merging the OneAccess-Ansible-Playbook and SiteMinder-Ansible-Playbook repositories

OneAccess-Ansible-Playbook/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 Nicolas MASSE
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

OneAccess-Ansible-Playbook/README.md

@@ -0,0 +1,12 @@
+# OneAccess-Ansible-Playbook
+This project is the Ansible Playbook to install CA OneAccess
+
+## Preparation work
+
+1. Edit group_vars/sm and change all passwords and DNS names (search for "changeme")
+2. Edit hosts-sm to target your Virtual Machine
+
+## Installation
+
+1. run {{./aw bootstrap your.vm.hostname}}
+2. run {{./aw sm}}

OneAccess-Ansible-Playbook/ansible.cfg

@@ -0,0 +1,4 @@
+[defaults]
+log_path = ./logs/ansible.log
+filter_plugins = ./local_plugins/filter_plugins
+# ask_sudo_pass = yes

OneAccess-Ansible-Playbook/aw

@@ -0,0 +1,54 @@
+#!/bin/bash
+
+# Set environment variables
+export ANSIBLE_CONFIG="./ansible.cfg"
+
+options=""
+target="$1"
+ssh_key="$HOME/.ssh/id_rsa"
+user="root"
+
+if [ -z "$target" ]; then
+  echo "No target specified. Please specify an inventory or 'bootstrap' !"
+  exit 1
+fi
+
+if [ "$target" == "bootstrap" -o "$target" == "bootstrap-minimal" ]; then
+  if [ -z "$2" ]; then
+    echo "Please specify the target host !"
+    exit 1
+  fi
+  host="$2"
+  echo "Starting $target..."
+  echo
+  echo -n "Please enter the initial $user password: "
+  read -s password
+  echo
+  echo
+  echo "Connecting to $host to register the SSH Host Key !"
+  sshpass -p "$password" ssh -i $ssh_key -o StrictHostKeyChecking=no "$user@$host" /bin/true
+  auth=""
+  if [ -n "$password" ]; then
+    auth="ansible_ssh_pass=$password"
+  else
+    auth="ansible_ssh_private_key_file=$ssh_key"
+  fi
+  echo -e "[$target]\n$2 ansible_ssh_user=$user $auth\n" > "./hosts-$target"
+else
+  shift
+  options="$@"
+fi
+
+if [ ! -f "./hosts-$target" ]; then
+  echo "Invalid target '$target' !"
+  exit 1
+fi
+
+# Export our base directory so that any script launched localy can refer to it
+BASEDIR="$(dirname $0)"
+BASEDIR="$(python -c 'import os.path; import sys; print os.path.abspath(sys.argv[1])' "$BASEDIR")"
+export BASEDIR
+
+ansible-playbook -i "./hosts-$target" $options site.yml
+
+rm -f hosts-bootstrap hosts-bootstrap-minimal # temporary file

OneAccess-Ansible-Playbook/group_vars/all

@@ -0,0 +1,7 @@
+---
+  timezone: Europe/Paris
+  ansible_python_interpreter: /usr/bin/python2
+  ansible_ssh_user: oneaccess
+  ansible_ssh_private_key_file: "{{ lookup('env','HOME') }}/.ssh/id_rsa"
+  ansible_ssh_public_key: "{{ lookup('file', ansible_ssh_private_key_file + '.pub' ) }}"
+  sources_dir: /opt/sources

OneAccess-Ansible-Playbook/group_vars/sm

@@ -0,0 +1,89 @@
+---
+# Console Accounts : root and oneaccess (password = M0g0L1ch)
+
+# JDK
+  java_home: /opt/jdk7
+  java_release: 79
+
+# CA SiteMinder
+  sm_user: smuser
+  sm_home: /home/smuser/CA
+  sm_admin_user: siteminder
+  sm_admin_password: changeme
+  sm_policy_store_port: 40389
+  sm_encryption_key: changeme
+  apache_home: /home/www/httpd
+  wa_user: www
+  wa_home: /home/www/CA
+  wa_public_hostname: idp.apim.ca
+  sm_wamui_hostname: wamui.apim.ca
+  sm_session_store_port: 41389
+
+# CA Directory
+  dx_home: /home/dsa/CA/Directory
+  dx_user: dsa
+  dx_group: etrdir
+  dx_acme_dsa_port: 1389
+
+# Temp dir (used by Arcot products)
+  temp_dir: /root/tmp
+
+# Tomcat
+  tomcat_home: /home/www/tomcat
+  tomcat_user: www
+  tomcat_group: www
+  tomcat_port_prefix: 3
+  tomcat_version: 7.0.64
+
+# Apache
+  httpd_home: /home/www/httpd
+  httpd_user: www
+  httpd_group: www
+  httpd_https_port: 30443
+  httpd_http_port: 30080
+  httpd_certificate_cn: "*.apim.ca"
+  httpd_certificate_password: changeme
+
+# MySQL
+  mysql_root_password: changeme
+  mysql_version: 5.6.27
+
+# SSG
+  ssg_user: layer7
+  ssg_runtime_user: gateway
+  ssg_group: gateway
+  ssg_admin_user: admin
+  ssg_admin_password: changeme
+  ssg_db_user: gateway
+  ssg_db_password: changeme
+  ssg_db_name: ssg
+  ssg_hostname: mag.apim.ca
+  ssg_public_port: 58443
+  ssg_passphrase: changeme
+  ssg_admin_port: 59443
+  ssg_service_port: 58443
+  ssg_mag_port: 50443
+  ssg_ssl_certificate_cn: mag.apim.ca
+  ssg_ssl_certificate_password: changeme
+  ssg_otk_db_name: otk_db
+  ssg_otk_db_user: otk_user
+  ssg_otk_db_password: changeme
+  ssg_mag_public_port: 587
+
+# One Access
+  oneaccess_db_name: oneaccess
+  oneaccess_db_username: oneaccess
+  oneaccess_db_password: changeme
+  oneaccess_static_hostname: static.apim.ca
+  oneaccess_intranet_hostname: intranet.apim.ca
+  oneaccess_public_hostname: oneaccess.apim.ca
+  salesforce_certificate_cn: Salesforce SP Signing Cert
+  salesforce_certificate_password: changeme
+  siteminder_certificate_cn: SiteMinder SAML Signing Cert
+  siteminder_certificate_password: changeme
+  layer7_saml_certificate_cn: Layer7 SAML Signing Cert
+  layer7_saml_certificate_password: changeme
+
+# PKI
+  pki_truststore_password: changeme
+  httpd_pki_hostname: pki.apim.ca

OneAccess-Ansible-Playbook/hosts-sm

@@ -0,0 +1,2 @@
+[sm]
+changeme.apim.ca

OneAccess-Ansible-Playbook/local_plugins/filter_plugins/.gitignore

@@ -0,0 +1,2 @@
+*.pyc
+

OneAccess-Ansible-Playbook/local_plugins/filter_plugins/local.py

@@ -0,0 +1,18 @@
+# (c) 2014, Nicolas MASSE
+#
+
+import re
+from ansible import errors
+
+def regex_replace(s, find, replace):
+    return re.sub(find, replace, s)
+
+class FilterModule(object):
+    ''' Custom Filters '''
+
+    def filters(self):
+        return {
+            # regex
+            'regex_replace': regex_replace,
+        }
+

OneAccess-Ansible-Playbook/logs/.gitignore

@@ -0,0 +1 @@
+*.log

OneAccess-Ansible-Playbook/pki/.gitignore

@@ -0,0 +1 @@
+*.jks

OneAccess-Ansible-Playbook/pki/ca/.gitignore

@@ -0,0 +1,7 @@
+index.txt*
+crlnumber*
+newcerts
+serial*
+*.crl
+*.crt
+*.key

OneAccess-Ansible-Playbook/pki/ca/openssl.cnf

@@ -0,0 +1,56 @@
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+
+[ ca ]
+default_ca	= RootCA
+
+[ RootCA ]
+x509_extensions = ca_ext
+policy		= policy_anything
+dir		= ./ca			# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+crlnumber	= $dir/crlnumber	# The current CRL serial number
+database	= $dir/index.txt	# database index file.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+
+certificate	= $dir/root_ca.crt 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/root_ca.key	# The private key
+default_md	= sha256
+
+
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+[ ca_ext ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always
+basicConstraints = critical,CA:true
+keyUsage = cRLSign, keyCertSign
+
+[ server_ext ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always
+basicConstraints = critical,CA:false
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth,clientAuth
+crlDistributionPoints=URI:http://pki.sp0t.xyz/oneaccess_ca.crl
+
+[ req ]
+x509_extensions = ca_ext
+distinguished_name = req_distinguished_name
+prompt = no
+
+[ req_distinguished_name ]
+C = FR
+O = CA Technologies
+OU = Pre Sales
+CN = OneAccess CA

OneAccess-Ansible-Playbook/pki/cleanup.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -e # Exit immediately if a command exits with a non-zero status.
+
+MYDIR="$(dirname $0)"
+cd "$MYDIR"
+
+rm -rf ca/newcerts/*
+echo "01" > ca/serial
+echo "01" > ca/crlnumber
+echo -n > ca/index.txt
+rm -f ca/root_ca.crt ca/root_ca.crl ca/root_ca.key truststore.jks

OneAccess-Ansible-Playbook/pki/gen_certs.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+SERVER_KEYSIZE="2048"
+SERVER_VALIDITY="740"
+
+set -e # Exit immediately if a command exits with a non-zero status.
+
+MYDIR="$(dirname $0)"
+cd "$MYDIR"
+
+# Parameter validation
+test -n "$BASENAME"
+test -n "$CERT_CN"
+test -n "$OUTDIR"
+test -n "$PASSWORD"
+
+openssl req -new -newkey "rsa:$SERVER_KEYSIZE" -keyout "$OUTDIR/$BASENAME.key" -nodes -out "$OUTDIR/$BASENAME.csr" -subj "/CN=$CERT_CN"
+openssl ca -batch -in "$OUTDIR/$BASENAME.csr" -out "$OUTDIR/$BASENAME.crt" -notext -days "$SERVER_VALIDITY" -config ca/openssl.cnf -name "RootCA" -extensions server_ext
+cat "$OUTDIR/$BASENAME.key" "$OUTDIR/$BASENAME.crt" | openssl pkcs12 -export -out "$OUTDIR/$BASENAME.p12" -passout "pass:$PASSWORD"
+keytool -importkeystore -noprompt -srcalias 1 -srcstorepass "$PASSWORD" -srcstoretype PKCS12 -srckeystore "$OUTDIR/$BASENAME.p12" -destalias "$BASENAME" -deststoretype JKS -deststorepass "$PASSWORD" -destkeystore "$OUTDIR/$BASENAME.jks"
+cp truststore.jks "$OUTDIR/$BASENAME-trust.jks"
+cp ca/root_ca.crt "$OUTDIR/$BASENAME-ca.crt"

OneAccess-Ansible-Playbook/pki/init.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e # Exit immediately if a command exits with a non-zero status.
+
+ROOTCA_KEYSIZE="2048"
+ROOTCA_VALIDITY="7400"
+ROOTCA_CRLVALIDITY="740"
+
+MYDIR="$(dirname $0)"
+cd "$MYDIR"
+
+rm -rf ca/newcerts/*
+echo "01" > ca/serial
+echo "01" > ca/crlnumber
+echo -n > ca/index.txt
+openssl req -new -sha256 -newkey "rsa:$ROOTCA_KEYSIZE" -keyout "ca/root_ca.key" -nodes -out "ca/root_ca.crt" -x509 -days "$ROOTCA_VALIDITY" -set_serial 0 -config ca/openssl.cnf
+openssl ca -batch -md sha256 -gencrl -crldays "$ROOTCA_CRLVALIDITY" -out "ca/root_ca.crl" -config ca/openssl.cnf

OneAccess-Ansible-Playbook/pki/new_selfsigned_cert.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+SERVER_KEYSIZE="2048"
+SERVER_VALIDITY="740"
+
+set -e # Exit immediately if a command exits with a non-zero status.
+
+MYDIR="$(dirname $0)"
+cd "$MYDIR"
+
+# Parameter validation
+test -n "$BASENAME"
+test -n "$CERT_CN"
+test -n "$OUTDIR"
+test -n "$PASSWORD"
+
+openssl req -new -newkey "rsa:$SERVER_KEYSIZE" -keyout "$OUTDIR/$BASENAME.key" -nodes -sha256 -out "$OUTDIR/$BASENAME.crt" -subj "/CN=$CERT_CN" -x509 -set_serial 1 -days 3650 -extensions v3_req -config <(cat <<EOF
+req_extensions = v3_req # The extensions to add to a certificate request
+distinguished_name = req_distinguished_name
+
+[ v3_req ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always
+basicConstraints = critical,CA:false
+keyUsage = critical, digitalSignature, keyEncipherment
+
+[ req_distinguished_name ]
+CN = supplied
+
+EOF) && openssl x509 -noout -text -in "$OUTDIR/$BASENAME.crt"
+
+
+cat "$OUTDIR/$BASENAME.key" "$OUTDIR/$BASENAME.crt" | openssl pkcs12 -export -out "$OUTDIR/$BASENAME.p12" -passout "pass:$PASSWORD"
+
+keytool -importcert -noprompt -trustcacerts -storepass "$PASSWORD" -storetype JKS -keystore "$OUTDIR/$BASENAME-trust.jks" -file "$OUTDIR/$BASENAME.crt" -alias "$BASENAME"
+keytool -list -storetype JKS -storepass "$PASSWORD" -keystore "$OUTDIR/$BASENAME-trust.jks" -rfc
+keytool -importkeystore -noprompt -srcalias 1 -srcstorepass "$PASSWORD" -srcstoretype PKCS12 -srckeystore "$OUTDIR/$BASENAME.p12" -destalias "$BASENAME" -deststoretype JKS -deststorepass "$PASSWORD" -destkeystore "$OUTDIR/$BASENAME.jks"
+keytool -list -storetype JKS -storepass "$OUTDIR/$PASSWORD" -keystore "$OUTDIR/$BASENAME.jks" -rfc

OneAccess-Ansible-Playbook/roles/apache-2.2/files/.gitignore

@@ -0,0 +1,3 @@
+*.tar.gz
+*.zip
+server*

OneAccess-Ansible-Playbook/roles/apache-2.2/tasks/main.yml

@@ -0,0 +1,141 @@
+---
+
+  - name: This module only works on CentOS 6
+    assert:
+      that:
+        - "ansible_os_family == 'RedHat'"
+
+  - name: Create the 'httpd' user
+    user: name={{ httpd_user }} comment="WWW User"
+    tags: user
+
+  - name: Set SSH key for the 'httpd' user
+    authorized_key: user={{ httpd_user }} key="{{ ansible_ssh_public_key }}" manage_dir=yes
+    tags: user
+
+  - name: Install GCC
+    yum: name=gcc state=installed
+    tags: compile
+
+  - name: Install Lynx (used by the apache startup script)
+    yum: name=lynx state=installed
+
+  - name: Install the 64 bits version of glibc-devel
+    yum: name=glibc-devel.x86_64 state=latest
+    tags: compile
+
+  - name: Install the 32 bits version of glibc-devel
+    yum: name=glibc-devel.i686 state=latest
+    tags: compile
+
+  - name: Try to update the 64 bits version of openssl
+    yum: name=openssl.x86_64 state=latest
+    when: "ansible_architecture == 'x86_64'"
+    tags: compile
+
+  - name: Install the 32 bits version of openssl
+    yum: name=openssl.i686 state=installed
+    tags: compile
+
+  - name: Install the 32 bits version of openssl-devel
+    yum: name=openssl-devel.i686 state=installed
+    tags: compile
+
+  - name: Create the home dir for Apache
+    file: path={{ httpd_home }} state=directory
+    sudo_user: "{{ httpd_user }}"
+
+  - name: Create the sources dir for Apache
+    file: path={{ httpd_home }}/src state=directory
+    sudo_user: "{{ httpd_user }}"
+
+  - name: Unarchive the apache distribution
+    unarchive: creates={{ httpd_home }}/src/httpd-2.2.29 src=httpd-2.2.29.tar.gz dest={{ httpd_home }}/src
+    sudo_user: "{{ httpd_user }}"
+
+  - name: ./configure Apache
+    shell: chdir={{ httpd_home }}/src/httpd-2.2.29 LIBS=-lpthread ./configure CFLAGS="-m32" --enable-modules="proxy proxy-http proxy-connect headers rewrite ssl" --prefix={{ httpd_home }}
+    sudo_user: "{{ httpd_user }}"
+    tags: compile
+
+  - name: make && make install Apache
+    shell: chdir={{ httpd_home }}/src/httpd-2.2.29 LIBS=-lpthread make clean && make && make install
+    sudo_user: "{{ httpd_user }}"
+    tags: compile
+
+  - name: Disable the Apache default port
+    lineinfile: dest={{ httpd_home }}/conf/httpd.conf regexp="^Listen " state=absent
+    sudo_user: "{{ httpd_user }}"
+
+  - name: Install the headers CGI
+    template: src=headers dest={{ httpd_home }}/cgi-bin/headers mode=0755
+    sudo_user: "{{ httpd_user }}"
+    tags: www-content
+
+  - name: Install the helloworld CGI
+    template: src=helloworld dest={{ httpd_home }}/cgi-bin/helloworld mode=0755
+    sudo_user: "{{ httpd_user }}"
+    tags: www-content
+
+  - name: Install perl-CGI
+    yum: name=perl-CGI state=installed
+
+  - name: Install perl-libwww-perl
+    yum: name=perl-libwww-perl state=installed
+
+  - name: Install the custom.conf
+    template: src=custom.conf dest={{ httpd_home }}/conf/custom.conf mode=644
+    sudo_user: "{{ httpd_user }}"
+    tags:
+      - config
+      - new
+
+  - name: Source the custom.conf
+    lineinfile: dest={{ httpd_home }}/conf/httpd.conf line="Include {{ httpd_home }}/conf/custom.conf" insertafter="EOF" state=present
+    sudo_user: "{{ httpd_user }}"
+
+  - name: Create the static file structure
+    file: path={{ httpd_home }}/htdocs/{{ item }} state=directory
+    with_items: [ "static", "default", "intranet", "pki" ]
+    sudo_user: "{{ httpd_user }}"
+    tags: www-content
+
+  - name: Install the go-away web page
+    template: src=go-away.html dest={{ httpd_home }}/htdocs/default/index.html
+    sudo_user: "{{ httpd_user }}"
+    tags: www-content
+
+  - name: Run the Certificate Generation script (if requested)
+    local_action: command creates={{ lookup('ENV', 'BASEDIR') }}/roles/apache-2.2/files/server.crt {{ lookup('ENV', 'BASEDIR') }}/pki/gen_certs.sh
+    sudo: false
+    tags: certificate
+    environment:
+      CERT_CN: "{{ httpd_certificate_cn }}"
+      PASSWORD: "{{ httpd_certificate_password }}"
+      BASENAME: "server"
+      OUTDIR: "{{ lookup('ENV', 'BASEDIR') }}/roles/apache-2.2/files/"
+    tags: certificate
+    when: httpd_certificate_cn is defined
+
+  - name: Install the new certificate and private key
+    copy: src={{ item }} dest={{ httpd_home }}/conf/{{ item }}
+    sudo_user: "{{ httpd_user }}"
+    with_items: [ "server.key", "server.crt", "server-ca.crt" ]
+    tags: certificate
+
+  - name: Copy the PKI stuffs - CRL
+    copy: src={{ lookup('ENV', 'BASEDIR') }}/pki/ca/root_ca.crl dest={{ httpd_home }}/htdocs/pki/oneaccess_ca.crl
+    sudo_user: "{{ httpd_user }}"
+    tags: www-content
+
+  - name: Copy the PKI stuffs - RootCA
+    copy: src={{ lookup('ENV', 'BASEDIR') }}/pki/ca/root_ca.crt dest={{ httpd_home }}/htdocs/pki/oneaccess_ca.crt
+    sudo_user: "{{ httpd_user }}"
+    tags: www-content
+
+  - name: Copy the favicon.ico
+    copy: src=favicon.ico dest={{ httpd_home }}/htdocs/static/favicon.ico
+    sudo_user: "{{ httpd_user }}"
+    tags:
+      - www-content
+

OneAccess-Ansible-Playbook/roles/apache-2.2/templates/custom.conf

@@ -0,0 +1,144 @@
+Listen {{ httpd_http_port }}
+Listen {{ httpd_https_port }}
+
+NameVirtualHost *:{{ httpd_http_port }}
+NameVirtualHost *:{{ httpd_https_port }}
+
+ServerAdmin none.of@your.business
+ServerTokens prod
+ServerSignature Off
+
+SSLPassPhraseDialog  builtin
+SSLSessionCache        "shmcb:{{ httpd_home }}/logs/ssl_scache(512000)"
+SSLSessionCacheTimeout  300
+SSLMutex  "file:{{ httpd_home }}/logs/ssl_mutex"
+SSLProtocol all -SSLv2 -SSLv3
+SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+SSLHonorCipherOrder on
+SSLCertificateFile "{{ httpd_home }}/conf/server.crt"
+SSLCertificateKeyFile "{{ httpd_home }}/conf/server.key"
+SSLCertificateChainFile "{{ httpd_home }}/conf/server-ca.crt"
+
+CustomLog "{{ httpd_home }}/logs/ssl_request_log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+CustomLog "/home/www/httpd/logs/access_full_log" "%t %v %h %u \"%r\" %>s %b (origin=%{HTTP_SM_ORIGIN}e)"
+
+# The favicon is available on all Virtual Hosts
+Alias /favicon.ico {{ httpd_home }}/htdocs/static/favicon.ico
+
+# The default virtual hosts have to be declared first when using Named VirtualHosts
+<VirtualHost *:{{ httpd_https_port }}>
+  ServerName dummyhost.dummydomain
+  DocumentRoot {{ httpd_home }}/htdocs/default/
+  SSLEngine on
+</VirtualHost>
+
+<VirtualHost *:{{ httpd_http_port }}>
+  ServerName dummyhost.dummydomain
+  DocumentRoot {{ httpd_home }}/htdocs/default/
+</VirtualHost>
+
+
+# Reverse Proxy the WAM UI
+<VirtualHost *:{{ httpd_https_port }}>
+  ServerName {{ sm_wamui_hostname }}
+  SSLEngine on
+
+  # Proxy all requests under / to the WAMUI
+  ProxyPreserveHost On
+  ProxyRequests off
+  SSLProxyEngine on
+  SSLProxyVerify none
+  ProxyPass / https://localhost:48443/
+  ProxyPassReverse / https://localhost:48443/
+
+  # Redirect the root url to the WAMUI Login Page
+  RewriteEngine On
+  RewriteRule ^/$ /iam/siteminder/adminui/ [R=301]
+</VirtualHost>
+
+# Reverse Proxy the Layer7 Web Pages
+<VirtualHost *:{{ httpd_https_port }}>
+  ServerName {{ ssg_hostname }}
+  SSLEngine on
+
+  # Proxy all requests under / to Layer7
+  ProxyPreserveHost On
+  ProxyRequests off
+  SSLProxyEngine on
+  SSLProxyVerify none
+  ProxyPass / https://localhost:{{ ssg_service_port }}/
+</VirtualHost>
+
+# Reverse Proxy the SiteMinder Federation
+<VirtualHost *:{{ httpd_https_port }}>
+  ServerName {{ wa_public_hostname }}
+  SSLEngine on
+
+  # Proxy all requests under /affwebservices to Tomcat
+  ProxyPreserveHost On
+  ProxyRequests off
+  ProxyPass /affwebservices http://localhost:{{ tomcat_port_prefix }}8080/affwebservices
+  ProxyPassReverse /affwebservices http://localhost:{{ tomcat_port_prefix }}8080/affwebservices
+</VirtualHost>
+
+# Reverse Proxy OneAccess personalization engine
+<VirtualHost *:{{ httpd_https_port }}>
+  ServerName {{ oneaccess_public_hostname }}
+  SSLEngine on
+
+  # Proxy all requests under /oneaccess to Tomcat
+  ProxyPreserveHost On
+  ProxyRequests off
+  ProxyPass /oneaccess/ http://localhost:{{ tomcat_port_prefix }}8080/oneaccess/
+  ProxyPassReverse /oneaccess/ http://localhost:{{ tomcat_port_prefix }}8080/oneaccess/
+
+  # Handle Redirections / Proxy
+  SSLProxyEngine on
+  SSLProxyVerify none
+  RewriteEngine on
+
+  # Proxy the /userinfo requests to Layer7
+  RewriteRule ^/userinfo$ https://{{ ssg_hostname }}:{{ ssg_service_port }}/oneaccessweb/userinfo [P]
+
+  # If the sm_origin header is not present, loopback the request so that we can have it
+  RewriteCond %{HTTP:OneAccess-Origin} ^$
+  RewriteRule ^/oneaccess/personalization/(env=.*)?$ https://{{ oneaccess_public_hostname }}:{{ httpd_https_port }}/oneaccess/personalization/ [P]
+
+  # Once we have the sm_origin header, proxy the request to the correct location
+  RewriteCond %{HTTP:OneAccess-Origin} ^external$
+  RewriteRule ^/oneaccess/personalization/$ https://{{ oneaccess_public_hostname }}:{{ httpd_https_port }}/oneaccess/personalization/env=ex [P]
+  RewriteCond %{HTTP:OneAccess-Origin} ^internal$
+  RewriteRule ^/oneaccess/personalization/$ https://{{ oneaccess_public_hostname }}:{{ httpd_https_port }}/oneaccess/personalization/env=in [P]
+
+  # Redirect the root url to the Personalization WebApp
+  RewriteRule ^/$ /oneaccess/personalization/ [R=301]
+</VirtualHost>
+
+# Static files
+<VirtualHost *:{{ httpd_https_port }} *:{{ httpd_http_port }}>
+  ServerName {{ oneaccess_static_hostname }}
+  DocumentRoot {{ httpd_home }}/htdocs/static/
+
+  # The static files can be accessed from any location
+  Header set Access-Control-Allow-Origin "*"
+</VirtualHost>
+
+# Intranet
+<VirtualHost *:{{ httpd_https_port }}>
+  ServerName {{ oneaccess_intranet_hostname }}
+  DocumentRoot {{ httpd_home }}/htdocs/intranet/
+
+  # Redirect every url to the Hello World CGI
+  RewriteEngine On
+  RewriteRule ^/$ https://{{ oneaccess_intranet_hostname }}/cgi-bin/helloworld [R=301,L]
+</VirtualHost>
+
+# PKI stuff
+<VirtualHost *:{{ httpd_https_port }} *:{{ httpd_http_port }}>
+  ServerName {{ httpd_pki_hostname }}
+  DocumentRoot {{ httpd_home }}/htdocs/pki/
+
+  AddType application/x-x509-ca-cert .crt
+  AddType application/x-pkcs7-crl    .crl
+  AddType application/x-apple-aspen-config .mobileconfig
+</VirtualHost>

OneAccess-Ansible-Playbook/roles/apache-2.2/templates/go-away.html

@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Go Away !</title>
+</head>
+<body>
+  <h1>Go Away !</h1>
+</body>
+</html>

OneAccess-Ansible-Playbook/roles/apache-2.2/templates/headers

@@ -0,0 +1,14 @@
+#!/usr/bin/perl --
+use strict;
+use warnings;
+use CGI;
+
+my $q = CGI->new;
+my %headers = map { $_ => $q->http($_) } $q->http();
+
+print $q->header('text/html');
+print "<html><body><pre>\n";
+for my $header ( sort keys %headers ) {
+    print "$header: $headers{$header}\n";
+}
+print "</pre></body></html>\n";

OneAccess-Ansible-Playbook/roles/apache-2.2/templates/helloworld

@@ -0,0 +1,12 @@
+#!/usr/bin/perl --
+use strict;
+use warnings;
+use CGI;
+
+my $q = CGI->new;
+my %headers = map { $_ => $q->http($_) } $q->http();
+
+print $q->header('text/html; charset=UTF-8');
+print "<html><head><title>SiteMinder Hello World</title></head><body><h1>\n";
+print "Welcome " . ($headers{'HTTP_SM_USER_COMMON_NAME'} || "unknown user") . " !";
+print "</h1></body></html>\n";

OneAccess-Ansible-Playbook/roles/backup/tasks/main.yml

@@ -0,0 +1,27 @@
+---
+
+  - name: Export the MySQL databases
+    mysql_db: state=dump name="{{ item }}" target="/tmp/{{ item }}.sql.bz2" login_password="{{ mysql_root_password }}" login_user=root
+    with_items: [ "{{ ssg_db_name }}", "{{ ssg_otk_db_name }}", "{{ oneaccess_db_name }}" ]
+    tags: backup
+
+  - name: Dump all DSA
+    command: /bin/sh -l -c 'dxserver stop {{ item }} && dxdumpdb -f /tmp/{{ item }}.ldif {{ item }}; rc="$?"; dxserver start {{ item }}; exit "$rc"'
+    sudo_user: "{{ dx_user }}"
+    with_items: [ "ACMEUsers", "SiteMinderPS", "SiteMinderSS" ]
+    tags: backup
+
+  - name: Compress ldif files
+    command: bzip2 -f /tmp/{{ item }}.ldif
+    with_items: [ "ACMEUsers", "SiteMinderPS", "SiteMinderSS" ]
+    tags: backup
+
+  - name: Retrieve backups
+    fetch: src=/tmp/{{ item }} flat=yes dest={{ lookup('env', 'BASEDIR') + "/backup/" + ansible_date_time.date }}/ fail_on_missing=yes
+    with_items: [ "{{ ssg_db_name }}.sql.bz2", "{{ ssg_otk_db_name }}.sql.bz2", "{{ oneaccess_db_name }}.sql.bz2", "ACMEUsers.ldif.bz2", "SiteMinderPS.ldif.bz2", "SiteMinderSS.ldif.bz2" ]
+    tags: backup
+
+  - name: Remove temporary files
+    file: path="/tmp/{{ item }}" state=absent
+    with_items: [ "{{ ssg_db_name }}.sql.bz2", "{{ ssg_otk_db_name }}.sql.bz2", "{{ oneaccess_db_name }}.sql.bz2", "ACMEUsers.ldif.bz2", "SiteMinderPS.ldif.bz2", "SiteMinderSS.ldif.bz2" ]
+    tags: backup

OneAccess-Ansible-Playbook/roles/base/handlers/main.yml

@@ -0,0 +1,9 @@
+---
+
+  - name: restart sshd
+    service: name=sshd state=reloaded
+
+  - name: update hostname
+    command: hostname {{ shortname }}
+
+ 

OneAccess-Ansible-Playbook/roles/base/tasks/main.yml

@@ -0,0 +1,124 @@
+---
+  - name: Disable SELinux
+    lineinfile: dest="/etc/selinux/config" line="SELINUX=disabled" regexp="^SELINUX=.*" state=present
+    register: selinux
+    tags: selinux
+
+  - name: Reboot is needed to effectively disable SELinux !
+    command: /bin/false
+    when: selinux.changed
+    tags: selinux
+
+  - name: Install the 32 bits library (if needed)
+    yum: name=glibc.i686 state=installed
+    when: "ansible_architecture == 'x86_64'"
+
+  - name: Tell SSHD not to use DNS
+    lineinfile: dest=/etc/ssh/sshd_config regexp="^#* *UseDNS +" line="UseDNS no"
+    notify: restart sshd
+    tags: config
+
+  - name: Tell SSHD to forbid root accesses
+    lineinfile: dest=/etc/ssh/sshd_config regexp="^#* *PermitRootLogin +" line="PermitRootLogin no"
+    notify: restart sshd
+    tags: config
+
+  - name: Tell SSHD to forbid password accesses
+    lineinfile: dest=/etc/ssh/sshd_config regexp="^#* *PasswordAuthentication +" line="PasswordAuthentication no"
+    notify: restart sshd
+    tags: config
+
+  - name: Install VIM
+    yum: name=vim-enhanced state=installed
+
+  - name: Install Screen
+    yum: name=screen state=installed
+
+  - name: Install OpenLDAP clients
+    yum: name=openldap-clients state=installed
+
+  - name: Install unzip
+    yum: name=unzip state=installed
+
+  - name: Install tcpdump
+    yum: name=tcpdump state=installed
+
+  - name: Install telnet
+    yum: name=telnet state=installed
+
+  - name: Install strace
+    yum: name=strace state=installed
+
+  - name: Install man-pages
+    yum: name=man-pages state=installed
+
+  - name: Install man
+    yum: name=man state=installed
+
+  - name: Install iptraf
+    yum: name=iptraf state=installed
+
+  - name: Install wget
+    yum: name=wget state=installed
+
+  - name: Compute short hostname
+    set_fact:
+      shortname: "{{ inventory_hostname | regex_replace('([^.]+)\\..*', '\\\\1') }}"
+    tags: config
+
+  - name: Persist the hostname
+    lineinfile: dest=/etc/sysconfig/network regexp="^HOSTNAME=" line="HOSTNAME={{ shortname }}"
+    notify: update hostname
+    tags: config
+
+  - name: Edit /etc/hosts
+    template: src=etc_hosts dest=/etc/hosts owner=root group=root mode=0644
+    tags: config
+
+  - name: Ensure consistent locale across systems (1/2)
+    lineinfile: dest=/etc/sysconfig/i18n regexp="^LANG=" line="LANG=en_US.utf8"
+
+  - name: Ensure consistent locale across systems (2/2)
+    lineinfile: dest=/etc/sysconfig/i18n line="LC_CTYPE=en_US.utf8"
+
+  - name: Install createrepo
+    yum: name=createrepo state=installed
+
+  - name: Create the "sources" dir in /opt
+    file: dest={{ sources_dir }} state=directory
+
+  - name: Create the "rpms" dir in /opt/sources
+    file: dest={{ sources_dir }}/rpms state=directory
+    register: rpmsdir
+
+  - name: Initialize the RPM repository
+    command: createrepo {{ sources_dir }}/rpms
+    when: rpmsdir.changed
+
+  - name: Install the RPM repository in yum config
+    template: src=local.repo dest=/etc/yum.repos.d/local.repo
+
+  - name: Install the OpenSSH clients
+    yum: name=openssh-clients state=installed
+
+  - name: Configure all network interfaces with the same config
+    template: src=ifcfg-ethX dest=/etc/sysconfig/network-scripts/ifcfg-{{ item }}
+    with_items:
+      - eth0
+      - eth1
+      - eth2
+      - eth3
+      - eth4
+      - eth5
+      - eth6
+      - eth7
+      - eth8
+      - eth9
+    tags: config
+
+  - name: Install the custom banner script
+    template: src=rc.local dest=/usr/local/etc/rc.local mode=0755
+    tags: config
+
+  - name: Run the custom banner script at startup
+    lineinfile: dest=/etc/rc.d/rc.local line="/usr/local/etc/rc.local" state=present insertafter=EOF

OneAccess-Ansible-Playbook/roles/base/templates/etc_hostname

@@ -0,0 +1 @@
+{{ shortname }}

OneAccess-Ansible-Playbook/roles/base/templates/etc_hosts

@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+#
+# /etc/hosts: static lookup table for host names
+#
+
+#<ip-address>	<hostname.domain.org>	<hostname>
+127.0.0.1	{{ inventory_hostname }} {{ shortname }} localhost.localdomain	localhost {{ oneaccess_static_hostname }} {{ ssg_hostname }} {{ oneaccess_public_hostname }} {{ wa_public_hostname }} {{ sm_wamui_hostname }}
+::1		localhost.localdomain	localhost
+
+# End of file

OneAccess-Ansible-Playbook/roles/base/templates/ifcfg-ethX

@@ -0,0 +1,15 @@
+DEVICE={{ item }}
+TYPE=Ethernet
+ONBOOT=yes
+BOOTPROTO=dhcp
+USERCTL=no
+PEERDNS=yes
+IPV6INIT=no
+DHCP_HOSTNAME={{ shortname }}
+
+## Static configuration sample.
+## Gateway to be configured in /etc/sysconfig/network.
+##
+# BOOTPROTO=static
+# IPADDR=192.168.38.179
+# NETMASK=255.255.255.0

OneAccess-Ansible-Playbook/roles/base/templates/local.repo

@@ -0,0 +1,5 @@
+[localrepo]
+name=Demo Local Repository
+baseurl=file://{{ sources_dir }}/rpms
+enabled=1
+gpgcheck=0

OneAccess-Ansible-Playbook/roles/base/templates/rc.local

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+sed -ri 's/^(eth[0-9]: .*|)$//g; T; d' /etc/issue
+echo >> /etc/issue
+ip addr show scope global |sed -r 's/^.*inet ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\/[0-9]+ brd .* (eth[0-9])$/\2: \1/g; t; d' >> /etc/issue
+echo >> /etc/issue

OneAccess-Ansible-Playbook/roles/bootstrap/tasks/main.yml

@@ -0,0 +1,28 @@
+---
+
+ - name: Create user OneAccess
+   user: name=oneaccess group=users groups=users,wheel state=present comment="OneAccess privileged user" password="*"
+   sudo_user: root
+   tags:
+     - bootstrap
+     - user
+
+ - name: Set SSH key for root
+   authorized_key: user=root key="{{ ansible_ssh_public_key }}" manage_dir=yes
+   sudo_user: root
+   tags:
+     - bootstrap
+     - user
+
+ - name: Set SSH key for user OneAccess
+   authorized_key: user=oneaccess key="{{ ansible_ssh_public_key }}" manage_dir=yes
+   sudo_user: root
+   tags:
+     - bootstrap
+     - user
+
+ - name: Configure SUDO
+   template: src=sudoers dest=/etc/sudoers owner=root group=root mode=0440 validate="/usr/sbin/visudo -cf %s"
+   tags:
+     - bootstrap
+     - config

OneAccess-Ansible-Playbook/roles/bootstrap/templates/sudoers

@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+%wheel ALL=(ALL) NOPASSWD: ALL
+root ALL=(ALL) NOPASSWD: ALL

OneAccess-Ansible-Playbook/roles/ca-directory/files/.gitignore

@@ -0,0 +1 @@
+*.tgz

OneAccess-Ansible-Playbook/roles/ca-directory/files/sample.ldif

@@ -0,0 +1,47 @@
+dn: o=OneAccess
+objectClass: organization
+objectClass: top
+description: OneAccess
+o: OneAccess
+
+dn: ou=Groups,o=OneAccess
+objectClass: organizationalUnit
+ou: Groups
+description: OneAccess Groups
+
+dn: ou=Users,o=OneAccess
+objectClass: organizationalUnit
+ou: Users
+description: OneAccess Users
+
+dn: uid=nmasse,ou=Users,o=OneAccess
+objectClass: person
+objectClass: inetOrgPerson
+objectClass: top
+uid: nmasse
+userpassword: changeme
+givenname: Nicolas
+cn: Nicolas Massé
+sn: Massé
+mail: nmasse@changeme.test
+title: Sr Consultant, Presales
+jpegPhoto;binary:: /9j/4AAQSkZJRgABAQEAyADIAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCABgAEADASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwD3+iiigApKp6tqtro2my314zCGPsoyzE9AB3NcbH8W/D+H8+K6iZT93arfyPFK6Q0mzvqK47TPid4a1GQRm5ktmY4HnpgH8RkD8a6+ORJo1kidXRhlWU5BHsaLg00OoopaYgqC9vIbCxnu522xQoXY+wqeuL+Js6r4bitixBubhY8A43Dmk3ZXHFXdjzzxPP4r8WQRX8MEi2crkxW4b7qdjjvn1rmU+H3iNkEjQsDnON4z/OvXY5FHlovypGAgHYADFWml4JDCub2jPRVCNlc8QHgvxBBcI0u5VBxksOK7LwX4pvvCOtR6XqsudNn5UA5WMk8svcc9RW/fvvcgtx7V5x4xuEDxynO6KT5cUQqNyJq0YRjdH00rK6BlIKsMgjoRS1y3w71c6z4KsZ2B3RqYSezbeAfyxXU11HnsK4b4hRefeeHoWI8trtiwPfAz/Su5rE8Taf8AbLOCdRl7SXzR9MEH+efwpS2Lh8SPHfEWp6+LmWGxhnRM4QrtUYz1y3X8Kv2s+uweHLme6I+0RqNgJ5atmTWIYkxKgdwcKMd6wdV8T29pbXVvcWt35jc7hGdpPse9ce+h63Jy6tnKzXfiW3lEty0zRuM/I6nb+B5NVtft7i60uWS5G2VCHDYwD+Fdvpeu28mmoJIwXX7pdefrWReTx6s9xFMcIIm5HY44qo7mVSnaLdzvfgtcmTwjNbEn9xPgLjplQetek1yPw40CXQPCUKXKbLq5Y3Eq/wB3IAC/goH45rrq6lsebNJSsgproskbIwyrDBHtTqKZJ41eac8OqXVsXEVzE5VXZdwx2OPyrH1Br9UaN9QiJIwMw9/zr0jx3YQhIdQiIS6HyMf7y9s1wL67cbCn2aMnu2a5ZRcXoelSrKUdTGtILkNJNe3ETwgfKqx7ST9a1/BFtby+K7cXKgxM5IBHBxzz7ZwPxrDvrxncSXUoznCxoOSfQe9dL4f06aE+e42zvjgfwDsP61VOLbuZVqitZHtlFZ+m34ubaMSnEwXDZGNx9av10HEDMFXJOAKrm4LsVQYx3NRajN5apGDgsck+1Z9z5giLRN8xH5U0MzPFbC50qQq+75lwR3H+TXkGoW08LssW7LHAA5ya9Wmmmt4ltrlPMtnO1iB8yA96y0tUsHmnKATo5XzO4x/d+vXNZTjdm0JJRZy3hbwPcxXA1LVQTcY/dQt/yz9z7/yru44YLKWGFgHuJD8kQ6/7x9BVAeIdQggZm0+NyT8shzn8QOtXNCa5vb97+8jxMVCAhNowOnFXFJaIzd27s6eG3VUG3ketXYZmVgjfMCcD2qiGKncDj3qxFIHkTs2RVk2KesB5rpUjzlVFRRu8aeXLgntVm4dhqM4Ckj5RkD2qnKH3Y2tx7UCE2+Y3ABJ9aonTZDc+bdSK/dVUYArSt0c7m2Nxx0prK7yE7G/KgCJYkxyowKsIABnoopqxSE/cb8qNrufusI19utAx5kwN56DoKkglG4Of4SPzqk8jTSKiowA5xilj3gISrDJ3dKAZ/9k=
+telephoneNumber: +33123456789
+
+dn: cn=Admins,ou=Groups,o=OneAccess
+objectclass: groupofnames
+cn: Admins
+description: IT Admins group
+member: uid=nmasse,ou=Users,o=OneAccess
+
+dn: cn=Salesforce Users,ou=Groups,o=OneAccess
+objectclass: groupofnames
+cn: Salesforce Users
+description: Salesforce Users
+member: uid=nmasse,ou=Users,o=OneAccess
+
+dn: cn=Intranet Users,ou=Groups,o=OneAccess
+objectclass: groupofnames
+cn: Intranet Users
+description: Intranet Users
+member: uid=nmasse,ou=Users,o=OneAccess

OneAccess-Ansible-Playbook/roles/ca-directory/tasks/main.yml

@@ -0,0 +1,74 @@
+---
+
+ - name: Install TCSH
+   yum: name=tcsh state=installed
+
+ - name: Install AT
+   yum: name=at state=installed
+
+ - name: Create the CA Directory source folder
+   file: path={{ sources_dir }}/ca-directory state=directory
+
+ - name: Extract the installation materials
+   unarchive: creates={{ sources_dir }}/ca-directory/linux_x86 src=cadir-12.0sp4.tgz dest={{ sources_dir }}/ca-directory
+
+ - name: Copy the unattended response file
+   template: src=ca-dir.resp dest={{ sources_dir }}/ca-directory/responsefile.txt
+
+ - name: Install CA Directory
+   command: chdir={{ sources_dir }}/ca-directory/linux_x86/dxserver/install creates={{ dx_home }}/dxserver {{ sources_dir }}/ca-directory/linux_x86/dxserver/install/dxsetup.sh -responsefile {{ sources_dir }}/ca-directory/responsefile.txt -silent
+
+ - name: Copy missing .dxcshrc file (TODO why is it missing ?)
+   template: src=dxcshrc dest={{ dx_home }}/dxserver/install/.dxcshrc
+   sudo_user: "{{ dx_user }}"
+
+ - name: Copy missing .dxprofile file (TODO why is it missing ?)
+   template: src=dxprofile dest={{ dx_home }}/dxserver/install/.dxprofile
+   sudo_user: "{{ dx_user }}"
+
+ - name: Fix symlinks in dxserver/bin (TODO why ?)
+   file: path={{ dx_home }}/dxserver/bin/{{ item }} src={{ item }}64
+   sudo_user: "{{ dx_user }}"
+   with_items: [ "dxserver", "dxloaddb", "dxdumpdb" ]
+
+ - name: Set SSH key for dxuser
+   authorized_key: user={{ dx_user }} key="{{ ansible_ssh_public_key }}" manage_dir=yes
+   tags: user
+
+ - name: Create the ACME datastore
+   command: creates="{{ dx_home }}/dxserver/config/servers/ACMEUsers.dxi" /bin/sh -l -c "dxnewdsa ACMEUsers {{ dx_acme_dsa_port }}"
+   sudo_user: "{{ dx_user }}"
+
+ - name: Copy the LDIF file into the sources dir
+   copy: src=sample.ldif dest={{ sources_dir }}/sample.ldif
+   tags: userstore
+
+ - name: Bind ACME DSA on 127.0.0.1 only
+   lineinfile: dest="{{ dx_home }}/dxserver/config/knowledge/ACMEUsers.dxc" line='    address       = tcp "127.0.0.1" port \1' regexp='^\s*address\s*=\s*tcp\s*"[^"]*"\s*port\s*([0-9]+)' backrefs=yes
+   sudo_user: "{{ dx_user }}"
+   tags: config
+
+ - name: Bind ACME DSA on 127.0.0.1 only
+   lineinfile: dest="{{ dx_home }}/dxserver/config/knowledge/ACMEUsers.dxc" line='    bind-address  = "127.0.0.1"' insertafter="^\s*address\s*=" regexp='^\s*bind-address\s*='
+   sudo_user: "{{ dx_user }}"
+   tags: config
+
+ - name: Stop the ACME DSA
+   command: /bin/sh -l -c "dxserver stop ACMEUsers"
+   sudo_user: "{{ dx_user }}"
+   tags: userstore
+
+ - name: Load the LDIF into the ACME datastore
+   command: /bin/sh -l -c "dxloaddb ACMEUsers {{ sources_dir }}/sample.ldif"
+   sudo_user: "{{ dx_user }}"
+   tags: userstore
+
+ - name: Flag the ACME DSA as "autostart"
+   file: path={{ dx_home }}/dxserver/config/autostart/ACMEUsers state=touch
+   sudo_user: "{{ dx_user }}"
+   tags: config
+
+ - name: Start the ACME DSA
+   command: /bin/sh -l -c "dxserver start ACMEUsers"
+   sudo_user: "{{ dx_user }}"
+   tags: userstore

OneAccess-Ansible-Playbook/roles/ca-directory/templates/ca-dir-mgt.resp

@@ -0,0 +1,35 @@
+# ==================================
+#   CA Directory Response File
+# ==================================
+# This response file is used to provide the default responses to dxsetup
+# for all installations.
+#
+# The current defaults conform to CA installation standards so these should
+# be taken into account when making modifications.
+#
+# Ensure the variable names being set are not changed and that this file
+# is Bourne Shell compatible.
+#
+
+INSTUSER=root
+ETDIRHOME="{{ dx_home }}"
+
+INSTALLDXWEBSERVER=y
+INSTALLDXMANAGER=y
+INSTALLDOC=y
+
+DXHOME="{{ dx_home }}/dxserver"
+DXWEBHOME="{{ dx_home }}/dxwebserver"
+JAVA_LOC="{{ java_home }}/jre/bin/java"
+
+DEFAULT_DXUSER={{ dx_user }}
+DXSHELL=/bin/csh
+DXGROUP={{ dx_group }}
+
+DXWEBSERVER_CONNECT_PORT=8080
+DXWEBSERVER_SECURE_PORT=8443
+DXWEBSERVER_SHUTDOWN_PORT=8005
+
+# This one seems to be hardcoded
+DXMANAGERUSER={{ dxmanager_user }}
+DXMANAGERPASS={{ dxmanager_password }}

OneAccess-Ansible-Playbook/roles/ca-directory/templates/ca-dir.resp

@@ -0,0 +1,38 @@
+# ==============================
+#   CA Directory Response File
+# ==============================
+# r12 build 9119
+# Thu Jul 17 17:14:09 CEST 2014
+
+# User parameters
+INSTUSER=root
+DXUSER={{ dx_user }}
+DXSHELL=/bin/csh
+DXUID=
+DXGROUP={{ dx_group }}
+DXGID=
+
+# Install parameters
+INSTALLDX=y
+INSTALLDOC=y
+INSTALLDXA=n
+RUN64BIT=n
+SETUID=n
+
+# Location parameters
+ETDIRHOME={{ dx_home }}
+DXHOME={{ dx_home }}/dxserver
+DXGRIDLOC=
+DOCHOME={{ dx_home }}/doc
+
+# DXadmind parameters
+DXMANAGERHOST=
+DXADMINDPORT=
+DXADMINDPASS=
+
+# Upgrade parameters
+BACKUPBIN=
+BACKUPLOC=
+BACKUPDBS=
+RESTARTDSAS=
+LDIFLOC=

OneAccess-Ansible-Playbook/roles/ca-directory/templates/dxcshrc

@@ -0,0 +1,18 @@
+umask 027
+setenv DXHOME {{ dx_home }}/dxserver
+set path = ( $DXHOME/bin $path )
+if ( ! $?LD_LIBRARY_PATH ) then
+    setenv LD_LIBRARY_PATH $DXHOME/bin
+else
+    setenv LD_LIBRARY_PATH $DXHOME/bin:${LD_LIBRARY_PATH}
+endif
+set filec
+
+if !($?LD_LIBRARY_PATH) then
+    setenv LD_LIBRARY_PATH {{ java_home }}/lib/i386/native_threads
+else
+    if ( "`echo LD_LIBRARY_PATH | grep {{ java_home }}`" == "" ) then
+        setenv LD_LIBRARY_PATH ${LD_LIBRARY_PATH}:{{ java_home }}/lib/i386/native_threads
+    endif
+endif
+setenv POSIXLY_CORRECT 1

OneAccess-Ansible-Playbook/roles/ca-directory/templates/dxprofile

@@ -0,0 +1,23 @@
+umask 027
+DXHOME={{ dx_home }}/dxserver
+PATH=$DXHOME/bin:${PATH}
+LD_LIBRARY_PATH=$DXHOME/bin:$LD_LIBRARY_PATH
+export DXHOME PATH LD_LIBRARY_PATH
+
+if [ -z "$LD_LIBRARY_PATH" ]; then
+    LD_LIBRARY_PATH={{ java_home }}/lib/i386/native_threads
+else
+    LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:{{ java_home }}/lib/i386/native_threads
+fi
+export LD_LIBRARY_PATH
+POSIXLY_CORRECT=1
+export POSIXLY_CORRECT
+
+# CA Shared Components
+if [ -f /etc/profile.CA ]; then
+    . /etc/profile.CA
+    if [ ! -z $CALIB ]; then
+        LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:${CALIB}
+        export LD_LIBRARY_PATH
+    fi
+fi

OneAccess-Ansible-Playbook/roles/iptables/tasks/main.yml

@@ -0,0 +1,15 @@
+---
+
+  - name: This module only works on CentOS 6 x86
+    assert:
+      that:
+        - "ansible_os_family == 'RedHat'"
+
+  - name: Set the iptables rules
+    template: dest=/etc/sysconfig/iptables src=iptables-rules
+    tags: iptables
+
+  - name: Make sure iptables is enabled
+    service: name=iptables state=restarted enabled=yes
+    tags: iptables
+    

OneAccess-Ansible-Playbook/roles/iptables/templates/iptables-rules

@@ -0,0 +1,24 @@
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports {{ httpd_https_port }}
+-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports {{ httpd_http_port }}
+-A PREROUTING -p tcp -m tcp --dport {{ ssg_mag_public_port }} -j REDIRECT --to-ports {{ ssg_mag_port }}
+COMMIT
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport {{ httpd_https_port }} -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport {{ httpd_http_port }} -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport {{ ssg_admin_port }} -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport {{ ssg_service_port }} -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport {{ ssg_mag_port }} -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT

OneAccess-Ansible-Playbook/roles/java-7/files/.gitignore

@@ -0,0 +1,4 @@
+*.rpm
+*.tar.gz
+*.jar
+

OneAccess-Ansible-Playbook/roles/java-7/tasks/main.yml

@@ -0,0 +1,30 @@
+---
+
+  - name: This module only works on RHEL/CentOS
+    assert:
+      that:
+        - "ansible_os_family == 'RedHat'"
+
+  - name: Download the Oracle JDK 7 archive
+    command: creates={{ sources_dir }}/jdk-7u{{ java_release }}-linux-i586.tar.gz wget -c --no-check-certificate --no-cookies --header "Cookie:oraclelicense=accept-securebackup-cookie"  http://download.oracle.com/otn-pub/java/jdk/7u{{ java_release }}-b15/jdk-7u{{ java_release }}-linux-i586.tar.gz -O {{ sources_dir }}/jdk-7u{{ java_release }}-linux-i586.tar.gz
+
+  - name: Extract the Oracle JDK 7 archive
+    unarchive: creates=/opt/jdk1.7.0_{{ java_release }} src={{ sources_dir }}/jdk-7u{{ java_release }}-linux-i586.tar.gz dest=/opt copy=no
+    register: java
+
+  - name: Link it to $JAVA_HOME
+    file: dest={{ java_home }} src=/opt/jdk1.7.0_{{ java_release }} state=link
+
+  - name: Update alternatives
+    command: /usr/sbin/update-alternatives --install /usr/bin/java java {{ java_home }}/bin/java 9999 --slave /usr/bin/keytool keytool {{ java_home }}/bin/keytool --slave /usr/bin/rmiregistry rmiregistry {{ java_home }}/bin/rmiregistry
+    when: java.changed
+
+  - name: Set JAVA_HOME
+    lineinfile: line="JAVA_HOME={{ java_home }}" state=present dest=/etc/profile.d/jdk7.sh create=yes
+
+  - name: Set /opt/jdk7 into PATH
+    lineinfile: line='PATH="{{ java_home }}/bin:$PATH"' dest=/etc/profile.d/jdk7.sh state=present
+
+  - name: Install JCE Unlimited strength policy files
+    copy: src={{ item }} dest={{ java_home }}/jre/lib/security/{{ item }}
+    with_items: [ 'local_policy.jar', 'US_export_policy.jar' ]

OneAccess-Ansible-Playbook/roles/mysql-ee-5.6/files/.gitignore

@@ -0,0 +1,2 @@
+*.rpm
+*.jar

OneAccess-Ansible-Playbook/roles/mysql-ee-5.6/tasks/main.yml

@@ -0,0 +1,64 @@
+---
+
+  - name: This module only works on CentOS 6
+    assert:
+      that:
+        - "ansible_os_family == 'RedHat'"
+
+  - name: Install libaio
+    yum: name=libaio state=installed
+
+  - name: Be sure to remove any conflicting RPM before installing MySQL
+    yum: name=mysql-libs state=absent
+
+  - name: Copy the MySQL Enterprise Edition 5.6 installation package
+    copy: src={{ item }} dest={{ sources_dir }}/rpms
+    with_items: [ 'MySQL-server-advanced-{{ mysql_version }}-1.el6.i686.rpm', 'MySQL-shared-advanced-{{ mysql_version }}-1.el6.i686.rpm', 'MySQL-shared-compat-advanced-{{ mysql_version }}-1.el6.i686.rpm', 'MySQL-client-advanced-{{ mysql_version }}-1.el6.i686.rpm' ]
+    register: rpmsdir
+    when: ansible_architecture == 'i386'
+
+  - name: Copy the MySQL Enterprise Edition 5.6 installation package
+    copy: src={{ item }} dest={{ sources_dir }}/rpms
+    with_items: [ 'MySQL-server-advanced-{{ mysql_version }}-1.el6.x86_64.rpm', 'MySQL-shared-advanced-{{ mysql_version }}-1.el6.x86_64.rpm', 'MySQL-shared-compat-advanced-{{ mysql_version }}-1.el6.x86_64.rpm', 'MySQL-client-advanced-{{ mysql_version }}-1.el6.x86_64.rpm' ]
+    register: rpmsdir
+    when: ansible_architecture == 'x86_64'
+
+  - name: Update the RPM local repository
+    command: createrepo {{ sources_dir }}/rpms
+    when: rpmsdir.changed
+
+  - name: Flush the yum caches
+    command: yum clean all
+    when: rpmsdir.changed
+
+  - name: Set the default MySQL server configuration (yes, before installation)
+    template: src=my.cnf dest=/etc/my.cnf owner=root group=root mode=0755
+    tags: config
+
+  - name: Create the MySQL data directory
+    file: path=/home/mysql state=directory mode=777
+
+  - name: Install MySQL Enterprise Edition 5.6
+    yum: name={{ item }} state=installed
+    with_items: [ 'MySQL-server-advanced', 'MySQL-shared-advanced', 'MySQL-shared-compat-advanced', 'MySQL-client-advanced' ]
+
+  - name: Update the MySQL data directory
+    file: path=/home/mysql state=directory mode=0750 owner=mysql group=mysql
+
+  - name: Install the MySQL-python package (needed by ansible)
+    yum: name=MySQL-python state=installed
+
+  - name: Fix permissions on /var/lib/mysql
+    file: path=/var/lib/mysql state=directory mode=0750 owner=mysql group=mysql
+
+  - name: Ensure the MySQL service is started
+    service: name=mysql state=started enabled=on
+
+  - name: Copy the MySQL script to init the root password
+    template: src=mysql_set_root_password.sh dest={{ sources_dir }} mode=0755
+
+  - name: Reset the MySQL root password
+    command: "{{ sources_dir }}/mysql_set_root_password.sh"
+
+  - name: Remove the MySQL script
+    file: path={{ sources_dir }}/mysql_set_root_password.sh state=absent

OneAccess-Ansible-Playbook/roles/mysql-ee-5.6/templates/my.cnf

@@ -0,0 +1,51 @@
+[mysqld]
+lower_case_table_names = 1
+character-set-server = utf8
+bind-address = 127.0.0.1
+datadir = /home/mysql
+pid-file = /var/lib/mysql/mysqld.pid
+socket = /var/lib/mysql/mysql.sock
+basedir = /usr
+
+skip-partition
+
+bulk_insert_buffer_size=0
+# using the defaults for the hardware appliance / x86_64 build
+innodb_data_file_path=ibdata:100M:autoextend:max:9216M
+innodb_additional_mem_pool_size=2M
+innodb_log_buffer_size=1M
+innodb_buffer_pool_size=64M
+# only need this buffer for the
+# mysql tablespace for authentication
+key_buffer_size=64M
+query_cache_size=32M
+query_cache_limit=8M
+innodb_log_file_size=16M
+lower_case_table_names=1
+
+# flush binary logs on commits.
+innodb_flush_log_at_trx_commit=1
+binlog_format=MIXED
+max_binlog_size=500M
+expire_logs_days=10
+# 5 gigs of binary logs, at most. Probably less.
+# And sync it too, so that the logs and the files and any remote systems are all
+# in agreement. Its a performance hit for reliability.
+sync_binlog=16
+# set larger connection limit
+max_connections=2625
+# increase timeout
+net_write_timeout=120
+
+low-priority-updates=0
+transaction-isolation=READ-COMMITTED
+# and ignore connect errors so it retries a lot
+max_connect_errors=2000000
+max_allowed_packet=32M
+interactive_timeout=864000
+slow_query_log=1
+
+[mysql]
+# command line imports of audit data can fail with max allowed packet size
+# This will help
+max_allowed_packet=32M

OneAccess-Ansible-Playbook/roles/mysql-ee-5.6/templates/mysql_set_root_password.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Very insecure, but anyway it's a demo !
+NEWPASS={{ mysql_root_password }}
+
+test -f /root/.mysql_secret || exit 0
+sed -r 's/^#.*: (.*)$/[client]\npassword=\1/' /root/.mysql_secret > /root/.my.cnf
+chmod 600 /root/.my.cnf
+echo "SET PASSWORD FOR 'root'@'localhost' = PASSWORD('$NEWPASS'); SET PASSWORD FOR 'root'@'127.0.0.1' = PASSWORD('$NEWPASS'); FLUSH PRIVILEGES;" |mysql --connect-expired-password && rm -f /root/.mysql_secret
+echo -e "[client]\npassword=$NEWPASS\n" > /root/.my.cnf
+echo "UPDATE mysql.user SET Password = PASSWORD('$NEWPASS') WHERE User = 'root'; FLUSH PRIVILEGES;" |mysql

OneAccess-Ansible-Playbook/roles/oneaccess/files/.gitignore

@@ -0,0 +1,8 @@
+layer7*
+salesforce*
+siteminder*
+oneaccess.war
+circles.tgz
+*.sql
+*.ddl
+

OneAccess-Ansible-Playbook/roles/oneaccess/tasks/main.yml

@@ -0,0 +1,114 @@
+---
+
+  - name: This module only works on CentOS 6
+    assert:
+      that:
+        - "ansible_os_family == 'RedHat'"
+
+  - name: Create a oneaccess directory at the root filesystem
+    file: state=directory path=/oneaccess owner={{ tomcat_user }} group={{ tomcat_group }} mode=0755
+
+  - name: Create subdirectory beneath oneaccess
+    file: state=directory path=/oneaccess/{{ item }} owner={{ tomcat_user }} group={{ tomcat_group }} mode=0755
+    with_items: [ 'conf', 'logs' ]
+
+  - name: Install the One Access configuration file
+    template: src=personalization.properties dest=/oneaccess/conf/personalization.properties
+    tags: config
+
+  - name: Install the One Access configuration file
+    template: src=log4j.properties dest=/oneaccess/conf/log4j.properties
+    tags: config
+
+  - name: Create the One Access database
+    mysql_db: login_user=root login_password={{ mysql_root_password }} name={{ oneaccess_db_name }} state=present
+
+  - name: Create the One Access database user
+    mysql_user: login_user=root login_password={{ mysql_root_password }} name={{ oneaccess_db_username }} password={{ oneaccess_db_password }} priv="{{ oneaccess_db_name }}.*:ALL" state=present
+
+  - name: Copy the database schema to the sources directory
+    copy: src=Personalization_V1-0_BASE.ddl dest={{ sources_dir }}/Personalization_V1-0_BASE.ddl
+
+  - name: Import the database schema
+    mysql_db: login_user=root login_password={{ mysql_root_password }} name={{ oneaccess_db_name }} state=import target={{ sources_dir }}/Personalization_V1-0_BASE.ddl
+    tags:
+      - db
+      - db-schema
+#  - name: Copy the database initial data to the sources directory
+#    copy: src=InitialDataLoad.sql dest={{ sources_dir }}/InitialDataLoad.sql
+
+#  - name: Import the database initial data
+#    mysql_db: login_user=root login_password={{ mysql_root_password }} name={{ oneaccess_db_name }} state=import target={{ sources_dir }}/InitialDataLoad.sql
+
+  - name: Copy the WAR file to tomcat
+    copy: src=oneaccess.war dest={{ tomcat_home }}/webapps/oneaccess.war
+
+  - name: Create a "tiles" directory under "htdocs/static"
+    file: path="{{ httpd_home }}/htdocs/static/tiles/" state=directory owner={{ httpd_user }} group={{ httpd_group }} mode=755
+
+  - name: Copy the static files
+    unarchive: src=circles.tgz dest="{{ httpd_home }}/htdocs/static/tiles/"
+    sudo_user: "{{ httpd_user }}"
+
+  - name: Ugly search & replace in the javascript code
+    replace: regexp="https://msso.ca.com/userinfo.php" replace="/userinfo" backup=yes dest={{ tomcat_home }}/webapps/oneaccess/resources/100/scripts/scripts.js
+    sudo_user: "{{ tomcat_user }}"
+    tags: ugly
+
+  - name: Ugly search & replace in the javascript code
+    replace: regexp='[,]secret:"[^"]+"' replace="" backup=no dest={{ tomcat_home }}/webapps/oneaccess/resources/100/scripts/scripts.js
+    sudo_user: "{{ tomcat_user }}"
+    tags: ugly
+
+  - name: Generate certificates for SFDC
+    local_action: command creates="{{ lookup('env', 'BASEDIR') }}/roles/oneaccess/files/salesforce.jks" "{{ lookup('env', 'BASEDIR') }}/pki/new_selfsigned_cert.sh"
+    sudo: false
+    environment:
+      CERT_CN: "{{ salesforce_certificate_cn }}"
+      PASSWORD: "{{ salesforce_certificate_password }}"
+      BASENAME: "salesforce"
+      OUTDIR: "{{ lookup('ENV', 'BASEDIR') }}/roles/oneaccess/files/"
+    tags: certificate
+    when: salesforce_certificate_cn is defined
+
+  - name: Generate certificates for SiteMinder
+    local_action: command creates="{{ lookup('env', 'BASEDIR') }}/roles/oneaccess/files/siteminder.jks" "{{ lookup('env', 'BASEDIR') }}/pki/new_selfsigned_cert.sh"
+    sudo: false
+    environment:
+      CERT_CN: "{{ siteminder_certificate_cn }}"
+      PASSWORD: "{{ siteminder_certificate_password }}"
+      BASENAME: "siteminder"
+      OUTDIR: "{{ lookup('ENV', 'BASEDIR') }}/roles/oneaccess/files/"
+    tags: certificate
+    when: siteminder_certificate_cn is defined
+
+  - name: Generate a SAML Signing certificate for Layer7
+    local_action: command creates="{{ lookup('env', 'BASEDIR') }}/roles/oneaccess/files/layer7.jks" "{{ lookup('env', 'BASEDIR') }}/pki/new_selfsigned_cert.sh"
+    sudo: false
+    environment:
+      CERT_CN: "{{ layer7_saml_certificate_cn }}"
+      PASSWORD: "{{ layer7_saml_certificate_password }}"
+      BASENAME: "layer7"
+      OUTDIR: "{{ lookup('ENV', 'BASEDIR') }}/roles/oneaccess/files/"
+    tags: certificate
+    when: layer7_saml_certificate_cn is defined
+
+  - name: Copy the Customer Logo
+    copy: src=CHANGEME-customer-logo.png dest={{ tomcat_home }}/webapps/oneaccess/resources/100/images/CHANGEME-customer-logo.png
+    sudo_user: "{{ tomcat_user }}"
+    tags: new
+
+  - name: Customize the OneAccess header
+    template: src=header.html dest={{ tomcat_home }}/webapps/oneaccess/resources/100/views/header.html
+    sudo_user: "{{ tomcat_user }}"
+    tags: new
+
+  - name: Source our custom.css
+    lineinfile: dest={{ tomcat_home }}/webapps/oneaccess/resources/100/styles/main.css backup=yes line='@charset "UTF-8";@import url("custom.css");\2' regexp='^@charset "UTF-8";(@import url\("custom.css"\);)?(.*)$' backrefs=yes state=present
+    sudo_user: "{{ tomcat_user }}"
+    tags: new
+
+  - name: Create our custom.css
+    template: src=custom.css dest={{ tomcat_home }}/webapps/oneaccess/resources/100/styles/custom.css
+    sudo_user: "{{ tomcat_user }}"
+    tags: new

OneAccess-Ansible-Playbook/roles/oneaccess/templates/custom.css

@@ -0,0 +1,30 @@
+.profile {
+  background-color: #CHANGEME !important;
+}
+.applications, .content {
+  background-color: #CHANGEME !important;
+}
+.profile__title, .profile__name {
+  color: #CHANGEME !important;
+}
+.profile__picture {
+  border: 2px solid #CHANGEME !important;
+}
+.mask {
+  background: rgba(0, 0, 0, 0.8) none repeat scroll 0% 0% !important;
+}
+
+.off-canvas__nav {
+  background-color: #CHANGEME !important;
+  color: #CHANGEME !important;
+}
+.off-canvas-list li ul {
+  background-color: #CHANGEME !important;
+}
+
+/* reduce the one access logo in case the customer logo is too big */
+@media screen and (max-width:767px) {
+  .header__logo-oa {
+    height: 20px !important;
+  }
+}

OneAccess-Ansible-Playbook/roles/oneaccess/templates/header.html

@@ -0,0 +1,8 @@
+<div class="container-fixed">
+    <img src="images/icn-menu.png" class="header__menu-icon" alt="menu" ng-click="toggleMenu(app.menuActive)">
+    <img src="images/CHANGEME-customer-logo.png" class="header__logo-ca" />
+    <img src="images/logo-oneaccess.png" class="header__logo-oa" />
+    <a href="/fixme/help" target="_new">
+        <img src="images/icn-help.png" alt="help" class="header__help">
+    </a>
+</div>

OneAccess-Ansible-Playbook/roles/oneaccess/templates/log4j.properties

@@ -0,0 +1,18 @@
+# This file is a template for creating customized versions of the 
+# 'log4j.properties' configuration file.
+
+log4j.rootLogger=INFO, stdout
+log4j.additivity.com.ca.oneaccess=false
+
+log4j.logger.com.ca.oneaccess=DEBUG, rollingFile
+
+log4j.appender.stdout=org.apache.log4j.ConsoleAppender
+log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
+log4j.appender.stdout.layout.ConversionPattern=%d{ABSOLUTE} %5p %40.40c:%4L - %m%n
+
+log4j.appender.rollingFile=org.apache.log4j.RollingFileAppender
+log4j.appender.rollingFile.File=/oneaccess/logs/personalization.log
+log4j.appender.rollingFile.MaxFileSize=4MB
+log4j.appender.rollingFile.MaxBackupIndex=8
+log4j.appender.rollingFile.layout=org.apache.log4j.PatternLayout
+log4j.appender.rollingFile.layout.ConversionPattern=%d{dd MMM yyyy HH:mm:ss,SSS} %p %t %c - %m%n

OneAccess-Ansible-Playbook/roles/oneaccess/templates/personalization.properties

@@ -0,0 +1,39 @@
+# This file is a template for creating customized versions of the
+# 'personalization.properties' configuration file.
+
+# MySQL JDBC connection properties
+db.driver=com.mysql.jdbc.Driver
+db.jdbcurl=jdbc:mysql://localhost:3306/{{ oneaccess_db_name }}
+db.username={{ oneaccess_db_username }}
+db.password={{ oneaccess_db_password }}
+db.initial.cp.size=3
+
+# Security properties
+security.pmfkey.header.name=sm_user
+security.token.header.name=unknown
+security.token.cookie.name=unknown
+security.sps.host=unknown
+
+# Web Application properties
+image.url=https://{{ oneaccess_static_hostname }}/tiles/circles/
+mobile.launch.url=websso://{{ ssg_hostname }}:{{ ssg_service_port }}/
+
+# Layer 7 connection properties
+layer7.androidpush.url=https://{{ ssg_hostname }}:{{ ssg_service_port }}/android/push/notify
+layer7.applepush.url=https://{{ ssg_hostname }}:{{ ssg_service_port }}/apple/push/notify
+layer7.otp.validation=http://{{ ssg_hostname }}:{{ ssg_service_port }}/caworld/siteminderauth
+
+# This one goes through the Apache Reverse proxy because Java cannot handle TLS > 1.0
+# (and we must configure TLS > 1.0 in Layer7 to accomodate Browsers new security measures)
+layer7.userauth.url=https://{{ ssg_hostname }}:{{ httpd_https_port }}/oneaccessweb/pullappaccessinfo
+
+# One Access plugin properties
+plugin.logo.url=http://localhost:8080/oneaccess/personalization/env=in
+
+# Log4j properties file location
+log4j.config.location=/oneaccess/conf/log4j.properties
+
+sender.api.key=AIzaSyDY-rvi5YrXySoRrpT8V7Lav1RcC3q5vK0
+
+# This id must be defined for test servers only!!
+# test.userid=masni02

OneAccess-Ansible-Playbook/roles/pki/tasks/main.yml

@@ -0,0 +1,11 @@
+---
+
+  - name: Initialize the PKI
+    sudo: no
+    local_action: command creates={{ lookup('ENV', 'BASEDIR') }}/pki/ca/root_ca.crl {{ lookup('ENV', 'BASEDIR') }}/pki/init.sh
+    tags: certificate
+
+  - name: Generate a truststore
+    sudo: no
+    local_action: command creates={{ lookup('ENV', 'BASEDIR') }}/pki/truststore.jks keytool -importcert -noprompt -alias ca -keystore {{ lookup('ENV', 'BASEDIR') }}/pki/truststore.jks -storetype JKS -storepass {{ pki_truststore_password }} -file {{ lookup('ENV', 'BASEDIR') }}/pki/ca/root_ca.crt
+    tags: certificate

OneAccess-Ansible-Playbook/roles/prepare-to-export/tasks/main.yml

@@ -0,0 +1,47 @@
+---
+
+  - name: This module only works on CentOS 6 x86
+    assert:
+      that:
+        - "ansible_userspace_bits == '32'"
+        - "ansible_os_family == 'RedHat'"
+
+  - name: Delete existing SSH Keys
+    file: path=/etc/ssh/{{ item }} state=absent
+    with_items:
+      - ssh_host_dsa_key
+      - ssh_host_dsa_key.pub
+      - ssh_host_key
+      - ssh_host_key.pub
+      - ssh_host_rsa_key
+      - ssh_host_rsa_key.pub
+    tags: prepare-to-export
+
+  - name: Stop the SiteMinder WAMUI
+    command: /bin/ksh -l -c "{{ sm_home }}/siteminder/adminui/bin/shutdown.sh"
+    sudo_user: "{{ sm_user }}"
+    ignore_errors: yes
+    tags:
+      - prepare-to-export
+      - wamui-cleanup
+
+  - name: Wait for the WAMUI to Stop (5 seconds)
+    local_action: command sleep 5
+    sudo: false
+    tags:
+      - prepare-to-export
+      - wamui-cleanup
+
+  - name: Make sure the WAMUI forgets his public hostname
+    command: rm -rf "{{ sm_home }}/siteminder/adminui/server/default/data/derby"
+    tags:
+      - prepare-to-export
+      - wamui-cleanup
+
+  - name: Stop the SSHD service
+    service: name=sshd state=stopped enabled=yes
+    tags: prepare-to-export
+
+  - name: Halt the Virtual Machine
+    command: /sbin/halt
+    tags: prepare-to-export

OneAccess-Ansible-Playbook/roles/service-control/tasks/main.yml

@@ -0,0 +1,63 @@
+---
+
+  - name: This module only works on CentOS 6 x86
+    assert:
+      that:
+        - "ansible_userspace_bits == '32'"
+        - "ansible_os_family == 'RedHat'"
+
+  - name: Ensure the RNGD service is started ! Otherwise, the SiteMinder server will be very slow...
+    service: name=rngd state=started enabled=yes
+    tags: start
+
+  - name: Start the SiteMinder Policy Server
+    command: /bin/ksh -l -c "start-ps"
+    sudo_user: "{{ sm_user }}"
+    tags: start
+
+  - name: Start the SiteMinder WAMUI
+    command: /bin/ksh -l -c "nohup {{ sm_home }}/siteminder/adminui/bin/run.sh &"
+    sudo_user: "{{ sm_user }}"
+    tags: start
+
+  - name: Start Tomcat
+    shell: cd {{ tomcat_home }} && nohup ./bin/startup.sh &
+    sudo_user: "{{ tomcat_user }}"
+    tags: start
+
+  - name: Start Apache
+    shell: /bin/bash -l -c "{{ httpd_home }}/bin/apachectl start"
+    sudo_user: "{{ httpd_user }}"
+    tags: start
+
+  - name: Start SSG
+    command: /opt/SecureSpan/Gateway/runtime/bin/gateway.sh start
+    sudo_user: "{{ ssg_runtime_user }}"
+    tags: start
+
+  - name: Stop SSG
+    command: /opt/SecureSpan/Gateway/runtime/bin/gateway.sh stop
+    sudo_user: "{{ ssg_runtime_user }}"
+    tags: stop
+
+  - name: Stop Apache
+    command: /bin/bash -l -c "{{ httpd_home }}/bin/apachectl stop"
+    sudo_user: "{{ httpd_user }}"
+    tags: stop
+
+  - name: Stop Tomcat
+    shell: cd {{ tomcat_home }} && ./bin/shutdown.sh
+    sudo_user: "{{ tomcat_user }}"
+    tags: stop
+
+  - name: Stop the SiteMinder WAMUI
+    command: /bin/ksh -l -c "{{ sm_home }}/siteminder/adminui/bin/shutdown.sh"
+    sudo_user: "{{ sm_user }}"
+    tags: stop
+
+  - name: Stop the SiteMinder Policy Server
+    command: /bin/ksh -l -c "stop-ps"
+    sudo_user: "{{ sm_user }}"
+    register: stop_ps
+    failed_when: "stop_ps.rc != 1"
+    tags: stop

OneAccess-Ansible-Playbook/roles/siteminder-adminui/files/.gitignore

@@ -0,0 +1 @@
+*.zip

OneAccess-Ansible-Playbook/roles/siteminder-adminui/tasks/main.yml

@@ -0,0 +1,51 @@
+---
+
+  - name: This module only works on CentOS 6 x86
+    assert:
+      that:
+        - "ansible_os_family == 'RedHat'"
+
+  - name: Copy the SiteMinder AdminUI files to sources_dir
+    unarchive: creates={{ sources_dir }}/ca-adminui-12.52-sp01-linux.bin src=GEN08164535E-AdminUiLinux.zip dest={{ sources_dir }}
+
+  - name: Copy the SiteMinder AdminUI PreReq files to sources_dir
+    unarchive: creates={{ sources_dir }}/adminui-pre-req-12.52-sp01-linux.bin src=GEN08163628E-PreReq.zip dest={{ sources_dir }}
+
+  - name: Fix access rights on installation files (pre-req)
+    file: path={{ sources_dir }}/adminui-pre-req-12.52-sp01-linux.bin mode=0755 state=file
+
+  - name: Fix access rights on installation files (ui)
+    file: path={{ sources_dir }}/ca-adminui-12.52-sp01-linux.bin mode=0755 state=file
+
+  - name: Copy the unattended installation response file (pre-req)
+    template: src=prereq-unattended.properties dest={{ sources_dir }}/prereq-unattended.properties
+
+  - name: Copy the unattended installation response file (ui)
+    template: src=adminui-unattended.properties dest={{ sources_dir }}/adminui-unattended.properties
+
+  - name: Run XPSRegClient
+    command: /bin/ksh -l -c 'XPSRegClient "{{ sm_admin_user }}:{{ sm_admin_password }}" -adminui-setup -vI'
+    sudo_user: "{{ sm_user }}"
+    tags: wamui-register
+
+  - name: Install AdminUI Pre-requisites (warning, no check !)
+    command: creates={{ sm_home }}/siteminder/adminui {{ sources_dir }}/adminui-pre-req-12.52-sp01-linux.bin -f {{ sources_dir }}/prereq-unattended.properties -i silent
+    sudo_user: "{{ sm_user }}"
+    ignore_errors: yes
+
+  - name: Install AdminUI (warning, no check !)
+    command: creates={{ sm_home }}/siteminder/adminui/SiteMinder {{ sources_dir }}/ca-adminui-12.52-sp01-linux.bin -f {{ sources_dir }}/adminui-unattended.properties -i silent
+    sudo_user: "{{ sm_user }}"
+    ignore_errors: yes
+
+  - name: Change the AdminUI SSL port of the built-in JBOSS
+    template: src=bindings-jboss-beans.xml dest={{ sm_home }}/siteminder/adminui/server/default/conf/bindingservice.beans/META-INF/bindings-jboss-beans.xml
+    tags: config
+
+  - name: Change the log config of the built-in JBOSS
+    template: src=jboss-log4j.xml dest={{ sm_home }}/siteminder/adminui/server/default/conf/jboss-log4j.xml
+    tags: config
+
+  - name: Flush the WAMUI Cache (do not forget to re-run XPSRegClient)
+    shell: rm -rf {{ sm_home }}/siteminder/adminui/server/default/data/derby/siteminder/*
+    tags: flushcache

OneAccess-Ansible-Playbook/roles/siteminder-adminui/templates/adminui-unattended.properties

@@ -0,0 +1,43 @@
+###############################################
+##### Please do not delete this file ##########
+###############################################
+
+### General Information
+# Install folder
+#   All products are installed in subfolders under this folder
+#   This is parent product root selected by the user
+#   For e.g. C:\\Program Files\\CA
+DEFAULT_INSTALL_FOLDER={{ sm_home }}
+
+# Application Server Information.
+# Valid values for DEFAULT_APP_SERVER are JBoss, WebLogic, WebLogic9, WebSphere
+# Versions Supported are JBoss 5.1.0 ,Web Logic 10.3, WebSphere 7.0
+DEFAULT_APP_SERVER=JBoss
+
+# Path to JDK/JRE for the Application Server
+# For JBoss this has to be path to JDK and for WebLogic, Websphere it is path to JRE or JDK
+DEFAULT_NETE_JAVA_HOME=
+DEFAULT_APP_SERVER_URL=
+
+# JBoss Information
+DEFAULT_JBOSS_FOLDER=
+
+# Weblogic Information
+
+DEFAULT_BINARY_FOLDER=
+DEFAULT_DOMAIN_FOLDER=
+DEFAULT_SERVER_NAME=
+
+# WebSphere Information
+DEFAULT_WEBSPHERE_FOLDER=
+
+#WAS_NODE Location: \\installedApps\\
+# and directory \\config\\cells\\\\nodes\\
+DEFAULT_WAS_NODE=
+#WAS_SERVER Value: \\config\\cells\\\\nodes\\\\servers\\
+DEFAULT_WAS_SERVER=
+#WAS_CELL: \\config\\cells\\
+DEFAULT_WAS_CELL=
+
+#WAS_PROFILE = \\profiles\\
+WAS_PROFILE=

OneAccess-Ansible-Playbook/roles/siteminder-adminui/templates/bindings-jboss-beans.xml

@@ -0,0 +1,146 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<deployment xmlns="urn:jboss:bean-deployer:2.0">
+
+	<bean name="ServiceBindingManager"
+	      class="org.jboss.services.binding.ServiceBindingManager">
+		<annotation>@org.jboss.aop.microcontainer.aspects.jmx.JMX(name="jboss.system:service=ServiceBindingManager", exposedInterface=org.jboss.services.binding.ServiceBindingManagerMBean.class, registerDirectly=true)</annotation>
+		<constructor factoryMethod="getServiceBindingManager">
+			<factory bean="ServiceBindingManagementObject"/>
+		</constructor>
+	</bean>
+
+	<bean name="ServiceBindingManagementObject"
+	      class="org.jboss.services.binding.managed.ServiceBindingManagementObject">
+		<constructor>
+			<parameter>ports-default</parameter>
+			<parameter>
+				<set>
+					<bean class="org.jboss.services.binding.impl.ServiceBindingSet">
+						<constructor>
+							<parameter>ports-default</parameter>
+							<parameter>${jboss.bind.address}</parameter>
+							<parameter>0</parameter>
+							<parameter><null/></parameter>
+						</constructor>
+					</bean>
+				</set>
+			</parameter>
+			<parameter>
+				<set>
+					<bean class="org.jboss.services.binding.ServiceBindingMetadata">
+						<property name="serviceName">jboss.web:service=WebServer</property>
+						<!-- HTTPS address and port are defined below -->
+						<property name="hostName">127.0.0.1</property>
+						<property name="port">48080</property>
+						<property name="fixedHostName">false</property>
+						<property name="description">JBoss Web HTTP connector socket</property>
+						<property name="serviceBindingValueSourceConfig">
+							<bean class="org.jboss.services.binding.impl.XSLTServiceBindingValueSourceConfig">
+								<constructor>
+									<parameter><![CDATA[
+  <xsl:stylesheet xmlns:xsl='http://www.w3.org/1999/XSL/Transform' version='1.0'>
+    <xsl:output method="xml" />
+    <xsl:param name="host"/>
+    <xsl:param name="port"/>
+    <xsl:param name="httpsHost"/>
+    <xsl:param name="httpsPort"/>
+    <xsl:param name="keyStore"/>
+    <xsl:param name="keyStoreType"/>
+    <xsl:param name="keyStorePassword"/>
+
+    <xsl:template match="/">
+      <xsl:apply-templates/>
+    </xsl:template>
+
+    <xsl:template match="Connector[(not(@SSLEnabled) or @SSLEnabled='false') and @port = '8080']">
+      <Connector>
+        <xsl:for-each select="@*">
+          <xsl:choose>
+            <xsl:when test="(name() = 'address')">
+              <xsl:attribute name="address"><xsl:value-of select="$host" /></xsl:attribute>
+            </xsl:when>
+            <xsl:when test="(name() = 'port')">
+              <xsl:attribute name="port"><xsl:value-of select="$port" /></xsl:attribute>
+            </xsl:when>
+            <xsl:when test="(name() = 'redirectPort')">
+              <xsl:attribute name="redirectPort"><xsl:value-of select="$httpsPort" /></xsl:attribute>
+            </xsl:when>
+            <xsl:otherwise>
+              <xsl:attribute name="{name()}"><xsl:value-of select="." /></xsl:attribute>
+            </xsl:otherwise>
+          </xsl:choose>
+        </xsl:for-each>
+        <xsl:apply-templates/>
+      </Connector>
+    </xsl:template>
+
+    <xsl:template match="Connector[@SSLEnabled='true' and @port = '8443']">
+      <Connector>
+        <xsl:for-each select="@*">
+          <xsl:choose>
+            <xsl:when test="(name() = 'address')">
+              <xsl:attribute name="address"><xsl:value-of select="$httpsHost" /></xsl:attribute>
+            </xsl:when>
+            <xsl:when test="(name() = 'port')">
+              <xsl:attribute name="port"><xsl:value-of select="$httpsPort" /></xsl:attribute>
+            </xsl:when>
+            <xsl:when test="(name() = 'keystoreFile')">
+              <xsl:attribute name="keystoreFile"><xsl:value-of select="$keyStore" /></xsl:attribute>
+            </xsl:when>
+            <xsl:when test="(name() = 'keystoreType')">
+              <xsl:attribute name="keystoreType"><xsl:value-of select="$keyStoreType" /></xsl:attribute>
+            </xsl:when>
+            <xsl:when test="(name() = 'keystorePass')">
+              <xsl:attribute name="keystorePass"><xsl:value-of select="$keyStorePassword" /></xsl:attribute>
+            </xsl:when>
+            <xsl:otherwise>
+              <xsl:attribute name="{name()}"><xsl:value-of select="." /></xsl:attribute>
+            </xsl:otherwise>
+          </xsl:choose>
+        </xsl:for-each>
+        <xsl:apply-templates/>
+      </Connector>
+    </xsl:template>
+
+    <xsl:template match="*|@*">
+      <xsl:copy>
+        <xsl:apply-templates select="@*|node()"/>
+      </xsl:copy>
+    </xsl:template>
+  </xsl:stylesheet>]]>
+									</parameter>
+									<parameter>
+										<!-- No clean way to apply two bindings to one resource -->
+										<map keyClass="java.lang.String" valueClass="java.lang.String">
+											<entry>
+												<key>httpsHost</key>
+												<value>127.0.0.1</value>
+											</entry>
+											<entry>
+												<key>httpsPort</key>
+<value>48443</value>
+											</entry>
+											<entry>
+												<key>keyStore</key>
+												<value>${javax.net.ssl.keyStore}</value>
+											</entry>
+											<entry>
+												<key>keyStoreType</key>
+												<value>${javax.net.ssl.keyStoreType}</value>
+											</entry>
+											<entry>
+												<key>keyStorePassword</key>
+												<value>${javax.net.ssl.keyStorePassword}</value>
+											</entry>
+										</map>
+									</parameter>
+								</constructor>
+							</bean>
+						</property>
+					</bean>
+				</set>
+			</parameter>
+		</constructor>
+	</bean>
+
+</deployment>

OneAccess-Ansible-Playbook/roles/siteminder-adminui/templates/jboss-log4j.xml

@@ -0,0 +1,390 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
+
+<!-- ===================================================================== -->
+<!--                                                                       -->
+<!--  Log4j Configuration                                                  -->
+<!--                                                                       -->
+<!-- ===================================================================== -->
+
+<!-- $Id: jboss-log4j.xml 87678 2009-04-22 16:47:08Z bstansberry@jboss.com $ -->
+
+<!--
+   | For more configuration information and examples see the Jakarta Log4j
+   | owebsite: http://jakarta.apache.org/log4j
+ -->
+
+<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/" debug="false">
+
+   <!-- ================================= -->
+   <!-- Preserve messages in a local file -->
+   <!-- ================================= -->
+
+   <!-- A time/date based rolling appender -->
+   <appender name="FILE" class="org.jboss.logging.appender.DailyRollingFileAppender">
+      <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
+      <param name="File" value="${jboss.server.log.dir}/server.log"/>
+      <param name="Append" value="true"/>
+      <!-- In AS 5.0.x the server log threshold was set by a system
+           property. In 5.1 and later we are instead using the system
+           property to set the priority on the root logger (see <root/> below)
+      <param name="Threshold" value="${jboss.server.log.threshold}"/>
+      -->
+
+      <!-- Rollover at midnight each day -->
+      <!-- <param name="DatePattern" value="'.'yyyy-MM-dd"/> -->
+
+      <!-- Rollover at the top of each hour
+      <param name="DatePattern" value="'.'yyyy-MM-dd-HH"/>
+      -->
+
+      <layout class="org.apache.log4j.PatternLayout">
+         <!-- The default pattern: Date Priority [Category] (Thread) Message\n -->
+         <param name="ConversionPattern" value="%d %-5p [%c] (%t) %m%n"/>
+
+         <!-- The full pattern: Date MS Priority [Category] (Thread:NDC) Message\n
+         <param name="ConversionPattern" value="%d %-5r %-5p [%c] (%t:%x) %m%n"/>
+          -->
+      </layout>
+   </appender>
+
+   <!-- A size based file rolling appender
+   <appender name="FILE" class="org.jboss.logging.appender.RollingFileAppender">
+     <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
+     <param name="File" value="${jboss.server.log.dir}/server.log"/>
+     <param name="Append" value="false"/>
+     <param name="MaxFileSize" value="500KB"/>
+     <param name="MaxBackupIndex" value="1"/>
+
+     <layout class="org.apache.log4j.PatternLayout">
+       <param name="ConversionPattern" value="%d %-5p [%c] %m%n"/>
+     </layout>
+   </appender>
+   -->
+
+   <!-- ============================== -->
+   <!-- Append messages to the console -->
+   <!-- ============================== -->
+
+   <appender name="CONSOLE" class="org.apache.log4j.ConsoleAppender">
+      <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
+      <param name="Target" value="System.out"/>
+      <param name="Threshold" value="ERROR"/>
+
+      <layout class="org.apache.log4j.PatternLayout">
+         <param name="ConversionPattern" value="%d{ABSOLUTE} %-5p [%c{1}] %m%n"/>
+      </layout>
+   </appender>
+
+   <!-- ====================== -->
+   <!-- More Appender examples -->
+   <!-- ====================== -->
+
+   <!-- Buffer events and log them asynchronously
+   <appender name="ASYNC" class="org.apache.log4j.AsyncAppender">
+     <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
+     <appender-ref ref="FILE"/>
+     <appender-ref ref="CONSOLE"/>
+     <appender-ref ref="SMTP"/>
+   </appender>
+   -->
+
+   <!-- EMail events to an administrator
+   <appender name="SMTP" class="org.apache.log4j.net.SMTPAppender">
+     <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
+     <param name="Threshold" value="ERROR"/>
+     <param name="To" value="admin@myhost.domain.com"/>
+     <param name="From" value="nobody@myhost.domain.com"/>
+     <param name="Subject" value="JBoss Sever Errors"/>
+     <param name="SMTPHost" value="localhost"/>
+     <param name="BufferSize" value="10"/>
+     <layout class="org.apache.log4j.PatternLayout">
+       <param name="ConversionPattern" value="[%d{ABSOLUTE},%c{1}] %m%n"/>
+     </layout>
+   </appender>
+   -->
+
+   <!-- Syslog events
+   <appender name="SYSLOG" class="org.apache.log4j.net.SyslogAppender">
+     <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
+     <param name="Facility" value="LOCAL7"/>
+     <param name="FacilityPrinting" value="true"/>
+     <param name="SyslogHost" value="localhost"/>
+     <layout class="org.apache.log4j.PatternLayout">
+       <param name="ConversionPattern" value="[%d{ABSOLUTE},%c{1}] %m%n"/>
+     </layout>
+   </appender>
+   -->
+
+   <!-- Log events to JMS (requires a topic to be created)
+   <appender name="JMS" class="org.apache.log4j.net.JMSAppender">
+     <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
+     <param name="Threshold" value="ERROR"/>
+     <param name="TopicConnectionFactoryBindingName" value="java:/ConnectionFactory"/>
+     <param name="TopicBindingName" value="topic/MyErrorsTopic"/>
+   </appender>
+   -->
+
+   <!-- Log events through SNMP
+   <appender name="TRAP_LOG" class="org.apache.log4j.ext.SNMPTrapAppender">
+     <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
+     <param name="ImplementationClassName" value="org.apache.log4j.ext.JoeSNMPTrapSender"/>
+     <param name="ManagementHost" value="127.0.0.1"/>
+     <param name="ManagementHostTrapListenPort" value="162"/>
+     <param name="EnterpriseOID" value="1.3.6.1.4.1.24.0"/>
+     <param name="LocalIPAddress" value="127.0.0.1"/>
+     <param name="LocalTrapSendPort" value="161"/>
+     <param name="GenericTrapType" value="6"/>
+     <param name="SpecificTrapType" value="12345678"/>
+     <param name="CommunityString" value="public"/>
+     <param name="ForwardStackTraceWithTrap" value="true"/>
+     <param name="Threshold" value="DEBUG"/>
+     <param name="ApplicationTrapOID" value="1.3.6.1.4.1.24.12.10.22.64"/>
+     <layout class="org.apache.log4j.PatternLayout">
+            <param name="ConversionPattern" value="%d,%p,[%t],[%c],%m%n"/>
+     </layout>
+   </appender>
+   -->
+
+   <!--  Emit events as JMX notifications
+   <appender name="JMX" class="org.jboss.monitor.services.JMXNotificationAppender">
+      <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
+
+      <param name="Threshold" value="WARN"/>
+      <param name="ObjectName" value="jboss.system:service=Logging,type=JMXNotificationAppender"/>
+
+      <layout class="org.apache.log4j.PatternLayout">
+         <param name="ConversionPattern" value="%d %-5p [%c] %m"/>
+      </layout>
+   </appender>
+   -->
+
+   <!-- Security AUDIT Appender
+   <appender name="AUDIT" class="org.jboss.logging.appender.DailyRollingFileAppender">
+      <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
+      <param name="File" value="${jboss.server.log.dir}/audit.log"/>
+      <param name="Append" value="true"/>
+      <param name="DatePattern" value="'.'yyyy-MM-dd"/>
+      <layout class="org.apache.log4j.PatternLayout">
+         <param name="ConversionPattern" value="%d %-5p [%c] (%t:%x) %m%n"/>
+      </layout>
+   </appender>
+   -->
+
+   <!-- ================ -->
+   <!-- Limit categories -->
+   <!-- ================ -->
+
+   <!-- Limit the org.apache category to INFO as its DEBUG is verbose -->
+   <category name="org.apache">
+      <priority value="INFO"/>
+   </category>
+
+   <!-- Limit the jacorb category to WARN as its INFO is verbose -->
+   <category name="jacorb">
+      <priority value="WARN"/>
+   </category>
+
+   <!-- Set the logging level of the JSF implementation that uses
+      | java.util.logging. The jdk logging levels can be controlled
+      | through the org.jboss.logging.log4j.JDKLevel class that
+      | in addition to the standard log4j levels it adds support for
+      | SEVERE, WARNING, CONFIG, FINE, FINER, FINEST
+   -->
+   <category name="javax.enterprise.resource.webcontainer.jsf">
+     <priority value="INFO" class="org.jboss.logging.log4j.JDKLevel"/>
+   </category>
+
+   <!-- Limit the org.jgroups category to WARN as its INFO is verbose -->
+   <category name="org.jgroups">
+      <priority value="WARN"/>
+   </category>
+
+   <!-- Limit the org.quartz category to INFO as its DEBUG is verbose -->
+   <category name="org.quartz">
+      <priority value="INFO"/>
+   </category>
+
+   <!-- Limit the com.sun category to INFO as its FINE is verbose -->
+   <category name="com.sun">
+      <priority value="INFO"/>
+   </category>
+
+   <!-- Limit the sun category to INFO as its FINE is verbose -->
+   <category name="sun">
+      <priority value="INFO"/>
+   </category>
+
+   <!-- Limit the javax.xml.bind category to INFO as its FINE is verbose -->
+   <category name="javax.xml.bind">
+      <priority value="INFO"/>
+   </category>
+
+   <!-- Limit JBoss categories
+   <category name="org.jboss">
+      <priority value="INFO"/>
+   </category>
+   -->
+
+   <!-- Limit the JSR77 categories -->
+   <category name="org.jboss.management">
+      <priority value="INFO"/>
+   </category>
+
+   <!-- Limit the JBoss server implementation -->
+   <category name="org.jboss.bootstrap.microcontainer.ServerImpl">
+      <priority value="INFO" />
+   </category>
+
+   <!-- Limit the DerbyDatabase category (JBAS-7090) -->
+   <category name="org.jboss.jdbc.DerbyDatabase">
+      <priority value="OFF"/>
+   </category>
+
+   <!-- Limit the verbose facelets compiler -->
+   <category name="facelets.compiler">
+      <priority value="WARN"/>
+   </category>
+
+   <!-- Limit the verbose ajax4jsf cache initialization -->
+   <category name="org.ajax4jsf.cache">
+      <priority value="WARN"/>
+   </category>
+
+   <!-- Limit the verbose embedded jopr categories -->
+   <category name="org.rhq">
+      <priority value="WARN"/>
+   </category>
+
+   <!-- Limit the verbose seam categories -->
+   <category name="org.jboss.seam">
+      <priority value="WARN"/>
+   </category>
+
+   <!-- Show the evolution of the DataSource pool in the logs [inUse/Available/Max]
+   <category name="org.jboss.resource.connectionmanager.JBossManagedConnectionPool">
+     <priority value="TRACE"/>
+   </category>
+   -->
+
+   <!-- Category specifically for Security Audit Provider
+   <category name="org.jboss.security.audit.providers.LogAuditProvider" additivity="false">
+     <priority value="TRACE"/>
+     <appender-ref ref="AUDIT"/>
+   </category>
+   -->
+
+   <!-- Limit the org.jboss.serial (jboss-serialization) to INFO as its DEBUG is verbose -->
+   <category name="org.jboss.serial">
+      <priority value="INFO"/>
+   </category>
+
+   <!-- Decrease the priority threshold for the org.jboss.varia category
+   <category name="org.jboss.varia">
+     <priority value="DEBUG"/>
+   </category>
+   -->
+
+   <!-- Enable JBossWS message tracing
+   <category name="org.jboss.ws.core.MessageTrace">
+     <priority value="TRACE"/>
+   </category>
+   -->
+
+   <!--
+      | An example of enabling the custom TRACE level priority that is used
+      | by the JBoss internals to diagnose low level details. This example
+      | turns on TRACE level msgs for the org.jboss.ejb.plugins package and its
+      | subpackages. This will produce A LOT of logging output.
+      |
+      | Note: since jboss AS 4.2.x, the trace level is supported natively by
+      | log4j, so although the custom org.jboss.logging.XLevel priority will
+      | still work, there is no need to use it. The two examples that follow
+      | will both enable trace logging.
+   <category name="org.jboss.system">
+     <priority value="TRACE" class="org.jboss.logging.XLevel"/>
+   </category>
+   <category name="org.jboss.ejb.plugins">
+     <priority value="TRACE"/>
+   </category>
+   -->
+
+   <!--
+       | Logs these events to SNMP:
+           - server starts/stops
+           - cluster evolution (node death/startup)
+           - When an EJB archive is deployed (and associated verified messages)
+           - When an EAR archive is deployed
+
+   <category name="org.jboss.system.server.Server">
+     <priority value="INFO" />
+     <appender-ref ref="TRAP_LOG"/>
+   </category>
+
+   <category name="org.jboss.ha.framework.interfaces.HAPartition.lifecycle">
+     <priority value="INFO" />
+     <appender-ref ref="TRAP_LOG"/>
+   </category>
+
+   <category name="org.jboss.deployment.MainDeployer">
+     <priority value="ERROR" />
+     <appender-ref ref="TRAP_LOG"/>
+   </category>
+
+   <category name="org.jboss.ejb.EJBDeployer">
+     <priority value="INFO" />
+     <appender-ref ref="TRAP_LOG"/>
+   </category>
+
+   <category name="org.jboss.deployment.EARDeployer">
+     <priority value="INFO" />
+     <appender-ref ref="TRAP_LOG"/>
+   </category>
+   -->
+
+   <!-- Clustering logging -->
+   <!-- Uncomment the following to redirect the org.jgroups and
+      org.jboss.ha categories to a cluster.log file.
+
+   <appender name="CLUSTER" class="org.jboss.logging.appender.RollingFileAppender">
+     <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
+     <param name="File" value="${jboss.server.log.dir}/cluster.log"/>
+     <param name="Append" value="false"/>
+     <param name="MaxFileSize" value="500KB"/>
+     <param name="MaxBackupIndex" value="1"/>
+
+     <layout class="org.apache.log4j.PatternLayout">
+       <param name="ConversionPattern" value="%d %-5p [%c] %m%n"/>
+     </layout>
+   </appender>
+   <category name="org.jgroups">
+     <priority value="DEBUG" />
+     <appender-ref ref="CLUSTER"/>
+   </category>
+   <category name="org.jboss.ha">
+     <priority value="DEBUG" />
+     <appender-ref ref="CLUSTER"/>
+   </category>
+   -->
+
+   <!-- ======================= -->
+   <!-- Setup the Root category -->
+   <!-- ======================= -->
+
+<!--
+TODO The CONSOLE appender should not be used when running as a service
+or the '/bin/run.log' will get out of control
+-->
+
+   <root>
+      <!--
+         Set the root logger priority via a system property. Note this is parsed by log4j,
+         so the full JBoss system property format is not supported; e.g.
+         setting a default via ${jboss.server.log.threshold:WARN} will not work.
+       -->
+      <priority value="${jboss.server.log.threshold}"/>
+      <appender-ref ref="CONSOLE"/>
+      <appender-ref ref="FILE"/>
+   </root>
+
+</log4j:configuration>

OneAccess-Ansible-Playbook/roles/siteminder-adminui/templates/prereq-unattended.properties

@@ -0,0 +1,26 @@
+###############################################
+##### Please do not delete this file ##########
+###############################################
+
+### General Information
+#   Install folder
+#   All products are installed in subfolders under this folder
+#   This is parent product root selected by the user
+#   For e.g. C:\\Program Files\\smwamui
+DEFAULT_INSTALL_FOLDER={{ sm_home }}
+
+#   Server Port
+#   Port on which application server is going to run
+#   For e.g. 8080
+DEFAULT_APP_SERVER_PORT=48080
+
+#   Server Name
+#   Please enter the fully qualified hostname or IPV4 IP Address or IPV6 IP address
+#   servername.domain (fully qualifies hostname) OR
+#   138.42.194.91 (IPv4 Address)
+#   2001:0db8:3c4d:0015:0000:0000:abcd:ef12 (IPV6 Address)
+DEFAULT_APP_SERVER_HOST={{ ansible_fqdn }}
+
+#   Review the LGPL license (JBossORG-EULA.txt), located in the directory USER_INSTALL_DIR
+#   To accept the license, set this (ACCEPT_LGPL_EULA) variable to YES
+ACCEPT_LGPL_EULA=YES

OneAccess-Ansible-Playbook/roles/siteminder-common/tasks/main.yml

@@ -0,0 +1,81 @@
+---
+  - name: This module only works on CentOS 6
+    assert:
+      that:
+        - "ansible_os_family == 'RedHat'"
+
+  - name: Install compat–gcc-34-c++
+    yum: name=compat-gcc-34-c++ state=present
+
+  - name: Upgrade all required libs (64 bits version)
+    yum: name={{ item }} state=latest
+    when: "ansible_architecture == 'x86_64'"
+    with_items:
+      - ncurses-libs.x86_64
+      - compat-libtermcap.x86_64
+      - libstdc++.x86_64
+      - libXrender.x86_64
+      - libXtst.x86_64
+      - libuuid.x86_64
+      - libSM.x86_64
+      - libXext.x86_64
+      - libXi.x86_64
+      - libXft.x86_64
+      - libXt.x86_64
+      - libXp.x86_64
+      - freetype.x86_64
+      - expat.x86_64
+      - fontconfig.x86_64
+      - libX11.x86_64
+      - libxcb.x86_64
+      - libXau.x86_64
+      - compat-db42.x86_64
+      - compat-db43.x86_64
+      - libICE.x86_64
+      - compat-libstdc++-33.x86_64
+      - compat-db.x86_64
+
+  - name: Install all required libs (32 bits version)
+    yum: name={{ item }} state=present
+    with_items:
+      - ncurses-libs.i686
+      - compat-libtermcap.i686
+      - libstdc++.i686
+      - libXrender.i686
+      - libXtst.i686
+      - libuuid.i686
+      - libSM.i686
+      - libXext.i686
+      - libXi.i686
+      - libXft.i686
+      - libXt.i686
+      - libXp.i686
+      - freetype.i686
+      - expat.i686
+      - fontconfig.i686
+      - libX11.i686
+      - libxcb.i686
+      - libXau.i686
+      - compat-db42.i686
+      - compat-db43.i686
+      - libICE.i686
+      - compat-libstdc++-33.i686
+      - compat-db.i686
+
+  - name: Install KSH
+    yum: name=ksh state=installed
+
+  - name: Install xauth (needed by smconsole)
+    yum: name=xorg-x11-xauth state=present
+
+  - name: Install RNGD
+    yum: name=rng-tools state=installed
+
+  - name: Install the RNGD configuration
+    lineinfile: dest=/etc/sysconfig/rngd line='EXTRAOPTIONS="-r /dev/urandom -o /dev/random -b -t .1"' regexp="^EXTRAOPTIONS="
+
+  - name: Restart RNGD and make sure it is enabled
+    service: name=rngd state=restarted enabled=yes
+
+  - name: Install patch (needed by ansible)
+    yum: name=patch state=installed

OneAccess-Ansible-Playbook/roles/siteminder-policy-server/files/.gitignore

@@ -0,0 +1 @@
+*.zip

OneAccess-Ansible-Playbook/roles/siteminder-policy-server/files/base.xps

@@ -0,0 +1,528 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Created by CA SiteMinder Version 12.52.0100.499
+     by os:smuser
+     at 11:45:34 on 2015-02-23 -->
+<!-- Uses schema "CA_SiteMinder_WAM-XPS2.xsd". This file
+     can be found on policy servers under siteminder/db -->
+<XPS xmlns:xs="http://www.w3.org/2001/XMLSchema-instance"
+    xs:noNamespaceSchemaLocation="CA_SiteMinder_WAM-XPS2.xsd">
+    <XPSVersion>1</XPSVersion>
+    <HostInformation>ca-sso</HostInformation>
+    <XPSAdmin>os:smuser</XPSAdmin>
+    <PolicyData IsDumpExport="false">
+        <References>
+            <ReferenceValue ReferenceId="Ref00001">
+                <StringValue>127.0.0.1,44441,44442,44443</StringValue>
+            </ReferenceValue>
+            <ReferenceValue ReferenceId="Ref00002">
+                <StringValue>localhost:1389</StringValue>
+            </ReferenceValue>
+            <ReferenceValue ReferenceId="Ref00003">
+                <StringValue>o=ACME</StringValue>
+            </ReferenceValue>
+            <ReferenceObject ReferenceId="Ref00004" ObjectClass="CA.SM::AgentType">
+            <Xid>CA.SM::AgentType@10-8d78bb96-ae15-11d1-9cdd-006008aac24b</Xid>
+            <Attribute Name="CA.SM::AgentType.Name" Type="Identity">
+                <StringValue>Web Agent</StringValue>
+            </Attribute>
+            <Attribute Name="CA.SM::AgentType.Desc" Type="Comment">
+                <StringValue>SiteMinder Web Agent</StringValue>
+            </Attribute>
+            </ReferenceObject>
+        </References>
+        <Object Class="CA.SM::Agent" Xid="CA.SM::Agent@01-00094e34-f4da-14ea-b2ed-00017f0090ad" CreatedDateTime="2015-02-23T09:37:30" UpdatedBy="siteminder" UpdateMethod="GUI" ExportType="Add">
+            <Property Name="CA.SM::Agent.AgentTypeLink">
+                <LinkValue>
+                    <XREF>Ref00004</XREF>
+                </LinkValue>
+            </Property>
+            <Property Name="CA.SM::Agent.RealmHintAttrId">
+                <NumberValue>0</NumberValue>
+            </Property>
+            <Property Name="CA.SM::Agent.Name">
+                <StringValue>agent_default</StringValue>
+            </Property>
+            <Property Name="CA.SM::Agent.Desc">
+                <StringValue>Default VHOST Agent</StringValue>
+            </Property>
+        </Object><!-- Xid="CA.SM::Agent@01-00094e34-f4da-14ea-b2ed-00017f0090ad" -->
+        <Object Class="CA.SM::Agent" Xid="CA.SM::Agent@01-0003e1dc-f4fb-14ea-b2ed-00017f0090ad" CreatedDateTime="2015-02-23T09:38:03" UpdatedBy="siteminder" UpdateMethod="GUI" ExportType="Add">
+            <Property Name="CA.SM::Agent.AgentTypeLink">
+                <LinkValue>
+                    <XREF>Ref00004</XREF>
+                </LinkValue>
+            </Property>
+            <Property Name="CA.SM::Agent.RealmHintAttrId">
+                <NumberValue>0</NumberValue>
+            </Property>
+            <Property Name="CA.SM::Agent.Name">
+                <StringValue>agent_waop</StringValue>
+            </Property>
+            <Property Name="CA.SM::Agent.Desc">
+                <StringValue>Option Pack&apos;s Agent</StringValue>
+            </Property>
+        </Object><!-- Xid="CA.SM::Agent@01-0003e1dc-f4fb-14ea-b2ed-00017f0090ad" -->
+        <Object Class="CA.SM::AgentConfig" Xid="CA.SM::AgentConfig@21-0007dd6b-f55e-14ea-b2ed-00017f0090ad" CreatedDateTime="2015-02-23T09:39:43" UpdatedBy="siteminder" UpdateMethod="GUI" ExportType="Add">
+            <Property Name="CA.SM::AgentConfig.Attributes">
+                <StringValue>UseSecureCookies=0=no</StringValue>
+                <StringValue>FCCCompatMode=0=no</StringValue>
+                <StringValue>#EnableFormCache=0=</StringValue>
+                <StringValue>#LogoffUri=0=</StringValue>
+                <StringValue>LogFileName=0=</StringValue>
+                <StringValue>RequireCookies=0=yes</StringValue>
+                <StringValue>MaxUrlSize=0=4097</StringValue>
+                <StringValue>LegacyVariables=0=yes</StringValue>
+                <StringValue>CssChecking=0=yes</StringValue>
+                <StringValue>UseSecureCPCookies=0=no</StringValue>
+                <StringValue>#FormCacheTimeOut=0=</StringValue>
+                <StringValue>TransientIPCheck=0=no</StringValue>
+                <StringValue>ConstructFullPwsvcURL=0=no</StringValue>
+                <StringValue>#DlpErrorFile=0=</StringValue>
+                <StringValue>#IgnoreUrl=0=</StringValue>
+                <StringValue>#SSOTrustedZone=0=</StringValue>
+                <StringValue>#MaxTimeoutURL=0=</StringValue>
+                <StringValue>TargetAsRelativeURI=0=no</StringValue>
+                <StringValue>LogAppend=0=no</StringValue>
+                <StringValue>MaxSessionCacheSize=0=750</StringValue>
+                <StringValue>#ForceGetSessionData=0=</StringValue>
+                <StringValue>LogFileSize=0=100</StringValue>
+                <StringValue>#PreserveHeaders=0=</StringValue>
+                <StringValue>#BadFormChars=0=%3C%2C%3E%2C%26%2C%2522</StringValue>
+                <StringValue>#EnableWebAgent=0=</StringValue>
+                <StringValue>EnableMonitoring=0=yes</StringValue>
+                <StringValue>#ValidTargetDomain=0=no</StringValue>
+                <StringValue>#TraceDelimiter=0=</StringValue>
+                <StringValue>CookieDomainScope=0=0</StringValue>
+                <StringValue>#EnableNTChallengeResponse=0=</StringValue>
+                <StringValue>#CustomIpHeader=0=no</StringValue>
+                <StringValue>SessionUpdatePeriod=0=60</StringValue>
+                <StringValue>#ExpireForProxy=0=</StringValue>
+                <StringValue>DefaultAgentName=2=agent_default</StringValue>
+                <StringValue>#LogLocalTime=0=yes</StringValue>
+                <StringValue>#ProxyHeadersAutoAuth10=0=</StringValue>
+                <StringValue>#OverlookSessionForMethods=0=no</StringValue>
+                <StringValue>#StoreSessioninServer=0=</StringValue>
+                <StringValue>#OverlookSessionForMethodUri=0=</StringValue>
+                <StringValue>#BadQueryChars=0=</StringValue>
+                <StringValue>#ProxyHeadersAutoAuth=0=</StringValue>
+                <StringValue>#DlpSupportEnabled=0=None</StringValue>
+                <StringValue>#SecureApps=0=yes</StringValue>
+                <StringValue>#HostConfigFile=0=</StringValue>
+                <StringValue>ProxyTimeout=0=120</StringValue>
+                <StringValue>DisableDotDotRule=0=no</StringValue>
+                <StringValue>#LegacyTransferEncoding=0=</StringValue>
+                <StringValue>#LegacyEncoding=0=</StringValue>
+                <StringValue>#AcceptTPCookie=0=</StringValue>
+                <StringValue>#FCCForcelsProtected=0=</StringValue>
+                <StringValue>TraceFile=0=no</StringValue>
+                <StringValue>#4xCompatMode=0=</StringValue>
+                <StringValue>UseAnonAccess=0=no</StringValue>
+                <StringValue>MaxResourceCacheSize=0=750</StringValue>
+                <StringValue>#PostPreservationFile=0=</StringValue>
+                <StringValue>#EnableAccounting=0=</StringValue>
+                <StringValue>EnforcePolicies=0=yes</StringValue>
+                <StringValue>LimitCookieProvider=0=no</StringValue>
+                <StringValue>#CssErrorfile=0=</StringValue>
+                <StringValue>#IdleTimeoutURL=0=</StringValue>
+                <StringValue>#Custom401ErrorFile=0=no</StringValue>
+                <StringValue>TraceAppend=0=no</StringValue>
+                <StringValue>#UseServerRequestIp=0=no</StringValue>
+                <StringValue>PersistentIPCheck=0=yes</StringValue>
+                <StringValue>#LegacyCookieProvider=0=no</StringValue>
+                <StringValue>PersistentCookies=0=no</StringValue>
+                <StringValue>#LegacyPostPreservationEncoding=0=</StringValue>
+                <StringValue>#LegalHostNameChars=0=</StringValue>
+                <StringValue>SFCCExt=0=.sfcc</StringValue>
+                <StringValue>#ReqCookieErrorFile=0=</StringValue>
+                <StringValue>#DefaultHostName=0=</StringValue>
+                <StringValue>EnableAuditing=0=no</StringValue>
+                <StringValue>FCCExt=0=.fcc</StringValue>
+                <StringValue>#BadCssChars=0=</StringValue>
+                <StringValue>#SharedSecret=0=</StringValue>
+                <StringValue>#TrackSessionDomain=0=</StringValue>
+                <StringValue>#RequireClientIP=0=</StringValue>
+                <StringValue>#ProxyHeadersDefaultTime=0=</StringValue>
+                <StringValue>#IgnoreCPFornotprotected=0=no</StringValue>
+                <StringValue>#DefaultLocale=0=</StringValue>
+                <StringValue>#UseHTTPOnlyCookies=0=</StringValue>
+                <StringValue>BadUrlChars=0=%2F%2F%2C.%2F%2C%2F.%2C%2F%2A%2C%2A.%2C~%2C%5C%2C%2500-%251f%2C%257f</StringValue>
+                <StringValue>EnableCookieProvider=0=yes</StringValue>
+                <StringValue>#CslCertUniqueAttribute=0=</StringValue>
+                <StringValue>CacheAnonymous=0=no</StringValue>
+                <StringValue>#XFrameOptions=0=</StringValue>
+                <StringValue>#HttpServicePrincipal=0=</StringValue>
+                <StringValue>DecodeQueryData=0=no</StringValue>
+                <StringValue>#AgentNamesAreFQHostNames=0=no</StringValue>
+                <StringValue>CCCExt=0=.ccc</StringValue>
+                <StringValue>#LowerCaseHTTP=0=yes</StringValue>
+                <StringValue>#CookieValidationPeriod=0=no</StringValue>
+                <StringValue>#PreservePostData=0=yes</StringValue>
+                <StringValue>SetRemoteUser=0=no</StringValue>
+                <StringValue>#ProxyHeadersTimeOutPercentage=0=</StringValue>
+                <StringValue>ProxyTrust=0=no</StringValue>
+                <StringValue>#LowerCaseProtocolSpecifier=0=</StringValue>
+                <StringValue>#SaveCredsTimeout=0=720</StringValue>
+                <StringValue>TraceConfigFile=0=</StringValue>
+                <StringValue>#DeleteCerts=0=no</StringValue>
+                <StringValue>#IgnoreHost=0=</StringValue>
+                <StringValue>#ClientLocalePreferred=0=no</StringValue>
+                <StringValue>ResourceCacheTimeout=0=600</StringValue>
+                <StringValue>AllowLocalConfig=0=no</StringValue>
+                <StringValue>CookieDomain=0=</StringValue>
+                <StringValue>#ProxyHeadersUnprotected10=0=</StringValue>
+                <StringValue>#UseSecureCPCookies=0=</StringValue>
+                <StringValue>#AutoAuthorizeOptions=0=</StringValue>
+                <StringValue>AllowCacheHeaders=0=no</StringValue>
+                <StringValue>SessionGracePeriod=0=30</StringValue>
+                <StringValue>#IgnoreXMLSDK=0=</StringValue>
+                <StringValue>#UseSessionForAnonymous=0=</StringValue>
+                <StringValue>#SSOZoneName=0=</StringValue>
+                <StringValue>TraceFileName=0=</StringValue>
+                <StringValue>#MasterCookiePath=0=%2Froot</StringValue>
+                <StringValue>#TraceFormat=0=</StringValue>
+                <StringValue>DisableAuthSrcVars=0=no</StringValue>
+                <StringValue>#OverlookSessionForUrls=0=no</StringValue>
+                <StringValue>#CookiePathScope=0=%2Froot</StringValue>
+                <StringValue>#ProxyHeadersProtected=0=</StringValue>
+                <StringValue>DisableSessionVars=0=no</StringValue>
+                <StringValue>#ProxyDefinition=0=no</StringValue>
+                <StringValue>#AgentWaitTime=0=5</StringValue>
+                <StringValue>#CookiePath=0=no</StringValue>
+                <StringValue>#ProxyHeadersUnprotected=0=</StringValue>
+                <StringValue>#SecureURLs=0=</StringValue>
+                <StringValue>#EncryptAgentName=0=yes</StringValue>
+                <StringValue>IgnoreQueryData=0=no</StringValue>
+                <StringValue>TraceFileSize=0=100</StringValue>
+                <StringValue>TransientIDCookies=0=no</StringValue>
+                <StringValue>#TraceFilesToKeep=0=</StringValue>
+                <StringValue>#KCCExt=0=</StringValue>
+                <StringValue>SCCExt=0=.scc</StringValue>
+                <StringValue>#WebAppClientResponse=0=Resource%3D%7CMethod%3D%7CStatus%3D%7CBody%3D%7CContent-Type%3D%7CCharset%3D</StringValue>
+                <StringValue>#ProxyHeadersProtected10=0=</StringValue>
+                <StringValue>#CookieProvider=0=</StringValue>
+                <StringValue>#ExpiredCookieURL=0=</StringValue>
+                <StringValue>Logfile=0=no</StringValue>
+                <StringValue>ProxyAgent=0=no</StringValue>
+                <StringValue>DisableUserNameVars=0=no</StringValue>
+                <StringValue>#SmpsServicePrincipal=0=</StringValue>
+                <StringValue>#EnforceRealmTimeouts=0=no</StringValue>
+                <StringValue>#ConformToRFC2047=0=yes</StringValue>
+                <StringValue>#ForceCookieDomain=0=no</StringValue>
+                <StringValue>#RemoteUserVar=0=</StringValue>
+                <StringValue>#AgentName=0=</StringValue>
+                <StringValue>#Localization=0=yes</StringValue>
+                <StringValue>#EnableFccWindowsAuth=0=no</StringValue>
+                <StringValue>#HttpheaderEncodingSpec=0=</StringValue>
+                <StringValue>PSPollInterval=0=30</StringValue>
+                <StringValue>#DisableDNSLookup=0=</StringValue>
+                <StringValue>#HttpsPorts=0=no</StringValue>
+                <StringValue>#DisallowUTF8NonCanonical=0=</StringValue>
+                <StringValue>#ForceFQHost=0=no</StringValue>
+                <StringValue>#DlpExclusionList=0=.aspx%2C.html%2C.htm%2C.ico%2C.jpg</StringValue>
+                <StringValue>#CslMaxCacheEntries=0=1000</StringValue>
+                <StringValue>#ServerErrorFile=0=</StringValue>
+                <StringValue>#LogFilesToKeep=0=</StringValue>
+                <StringValue>#GetPortFromHeaders=0=no</StringValue>
+                <StringValue>IgnoreExt=0=.class%2C.gif%2C.jpg%2C.jpeg%2C.png%2C.fcc%2C.scc%2C.sfcc%2C.ccc%2C.ntc%2C.sac</StringValue>
+                <StringValue>NTCExt=0=.ntc</StringValue>
+                <StringValue>OverrideIgnoreExtFilter=0=</StringValue>
+            </Property><!-- Name="CA.SM::AgentConfig.Attributes" -->
+            <Property Name="CA.SM::AgentConfig.Name">
+                <StringValue>ACO_Apache</StringValue>
+            </Property>
+            <Property Name="CA.SM::AgentConfig.Desc">
+                <StringValue>Apache&apos;s Agent Configuration</StringValue>
+            </Property>
+        </Object><!-- Xid="CA.SM::AgentConfig@21-0007dd6b-f55e-14ea-b2ed-00017f0090ad" -->
+        <Object Class="CA.SM::AgentConfig" Xid="CA.SM::AgentConfig@21-0006cccd-f595-14ea-b2ed-00017f0090ad" CreatedDateTime="2015-02-23T09:40:38" UpdatedBy="siteminder" UpdateMethod="GUI" ExportType="Add">
+            <Property Name="CA.SM::AgentConfig.Attributes">
+                <StringValue>UseSecureCookies=0=no</StringValue>
+                <StringValue>FCCCompatMode=0=no</StringValue>
+                <StringValue>#EnableFormCache=0=</StringValue>
+                <StringValue>#LogoffUri=0=</StringValue>
+                <StringValue>LogFileName=0=</StringValue>
+                <StringValue>RequireCookies=0=yes</StringValue>
+                <StringValue>MaxUrlSize=0=4097</StringValue>
+                <StringValue>LegacyVariables=0=yes</StringValue>
+                <StringValue>CssChecking=0=yes</StringValue>
+                <StringValue>UseSecureCPCookies=0=no</StringValue>
+                <StringValue>#FormCacheTimeOut=0=</StringValue>
+                <StringValue>TransientIPCheck=0=no</StringValue>
+                <StringValue>ConstructFullPwsvcURL=0=no</StringValue>
+                <StringValue>#DlpErrorFile=0=</StringValue>
+                <StringValue>#IgnoreUrl=0=</StringValue>
+                <StringValue>#SSOTrustedZone=0=</StringValue>
+                <StringValue>#MaxTimeoutURL=0=</StringValue>
+                <StringValue>TargetAsRelativeURI=0=no</StringValue>
+                <StringValue>LogAppend=0=no</StringValue>
+                <StringValue>MaxSessionCacheSize=0=750</StringValue>
+                <StringValue>#ForceGetSessionData=0=</StringValue>
+                <StringValue>LogFileSize=0=100</StringValue>
+                <StringValue>#PreserveHeaders=0=</StringValue>
+                <StringValue>#BadFormChars=0=%3C%2C%3E%2C%26%2C%2522</StringValue>
+                <StringValue>#EnableWebAgent=0=</StringValue>
+                <StringValue>#ValidTargetDomain=0=no</StringValue>
+                <StringValue>EnableMonitoring=0=yes</StringValue>
+                <StringValue>#TraceDelimiter=0=</StringValue>
+                <StringValue>CookieDomainScope=0=0</StringValue>
+                <StringValue>#EnableNTChallengeResponse=0=</StringValue>
+                <StringValue>SessionUpdatePeriod=0=60</StringValue>
+                <StringValue>#CustomIpHeader=0=no</StringValue>
+                <StringValue>#ExpireForProxy=0=</StringValue>
+                <StringValue>DefaultAgentName=2=agent_waop</StringValue>
+                <StringValue>#LogLocalTime=0=yes</StringValue>
+                <StringValue>#ProxyHeadersAutoAuth10=0=</StringValue>
+                <StringValue>#OverlookSessionForMethods=0=no</StringValue>
+                <StringValue>#StoreSessioninServer=0=</StringValue>
+                <StringValue>#OverlookSessionForMethodUri=0=</StringValue>
+                <StringValue>#BadQueryChars=0=</StringValue>
+                <StringValue>#ProxyHeadersAutoAuth=0=</StringValue>
+                <StringValue>#DlpSupportEnabled=0=None</StringValue>
+                <StringValue>#SecureApps=0=yes</StringValue>
+                <StringValue>#HostConfigFile=0=</StringValue>
+                <StringValue>ProxyTimeout=0=120</StringValue>
+                <StringValue>DisableDotDotRule=0=no</StringValue>
+                <StringValue>#LegacyTransferEncoding=0=</StringValue>
+                <StringValue>#LegacyEncoding=0=</StringValue>
+                <StringValue>#AcceptTPCookie=0=</StringValue>
+                <StringValue>#FCCForcelsProtected=0=</StringValue>
+                <StringValue>TraceFile=0=no</StringValue>
+                <StringValue>#4xCompatMode=0=</StringValue>
+                <StringValue>UseAnonAccess=0=no</StringValue>
+                <StringValue>MaxResourceCacheSize=0=750</StringValue>
+                <StringValue>#PostPreservationFile=0=</StringValue>
+                <StringValue>#EnableAccounting=0=</StringValue>
+                <StringValue>EnforcePolicies=0=yes</StringValue>
+                <StringValue>LimitCookieProvider=0=no</StringValue>
+                <StringValue>#CssErrorfile=0=</StringValue>
+                <StringValue>#IdleTimeoutURL=0=</StringValue>
+                <StringValue>#Custom401ErrorFile=0=no</StringValue>
+                <StringValue>TraceAppend=0=no</StringValue>
+                <StringValue>#UseServerRequestIp=0=no</StringValue>
+                <StringValue>PersistentIPCheck=0=yes</StringValue>
+                <StringValue>#LegacyCookieProvider=0=no</StringValue>
+                <StringValue>PersistentCookies=0=no</StringValue>
+                <StringValue>#LegacyPostPreservationEncoding=0=</StringValue>
+                <StringValue>#LegalHostNameChars=0=</StringValue>
+                <StringValue>SFCCExt=0=.sfcc</StringValue>
+                <StringValue>#ReqCookieErrorFile=0=</StringValue>
+                <StringValue>#DefaultHostName=0=</StringValue>
+                <StringValue>EnableAuditing=0=no</StringValue>
+                <StringValue>FCCExt=0=.fcc</StringValue>
+                <StringValue>#BadCssChars=0=</StringValue>
+                <StringValue>#SharedSecret=0=</StringValue>
+                <StringValue>#TrackSessionDomain=0=</StringValue>
+                <StringValue>#RequireClientIP=0=</StringValue>
+                <StringValue>#ProxyHeadersDefaultTime=0=</StringValue>
+                <StringValue>#IgnoreCPFornotprotected=0=no</StringValue>
+                <StringValue>#DefaultLocale=0=</StringValue>
+                <StringValue>#UseHTTPOnlyCookies=0=</StringValue>
+                <StringValue>BadUrlChars=0=%2F%2F%2C.%2F%2C%2F.%2C%2F%2A%2C%2A.%2C~%2C%5C%2C%2500-%251f%2C%257f</StringValue>
+                <StringValue>EnableCookieProvider=0=yes</StringValue>
+                <StringValue>#CslCertUniqueAttribute=0=</StringValue>
+                <StringValue>CacheAnonymous=0=no</StringValue>
+                <StringValue>#XFrameOptions=0=</StringValue>
+                <StringValue>#HttpServicePrincipal=0=</StringValue>
+                <StringValue>DecodeQueryData=0=no</StringValue>
+                <StringValue>#AgentNamesAreFQHostNames=0=no</StringValue>
+                <StringValue>CCCExt=0=.ccc</StringValue>
+                <StringValue>#LowerCaseHTTP=0=yes</StringValue>
+                <StringValue>#CookieValidationPeriod=0=no</StringValue>
+                <StringValue>#PreservePostData=0=yes</StringValue>
+                <StringValue>SetRemoteUser=0=no</StringValue>
+                <StringValue>#ProxyHeadersTimeOutPercentage=0=</StringValue>
+                <StringValue>ProxyTrust=0=no</StringValue>
+                <StringValue>#LowerCaseProtocolSpecifier=0=</StringValue>
+                <StringValue>#SaveCredsTimeout=0=720</StringValue>
+                <StringValue>TraceConfigFile=0=</StringValue>
+                <StringValue>#DeleteCerts=0=no</StringValue>
+                <StringValue>#IgnoreHost=0=</StringValue>
+                <StringValue>#ClientLocalePreferred=0=no</StringValue>
+                <StringValue>ResourceCacheTimeout=0=600</StringValue>
+                <StringValue>AllowLocalConfig=0=no</StringValue>
+                <StringValue>CookieDomain=0=</StringValue>
+                <StringValue>#ProxyHeadersUnprotected10=0=</StringValue>
+                <StringValue>#UseSecureCPCookies=0=</StringValue>
+                <StringValue>#AutoAuthorizeOptions=0=</StringValue>
+                <StringValue>AllowCacheHeaders=0=no</StringValue>
+                <StringValue>SessionGracePeriod=0=30</StringValue>
+                <StringValue>#IgnoreXMLSDK=0=</StringValue>
+                <StringValue>#UseSessionForAnonymous=0=</StringValue>
+                <StringValue>#SSOZoneName=0=</StringValue>
+                <StringValue>TraceFileName=0=</StringValue>
+                <StringValue>#MasterCookiePath=0=%2Froot</StringValue>
+                <StringValue>#TraceFormat=0=</StringValue>
+                <StringValue>DisableAuthSrcVars=0=no</StringValue>
+                <StringValue>#OverlookSessionForUrls=0=no</StringValue>
+                <StringValue>#CookiePathScope=0=%2Froot</StringValue>
+                <StringValue>#ProxyHeadersProtected=0=</StringValue>
+                <StringValue>DisableSessionVars=0=no</StringValue>
+                <StringValue>#ProxyDefinition=0=no</StringValue>
+                <StringValue>#AgentWaitTime=0=5</StringValue>
+                <StringValue>#CookiePath=0=no</StringValue>
+                <StringValue>#ProxyHeadersUnprotected=0=</StringValue>
+                <StringValue>#SecureURLs=0=</StringValue>
+                <StringValue>#EncryptAgentName=0=yes</StringValue>
+                <StringValue>IgnoreQueryData=0=no</StringValue>
+                <StringValue>TraceFileSize=0=100</StringValue>
+                <StringValue>TransientIDCookies=0=no</StringValue>
+                <StringValue>#TraceFilesToKeep=0=</StringValue>
+                <StringValue>#KCCExt=0=</StringValue>
+                <StringValue>SCCExt=0=.scc</StringValue>
+                <StringValue>#WebAppClientResponse=0=Resource%3D%7CMethod%3D%7CStatus%3D%7CBody%3D%7CContent-Type%3D%7CCharset%3D</StringValue>
+                <StringValue>#ProxyHeadersProtected10=0=</StringValue>
+                <StringValue>#CookieProvider=0=</StringValue>
+                <StringValue>#ExpiredCookieURL=0=</StringValue>
+                <StringValue>Logfile=0=no</StringValue>
+                <StringValue>ProxyAgent=0=no</StringValue>
+                <StringValue>DisableUserNameVars=0=no</StringValue>
+                <StringValue>#SmpsServicePrincipal=0=</StringValue>
+                <StringValue>#EnforceRealmTimeouts=0=no</StringValue>
+                <StringValue>#ConformToRFC2047=0=yes</StringValue>
+                <StringValue>#ForceCookieDomain=0=no</StringValue>
+                <StringValue>#RemoteUserVar=0=</StringValue>
+                <StringValue>#AgentName=0=</StringValue>
+                <StringValue>#Localization=0=yes</StringValue>
+                <StringValue>#EnableFccWindowsAuth=0=no</StringValue>
+                <StringValue>#HttpheaderEncodingSpec=0=</StringValue>
+                <StringValue>PSPollInterval=0=30</StringValue>
+                <StringValue>#DisableDNSLookup=0=</StringValue>
+                <StringValue>#HttpsPorts=0=no</StringValue>
+                <StringValue>#DisallowUTF8NonCanonical=0=</StringValue>
+                <StringValue>#ForceFQHost=0=no</StringValue>
+                <StringValue>#DlpExclusionList=0=.aspx%2C.html%2C.htm%2C.ico%2C.jpg</StringValue>
+                <StringValue>#CslMaxCacheEntries=0=1000</StringValue>
+                <StringValue>#ServerErrorFile=0=</StringValue>
+                <StringValue>#LogFilesToKeep=0=</StringValue>
+                <StringValue>#GetPortFromHeaders=0=no</StringValue>
+                <StringValue>IgnoreExt=0=.class%2C.gif%2C.jpg%2C.jpeg%2C.png%2C.fcc%2C.scc%2C.sfcc%2C.ccc%2C.ntc%2C.sac</StringValue>
+                <StringValue>NTCExt=0=.ntc</StringValue>
+                <StringValue>OverrideIgnoreExtFilter=0=</StringValue>
+            </Property><!-- Name="CA.SM::AgentConfig.Attributes" -->
+            <Property Name="CA.SM::AgentConfig.Name">
+                <StringValue>ACO_WAOP</StringValue>
+            </Property>
+            <Property Name="CA.SM::AgentConfig.Desc">
+                <StringValue>Option Pack&apos;s Agent Configuration</StringValue>
+            </Property>
+        </Object><!-- Xid="CA.SM::AgentConfig@21-0006cccd-f595-14ea-b2ed-00017f0090ad" -->
+        <Object Class="CA.SM::UserDirectory" Xid="CA.SM::UserDirectory@0e-000bf2ee-f463-14ea-b2ed-00017f0090ad" CreatedDateTime="2015-02-23T09:35:31" UpdatedBy="siteminder" UpdateMethod="GUI" ExportType="Add">
+            <Property Name="CA.SM::UserDirectory.UseAdvancedAuthStore">
+                <BooleanValue>false</BooleanValue>
+            </Property>
+            <Property Name="CA.SM::UserDirectory.SearchScope">
+                <NumberValue>2</NumberValue>
+            </Property>
+            <Property Name="CA.SM::UserDirectory.EnableSecurityContext">
+                <BooleanValue>false</BooleanValue>
+            </Property>
+            <Property Name="CA.SM::UserDirectory.SearchRoot">
+                <LinkValue><XREF>Ref00003</XREF></LinkValue>
+            </Property>
+            <Property Name="CA.SM::UserDirectory.Name">
+                <StringValue>DIR_ACME</StringValue>
+            </Property>
+            <Property Name="CA.SM::UserDirectory.RequireCredentials">
+                <BooleanValue>false</BooleanValue>
+            </Property>
+            <Property Name="CA.SM::UserDirectory.EmailAddrAttribute">
+                <StringValue>mail</StringValue>
+            </Property>
+            <Property Name="CA.SM::UserDirectory.SecureConnection">
+                <BooleanValue>false</BooleanValue>
+            </Property>
+            <Property Name="CA.SM::UserDirectory.UserLookupEnd">
+                <StringValue>)</StringValue>
+            </Property>
+            <Property Name="CA.SM::UserDirectory.Desc">
+                <StringValue>ACME Users</StringValue>
+            </Property>
+            <Property Name="CA.SM::UserDirectory.Server">
+                <LinkValue><XREF>Ref00002</XREF></LinkValue>
+            </Property>
+            <Property Name="CA.SM::UserDirectory.UserLookupStart">
+                <StringValue>(uid=</StringValue>
+            </Property>
+            <Property Name="CA.SM::UserDirectory.SearchTimeout">
+                <NumberValue>30</NumberValue>
+            </Property>
+            <Property Name="CA.SM::UserDirectory.SearchResults">
+                <NumberValue>0</NumberValue>
+            </Property>
+            <Property Name="CA.SM::UserDirectory.Namespace">
+                <StringValue>LDAP:</StringValue>
+            </Property>
+        </Object><!-- Xid="CA.SM::UserDirectory@0e-000bf2ee-f463-14ea-b2ed-00017f0090ad" -->
+        <Object Class="CA.SM::HostConfig" Xid="CA.SM::HostConfig@21-000c9cb1-f404-14ea-b2ed-00017f0090ad" CreatedDateTime="2015-02-23T09:33:56" UpdatedBy="siteminder" UpdateMethod="GUI" ExportType="Add">
+            <Property Name="CA.SM::HostConfig.NewSocketStep">
+                <NumberValue>2</NumberValue>
+            </Property>
+            <Property Name="CA.SM::HostConfig.MinSocketsPerPort">
+                <NumberValue>2</NumberValue>
+            </Property>
+            <Property Name="CA.SM::HostConfig.EnableFailOver">
+                <BooleanValue>true</BooleanValue>
+            </Property>
+            <Property Name="CA.SM::HostConfig.PolicyServer">
+                <LinkValue><XREF>Ref00001</XREF></LinkValue>
+            </Property>
+            <Property Name="CA.SM::HostConfig.Name">
+                <StringValue>HCO_Local</StringValue>
+            </Property>
+            <Property Name="CA.SM::HostConfig.Desc">
+                <StringValue>Local Policy Server</StringValue>
+            </Property>
+            <Property Name="CA.SM::HostConfig.RequestTimeout">
+                <NumberValue>60</NumberValue>
+            </Property>
+            <Property Name="CA.SM::HostConfig.MaxSocketsPerPort">
+                <NumberValue>20</NumberValue>
+            </Property>
+        </Object><!-- Xid="CA.SM::HostConfig@21-000c9cb1-f404-14ea-b2ed-00017f0090ad" -->
+        <Object Class="CA.SM::AuthScheme" Xid="CA.SM::AuthScheme@0d-00067686-f4a6-14ea-b2ed-00017f0090ad" CreatedDateTime="2015-02-23T09:36:38" UpdatedBy="siteminder" UpdateMethod="GUI" ExportType="Add">
+            <Property Name="CA.SM::AuthScheme.PersistSessionVars">
+                <BooleanValue>false</BooleanValue>
+            </Property>
+            <Property Name="CA.SM::AuthScheme.Name">
+                <StringValue>AS_Form</StringValue>
+            </Property>
+            <Property Name="CA.SM::AuthScheme.AllowAuthLevelOverride">
+                <BooleanValue>false</BooleanValue>
+            </Property>
+            <Property Name="CA.SM::AuthScheme.IsRadius">
+                <BooleanValue>false</BooleanValue>
+            </Property>
+            <Property Name="CA.SM::AuthScheme.AllowSaveCreds">
+                <BooleanValue>false</BooleanValue>
+            </Property>
+            <Property Name="CA.SM::AuthScheme.SupportsValidateIdentity">
+                <BooleanValue>false</BooleanValue>
+            </Property>
+            <Property Name="CA.SM::AuthScheme.IgnorePwCheck">
+                <BooleanValue>false</BooleanValue>
+            </Property>
+            <Property Name="CA.SM::AuthScheme.IsUsedbyAdmin">
+                <BooleanValue>false</BooleanValue>
+            </Property>
+            <Property Name="CA.SM::AuthScheme.Desc">
+                <StringValue>HTML Form Authentication Scheme</StringValue>
+            </Property>
+            <Property Name="CA.SM::AuthScheme.Level">
+                <NumberValue>5</NumberValue>
+            </Property>
+            <Property Name="CA.SM::AuthScheme.IsTemplate">
+                <BooleanValue>false</BooleanValue>
+            </Property>
+            <Property Name="CA.SM::AuthScheme.Param">
+                <StringValue>/siteminderagent/forms/login.fcc;ACS=0;REL=1</StringValue>
+            </Property>
+            <Property Name="CA.SM::AuthScheme.Library">
+                <StringValue>smauthhtml</StringValue>
+            </Property>
+            <Property Name="CA.SM::AuthScheme.Type">
+                <NumberValue>4</NumberValue>
+            </Property>
+        </Object><!-- Xid="CA.SM::AuthScheme@0d-00067686-f4a6-14ea-b2ed-00017f0090ad" -->
+    </PolicyData>
+</XPS>
+<!-- 11:45:51 2015-02-23 -->

OneAccess-Ansible-Playbook/roles/siteminder-policy-server/files/sm.registry.patch

@@ -0,0 +1,48 @@
+45a46
+> Enabled=              	                  0x1;	REG_DWORD
+53a55
+> Enabled=              	                    0;	REG_DWORD
+60a63
+> Enabled=              	                    0;	REG_DWORD
+174a178
+> Enabled=              	                  0x1;	REG_DWORD
+185a190
+> Enabled=              	                  0x1;	REG_DWORD
+210,211c215,216
+< RolloverOnStart=      	                  0x1;	REG_DWORD
+< RolloverSize=         	                  0xa;	REG_DWORD
+---
+> RolloverOnStart=      	                    0;	REG_DWORD
+> RolloverSize=         	                    0;	REG_DWORD
+227,228c232,233
+< TraceRolloverOnStart= 	                  0x1;	REG_DWORD
+< TraceRolloverSize=    	                  0xa;	REG_DWORD
+---
+> TraceRolloverOnStart= 	                    0;	REG_DWORD
+> TraceRolloverSize=    	                    0;	REG_DWORD
+244a250
+> KeyStoreProviderNamespace=	                LDAP:;	REG_SZ
+293,297c299,303
+< AffiliateFilter=      	                    0;	REG_DWORD
+< AnonymousAuthFilter=  	                    0;	REG_DWORD
+< AnonymousAzFilter=    	                    0;	REG_DWORD
+< AuthFilter=           	                    0;	REG_DWORD
+< AzFilter=             	                    0;	REG_DWORD
+---
+> AffiliateFilter=      	                  0x1;	REG_DWORD
+> AnonymousAuthFilter=  	                  0x1;	REG_DWORD
+> AnonymousAzFilter=    	                  0x1;	REG_DWORD
+> AuthFilter=           	                  0x1;	REG_DWORD
+> AzFilter=             	                  0x1;	REG_DWORD
+299a306
+> LogAccess=            	                  0x1;	REG_DWORD
+303,304c310,311
+< RolloverOnStart=      	                  0x1;	REG_DWORD
+< RolloverSize=         	                  0xa;	REG_DWORD
+---
+> RolloverOnStart=      	                    0;	REG_DWORD
+> RolloverSize=         	                    0;	REG_DWORD
+310c317
+< UserAdminFilter=      	                    0;	REG_DWORD
+---
+> UserAdminFilter=      	                  0x1;	REG_DWORD

OneAccess-Ansible-Playbook/roles/siteminder-policy-server/tasks/main.yml

@@ -0,0 +1,247 @@
+---
+  - name: This module only works on CentOS 6
+    assert:
+      that:
+        - "ansible_os_family == 'RedHat'"
+
+  - name: Create the 'smuser' user
+    user: name={{ sm_user }} comment="CA SiteMinder User" shell=/bin/ksh
+    tags: user
+
+  - name: Set SSH key for smuser
+    authorized_key: user={{ sm_user }} key="{{ ansible_ssh_public_key }}" manage_dir=yes
+    tags: user
+
+  - name: Set the required .profile for smuser
+    template: src=profile dest=/home/{{ sm_user }}/.profile
+    sudo_user: "{{ sm_user }}"
+    tags: user
+
+  - name: Copy the SiteMinder Policy Server files to sources_dir
+    unarchive: creates={{ sources_dir }}/ps-12.52-sp01-linux src=GEN08170134E-PolicyServerLinux.zip dest={{ sources_dir }}
+
+  - name: Copy the unattended installation response file
+    template: src=ca-ps-installer.properties dest={{ sources_dir }}/ca-ps-installer.properties
+
+  - name: Create the installation dir
+    file: path={{ sm_home }} owner={{ sm_user }} state=directory
+
+  - name: Install SiteMinder (warning, no check !)
+    command: creates={{ sm_home }}/siteminder {{ sources_dir }}/ps-12.52-sp01-linux/ca-ps-12.52-sp01-linux.bin -f {{ sources_dir }}/ca-ps-installer.properties -i silent
+    sudo_user: "{{ sm_user }}"
+    ignore_errors: yes
+
+  - name: Copy smreg
+    command: install {{ sources_dir }}/ps-12.52-sp01-linux/smreg {{ sm_home }}/siteminder/bin/smreg -m 755 -o {{ sm_user }}
+
+  - name: Create the SiteMinderPS DSA
+    command: creates={{ dx_home }}/dxserver/config/knowledge/SiteMinderPS.dxc /bin/sh -l -c "dxnewdsa SiteMinderPS {{ sm_policy_store_port }} 'ou=PS,o=SiteMinder'"
+    sudo_user: "{{ dx_user }}"
+
+  - name: Flag the SiteMinderPS DSA as "autostart"
+    file: path={{ dx_home }}/dxserver/config/autostart/SiteMinderPS state=touch
+    sudo_user: "{{ dx_user }}"
+
+  - name: Copy netegrity.dxc to the right place
+    command: creates={{ dx_home }}/dxserver/config/schema/netegrity.dxc install -m 644 -o {{ dx_user }} -g {{ dx_group }} {{ sm_home }}/siteminder/eTrust/netegrity.dxc {{ dx_home }}/dxserver/config/schema/netegrity.dxc
+
+  - name: Copy etrust.dxc to the right place
+    command: creates={{ dx_home }}/dxserver/config/schema/etrust.dxc install -m 644 -o {{ dx_user }} -g {{ dx_group }} {{ sm_home }}/siteminder/xps/db/etrust.dxc {{ dx_home }}/dxserver/config/schema/etrust.dxc
+
+  - name: Create the smdsa.dxg (custom schema)
+    template: dest={{ dx_home }}/dxserver/config/schema/smdsa.dxg src=smdsa.dxg owner={{ sm_user }} mode=0644
+    tags: config
+
+  - name: Enable the custom schema
+    lineinfile: dest={{ dx_home }}/dxserver/config/servers/SiteMinderPS.dxi state=present regexp='^source "../schema/[a-z]+.dxg";' line='source "../schema/smdsa.dxg";'
+    tags: config
+
+  - name: Set config 'ignore-name-bindings'
+    lineinfile: dest={{ dx_home }}/dxserver/config/servers/SiteMinderPS.dxi state=present insertafter="EOF" line='set ignore-name-bindings = true;'
+    tags: config
+
+  - name: Create the smdsa.dxc (custom limits)
+    template: dest={{ dx_home }}/dxserver/config/limits/smdsa.dxc src=smdsa.dxc owner={{ dx_user }} mode=0644
+    tags: config
+
+  - name: Bind SiteMinderPS DSA on 127.0.0.1 only
+    lineinfile: dest="{{ dx_home }}/dxserver/config/knowledge/SiteMinderPS.dxc" line='    bind-address = "127.0.0.1"' insertafter="^\s*address\s*=" regexp='^\s*bind-address\s*='
+    sudo_user: "{{ dx_user }}"
+    tags: config
+
+  - name: Bind SiteMinderPS DSA on 127.0.0.1 only
+    lineinfile: dest="{{ dx_home }}/dxserver/config/knowledge/SiteMinderPS.dxc" line='    address       = tcp "127.0.0.1" port \1' regexp='^\s*address\s*=\s*tcp\s*"[^"]*"\s*port\s*([0-9]+)' backrefs=yes
+    sudo_user: "{{ dx_user }}"
+    tags: config
+
+  - name: Enable the custom limits
+    lineinfile: dest={{ dx_home }}/dxserver/config/servers/SiteMinderPS.dxi state=present regexp='^source "../limits/[a-z]+.dxc";' line='source "../limits/smdsa.dxc";'
+    tags: config
+
+  - name: Copy the initial DSA to the sources dir
+    template: src=sm-ps.ldif dest={{ sources_dir }}/sm-ps.ldif
+
+  - name: Stop the SiteMinderPS DSA
+    command: /bin/sh -l -c "dxserver stop SiteMinderPS"
+    sudo_user: "{{ dx_user }}"
+
+  - name: Load the LDIF into the SiteMinderPS datastore
+    command: /bin/sh -l -c "dxloaddb SiteMinderPS {{ sources_dir }}/sm-ps.ldif"
+    sudo_user: "{{ dx_user }}"
+
+  - name: Start the SiteMinderPS DSA
+    command: /bin/sh -l -c "dxserver start SiteMinderPS"
+    sudo_user: "{{ dx_user }}"
+
+  - name: Register the SiteMinder Policy Store
+    command: /bin/ksh -l -c "smldapsetup reg -hlocalhost -p{{ sm_policy_store_port }} -dcn=DXAdmin,ou=PS,o=SiteMinder -wpassword -rou=PS,o=SiteMinder -v"
+    sudo_user: "{{ sm_user }}"
+
+  - name: Set the SiteMinder admin password
+    command: /bin/ksh -l -c "smreg -su {{ sm_admin_password }}"
+    sudo_user: "{{ sm_user }}"
+
+  - name: Run XPSDDInstall
+    command: chdir={{ sm_home }}/siteminder/xps/dd /bin/ksh -l -c "XPSDDInstall SmMaster.xdd"
+    sudo_user: "{{ sm_user }}"
+
+  - name: Run XPSImport
+    command: chdir={{ sm_home }}/siteminder/db /bin/ksh -l -c "XPSImport smpolicy.xml -npass"
+    sudo_user: "{{ sm_user }}"
+
+  - name: Disable the Healh Monitor
+    lineinfile: dest={{ sm_home }}/siteminder/config/siteminder.conf state=present regexp='^MONITOR_ENABLED=[a-zA-Z]+' line='MONITOR_ENABLED=no'
+    sudo_user: "{{ sm_user }}"
+    tags: config
+
+  - name: Make a copy of the SiteMinder registry
+    command: creates={{ sm_home }}/siteminder/registry/sm.registry.initial cp {{ sm_home }}/siteminder/registry/sm.registry {{ sm_home }}/siteminder/registry/sm.registry.initial
+    sudo_user: "{{ sm_user }}"
+
+  - name: Upload the patch file
+    copy: src=sm.registry.patch dest={{ sources_dir }}/sm.registry.patch
+
+  - name: Patch the SiteMinder registry
+    command: patch {{ sm_home }}/siteminder/registry/sm.registry {{ sources_dir }}/sm.registry.patch
+    sudo_user: "{{ sm_user }}"
+
+  - name: Create the SiteMinderSS DSA
+    command: creates={{ dx_home }}/dxserver/config/knowledge/SiteMinderSS.dxc /bin/sh -l -c "dxnewdsa SiteMinderSS {{ sm_session_store_port }} 'ou=SS,o=SiteMinder'"
+    sudo_user: "{{ dx_user }}"
+    when: sm_session_store_port is defined
+    tags: session-store
+
+  - name: Flag the SiteMinderSS DSA as "autostart"
+    file: path={{ dx_home }}/dxserver/config/autostart/SiteMinderSS state=touch
+    sudo_user: "{{ dx_user }}"
+    when: sm_session_store_port is defined
+    tags: session-store
+
+  - name: Enable the custom schema
+    lineinfile: dest={{ dx_home }}/dxserver/config/servers/SiteMinderSS.dxi state=present regexp='^source "../schema/[a-z]+.dxg";' line='source "../schema/smdsa.dxg";'
+    sudo_user: "{{ dx_user }}"
+    when: sm_session_store_port is defined
+    tags:
+      - config
+      - session-store
+
+  - name: Set config 'ignore-name-bindings'
+    lineinfile: dest={{ dx_home }}/dxserver/config/servers/SiteMinderSS.dxi state=present insertafter="EOF" line='set ignore-name-bindings = true;'
+    sudo_user: "{{ dx_user }}"
+    when: sm_session_store_port is defined
+    tags:
+      - config
+      - session-store
+
+  - name: Bind SiteMinderSS DSA on 127.0.0.1 only
+    lineinfile: dest="{{ dx_home }}/dxserver/config/knowledge/SiteMinderSS.dxc" line='    bind-address = "127.0.0.1"' insertafter="^\s*address\s*=" regexp='^\s*bind-address\s*='
+    sudo_user: "{{ dx_user }}"
+    when: sm_session_store_port is defined
+    tags:
+      - config
+      - session-store
+
+  - name: Bind SiteMinderSS DSA on 127.0.0.1 only
+    lineinfile: dest="{{ dx_home }}/dxserver/config/knowledge/SiteMinderSS.dxc" line='    address       = tcp "127.0.0.1" port \1' regexp='^\s*address\s*=\s*tcp\s*"[^"]*"\s*port\s*([0-9]+)' backrefs=yes
+    sudo_user: "{{ dx_user }}"
+    when: sm_session_store_port is defined
+    tags:
+      - config
+      - session-store
+
+  - name: Set "cache-index-all-except = smVariableValue,smsessionblob"
+    lineinfile: dest="{{ dx_home }}/dxserver/config/servers/SiteMinderSS.dxi" line='set cache-index-all-except = smVariableValue,smsessionblob;' regexp='^\s*set\s+cache-index-all-except\s*=\s*' insertbefore=EOF
+    sudo_user: "{{ dx_user }}"
+    when: sm_session_store_port is defined
+    tags:
+      - config
+      - session-store
+
+  - name: Set "lookup-cache = true"
+    lineinfile: dest="{{ dx_home }}/dxserver/config/servers/SiteMinderSS.dxi" line='set lookup-cache = true;' regexp='^\s*set\s+lookup-cache\s*=\s*' insertbefore=EOF
+    sudo_user: "{{ dx_user }}"
+    when: sm_session_store_port is defined
+    tags:
+      - config
+      - session-store
+
+  - name: Set "disable-transaction-log-flush = true"
+    lineinfile: dest="{{ dx_home }}/dxserver/config/servers/SiteMinderSS.dxi" line='set disable-transaction-log-flush = true;' regexp='^\s*set\s+disable-transaction-log-flush\s*=\s*' insertbefore=EOF
+    sudo_user: "{{ dx_user }}"
+    when: sm_session_store_port is defined
+    tags:
+      - config
+      - session-store
+
+  - name: Set "disable-transaction-log = true"
+    lineinfile: dest="{{ dx_home }}/dxserver/config/servers/SiteMinderSS.dxi" line='set disable-transaction-log = true;' regexp='^\s*set\s+disable-transaction-log\s*=\s*' insertbefore=EOF
+    sudo_user: "{{ dx_user }}"
+    when: sm_session_store_port is defined
+    tags:
+      - config
+      - session-store
+
+  - name: Enable the custom limits
+    lineinfile: dest={{ dx_home }}/dxserver/config/servers/SiteMinderSS.dxi state=present regexp='^source "../limits/[a-z]+.dxc";' line='source "../limits/smdsa.dxc";'
+    when: sm_session_store_port is defined
+    tags:
+      - config
+      - session-store
+
+  - name: Copy the initial DSA to the sources dir
+    template: src=sm-ss.ldif dest={{ sources_dir }}/sm-ss.ldif
+    when: sm_session_store_port is defined
+    tags: session-store
+
+  - name: Stop the SiteMinderPS DSA
+    command: /bin/sh -l -c "dxserver stop SiteMinderSS"
+    sudo_user: "{{ dx_user }}"
+    when: sm_session_store_port is defined
+    tags: session-store
+
+  - name: Load the LDIF into the SiteMinderSS datastore
+    command: /bin/sh -l -c "dxloaddb SiteMinderSS {{ sources_dir }}/sm-ss.ldif"
+    sudo_user: "{{ dx_user }}"
+    when: sm_session_store_port is defined
+    tags: session-store
+
+  - name: Start the SiteMinderSS DSA
+    command: /bin/sh -l -c "dxserver start SiteMinderSS"
+    sudo_user: "{{ dx_user }}"
+    when: sm_session_store_port is defined
+    tags: session-store
+
+  - name: Upload the patch file to register the Session Store
+    template: src=sm-ss.registry.patch dest={{ sources_dir }}/sm-ss.registry.patch
+    when: sm_session_store_port is defined
+    tags: session-store
+
+  - name: Patch the SiteMinder registry to register the Session Store
+    command: patch {{ sm_home }}/siteminder/registry/sm.registry {{ sources_dir }}/sm-ss.registry.patch
+    sudo_user: "{{ sm_user }}"
+    when: sm_session_store_port is defined
+    tags: session-store
+
+  - name: Start the SiteMinder Policy Server
+    command: /bin/ksh -l -c "start-ps"
+    sudo_user: "{{ sm_user }}"

OneAccess-Ansible-Playbook/roles/siteminder-policy-server/templates/ca-ps-installer.properties

@@ -0,0 +1,87 @@
+### General Information
+DEFAULT_INSTALL_DIR={{ sm_home }}/siteminder
+DEFAULT_SHORTCUTS_DIR=
+DEFAULT_JRE_ROOT={{ java_home }}/jre
+DEFAULT_BROWSER=
+DEFAULT_SMPROFILE_CHOICE=
+DEFAULT_ENCRYPTKEY={{ sm_encryption_key }}
+CA_SM_PS_FIPS140=COMPAT
+
+### Feature Selection
+DEFAULT_OVMGUI_CHOICE=false
+DEFAULT_WEBSERVERS_CHOICE=false
+DEFAULT_SNMP_CHOICE=false
+DEFAULT_POLICYSTORE_CHOICE=false
+
+## Adding this key value pair to support silent install ADAM policy store
+DEFAULT_XPS_POLICYSTORE_TYPE=
+
+### OneView Monitor GUI
+DEFAULT_JDK_ROOT=
+DEFAULT_SERVLETEXEC_INSTANCE_NAME=
+DEFAULT_SERVLETEXEC_ROOT=
+
+### Web Server(s)
+# This is a list of web server instance information.
+#   Format:       instance_name_1,root_folder_1;instance_name_2,root_folder_2; etc...
+#   Examples:     To configure IIS,
+#                 DEFAULT_WEBSERVER_INFO=IIS,
+#                 To configure Apache and a Sun instance,
+#                 DEFAULT_WEBSERVER_INFO=,/usr/apache2;suninstance,/usr/sunwebserverroot
+#
+DEFAULT_WEBSERVER_INFO=
+DEFAULT_WEBSERVER_ROOT=
+
+### SNMP
+# DEFAULT_ROOT_PW=<To define cleartext root password, insert string here and uncomment line.>
+ENCRYPTED_ROOT_PW=
+
+
+### Policy Store
+### For LDAP, DEFAULT_POLICYSTORE_TYPE=LDAP and for ODBC DEFAULT_POLICYSTORE_TYPE=RDB
+DEFAULT_POLICYSTORE_TYPE=
+DEFAULT_POLICYSTORE_IP=
+DEFAULT_POLICYSTORE_PORT=
+DEFAULT_POLICYSTORE_ADMINDN=
+# DEFAULT_POLICYSTORE_ADMINPW=<To define cleartext LDAP Admin password, insert string here and uncomment line.>
+ENCRYPTED_POLICYSTORE_ADMINPW=
+DEFAULT_POLICYSTORE_ROOTDN=
+DEFAULT_POLICYSTORE_USER_CHOICE=
+DEFAULT_POLICYSTORE_USERDN=
+# DEFAULT_POLICYSTORE_USERPW=<To define cleartext LDAP user password, insert string here and uncomment line.>
+ENCRYPTED_POLICYSTORE_USERPW=
+DEFAULT_INIT_POLICYSTORE_CHOICE=false
+# DEFAULT_SM_ADMINPW=<To define cleartext LDAP SiteMinder Super User password, insert string here and uncomment line.>
+ENCRYPTED_SM_ADMINPW=
+
+### Policy Store ODBC
+## Supported RDB Types are MS SQL Server2005,2008 and ORACLE10g,11i,12c.
+## In case of Oracle, DEFAULT_RDB_DBNAME should contain Oracle Service Name.
+## In SQL, DEFAULT_RDB_DBNAME should contain SQL Named Instance or Database Name.
+## Possible value for DEFAULT_RDB_DBTYPE, For SQL - DB_MSSQL and Oracle - DB_ORACLE
+## Specify a PARAM_DSN value if you want to specify different Database source name. It is an optional.
+DEFAULT_RDB_DSN=
+DEFAULT_RDB_DBSERVER=
+DEFAULT_RDB_DBNAME=
+DEFAULT_RDB_PORT=
+DEFAULT_RDB_USERNAME=
+DEFAULT_RDB_DBTYPE=
+# DEFAULT_RDB_PASSWORD=<To define a clear text password for the database administrator, enter the value here and uncomment the line. >
+ENCRYPTED_RDB_PASSWORD=
+
+
+# Import default CA certificates
+DEFAULT_SMKEYDB_IMPORT_CHOICE=
+
+# Enabling Password Services
+# Supported Password Services are Advanced Password Services (APS), Basic Password Services (BPS)
+PASSWORD_RESULT=Basic Password Services
+
+# Master Key Details
+# Use below key if you want to supply password in plain text
+#MASTER_KEY=
+
+#Use below key to provide Master Key in encrypted format.
+ENCRYPTED_MASTER_KEY=
+
+IS_SA_ENABLED=false

OneAccess-Ansible-Playbook/roles/siteminder-policy-server/templates/profile

@@ -0,0 +1,5 @@
+ulimit -n 1024
+unset LANG
+unset LC_CTYPE
+unset LC_ALL
+. $HOME/CA/siteminder/smprofile.ksh

OneAccess-Ansible-Playbook/roles/siteminder-policy-server/templates/sm-ps.ldif

@@ -0,0 +1,22 @@
+dn: ou=Netegrity,ou=PS,o=SiteMinder
+ou: Netegrity
+objectClass: organizationalUnit
+
+dn: ou=SiteMinder,ou=Netegrity,ou=PS,o=SiteMinder
+ou: SiteMinder
+objectClass: organizationalUnit
+
+dn: ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,ou=PS,o=SiteMinder
+ou: PolicySvr4
+objectClass: organizationalUnit
+
+dn: ou=XPS,ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,ou=PS,o=SiteMinder
+ou: XPS
+objectClass: organizationalUnit
+
+dn: cn=DXAdmin,ou=PS,o=SiteMinder
+cn: DXAdmin
+sn: Admin
+givenName: DX
+userPassword: password
+objectClass: inetOrgPerson

OneAccess-Ansible-Playbook/roles/siteminder-policy-server/templates/sm-ss.ldif

@@ -0,0 +1,14 @@
+dn: ou=SS,o=SiteMinder
+ou: SS
+objectClass: organizationalUnit
+
+dn: ou=SessionStore,ou=SS,o=SiteMinder
+ou: SessionStore
+objectClass: organizationalUnit
+
+dn: cn=DXAdmin,ou=SS,o=SiteMinder
+cn: DXAdmin
+sn: Admin
+givenName: DX
+userPassword: password
+objectClass: inetOrgPerson

OneAccess-Ansible-Playbook/roles/siteminder-policy-server/templates/sm-ss.registry.patch

@@ -0,0 +1,20 @@
+--- sm.registry.20151021	2015-10-21 14:28:48.560915176 +0200
++++ sm.registry	2015-10-21 14:30:37.108915156 +0200
+@@ -194,12 +194,12 @@
+ Version=              	                  5.0;	REG_SZ
+
+ HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\LdapSessionServer=482496606
+-AdminDN=              	                     ;	REG_SZ
+-AdminPW=              	                     ;	REG_SZ
+-Enabled=              	                    0;	REG_DWORD
++AdminDN=              	cn=DXAdmin,ou=SS,o=SiteMinder;	REG_SZ
++AdminPW=              	{RC2}ibeBaU6DvuFsFs02B9BFvn5Iyy0E57CD;	REG_SZ
++Enabled=              	                  0x1;	REG_DWORD
+ MaxConnections=       	                  0xa;	REG_DWORD
+-Server=               	                     ;	REG_SZ
+-SSRootDN=             	                     ;	REG_SZ
++Server=               	      127.0.0.1:{{ sm_session_store_port }};	REG_SZ
++SSRootDN=             	ou=SessionStore,ou=SS,o=SiteMinder;	REG_SZ
+ Use Default=          	                    0;	REG_DWORD
+ Use SSL=              	                    0;	REG_DWORD
+ Version=              	                  5.0;	REG_SZ

OneAccess-Ansible-Playbook/roles/siteminder-policy-server/templates/smdsa.dxc

@@ -0,0 +1,30 @@
+# size limits
+set max-users = 1000;
+set max-op-size = 4000;
+set multi-write-queue = 20000;
+
+# time limits
+set max-bind-time = none;
+set bind-idle-time = 3600;
+set max-op-time = 600;
+
+# size limits
+set credits = 5;
+set max-local-ops = 1000;
+
+##
+## TODO : place me in a separate file !
+##
+
+# Disable log rollover (when possible)
+set rollover-trace-log = false;
+set rollover-alarm-log = false;
+
+# More logs !
+set query-log-advanced = all;
+set update-log-show-values = true;
+set trace-log = "logs/$s_trace.log";
+set query-log = "logs/$s_query.log";
+set update-log = "logs/$s_update.log";
+set connect-log = "logs/$s_connect.log";
+set trace = query;

OneAccess-Ansible-Playbook/roles/siteminder-policy-server/templates/smdsa.dxg

@@ -0,0 +1,7 @@
+source "x500.dxc";
+source "cosine.dxc";
+source "umich.dxc";
+source "inetop.dxc";
+source "dxserver.dxc";
+source "netegrity.dxc";
+source "etrust.dxc";

OneAccess-Ansible-Playbook/roles/siteminder-webagent/files/.gitignore

@@ -0,0 +1,2 @@
+*.tar.gz
+*.zip

OneAccess-Ansible-Playbook/roles/siteminder-webagent/tasks/main.yml

@@ -0,0 +1,84 @@
+---
+
+  - name: This module only works on CentOS 6 x86
+    assert:
+      that:
+        - "ansible_os_family == 'RedHat'"
+
+  - name: Create the 'wauser' user
+    user: name={{ wa_user }} comment="CA SiteMinder Web Agent User"
+    tags: user
+
+  - name: Set SSH key for wauser
+    authorized_key: user={{ wa_user }} key="{{ ansible_ssh_public_key }}" manage_dir=yes
+    tags: user
+
+  - name: Set the required .profile for wauser
+    template: src=profile dest=/home/{{ wa_user }}/.bash_profile
+    sudo_user: "{{ wa_user }}"
+    tags: user
+
+  - name: Create the local dir for the wauser
+    file: path=/home/{{ wa_user }}/local state=directory
+    sudo_user: "{{ wa_user }}"
+
+  - name: Copy the SiteMinder Web Agent files to sources_dir
+    unarchive: creates={{ sources_dir }}/ca-wa-12.52-linux.bin src=smwa-12.52-cr01-linux.zip dest={{ sources_dir }}
+
+  - name: Copy the unattended installation response file
+    template: src=ca-wa-installer.properties dest={{ sources_dir }}/ca-wa-installer.properties
+
+  - name: Run the SiteMinder Web Agent installer
+    command: creates={{ wa_home }}/webagent/bin {{ sources_dir }}/ca-wa-12.52-linux.bin -f {{ sources_dir }}/ca-wa-installer.properties -i silent
+    sudo_user: "{{ wa_user }}"
+    ignore_errors: yes
+
+#
+# Manual Configuration to create :
+#  - agent_default
+#  - ACO_ApacheWebAgent, with DefaultAgentName = agent_default
+#  - HCO_Local
+#
+# TODO : XPS Import
+
+  - name: Configure the SiteMinder Web Agent
+    shell: source {{ wa_home }}/webagent/ca_wa_env.sh && {{ wa_home }}/webagent/ca-wa-config.sh -f {{ sources_dir }}/ca-wa-installer.properties -i silent
+    sudo_user: "{{ wa_user }}"
+    ignore_errors: yes
+
+# In case of failure ?
+#
+#  - name: Run smreghost to catchup configuration script failure
+#    shell: source {{ wa_home }}/webagent/ca_wa_env.sh && {{ wa_home }}/webagent/bin/smreghost -i 127.0.0.1 -u {{ sm_admin_user }} -p {{ sm_admin_password }} -f {{ wa_home }}/webagent/config/SmHost.conf -o -hc HCO_Local -hn {{ inventory_hostname }}
+#    sudo_user: "{{ wa_user }}"
+#
+# and edit conf/WebAgent.conf  to add path to SmHosts
+
+  - name: Copy the SiteMinder Web Agent Option Pack files to sources_dir
+    unarchive: creates={{ sources_dir }}/ca-wa-opack-12.52-linux.bin src=smwaop-12.52-cr01-linux.zip dest={{ sources_dir }}
+
+  - name: Copy the unattended installation response file
+    template: src=ca-wa-opack-installer.properties dest={{ sources_dir }}/ca-wa-opack-installer.properties
+
+  - name: Run the SiteMinder Web Agent Option Pack installer
+    command: creates={{ wa_home }}/webagent/affwebservices {{ sources_dir }}/ca-wa-opack-12.52-linux.bin -f {{ sources_dir }}/ca-wa-opack-installer.properties -i silent
+    sudo_user: "{{ wa_user }}"
+    ignore_errors: yes
+
+  - name: Install AffWebServices.properties
+    template: src=AffWebServices.properties dest={{ wa_home }}/webagent/affwebservices/WEB-INF/classes/AffWebServices.properties
+    sudo_user: "{{ wa_user }}"
+    tags: config
+
+  - name: Install LoggerConfig.properties
+    template: src=LoggerConfig.properties dest={{ wa_home }}/webagent/affwebservices/WEB-INF/classes/LoggerConfig.properties
+    sudo_user: "{{ wa_user }}"
+    tags: config
+
+  - name: Install WebAgent.conf
+    template: src=WebAgent.conf dest={{ wa_home }}/webagent/affwebservices/WEB-INF/classes/WebAgent.conf
+    sudo_user: "{{ wa_user }}"
+
+  - name: Install the AffWebServices WEBAPP
+    file: state=link src={{ wa_home }}/webagent/affwebservices dest={{ tomcat_home }}/webapps/affwebservices
+    sudo_user: "{{ wa_user }}"

OneAccess-Ansible-Playbook/roles/siteminder-webagent/templates/AffWebServices.properties

@@ -0,0 +1,25 @@
+//tunnel library type. valid values are 'c' and 'java'
+NotificationLibraryType=java
+//NotificationLibraryType=c
+
+//In case of java tunnel library provide the fully qualified classname of the provider. Else
+//Library name followed by a space and then the function name
+NotificationLibraryDetails=com.netegrity.affiliateminder.webservices.NotificationEventAdapter
+//NotificationLibraryDetails=libName funName
+
+//SiteMinder server that will process the request at the time of the tunnel call.
+// Valid values are:
+//		0	- for the authorization server port number.
+//		1 	- for the authentication server port number.
+//		2 	- for the accounting server port number.
+SMserverPort=0
+
+//In case of 4.x IIS web agent, please leave its value empty. Else provide the full path
+//of the WebAgent.conf file.
+AgentConfigLocation={{ wa_home }}/webagent/affwebservices/WEB-INF/classes/WebAgent.conf
+
+//SAML2.0 Manage NameID feature
+//ProcessBackgroundNameIDOperations - Flag indicating that the thread should run on this system.  By default, this value will be false. Should be enabled for only one WA-OP.
+ProcessBackgroundNameIDOperations=false
+//BackgroundProcessingInterval - the number of seconds defining the interval when this thread should wake up to check if there are requests to be processed.  By default, this will be 60 seconds
+BackgroundProcessingInterval=60

OneAccess-Ansible-Playbook/roles/siteminder-webagent/templates/LoggerConfig.properties

@@ -0,0 +1,64 @@
+// Log and trace configuration parameters for com.netegrity.affiliateminder.webservices
+
+// LoggingOn can be Y, N
+LoggingOn=Y
+
+// If LogFileName is set Log output will go to the file named
+LogFileName={{ wa_home }}/webagent/log/affwebserv.log
+
+// LogLocalTime can be Y, N.  Y will log timestamps in local time rather than GMT.
+LogLocalTime=N
+
+// TraceRollover defines the type of rollover functionality desired for trace output files.
+// Please choose from the following valid values:
+//	0	- [default].  No rollover is performed.  Existing files are overwritten at startup.
+//	2	- Rollover now.  Rollover is only performed at startup..
+//	1	- Append.  No rollover is performed.  Existing files are appended to at startup.
+//	3	- Rollover.  Files rollover when they grow to the limit set by LogSize.
+//	4	- Rollover now with size.  Files rollover at startup and then grow to the limit set by LogSize.
+LogRollover=0
+
+// LogSize dictates the maximum file size in megabytes when rolling over by size
+LogSize=10
+
+// LogCount defines how many log output files to leave around when rollover is enabled.
+LogCount=10
+
+// TracingOn can be Y, N
+TracingOn=Y
+
+// EnableDNSLookUp can be Y, N
+EnableDNSLookUp=N
+
+// If TraceFileName is set Trace output will go to the file named
+TraceFileName={{ wa_home }}/webagent/log/FWSTrace.log
+
+// TraceConfigFile should be set to the full path of the desired Trace.conf configuration file
+TraceConfig={{ wa_home }}/webagent/config/FWSTrace.conf
+
+// TraceRollover defines the type of rollover functionality desired for trace output files.
+// Please choose from the following valid values:
+//	0	- [default].  No rollover is performed.  Existing files are overwritten at startup.
+//	1	- Append.  No rollover is performed.  Existing files are appended to at startup.
+//	2	- Rollover now.  Rollover is only performed at startup..
+//	3	- Rollover.  Files rollover when they grow to the limit set by TraceSize.
+//	4	- Rollover now with size.  Files rollover at startup and then grow to the limit set by TraceSize.
+TraceRollover=0
+
+// TraceSize dictates the maximum file size in megabytes when rolling over by size
+TraceSize=10
+
+// TraceCount defines how many trace output files to leave around when rollover is enabled.
+TraceCount=10
+
+// TraceFormat dicates the trace output file format.
+// Please choose frmo the following valid values:
+//	0	- [default]
+//	1	- Fixed width fields.
+//	2	- Delimited format (delimiter chosen by TraceDelim setting).
+//	3	- XML
+TraceFormat=0
+
+// TraceDelim may be set to any printable ASCII character and defines the field delimiter to use
+// when TraceFormat=2.  Otherwise this setting is ignored.
+TraceDelim=,

OneAccess-Ansible-Playbook/roles/siteminder-webagent/templates/WebAgent.conf

@@ -0,0 +1,7 @@
+# WebAgent.conf - configuration file for SiteMinder Web Agent
+
+LOCALE=en-US
+
+HostConfigFile="{{ wa_home }}/webagent/config/SmHost.conf"
+AgentConfigObject="ACO_WAOP"
+EnableWebAgent="YES"

OneAccess-Ansible-Playbook/roles/siteminder-webagent/templates/ca-wa-installer.properties

@@ -0,0 +1,180 @@
+##################################################################
+## nete-wa-installer.properties                                 ##
+## Properties file for the SiteMinder Web Agent                 ##
+## unattended installation and configuration                    ##
+##                                                              ##
+## This file is generated by an initial Web Agent installation  ##
+## and configuration performed in GUI or Console mode.          ##
+## Use this file for unattended installation and configuration. ##
+##################################################################
+
+
+################################################################
+# General Information
+################################################################
+# Specifies the information used for the unattended installation.
+
+USER_INSTALL_DIR={{ wa_home }}
+USER_SHORTCUTS=/home/{{ wa_user }}/local
+
+################################################################
+# 1. Trusted Host Registration
+################################################################
+# A trusted host is a client computer where one or more Agents
+# can be installed. To establish a connection between the
+# trusted host and the Policy Server, register the host with
+# the Policy Server.
+
+# Register the trusted host only once, not each time you install and
+# configure a Web Agent.
+
+#Set to 1 to register this Agent with a Policy Server.
+#Set to 0 if you had registered this Agent with a Policy Server before.
+
+HOST_REGISTRATION_YES=1
+
+################################################################
+# 1.1 Administrator For Trusted Host Registration
+################################################################
+# Enter the name and password of an administrator who has the
+# right to register a trusted host with the Policy Server.
+# This entry must match the name of an administrator defined
+# at the Policy Server.
+
+ADMIN_REG_NAME={{ sm_admin_user }}
+DEFAULT_ADMIN_REG_PASSWORD={{ sm_admin_password }}
+#ADMIN_REG_PASSWORD=ENC:pT4HvukLeehIkP3Mc6Rq4Q==
+
+# Set to 1 to enable shared secret rollover
+SHARED_SECRET_ROLLOVER_YES=0
+
+################################################################
+# 1.2 Cryptographic Hardware Configuration (optional)
+# (HKS is not supported for SM r12) CQ #63987
+################################################################
+# This section only applies if you registered a trusted host.
+#
+# NOTE: These are only used if CRYPTO_CONFIG_YES = 1.
+#       Select a path and file name of PKCS11, then enter
+#       the token label and pass phrase. The token label can be blank.
+#       The pass phrase cannot be blank.
+
+#Set to 1 to enable PKCS11 Cryptographic Hardware.
+#CRYPTO_CONFIG_YES=
+
+#The location and file name of the PKCS11 library.
+#PKCS11_FILENAME=
+
+#The token label for PKCS11
+#TOKEN_LABEL=
+
+#The token passphrase
+#TOKEN_PASS_PHRASE=
+
+################################################################
+# 1.3 Trusted Host Name and Host Configuration Object
+################################################################
+# Specify the name of the host you want to register with the
+# Policy Server.
+
+# Enter the name of the host configuration object.
+# The name must match a host configuration object name
+# already defined at the Policy Server.
+
+TRUSTED_HOST_NAME={{ inventory_hostname }}
+CONFIG_OBJ=HCO_Local
+
+################################################################
+# 1.4 List of Policy Servers IP Addresses and FIPS Mode Settings
+################################################################
+# Enter the IP Address of the Policy Server where you are
+# registering this host.
+#
+# Specify the IP address in the form of <IP_address:port>
+# To list multiple addresses, enter <IP_address:port>, <IP_address:port>
+# For example: 111.112.1.45(IPV4), 122.113.1.47:45(IPV4)
+#		 IPV6:	[cd00:a706:a054:1:250:56ff:fe9b:7c8]:44441
+#			or	[cd00:a706:a054:1:250:56ff:fe9b:7c8]
+#			or	 cd00:a706:a054:1:250:56ff:fe9b:7c8
+
+
+IP_ADDRESS_STRING=127.0.0.1
+FIPS_VALUE=COMPAT
+
+################################################################
+# 1.5   Host Configuration File Location
+################################################################
+# Enter a name and location for the Host Configuration File,
+# SmHost.conf.
+
+SM_HOST_FILENAME=SmHost.conf
+SM_HOST_DIR={{ wa_home }}/webagent/config
+
+###############################################################
+# 2. Web Server Selection
+###############################################################
+
+#The following entries are for UNIX systems only:
+
+APACHE_SELECTED=1
+APACHE_WEBSERVER_ROOT={{ httpd_home }}
+
+#The following APACHE entries for APACHE VENDOR web servers.ex:IHS,
+#   Oracle 10g etc.APACHE_SPECIFIC_TYPE is 1,if the
+#   APACHE WEBSERVER ROOT is specific path.ie,
+#   other than APACHE webserver path.
+
+APACHE_SPECIFIC_PATH_YES=
+APACHE_VENDOR_TYPE=HTTP_APACHE
+APACHE_VERSION=2.2.29
+
+
+
+DOMINO_SELECTED=0
+DOMINO_WEBSERVER_ROOT=
+
+IPLANET_SELECTED=0
+IPLANET_WEBSERVER_ROOT=/home/apache/iplanet
+
+IBM_HTTP_SERVER_ZOS=
+IBM_HTTP_WEBSERVER_ZOS_CONF_PATH=
+
+# NOTE: Do not edit the following WEB_SERVER_INFO entry. To modify
+#       it, re-run the Web Agent configuration to regenerate
+#       this string with the appropriate values.
+
+WEB_SERVER_INFO=Apache,/home/www/httpd/conf,Apache 2.2.29,+EMPTYSTR+,apache,2.2.29,/home/www/httpd,Unix,+EMPTYSTR+,1,1,0,0,0,1,No advanced authentication,ACO_Apache,0,undefined,ENC:6f1I5TLVEpuSBHpf4GrASg==,
+
+######################################################################
+# VIRTUAL SITE CONFIGURATION ON IIS6/IIS7
+
+# Enter the Site Names which need to be configured against CONFIGURE_SITES with each
+#separated by ",". If they are already configured, and they are listed in
+#CONFIGURE_SITES, will be overwritten. Sites which are already configured, and you want to
+#unconfigure those, enter against UNCONFIGURE_SITES and each site name separatedby ",".
+#Sites, which are already configured and not listed in both sections will be preserved.
+###############################################################
+# For eg:
+#1.If Site1,Site2 need to be configured,then enter CONFIGURE_SITES=Site1,Site2.
+#2.If both are configured and you want Site1 to Preserve and Site 2t o be Overwrite
+#then use as below CONFIGURE_SITES= Site2 and don't specify site1 in UNCONFIGURE_SITES
+#3. If you want to unconfigure site1 and site2 then use UNCONFIGURE_SITES=site1,site2
+#4. If you want to preserve all, then don't specify any sites under CONFIGURE_SITES and
+#UNCONFIGURE_SITES.
+####################################################################
+
+CONFIGURE_SITES=
+UNCONFIGURE_SITES=
+
+################################################################
+# 3. Enable Web Agent Option
+################################################################
+ENABLE_WEBAGENT_RESULT=YES
+
+################################################################
+# 4. Restart Web Server Option (Windows only)
+################################################################
+# Set to YES to allow the installation program to reboot the
+# Windows machine, if required.
+
+USER_REQUESTED_RESTART=

OneAccess-Ansible-Playbook/roles/siteminder-webagent/templates/ca-wa-opack-installer.properties

@@ -0,0 +1,10 @@
+#Enter the path of where SiteMinder Web Agent is already installed or
+#enter the path where you would like to install CA SiteMinder Option Pack for Web Agent.
+#
+#For Windows, must use double backslashes for path separator
+USER_INSTALL_DIR={{ wa_home }}/webagent
+#
+NETE_JDK_ROOT={{ java_home }}
+
+#For Windows, change the line value below to 'YES' if you would like to restart the machine.
+USER_REQUESTED_RESTART=NO

OneAccess-Ansible-Playbook/roles/siteminder-webagent/templates/profile

@@ -0,0 +1,6 @@
+unset LANG
+unset LC_CTYPE
+unset LC_ALL
+test -r $HOME/.bashrc && . $HOME/.bashrc
+test -r $HOME/CA/webagent/ca_wa_env.sh && . $HOME/CA/webagent/ca_wa_env.sh
+test -r $HOME/CA/webagent/ca-wa-opack-env.sh && . $HOME/CA/webagent/ca-wa-opack-env.sh

OneAccess-Ansible-Playbook/roles/ssg-8.3/files/.gitignore

@@ -0,0 +1,3 @@
+layer7*
+*.rpm
+*.xml

OneAccess-Ansible-Playbook/roles/ssg-8.3/tasks/main.yml

@@ -0,0 +1,88 @@
+---
+
+  - name: This module only works on CentOS 6
+    assert:
+      that:
+        - "ansible_os_family == 'RedHat'"
+
+  - name: Install pexpect
+    yum: name=pexpect state=installed
+
+  - name: Copy the SSG 8.3 installation package
+    copy: src={{ item }} dest={{ sources_dir }}/rpms
+    with_items: [ 'ssg-8.3.00-2.noarch.rpm', 'ssg-mag-2.3.0-1.noarch.rpm' ]
+    register: rpmsdir
+    tags: rpm
+
+  - name: Update the RPM local repository
+    command: createrepo {{ sources_dir }}/rpms
+    when: rpmsdir.changed
+    tags: rpm
+
+  - name: Flush the yum caches
+    command: yum clean all
+    when: rpmsdir.changed
+    tags: rpm
+
+  - name: Install SSG 8.3
+    yum: name=ssg state=installed
+    tags: rpm
+
+  - name: Set SSH key for the "gateway" user
+    authorized_key: user={{ ssg_runtime_user }} key="{{ ansible_ssh_public_key }}" manage_dir=yes
+    tags: user
+
+  - name: Copy the SSG setup script
+    template: src=setup_ssg_83.py dest={{ sources_dir }}/setup_ssg_83.py mode=0755
+
+  - name: Setup SSG
+    command: creates=/opt/SecureSpan/Gateway/node/default/etc/conf/node.properties {{ sources_dir }}/setup_ssg_83.py
+
+  - name: Create the hierarchy for auto provisioning
+    file: path=/opt/SecureSpan/Gateway/node/default/etc/bootstrap state=directory owner={{ ssg_user }} group={{ ssg_group }} mode=0755
+
+  - name: Create the hierarchy for license auto provisioning
+    file: path=/opt/SecureSpan/Gateway/node/default/etc/bootstrap/license state=directory owner={{ ssg_user }} group={{ ssg_group }} mode=0755
+    tags: license
+
+  - name: Publish the licence for auto provisioning
+    copy: src={{ item }} dest=/opt/SecureSpan/Gateway/node/default/etc/bootstrap/license/
+    with_items: [ 'gw_license.xml', 'mag_license.xml' ]
+    tags: license
+
+  - name: Create the hierarchy for service auto provisioning
+    file: path=/opt/SecureSpan/Gateway/node/default/etc/bootstrap/services state=directory owner={{ ssg_user }} group={{ ssg_group }} mode=0755
+
+  - name: Publish the services for auto provisioning
+    file: state=touch owner={{ ssg_user }} group={{ ssg_group }} mode=0755 dest=/opt/SecureSpan/Gateway/node/default/etc/bootstrap/services/{{ item }}
+    with_items: [ 'restman' ]
+
+  - name: Start the Gateway service
+    command: /opt/SecureSpan/Gateway/runtime/bin/gateway.sh start
+
+  - name: Install the tcp_tune script
+    template: dest=/etc/init.d/tcp_tune src=tcp_tune mode=0755
+
+  - name: Make sure the tcp_tune service is started and enabled
+    service: name=tcp_tune enabled=yes state=restarted
+
+  - name: Generate certificates for Layer7
+    local_action: command creates="{{ lookup('env', 'BASEDIR') }}/roles/ssg-8.3/files/layer7.jks" "{{ lookup('env', 'BASEDIR') }}/pki/gen_certs.sh"
+    sudo: false
+    environment:
+      CERT_CN: "{{ ssg_ssl_certificate_cn }}"
+      PASSWORD: "{{ ssg_ssl_certificate_password }}"
+      BASENAME: "layer7"
+      OUTDIR: "{{ lookup('ENV', 'BASEDIR') }}/roles/ssg-8.3/files/"
+    tags: certificate
+    when: ssg_ssl_certificate_cn is defined
+
+  - name: Install MAG 2.3
+    yum: name=ssg-mag state=installed
+    tags: rpm
+
+  - name: Import the MAG DB Schema
+    mysql_db: login_user={{ ssg_otk_db_user }} login_password={{ ssg_otk_db_password }} name={{ ssg_otk_db_name }} state=import target=/opt/SecureSpan/Gateway/config/etc/sql/mag_db_schema.sql
+    tags:
+      - db
+      - db-schema

OneAccess-Ansible-Playbook/roles/ssg-8.3/templates/setup_ssg_83.py

@@ -0,0 +1,62 @@
+#!/usr/bin/python2
+
+import pexpect
+import sys
+import os
+
+os.environ['IA_TEMPDIR'] = '{{ temp_dir }}'
+
+child = pexpect.spawn ('/opt/SecureSpan/Gateway/runtime/bin/setup.sh')
+child.logfile = sys.stdout
+child.timeout = 300
+
+child.expect('Please make a selection:')
+child.sendline("2")
+child.expect('Java VM Path .*:')
+child.sendline('{{ java_home }}/jre')
+child.expect('Java VM Memory Allocation')
+child.sendline('')
+child.expect("Database Connection. .Yes.")
+child.sendline('')
+child.expect('Database Host .*:')
+child.sendline('localhost')
+child.expect('Database Port .*:')
+child.sendline('3306')
+child.expect('Database Name .*:')
+child.sendline('{{ ssg_db_name }}')
+child.expect('Database Username .*:')
+child.sendline('{{ ssg_db_user }}')
+child.expect('Database Password:')
+child.sendline('{{ ssg_db_password }}')
+child.expect('Confirm Database Password:')
+child.sendline('{{ ssg_db_password }}')
+child.expect('Administrative Database Username:')
+child.sendline('root')
+child.expect('Administrative Database Password:')
+child.sendline('{{ mysql_root_password }}')
+child.expect('Configure Database Failover Connection')
+child.sendline('')
+child.expect('SSM Username:')
+child.sendline('{{ ssg_admin_user }}')
+child.expect('SSM Password:')
+child.sendline('{{ ssg_admin_password }}')
+child.expect('Confirm SSM Password:')
+child.sendline('{{ ssg_admin_password }}')
+child.expect('Administrative HTTPS Listener. .No.:')
+child.sendline('Yes')
+child.expect('Administrative IP Address ...:')
+child.sendline('')
+child.expect('Administrative Port .8443.:')
+child.sendline('{{ ssg_service_port }}')
+child.expect('Cluster Host .*:')
+child.sendline('{{ ssg_hostname }}')
+child.expect('Cluster Passphrase:')
+child.sendline('{{ ssg_passphrase }}')
+child.expect('Confirm Cluster Passphrase:')
+child.sendline('{{ ssg_passphrase }}')
+child.expect('Press .Enter. to continue')
+child.sendline('')
+child.expect('Press .Enter. to continue')
+child.sendline('')
+child.expect('Please make a selection:')
+child.sendline("X")

OneAccess-Ansible-Playbook/roles/ssg-8.3/templates/tcp_tune

@@ -0,0 +1,87 @@
+#!/bin/bash
+# Network Startup config
+#
+# chkconfig: 2345 99 01
+# description: Layer7's Secure Span Gateway TCP protection
+# processname: none
+# pidfile: none
+# config: none
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+# Tune the Linux TCP/IP Stack
+start() {
+	echo "Setting wide local port range for more outbound connections"
+	echo "1024 65530" > /proc/sys/net/ipv4/ip_local_port_range
+	echo "Disable ECN because some systems don't do it right yet"
+	echo 0 > /proc/sys/net/ipv4/tcp_ecn
+	echo "Setting Low latency TCP"
+	echo 1 > /proc/sys/net/ipv4/tcp_low_latency
+	echo "Turning off timestamps"
+	echo 0 > /proc/sys/net/ipv4/tcp_timestamps
+	echo "Lowering keepalive time"
+	echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
+	echo 5 > /proc/sys/net/ipv4/tcp_keepalive_intvl
+	echo "Lowering FIN timeout"
+	echo 20 > /proc/sys/net/ipv4/tcp_fin_timeout
+	echo "Turning On Window scaling"
+	echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
+	echo "Turning On Selective Acknowledgement"
+	echo 1 > /proc/sys/net/ipv4/tcp_sack
+	echo "Disable route triangulation"
+	echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
+	echo "Disable Source routing"
+	echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
+	echo "Disable Ping broadcasts"
+	echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+	echo "Increasing SYN packet Backlog"
+	echo 8192 > /proc/sys/net/ipv4/tcp_max_syn_backlog
+	echo "Setting higher tcp memory limits"
+  echo 16777216 > /proc/sys/net/core/wmem_max
+	echo 16777216 > /proc/sys/net/core/rmem_max
+	# The following are in 4k-byte PAGES, not bytes
+	echo "196608 262144 393216" > /proc/sys/net/ipv4/tcp_mem
+  echo "Setting socket sizes for best cpu usage"
+  echo "131072" > /proc/sys/net/core/wmem_default
+  echo "174760" > /proc/sys/net/core/rmem_default
+  echo "4096 174760 16777216" > /proc/sys/net/ipv4/tcp_rmem
+  echo "4096 16384 16777216" > /proc/sys/net/ipv4/tcp_wmem
+
+	echo "Turning on TIME_WAIT recyle and reuse"
+	echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle
+	echo 1 > /proc/sys/net/ipv4/tcp_tw_reuse
+	echo "Increasing number of TIME_WAIT buckets"
+	echo 360000 > /proc/sys/net/ipv4/tcp_max_tw_buckets
+	echo "Turning on syncookie protection from Denial of Service (DOS) attacks"
+	echo 1 > /proc/sys/net/ipv4/tcp_syncookies
+	echo "Don't cache thresholds from previous connections"
+  echo 1 > /proc/sys/net/ipv4/tcp_no_metrics_save
+  echo "Increase Network backlogs for Gigabit"
+  echo 2500 > /proc/sys/net/core/netdev_max_backlog
+  echo "Increase maximum connections"
+  echo 10240 > /proc/sys/net/core/somaxconn
+	echo "Memory limit for fragment assembly"
+  echo 4194304 > /proc/sys/net/ipv4/ipfrag_high_thresh
+	echo "Done"
+	return 0
+}
+stop() {
+	echo
+}
+
+# See how we were called.
+case "$1" in
+  start)
+	start
+	;;
+  stop)
+	stop
+	;;
+  restart)
+	stop
+	start
+	;;
+esac
+
+exit $RETVAL

OneAccess-Ansible-Playbook/roles/tomcat-7/tasks/main.yml

@@ -0,0 +1,58 @@
+---
+
+  - name: This module only works on RHEL/CentOS
+    assert:
+      that:
+        - "ansible_os_family == 'RedHat'"
+
+  - name: Create the tomcat group
+    group: name={{ tomcat_group }} state=present
+    tags: user
+
+  - name: Create the tomcat user
+    user: name={{ tomcat_user }} state=present group={{ tomcat_group }}
+    tags: user
+
+  - name: Set SSH key for the tc user
+    authorized_key: user={{ tomcat_user }} key="{{ ansible_ssh_public_key }}" manage_dir=yes
+    tags: user
+
+  - name: Download tomcat
+    command: wget -c --no-check-certificate http://www.mirrorservice.org/sites/ftp.apache.org/tomcat/tomcat-7/v{{ tomcat_version }}/bin/apache-tomcat-{{ tomcat_version }}.tar.gz -O {{ sources_dir }}/apache-tomcat-{{ tomcat_version }}.tar.gz
+
+  - name: Extract the Tomcat 7 archive
+    unarchive: creates=/home/{{ tomcat_user }}/apache-tomcat-{{ tomcat_version }} src={{ sources_dir }}/apache-tomcat-{{ tomcat_version }}.tar.gz dest="/home/{{ tomcat_user }}/" copy=no
+    sudo_user: "{{ tomcat_user }}"
+
+  - name: Move it to $TOMCAT_HOME
+    command: creates={{ tomcat_home }} mv /home/{{ tomcat_user }}/apache-tomcat-{{ tomcat_version }} {{ tomcat_home }}
+    sudo_user: "{{ tomcat_user }}"
+
+  - name: Copy the MySQL JDBC driver to $TOMCAT_HOME/lib
+    copy: src=mysql-connector-java-commercial-5.1.30-bin.jar dest={{ tomcat_home }}/lib
+    sudo_user: "{{ tomcat_user }}"
+
+  - name: Change ports in server.xml
+    template: src=server.xml dest={{ tomcat_home }}/conf/server.xml
+    sudo_user: "{{ tomcat_user }}"
+    tags: config
+
+  - name: Prevent Tomcat from rotating logs
+    template: src=logging.properties dest={{ tomcat_home }}/conf/logging.properties
+    sudo_user: "{{ tomcat_user }}"
+    tags: config
+
+  - name: Create setenv.sh for tomcat
+    template: src=profile dest={{ tomcat_home }}/bin/setenv.sh
+    sudo_user: "{{ tomcat_user }}"
+    tags: config
+
+  - name: Create setenv.sh for tomcat
+    template: src=custom.sh dest={{ tomcat_home }}/bin/custom.sh
+    sudo_user: "{{ tomcat_user }}"
+    tags: config
+
+  - name: Upload the truststore
+    copy: src={{ lookup('ENV', 'BASEDIR') }}/pki/truststore.jks dest={{ tomcat_home }}/conf/trust.jks
+    sudo_user: "{{ tomcat_user }}"
+    tags: certificate

OneAccess-Ansible-Playbook/roles/tomcat-7/templates/custom.sh

@@ -0,0 +1 @@
+JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=$CATALINA_HOME/conf/trust.jks -Djavax.net.ssl.trustStorePassword=changeme -Djavax.net.ssl.trustStoreType=jks"

OneAccess-Ansible-Playbook/roles/tomcat-7/templates/logging.properties

@@ -0,0 +1,73 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, 3manager.org.apache.juli.FileHandler, 4host-manager.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
+
+.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
+
+############################################################
+# Handler specific properties.
+# Describes specific configuration info for Handlers.
+############################################################
+
+1catalina.org.apache.juli.FileHandler.level = FINE
+1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+1catalina.org.apache.juli.FileHandler.prefix = catalina.
+
+2localhost.org.apache.juli.FileHandler.level = FINE
+2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+2localhost.org.apache.juli.FileHandler.prefix = localhost.
+
+3manager.org.apache.juli.FileHandler.level = FINE
+3manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+3manager.org.apache.juli.FileHandler.prefix = manager.
+
+4host-manager.org.apache.juli.FileHandler.level = FINE
+4host-manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
+4host-manager.org.apache.juli.FileHandler.prefix = host-manager.
+
+java.util.logging.ConsoleHandler.level = FINE
+java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
+
+# Prevent log rotation
+1catalina.org.apache.juli.FileHandler.rotatable = false
+2localhost.org.apache.juli.FileHandler.rotatable = false
+3manager.org.apache.juli.FileHandler.rotatable = false
+4host-manager.org.apache.juli.FileHandler.rotatable = false
+1catalina.org.apache.juli.FileHandler.suffix = log
+2localhost.org.apache.juli.FileHandler.suffix = log
+3manager.org.apache.juli.FileHandler.suffix = log
+4host-manager.org.apache.juli.FileHandler.suffix = log
+
+############################################################
+# Facility specific properties.
+# Provides extra control for each logger.
+############################################################
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.FileHandler
+
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = INFO
+org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = 4host-manager.org.apache.juli.FileHandler
+
+# For example, set the org.apache.catalina.util.LifecycleBase logger to log
+# each component that extends LifecycleBase changing state:
+#org.apache.catalina.util.LifecycleBase.level = FINE
+
+# To see debug messages in TldLocationsCache, uncomment the following line:
+#org.apache.jasper.compiler.TldLocationsCache.level = FINE

OneAccess-Ansible-Playbook/roles/tomcat-7/templates/profile

@@ -0,0 +1,6 @@
+unset LANG
+unset LC_CTYPE
+unset LC_ALL
+test -r $HOME/.bashrc && . $HOME/.bashrc
+test -r $HOME/.bash_profile && . $HOME/.bash_profile
+test -r $CATALINA_HOME/bin/custom.sh && . $CATALINA_HOME/bin/custom.sh

OneAccess-Ansible-Playbook/roles/tomcat-7/templates/server.xml

@@ -0,0 +1,143 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<!-- Note:  A "Server" is not itself a "Container", so you may not
+     define subcomponents such as "Valves" at this level.
+     Documentation at /docs/config/server.html
+ -->
+<Server address="127.0.0.1" port="{{ tomcat_port_prefix }}8005" shutdown="SHUTDOWN">
+  <!-- Security listener. Documentation at /docs/config/listeners.html
+  <Listener className="org.apache.catalina.security.SecurityListener" />
+  -->
+  <!--APR library loader. Documentation at /docs/apr.html -->
+  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
+  <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
+  <Listener className="org.apache.catalina.core.JasperListener" />
+  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
+  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
+  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
+  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
+
+  <!-- Global JNDI resources
+       Documentation at /docs/jndi-resources-howto.html
+  -->
+  <GlobalNamingResources>
+    <!-- Editable user database that can also be used by
+         UserDatabaseRealm to authenticate users
+    -->
+    <Resource name="UserDatabase" auth="Container"
+              type="org.apache.catalina.UserDatabase"
+              description="User database that can be updated and saved"
+              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
+              pathname="conf/tomcat-users.xml" />
+  </GlobalNamingResources>
+
+  <!-- A "Service" is a collection of one or more "Connectors" that share
+       a single "Container" Note:  A "Service" is not itself a "Container",
+       so you may not define subcomponents such as "Valves" at this level.
+       Documentation at /docs/config/service.html
+   -->
+  <Service name="Catalina">
+
+    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
+    <!--
+    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
+        maxThreads="150" minSpareThreads="4"/>
+    -->
+
+
+    <!-- A "Connector" represents an endpoint by which requests are received
+         and responses are returned. Documentation at :
+         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
+         Java AJP  Connector: /docs/config/ajp.html
+         APR (HTTP/AJP) Connector: /docs/apr.html
+         Define a non-SSL HTTP/1.1 Connector on port 8080
+    -->
+    <Connector address="127.0.0.1" port="{{ tomcat_port_prefix }}8080" protocol="HTTP/1.1"
+               connectionTimeout="20000"
+               redirectPort="{{ tomcat_port_prefix }}8443" />
+    <!-- A "Connector" using the shared thread pool-->
+    <!--
+    <Connector executor="tomcatThreadPool"
+               port="8080" protocol="HTTP/1.1"
+               connectionTimeout="20000"
+               redirectPort="8443" />
+    -->
+    <!-- Define a SSL HTTP/1.1 Connector on port 8443
+         This connector uses the BIO implementation that requires the JSSE
+         style configuration. When using the APR/native implementation, the
+         OpenSSL style configuration is required as described in the APR/native
+         documentation -->
+    <!--
+    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
+               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
+               clientAuth="false" sslProtocol="TLS" />
+    -->
+
+    <!-- Define an AJP 1.3 Connector on port 8009 -->
+    <Connector address="127.0.0.1" port="{{ tomcat_port_prefix }}8009" protocol="AJP/1.3" redirectPort="{{ tomcat_port_prefix }}8443" />
+
+
+    <!-- An Engine represents the entry point (within Catalina) that processes
+         every request.  The Engine implementation for Tomcat stand alone
+         analyzes the HTTP headers included with the request, and passes them
+         on to the appropriate Host (virtual host).
+         Documentation at /docs/config/engine.html -->
+
+    <!-- You should set jvmRoute to support load-balancing via AJP ie :
+    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
+    -->
+    <Engine name="Catalina" defaultHost="localhost">
+
+      <!--For clustering, please take a look at documentation at:
+          /docs/cluster-howto.html  (simple how to)
+          /docs/config/cluster.html (reference documentation) -->
+      <!--
+      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
+      -->
+
+      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
+           via a brute-force attack -->
+      <Realm className="org.apache.catalina.realm.LockOutRealm">
+        <!-- This Realm uses the UserDatabase configured in the global JNDI
+             resources under the key "UserDatabase".  Any edits
+             that are performed against this UserDatabase are immediately
+             available for use by the Realm.  -->
+        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
+               resourceName="UserDatabase"/>
+      </Realm>
+
+      <Host name="localhost"  appBase="webapps"
+            unpackWARs="true" autoDeploy="true">
+
+        <!-- SingleSignOn valve, share authentication between web applications
+             Documentation at: /docs/config/valve.html -->
+        <!--
+        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
+        -->
+
+        <!-- Access log processes all example.
+             Documentation at: /docs/config/valve.html
+             Note: The pattern used is equivalent to using pattern="common" -->
+        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
+               prefix="http_access" suffix=".log" rotatable="false"
+               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
+
+      </Host>
+    </Engine>
+  </Service>
+</Server>

OneAccess-Ansible-Playbook/roles/tomcat-7/templates/tomcat_init_script

@@ -0,0 +1,69 @@
+#!/bin/bash
+#
+# Tomcat Startup Script
+#
+# chkconfig: 2345 80 30
+# description: Tomcat Application Server
+#
+
+### BEGIN INIT INFO
+# Provides: webfort
+# Required-Start: $local_fs $network $remote_fs
+# Required-Stop: $local_fs $network $remote_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: start and stop tomcat server
+# Description: Tomcat Application server
+### END INIT INFO
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+TOMCAT_USER={{ tomcat_user }}
+tomcat_pid="$(pgrep -U $TOMCAT_USER java)"
+running=$?
+
+start() {
+  [ "$EUID" != "0" ] && exit 4
+  su "$TOMCAT_USER" -c "{{ tomcat_home }}/bin/catalina.sh start"
+}
+
+stop() {
+  [ "$EUID" != "0" ] && exit 4
+  su "$TOMCAT_USER" -c "{{ tomcat_home }}/bin/catalina.sh stop"
+}
+
+status() {
+  echo -n "Tomcat "
+  if [ -n "$tomcat_pid" ]; then
+    echo "started"
+  else
+    echo "stopped"
+  fi
+  return $running
+}
+
+# See how we were called.
+case "$1" in
+  start)
+    [ $running -eq 0 ] && exit 0
+    start
+    ;;
+  stop)
+    [ $running -eq 0 ] || exit 0
+    stop
+    ;;
+  restart|force-reload)
+    stop
+    sleep 5
+    start
+    ;;
+  status)
+    status
+    ;;
+  *)
+    echo $"Usage: $0 {start|stop|restart}"
+    exit 2
+esac
+
+exit $?

OneAccess-Ansible-Playbook/roles/vmware-tools/files/.gitignore

@@ -0,0 +1 @@
+*.tar.gz

OneAccess-Ansible-Playbook/roles/vmware-tools/tasks/main.yml

@@ -0,0 +1,24 @@
+---
+
+  - name: This module only works on CentOS 6 x86
+    assert:
+      that:
+        - "ansible_userspace_bits == '32'"
+        - "ansible_os_family == 'RedHat'"
+
+  - name: Unarchive the VMware Tools installation media
+    unarchive: creates={{ sources_dir }}/vmware-tools-distrib src=VMwareTools-9.6.2-1688356.tar.gz dest={{ sources_dir }}
+
+  - name: Install the VMware Tools
+    command: creates=/usr/bin/vmware-config-tools.pl {{ sources_dir }}/vmware-tools-distrib/vmware-install.pl --default
+
+  - name: Install fuse
+    yum: name=fuse-libs state=installed
+
+  - name: Patch the startup scripts
+    template: src=vmware-tools-thinprint.conf dest=/etc/init/vmware-tools-thinprint.conf
+
+# TODO : start the vmware-tools-thinprint service before ?
+
+  - name: Configure the VMware Tools
+    command: /usr/bin/vmware-config-tools.pl -d -p

OneAccess-Ansible-Playbook/roles/vmware-tools/templates/vmware-tools-thinprint.conf

@@ -0,0 +1,6 @@
+author "Nicolas MASSE"
+description "Dummy Service"
+
+console output
+
+exec /bin/sleep 5

OneAccess-Ansible-Playbook/site.yml

@@ -0,0 +1,31 @@
+---
+
+ - name: Bootstrap a CentOS node
+   hosts: bootstrap
+   sudo: no
+   roles:
+    - bootstrap
+
+ - name: OneAccess Demo
+   hosts: sm
+   sudo: yes
+   roles:
+     - bootstrap
+     - base
+     - vmware-tools
+     - java-7
+     - pki
+     - ca-directory
+     - siteminder-common
+     - siteminder-policy-server
+     - siteminder-adminui
+     - apache-2.2
+     - tomcat-7
+     - siteminder-webagent
+     - mysql-ee-5.6
+     - ssg-8.3
+     - oneaccess
+     - iptables
+#     - prepare-to-export
+#     - service-control
+#     - backup

SiteMinder-Ansible-Playbook/LICENSE

@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Nicolas MASSE
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+

SiteMinder-Ansible-Playbook/ansible.cfg

@@ -0,0 +1,4 @@
+[defaults]
+log_path = ./logs/ansible.log
+filter_plugins = ./local_plugins/filter_plugins
+

SiteMinder-Ansible-Playbook/aw

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# Set environment variables
+export ANSIBLE_CONFIG="./ansible.cfg"
+
+options=""
+target="$1"
+ssh_key="$HOME/.ssh/id_rsa"
+
+if [ -z "$target" ]; then
+  echo "No target specified. Please specify an inventory or 'bootstrap' !"
+  exit 1
+fi
+
+if [ "$target" == "bootstrap" -o "$target" == "bootstrap-minimal" ]; then
+  if [ -z "$2" ]; then
+    echo "Please specify the target host !"
+    exit 1
+  fi
+  host="$2"
+  echo "Starting $target..."
+  echo
+  echo -n "Please enter the initial root password: "
+  read -s password
+  echo
+  echo
+  echo "Connecting to $host to register the SSH Host Key !"
+  sshpass -p "$password" ssh -i $ssh_key -o StrictHostKeyChecking=no "root@$host" /bin/true
+  auth=""
+  if [ -n "$password" ]; then
+    auth="ansible_ssh_pass=$password"
+  else
+    auth="ansible_ssh_private_key_file=$ssh_key"
+  fi
+  echo -e "[$target]\n$2 ansible_ssh_user=root $auth\n" > ./hosts-$target
+else
+  shift
+  options="$@"
+fi
+
+if [ ! -f "./hosts-$target" ]; then
+  echo "Invalid target '$target' !"
+  exit 1
+fi
+
+ansible-playbook -i ./hosts-$target $options site.yml
+
+rm -f hosts-bootstrap hosts-bootstrap-minimal # temporary file