cisco.ise.trusted_certificate module – Resource module for Trusted Certificate

Note

This module is part of the cisco.ise collection (version 1.2.1).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install cisco.ise.

To use it in a playbook, specify: cisco.ise.trusted_certificate.

New in version 1.0.0: of cisco.ise

Synopsis

  • Manage operations update and delete of the resource Trusted Certificate.

Note

This module has a corresponding action plugin.

Requirements

The below requirements are needed on the host that executes this module.

  • ciscoisesdk >= 1.1.0

  • python >= 3.5

Parameters

Parameter

Comments

authenticateBeforeCRLReceived

boolean

Switch to enable/disable CRL Verification if CRL is not Received.

Choices:

  • no

  • yes

automaticCRLUpdate

boolean

Switch to enable/disable automatic CRL update.

Choices:

  • no

  • yes

automaticCRLUpdatePeriod

integer

Automatic CRL update period.

automaticCRLUpdateUnits

string

Unit of time for automatic CRL update.

crlDistributionUrl

string

CRL Distribution URL.

crlDownloadFailureRetries

integer

If CRL download fails, wait time before retry.

crlDownloadFailureRetriesUnits

string

Unit of time before retry if CRL download fails.

description

string

Description for trust certificate.

downloadCRL

boolean

Switch to enable/disable download of CRL.

Choices:

  • no

  • yes

enableOCSPValidation

boolean

Switch to enable/disable OCSP Validation.

Choices:

  • no

  • yes

enableServerIdentityCheck

boolean

Switch to enable/disable verification if HTTPS or LDAP server certificate name fits the configured server URL.

Choices:

  • no

  • yes

id

string

Id path parameter. The ID of the Trusted Certificate to be deleted.

ignoreCRLExpiration

boolean

Switch to enable/disable ignore CRL Expiration.

Choices:

  • no

  • yes

ise_debug

boolean

Flag for Identity Services Engine SDK to enable debugging.

Choices:

  • no ← (default)

  • yes

ise_hostname

string / required

The Identity Services Engine hostname.

ise_password

string / required

The Identity Services Engine password to authenticate.

ise_username

string / required

The Identity Services Engine username to authenticate.

ise_uses_api_gateway

boolean

added in 1.1.0 of cisco.ise

Flag that informs the SDK whether to use the Identity Services Engine’s API Gateway to send requests.

If it is true, it uses the ISE’s API Gateway and sends requests to https://{{ise_hostname}}.

If it is false, it sends the requests to https://{{ise_hostname}}:{{port}}, where the port value depends on the Service used (ERS, Mnt, UI, PxGrid).

Choices:

  • no

  • yes ← (default)

ise_verify

boolean

Flag to enable or disable SSL certificate verification.

Choices:

  • no

  • yes ← (default)

ise_version

string

Informs the SDK which version of Identity Services Engine to use.

Default: “3.1.0”

ise_wait_on_rate_limit

boolean

Flag for Identity Services Engine SDK to enable automatic rate-limit handling.

Choices:

  • no

  • yes ← (default)

name

string

Friendly name of the certificate.

nonAutomaticCRLUpdatePeriod

integer

Non automatic CRL update period.

nonAutomaticCRLUpdateUnits

string

Unit of time of non automatic CRL update.

rejectIfNoStatusFromOCSP

boolean

Switch to reject certificate if there is no status from OCSP.

Choices:

  • no

  • yes

rejectIfUnreachableFromOCSP

boolean

Switch to reject certificate if unreachable from OCSP.

Choices:

  • no

  • yes

selectedOCSPService

string

Name of selected OCSP Service.

status

string

Trusted Certificate’s status.

trustForCertificateBasedAdminAuth

boolean

Trust for Certificate based Admin authentication.

Choices:

  • no

  • yes

trustForCiscoServicesAuth

boolean

Trust for authentication of Cisco Services.

Choices:

  • no

  • yes

trustForClientAuth

boolean

Trust for client authentication and Syslog.

Choices:

  • no

  • yes

trustForIseAuth

boolean

Trust for authentication within ISE.

Choices:

  • no

  • yes

Notes

Note

  • Does not support check_mode

See Also

See also

Trusted Certificate reference

Complete reference of the Trusted Certificate object model.

Examples

- name: Update by id
  cisco.ise.trusted_certificate:
    ise_hostname: "{{ise_hostname}}"
    ise_username: "{{ise_username}}"
    ise_password: "{{ise_password}}"
    ise_verify: "{{ise_verify}}"
    state: present
    authenticateBeforeCRLReceived: true
    automaticCRLUpdate: true
    automaticCRLUpdatePeriod: 0
    automaticCRLUpdateUnits: string
    crlDistributionUrl: string
    crlDownloadFailureRetries: 0
    crlDownloadFailureRetriesUnits: string
    description: string
    downloadCRL: true
    enableOCSPValidation: true
    enableServerIdentityCheck: true
    id: string
    ignoreCRLExpiration: true
    name: string
    nonAutomaticCRLUpdatePeriod: 0
    nonAutomaticCRLUpdateUnits: string
    rejectIfNoStatusFromOCSP: true
    rejectIfUnreachableFromOCSP: true
    selectedOCSPService: string
    status: string
    trustForCertificateBasedAdminAuth: true
    trustForCiscoServicesAuth: true
    trustForClientAuth: true
    trustForIseAuth: true

- name: Delete by id
  cisco.ise.trusted_certificate:
    ise_hostname: "{{ise_hostname}}"
    ise_username: "{{ise_username}}"
    ise_password: "{{ise_password}}"
    ise_verify: "{{ise_verify}}"
    state: absent
    id: string

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

ise_response

dictionary

A dictionary or list with the response returned by the Cisco ISE Python SDK

Returned: always

Sample: “{\n \”authenticateBeforeCRLReceived\”: \”string\”,\n \”automaticCRLUpdate\”: \”string\”,\n \”automaticCRLUpdatePeriod\”: \”string\”,\n \”automaticCRLUpdateUnits\”: \”string\”,\n \”crlDistributionUrl\”: \”string\”,\n \”crlDownloadFailureRetries\”: \”string\”,\n \”crlDownloadFailureRetriesUnits\”: \”string\”,\n \”description\”: \”string\”,\n \”downloadCRL\”: \”string\”,\n \”enableOCSPValidation\”: \”string\”,\n \”enableServerIdentityCheck\”: \”string\”,\n \”expirationDate\”: \”string\”,\n \”friendlyName\”: \”string\”,\n \”id\”: \”string\”,\n \”ignoreCRLExpiration\”: \”string\”,\n \”internalCA\”: true,\n \”isReferredInPolicy\”: true,\n \”issuedBy\”: \”string\”,\n \”issuedTo\”: \”string\”,\n \”keySize\”: \”string\”,\n \”link\”: {\n \”href\”: \”string\”,\n \”rel\”: \”string\”,\n \”type\”: \”string\”\n },\n \”nonAutomaticCRLUpdatePeriod\”: \”string\”,\n \”nonAutomaticCRLUpdateUnits\”: \”string\”,\n \”rejectIfNoStatusFromOCSP\”: \”string\”,\n \”rejectIfUnreachableFromOCSP\”: \”string\”,\n \”selectedOCSPService\”: \”string\”,\n \”serialNumberDecimalFormat\”: \”string\”,\n \”sha256Fingerprint\”: \”string\”,\n \”signatureAlgorithm\”: \”string\”,\n \”status\”: \”string\”,\n \”subject\”: \”string\”,\n \”trustedFor\”: \”string\”,\n \”validFrom\”: \”string\”\n}\n”

ise_update_response

dictionary

added in 1.1.0 of cisco.ise

A dictionary or list with the response returned by the Cisco ISE Python SDK

Returned: always

Sample: “{\n \”response\”: {\n \”id\”: \”string\”,\n \”link\”: {\n \”href\”: \”string\”,\n \”rel\”: \”string\”,\n \”type\”: \”string\”\n },\n \”message\”: \”string\”\n },\n \”version\”: \”string\”\n}\n”

Authors

  • Rafael Campos (@racampos)