dellemc.openmanage.idrac_secure_boot module – Configure attributes, import, or export secure boot certificate, and reset keys.
Note
This module is part of the dellemc.openmanage collection (version 9.8.0).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install dellemc.openmanage.
You need further requirements to be able to use this module, see Requirements for details.
To use it in a playbook, specify: dellemc.openmanage.idrac_secure_boot.
New in dellemc.openmanage 9.6.0
Synopsis
This module allows you to perform the following operations.
Import or export Secure Boot certificates.
Enable or disable Secure Boot mode.
Configure Platform Key (PK) and Key Exchange Key (KEK) policies.
Configure Allow Database (DB) and Disallow Database (DBX) certificates.
Reset UEFI Secure Boot keys.
Requirements
The following requirements must be met on the host that executes this module.
python >= 3.9.6
Parameters
Parameter | Comments |
---|---|
 | Boot mode of the iDRAC. Choices: |
ca_path | The Privacy Enhanced Mail (PEM) file that contains a CA certificate to be used for the validation. |
database | A list of absolute paths of the Allow Database (DB) certificate files for UEFI Secure Boot. Directory path with write permission when export_certificates is |
disallow_database | A list of absolute paths of the Disallow Database (DBX) certificate files for UEFI Secure Boot. Directory path with write permission when export_certificates is |
export_certificates | Export all the available certificates in the specified directory for the given keys. export_certificates is mutually exclusive with import_certificates. export_certificates is Choices: |
 | Determines whether the system BIOS loads the legacy video (INT 10h) option ROM from the video controller. This parameter is supported only in UEFI boot mode. If UEFI Secure Boot mode is enabled, you cannot enable this parameter. Choices: |
idrac_ip | iDRAC IP address. |
idrac_password | iDRAC user password. If the password is not provided, then the environment variable IDRAC_PASSWORD is used. Example: export IDRAC_PASSWORD=password |
 | iDRAC port. Default: |
idrac_user | iDRAC username. If the username is not provided, then the environment variable IDRAC_USERNAME is used. Example: export IDRAC_USERNAME=username |
import_certificates | Import all the specified key certificates. When import_certificates is Choices: |
job_wait | Whether to wait till completion of the secure boot certificate operation. This is applicable when restart is Choices: |
job_wait_timeout | The maximum wait time of job_wait in seconds. The job is tracked only for this duration. This option is applicable when job_wait is Default: |
KEK | A list of absolute paths of the Key Exchange Key (KEK) certificate files for UEFI Secure Boot. Directory path with write permission when export_certificates is |
platform_key | The absolute path of the Platform Key (PK) certificate file for UEFI Secure Boot. Directory path with write permission when export_certificates is |
reset_keys | Resets the UEFI Secure Boot keys. Choices: |
restart | A Secure Boot certificate import requires a server restart. This parameter provides an option to restart the server. restart is applicable when import_certificates is restart will be ignored only when export_certificates is Choices: |
restart_type | Restart type of the server. restart_type is applicable when restart is Choices: |
secure_boot | UEFI Secure Boot. The secure_boot can be Choices: |
secure_boot_mode | The UEFI Secure Boot mode configures how to use the Secure Boot Policy. Choices: |
secure_boot_policy | The following are the types of Secure Boot policy. When the Secure Boot Policy is set to Custom, you can perform operations such as viewing, exporting, importing, deleting, deleting all, and resetting policies. Choices: |
 | The socket level timeout in seconds. Default: |
 | If Configure Prior to collection version Choices: |
x_auth_token | Authentication token. If the x_auth_token is not provided, then the environment variable IDRAC_X_AUTH_TOKEN is used. Example: export IDRAC_X_AUTH_TOKEN=x_auth_token |
Attributes
Attribute | Support | Description |
---|---|---|
check_mode | Support: full | Runs the task to validate without performing any action on the target machine. |
diff_mode | Support: none | Runs the task to report the changes made or to be made. |
Notes
Note
This module will always report changes found to be applied for import_certificates when run in check mode.
This module does not support idempotency when reset_type, export_certificates, or import_certificates is provided.
To configure the Secure Boot settings, the idrac_secure_boot module performs the operations in the following order: set attributes, export certificates, reset keys, import certificates, and restart iDRAC.
export_certificates exports all the certificates of each key defined in the playbook.
This module considers the values of restart and job_wait only for the last operation in the sequence.
This module supports IPv4 and IPv6 addresses.
Only reset_keys is supported on iDRAC8.
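The notes above state several rules a task must satisfy before it is worth sending to the iDRAC: export_certificates and import_certificates are mutually exclusive, import paths must point at PEM certificate files while export paths must be writable directories, restart is ignored for export runs, and the module applies operations in a fixed order. The following pre-flight checker is an added example, not code from the dellemc.openmanage collection; it takes the same argument names the module uses, validates them locally, and returns the operation sequence the documentation describes. The function names (`is_pem_certificate`, `plan_operations`, `demo`), the sample PEM file and the assumption that a non-Custom secure_boot_policy set in the same task conflicts with a certificate operation are this example's own.

```python
"""Pre-flight checks for dellemc.openmanage.idrac_secure_boot task arguments.

Added example, not code from the collection. It encodes the rules stated in the
module notes: export_certificates and import_certificates are mutually exclusive,
import paths must be PEM certificate files, export paths must be writable
directories, and operations run in the order attributes, export, reset keys,
import, restart. The function names are this example's own.
"""
import base64
import binascii
import os
import re
import tempfile

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)
KEY_PARAMS = ("platform_key", "KEK", "database", "disallow_database")
ATTRIBUTE_PARAMS = ("secure_boot", "secure_boot_mode", "secure_boot_policy")


def is_pem_certificate(path):
    """Return True if the file holds at least one PEM CERTIFICATE block whose body is
    valid base64 and decodes to a DER SEQUENCE (tag 0x30), the outer structure of an
    X.509 certificate. Structural check only: no chain or signature validation."""
    try:
        with open(path, "r", encoding="ascii") as fh:
            text = fh.read()
    except (OSError, UnicodeDecodeError):
        return False
    bodies = PEM_CERT_RE.findall(text)
    if not bodies:
        return False
    for body in bodies:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            return False
        if not der or der[0] != 0x30:
            return False
    return True


def _paths(args, name):
    """platform_key is a single path; the other key parameters are lists."""
    value = args.get(name)
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def plan_operations(args):
    """Validate the task arguments and return the ordered list of operations the
    module documentation says it performs. Raises ValueError on the first problem."""
    if args.get("export_certificates") and args.get("import_certificates"):
        raise ValueError("export_certificates and import_certificates are mutually exclusive")
    policy = args.get("secure_boot_policy")
    if policy not in (None, "Custom") and (
        args.get("export_certificates") or args.get("import_certificates")
    ):
        # Assumption: the docs tie import/export to the Custom policy, so setting a
        # different policy in the same task is treated as a configuration error.
        raise ValueError("certificate import/export requires secure_boot_policy Custom")
    plan = []
    if any(args.get(p) is not None for p in ATTRIBUTE_PARAMS):
        plan.append("set_attributes")
    if args.get("export_certificates"):
        for name in KEY_PARAMS:
            for directory in _paths(args, name):
                if not (os.path.isdir(directory) and os.access(directory, os.W_OK)):
                    raise ValueError(f"{name}: {directory} is not a writable directory")
        plan.append("export_certificates")
    if args.get("reset_keys"):
        plan.append("reset_keys")
    if args.get("import_certificates"):
        for name in KEY_PARAMS:
            for path in _paths(args, name):
                if not is_pem_certificate(path):
                    raise ValueError(f"{name}: {path} is not a PEM certificate file")
        plan.append("import_certificates")
    # restart is documented as ignored for export runs (assumed: when it is true).
    if args.get("restart") and not args.get("export_certificates"):
        plan.append("restart")
    return plan


def demo():
    """Run the checks on constructed sample files in a temporary directory."""
    tmp = tempfile.mkdtemp()
    good = os.path.join(tmp, "db1.pem")
    with open(good, "w", encoding="ascii") as fh:
        # Constructed PEM: base64 of DER bytes 30 03 02 01 01, a SEQUENCE holding
        # INTEGER 1. Structurally a DER SEQUENCE, not a real certificate.
        fh.write("-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n")
    bad = os.path.join(tmp, "notes.txt")
    with open(bad, "w", encoding="ascii") as fh:
        fh.write("not a certificate\n")
    results = {
        "good_pem": is_pem_certificate(good),
        "bad_pem": is_pem_certificate(bad),
        "import_plan": plan_operations({"secure_boot": "Enabled", "import_certificates": True,
                                        "database": [good], "restart": True}),
        "export_plan": plan_operations({"export_certificates": True, "database": [tmp],
                                        "restart": True}),
    }
    for key, bad_args in (
        ("exclusive_error", {"export_certificates": True, "import_certificates": True}),
        ("bad_file_error", {"import_certificates": True, "database": [bad]}),
    ):
        try:
            plan_operations(bad_args)
            results[key] = None
        except ValueError as exc:
            results[key] = str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script as-is exercises the checks on the constructed files; in practice the task's argument dictionary would be passed to `plan_operations` before the play runs, so a malformed certificate path or a conflicting export/import pair is caught on the control node instead of after a server restart.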
Examples
---
- name: Enable Secure Boot.
  dellemc.openmanage.idrac_secure_boot:
    idrac_ip: "192.168.1.2"
    idrac_user: "user"
    idrac_password: "password"
    ca_path: "/path/to/ca_cert.pem"
    secure_boot: "Enabled"

- name: Set Secure Boot mode, Secure Boot policy, and restart iDRAC.
  dellemc.openmanage.idrac_secure_boot:
    idrac_ip: "192.168.1.2"
    idrac_user: "user"
    idrac_password: "password"
    ca_path: "/path/to/ca_cert.pem"
    secure_boot: "Enabled"
    secure_boot_mode: "UserMode"
    secure_boot_policy: "Custom"
    restart: true
    restart_type: "GracefulRestart"

- name: Reset Secure Boot certificates.
  dellemc.openmanage.idrac_secure_boot:
    idrac_ip: "192.168.1.2"
    idrac_user: "user"
    idrac_password: "password"
    ca_path: "/path/to/ca_cert.pem"
    reset_keys: "ResetAllKeysToDefault"

- name: Export multiple Secure Boot certificates.
  dellemc.openmanage.idrac_secure_boot:
    idrac_ip: "192.168.1.2"
    idrac_user: "user"
    idrac_password: "password"
    ca_path: "/path/to/ca_cert.pem"
    export_certificates: true
    platform_key: /user/name/export_cert/pk
    KEK:
      - /user/name/export_cert/kek
    database:
      - /user/name/export_cert/db
    disallow_database:
      - /user/name/export_cert/dbx

- name: Import multiple Secure Boot certificates without applying them to iDRAC.
  dellemc.openmanage.idrac_secure_boot:
    idrac_ip: "192.168.1.2"
    idrac_user: "user"
    idrac_password: "password"
    ca_path: "/path/to/ca_cert.pem"
    import_certificates: true
    platform_key: /user/name/certificates/pk.pem
    KEK:
      - /user/name/certificates/kek1.pem
      - /user/name/certificates/kek2.pem
    database:
      - /user/name/certificates/db1.pem
      - /user/name/certificates/db2.pem
    disallow_database:
      - /user/name/certificates/dbx1.pem
      - /user/name/certificates/dbx2.pem

- name: Import a Secure Boot certificate and restart the server to apply it.
  dellemc.openmanage.idrac_secure_boot:
    idrac_ip: "192.168.1.2"
    idrac_user: "user"
    idrac_password: "password"
    ca_path: "/path/to/ca_cert.pem"
    import_certificates: true
    platform_key: /user/name/certificates/pk.pem
    restart: true
    job_wait_timeout: 600
Return Values
Common return values are documented here; the following are the fields unique to this module:
Key | Description |
---|---|
error_info | Details of the HTTP error. Returned: on HTTP error. Sample: |
msg | Status of the Secure Boot operation. Returned: always. Sample: |