check_point.mgmt.cp_mgmt_opsec_trusted_ca module – Manages opsec-trusted-ca objects on Checkpoint over Web Services API

Note

This module is part of the check_point.mgmt collection (version 6.5.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install check_point.mgmt.

To use it in a playbook, specify: check_point.mgmt.cp_mgmt_opsec_trusted_ca.

New in check_point.mgmt 6.0.0

Synopsis

  • Manages opsec-trusted-ca objects on Checkpoint devices including creating, updating and removing objects.

  • All operations are performed over Web Services API.

  • Available from R82 management version.

Parameters

Parameter

Comments

allow_certificates_from_branches

boolean

Allow only certificates from listed branches.

Choices:

  • false

  • true

auto_publish_session

boolean

Publish the current session if changes have been performed after task completes.

Choices:

  • false ← (default)

  • true

automatic_enrollment

dictionary

Certificate automatic enrollment.

automatically_enroll_certificate

boolean

Whether to automatically enroll certificate.

Choices:

  • false

  • true

cmpv1_settings

dictionary

Cmpv1 protocol settings. Available only if “protocol” is set to “cmpv1”.

direct_tcp_settings

dictionary

Direct tcp transport layer settings.

ip_address

string

Certificate authority IP address.

port

integer

Port number.

cmpv2_settings

dictionary

Cmpv2 protocol settings. Available only if “protocol” is set to “cmpv1”.

direct_tcp_settings

dictionary

Direct tcp transport layer settings.

ip_address

string

Certificate authority IP address.

port

integer

Port number.

http_settings

dictionary

Http transport layer settings.

url

string

Certificate authority URL.

transport_layer

string

Transport layer.

Choices:

  • "http"

  • "direct-tcp"

protocol

string

Protocol that communicates with the certificate authority. Available only if “automatically-enroll-certificate” parameter is set to true.

Choices:

  • "scep"

  • "cmpv2"

  • "cmpv1"

scep_settings

dictionary

Scep protocol settings. Available only if “protocol” is set to “scep”.

ca_identifier

string

Certificate authority identifier.

url

string

Certificate authority URL.

base64_certificate

string

Certificate file encoded in base64.

branches

list / elements=string

Branches to allow certificates from. Required only if “allow-certificates-from-branches” set to “true”.

cache_crl

boolean

Cache Certificate Revocation List on the Security Gateway.

Choices:

  • false

  • true

color

string

Color of the object. Should be one of existing colors.

Choices:

  • "aquamarine"

  • "black"

  • "blue"

  • "crete blue"

  • "burlywood"

  • "cyan"

  • "dark green"

  • "khaki"

  • "orchid"

  • "dark orange"

  • "dark sea green"

  • "pink"

  • "turquoise"

  • "dark blue"

  • "firebrick"

  • "brown"

  • "forest green"

  • "gold"

  • "dark gold"

  • "gray"

  • "dark gray"

  • "light green"

  • "lemon chiffon"

  • "coral"

  • "sea green"

  • "sky blue"

  • "magenta"

  • "purple"

  • "slate blue"

  • "violet red"

  • "navy blue"

  • "olive"

  • "orange"

  • "red"

  • "sienna"

  • "yellow"

comments

string

Comments string.

crl_cache_method

string

Weather to retrieve new Certificate Revocation List after the certificate expires or after a fixed period.

Choices:

  • "timeout"

  • "expiration date"

crl_cache_timeout

integer

When to fetch new Certificate Revocation List (in minutes).

details_level

string

The level of detail for some of the fields in the response can vary from showing only the UID value of the object to a fully detailed representation of the object.

Choices:

  • "uid"

  • "standard"

  • "full"

domains_to_process

list / elements=string

Indicates which domains to process the commands on. It cannot be used with the details-level full, must be run from the System Domain only and with ignore-warnings true. Valid values are, CURRENT_DOMAIN, ALL_DOMAINS_ON_THIS_SERVER.

ignore_errors

boolean

Apply changes ignoring errors. You won’t be able to publish such a changes. If ignore-warnings flag was omitted - warnings will also be ignored.

Choices:

  • false

  • true

ignore_warnings

boolean

Apply changes ignoring warnings.

Choices:

  • false

  • true

name

string / required

Object name.

retrieve_crl_from_http_servers

boolean

Whether to retrieve Certificate Revocation List from http servers.

Choices:

  • false

  • true

retrieve_crl_from_ldap_servers

boolean

Whether to retrieve Certificate Revocation List from ldap servers.

Choices:

  • false

  • true

state

string

State of the access rule (present or absent).

Choices:

  • "present" ← (default)

  • "absent"

tags

list / elements=string

Collection of tag identifiers.

version

string

Version of checkpoint. If not given one, the latest version taken.

wait_for_task

boolean

Wait for the task to end. Such as publish task.

Choices:

  • false

  • true ← (default)

wait_for_task_timeout

integer

How many minutes to wait until throwing a timeout error.

Default: 30

Examples

- name: add-opsec-trusted-ca
  cp_mgmt_opsec_trusted_ca:
    base64_certificate:
      "MIICwjCCAaqgAwIBAgIILdexblpVEMIwDQYJKoZIhvcNAQELBQAwGDEWMBQGA1UEAxMNd3d3Lm9wc2VjLmNvbTAeFw0yMzA2MjUwOTE3MDBaFw0yNTAzMzExNjAwMDBaMBgxFjAUBgNVBAMTDXd3dy5vcH
       lYy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCjpqCxDaVg+I1b+wqnmjjYtL3v7Tlu/YpMbsKnv+M1gRz6QFUOoSVnxKLo0A7Y4kCqa1OPcHO/LtXuok43F1YZPVKm3xWpY8FmqGqf5
       uGmSwm1HPObcMjwGOyFgwpwEDF5e0UMZ7xtJF8BZ5KKBh3ZfQ1FbmbVqSUPcmOi+NE4JspPlHxX+m6es/yeSGR1A2ezKY7KePTlwVtDe8hiLrYyKG92nka5rkD1QyEIVJ0W5wrnU4nGEDIHeOfT09zroQx
       NLkb51sl4Tog/qw+EraVGIBe/iFnSJoDF37i2mLJqI/t8bel+aGDAxgMx1pO85OClgjPSWL0UIXGI2xrR+JAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAHTs1AutAmSLHF2
       RLJtrRNkso0lMyA7XI7k1TNpTk7TCZLNY0VbUliGbcl+POH4EG8ARUrftnwRDCTBd2BdJTqG2CyNADi+bw8aLvbxok7KH0GlQvGjyfq+sHK12wTl4ULNyYoAPZ01GhXOvkobROdSyjxvBVhxdVo90kj7mH
       v3N83huNhfstDFUBcQCmMkbLuzDUZrl2a1OtqlOdNC6mNvb7Jq9W9vRxGA514e7jqyoM+PwHu5fILx/jmGT8suOUnvbtcDdFhjqixAPer6uSPR0CSbiJvuDy72DPH5mjZK5dQKewNYOZ/BQEsRIBe+Q6eG
       oJqi+cD63cwlw0DCc="
    name: opsec_ca
    state: present

- name: set-opsec-trusted-ca
  cp_mgmt_opsec_trusted_ca:
    name: opsec_ca
    automatic_enrollment:
      automatically_enroll_certificate: true
      protocol: "cmpv1"
      cmpv1_settings:
        direct_tcp_settings:
          ip_address: "1.1.1.1"
    state: present

- name: delete-opsec-trusted-ca
  cp_mgmt_opsec_trusted_ca:
    name: opsec_ca
    state: absent

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

cp_mgmt_opsec_trusted_ca

dictionary

The checkpoint object created or updated.

Returned: always, except when deleting the object.

Authors

  • Eden Brillant (@chkp-edenbr)