mq certificate
Overview
This resource allows you to manage SSL Certificates for MQ in a database.
It allows multiple operations:
1) Adding a certificate from an ascii of binary file 2) Importing a labeled certificate from an other certificate database 3) Creating a self signed certificate
Option 1: Adding a certificate from an ascii of binary file
Puppet uses this action when the source parameter is specified and the specified source_type is either ascii or binary. Here is an example on how to use this:
mq_certificate {'/var/mqm/keys/test_db_2.kdb:my_label_1':
ensure => 'present',
password => 'verysecret',
source => '/var/mqm/keys/my_label_2.ascii',
source_type => 'ascii',
}
Option 2: Importing a labeled certificate from an other certificate database
Puppet uses this action when the source parameter is specified and the specified source_type is:
- cms
- kdb
- pkcs12
- p12
- pkcs7
- pem
Here is an example on how to use this:
mq_certificate {'/var/mqm/keys/test_db_2.kdb:my_label_1':
ensure => 'present',
password => 'verysecret',
source => '/var/mqm/keys/my_label_1.p12',
source_type => 'p12',
source_label => 'my_label_1',
source_password => 'verysecret',
}
Option 3: Creating a self signed certificate.
When no source value is given, Puppet creates a self signed cerificate withe the specified label inside of the certificate database. Here is an example on how that works:
mq_certificate {'/var/mqm/keys/test_db_1.kdb:my_label_1':
ensure => 'present',
password => 'verysecret',
distinguished_name => 'cn=bert.....',
}
Attributes
| Attribute Name | Short Description |
|---|---|
| db_type | The type of key database. |
| disable_corrective_change | Disable the modification of a resource when Puppet decides it is a corrective change. |
| disable_corrective_ensure | Disable the creation or removal of a resource when Puppet decides is a corrective change. |
| distinguished_name | This is a puppet parameter and not a managed property. |
| ensure | The basic property that the resource should be in. |
| expire_days | This is a puppet parameter and not a managed property. |
| file_name | This is a puppet parameter and not a managed property. |
| key_size | The size of the key to generate. |
| label | The certificate label. |
| name | |
| password | The certificate database password. |
| provider | resource. |
| source | The source file containing the certificate. |
| source_label | This is the label of the certificate in the source file. |
| source_password | |
| source_type | The type of certificate to load. |
| tmp_dir | The tmp directory to put the fetched certificate on.. |
| trust | Enable or disable trust on certificate. |
| x509version | the x509 version to use when creating a self signed certificate. |
db_type
The type of key database.
This is a puppet parameter and not a managed property. Therefor it is only used during creation of the resource. Changes to this parameter in your manifest, do NOT result in modifications on the system.
Valid values are cms, jceks, jks, kdb, p12, pkcs12, pkcs12s2.
Back to overview of mq_certificate
disable_corrective_change
Disable the modification of a resource when Puppet decides it is a corrective change.
(requires easy_type V2.11.0 or higher)
When using a Puppet Server, Puppet knows about adaptive and corrective changes. A corrective change is when Puppet notices that the resource has changed, but the catalog has not changed. This can occur for example, when a user, by accident or willingly, changed something on the system that Puppet is managing. The normal Puppet process then repairs this and puts the resource back in the state as defined in the catalog. This process is precisely what you want most of the time, but not always. This can sometimes also occur when a hardware or network error occurs. Then Puppet cannot correctly determine the current state of the system and thinks the resource is changed, while in fact, it is not. Letting Puppet recreate remove or change the resource in these cases, is NOT wat you want.
Using the disable_corrective_change parameter, you can disable corrective changes on the current resource.
Here is an example of this:
crucial_resource {'be_carefull':
...
disable_corrective_change => true,
...
}
When a corrective ensure does happen on the resource Puppet will not modify the resource and signal an error:
Error: Corrective change present requested by catalog, but disabled by parameter disable_corrective_change
Error: /Stage[main]/Main/Crucial_resource[be_carefull]/parameter: change from '10' to '20' failed: Corrective change present requested by catalog, but disabled by parameter disable_corrective_change. (corrective)
Back to overview of mq_certificate
disable_corrective_ensure
Disable the creation or removal of a resource when Puppet decides is a corrective change.
(requires easy_type V2.11.0 or higher)
When using a Puppet Server, Puppet knows about adaptive and corrective changes. A corrective change is when Puppet notices that the resource has changed, but the catalog has not changed. This can occur for example, when a user, by accident or willingly, changed something on the system that Puppet is managing. The normal Puppet process then repairs this and puts the resource back in the state as defined in the catalog. This process is precisely what you want most of the time, but not always. This can sometimes also occur when a hardware or network error occurs. Then Puppet cannot correctly determine the current state of the system and thinks the resource is changed, while in fact, it is not. Letting Puppet recreate remove or change the resource in these cases, is NOT wat you want.
Using the disable_corrective_ensure parameter, you can disable corrective ensure present or ensure absent actions on the current resource.
Here is an example of this:
crucial_resource {'be_carefull':
ensure => 'present',
...
disable_corrective_ensure => true,
...
}
When a corrective ensure does happen on the resource Puppet will not create or remove the resource and signal an error:
Error: Corrective ensure present requested by catalog, but disabled by parameter disable_corrective_ensure.
Error: /Stage[main]/Main/Crucial_resource[be_carefull]/ensure: change from 'absent' to 'present' failed: Corrective ensure present requested by catalog, but disabled by parameter disable_corrective_ensure. (corrective)
Back to overview of mq_certificate
distinguished_name
This is a puppet parameter and not a managed property. Therefor it is only used during creation of the resource. Changes to this parameter in your manifest, do NOT result in modifications on the system.
Back to overview of mq_certificate
ensure
The basic property that the resource should be in.
Valid values are present, absent.
Back to overview of mq_certificate
expire_days
This is a puppet parameter and not a managed property. Therefor it is only used during creation of the resource. Changes to this parameter in your manifest, do NOT result in modifications on the system.
Back to overview of mq_certificate
file_name
This is a puppet parameter and not a managed property. Therefor it is only used during creation of the resource. Changes to this parameter in your manifest, do NOT result in modifications on the system.
Back to overview of mq_certificate
key_size
The size of the key to generate.
This is a puppet parameter and not a managed property. Therefor it is only used during creation of the resource. Changes to this parameter in your manifest, do NOT result in modifications on the system.
Valid values are 512, 1024, 2048, 4096.
Back to overview of mq_certificate
label
The certificate label.
Back to overview of mq_certificate
name
Back to overview of mq_certificate
password
The certificate database password.
This is a puppet parameter and not a managed property. Therefor it is only used during creation of the resource. Changes to this parameter in your manifest, do NOT result in modifications on the system.
Back to overview of mq_certificate
provider
The specific backend to use for this mq_certificate resource. You will seldom need to specify this — Puppet will usually discover the appropriate provider for your platform.Available providers are:
- simple
- Manage MQ certificates
Back to overview of mq_certificate
source
The source file containing the certificate.
It can by either a file or an url. The following kind of URL’s are supported:
puppet:URIs, which point to files in modules or Puppet file server mount points.- Fully qualified paths to locally available files (including files on NFS shares or Windows mapped drives).
file:URIs, which behave the same as local file paths.http:URIs, which point to files served by common web servers
The normal form of a puppet: URI is:
puppet:///modules/<MODULE NAME>/<FILE PATH>
This will fetch a file from a module on the Puppet master (or from a local module when using Puppet apply). Given a modulepath of /etc/puppetlabs/code/modules, the example above would resolve to /etc/puppetlabs/code/modules/<MODULE NAME>/files/<FILE PATH>.
This is a puppet parameter and not a managed property. Therefor it is only used during creation of the resource. Changes to this parameter in your manifest, do NOT result in modifications on the system.
Back to overview of mq_certificate
source_label
This is the label of the certificate in the source file.
This is a puppet parameter and not a managed property. Therefor it is only used during creation of the resource. Changes to this parameter in your manifest, do NOT result in modifications on the system.
Back to overview of mq_certificate
source_password
Back to overview of mq_certificate
source_type
The type of certificate to load.
This is a puppet parameter and not a managed property. Therefor it is only used during creation of the resource. Changes to this parameter in your manifest, do NOT result in modifications on the system.
Valid values are cms, kdb, pkcs12, p12, pkcs7, pem, binary, ascii.
Back to overview of mq_certificate
tmp_dir
The tmp directory to put the fetched certificate on..
Back to overview of mq_certificate
trust
Enable or disable trust on certificate.
This is a puppet parameter and not a managed property. Therefor it is only used during creation of the resource. Changes to this parameter in your manifest, do NOT result in modifications on the system.
Back to overview of mq_certificate
x509version
the x509 version to use when creating a self signed certificate.
This is a puppet parameter and not a managed property. Therefor it is only used during creation of the resource. Changes to this parameter in your manifest, do NOT result in modifications on the system.
Valid values are 1, 2, 3.
