Add new role for EJBCA cloud to automate the wizard and configure EJB…

…CA (#46)

ansible_ejbca_signsrv/README.md

@@ -81,6 +81,17 @@ ansible-playbook -i inventory -l ra01,pkiTlsCerts deployRa.yml --ask-become-pass
 ansible-playbook -i inventory -l eeVaServers,va01,pkiTlsCerts,pkiCsrCerts deployVa.yml --ask-become-pass
 ```
 
+### Configure EJBCA Cloud instance 
+Use this play to automate the configuration of an EJBCA Cloud instance with zero touch.
+
+1. Edit _group_vars/ecloudCaServers.yml_, _host_vars/ejbca-cloud-ca1.yml_, and _ecloud_inventory_.
+2. Edit _ansible.cfg_ and set or add: `host_key_checking = False`, this is only needed if the host key is not trusted yet.
+3. Run:
+
+```bash
+ansible-playbook -i ecloud_inventory -l ejbca-cloud-ca1 ecloudDeployCa.yml --ask-become-pass
+```
+
 ### Upgrade EJBCA Community or Enterprise
 1. Edit _group_vars/ceServers.yml_ or _group_vars/eeCaServers.yml_, _group_vars/eeRaServers.yml_, _group_vars/eeVaServers.yml_ and _inventory_.
 2. Run to upgrade Community:

ansible_ejbca_signsrv/ansible.cfg

@@ -4,6 +4,8 @@ inventory = ./inventory
 fact_caching = jsonfile
 fact_caching_connection = ~/ansible/ansibleCacheDir
 fact_caching_timeout = 86400
+# Set to false when working with cloud instances if you haven't connect to the instance yet.
+# host_key_checking = False
 
 ansible_managed = This file is managed by Ansible.%n
   template: {file}

ansible_ejbca_signsrv/ecloudDeployCa.yml

@@ -0,0 +1,10 @@
+---
+
+# ansible-playbook -i ecloud_inventory -l ejbca-cloud-ca1 ecloudDeployCa.yml
+
+- hosts: ecloudCaServers
+  become: yes
+  become_method: sudo
+  roles:
+    - ansible-ejbca-cloud-wizard-silence
+    - ansible-ejbca-deploy-cloud-ca-sample

ansible_ejbca_signsrv/ecloud_inventory

@@ -0,0 +1,14 @@
+---
+
+all:
+  hosts:
+  children:
+    ecloudCaServers:
+      hosts:
+        ejbca-cloud-ca1:
+          # IP or FQDN to access the cloud instance by
+          ansible_host: 
+          #Username for accessing the cloud instance via SSH. AWS uses ec2-user, Azure the name is chosen
+          ansible_user: ec2-user
+          # Set the private location if not using something fancier...
+          ansible_ssh_private_key_file: /Users/myuser/.ssh/cloud-ssh.pem

ansible_ejbca_signsrv/group_vars/ecloudCaServers.yml

@@ -0,0 +1,63 @@
+---
+
+# If enabled this will configure a publisher for OCSP, OCSP signer key update service, OSCP publishing queue, OCSP publisher to the certificate profiles,
+# create Peer connection, and create an auth key binding
+use_external_va: false
+
+# If enabled this will configure a Peer connection, and add the RA Peer role to EJBCA 
+use_external_ra: false
+
+# If enabled configures a Peer connectiona nd key binding for Sign Server
+use_external_ss: false
+
+# Initialize a CA using configdump instead of the CLI. This works for CA's that are not being signed by
+# an external CA. When using this option a crypto token is created in EJBCA, and then the CA is imported
+# using configdump and initialized. This can be used for the Management CA, Roots, and Sub CA's on the same
+# EJBCA node. As stated this cannot be used for externally signed CA's at this time.
+deploy_with_configdump: true
+configdump_directory_structure: "{{ configdump_dir_structure }}"
+configdump_import_files: "{{ configdump_files }}"
+
+# Add publishers to the CA's in EJBCA. CA's created before the publisher is added to EJBCA and want to leverage the publisher
+# should use this option to add the publisher to the CA.
+add_publshers_to_cas: false
+
+# EJBCA version and deployment info
+ejbca_version: 8.2.0
+
+# Enrollment protocols to disable on EJBCA
+disable_ejbca_protocols:
+  - name: MSAE
+  - name: 'ITS Certificate Management'
+  - name: 'REST Coap Management'
+  - name: Webdist
+  - name: 'Web Service'
+  #- name: 'RA Web'
+  #- name: 'Public Web' # No longer in EJBCA 8.0
+
+# Enrollment protocols to enable on EJBCA
+enable_ejbca_protocols:
+  - name: Certstore
+  - name: CRLstore
+  - name: 'REST CA Management'
+  - name: 'REST Certificate Management'
+  - name: 'REST Crypto Token Management'
+  - name: 'REST SSH V1'
+  - name: 'REST Certificate Management V2'
+  - name: 'REST Configdump'
+  - name: 'REST End Entity Management V2'
+  - name: 'REST End Entity Management'
+  - name: ACME
+  - name: CMP
+  - name: EST
+  - name: OCSP
+  - name: SCEP
+
+# CRL Update Service Worker Settings
+crl_service_time_int: 1
+crl_service_time_unit: HOURS
+
+# Configure the RA Peering requests
+ra_peer_max_parallel_reqs: 50
+ra_peer_min_parallel_reqs: 2
+