
cert kdb cleanup fails to list kdb to resolve failures #167

Open
rfransix opened this issue Nov 25, 2019 · 2 comments

@rfransix

Hi, I'm using the following to loop through the cert kdb's and delete expired certs; however, on failure the play exits without displaying the current kdb id name. How do I code it to output the kdb id on every query so I know where to focus troubleshooting? Thank you.

I can output the kdb id names on "Get All Cert KDB Names", yet when it 'changes', 'skips', or on 'failure' the output does not include the kdb id name. Here is an example error:

```
TASK [delete_certdb_personal_cert_cg : Get list of Personal Certificates in Keystore] *******************************************************************************************************
fatal: [hostname.com]: FAILED! => {"changed": false, "log": "[2019-11-25 13:43:51,195] [PID:9329 TID:140155918956352] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_response():80] Text: {"firmware_label":"isam_9.0.4.0_20171201-2325","firmware_build":"20171201-2325","firmware_version":"9.0.4.0","product_description":"IBM Security Access Manager","deployment_model":"Appliance","product_name":"isam"}\n[2019-11-25 13:43:51,320] [PID:9329 TID:140155918956352] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_response():80] Text: { "configured": true}\n[2019-11-25 13:43:51,454] [PID:9329 TID:140155918956352] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_response():80] Text: [{"name":"ISAM Base Appliance","description":"IBM Security Access Manager Base Appliance","id":"wga","enabled":"True"}, {"name":"ISAM Advanced Access Control","description":"IBM Security Access Manager Advanced Access Control","id":"mga","enabled":"True"}, {"name":"ISAM Federation","description":"IBM Security Access Manager Federation","id":"federation","enabled":"True"}]\n[2019-11-25 13:43:52,112] [PID:9329 TID:140155918956352] [ERROR] [ibmsecurity.appliance.ibmappliance] [_process_response():64] text: {"message":"DPWAP0039E An error occured in the GSKKM_OpenKeyDbX(&dbInfo, &dbh) system function: GSKKM_ERR_NULL_PARAMETER"}\n", "msg": "('HTTP Return code: 500', u'{"message":"DPWAP0039E An error occured in the GSKKM_OpenKeyDbX(&dbInfo, &dbh) system function: GSKKM_ERR_NULL_PARAMETER"}')", "name": "ibmsecurity.isam.base.ssl_certificates.personal_certificate.get_all"}
```

Here is the playbook:

```yaml
# Create a Report on Junctions
###########################################################################################################
# Set the timestamp variable to be used in create snapshot comment
###########################################################################################################
- name: Set variables for rest of playbook
  hosts: localhost
  tasks:
    - set_fact:
        timestamp: "{{ lookup('pipe', 'date +%m-%d-%Y') }}"
      tags: ["setup"]

###########################################################################################################
# Set the timestamp variable to be used in create snapshot comment
###########################################################################################################
- name: Create Snapshot
  hosts: primary
  connection: local
  roles:
    - role: create_snapshot
      create_snapshot_comment: "Prior to running delete expired certificates script {{ hostvars['localhost']['timestamp'] }}"
      tags: ["snapshot"]

###########################################################################################################
# Get a list of the certificate databases from the primary appliance.
###########################################################################################################
- name: Get All Cert KDBs
  hosts: primary
  no_log: False
  connection: local
  vars:
    log_level: "CRITICAL"
  roles:
    - role: start_config
    - role: get_cert_dbs_cg

###########################################################################################################
# Check to see if personal certificates in KDB are expired and delete if expired.
###########################################################################################################
- name: Get Personal Certificate Details
  hosts: primary
  connection: local
  tasks:
    - name: Get Personal Certificate Details
      include_role:
        name: delete_certdb_personal_cert_cg
      vars:
        cert_db_id: "{{ outer_item['id'] }}"
      with_items: "{{ certdbs_ret_obj['data'] | default([]) }}"
      loop_control:
        loop_var: outer_item

###########################################################################################################
# Check to see if signer certificates in KDB are expired and delete if expired.
###########################################################################################################
- name: Get Signer Certificate Details
  hosts: primary
  connection: local
  tasks:
    - name: Get Signer Certificate Details
      include_role:
        name: delete_certdb_signer_cert_cg
      vars:
        cert_db_id: "{{ outer2_item['id'] }}"
      with_items: "{{ certdbs_ret_obj['data'] | default([]) }}"
      loop_control:
        loop_var: outer2_item
```

Here is the get_cert_dbs_cg role:

```yaml
- name: Get Certificate Databases ID/Names
  isam:
    appliance: "{{ inventory_hostname }}"
    username: "{{ username }}"
    password: "{{ password }}"
    lmi_port: "{{ lmi_port }}"
    log: "{{ log_level }}"
    force: "{{ force }}"
    action: ibmsecurity.isam.base.ssl_certificates.certificate_databases.get_all
  register: ret_obj

- name: Set variable for use by rest of playbook
  set_fact:
    certdbs_ret_obj: "{{ ret_obj }}"

- name: Output
  debug: msg="{{ item['id'] }}"
  with_items: "{{ certdbs_ret_obj['data'] }}"
```

ram-ibm (Collaborator) commented Dec 7, 2019

I suspect using the ignore_errors flag in the task that is failing should let me proceed to the "Output" task?

ram-ibm (Collaborator) commented Dec 13, 2019

```yaml
block:
rescue:
always:
```

https://docs.ansible.com/ansible/latest/user_guide/playbooks_blocks.html
The above might be a better solution to handling errors?
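As an added example (not code from this issue or from the ibmsecurity project), here is how the failing task inside the delete_certdb_personal_cert_cg role could be wrapped in block/rescue/always so that the kdb id is printed on success and on failure and the play carries on with the next KDB. The isam module arguments mirror the get_cert_dbs_cg role above; the task file layout, the `personal_certs_ret_obj` and `failed_kdbs` variable names, and the `isamapi`/`kdb_id` argument for personal_certificate.get_all are assumptions.

```yaml
# Assumed task file for the delete_certdb_personal_cert_cg role (example, not the original).
# cert_db_id is passed in from the include_role loop in the playbook above.
- name: Process personal certificates in KDB {{ cert_db_id }}
  block:
    - name: Get list of Personal Certificates in Keystore
      isam:
        appliance: "{{ inventory_hostname }}"
        username: "{{ username }}"
        password: "{{ password }}"
        lmi_port: "{{ lmi_port }}"
        log: "{{ log_level }}"
        force: "{{ force }}"
        action: ibmsecurity.isam.base.ssl_certificates.personal_certificate.get_all
        isamapi:
          kdb_id: "{{ cert_db_id }}"   # argument name is an assumption
      register: personal_certs_ret_obj

  rescue:
    # Runs only when a task in the block fails: name the KDB and the error,
    # then let the outer loop continue instead of aborting the whole play.
    - name: Report which KDB failed
      debug:
        msg: >-
          Listing personal certificates failed for KDB '{{ cert_db_id }}':
          {{ ansible_failed_result.msg | default('no message') }}

    - name: Remember the failing KDB for a summary at the end of the play
      set_fact:
        failed_kdbs: "{{ failed_kdbs | default([]) + [cert_db_id] }}"

  always:
    # Runs on success and on failure, so every iteration shows the KDB it handled.
    - name: Show which KDB was processed
      debug:
        msg: "Finished KDB '{{ cert_db_id }}' (failed: {{ cert_db_id in (failed_kdbs | default([])) }})"
```

Because `ansible_failed_result` is only defined inside `rescue`, the HTTP 500 text from the error above would be printed next to the kdb id there rather than in a bare fatal line.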
