Customize the environment

All variables used during installation are defined in separate files in ./group_vars

  • all.yml
  • trustbuilder_repository.yml
  • trustbuilder_orchestrator.yml
  • trustbuilder_admin.yml
  • trustbuilder_gateway_dmz.yml

./group_vars/all.yml

Global environment variables that are shared by all TB components are set in this file.

Every component has its own configuration file that can override these settings.

Settings for TrustBuilder

Variable Function
tb_environment

By default set to "production".

Changing the environment can only be done with the explicit consent of a TB consultant!

tb_version
TB version
tb_version_major
Major release number
tb_version_minor
Minor release number

Repository settings

Variable Function
repo_truststore
Location of the trust store (the vault where all known trusted certificates are stored). Change this if the customer already has a trust store they want to use.
repo_idhub_user

The username of the user that will be used to connect to the IDHUB database.

Default: idhub

repo_database

The name of the IDHUB database that will be used

Default: IDHUB

repo_do_not_delete_other_files

Setting this to True prevents the deletion of files whose names start with CentOS or trustbuilder.

Default: False

repo_ignore_tb_sources

Setting this to True will not update the trustbuilder.repo file. You can then put your own repo files in ./files/common/yum.repos.d/

Default: False

repo_client

··use_database

Set to True if the client has their own database servers.

Default: False

··servers

Comma-separated list of the client database server IPs, enclosed in [].

Orchestrator settings

Variable Function
orch_vasco_enabled

Set to True if you want to use DigiPass

Default: False

General

Variable Function
common_loaded
orchestrator_loaded
admin_loaded
gateway_loaded

Do NOT change these values, as they are enabled during the Ansible installation!

Appliance based

Variable Function
Timezone

Current timezone

Default: Europe/Brussels

Settings for SSH

Variable Function
ssh_password_authentication

Enables or disables the possibility to connect with a password through SSH. Setting this to False only allows certificates.

Default: True

Settings for NTP

Variable Function
ntp_enabled

Enables or disables the time server (NTP) settings.

Default: True

ntp_servers
The servers used for time syncing
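An example ./group_vars/all.yml, added here and not taken from the installer, showing how the settings above are written out: the repo_client block uses the nested keys, SSH is restricted to certificates, and the repository trust store points at a customer-provided file. The trust store path, server IPs and NTP hostnames are constructed.

```yaml
# ./group_vars/all.yml (added example, not the installer's own file; values are constructed)
tb_environment: production                 # change only with explicit consent of a TB consultant

# Repository settings
repo_truststore: /opt/trustbuilder/customer-truststore.jks   # constructed path to the customer's existing trust store
repo_idhub_user: idhub
repo_database: IDHUB
repo_do_not_delete_other_files: False
repo_ignore_tb_sources: True               # keep trustbuilder.repo untouched; own repo files live in ./files/common/yum.repos.d/
repo_client:
  use_database: True                       # the client runs its own database servers ...
  servers: [10.0.10.11, 10.0.10.12, 10.0.10.13]   # ... listed as IPs between [] (constructed addresses)

# Orchestrator settings
orch_vasco_enabled: False

# Appliance based (key spelled as in the reference above)
Timezone: Europe/Brussels

# SSH: certificates only; verify key-based access to every host before turning passwords off
ssh_password_authentication: False

# NTP
ntp_enabled: True
ntp_servers:                               # constructed hostnames
  - ntp1.example.com
  - ntp2.example.com
```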

./group_vars/trustbuilder_repository.yml

Variable Function
repository_group

Group you want to use for installation (see hosts)

Default: trustbuilder_repository

Repository settings

Variable Function
repo_datacenter_name

Points to the cluster name.

Default: default

repo_allow_database_version_upgrade

Set to False if you want to disable the upgrade of MariaDB.

Default: True

repo_logrotate

··when

Options are: monthly, weekly, daily, hourly

Default: daily

··rotate

How many logfiles should be kept in archive

Default: 30

repo_port

Port repository listens on.

Default: 3306

repo_bind_interface

Interface repository listens on.

Default: *

repo_sst_user

Username of the user that keeps the cluster in sync.

Default: sst_user

repo_general_log

Enable/disable repository logfiles.

Default: 0

repo_use_ssl

Can be set to False if no certificates are provided. This is NOT recommended!

Default: True

repo_ssl_role_hostname

Hostname that is defined in the certificate.

Default: repository_backend

Async

Variable Function
repo_async_source_group
The source from where we want to sync this server
repo_async_destination_group
The destination group where we want to sync the database to

./group_vars/trustbuilder_orchestrator.yml

Variable Function
orchestrator_group

Group you want to use for orchestrator installation (see hosts)

Default: trustbuilder_orchestrator

repository_group

The repository group the orchestrator needs to connect to, in the case of active/passive clustering.

Default: trustbuilder_repository

Orchestrator settings

Variable Function
orch_tomcat_version

Version text to display when a Tomcat error is thrown.

Default: "TrustBuilder {{ tb_version }}.{{ tb_version_major }}.{{ tb_version_minor }}"

orch_ssl_port

SSL port the orchestrator listens on

Default: 8443

orch_port

Default (non-SSL) port orchestrator listens on

Default: 8080

orch_bind_interface

Interface the orchestrator will bind to

Default: *

orch_logrotate
··when

Options are: monthly, weekly, daily, hourly

Default: daily

··rotate

How many logfiles should be kept in archive

Default: 30

orch_redis_name_ext

Name extension ({{ext}}) of the Redis service. This will create two services:

  • tb-{{ext}}-sessionstore
  • tb-{{ext}}-sessionstore-sentinel

Default: orch

orch_redis_port

Port that redis listens on.

Default: 6379

orch_redis_sentinel_port

Port that sentinel (cluster interface) listens on.

Default: 26379

orch_redis_cluster_name

Name of Redis cluster

Default: "{{ orchestrator_group }}"

orch_keystore_name

Name of the keystore (vault with private key certificates)

Default: "{{ orchestrator_group }}"

orch_use_ssl

Set to False to disable SSL on the orchestrator

Default: True

orch_ssl_role_hostname

Hostname set in the customer-provided certificate that is to be used on all TB servers.

Default: TB

Gateway settings

Variable Function
gateway_group

Name of gateway group.

Default: "{{ orchestrator_group }}"

gw_instances

The instances that need to be installed on this gateway

Default: - default

gw_settings
Contains all the instances
··default
The instance and its settings
····port

Port the gateway listens on

Default: 80

····ssl_port

SSL port the gateway listens on.

Default: 443

····bind_interface

Interface the gateway listens on.

Default: *

····redis_name_ext

Name extension ({{ext}}) of the Redis service. This will create two services:

  • tb-{{ext}}-{{instance}}-sessionstore
  • tb-{{ext}}-{{instance}}-sessionstore-sentinel

Default: gw

····redis_port

Port Redis server listens on

Default: 46379

····redis_sentinel_disabled

This option can disable the installation of redis sentinel

Default: False

····redis_sentinel_port

Port Redis cluster service listens on

Default: 56379

····redis_bind_interface

Interface redis service listens on

Default: eth0

····logrotate

······when

Options are: monthly, weekly, daily, hourly

Default: daily

······rotate

How many logfiles should be kept in archive

Default: 30

····keystore_name

Name of keystore

Default: "{{ gateway_group }}"

····use_ssl

Set to False to not use SSL

Default: True

····orchestrator_group

The orchestrator group this gateway must connect to

Default: trustbuilder_orchestrator

····admin_group

The admin group this gateway must connect to

Default: trustbuilder_admin

····idhub_install_enabled

Should /install directory be available.

Default: True

····idhub_admin_enabled

Should admin module be enabled?

Default: True

····idhub_admin_api_enabled

Should admin api be available?

Default: True

····domain_cookie

 

Default: “”

····backend_url

Address of the load balancer, if the customer places one between gateway and orchestrator

Default: “”

./group_vars/trustbuilder_admin.yml

Variable Function
admin_group

Group you want to use for admin installation

Default: trustbuilder_admin

orchestrator_group

Ansible will now preconfigure the orchestrators inside TBA.

ONLY FOR NEW INSTALLATIONS

Default: trustbuilder_orchestrator

Admin settings

Variable Function
admin_tomcat_version

Version text to display when a Tomcat error is thrown.

Default: "TrustBuilder {{ tb_version }}.{{ tb_version_major }}.{{ tb_version_minor }}"

admin_ssl_port

SSL-port the admin server listens on.

Default: 18443

admin_port

(non-SSL) port the admin server listens on.

Default: 18080

admin_bind_interface

Interface the admin server will bind to

Default: *

admin_logrotate

··when

Options are: monthly, weekly, daily, hourly

Default: daily

··rotate

How many logfiles should be kept in archive

Default: 30

admin_keystore_name

Name of the keystore (vault with private key certificates)

Default: "{{ admin_group }}"

admin_use_ssl

Set to False to disable SSL on the admin server

Default: True

admin_ssl_role_hostname

Hostname set in the customer-provided certificate that is to be used on all TB servers.

Default: TB

./group_vars/trustbuilder_gateway_dmz.yml

Variable Function
gateway_group

Group you want to use for the installation of gateways located in the DMZ

Default: trustbuilder_gateway_dmz

Gateway settings

Variable Function
gw_instances

The instances that need to be installed on this gateway

Default: - default

gw_settings
Contains all the instances
··default
The instance and its settings
····port

Port the gateway listens on

Default: 80

····ssl_port

SSL port the gateway listens on.

Default: 443

····bind_interface

Interface the gateway listens on.

Default: *

····redis_name_ext

Name extension ({{ext}}) of the Redis service. This will create two services:

  • tb-{{ext}}-{{instance}}-sessionstore
  • tb-{{ext}}-{{instance}}-sessionstore-sentinel

Default: gw

····redis_port

Port Redis server listens on

Default: 46379

····redis_sentinel_disabled

This option can disable the installation of redis sentinel

Default: False

····redis_sentinel_port

Port Redis cluster service listens on

Default: 56379

····redis_bind_interface

Interface redis service listens on

Default: eth0

····logrotate

······when

Options are: monthly, weekly, daily, hourly

Default: daily

······rotate

How many logfiles should be kept in archive

Default: 30

····keystore_name

Name of keystore

Default: "{{ gateway_group }}"

····use_ssl

Set to False to not use SSL

Default: True

····orchestrator_group

The orchestrator group this gateway must connect to

Default: trustbuilder_orchestrator

····admin_group

The admin group this gateway must connect to

Default: trustbuilder_admin

····idhub_install_enabled

Should /install directory be available.

Default: False

····idhub_admin_enabled

Should admin module be enabled?

Default: False

····idhub_admin_api_enabled

Should admin api be available?

Default: False

····domain_cookie


Default: “”

····backend_url

Address of the load balancer, if the customer places one between gateway and orchestrator

Default: “”
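An example ./group_vars/trustbuilder_gateway_dmz.yml, added here and not the installer's own file, showing how the nested gw_settings keys above combine for a DMZ gateway that keeps the hardened defaults (no /install directory, admin module or admin API; SSL on). A second instance named api is assumed for illustration, since gw_instances is a list and the Redis service names carry {{instance}}; the domain_cookie value, the backend_url hostname and the api instance's ports are constructed.

```yaml
# ./group_vars/trustbuilder_gateway_dmz.yml (added example, not the installer's own file)
gateway_group: trustbuilder_gateway_dmz
gw_instances:
  - default
  - api                               # assumed second instance, named for illustration
gw_settings:
  default:
    port: 80
    ssl_port: 443
    bind_interface: "*"               # "*" must be quoted in YAML, otherwise it is read as an alias
    redis_name_ext: gw                # gives tb-gw-default-sessionstore and tb-gw-default-sessionstore-sentinel
    redis_port: 46379
    redis_sentinel_disabled: False
    redis_sentinel_port: 56379
    redis_bind_interface: eth0        # keep Redis off the DMZ-facing interface
    logrotate:
      when: daily
      rotate: 30
    keystore_name: "{{ gateway_group }}"
    use_ssl: True                     # keep SSL on for a gateway reachable from the DMZ
    orchestrator_group: trustbuilder_orchestrator
    admin_group: trustbuilder_admin
    idhub_install_enabled: False      # DMZ default: no /install directory
    idhub_admin_enabled: False        # DMZ default: no admin module
    idhub_admin_api_enabled: False    # DMZ default: no admin API
    domain_cookie: ".example.com"     # constructed value
    backend_url: "https://lb-orch.example.internal:8443"   # constructed load balancer in front of the orchestrators
  api:
    port: 8081                        # constructed: must not collide with the default instance
    ssl_port: 8444                    # constructed
    bind_interface: "*"
    redis_name_ext: gw                # gives tb-gw-api-sessionstore and tb-gw-api-sessionstore-sentinel
    redis_port: 46380                 # constructed: separate Redis ports per instance
    redis_sentinel_disabled: False
    redis_sentinel_port: 56380        # constructed
    redis_bind_interface: eth0
    logrotate:
      when: daily
      rotate: 30
    keystore_name: "{{ gateway_group }}"
    use_ssl: True
    orchestrator_group: trustbuilder_orchestrator
    admin_group: trustbuilder_admin
    idhub_install_enabled: False
    idhub_admin_enabled: False
    idhub_admin_api_enabled: False
    domain_cookie: ""
    backend_url: ""
```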

Provision data files

The directory ./files contains data files used during installation. Copy the relevant data into this directory.

Gateway

Here you can store the proxy and API SPs. These are now deployed by Ansible instead of manually over SSH.

You will also find the template files for 00_secure_gateway.conf and server.conf here, so you can apply settings that are not possible through Ansible.

Note: Because this location is used, you will need to update/maintain these files yourself when a new update of the installer is released. Always check whether we have fixed bugs in these files.

Orchestrator

Files that may be extended by partners/customers (e.g. config files for Tomcat). TB needs a copy of these files so that we can make them available in the next (Ansible) build.
