This repository contains an Ansible playbook for automating the setup of a TAK (Team Awareness Kit) Server. It handles the installation of required packages, configuration of certificates, and initial setup of the TAK Server.

Prerequisites:

- Ansible installed on your control node
- Target Ubuntu or Debian-based system(s) where you want to install TAK Server
- SSH access to the target system(s)
- TAK Server .deb package file
Repository layout:

```
.
├── cert-metadata.sh.j2
├── inventory.ini
├── takserver_5.2-RELEASE16_all.deb
└── tak-setup.yml
```

- `cert-metadata.sh.j2`: Jinja2 template for certificate metadata
- `inventory.ini`: Inventory file listing your target hosts
- `takserver_5.2-RELEASE16_all.deb`: TAK Server Debian package file
- `tak-setup.yml`: Main Ansible playbook for TAK Server setup
Configuration:

1. Edit the `inventory.ini` file to include the IP addresses or hostnames of your target systems.
2. Review and modify the variables in the `tak-setup.yml` playbook as needed. Key variables include:
   - `tak_version`: Version of the TAK Server package
   - `ca_common_name`: Common name for the Root CA
   - `intermediate_ca_name`: Common name for the Intermediate CA
   - `server_cert_name`: Name for the server certificate
   - `admin_cert_name`: Name for the admin certificate
3. Ensure the TAK Server .deb package file is in the same directory as the playbook.
To run the playbook:

```
ansible-playbook -i inventory.ini tak-setup.yml
```

The playbook performs the following steps:

- Installs required packages (nano, gnupg, OpenJDK 17)
- Configures PAM limits
- Sets up PostgreSQL repository and installs PostgreSQL and PostGIS
- Installs TAK Server from the .deb package
- Configures certificates (Root CA, Intermediate CA, Server Certificate, Admin Certificate)
- Modifies TAK Server configuration
- Enables and starts the TAK Server service
- Configures UFW (Uncomplicated Firewall)
After running the playbook:

- The admin certificate (`webadmin.p12` by default) will be copied to the home directory of the Ansible user on the target system.
- The intermediate CA truststore will also be copied to the home directory.
- You can use these files to set up client connections to your TAK Server.
Notes:

- This playbook assumes a Debian-based system (tested on Ubuntu).
- Ensure you have adequate permissions to perform all operations on the target system.
- Review and adjust firewall rules as needed for your specific environment.
After the initial setup, you may want to configure Certificate AutoEnrollment. This process allows the TAK Server to issue certificates to clients upon successful authentication. Follow these steps:
1. Identify the signing truststore:

   ```
   ls -l /opt/tak/certs/files/*-signing.jks
   ```

2. Configure the Marti dashboard:
   - Navigate to Configuration > Security and Authentication
   - Under Security Configuration, select Edit Security
   - Check "Enable Certificate Enrollment" and select "TAK Server CA"
   - Enter the following:
     - Signing Keystore File: `certs/files/<CACommonName>-signing.jks`
     - Signing Keystore Password: (default is `atakatak` or as defined in `cert-metadata.sh`)
     - Validity Days: (enter desired certificate validity period)

3. Modify the CoreConfig.xml file:

   ```
   sudo su tak
   cd /opt/tak
   vi CoreConfig.xml
   ```

   - Locate the `certificateSigning` element
   - Modify `nameEntry` values as needed
   - Add `CAkey` and `CAcertificate` attributes to `TAKServerCAConfig`:

     ```xml
     <TAKServerCAConfig keystore="JKS" keystoreFile="certs/files/TAK-ID-CA-01-signing.jks" keystorePass="atakatak" validityDays="30" signatureAlg="SHA256WithRSA" CAkey="/opt/tak/certs/files/<CAcommonName>" CAcertificate="/opt/tak/certs/files/<CAcommonName>"/>
     ```

   - Add `x509checkRevocation="true"` to the `<auth>` element

4. Validate the configuration:

   ```
   ./validateConfig.sh
   ```

5. Restart the TAK Server service:

   ```
   exit
   sudo systemctl restart takserver.service
   ```

6. Monitor the log for errors:

   ```
   tail -f /opt/tak/logs/takserver-messaging.log
   ```
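As an added example (not code from this repository), the CoreConfig.xml edits from step 3 applied programmatically and idempotently, so they can be driven from a playbook task rather than by hand-editing: it adds `CAkey`/`CAcertificate` to `TAKServerCAConfig` and `x509checkRevocation="true"` to `<auth>`, and reports whether anything changed. The minimal CoreConfig fragment and its namespace are constructed for the demonstration, and the `<CAcommonName>` placeholder is filled from a `ca_common_name` argument.

```python
import xml.etree.ElementTree as ET

# Constructed minimal CoreConfig.xml; a real file carries many more sections.
SAMPLE_CORECONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration xmlns="http://bbn.com/marti/xml/config">
  <auth default="file">
    <File location="UserAuthenticationFile.xml"/>
  </auth>
  <certificateSigning CA="TAKServer">
    <TAKServerCAConfig keystore="JKS" keystoreFile="certs/files/TAK-ID-CA-01-signing.jks"
        keystorePass="atakatak" validityDays="30" signatureAlg="SHA256WithRSA"/>
  </certificateSigning>
</Configuration>
"""

def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def _find_one(root, name):
    """Return the single element with local name `name`, wherever it sits."""
    found = [e for e in root.iter() if _local(e.tag) == name]
    if len(found) != 1:
        raise ValueError(f"expected exactly one <{name}>, found {len(found)}")
    return found[0]

def attributes_of(xml_text, name):
    """Attribute dict of the single <name> element (handy for checking results)."""
    return dict(_find_one(ET.fromstring(xml_text), name).attrib)

def enable_autoenrollment(xml_text, ca_common_name):
    """Apply the step-3 attribute edits. Returns (new_xml, changed); running it
    again on its own output changes nothing, as a config-management task expects."""
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):  # keep the default namespace on output
        ET.register_namespace("", root.tag[1:].split("}")[0])
    ca_path = f"/opt/tak/certs/files/{ca_common_name}"  # no extension, per the docs
    wanted = [("TAKServerCAConfig", {"CAkey": ca_path, "CAcertificate": ca_path}),
              ("auth", {"x509checkRevocation": "true"})]
    changed = False
    for name, attrs in wanted:
        elem = _find_one(root, name)
        for key, value in attrs.items():
            if elem.get(key) != value:
                elem.set(key, value)
                changed = True
    header = '<?xml version="1.0" encoding="UTF-8"?>\n'
    return header + ET.tostring(root, encoding="unicode"), changed
```

Run `./validateConfig.sh` on the rewritten file before restarting, exactly as in step 4.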
Note: Be cautious when adding multiple OU nameEntry values, as there is a known bug with iTAK/iTAK Tracker in this scenario.
Remember to adjust these steps as needed for your specific environment and requirements.
If you encounter issues:

- Check the Ansible output for error messages.
- Review TAK Server logs on the target system (`/opt/tak/logs/`).
- Ensure all prerequisites are met and the TAK Server .deb file is correct.
Security considerations:

- Change default passwords and certificate passphrases in a production environment.
- Review and adjust firewall rules as needed.
- Ensure proper file permissions for sensitive files (certificates, keys).
Feel free to submit issues or pull requests if you have suggestions for improvements or encounter any problems.