
Use Ansible to automate installation

Follow these instructions to use the open-source Ansible tool to automate installation of the DigiCert® agent software onto one or more Linux servers in silent mode.

You store the agent software and create the Ansible playbook on a central "control" node system, and then execute the Ansible playbook there to upload, extract, and install the software onto your Linux servers (the "managed" nodes) over the network.

Before you begin

  • Make sure you have completed all the steps in the Linux agent silent mode preparation and have the silent mode installer package available (DigiCertTLMAgentGPOInstaller.tar.gz). To verify that your installation package works, use the Installation commands to try installing the agent in silent mode on one of your Linux servers.

  • Install the Ansible software on the central control system. For detailed instructions, refer to the official Ansible documentation.

  • Make sure Python is available on the control system and on all the managed nodes where you will install the agent software.

  • Make sure you have some form of SSH access from the control system to the managed Linux servers. For example, to enable key-based (passwordless) SSH access, use the ssh-keygen command to generate an SSH keypair on each managed server, and the ssh-copy-id command to copy the public key to the central control system.

Notice

All steps below are to be performed on the Ansible control node system.

  1. Create a sub-directory within the main Ansible configuration directory /etc/ansible to hold the DigiCert agent software and the Ansible installation files you create. These instructions use the sub-directory /etc/ansible/opt/digicert. For example, to create this sub-directory on the control node:

    cd /etc/ansible
    mkdir -p opt/digicert

  2. Copy the silent mode installer package (DigiCertTLMAgentGPOInstaller.tar.gz) into the above sub-directory.

Add a file called var.yml in the /etc/ansible/opt/digicert sub-directory you created on the Ansible control node system. Configure this file with the variables to use when installing the DigiCert agent software on your Linux servers. For example:

options:
  AGENT_BUNDLE_NAME: tlm_agent_3.0.14_linux64.tar.gz
  BUSINESS_UNIT_ID: 542bce5b-9a54-41df-a054-fe977133ee09
  ALIASNAME: agents_subnet_1
  PROXY: http://125.125.125.125:3333

Descriptions of configuration parameters:

Add a file called hosts.yml in the /etc/ansible/opt/digicert sub-directory you created on the Ansible control node system. Configure this file with the list of Linux servers where you want to install the DigiCert agent software and any general operational parameters that Ansible should use. For example:

[servers]
server1 ansible_host=10.0.0.1
server2 ansible_host=10.0.0.2
server3 ansible_host=10.0.0.3

[all:vars]
ansible_python_interpreter=/usr/bin/python3
ansible_user=admin

Notes:

  • The directive name for the hosts list (servers in this example) must match what's in your Ansible playbook (see Step 4 below).

  • The all:vars directive sets any additional operational parameters that Ansible should use to access and install the software on each host. Parameters used in this example:

    • ansible_python_interpreter: Path of the Python executable to use on each host.

    • ansible_user: SSH username to use to connect and install the software on each host.

      Notice

      This example assumes key-based (passwordless) SSH authentication. For password-based SSH authentication, add an additional ansible_password directive. Use Ansible Vault or similar to keep passwords secure.

Use the following command syntax to test your Ansible inventory configuration:

ansible-inventory -i {INVENTORY_FILE} --list -y

For example:

ansible-inventory -i /etc/ansible/opt/digicert/hosts.yml --list -y

If successful, the command lists all the hosts in your Ansible inventory file.
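
The following pre-flight check is an added example, not part of DigiCert's instructions. It lints an INI-style inventory like the one above for two problems before the playbook runs: connection passwords stored as literal text rather than as a reference to a vaulted variable, and two inventory names that point at the same address. The function name, the finding labels, the variable name vault_ssh_password, and the sample inventory are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: lint an INI-style Ansible inventory before running the playbook.

# lint_inventory FILE
# Prints one finding per line; returns 0 if the file is clean, 1 otherwise.
lint_inventory() {
  awk '
    /^[ \t]*([#;]|$)/ { next }   # skip comments and blank lines
    /^\[/ { next }               # skip [group] and [group:vars] headers
    {
      for (i = 1; i <= NF; i++) {
        n = index($i, "=")
        if (n == 0) continue     # host name or continuation of a quoted value
        key = substr($i, 1, n - 1)
        val = substr($i, n + 1)
        # Finding 1: a literal secret instead of a {{ vaulted_variable }} reference
        if (key ~ /^ansible_(ssh_pass|password|become_pass|become_password)$/ &&
            index(val, "{{") == 0) {
          printf "PLAINTEXT_SECRET line %d: %s\n", NR, key
          bad = 1
        }
        # Finding 2: two inventory names that resolve to the same address
        if (key == "ansible_host") {
          if (val in seen) {
            printf "DUPLICATE_HOST line %d: %s also used by %s\n", NR, val, seen[val]
            bad = 1
          } else seen[val] = $1
        }
      }
    }
    END { exit bad }
  ' "$1"
}

# Constructed sample inventory: one duplicate address and one literal password.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[servers]
server1 ansible_host=10.0.0.1
server2 ansible_host=10.0.0.2
server3 ansible_host=10.0.0.2

[all:vars]
ansible_user=admin
ansible_password=ExamplePassw0rd
EOF
lint_inventory "$sample" || echo "Fix the inventory before running ansible-playbook."
rm -f "$sample"
```

A value such as ansible_password="{{ vault_ssh_password }}" passes the check because the secret itself then lives in a vault-encrypted variables file rather than in the inventory.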

The Ansible playbook drives the software installation process and defines all the required tasks.

Add the playbook file in the /etc/ansible/opt/digicert sub-directory you created on the Ansible control node system. Give the playbook file a name like main.yml and configure it as follows:

- hosts: servers # Match the directive in the hosts.yml file
  gather_facts: no
  vars_files:
    - var.yml
  tasks:
    # Each task runs once on every host in the "servers" group
    - name: "Creating a directory if it doesn't exist"
      ansible.builtin.file:
        path: /opt/digicert
        state: directory
        mode: '0755'
      become: yes  # Use this if you need root permissions

    - name: "Copying the tar to remote systems"
      ansible.builtin.copy:
        src: DigiCertTLMAgentGPOInstaller.tar.gz
        dest: /opt/digicert/DigiCertTLMAgentGPOInstaller.tar.gz
        mode: '0644'
      become: yes

    - name: "Extracting the tar on the remote system"
      ansible.builtin.unarchive:
        src: /opt/digicert/DigiCertTLMAgentGPOInstaller.tar.gz
        dest: /opt/digicert
        remote_src: yes
        creates: /opt/digicert/DigiCertTLMAgentGPOInstaller/extracted_file_or_directory  # Placeholder: set this to a path that exists after extraction to avoid re-extracting on later runs
      become: yes

    - name: "Making the script executable on the remote system"
      ansible.builtin.file:
        path: /opt/digicert/DigiCertTLMAgentGPOInstaller/silentInstaller-by-companion-lnx.sh
        mode: '0755'
        state: file
      become: yes

    - name: "Executing the script on the remote system"
      ansible.builtin.shell:
        # The quote filter shell-escapes each value from var.yml before it reaches bash
        cmd: "/opt/digicert/DigiCertTLMAgentGPOInstaller/silentInstaller-by-companion-lnx.sh AGENT_BUNDLE_NAME={{ options['AGENT_BUNDLE_NAME'] | quote }} BUSINESS_UNIT_ID={{ options['BUSINESS_UNIT_ID'] | quote }} ALIASNAME={{ options['ALIASNAME'] | quote }} PROXY={{ options['PROXY'] | quote }}"
        executable: /bin/bash
      become: yes
      register: out

    - name: "Showing the installer output"
      ansible.builtin.debug:
        var: out

Notes:

  • The name parameter describes what happens during each installation task.

  • Adjust the cmd in the "Executing the script" task as needed to match the installation parameters you defined in the var.yml file in Step 2.

  • Additional notes are provided as comments (following the # character) on relevant lines in the above example.

Execute the playbook on the Ansible control node to run the defined tasks for installing the DigiCert agent software onto your remote Linux servers.

Change into the /etc/ansible/opt/digicert directory and execute the playbook with the following command, substituting in the names of your inventory and playbook files:

ansible-playbook -i {INVENTORY_FILE} {PLAYBOOK_FILE} -vvv

For example:

ansible-playbook -i hosts.yml main.yml -vvv

Notes:

  • The -vvv option runs the command in one of the highest verbosity modes, which provides detailed output about the installation process.

  • Failed playbook runs are often due to incorrect file paths in your Ansible configuration. Running the playbook in verbose mode makes troubleshooting easier.

What's next

Agents that were successfully installed and provisioned are listed on the Discovery & automation tools > Agents page in DigiCert® Trust Lifecycle Manager. Each agent is named based on the value of the ALIASNAME parameter, or else by the license key if you omitted this parameter.