Minimal configuration

Point to the correct repository

You first need to install the trustbuilder-release package for the version you want before you can install or update the installer. The example below installs the 10.0.0 release from the production channel; set environment and version to the values you received from TrustBuilder.

environment=production
version=10.0.0
rpm -Uvh https://repository.trustbuilder.io/trustbuilder/${environment}/versions/${version}/trustbuilder-release-${version}.noarch.rpm

The trustbuilder-release package contains only the trustbuilder.repo file for that version. Changing or updating the version is no longer done from within the Ansible playbooks; you switch versions by installing a different trustbuilder-release.

Trustbuilder-installer

Start from an old appliance

Do you still have an appliance with trustbuilder-appliance installed? If not, go directly to "Start with a new appliance" below.

Install the new installer next to the old one

Log on to the Linux server with a user with administrative privileges and execute

sudo yum install trustbuilder-installer

Start with a new appliance

Getting the latest installation files

Log on to the Linux server with a user with administrative privileges and execute

sudo yum update trustbuilder-installer

Create an inventory directory

This is the working directory used during the installation. All other paths in this document are relative to this directory.

#Open the installer directory
cd /opt/trustbuilder/installer
#Copy the directory "default" to your own inventory directory. The next yum update will NOT overwrite these files.
cp -Rv default <environment>
#Example: cp -Rv default development

What this document calls the environment is what Ansible calls the inventory.

With the example above, the Ansible variable inventory_dir resolves to /opt/trustbuilder/installer/development/

The certificates

Certificates must be stored in /opt/trustbuilder/installer/<environment>/files/certificates. There must be a certificate and private key for EACH hostname in the hosts file (<hostname>.crt and <hostname>.key). If one is missing, the installer stops, unless you explicitly disabled SSL in the config files.

Generate certificates

You can generate self-signed certificates when none were delivered, using the script /opt/trustbuilder/installer/<environment>/files/certificates/generate_self_signed. The script accepts the following parameters:

Required:

generate_self_signed HOSTNAME


Optional:

--aliases <list>
  Additional hostnames for this certificate. Aliases must be comma-separated.
--ca <filename>
  The filename of the CA certificate to use or create. Default: ca_bundle.crt
--ca-subject <string>
  The subject used for generating the CA certificate. Required when using --silent and no CA certificate is available.
--crt-subject <string>
  The subject used for generating the host certificate. Required when using --silent.
--help
  Displays this help menu.
--nopass
  Generate a private key that is not protected by a password.
--pass <string>
  The password used for generating or reading the private key file.
--private-key <filename>
  The file to be used or generated as private key. Default: private.key
--silent
  Do not ask for user input during the run. The script then checks that all required parameters were given. Without --silent, missing required parameters are asked for interactively.
--version
  Display the current version of the script.

Examples:

#Generate a CA certificate and a host certificate
generate_self_signed demo --crt-subject "/C=BE/O=TrustBuilderCorporation/CN=demo" --ca-subject "/C=BE/O=TrustBuilderCorporation/CN=TBCA" --nopass --silent
#Generate a CA certificate and a host certificate, giving aliases for the host
generate_self_signed demo --crt-subject "/C=BE/O=TrustBuilderCorporation/CN=demo" --ca-subject "/C=BE/O=TrustBuilderCorporation/CN=TBCA" --nopass --silent --aliases "tb-demo.trustbuilder.io,demo.trustbuilder.io"
#Generate only the host certificate, using the provided CA certificate and its private key (protected by "passphrase")
generate_self_signed demo --crt-subject "/C=BE/O=TrustBuilderCorporation/CN=demo" --ca-subject "/C=BE/O=TrustBuilderCorporation/CN=TBCA" --pass passphrase --ca my_ca_cert.crt --private-key the_private_key --silent

The hosts file

The hosts file lists all servers on which installations need to be executed. You may only add or remove servers in this file. Never delete a group name, for whatever reason.

Always ask a TrustBuilder (partner) consultant for help in case you have a special installation. They will prepare this file for you.

vi ./hosts

How to define a localhost?

hostname ansible_connection=local

How to define a remote host?

hostname ansible_host=0.0.0.0 ansible_user=trustbuilder

Group                      Function
trustbuilder_repository
  The servers that will contain the database.
trustbuilder_arbitrator
  The server that acts as arbitrator for the database cluster. ONLY needed when there is an even number of database servers: the arbitrator supplies the extra vote the cluster needs to keep a majority (quorum) when a node drops out.
trustbuilder_orchestrator
  The servers that will contain the TrustBuilder Orchestrator installation.
trustbuilder_admin
  The servers that will contain the TrustBuilder Administration installation (TBA).
trustbuilder_gateway_dmz
  The servers that will be installed in the DMZ and are the ones connecting to the orchestrators.

A server can belong to multiple groups

Combination group          Function
trustbuilder_all
  Contains all the groups above plus any extra groups you create. The installer uses it to count the total number of servers to install.
trustbuilder_gateway
  Contains all the groups on which the gateway functionality must be installed. Orchestrators automatically get the gateway installed, with idhub admin enabled by default; other gateways have idhub admin disabled by default.
trustbuilder_repository_allowed
  Contains all groups that are allowed to connect to the database servers.
trustbuilder_orchestrator_allowed
  Contains all groups that are allowed to connect to the orchestrators' Tomcat ports.
trustbuilder_galera_cluster_default
  Contains all groups whose servers form a database cluster, in this case the default cluster.
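The two requirements above, a certificate pair for every hostname in the hosts file and a certificate the other nodes can trust, can be checked before the playbook runs. The script below is an added example and not part of the TrustBuilder installer. It assumes the hosts file is a plain Ansible INI inventory, that the CA bundle is ca_bundle.crt (the generate_self_signed default) and that the private keys were generated with --nopass; otherwise pass the passphrase as the fourth argument.

```shell
#!/bin/sh
# Pre-flight check for files/certificates (added example, not TrustBuilder code):
# every host named in ./hosts must have <hostname>.crt and <hostname>.key,
# the key must belong to the certificate, the certificate must chain to the CA
# bundle, and the certificate must be valid for the hostname it is named after.

# List host names: first word of each entry line, skipping comments, blank
# lines, section headers and the [group:children] / [group:vars] sections.
inventory_hosts() {
  awk '/^[[:space:]]*\[/ { skip = ($0 ~ /:(children|vars)]/); next }
       skip || /^[[:space:]]*(#|;|$)/ { next }
       { print $1 }' "$1" | sort -u
}

# check_certs CERTDIR HOSTSFILE [CAFILE] [KEYPASS]
# Returns 0 when every host passes all checks, 1 otherwise.
check_certs() {
  certdir=$1; hostsfile=$2
  ca=${3:-$certdir/ca_bundle.crt}
  # optional passphrase for encrypted .key files (no spaces supported)
  passin=${4:+-passin pass:$4}
  rc=0
  for h in $(inventory_hosts "$hostsfile"); do
    crt=$certdir/$h.crt; key=$certdir/$h.key
    if [ ! -f "$crt" ] || [ ! -f "$key" ]; then
      echo "MISSING   $h: expected $crt and $key" >&2; rc=1; continue
    fi
    # 1. the certificate must be issued by the CA the other nodes will trust
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
      echo "UNTRUSTED $h: $crt does not chain to $ca" >&2; rc=1
    fi
    # 2. the private key must match the certificate: compare public keys
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout $passin 2>/dev/null | openssl sha256)
    if [ "$crt_pub" != "$key_pub" ]; then
      echo "MISMATCH  $h: $key is not the private key of $crt" >&2; rc=1
    fi
    # 3. the name the other nodes connect to must be in the certificate
    #    (-checkhost uses the SANs and falls back to the CN when there are none)
    if ! openssl x509 -in "$crt" -noout -checkhost "$h" | grep -q 'does match'; then
      echo "NAME      $h: $crt is not valid for hostname $h" >&2; rc=1
    fi
  done
  return $rc
}
```

Source the file from the inventory directory and run check_certs files/certificates hosts; it reports each failing host on stderr and returns non-zero, so it can be placed in front of the ansible-playbook call. If your hosts file uses short names while the certificates carry FQDNs, add the short name with --aliases when generating, or the third check will flag the host.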

Change the default passwords

Sensitive information (passwords, keys) used during Ansible installation is saved in an encrypted format (vault) and not in clear-text.

Change password from Ansible password file

Change the default password of the Ansible password file. This file contains all passwords used during installation.

ansible-vault rekey ./group_vars/trustbuilder_all.yml
  1. Type in the default Vault password, <ENTER>
  2. Type in a new Vault password that complies with the customer’s company password policy
  3.  Confirm the password by entering it again
  4. Upon success, ansible will display the message “Rekey successful”

Change default password of TrustBuilder components

Ansible sets passwords for various TrustBuilder components (Repository, Orchestrator, Gateway, Redis, …) during installation. Change these in accordance with the customer’s company password requirements.

ansible-vault edit ./group_vars/trustbuilder_all.yml
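After editing, it is worth confirming that the secrets in ./group_vars/trustbuilder_all.yml really are stored encrypted and that no password was left in clear text (for example after an edit was saved as plain YAML). The function below is an added example, not part of the TrustBuilder installer; it recognises both a fully vaulted file and plaintext YAML whose *_password values are inline !vault blocks, and treats every key ending in "password" as a secret.

```shell
#!/bin/sh
# vault_status FILE: report whether a group_vars file keeps its secrets encrypted.
# Added example, not TrustBuilder code. Prints one of
#   encrypted          the whole file is an Ansible Vault blob
#   inline-vault       plaintext YAML whose *password values are all !vault blocks
#   plaintext-secrets  at least one *password value is readable (returns 1)
vault_status() {
  f=$1
  # A fully vaulted file starts with the vault header line.
  if head -n 1 "$f" | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'; then
    echo encrypted; return 0
  fi
  # Otherwise every key ending in "password" that has a value on the same line
  # must carry the !vault tag. Keys without a value (gw_password:) only
  # introduce a nested mapping and are skipped.
  if grep -Ei '^[[:space:]]*[a-z0-9_]*password[[:space:]]*:[[:space:]]*[^[:space:]]' "$f" \
     | grep -Evq '!vault'; then
    echo plaintext-secrets; return 1
  fi
  echo inline-vault; return 0
}
```

Run vault_status ./group_vars/trustbuilder_all.yml before committing the inventory directory anywhere; a plaintext-secrets result means the file was written without going through ansible-vault.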

The variables

If installing on an existing appliance: the passwords must be the same as those currently used by TrustBuilder.

General

Variable                   Function
add_node_password
  The initial password for new nodes.
trustbuilder_sudo_password
  The password the trustbuilder user will have/use on the live appliances.
appliance_become_password
  Must hold the same value as trustbuilder_sudo_password in ./group_vars; it is the Ansible become (sudo) password for the appliances. Do not touch unless you know what you are changing.

repository.trustbuilder.io

Variable                   Function
repostiory_io_username
  The username you received from TrustBuilder for logging on to repository.trustbuilder.io
repostiory_io_password
  The password you received from TrustBuilder for logging on to repository.trustbuilder.io

Database settings

Variable                   Function
repo_idhub_password
  The password needed for connecting to the IDHUB database.
repo_sst_password
  The password used for cluster replication (state snapshot transfer, NOT async replication).
repo_truststore_password
  The password protecting the certificate truststore the orchestrator uses for connecting to the database.
repo_root_password
  The password for the SQL root user.

Orchestrator settings

Variable                   Function
orch_keystore_password
  The password used to protect the orchestrator SSL certificates stored in the keystore.
orch_redis_password
  The password used to protect the sessionstore.
orch_idhub_password
  The password used for encrypting specific entries in the database. In case of an upgrade, paste in the password found in /etc/idhub.password.

Admin settings

Variable                   Function
admin_keystore_password
  The password used to protect the TBA SSL certificates stored in the keystore.
admin_tba_password
  The password used to enter the TBA module.

Gateway settings

Variable                   Function
gw_password
  Object (mapping) that contains the gateway instances and their passwords:
  default
    The name of the instance that will be used.
    redis_password
      The password used to protect the sessionstore for the gateway.

Install

Go back to /opt/trustbuilder/installer and run the playbook with the inventory (environment) you want. Because ./group_vars/trustbuilder_all.yml is vault-encrypted, ansible-playbook must be given the vault password, for example with --ask-vault-pass, unless the installer's ansible.cfg already points to a vault password file.

ansible-playbook -i development trustbuilder.yml