Uploaded image for project: 'Ansible Automation Platform RFEs'
  1. Ansible Automation Platform RFEs
  2. AAPRFE-1220

Include pg_ssl_ciphers AAP setup parameter in inventory file

XMLWordPrintable

    • Icon: Feature Request Feature Request
    • Resolution: Unresolved
    • Icon: Normal Normal
    • None
    • 2.4
    • controller
    • False
    • Hide

      None

      Show
      None
    • False

      1. What is the nature and description of the request?

      Cu wants to change the ciphers and to have the ability to change from the inventory file giving an example to have a parameter such as "pg_ssl_ciphers".

      2. Why does the customer need this? (List the business requirements here)

       

      We have changed the ciphers on the development hosts. This resolved the security vulnerability.
      However, setting these cipher configuration manually will cause them to be reset after each update/patch of the AAP platform.
      I have checked these settings in the AAP installer/setup script.
      The postgresql.conf and the pg_hba.conf configuration files are overwritten during the installer process using a Jinja2 template.
      The installer will always reset the options, when they are manually set.
      In my request, I propose to include the ability to configure the ciphers and maybe more options (pg_hba, listen address etc.) using inventory variables when executing the AAP installer.
      This way, the default setup can be used for customers that do not have the requirement to adjust the settings.
      As the PostgreSQL configuration files are already rendered using Jinja2 templates, this can be implemented easily (i.e. exactly like the other pg_XXXX variables in the inventory).
      

      Allread told that they can refer to and can customize the ssl_ciphers manually under the /var/lib/pgsql/data/postgresql.conf as per their env requirement.

      Strong crypto defaults in RHEL 8 and deprecation of weak crypto algorithms
      https://access.redhat.com/articles/3642912 

       

              bcoursen@redhat.com Brian Coursen
              rhn-support-ksuthar Komal Suthar
              Votes:
              1 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated: