diff --git a/examples/playbook/CFPOC_HAPROXY.yaml b/examples/playbook/CFPOC_HAPROXY.yaml
new file mode 100644
index 00000000..a10496f1
--- /dev/null
+++ b/examples/playbook/CFPOC_HAPROXY.yaml
@@ -0,0 +1,30 @@
+config:
+ connection:
+ platform: vaas #cloudplatform
+ credentials:
+ apiKey: '{{ Env "TLSPC_APIKEY" }}'
+certificateTasks:
+ - name: haproxy # Task Identifier, can be used with
+ renewBefore: 30d
+ setEnvVars: ["thumbprint"]
+ request:
+ csr: local
+ keySize: 3072
+ subject:
+ commonName: '{{Env "DOMAINS"}}'
+ country: GB
+ locality: London
+ state: London
+ organization: Venafi
+ orgUnits:
+ - vcert
+ sanDNS:
+ - '{{Env "DOMAINS"}}'
+ zone: 'HAProxy\public_le'
+ installations:
+ - format: PEM
+ file: "/etc/ssl/private/haproxy_443.pem"
+ chainFile: "/etc/ssl/private/haproxy_443.chain"
+ keyFile: "/etc/ssl/private/haproxy_443.key"
+ afterInstallAction: "cat /etc/ssl/private/haproxy_443.chain >> /etc/ssl/private/haproxy_443.pem && cat /etc/ssl/private/haproxy_443.key >> /etc/ssl/private/haproxy_443.pem && systemctl restart haproxy"
+
diff --git a/examples/playbook/CFPOC_HTTPD.yaml b/examples/playbook/CFPOC_HTTPD.yaml
new file mode 100644
index 00000000..f112c50c
--- /dev/null
+++ b/examples/playbook/CFPOC_HTTPD.yaml
@@ -0,0 +1,30 @@
+config:
+ connection:
+ platform: vaas #cloudplatform
+ credentials:
+ apiKey: '{{ Env "TLSPC_APIKEY" }}'
+certificateTasks:
+ - name: httpd # Task Identifier, can be used with
+ renewBefore: 30d
+ setEnvVars: ["thumbprint"]
+ request:
+ csr: local
+ keySize: 3072
+ subject:
+ commonName: '{{Env "DOMAINS"}}'
+ country: GB
+ locality: London
+ state: London
+ organization: Venafi
+ orgUnits:
+ - vcert
+ sanDNS:
+ - '{{Env "DOMAINS"}}'
+ zone: 'Apache\public_le'
+ installations:
+ - format: PEM
+ file: "/etc/ssl/certs/apache_443.crt"
+ chainFile: "/etc/ssl/certs/apache_443.chain.crt"
+ keyFile: "/etc/ssl/private/apache_443.key"
+ afterInstallAction: "systemctl restart apache2"
+
\ No newline at end of file
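Review bot: The `afterInstallAction` in CFPOC_HAPROXY.yaml appends the private key to `/etc/ssl/private/haproxy_443.pem` without setting that file's mode, so the combined bundle keeps whatever permissions the certificate file was written with. Because the bundle then holds key material, tighten it before the key is appended, for example by starting the action with `chmod 600 /etc/ssl/private/haproxy_443.pem &&`. TLSPC_US_POD_HAPROXY_Demo.yaml builds its bundle the same way under `/etc/haproxy/certs`, a directory whose permissions this commit does not show.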
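Review bot: The inline comment on `name: httpd` stops mid-sentence (`# Task Identifier, can be used with`), and the same truncated comment is copied into most of the Linux playbooks in this commit. Judging from the Windows playbooks here, where task `IISDC` pairs with `$Env:VCERT_IISDC_THUMBPRINT` and task `RDP` with `$Env:VCERT_RDP_THUMBPRINT`, the name appears to feed the variable exported through `setEnvVars`. A complete comment such as `# Task identifier; forms the VCERT_<NAME>_THUMBPRINT variable exported by setEnvVars` would say so, and it would replace the `no relevance in tool run` wording in the IIS, RDP and WinRM playbooks, which the thumbprint variables contradict.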
diff --git a/examples/playbook/CFPOC_NGINX.yaml b/examples/playbook/CFPOC_NGINX.yaml
new file mode 100644
index 00000000..7cadd8ea
--- /dev/null
+++ b/examples/playbook/CFPOC_NGINX.yaml
@@ -0,0 +1,30 @@
+config:
+ connection:
+ platform: vaas #cloudplatform
+ credentials:
+ apiKey: '{{ Env "TLSPC_APIKEY" }}'
+certificateTasks:
+ - name: nginx # Task Identifier, can be used with
+ renewBefore: 30d
+ setEnvVars: ["thumbprint"]
+ request:
+ csr: local
+ keySize: 3072
+ subject:
+ commonName: '{{Env "DOMAINS"}}'
+ country: GB
+ locality: London
+ state: London
+ organization: Venafi
+ orgUnits:
+ - vcert
+ sanDNS:
+ - '{{Env "DOMAINS"}}'
+ zone: 'Nginx\public_le'
+ installations:
+ - format: PEM
+ file: "/etc/ssl/certs/nginx_443.crt"
+ chainFile: "/etc/ssl/certs/nginx_443.chain.crt"
+ keyFile: "/etc/ssl/private/nginx_443.key"
+ afterInstallAction: "cat /etc/ssl/certs/nginx_443.chain.crt >> /etc/ssl/certs/nginx_443.crt && systemctl reload nginx"
+
diff --git a/examples/playbook/CFPOC_TOMCAT.yaml b/examples/playbook/CFPOC_TOMCAT.yaml
new file mode 100644
index 00000000..12251e72
--- /dev/null
+++ b/examples/playbook/CFPOC_TOMCAT.yaml
@@ -0,0 +1,31 @@
+config:
+ connection:
+ platform: vaas #cloudplatform
+ credentials:
+ apiKey: '{{ Env "TLSPC_APIKEY" }}'
+certificateTasks:
+ - name: tomcat # Task Identifier, can be used with
+ renewBefore: 30d
+ setEnvVars: ["thumbprint"]
+ request:
+ csr: local
+ keySize: 3072
+ subject:
+ commonName: '{{Env "DOMAINS"}}'
+ country: GB
+ locality: London
+ state: London
+ organization: Venafi
+ orgUnits:
+ - vcert
+ sanDNS:
+ - '{{Env "DOMAINS"}}'
+ zone: 'Tomcat\public_le'
+ installations:
+ - format: JKS
+ file: '/etc/ssl/private/tomcat_8443.jks'
+ jksAlias: tomcat8443
+ jksPassword: '{{ Env "KEYSTOREPASS" }}'
+ afterInstallAction: "systemctl restart tomcat"
+ backupFiles: true
+
diff --git a/examples/playbook/CFPOC_TOMCAT_P12.yaml b/examples/playbook/CFPOC_TOMCAT_P12.yaml
new file mode 100644
index 00000000..c614a3c1
--- /dev/null
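Review bot: In CFPOC_NGINX.yaml `{{Env "DOMAINS"}}` is used verbatim as `commonName` and as the single `sanDNS` entry, but nothing documents that the variable must hold exactly one host name. The plural name invites a comma- or space-separated list, which would reach the request as one malformed name, and an unset variable would presumably render an empty subject. A header comment such as `# DOMAINS must be set to one fully qualified host name` would cover it; the other CFPOC_* playbooks and the TLSPC_US_POD_* demos use the variable the same way.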
+++ b/examples/playbook/CFPOC_TOMCAT_P12.yaml
@@ -0,0 +1,29 @@
+config:
+ connection:
+ platform: vaas #cloudplatform
+ credentials:
+ apiKey: '{{ Env "TLSPC_APIKEY" }}'
+certificateTasks:
+ - name: tomcat # Task Identifier, can be used with
+ renewBefore: 30d
+ setEnvVars: ["thumbprint"]
+ request:
+ csr: local
+ keySize: 3072
+ subject:
+ commonName: '{{Env "DOMAINS"}}'
+ country: GB
+ locality: London
+ state: London
+ organization: Venafi
+ orgUnits:
+ - vcert
+ sanDNS:
+ - '{{Env "DOMAINS"}}'
+ zone: 'Tomcat\public_le'
+ installations:
+ - format: PKCS12
+ file: '/etc/ssl/private/tomcat_8443.p12'
+ p12Password: '{{ Env "KEYSTOREPASS" }}'
+ afterInstallAction: "systemctl restart tomcat"
+
diff --git a/examples/playbook/TLSDC_IIS_DefaultWebSite.yaml b/examples/playbook/TLSDC_IIS_DefaultWebSite.yaml
new file mode 100644
index 00000000..de437c47
--- /dev/null
+++ b/examples/playbook/TLSDC_IIS_DefaultWebSite.yaml
@@ -0,0 +1,32 @@
+config:
+ connection:
+ platform: tpp
+ url: https://dc.tlsp.demo # URL to TPP instance
+ credentials:
+ accessToken: '{{ Env "TPP_ACCESS_TOKEN" }}'
+ refreshToken: '{{ Env "TPP_REFRESH_TOKEN" }}'
+certificateTasks:
+ - name: IIS # Task Identifier, no relevance in tool run
+ renewBefore: 30d
+ setEnvVars: ["thumbprint"]
+ request:
+ csr: local
+ keySize: 3072
+ subject:
+ commonName: '{{ Env "TLSPC_Hostname" }}.tlsp.demo'
+ country: GB
+ locality: London
+ state: London
+ organization: Venafi
+ orgUnits: [IIS]
+ sanDNS:
+ - '{{ Hostname | ToLower -}}.venafidemo.com'
+ zone: 'Certificates\IIS\Pull'
+ installations:
+ - format: CAPI
+ capiLocation: 'LocalMachine\MY'
+ capiFriendlyName: 'vCert Playbook - TLSDC_IIS_DefaultWebSite'
+ capiIsNonExportable: True
+ afterInstallAction: Import-Module Webadministration; Get-WebBinding "Default Web Site" | where {($_.protocol -eq "https")} | % {$_.addsslcertificate($Env:VCERT_IIS_THUMBPRINT, "My")}
+
+
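Review bot: In TLSDC_IIS_DefaultWebSite.yaml the `commonName` (`{{ Env "TLSPC_Hostname" }}.tlsp.demo`) is not repeated under `sanDNS`, which lists only `{{ Hostname | ToLower -}}.venafidemo.com`. TLS clients match host names against the SAN extension, so the `.tlsp.demo` name would not validate on this certificate unless the issuing policy copies the CN into the SAN. Add `- '{{ Env "TLSPC_Hostname" }}.tlsp.demo'` to `sanDNS`. The same split between the CN domain and the SAN domain appears in TLSDC_US_IIS_No_Install, TLSDC_US_IIS_P12, TLSPC_US_IIS, TLSPC_US_IIS_No_Install, TLSPC_US_IIS_P12 and TLSPC_US_IIS_ServiceAccount.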
diff --git a/examples/playbook/TLSDC_IIS_Demo.yaml b/examples/playbook/TLSDC_IIS_Demo.yaml
new file mode 100644
index 00000000..27effb2d
--- /dev/null
+++ b/examples/playbook/TLSDC_IIS_Demo.yaml
@@ -0,0 +1,30 @@
+config:
+ connection:
+ platform: tpp
+ url: https://dc.tlsp.demo # URL to TPP instance
+ credentials:
+ accessToken: '{{ Env "TPP_ACCESS_TOKEN" }}'
+ refreshToken: '{{ Env "TPP_REFRESH_TOKEN" }}'
+certificateTasks:
+ - name: IISDC # Task Identifier, no relevance in tool run
+ renewBefore: 30d # or percentage like 30%
+ setEnvVars: ["thumbprint"]
+ request:
+ csr: local
+ keySize: 3072
+ subject:
+ commonName: '{{ Env "TLSPC_Hostname" }}.tlsp.demo'
+ country: GB
+ locality: London
+ state: London
+ organization: Venafi
+ orgUnits: [IIS]
+ sanDNS:
+ - '{{ Env "TLSPC_Hostname" }}.tlsp.demo'
+ zone: 'Certificates\IIS\Pull'
+ installations:
+ - format: CAPI
+ capiLocation: 'LocalMachine\MY'
+ capiFriendlyName: 'vCert Playbook - TLSDC_IIS_Demo' #when changing this also change the removal command below
+ capiIsNonExportable: True
+ afterInstallAction: Import-Module Webadministration; Get-WebBinding tlsDC_Pull | where {($_.protocol -eq "https")} | % {$_.addsslcertificate($Env:VCERT_IISDC_THUMBPRINT, "My")}; Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq "vCert Playbook - TLSDC_IIS_Demo" -and $_.Thumbprint -ne $Env:VCERT_IISDC_THUMBPRINT } | ForEach-Object { Remove-Item -Path "Cert:\LocalMachine\My\$($_.Thumbprint)" -Force }
\ No newline at end of file
diff --git a/examples/playbook/TLSDC_RDP_Demo.yaml b/examples/playbook/TLSDC_RDP_Demo.yaml
new file mode 100644
index 00000000..79560308
--- /dev/null
+++ b/examples/playbook/TLSDC_RDP_Demo.yaml
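Review bot: The certificate cleanup at the end of `afterInstallAction` in TLSDC_IIS_Demo.yaml runs whether or not the binding step worked, because the statements are only joined with `;`. If `Get-WebBinding tlsDC_Pull` returns nothing or `addsslcertificate` throws, the previous certificate, which may still be the one bound to the site, is removed with `-Force`. Start the action with `$ErrorActionPreference = "Stop";` and delete old certificates only after confirming the binding carries the new thumbprint. TLSDC_RDP_Demo, TLSPC_IIS_Demo and TLSPC_US_IIS_ServiceAccount use the same bind-then-delete sequence.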
@@ -0,0 +1,33 @@
+certificateTasks:
+ - name: RDP # Task Identifier, no relevance in tool run
+ renewBefore: 30d # or percentage like 30%
+ setEnvVars: ["thumbprint"]
+ request:
+ csr: local
+ keySize: 3072
+ subject:
+ commonName: '{{ Env "TLSPC_Hostname" }}.tlsp.demo'
+ country: GB
+ locality: London
+ state: London
+ organization: Venafi
+ orgUnits: [RDP]
+ zone: 'Certificates\Demo Operational\Pull\RDP'
+ location:
+ instance: '{{ Env "TLSPC_Hostname" }}.tlsp.demo'
+ tlsAddress: '{{ Env "TLSPC_Hostname" }}.tlsp.demo:3389'
+ zone: 'Installations\Agentless\SLC\Demo Operational\Pull\RDP'
+ replace: true
+ installations:
+ - format: CAPI
+ capiLocation: 'LocalMachine\MY'
+ capiFriendlyName: 'vCert Playbook - TLSDC_RDP_Demo' #when changing this also change the removal command below
+ capiIsNonExportable: True
+ afterInstallAction: $path = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path; $result = Set-WmiInstance -Path $path -argument @{SSLCertificateSHA1Hash="$Env:VCERT_RDP_THUMBPRINT"}; Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq "vCert Playbook - TLSDC_RDP_Demo" -and $_.Thumbprint -ne $Env:VCERT_RDP_THUMBPRINT } | ForEach-Object { Remove-Item -Path "Cert:\LocalMachine\My\$($_.Thumbprint)" -Force }
+config:
+ connection:
+ platform: tpp
+ url: https://dc.tlsp.demo # URL to TPP instance
+ credentials:
+ accessToken: '{{ Env "TPP_ACCESS_TOKEN" }}'
+ refreshToken: '{{ Env "TPP_REFRESH_TOKEN" }}'
\ No newline at end of file
diff --git a/examples/playbook/TLSDC_US_IIS_No_Install.yaml b/examples/playbook/TLSDC_US_IIS_No_Install.yaml
new file mode 100644
index 00000000..c6a46557
--- /dev/null
+++ b/examples/playbook/TLSDC_US_IIS_No_Install.yaml
@@ -0,0 +1,30 @@
+config:
+ connection:
+ platform: tpp
+ url: https://dc.tlsp.demo # URL to TPP instance
+ #trustBundle: /path/to/my/trustbundle.pem # Optional TrustBundle for TPP connection
+ credentials:
+ accessToken: '{{ Env "TPP_ACCESS_TOKEN" }}'
+ refreshToken: '{{ Env "TPP_REFRESH_TOKEN" }}'
+certificateTasks:
+ - name: IIS # Task Identifier, no relevance in tool run
+ renewBefore: 30%
+ setEnvVars: ["thumbprint"]
+ request:
+ csr: local
+ subject:
+ commonName: '{{ Env "TLSPC_Hostname" }}.mimdemo.com'
+ country: GB
+ locality: London
+ state: London
+ organization: Venafi
+ orgUnits: [vcert]
+ sanDNS:
+ - '{{ Hostname | ToLower -}}.venafidemo.com'
+ zone: 'Certificates\vcert\IIS'
+ installations:
+ - format: CAPI
+ capiLocation: 'LocalMachine\MY'
+ capiFriendlyName: 'vCert Playbook - TLSDC_US_IIS_No_Install'
+ capiIsNonExportable: True
+ #afterInstallAction: Import-Module Webadministration; Get-WebBinding vcert_website | where {($_.protocol -eq "https")} | % {$_.addsslcertificate($Env:VCERT_IIS_THUMBPRINT, "My")}
\ No newline at end of file
diff --git a/examples/playbook/TLSDC_US_IIS_P12.yaml b/examples/playbook/TLSDC_US_IIS_P12.yaml
new file mode 100644
index 00000000..16b6dd4e
--- /dev/null
+++ b/examples/playbook/TLSDC_US_IIS_P12.yaml
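Review bot: `capiIsNonExportable: True` is written in title case here and in every other CAPI playbook in this commit, while `replace: true`, `backupFiles: true` and `useLegacyP12: true` elsewhere use the canonical lowercase form. Prefer `capiIsNonExportable: true` throughout, since the mixed spelling is what yamllint's `truthy` rule flags and this setting governs how the private key is stored. The commented-out `afterInstallAction` at the end of the hunk would also read better with a one-line comment saying that this variant deliberately installs without binding.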
@@ -0,0 +1,31 @@
+config:
+ connection:
+ platform: tpp
+ url: https://dc.tlsp.demo # URL to TPP instance
+ #trustBundle: /path/to/my/trustbundle.pem # Optional TrustBundle for TPP connection
+ credentials:
+ accessToken: '{{ Env "TPP_ACCESS_TOKEN" }}'
+ refreshToken: '{{ Env "TPP_REFRESH_TOKEN" }}'
+certificateTasks:
+ - name: IIS # Task Identifier, no relevance in tool run
+ renewBefore: 20%
+ setEnvVars: ["thumbprint"]
+ request:
+ csr: local
+ subject:
+ # Templating needs to go between single quotes to avoid issues when refreshing tokens
+ commonName: '{{ Env "TLSPC_Hostname" }}.mimdemo.com'
+ country: GB
+ locality: London
+ state: London
+ organization: Venafi
+ orgUnits:
+ - vcert
+ sanDNS:
+ - '{{ Hostname | ToLower -}}.venafidemo.com'
+ zone: 'Certificates\vcert\IIS'
+ installations:
+ - format: PKCS12
+ useLegacyP12: true
+ file: 'c:\temp\cert.p12'
+ p12Password: '{{ Env "P12_PASSWORD" }}'
\ No newline at end of file
diff --git a/examples/playbook/TLSDC_US_NGINX.yaml b/examples/playbook/TLSDC_US_NGINX.yaml
new file mode 100644
index 00000000..499c39b6
--- /dev/null
+++ b/examples/playbook/TLSDC_US_NGINX.yaml
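Review bot: The installation writes a PKCS#12 file containing the private key to `c:\temp\cert.p12` with `useLegacyP12: true`. `c:\temp` is commonly readable by other local accounts, and the legacy PKCS#12 encoding relies on older, weaker encryption, so the key ends up protected mainly by the password in `P12_PASSWORD`. Point `file` at a directory restricted to the consuming service account and leave `useLegacyP12` off unless the consumer cannot read the modern format. TLSPC_US_IIS_P12 writes to the same path.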
@@ -0,0 +1,32 @@
+config:
+ connection:
+ platform: tpp
+ url: https://dc.tlsp.demo # URL to TPP instance
+ #trustBundle: /path/to/my/trustbundle.pem # Optional TrustBundle for TPP connection
+ credentials:
+ accessToken: '{{ Env "TPP_ACCESS_TOKEN" }}'
+ refreshToken: '{{ Env "TPP_REFRESH_TOKEN" }}'
+certificateTasks:
+ - name: nginx # Task Identifier, no relevance in tool run
+ renewBefore: 20%
+ setEnvVars: ["thumbprint"]
+ request:
+ csr: local
+ subject:
+ # Templating needs to go between single quotes to avoid issues when refreshing tokens
+ commonName: '{{ Env "TLSPC_Hostname" }}.mimlab.io'
+ country: GB
+ locality: London
+ state: London
+ organization: Venafi
+ orgUnits:
+ - vcert
+ sanDNS:
+ - '{{ Hostname | ToLower -}}.mimlab.io'
+ zone: 'Certificates\vcert\nginx'
+ installations:
+ - format: PEM
+ file: "/etc/nginx/ssl/nginx_443.crt"
+ chainFile: "/etc/nginx/ssl/nginx_443.chain"
+ keyFile: "/etc/nginx/ssl/nginx_443.key"
+ afterInstallAction: "cat /etc/nginx/ssl/nginx_443.chain >> /etc/nginx/ssl/nginx_443.crt && sudo nginx -s reload"
diff --git a/examples/playbook/TLSPC_EU_ENABLE_WINRM_HTTPS_Demo.yaml b/examples/playbook/TLSPC_EU_ENABLE_WINRM_HTTPS_Demo.yaml
new file mode 100644
index 00000000..a0e5b1d3
--- /dev/null
+++ b/examples/playbook/TLSPC_EU_ENABLE_WINRM_HTTPS_Demo.yaml
@@ -0,0 +1,32 @@
+config:
+ connection:
+ platform: vaas #cloudplatform
+ url: https://api.venafi.eu
+ credentials:
+ apiKey: '{{ Env "TLSPC_APIKEY" }}'
+certificateTasks:
+ - name: WINRM # Task Identifier, no relevance in tool run
+ renewBefore: 30d # or percentage like 30%
+ setEnvVars: ["thumbprint"]
+ request:
+ csr: local
+ keySize: 3072
+ subject:
+ commonName: '{{ Env "TLSPC_Hostname" }}'
+ country: GB
+ locality: London
+ state: London
+ organization: Venafi
+ orgUnits: [WINRM]
+ sanDNS:
+ - '{{ Env "TLSPC_Hostname" }}'
+ zone: 'WinRM\ztAllowAll'
+ installations:
+ - format: CAPI
+ capiLocation: 'LocalMachine\MY'
+ capiFriendlyName: 'vCert Playbook - TLSPC_WINRM_Demo'
+ capiIsNonExportable: True
+ afterInstallAction: $setting=Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='WINRM-tcp'"; if ($setting) { Set-WmiInstance -Path $setting.__path -Argument @{SSLCertificateSHA1Hash="$Env:VCERT_WINRM_THUMBPRINT"} }; $listener=Get-Item -Path WSMan:\Localhost\Listener\* | Where-Object { $_.Keys -match "HTTPS" }; if ($listener) { Remove-Item -Path $listener.PSPath -Recurse -Force }; New-Item -Path WSMan:\Localhost\Listener\ -Transport HTTPS -Address * -CertificateThumbprint "$Env:VCERT_WINRM_THUMBPRINT" -Force
+
+
+
diff --git a/examples/playbook/TLSPC_IIS_Demo.yaml b/examples/playbook/TLSPC_IIS_Demo.yaml
new file mode 100644
index 00000000..24b4347b
--- /dev/null
+++ b/examples/playbook/TLSPC_IIS_Demo.yaml
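Review bot: The `afterInstallAction` deletes the existing HTTPS listener before `New-Item` creates its replacement, and the statements are separated by `;`, so a failure in `New-Item` leaves the host with no WinRM HTTPS listener at all. Updating the certificate thumbprint on the existing listener in place, and recreating the listener only when none exists, would avoid that gap in remote management. The leading `Win32_TSGeneralSetting` lookup with `TerminalName='WINRM-tcp'` looks carried over from the RDP playbooks and is probably a no-op behind `if ($setting)`; it should be removed or explained. TLSPC_US_ENABLE_WINRM_HTTPS_Demo and the oAuth variant carry the identical action.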
@@ -0,0 +1,29 @@
+config:
+ connection:
+ platform: tlspc #cloudplatform
+ credentials:
+ externalJWT: '{{ Env "TLSPC_ExternalJWT" }}'
+ tokenURL: '{{ Env "TLSPC_tokenURL" }}' # https://api.venafi.cloud/v1/oauth2/v2.0/0ce51ed1-da6f-11ec-a787-89187550eb51/token'
+certificateTasks:
+ - name: IISPC # Task Identifier, no relevance in tool run
+ renewBefore: 31d # or 30%
+ setEnvVars: ["thumbprint"]
+ request:
+ csr: local
+ subject:
+ commonName: '{{ Env "TLSPC_Hostname" }}.mimdemo.io'
+ country: GB
+ locality: London
+ state: London
+ organization: Venafi
+ orgUnits:
+ - vcert
+ sanDNS:
+ - '{{ Hostname | ToLower -}}.mimdemo.io'
+ zone: 'IIS pull\ztAllowAll'
+ installations:
+ - format: CAPI
+ capiLocation: 'LocalMachine\MY'
+ capiFriendlyName: 'vCert Playbook - TLSPC_IIS_Demo'
+ capiIsNonExportable: True
+ afterInstallAction: Import-Module Webadministration; Get-WebBinding tlsPC_Pull | where {($_.protocol -eq "https")} | % {$_.addsslcertificate($Env:VCERT_IISPC_THUMBPRINT, "My")}; Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq "vCert Playbook - TLSPC_IIS_Demo" -and $_.Thumbprint -ne $Env:VCERT_IISPC_THUMBPRINT } | ForEach-Object { Remove-Item -Path "Cert:\LocalMachine\My\$($_.Thumbprint)" -Force }
\ No newline at end of file
diff --git a/examples/playbook/TLSPC_US_ENABLE_WINRM_HTTPS_Demo.yaml b/examples/playbook/TLSPC_US_ENABLE_WINRM_HTTPS_Demo.yaml
new file mode 100644
index 00000000..f4ae076d
--- /dev/null
+++ b/examples/playbook/TLSPC_US_ENABLE_WINRM_HTTPS_Demo.yaml
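Review bot: The comment after `tokenURL` embeds what looks like a real tenant identifier in its sample URL (the GUID between `v2.0/` and `/token`) and ends with a stray `'`. Example files are copied widely, so replace the GUID with a placeholder, e.g. `# https://api.venafi.cloud/v1/oauth2/v2.0/<tenant-id>/token`. The same comment appears in TLSPC_US_ENABLE_WINRM_HTTPS_oAuth_Demo and TLSPC_US_IIS_ServiceAccount.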
@@ -0,0 +1,31 @@
+config:
+ connection:
+ platform: vaas #cloudplatform
+ credentials:
+ apiKey: '{{ Env "TLSPC_APIKEY" }}'
+certificateTasks:
+ - name: WINRM # Task Identifier, no relevance in tool run
+ renewBefore: 30d # or percentage like 30%
+ setEnvVars: ["thumbprint"]
+ request:
+ csr: local
+ keySize: 3072
+ subject:
+ commonName: '{{ Env "TLSPC_Hostname" }}'
+ country: GB
+ locality: London
+ state: London
+ organization: Venafi
+ orgUnits: [WINRM]
+ sanDNS:
+ - '{{ Env "TLSPC_Hostname" }}'
+ zone: 'WinRM\ztAllowAll'
+ installations:
+ - format: CAPI
+ capiLocation: 'LocalMachine\MY'
+ capiFriendlyName: 'vCert Playbook - TLSPC_WINRM_Demo'
+ capiIsNonExportable: True
+ afterInstallAction: $setting=Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='WINRM-tcp'"; if ($setting) { Set-WmiInstance -Path $setting.__path -Argument @{SSLCertificateSHA1Hash="$Env:VCERT_WINRM_THUMBPRINT"} }; $listener=Get-Item -Path WSMan:\Localhost\Listener\* | Where-Object { $_.Keys -match "HTTPS" }; if ($listener) { Remove-Item -Path $listener.PSPath -Recurse -Force }; New-Item -Path WSMan:\Localhost\Listener\ -Transport HTTPS -Address * -CertificateThumbprint "$Env:VCERT_WINRM_THUMBPRINT" -Force
+
+
+
diff --git a/examples/playbook/TLSPC_US_ENABLE_WINRM_HTTPS_oAuth_Demo.yaml b/examples/playbook/TLSPC_US_ENABLE_WINRM_HTTPS_oAuth_Demo.yaml
new file mode 100644
index 00000000..dac716e9
--- /dev/null
+++ b/examples/playbook/TLSPC_US_ENABLE_WINRM_HTTPS_oAuth_Demo.yaml
@@ -0,0 +1,30 @@
+config:
+ connection:
+ platform: tlspc #cloudplatform
+ credentials:
+ externalJWT: '{{ Env "TLSPC_ExternalJWT" }}'
+ tokenURL: '{{ Env "TLSPC_tokenURL" }}' # https://api.venafi.cloud/v1/oauth2/v2.0/0ce51ed1-da6f-11ec-a787-89187550eb51/token'
+certificateTasks:
+ - name: WINRM # Task Identifier, no relevance in tool run
+ renewBefore: 30d # or percentage like 30%
+ setEnvVars: ["thumbprint"]
+ request:
+ csr: local
+ keySize: 3072
+ subject:
+ commonName: '{{ Env "TLSPC_Hostname" }}.tlsp.demo'
+ country: GB
+ locality: London
+ state: London
+ organization: Venafi
+ orgUnits: [WINRM]
+ sanDNS:
+ - '{{ Env "TLSPC_Hostname" }}.tlsp.demo'
+ zone: 'WinRM\ztAllowAll'
+ installations:
+ - format: CAPI
+ capiLocation: 'LocalMachine\MY'
+ capiFriendlyName: 'vCert Playbook - TLSPC_WINRM_Demo'
+ capiIsNonExportable: True
+ afterInstallAction: $setting=Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='WINRM-tcp'"; if ($setting) { Set-WmiInstance -Path $setting.__path -Argument @{SSLCertificateSHA1Hash="$Env:VCERT_WINRM_THUMBPRINT"} }; $listener=Get-Item -Path WSMan:\Localhost\Listener\* | Where-Object { $_.Keys -match "HTTPS" }; if ($listener) { Remove-Item -Path $listener.PSPath -Recurse -Force }; New-Item -Path WSMan:\Localhost\Listener\ -Transport HTTPS -Address * -CertificateThumbprint "$Env:VCERT_WINRM_THUMBPRINT" -Force
+
diff --git a/examples/playbook/TLSPC_US_IIS.yaml b/examples/playbook/TLSPC_US_IIS.yaml
new file mode 100644
index 00000000..6786f142
--- /dev/null
+++ b/examples/playbook/TLSPC_US_IIS.yaml
@@ -0,0 +1,30 @@
+config:
+ connection:
+ platform: vAaS #cloudplatform
+ credentials:
+ apiKey: '{{ Env "TLSPC_APIKEY" }}'
+certificateTasks:
+ - name: IIS # Task Identifier, no relevance in tool run
+ renewBefore: 20%
+ setEnvVars: ["thumbprint"]
+ request:
+ csr: local
+ subject:
+ commonName: '{{ Env "TLSPC_Hostname" }}.mimdemo.com'
+ country: GB
+ locality: London
+ state: London
+ organization: Venafi
+ orgUnits:
+ - vcert
+ sanDNS:
+ - '{{ Hostname | ToLower -}}.venafidemo.com'
+ zone: 'IIS pull\ztAllowAll'
+ installations:
+ - format: CAPI
+ capiLocation: 'LocalMachine\MY'
+ capiFriendlyName: 'vCert Playbook - TLSPC_US_IIS'
+ capiIsNonExportable: True
+ afterInstallAction: Import-Module Webadministration; Get-WebBinding vcert_website | where {($_.protocol -eq "https")} | % {$_.addsslcertificate($Env:VCERT_IIS_THUMBPRINT, "My")}
+
+
diff --git a/examples/playbook/TLSPC_US_IIS_No_Install.yaml b/examples/playbook/TLSPC_US_IIS_No_Install.yaml
new file mode 100644
index 00000000..3bc53d83
--- /dev/null
+++ b/examples/playbook/TLSPC_US_IIS_No_Install.yaml
@@ -0,0 +1,30 @@
+config:
+ connection:
+ platform: vAaS #cloudplatform
+ credentials:
+ apiKey: '{{ Env "TLSPC_APIKEY" }}'
+certificateTasks:
+ - name: IIS # Task Identifier, no relevance in tool run
+ renewBefore: 20%
+ setEnvVars: ["thumbprint"]
+ request:
+ csr: local
+ subject:
+ commonName: '{{ Env "TLSPC_Hostname" }}.mimdemo.com'
+ country: GB
+ locality: London
+ state: London
+ organization: Venafi
+ orgUnits:
+ - vcert
+ sanDNS:
+ - '{{ Hostname | ToLower -}}.venafidemo.com'
+ zone: 'IIS pull\ztAllowAll'
+ installations:
+ - format: CAPI
+ capiLocation: 'LocalMachine\MY'
+ useLegacyP12: '{{ Env "useLegacyP12" "false"}}'
+ capiFriendlyName: 'vCert Playbook - TLSPC_US_IIS_No_Install'
+ capiIsNonExportable: True
+ afterInstallAction: 'echo success!'
+
diff --git a/examples/playbook/TLSPC_US_IIS_P12.yaml b/examples/playbook/TLSPC_US_IIS_P12.yaml
new file mode 100644
index 00000000..078c2517
--- /dev/null
+++ b/examples/playbook/TLSPC_US_IIS_P12.yaml
@@ -0,0 +1,27 @@
+config:
+ connection:
+ platform: vAaS #cloudplatform
+ credentials:
+ apiKey: '{{ Env "TLSPC_APIKEY" }}'
+certificateTasks:
+ - name: p12 # Task Identifier, no relevance in tool run
+ renewBefore: 20%
+ setEnvVars: ["thumbprint"]
+ request:
+ csr: local
+ subject:
+ commonName: '{{ Env "TLSPC_Hostname" }}.mimdemo.com'
+ country: GB
+ locality: London
+ state: London
+ organization: Venafi
+ orgUnits:
+ - vcert
+ sanDNS:
+ - '{{ Hostname | ToLower -}}.venafidemo.com'
+ zone: 'IIS pull\ztAllowAll'
+ installations:
+ - format: PKCS12
+ useLegacyP12: '{{ Env "useLegacyP12" "false" }}'
+ file: 'c:\temp\cert.p12'
+ p12Password: '{{ Env "P12_PASSWORD" }}'
\ No newline at end of file
diff --git a/examples/playbook/TLSPC_US_IIS_ServiceAccount.yaml b/examples/playbook/TLSPC_US_IIS_ServiceAccount.yaml
new file mode 100644
index 00000000..b774631b
--- /dev/null
+++ b/examples/playbook/TLSPC_US_IIS_ServiceAccount.yaml
@@ -0,0 +1,34 @@
+config:
+ connection:
+ platform: tlspc #cloudplatform
+ credentials:
+ externalJWT: '{{ Env "TLSPC_ExternalJWT" }}'
+ tokenURL: '{{ Env "TLSPC_tokenURL" }}' # https://api.venafi.cloud/v1/oauth2/v2.0/0ce51ed1-da6f-11ec-a787-89187550eb51/token'
+certificateTasks:
+ - name: IIS # Task Identifier, no relevance in tool run
+ renewBefore: 30%
+ setEnvVars: ["thumbprint"]
+ request:
+ timeout: 60
+ csr: local
+ subject:
+ commonName: '{{ Env "TLSPC_Hostname" }}.mimlab.io'
+ country: GB
+ locality: London
+ state: London
+ organization: Venafi
+ orgUnits:
+ - vcert
+ sanDNS:
+ - '{{ Hostname | ToLower -}}.tlsp.demo'
+ zone: 'IIS pull\ztAllowAll'
+ installations:
+ - format: CAPI
+ capiLocation: 'LocalMachine\MY'
+ capiFriendlyName: 'vCert Playbook - TLSPC_US_IIS'
+ capiIsNonExportable: True
+ afterInstallAction: Import-Module Webadministration; Get-WebBinding tlsPC_Pull | where {($_.protocol -eq "https")} | % {$_.addsslcertificate($Env:VCERT_IIS_THUMBPRINT, "My")}; Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq "vCert Playbook - TLSPC_US_IIS" -and $_.Thumbprint -ne $Env:VCERT_IIS_THUMBPRINT } | ForEach-Object { Remove-Item -Path "Cert:\LocalMachine\My\$($_.Thumbprint)" -Force }
+
+
+
+
diff --git a/examples/playbook/TLSPC_US_JENKINS.yaml b/examples/playbook/TLSPC_US_JENKINS.yaml
new file mode 100644
index 00000000..ea791e90
--- /dev/null
+++ b/examples/playbook/TLSPC_US_JENKINS.yaml
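Review bot: `capiFriendlyName` is `'vCert Playbook - TLSPC_US_IIS'`, the same value TLSPC_US_IIS.yaml uses, and the cleanup in this file's `afterInstallAction` deletes every certificate in `LocalMachine\My` that has that friendly name and a different thumbprint. On a host where both playbooks run, this one would remove the certificate installed by the other; both also use task name `IIS` and read `VCERT_IIS_THUMBPRINT`. Give this file its own value, e.g. `capiFriendlyName: 'vCert Playbook - TLSPC_US_IIS_ServiceAccount'`, and change the `-eq` filter in the cleanup to match.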
@@ -0,0 +1,29 @@
+config:
+ connection:
+ platform: vAaS #cloudplatform
+ credentials:
+ apiKey: '{{ Env "TLSPC_APIKEY" }}'
+certificateTasks:
+ - name: Jenkins # Task Identifier
+ renewBefore: 30d # 20%
+ setEnvVars: ["thumbprint"]
+ request:
+ csr: local
+ validDays: 31d
+ subject:
+ commonName: '{{ Env "TLSPC_Hostname" }}.tlsp.demo'
+ country: GB
+ locality: London
+ state: London
+ organization: Venafi
+ orgUnits:
+ - vcert
+ sanDNS:
+ - '{{ Env "TLSPC_Hostname"}}.tlsp.demo'
+ - '{{ Hostname | ToLower -}}.tlsp.demo'
+ zone: "jenkins\\ztAllowAll"
+ installations:
+ - format: PKCS12
+ file: '/var/lib/jenkins/certs/jenkins.p12'
+ p12Password: '{{ Env "P12_PASSWORD" }}'
+ afterInstallAction: 'sudo systemctl restart jenkins'
\ No newline at end of file
diff --git a/examples/playbook/TLSPC_US_POD_HAPROXY_Demo.yaml b/examples/playbook/TLSPC_US_POD_HAPROXY_Demo.yaml
new file mode 100644
index 00000000..7c9fde8b
--- /dev/null
+++ b/examples/playbook/TLSPC_US_POD_HAPROXY_Demo.yaml
@@ -0,0 +1,29 @@
+config:
+ connection:
+ platform: vaas #cloudplatform
+ credentials:
+ apiKey: '{{ Env "TLSPC_APIKEY" }}'
+certificateTasks:
+ - name: haproxy # Task Identifier, can be used with
+ renewBefore: 30d
+ setEnvVars: ["thumbprint"]
+ request:
+ csr: local
+ keySize: 3072
+ subject:
+ commonName: '{{Env "DOMAINS"}}'
+ country: GB
+ locality: London
+ state: London
+ organization: Venafi
+ orgUnits:
+ - vcert
+ sanDNS:
+ - '{{Env "DOMAINS"}}'
+ zone: 'vcert\ztAllowAll'
+ installations:
+ - format: PEM
+ file: "/etc/haproxy/certs/haproxy_443.pem"
+ chainFile: "/etc/haproxy/certs/haproxy_443.chain"
+ keyFile: "/etc/haproxy/certs/haproxy_443.key"
+ afterInstallAction: "cat /etc/haproxy/certs/haproxy_443.chain >> /etc/haproxy/certs/haproxy_443.pem && cat /etc/haproxy/certs/haproxy_443.key >> /etc/haproxy/certs/haproxy_443.pem && systemctl restart haproxy"
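Review bot: In TLSPC_US_JENKINS.yaml `validDays: 31d` combined with `renewBefore: 30d` leaves about one day before the certificate is due for renewal again, so nearly every scheduled run would presumably reissue it and execute `sudo systemctl restart jenkins`. If that churn is intended for the demo, say so in a comment; otherwise use the percentage the existing comment already hints at, `renewBefore: 20%`. The action also depends on passwordless `sudo` for the account that runs the playbook, which deserves a comment of its own.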
diff --git a/examples/playbook/TLSPC_US_POD_HTTPD_Demo.yaml b/examples/playbook/TLSPC_US_POD_HTTPD_Demo.yaml
new file mode 100644
index 00000000..2128dbbc
--- /dev/null
+++ b/examples/playbook/TLSPC_US_POD_HTTPD_Demo.yaml
@@ -0,0 +1,30 @@
+config:
+ connection:
+ platform: vaas #cloudplatform
+ credentials:
+ apiKey: '{{ Env "TLSPC_APIKEY" }}'
+certificateTasks:
+ - name: httpd # Task Identifier, can be used with
+ renewBefore: 30d
+ setEnvVars: ["thumbprint"]
+ request:
+ csr: local
+ keySize: 3072
+ subject:
+ commonName: '{{Env "DOMAINS"}}'
+ country: GB
+ locality: London
+ state: London
+ organization: Venafi
+ orgUnits:
+ - vcert
+ sanDNS:
+ - '{{Env "DOMAINS"}}'
+ zone: 'vcert\ztAllowAll'
+ installations:
+ - format: PEM
+ file: "/etc/apache2/ssl/apache_443.crt"
+ chainFile: "/etc/apache2/ssl/apache_443.chain"
+ keyFile: "/etc/apache2/ssl/apache_443.key"
+ afterInstallAction: "cat /etc/apache2/ssl/apache_443.chain >> /etc/apache2/ssl/apache_443.crt && nohup systemctl apache2 restart"
+
diff --git a/examples/playbook/TLSPC_US_POD_NGINX_Demo.yaml b/examples/playbook/TLSPC_US_POD_NGINX_Demo.yaml
new file mode 100644
index 00000000..a4493680
--- /dev/null
+++ b/examples/playbook/TLSPC_US_POD_NGINX_Demo.yaml
@@ -0,0 +1,30 @@
+config:
+ connection:
+ platform: vaas #cloudplatform
+ credentials:
+ apiKey: '{{ Env "TLSPC_APIKEY" }}'
+certificateTasks:
+ - name: nginx # Task Identifier, can be used with
+ renewBefore: 30d
+ setEnvVars: ["thumbprint"]
+ request:
+ csr: local
+ keySize: 3072
+ subject:
+ commonName: '{{Env "DOMAINS"}}'
+ country: GB
+ locality: London
+ state: London
+ organization: Venafi
+ orgUnits:
+ - vcert
+ sanDNS:
+ - '{{Env "DOMAINS"}}'
+ zone: 'vcert\ztAllowAll'
+ installations:
+ - format: PEM
+ file: "/etc/nginx/ssl/nginx_443.crt"
+ chainFile: "/etc/nginx/ssl/nginx_443.chain"
+ keyFile: "/etc/nginx/ssl/nginx_443.key"
+ afterInstallAction: "cat /etc/nginx/ssl/nginx_443.chain >> /etc/nginx/ssl/nginx_443.crt && sudo nginx -s reload"
+
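Review bot: The restart command in TLSPC_US_POD_HTTPD_Demo.yaml has its arguments in the wrong order: `nohup systemctl apache2 restart` passes `apache2` where systemctl expects the verb, so the command is rejected and Apache keeps serving the old certificate. Use `systemctl restart apache2`, as CFPOC_HTTPD.yaml does. The private key is also written beside the certificates in `/etc/apache2/ssl`, whereas the CFPOC variant keeps it under `/etc/ssl/private`, so that directory's permissions should be stated or checked.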
diff --git a/examples/playbook/TLSPC_US_POD_TOMCAT_Demo.yaml b/examples/playbook/TLSPC_US_POD_TOMCAT_Demo.yaml
new file mode 100644
index 00000000..1b7e4ca2
--- /dev/null
+++ b/examples/playbook/TLSPC_US_POD_TOMCAT_Demo.yaml
@@ -0,0 +1,30 @@
+config:
+ connection:
+ platform: vaas #cloudplatform
+ credentials:
+ apiKey: '{{ Env "TLSPC_APIKEY" }}'
+certificateTasks:
+ - name: tomcat # Task Identifier, can be used with
+ renewBefore: 30d
+ setEnvVars: ["thumbprint"]
+ request:
+ csr: local
+ keySize: 3072
+ subject:
+ commonName: '{{Env "DOMAINS"}}'
+ country: GB
+ locality: London
+ state: London
+ organization: Venafi
+ orgUnits:
+ - vcert
+ sanDNS:
+ - '{{Env "DOMAINS"}}'
+ zone: 'vcert\ztAllowAll'
+ installations:
+ - format: JKS
+ file: '/usr/share/tomcat/ssl/tomcat_443.jks'
+ jksAlias: tomcat443
+ jksPassword: '{{ Env "KEYSTOREPASS" }}'
+ afterInstallAction: "systemctl restart tomcat"
+ backupFiles: true
\ No newline at end of file
diff --git a/examples/playbook/TLSPC_US_POD_WORKSHOP_LAB3_WEB_FRONTEND.yaml b/examples/playbook/TLSPC_US_POD_WORKSHOP_LAB3_WEB_FRONTEND.yaml
new file mode 100644
index 00000000..04282ed5
--- /dev/null
+++ b/examples/playbook/TLSPC_US_POD_WORKSHOP_LAB3_WEB_FRONTEND.yaml
@@ -0,0 +1,29 @@
+config:
+ connection:
+ platform: vaas #cloudplatform
+ credentials:
+ apiKey: '{{ Env "TLSPC_APIKEY" }}'
+certificateTasks:
+ - name: haproxy # Task Identifier, can be used with
+ renewBefore: 30d
+ setEnvVars: ["thumbprint"]
+ request:
+ csr: local
+ keySize: 3072
+ subject:
+ commonName: '{{Env "WEBDOMAIN"}}'
+ country: GB
+ locality: London
+ state: London
+ organization: Venafi
+ orgUnits:
+ - vcert
+ sanDNS:
+ - '{{Env "WEBDOMAIN"}}'
+ zone: 'Workshop Labs\Workshops-ztPKUS'
+ installations:
+ - format: PEM
+ file: "/etc/ssl/certs/web.crt"
+ chainFile: "/etc/ssl/certs/web.crt.chain"
+ keyFile: "/etc/ssl/private/web.key"
+ afterInstallAction: "cat /etc/ssl/certs/web.crt.chain >> /etc/ssl/certs/web.crt"
\ No newline at end of file
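Review bot: The `afterInstallAction` in TLSPC_US_POD_WORKSHOP_LAB3_WEB_FRONTEND.yaml only appends the chain to `/etc/ssl/certs/web.crt`; nothing reloads the service that reads the file, so a renewed certificate would sit on disk while the running process presumably keeps presenting the old one. Append the reload for whichever server consumes these paths, as the other playbooks do with `&& systemctl reload nginx`, and rename the task from `haproxy` to something that matches the web front end. TLSPC_US_POD_WORKSHOP_PUBLICCERT_NGINX carries the same action and the same copied task name.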
diff --git a/examples/playbook/TLSPC_US_POD_WORKSHOP_LABS_GUACAMOLE.yaml b/examples/playbook/TLSPC_US_POD_WORKSHOP_LABS_GUACAMOLE.yaml
new file mode 100644
index 00000000..e10a85ca
--- /dev/null
+++ b/examples/playbook/TLSPC_US_POD_WORKSHOP_LABS_GUACAMOLE.yaml
@@ -0,0 +1,26 @@
+config:
+ connection:
+ platform: vaas #cloudplatform
+ credentials:
+ apiKey: '{{ Env "TLSPC_APIKEY" }}'
+certificateTasks:
+ - name: guacamole # Task Identifier, can be used with
+ renewBefore: 30d
+ setEnvVars: ["thumbprint"]
+ request:
+ csr: local
+ keySize: 3072
+ subject:
+ commonName: '{{Env "PUBLICDOMAIN"}}'
+ country: US
+ locality: Salt Lake City
+ state: Utah
+ organization: Venafi, Inc.
+ sanDNS:
+ - '{{Env "PUBLICDOMAIN"}}'
+ zone: 'Workshop Labs\Workshop Public'
+ installations:
+ - format: PEM
+ file: "/config/ssl/cert.pem"
+ chainFile: "/config/ssl/chain.pem"
+ keyFile: "/config/ssl/cert.key"
\ No newline at end of file
diff --git a/examples/playbook/TLSPC_US_POD_WORKSHOP_PUBLICCERT_CAPI.yaml b/examples/playbook/TLSPC_US_POD_WORKSHOP_PUBLICCERT_CAPI.yaml
new file mode 100644
index 00000000..a316a96c
--- /dev/null
+++ b/examples/playbook/TLSPC_US_POD_WORKSHOP_PUBLICCERT_CAPI.yaml
@@ -0,0 +1,32 @@
+config:
+ connection:
+ platform: vaas #cloudplatform
+ credentials:
+ apiKey: '{{ Env "TLSPC_APIKEY" }}'
+certificateTasks:
+ - name: haproxy # Task Identifier, can be used with
+ renewBefore: 30d
+ setEnvVars: ["thumbprint"]
+ request:
+ csr: local
+ keySize: 3072
+ subject:
+ commonName: '{{Env "PUBLICDOMAIN"}}'
+ country: US
+ locality: Salt Lake City
+ state: Utah
+ organization: Venafi, Inc.
+ sanDNS:
+ - '{{Env "PUBLICDOMAIN"}}'
+ zone: 'Workshop Labs\Workshop Public' #public or testing cert determined in control plane
+ installations:
+ - format: PEM
+ file: 'c:\ssl\certs\web.crt'
+ chainFile: 'c:\ssl\certs\web.crt.chain'
+ keyFile: 'c:\ssl\private\web.key'
+ #afterInstallAction: "cat /etc/ssl/certs/web.crt.chain >> /etc/ssl/certs/web.crt"
+ - format: CAPI
+ capiLocation: 'LocalMachine\MY'
+ capiFriendlyName: 'vCert Playbook - BastioHost' #when changing this also change the removal command below
+ capiIsNonExportable: True
+ # afterInstallAction: Import-Module Webadministration; Get-WebBinding tlsDC_Pull | where {($_.protocol -eq "https")} | % {$_.addsslcertificate($Env:VCERT_IISDC_THUMBPRINT, "My")}; Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq "vCert Playbook - TLSDC_IIS_Demo" -and $_.Thumbprint -ne $Env:VCERT_IISDC_THUMBPRINT } | ForEach-Object { Remove-Item -Path "Cert:\LocalMachine\My\$($_.Thumbprint)" -Force }
\ No newline at end of file
diff --git a/examples/playbook/TLSPC_US_POD_WORKSHOP_PUBLICCERT_KEYCLOACK.yaml b/examples/playbook/TLSPC_US_POD_WORKSHOP_PUBLICCERT_KEYCLOACK.yaml
new file mode 100644
index 00000000..465efdca
--- /dev/null
+++ b/examples/playbook/TLSPC_US_POD_WORKSHOP_PUBLICCERT_KEYCLOACK.yaml
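Review bot: The first installation writes the private key in the clear to `c:\ssl\private\web.key`, which undercuts `capiIsNonExportable: True` on the second installation, because the same key can be copied from the PEM file instead of being exported from the store. If both formats are really needed, restrict the ACL on `c:\ssl\private` to the consuming service account and say so in a comment; otherwise drop the PEM installation. The friendly name `'vCert Playbook - BastioHost'` looks like a typo for BastionHost, and its comment refers to a removal command that is commented out and filters on a different friendly name (`TLSDC_IIS_Demo`).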
@@ -0,0 +1,28 @@
+config:
+ connection:
+ platform: vaas #cloudplatform
+ credentials:
+ apiKey: '{{ Env "TLSPC_APIKEY" }}'
+certificateTasks:
+ - name: haproxy # Task Identifier, can be used with
+ renewBefore: 30d
+ setEnvVars: ["thumbprint"]
+ request:
+ csr: local
+ keySize: 3072
+ subject:
+ commonName: '{{Env "PUBLICDOMAIN"}}'
+ country: US
+ locality: Salt Lake City
+ state: Utah
+ organization: Venafi, Inc.
+ sanDNS:
+ - '{{Env "PUBLICDOMAIN"}}'
+ zone: 'Workshop Labs\Workshop Public' #public or internal controled in the control plane
+ installations:
+ - format: PEM
+ file: "/opt/keycloak/conf/server.crt.pem"
+ chainFile: "/opt/keycloak/conf/server.crt.chain"
+ keyFile: "/opt/keycloak/conf/server.key.pem"
+ afterInstallAction: "chmod 644 /opt/keycloak/conf/*"
+ #&& cat /opt/keycloak/conf/server.crt.chain >> /opt/keycloak/conf/server.crt.pem"
\ No newline at end of file
diff --git a/examples/playbook/TLSPC_US_POD_WORKSHOP_PUBLICCERT_NGINX.yaml b/examples/playbook/TLSPC_US_POD_WORKSHOP_PUBLICCERT_NGINX.yaml
new file mode 100644
index 00000000..e0e999d2
--- /dev/null
+++ b/examples/playbook/TLSPC_US_POD_WORKSHOP_PUBLICCERT_NGINX.yaml
@@ -0,0 +1,27 @@
+config:
+ connection:
+ platform: vaas #cloudplatform
+ credentials:
+ apiKey: '{{ Env "TLSPC_APIKEY" }}'
+certificateTasks:
+ - name: haproxy # Task Identifier, can be used with
+ renewBefore: 30d
+ setEnvVars: ["thumbprint"]
+ request:
+ csr: local
+ keySize: 3072
+ subject:
+ commonName: '{{Env "PUBLICDOMAIN"}}'
+ country: US
+ locality: Salt Lake City
+ state: Utah
+ organization: Venafi, Inc.
+ sanDNS:
+ - '{{Env "PUBLICDOMAIN"}}'
+ zone: 'Workshop Labs\Workshop Public' #public or internal controled in the control plane
+ installations:
+ - format: PEM
+ file: "/etc/ssl/certs/web.crt"
+ chainFile: "/etc/ssl/certs/web.crt.chain"
+ keyFile: "/etc/ssl/private/web.key"
+ afterInstallAction: "cat /etc/ssl/certs/web.crt.chain >> /etc/ssl/certs/web.crt"
\ No newline at end of file
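Review bot: `chmod 644 /opt/keycloak/conf/*` in TLSPC_US_POD_WORKSHOP_PUBLICCERT_KEYCLOACK.yaml makes the private key `server.key.pem` readable by every local user, and the wildcard does the same to whatever else lives in that directory. Set modes per file instead: `afterInstallAction: "chmod 644 /opt/keycloak/conf/server.crt.pem /opt/keycloak/conf/server.crt.chain && chmod 600 /opt/keycloak/conf/server.key.pem"`. If Keycloak runs as a different user from the one running the playbook, the key also needs a `chown` to that user, or mode 640 with its group; the hunk does not show which account is involved. The task name `haproxy` looks copied from another playbook.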
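Review bot: The `afterInstallAction` in TLSPC_US_POD_WORKSHOP_PUBLICCERT_NGINX.yaml appends the chain to `/etc/ssl/certs/web.crt` but never tells nginx to re-read it, so a renewed certificate stays unused until the next manual reload and the old one can expire in service. Append the reload: `afterInstallAction: "cat /etc/ssl/certs/web.crt.chain >> /etc/ssl/certs/web.crt && systemctl reload nginx"`. The `>>` is only safe if the tool rewrites `web.crt` on every install before the action runs; a comment saying so would help the next reader. The task is named `haproxy` here as well, which presumably ends up in the thumbprint variable name.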
diff --git a/examples/playbook/TLSPC_US_RDP.yaml b/examples/playbook/TLSPC_US_RDP.yaml
new file mode 100644
index 00000000..20505c51
--- /dev/null
+++ b/examples/playbook/TLSPC_US_RDP.yaml
@@ -0,0 +1,30 @@
+config:
+ connection:
+ platform: vAaS #cloudplatform
+ credentials:
+ apiKey: '{{ Env "TLSPC_APIKEY" }}'
+certificateTasks:
+ - name: RDP # Task Identifier, no relevance in tool run
+ renewBefore: 20%
+ setEnvVars: ["thumbprint"]
+ request:
+ csr: local
+ validDays: 31d
+ subject:
+ commonName: '{{ Env "TLSPC_Hostname" }}.venafidemo.com'
+ country: GB
+ locality: London
+ state: London
+ organization: Venafi
+ orgUnits:
+ - vcert
+ sanDNS:
+ - '{{ Env "TLSPC_Hostname"}}.venafidemo.com'
+ - '{{ Hostname | ToLower -}}.venafidemo.com'
+ zone: "vcert prod\\rdp"
+ installations:
+ - format: CAPI
+ capiLocation: 'LocalMachine\MY'
+ capiFriendlyName: 'vCert Playbook - TLSPC_US_RDP'
+ capiIsNonExportable: True
+ afterInstallAction: $path = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path; $result=Set-WmiInstance -Path $path -argument @{SSLCertificateSHA1Hash="$Env:VCERT_RDP_THUMBPRINT"}
\ No newline at end of file
diff --git a/examples/playbook/TLSPC_US_RDP_Demo.yaml b/examples/playbook/TLSPC_US_RDP_Demo.yaml
new file mode 100644
index 00000000..784e7c98
--- /dev/null
+++ b/examples/playbook/TLSPC_US_RDP_Demo.yaml
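Review bot: The `afterInstallAction` in TLSPC_US_RDP.yaml binds the new thumbprint to RDP-tcp but leaves every earlier certificate and its private key in `LocalMachine\MY`; with `validDays: 31d` and `renewBefore: 20%` that is roughly one stale key pair a month. Add a cleanup step that removes entries whose `FriendlyName` equals 'vCert Playbook - TLSPC_US_RDP' and whose thumbprint differs from `$Env:VCERT_RDP_THUMBPRINT`, as the other RDP playbooks in this commit attempt to do. `$result` is assigned and never checked, so a failed `Set-WmiInstance` may go unnoticed; whether the tool surfaces the failure is not visible from the hunk. Lowercase `true` for `capiIsNonExportable` avoids differences between YAML parsers.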
@@ -0,0 +1,31 @@
+config:
+ connection:
+ platform: vAaS #cloudplatform
+ credentials:
+ externalJWT: '{{ Env "TLSPC_ExternalJWT" }}'
+ tokenURL: '{{ Env "TLSPC_tokenURL" }}' # https://api.venafi.cloud/v1/oauth2/v2.0/0ce51ed1-da6f-11ec-a787-89187550eb51/token'
+certificateTasks:
+ - name: RDP # Task Identifier, no relevance in tool run
+ renewBefore: 30d # 20%
+ setEnvVars: ["thumbprint"]
+ request:
+ csr: local
+ validDays: 31d
+ subject:
+ commonName: '{{ Env "TLSPC_Hostname" }}.tlsp.demo'
+ country: GB
+ locality: London
+ state: London
+ organization: Venafi
+ orgUnits:
+ - vcert
+ sanDNS:
+ - '{{ Env "TLSPC_Hostname"}}.tlsp.demo'
+ - '{{ Hostname | ToLower -}}.tlsp.demo'
+ zone: "vcert\\ztAllowAll"
+ installations:
+ - format: CAPI
+ capiLocation: 'LocalMachine\MY'
+ capiFriendlyName: 'vCert Playbook - TLSPC_US_RDP'
+ capiIsNonExportable: True
+ afterInstallAction: $path = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path; $result = Set-WmiInstance -Path $path -argument @{SSLCertificateSHA1Hash="$Env:VCERT_RDP_THUMBPRINT"}; Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq "vCert Playbook - TLSDC_RDP_Demo" -and $_.Thumbprint -ne $Env:VCERT_RDP_THUMBPRINT } | ForEach-Object { Remove-Item -Path "Cert:\LocalMachine\My\$($_.Thumbprint)" -Force }
\ No newline at end of file
diff --git a/examples/playbook/TLSPC_US_RDP_mimlab.io.yaml b/examples/playbook/TLSPC_US_RDP_mimlab.io.yaml
new file mode 100644
index 00000000..44498445
--- /dev/null
+++ b/examples/playbook/TLSPC_US_RDP_mimlab.io.yaml
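Review bot: The cleanup at the end of `afterInstallAction` in TLSPC_US_RDP_Demo.yaml filters on `$_.FriendlyName -eq "vCert Playbook - TLSDC_RDP_Demo"`, while this playbook installs with `capiFriendlyName: 'vCert Playbook - TLSPC_US_RDP'`, so it never matches the certificates it is meant to retire and would instead delete any other entry carrying that name. TLSPC_US_RDP_mimlab.io.yaml has the same mismatch against 'vCert Playbook - TLSPC_US_RDP_mimlab.op'. Make each filter use the playbook's own friendly name, here `$_.FriendlyName -eq "vCert Playbook - TLSPC_US_RDP"`. Both files also carry what looks like a real tenant identifier in the `tokenURL` comment; an example playbook should show a placeholder such as `<tenant-id>` there instead.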
@@ -0,0 +1,24 @@
+config:
+ connection:
+ platform: vAaS #cloudplatform
+ credentials:
+ externalJWT: '{{ Env "TLSPC_ExternalJWT" }}'
+ tokenURL: '{{ Env "TLSPC_tokenURL" }}' # https://api.venafi.cloud/v1/oauth2/v2.0/0ce51ed1-da6f-11ec-a787-89187550eb51/token'
+certificateTasks:
+ - name: RDP # Task Identifier, no relevance in tool run
+ renewBefore: 30d # 20%
+ setEnvVars: ["thumbprint"]
+ request:
+ csr: local
+ validDays: 31d
+ subject:
+ commonName: '{{ Env "TLSPC_Hostname" }}.mimlab.io'
+ sanDNS:
+ - '{{ Env "TLSPC_Hostname"}}.mimlab.io'
+ zone: 'vcert prod\rdp'
+ installations:
+ - format: CAPI
+ capiLocation: 'LocalMachine\MY'
+ capiFriendlyName: 'vCert Playbook - TLSPC_US_RDP_mimlab.op'
+ capiIsNonExportable: True
+ afterInstallAction: $path = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path; $result = Set-WmiInstance -Path $path -argument @{SSLCertificateSHA1Hash="$Env:VCERT_RDP_THUMBPRINT"}; Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq "vCert Playbook - TLSDC_RDP_Demo" -and $_.Thumbprint -ne $Env:VCERT_RDP_THUMBPRINT } | ForEach-Object { Remove-Item -Path "Cert:\LocalMachine\My\$($_.Thumbprint)" -Force }
\ No newline at end of file