<div dir="ltr">Great, thanks for the update. <br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, May 13, 2020 at 6:24 AM Zbyszek <<a href="mailto:zbigniewku@gmail.com">zbigniewku@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Instruction is under review:<br>
<a href="https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/32234" rel="noreferrer" target="_blank">https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/32234</a><br>
<br>
pon., 11 maj 2020 o 20:57 Neeraj Ladkani <<a href="mailto:neladk@microsoft.com" target="_blank">neladk@microsoft.com</a>> napisał(a):<br>
><br>
> "Oem": {<br>
> "OpenBMC": {<br>
> "@odata.type": "#OemAccountService.v1_0_0.AccountService",<br>
> "AuthMethods": {<br>
> "BasicAuth": true,<br>
> "Cookie": true,<br>
> "SessionToken": true,<br>
> "TLS": true,<br>
> "XToken": true<br>
> }<br>
> }<br>
><br>
> -----Original Message-----<br>
> From: openbmc <openbmc-bounces+neladk=<a href="mailto:microsoft.com@lists.ozlabs.org" target="_blank">microsoft.com@lists.ozlabs.org</a>> On Behalf Of Neeraj Ladkani<br>
> Sent: Monday, May 11, 2020 11:20 AM<br>
> To: Zbyszek <<a href="mailto:zbigniewku@gmail.com" target="_blank">zbigniewku@gmail.com</a>><br>
> Cc: OpenBMC Maillist <<a href="mailto:openbmc@lists.ozlabs.org" target="_blank">openbmc@lists.ozlabs.org</a>>; Zhenfei Tai <<a href="mailto:ztai@google.com" target="_blank">ztai@google.com</a>><br>
> Subject: RE: [EXTERNAL] Re: [bmcweb] mTLS client authentication always succeeds<br>
><br>
> I have enabled DBMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION in bmcweb but I do not see TLSAuth/Certificates in redfish/v1/AccountService ? I tried to upload CA cert via bmcweb but I could not make it work ( Authentication failing)<br>
><br>
> I could not find documentation to enable this feature. it would be great if someone can send steps to enable this feature?<br>
><br>
> Neeraj<br>
><br>
><br>
> -----Original Message-----<br>
> From: Zbyszek <<a href="mailto:zbigniewku@gmail.com" target="_blank">zbigniewku@gmail.com</a>><br>
> Sent: Thursday, May 7, 2020 2:10 AM<br>
> To: Neeraj Ladkani <<a href="mailto:neladk@microsoft.com" target="_blank">neladk@microsoft.com</a>><br>
> Cc: Zhenfei Tai <<a href="mailto:ztai@google.com" target="_blank">ztai@google.com</a>>; OpenBMC Maillist <<a href="mailto:openbmc@lists.ozlabs.org" target="_blank">openbmc@lists.ozlabs.org</a>><br>
> Subject: Re: [EXTERNAL] Re: [bmcweb] mTLS client authentication always succeeds<br>
><br>
> czw., 7 maj 2020 o 10:14 Neeraj Ladkani <<a href="mailto:neladk@microsoft.com" target="_blank">neladk@microsoft.com</a>> napisał(a):<br>
> ><br>
> > Hi Zbyszek,<br>
> ><br>
> > Just a basic question, Once bmcweb is configured with -DBMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION, can it work without client cert?<br>
><br>
><br>
> Yes it can, by default all authentication methods are enabled except TLS.<br>
> Which method is enabled can be checked via redfish service<br>
> AccountService->Oem->OpenBMC->AuthMethods.<br>
> To change these settings send PATCH to<br>
> https://{{bmc_ip}}/redfish/v1/AccountService.<br>
> For example to turn the tls use this patch body : {"Oem": {"OpenBMC":<br>
> {"AuthMethods": {"TLS": true}}}}<br>
><br>
> I think this diagram at paragraph 'Authentication Process'<br>
> <a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fopenbmc%2Fdocs%2Fblob%2Fmaster%2Fdesigns%2Fredfish-tls-user-authentication.md&data=02%7C01%7Cneladk%40microsoft.com%7C35b75654ecce4c68004508d7f5d81b8a%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637248180841865287&sdata=OGH2hRGgB5%2FA%2FG63fiwp0hq2E%2FStoL1ka2ZPJ1zG1Tg%3D&reserved=0" rel="noreferrer" target="_blank">https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fopenbmc%2Fdocs%2Fblob%2Fmaster%2Fdesigns%2Fredfish-tls-user-authentication.md&data=02%7C01%7Cneladk%40microsoft.com%7C35b75654ecce4c68004508d7f5d81b8a%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637248180841865287&sdata=OGH2hRGgB5%2FA%2FG63fiwp0hq2E%2FStoL1ka2ZPJ1zG1Tg%3D&reserved=0</a><br>
> can be useful in understanding how the authentication process flow looks like.<br>
> (now I see that some parts of this design, like paths requires updates, but the diagram is valid).<br>
><br>
><br>
> ><br>
> > It will be good to document curl APIs to enable this feature and test end to end flows.<br>
> ><br>
> > Thanks<br>
> > Neeraj<br>
> ><br>
> > -----Original Message-----<br>
> > From: openbmc <openbmc-bounces+neladk=<a href="mailto:microsoft.com@lists.ozlabs.org" target="_blank">microsoft.com@lists.ozlabs.org</a>><br>
> > On Behalf Of Zbyszek<br>
> > Sent: Thursday, May 7, 2020 12:49 AM<br>
> > To: Zhenfei Tai <<a href="mailto:ztai@google.com" target="_blank">ztai@google.com</a>><br>
> > Cc: OpenBMC Maillist <<a href="mailto:openbmc@lists.ozlabs.org" target="_blank">openbmc@lists.ozlabs.org</a>><br>
> > Subject: [EXTERNAL] Re: [bmcweb] mTLS client authentication always<br>
> > succeeds<br>
> ><br>
> > śr., 6 maj 2020 o 20:19 Zhenfei Tai <<a href="mailto:ztai@google.com" target="_blank">ztai@google.com</a>> napisał(a):<br>
> > ><br>
> > > Hi Zbyszek,<br>
> > ><br>
> > > Thanks for your reply. I look forward to the official documentation.<br>
> > ><br>
> > > The callback function returns true when preverified == false. Not sure why it should always return true, which accepts any client certificate.<br>
> ><br>
> > Yes, always returning true we do not break the tls handshake allowing for connection.<br>
> > But user will not be authenticated anyway because its name will not be extracted from the certificate.<br>
> > In such case user should receive proper http error code telling he is not authenticated.<br>
> ><br>
> > ><br>
> > > // We always return true to allow full auth flow if (!preverified) {<br>
> > > BMCWEB_LOG_DEBUG << this << " TLS preverification failed."; return<br>
> > > true; }<br>
> > ><br>
> > > Thanks,<br>
> > > Zhenfei<br>
> > ><br>
> > > On Wed, May 6, 2020 at 4:22 AM Zbyszek <<a href="mailto:zbigniewku@gmail.com" target="_blank">zbigniewku@gmail.com</a>> wrote:<br>
> > >><br>
> > >> pt., 1 maj 2020 o 02:07 Zhenfei Tai <<a href="mailto:ztai@google.com" target="_blank">ztai@google.com</a>> napisał(a):<br>
> > >> ><br>
> > >> > Hi,<br>
> > >> ><br>
> > >> > I've been testing bmcweb mTLS for a while and found the user<br>
> > >> > defined verify callback function returns true in all cases.<br>
> > >> > (<a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%" rel="noreferrer" target="_blank">https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%</a><br>
> > >> > 25<br>
> > >> > 2F<br>
> > >> > <a href="http://github.com" rel="noreferrer" target="_blank">github.com</a>%2Fopenbmc%2Fbmcweb%2Fblob%2Fmaster%2Fhttp%2Fhttp_conne<br>
> > >> > ct<br>
> > >> > ion.h%23L287&data=02%7C01%7Cneladk%<a href="http://40microsoft.com" rel="noreferrer" target="_blank">40microsoft.com</a>%7C8f5ff612<br>
> > >> > 5e<br>
> > >> > db4b734c3e08d7f25b2b68%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0<br>
> > >> > %7<br>
> > >> > C637244345695157575&sdata=3E%2F%2FdxSuR5SFo9ZII%2FZAA7h6%2FDd<br>
> > >> > s1<br>
> > >> > lHeZaCnbimciLw%3D&reserved=0)<br>
> > >> ><br>
> > >> > If client authentication is enabled in bmcweb, should it reject if client certificate is bad?<br>
> > >><br>
> > >> No, purpose of this callback is to only extract the user name from<br>
> > >> the certificate and then allow to proceed with default OpenSSL<br>
> > >> verification flow which should finally fail if something is wrong<br>
> > >> with the certificate no matter what this function returned.<br>
> > >> The 'set_verify_callback' doesn't replace the whole verification<br>
> > >> procedure, it only adds a callback that is called when the default<br>
> > >> validator checks each certificate. The 'preverified' parameter,<br>
> > >> passed to it indicates if verification of the certificate succeeded or not.<br>
> > >> You should be able to see it in bmcweb logs.<br>
> > >><br>
> > >> ><br>
> > >> > Thanks,<br>
> > >> > Zhenfei<br>
</blockquote></div>