Ansible for IBM Z

  • 1.  Help with TLS certs for ibm.zhmc module connectivity

    Posted Mon May 13, 2024 08:05 AM

    Hello all. I am trying to get the zhmc collection to work with our Z CPCs. We have installed CA-signed certs on all of our HMCs, so it seems like zhmcclient is being called by the playbook just fine but ends up getting a connection error, I assume because it needs to be using a CA-signed cert for the https call. How/where do I install the certificate on my Ansible system so zhmcclient uses our CA-signed cert for the connection? Thanks.



    ------------------------------
    Dan Hines
    UPS
    Alpharetta GA
    7707537407
    ------------------------------


  • 2.  RE: Help with TLS certs for ibm.zhmc module connectivity

    Posted Tue May 28, 2024 10:24 AM

    Hi Dan - the way I got it to work (using RHEL) was to download the full certificate path via openssl and copy them (in crt format) into the /etc/pki/ca-trust/source/whitelist directory if you are using the curl certificate store, and then run an 'update-ca-trust' command to import it. To check if it works, enter an 'openssl s_client -connect example.com:443' command as an example with your HMC URL and you should get a valid response back.

    Finally, in your playbook, set verify to true and in the following line define 'ca_certs: /etc/pki/tls/certs/ca-bundle.crt' to look in your curl certificate whitelist for authentication.

    Hope that helps!



    ------------------------------
    Ian Ellis
    ------------------------------



  • 3.  RE: Help with TLS certs for ibm.zhmc module connectivity

    Posted Tue May 28, 2024 05:52 PM

    Hi Dan,

    Thanks for using our ibm.zhmc modules for automation. 

    You can install the certificate in any directory and use one of the methods to expose this certificate path using the "ca_certs" and "verify" parameters mentioned in our ibm.zhmc modules documentation.
    E.g., refer here: https://zhmcclient.github.io/zhmc-ansible-modules/modules/zhmc_session.html

    To answer your question in short, these are the ways you can try:
    * verify=true (default), ca_certs omitted: path in REQUESTS_CA_BUNDLE, path in CURL_CA_BUNDLE, or certifi package is used for validation
    * verify=false, ca_certs omitted: no validation
    * verify=true, ca_certs specified: path in ca_certs is used for validation

    Please let us know if you have any questions.

    Regards,


    Kathir

    -------------------------------------------
    KATHIRAVAN VELUSAMY,
    IBM India Systems Development Lab,
    E-mail: kathir.velu@in.ibm.com

    -------------------------------------------



    ------------------------------
    KATHIRAVAN VELUSAMY
    ------------------------------
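
A pre-flight check for the three verify / ca_certs cases listed in the reply above, written as an added example that is not part of the thread or of the ibm.zhmc collection: it reports which CA bundle would apply on the Ansible control node and tests the HMC chain against only that bundle. The function names are hypothetical, the environment variables are assumed to be consulted in the order the reply lists them, and the bundle is assumed to be a single PEM file.

```python
import os
import socket
import ssl


def resolve_ca_source(verify=True, ca_certs=None, env=None):
    """Return (source, path) for the trust store that would validate the HMC cert."""
    env = os.environ if env is None else env
    if not verify:
        return ("none", None)            # verify=false: no validation at all
    if ca_certs:
        return ("ca_certs", ca_certs)    # explicit path is used for validation
    # Assumption: variables are consulted in the order the reply lists them.
    for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        if env.get(var):
            return (var, env[var])
    try:
        import certifi                   # fallback bundle shipped as a Python package
        return ("certifi", certifi.where())
    except ImportError:
        return ("certifi", None)


def count_pem_certs(path):
    """Count PEM certificates in a bundle file; 0 means nothing can be trusted from it."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        return fh.read().count("-----BEGIN CERTIFICATE-----")


def check_hmc(host, port, verify=True, ca_certs=None, timeout=10):
    """TLS handshake against host:port using only the resolved bundle.

    Returns the negotiated TLS version; raises ssl.SSLCertVerificationError
    when the HMC chain does not validate against that bundle.
    """
    source, path = resolve_ca_source(verify, ca_certs)
    if path is None:
        raise ValueError(f"no CA bundle to check (source={source})")
    if count_pem_certs(path) == 0:
        raise ValueError(f"{path} (from {source}) contains no PEM certificates")
    ctx = ssl.create_default_context(cafile=path)   # system store is not loaded
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    print(resolve_ca_source())           # what applies in this shell's environment
```

Run it as the same user and in the same environment as the playbook, since REQUESTS_CA_BUNDLE and CURL_CA_BUNDLE are read from that process's environment.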