml. This file uses Ansible variables to invoke the corresponding sub-task files based on the OS family and the run option, as detailed below:

Configuring custom tasks

The task file roles/centrify_vault/tasks/post_enroll.yml contains tasks performed after successful enrollment of the Centrify Client. This file is provided by default with a few tasks commonly executed after enrollment and can be customized to add any additional tasks relevant to your environment. The other task files can also be edited to customize operations.
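The following is an added example of a main.yml for this role that guards the two secrets the role handles (the registration code and the temporary local-account password) and then chains post_enroll.yml after a successful enrollment; it is not the role's shipped file. The variable names are the role defaults shown above. The OS-family dispatch line is the same pattern the auth role's main.yml uses. The register name centrify_vault_enroll_result is an assumption about what the <OSFamily>-enroll.yml file records for its enrollment command; adapt it to whatever that file actually registers.

```yaml
---
# roles/centrify_vault/tasks/main.yml (added example, not the role's shipped file)
# Variable names are the centrify_vault_* defaults from this page. The register
# name centrify_vault_enroll_result is an assumption about the enroll task file.

- name: Refuse to run with an unknown run option or feature set
  ansible.builtin.assert:
    that:
      - centrify_vault_run_option in ['install', 'enroll', 'unenroll', 'remove']
      - centrify_vault_features in ['all', 'agentauth', 'aapm', 'dmc']
    fail_msg: "Check centrify_vault_run_option and centrify_vault_features"
    quiet: true

# The tenant URL and registration code ship empty (null) in defaults/main.yml,
# so default('', true) treats undefined and null alike as "not set".
- name: Check the tenant URL and registration code before enrolling
  ansible.builtin.assert:
    that:
      - centrify_vault_tenant_url | default('', true) is match('^https://')
      - centrify_vault_registration_code | default('', true) | length > 0
    fail_msg: >-
      centrify_vault_tenant_url must be an https:// URL and
      centrify_vault_registration_code must be set (keep it in ansible-vault,
      not in defaults/main.yml)
    quiet: true
  when: centrify_vault_run_option == 'enroll'

# The temporary password in defaults/main.yml is a published sample. It is only
# used once before the vault rotates it, but a host vaulted with a value that is
# public knowledge is still an avoidable exposure, so refuse it outright.
- name: Refuse the sample temporary password when LAPM is enabled
  ansible.builtin.assert:
    that:
      - centrify_vault_tmp_password | default('', true) | length > 0
      - centrify_vault_tmp_password != 'T3mp0r4ryP4ssw0rd!'
    fail_msg: >-
      Replace the sample centrify_vault_tmp_password with a generated value
      stored in ansible-vault
    quiet: true
  when:
    - centrify_vault_run_option == 'enroll'
    - centrify_vault_lapm | bool

# Dispatch to the OS family and run option specific file, e.g. Debian-enroll.yml.
- name: Run the {{ centrify_vault_run_option }} tasks for {{ ansible_os_family }}
  ansible.builtin.include_tasks: "{{ ansible_os_family }}-{{ centrify_vault_run_option }}.yml"

# post_enroll.yml only makes sense after an enrollment that actually happened;
# on a re-run where the enroll task reported no change it is skipped.
- name: Run the post-enrollment tasks after a successful enrollment
  ansible.builtin.include_tasks: post_enroll.yml
  when:
    - centrify_vault_run_option == 'enroll'
    - centrify_vault_enroll_result is defined
    - centrify_vault_enroll_result is changed
```

Two points on the secrets. The registration code and the temporary password are passed to the enrollment command inside the <OSFamily>-enroll.yml file, so the task that runs it should carry no_log: true; otherwise both values appear in the playbook output and in whatever collects it. And because the page's defaults/main.yml sets centrify_vault_tmp_password to the sample value rather than leaving it empty, the sample is a live default: override it from an ansible-vault encrypted group_vars or host_vars entry, and let the assert above catch any host that was missed.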