create_USER_cert.yml

###############################################################################
# © Copyright IBM Corporation 2024
###############################################################################

- name: Check if cert and keyring already exist. If not, create them and then run health check via TSO and operator commands.
  hosts: all
  gather_facts: false
  environment: "{{ environment_vars }}"

  tasks:
    - ansible.builtin.set_fact:
        owner_id: "{{ owner_id | default('STCUSR') }}"
        cert_label: "{{ cert_label | default('zosConnectServerCert2') }}"
        cert_type: "{{ cert_type | default('USER')}}" # CERTAUTH, SITE, or USER
        sign_with: "{{ sign_with | default('CERTAUTH') }}" # CERTAUTH, SITE, or Self
        sign_label: "{{ sign_label | default('IBM CA') }}" # Only required if sign_with is not 'Self'
        ou: "{{ ou | default('ANSIBLE CORE') }}"
        cn: "{{ cn | default('share.centers.ihost.com:19080') }}" # Will default to FQDN, if undefined.
        altname: "{{ altname | default('IP(192.148.8.225)') }}"
        country: "{{ country | default('US') }}"
        expiry_date: "{{ expiry_date | default('2024-11-16') }}"
        expiry_time: "{{ expiry_time | default('23:06:00') }}"
        keyring: "{{ keyring | default('zos.ZOSCONNECT') }}"
        check_name: "{{ check_name | default('IBMRACF,RACF_CERTIFICATE_EXPIRATION') }}"

    - name: Check if keyring to be created already exists.
      ibm.ibm_zos_core.zos_tso_command:
        commands:
          - RACDCERT LISTRING({{ keyring }}) ID({{ owner_id }})
      register: keyring_check
      changed_when: false
      failed_when: keyring_check.output[0].rc > 4

    - name: Create a new keyring via TSO commands, skip if it already exists.
      ibm.ibm_zos_core.zos_tso_command:
        commands:
          - RACDCERT ADDRING({{ keyring }}) ID({{ owner_id }})
          - RACDCERT LISTRING({{ keyring }}) ID({{ owner_id }})
      when: "'IRRD114I Ring ' + keyring + ' does not exist.' in keyring_check.output[0].content[0]"

    - name: Get hostname to use as common name variable, if undefined.
      when: cn is undefined
      block:
        - name: Get FQDN of this z/OS server from USS.
          ansible.builtin.command: hostname
          changed_when: false
          register: get_hostname

        - name: Set cn fact from previous task.
          ansible.builtin.set_fact:
            cn: "{{ get_hostname.stdout }}"

    - name: Check if certificate to be created already exists.
      vars:
        format_cert_type: "{{ 'ID(' + owner_id + ')' if cert_type == 'USER' else cert_type }}"
      ibm.ibm_zos_core.zos_tso_command:
        commands: "RACDCERT {{ format_cert_type }} LIST(LABEL('{{ cert_label }}'))"
      register: list_cert
      failed_when: false
      changed_when: false

    - name: Create new certificate if it doesn't exist already.
      vars:
        cert_not_found: "{{ true if list_cert.output[0].rc == 4 }}"
        format_cert_type: "{{ 'ID(' + owner_id + ')' if cert_type == 'USER' else cert_type }}"
      when: cert_not_found
      block:
        - name: Generate new certificate.
          tags: create_cert, gencert
          vars:
            format_sign_with: |-
              {{ " SIGNWITH(" + sign_with + " LABEL('" + sign_label + "')) " if sign_with != "Self" else " " }}
            format_expiration: "{{ 'NOTAFTER(DATE(' + expiry_date + ') TIME('+ expiry_time +') )' if expiry_date != '' else '' }}"
          ibm.ibm_zos_core.zos_tso_command:
            commands: RACDCERT GENCERT {{ format_cert_type }} {{ 'KEYUSAGE(CERTSIGN) ' if cert_type == 'CERTAUTH' else '' }}SUBJECTSDN(CN('{{ cn }}')
              OU('{{ ou }}') C('{{ country }}')) WITHLABEL('{{ cert_label }}'){{ format_sign_with }}{{ format_expiration }} ALTNAME({{altname}})
          notify: Setropts refresh

        - name: List chain for new certificate.
          tags: create_cert, listchain
          ibm.ibm_zos_core.zos_tso_command:
            commands: RACDCERT LISTCHAIN (LABEL('{{ cert_label }}')) {{ format_cert_type }}

        - name: Connect new certificate to keyring.
          tags: create_cert, connect
          vars:
            format_usage: "{{ 'PERSONAL' if cert_type == 'USER' else cert_type }}"
          ibm.ibm_zos_core.zos_tso_command:
            commands: RACDCERT ID({{ owner_id }}) CONNECT({{ format_cert_type }} LABEL('{{ cert_label }}')
              RING({{ keyring }}) DEFAULT USAGE({{ format_usage }}))
          notify: Setropts refresh

        - name: List keyring.
          tags: create_cert, listring
          ibm.ibm_zos_core.zos_tso_command:
            commands: 
              - RACDCERT ID({{owner_id}}) ALTER(LABEL('{{cert_label}}')) TRUST
              - RACDCERT LISTRING({{ keyring }}) ID({{ owner_id }})

        - name: Run Health Checker via operator command.
          tags: create_cert, run_hc
          ibm.ibm_zos_core.zos_operator:
            cmd: "F HZSPROC,RUN,CHECK=({{ check_name }})"

  handlers:
    - name: Setropts refresh
      ibm.ibm_zos_core.zos_tso_command:
        commands: SETROPTS RACLIST(DIGTCERT) REFRESH