Step 5: Creating Ansible vault files

You must create and configure Ansible® vault files on each of the appliance systems, both master and receiver.

About this task

Complete the following steps to create and configure the Ansible vault files on each of the appliance systems.

Procedure

  1. From the /usr/share/resilient-dr/ansible/templates directory, copy vault.template to /usr/share/resilient-dr/ansible/group_vars/all and rename it to vault. Review the vault file for important information about the variables and settings.
  2. In the vault_ssl_certs_supply_method section, if you are managing your certs manually, make sure this variable is set to manual, which is the default. If you want to use the supply method, set this variable to supply.
    Note: You do not need to set the vault_root_cn variable, specified in the group_vars/all/vault file, unless you are using the generate option for the postgres SSL certificates. The generate option is for test purposes only and is not recommended for production environments.
  3. Set the vault_postgres_ssl_security_level variable to specify the security option that you are using for Postgres streaming replication. The supported security options are verify-full, verify-ca, and require. The default is verify-full, which is the highest security setting: it requires the common name in the server certificate to match the server identity, and it verifies against the root cert that the server is a trusted host.
    Note: Do not change the vault_postgres_base_path variable unless you have a custom Postgres data directory path. Do not change the vault_postgres_service_name variable unless you are using a different version of Postgres than v14. This is unlikely on the SOAR appliance unless you have upgraded Postgres to a version other than v14.
  4. Update vault_postgres_replication_db_password by changing <REPLACE_WITH_REP_DB_PASSWORD> to the password to be used when the system creates the postgres replication user.

    This password is used when the receiver appliance is connecting to the master appliance to replicate Postgres data.

    Note: Do not use the following characters in the password:
    • "
    • '
    • )
    • (
    • ;
    • .
  5. Activate the built-in Ansible environment.
    source /opt/ansible-venv/python/ansible-python-env-latest/bin/activate
  6. Encrypt the vault file in ansible/group_vars/all by running the following command from the /usr/share/resilient-dr/ansible directory:
    ansible-vault encrypt group_vars/all/vault

    You are prompted to provide a password. It must be the same password that is used for the other encrypted files. You will need this password when running Ansible commands.

    Note: To decrypt the file, from the /usr/share/resilient-dr/ansible directory, enter the following command:
    ansible-vault decrypt group_vars/all/vault
  7. Optionally, change the vault_vars_maximum_async_wait_in_minutes parameter.
    The parameter sets the maximum time, in minutes, to wait for a single asynchronous Ansible task to complete. It is used for long-running tasks such as backing up the receiver db and performing a pg_basebackup of the master db to the receiver. The default value is 180 minutes; very large databases may require more time, depending on db size and, in some cases, network conditions.
    Important: This parameter must have a value in the vault file.
  8. Optionally, change the vault_vars_poll_interval_in_seconds parameter.
    The parameter sets the poll interval, in seconds: how long to wait between each new ssh connection that checks whether the asynchronous task has completed. The default value in the template is 15 seconds, which means a new ssh connection is established every 15 seconds to check for task completion until the timeout value is reached or the task itself completes.
    Important: This parameter must have a value in the vault file.
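The following POSIX shell script is an added example, not code from the IBM documentation or the resilient-dr project. It checks a plaintext group_vars/all/vault file against the settings from steps 2 through 8 before the file is encrypted in step 6: the supply method and SSL security level hold only documented values (with a warning for the two weaker levels), the replication password has been filled in and contains none of the forbidden characters, and both timing parameters are present and numeric. It assumes the vault file consists of simple top-level key: value lines; the helper names and the command-line path argument are this example's own.

```shell
#!/bin/sh
# Added example, not from the IBM documentation or the resilient-dr project:
# pre-encryption checks for the plaintext group_vars/all/vault file.
# Assumes the file holds top-level "key: value" lines for the variables
# named in the procedure. Usage: sh check_vault.sh /path/to/group_vars/all/vault

DQ='"'; SQ="'"
FORBIDDEN="$DQ$SQ();."                       # characters the password must not contain
PLACEHOLDER='<REPLACE_WITH_REP_DB_PASSWORD>' # template value that must be replaced

# vault_get FILE KEY: print the value of the first "KEY: value" line, quotes stripped.
vault_get() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 | sed "s/^[$DQ$SQ]//; s/[$DQ$SQ]\$//"
}

# check_supply_method VALUE: only manual (the default) and supply are documented.
check_supply_method() {
    case "$1" in manual|supply) return 0 ;; *) return 1 ;; esac
}

# check_security_level VALUE: accept the three supported levels; warn on the weaker two.
check_security_level() {
    case "$1" in
        verify-full) return 0 ;;
        verify-ca|require)
            echo "warning: vault_postgres_ssl_security_level=$1 is weaker than verify-full" >&2
            return 0 ;;
        *) return 1 ;;
    esac
}

# check_rep_db_password VALUE: set, placeholder replaced, none of " ' ( ) ; . present.
check_rep_db_password() {
    [ -n "$1" ] || return 1
    [ "$1" != "$PLACEHOLDER" ] || return 1
    [ "$(printf '%s' "$1" | tr -d "$FORBIDDEN")" = "$1" ]
}

# is_positive_int VALUE: the two timing parameters must be present and numeric.
is_positive_int() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 0 ]
}

# validate_vault FILE: run every check; 0 only if all pass, 2 if the file is already encrypted.
validate_vault() {
    f="$1"; rc=0
    [ -f "$f" ] || { echo "$f: not found" >&2; return 1; }
    if head -n 1 "$f" | grep -q '^\$ANSIBLE_VAULT;'; then
        echo "$f: already encrypted; run ansible-vault decrypt before validating" >&2
        return 2
    fi
    check_supply_method "$(vault_get "$f" vault_ssl_certs_supply_method)" \
        || { echo "$f: vault_ssl_certs_supply_method must be manual or supply" >&2; rc=1; }
    check_security_level "$(vault_get "$f" vault_postgres_ssl_security_level)" \
        || { echo "$f: vault_postgres_ssl_security_level must be verify-full, verify-ca or require" >&2; rc=1; }
    check_rep_db_password "$(vault_get "$f" vault_postgres_replication_db_password)" \
        || { echo "$f: vault_postgres_replication_db_password is unset, unchanged or uses a forbidden character" >&2; rc=1; }
    for key in vault_vars_maximum_async_wait_in_minutes vault_vars_poll_interval_in_seconds; do
        is_positive_int "$(vault_get "$f" "$key")" \
            || { echo "$f: $key must hold a positive integer" >&2; rc=1; }
    done
    return $rc
}

# Stand-alone use: validate the file given on the command line.
if [ $# -gt 0 ]; then validate_vault "$1"; fi
```

Run it against the decrypted vault on each appliance before step 6; a non-zero exit means at least one setting would be encrypted in a state the procedure does not allow, and the reason is printed on stderr.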

Results

You should now have the following configuration files, with ownership and permissions set as shown. Give the files meaningful names to avoid confusion or enabling DR on the wrong host:
group_vars/all:
-rw-r-----. 1 resadmin co3      vars
-rw-------. 1 resadmin resadmin vault

files/
-rw-------. 1 resadmin resadmin ssh_vault.yml
-rw-------. 1 resadmin resadmin <ssl_certs_vault_a.yml>
-rw-------. 1 resadmin resadmin <ssl_certs_vault_b.yml>

inventories/
-rw-r-----. 1 resadmin resadmin <resilient_hosts_master_machine_a.yml>
-rw-r-----. 1 resadmin resadmin <resilient_hosts_master_machine_b.yml>
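The audit script below is an added example, not code from the IBM documentation. On a Linux host it checks the layout listed above: each file exists with the mode and owner shown, and every file whose name contains vault starts with the ansible-vault header, so a secret file left in plaintext is reported along with any permission drift. It relies on GNU or busybox stat -c. The glob patterns used for the site-named SSL-cert vault and inventory files, the optional owner and group arguments, and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: audits the files listed under
# "Results" on a Linux host (uses GNU/busybox "stat -c"). Each file must exist
# with the mode and owner shown there, and every file whose name contains
# "vault" must start with the ansible-vault header, so a secret file that was
# left in plaintext is reported.

# vault_is_encrypted FILE: 0 if the first line is the ansible-vault header.
vault_is_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'
}

# check_file FILE MODE OWNER GROUP: 0 if all match (and vault files are encrypted).
check_file() {
    f="$1"; want_mode="$2"; want_owner="$3"; want_group="$4"; frc=0
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    actual=$(stat -c '%a %U %G' "$f") || return 1
    set -- $actual                      # $1=mode $2=owner $3=group
    [ "$1" = "$want_mode" ]  || { echo "$f: mode $1, expected $want_mode" >&2; frc=1; }
    [ "$2" = "$want_owner" ] || { echo "$f: owner $2, expected $want_owner" >&2; frc=1; }
    [ "$3" = "$want_group" ] || { echo "$f: group $3, expected $want_group" >&2; frc=1; }
    case "$(basename "$f")" in
        *vault*) vault_is_encrypted "$f" \
            || { echo "$f: not encrypted with ansible-vault" >&2; frc=1; } ;;
    esac
    return $frc
}

# audit_dr_files [BASE] [OWNER] [VAULT_GROUP] [VARS_GROUP]: check the whole layout.
# Defaults follow the listing: /usr/share/resilient-dr/ansible, resadmin, resadmin, co3.
audit_dr_files() {
    base="${1:-/usr/share/resilient-dr/ansible}"
    owner="${2:-resadmin}"; vgrp="${3:-resadmin}"; vargrp="${4:-co3}"; rc=0
    check_file "$base/group_vars/all/vars"  640 "$owner" "$vargrp" || rc=1
    check_file "$base/group_vars/all/vault" 600 "$owner" "$vgrp"   || rc=1
    check_file "$base/files/ssh_vault.yml"  600 "$owner" "$vgrp"   || rc=1
    # The SSL-cert vault and inventory files carry site-chosen names (shown as
    # <ssl_certs_vault_a.yml> and <resilient_hosts_master_machine_a.yml> above),
    # so these glob patterns are an assumption of this example.
    for p in "$base"/files/ssl_certs_vault_*.yml; do
        if [ -e "$p" ]; then check_file "$p" 600 "$owner" "$vgrp" || rc=1; fi
    done
    for p in "$base"/inventories/*.yml; do
        if [ -e "$p" ]; then check_file "$p" 640 "$owner" "$vgrp" || rc=1; fi
    done
    return $rc
}

# Stand-alone use: sh audit_dr_files.sh [BASE] [OWNER] [VAULT_GROUP] [VARS_GROUP]
if [ $# -gt 0 ]; then audit_dr_files "$@"; fi
```

Run it as resadmin on both the master and the receiver after finishing the procedure; every mismatch is printed on stderr and the exit status is non-zero, which makes it easy to call from a cron job or a pre-flight check before running the DR playbooks.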

What to do next

Make sure to complete these configuration steps on each of the appliances. After you have completed the configuration on both appliances, proceed to Configuring apps running on an integration server.