Delinea Vault Role

This Ansible role provides tasks and a sample configuration file for deploying the Delinea Client and enrolling target systems in your Delinea Privileged Access Service tenant.

Directory structure

centrify_vault/
   default/
      main.yml              # default variables for Delinea Vault Client installation and enablement
   files/
      debian.repo           # Repository file for Aptitude
      redhat.repo           # Repository file for Yum
      suse.repo             # Repository file for Zypper
   tasks/
      Debian-enroll.yml     # Tasks enabling Delinea Client on Debian OS family
      Debian-install.yml    # Tasks installation of Delinea Client on Debian OS family
      Debian-remove.yml     # Tasks uninstallation of the Delinea Client on Debian OS family
      Debian-unenroll.yml   # Tasks disabling Delinea Client on Debian OS family
      RedHat-enroll.yml     # Tasks enabling Delinea Client on RedHat OS family
      RedHat-install.yml    # Tasks installation of Delinea Client on RedHat OS family
      RedHat-remove.yml     # Tasks uninstallation of the Delinea Client on RedHat OS family
      RedHat-unenroll.yml   # Tasks disabling Delinea Client on RedHat OS family
      Suse-enroll.yml       # Tasks enabling Delinea Client on SuSE OS family
      Suse-install.yml      # Tasks installation of Delinea Client on SuSE OS family
      Suse-remove.yml       # Tasks uninstallation of the Delinea Client on SuSE OS family
      Suse-unenroll.yml     # Tasks disabling Delinea Client on SuSE OS family
      Windows-enroll.yml    # Tasks enabling Delinea Client on Windows OS family
      Windows-install.yml   # Tasks installation of Delinea Client on Windows OS family
      Windows-remove.yml    # Tasks uninstallation of the Delinea Client on Windows OS family
      Windows-unenroll.yml  # Tasks disabling Delinea Client on Windows OS family
      main.yml              # Tasks invoked when role is applied to system

Configuring the Vault Role

To start using this role, configure the default variables in roles/delinea_vault/defaults/main.yml, or set them in host_vars or group_vars definition files. Generate or edit the following files under roles/delinea_vault/files:

| File | Action |
| ----- | ----- |
| debian.repo, redhat.repo, suse.repo | These files are provided as samples and use Delinea public repositories. You must edit them and replace the user:password string with your Repo Credentials, which can be found in the Delinea Download Center after creating a Repo Key. You may also customize the repo information to point to an internal mirror in case systems targeted by Ansible do not have Internet access. |

Default variables

---
## Common variables
# Default mode for running the playbook
# Possible values:
#  - install
#  - enroll
#  - unenroll
#  - remove
delinea_vault_run_option: enroll

# Repository configuration file to use on RedHat OS
# Default value:
#   delinea_vault_redhat_repo: /etc/yum.repos.d/centrify.repo
delinea_vault_redhat_repo: /etc/yum.repos.d/centrify.repo

# Repository configuration file and line to use on Debian OS
# Your Repo Credentials can be found from the Delinea Download Center after creation of a Repo Key.
# You may also edit the information of the debian_repo_config to point to an internal mirror in case systems targeted by Ansible may not have Internet access.
# Default values:
#   delinea_vault_debian_repo: /etc/apt/sources.list.d/centrify.list
delinea_vault_debian_repo: /etc/apt/sources.list.d/centrify.list

# Repository configuration file to use on SuSE OS
# Default value:
#   delinea_vault_suse_repo: /etc/zypp/repos.d/centrify-rpm-suse.repo
delinea_vault_suse_repo: /etc/zypp/repos.d/centrify-rpm-suse.repo

### Delinea Privileged Access Services variables
# Delinea PAS Platform tenant URL to use
# Example:
#   delinea_vault_tenant_url: https://company.my.centrify.net
delinea_vault_tenant_url:

# URL to use to download the Delinea Client for Windows from PAS Platform.
# This URL can be found on the Download section of the Delinea PAS Portal.
# Default:
#   delinea_vault_cagent_url: http://edge.centrify.com/products/cloud-service/WindowsAgent/Centrify/cagentinstaller.msi
delinea_vault_cagent_url: http://edge.centrify.com/products/cloud-service/WindowsAgent/Centrify/cagentinstaller.msi

# Registration code to use for Centrify Client enrolment to the Delinea PAS Platform.
# This code must be generated by a System Administrator under section Settings > Enrollment > Enrollment Codes of the Delinea PAS Portal.
# Example:
#   delinea_vault_registration_code: 3JWTXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXC8W1
delinea_vault_registration_code:

# Feature to enable at enrollment
# Possible values:
#  - all
#  - agentauth
#  - aapm
#  - dmc
delinea_vault_features: all

# Enable Local Account Password Management for system account (i.e. root)
# Possible values:
#  - true
#  - false
delinea_vault_lapm: true

# Temporary password value used for enabling management of local account passwords.
# Note that this value will be immediately changed by the Delinea Vault and only used once for the vaulting process.
# Example:
#   delinea_vault_tmp_password: T3mp0r4ryP4ssw0rd!
delinea_vault_tmp_password: T3mp0r4ryP4ssw0rd!

Executing Tasks

When applying this role to systems in a playbook execution, Ansible will call the main tasks definition file roles/delinea_vault/tasks/main.yml. This file uses Ansible variables to invoke the corresponding sub-tasks based on the OS family. The task file roles/delinea_vault/tasks/post_enroll.yml contains tasks performed after the Delinea Client is successfully enrolled. This file is provided by default with a few commonly executed tasks after enrollment, but it can be customized to add any additional tasks relevant to your environment. Additionally, task files can be edited to customize operations.
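The following playbook is an added example, not part of the role or its documentation. It applies the role with the enrollment secrets held in Ansible Vault, and stops before the role runs if a secret is missing, the sample temporary password is still in place, or the Windows installer URL is not HTTPS. The inventory group `pas_clients`, the file `group_vars/pas_clients/vault.yml` and the `vault_delinea_*` variable names are assumptions.

```yaml
# site.yml (added example). Assumed, not from the role: the inventory group
# "pas_clients" and a vault-encrypted file group_vars/pas_clients/vault.yml
# that defines the vault_delinea_* variables referenced below.
- name: Enroll systems with the delinea_vault role
  hosts: pas_clients
  vars:
    delinea_vault_run_option: enroll
    delinea_vault_features: all
    delinea_vault_lapm: true
    # Secrets are indirected to vault-encrypted variables instead of being
    # written in clear text in defaults/main.yml or plain group_vars.
    delinea_vault_tenant_url: "{{ vault_delinea_tenant_url }}"
    delinea_vault_registration_code: "{{ vault_delinea_registration_code }}"
    delinea_vault_tmp_password: "{{ vault_delinea_tmp_password }}"

  pre_tasks:
    - name: Refuse to run with missing or sample secrets
      ansible.builtin.assert:
        that:
          - delinea_vault_tenant_url is match('^https://')
          - delinea_vault_registration_code | default('', true) | length > 0
          # The value shipped in the role defaults is public documentation.
          - delinea_vault_tmp_password != 'T3mp0r4ryP4ssw0rd!'
        fail_msg: "Set the tenant URL, registration code and a unique temporary password."
        quiet: true

    - name: Require TLS for the Windows client installer download
      ansible.builtin.assert:
        that:
          # The role default is an http:// URL, so this fails until the
          # variable is overridden with the https:// link from the portal.
          - delinea_vault_cagent_url | default('') is match('^https://')
        fail_msg: "delinea_vault_cagent_url must be an https:// URL taken from the portal Download section."
      when: ansible_os_family == 'Windows'

  roles:
    - role: delinea_vault
```

Create the encrypted variables file with `ansible-vault create` and run the playbook with `--ask-vault-pass` (or a vault password file) so the registration code and temporary password never sit unencrypted in the repository.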