Secured LDAP Client: Root CA certificate upload process.

Jayanth Othayoth ojayanth at gmail.com
Tue Apr 30 21:20:37 AEST 2019


Based on the community call discussion, the team decision is to use a new URL for
managing Root CA certificates in general.

The proposal below is based on the existing BMC use case of uploading Root CA
certificates to a common place, with applications configured to use this path
for application-specific validation purposes.

Note: The scope of the proposal below is limited to the Redfish side; the
Certificate Manager (backend) implementation is covered here.

Root CA Certificate (https://en.wikipedia.org/wiki/Root_certificate)
Upload Proposal:

Design approach: Extend the existing Certificate schema (DMTF DSP2046 v2018.3).

Proposed URI for Root CA certificates:
/redfish/v1/Managers/{ManagerId}/Truststore/Certificates/{CertificateId}

Root CA certificate management flow:

Installing a new certificate:

   - The user navigates to the Managers Certificate Collection that is
   subordinate to the “Truststore” object.
   - The user performs a POST on the Certificate collection with the
   certificate string in the body.


Replacing a certificate:

   - Use the existing action #CertificateService.ReplaceCertificate.
      - Note: Most users want to delete invalid certificates instead of
      replacing them.


Deleting certificates:
This option is required for deleting invalid/expired/compromised
certificates. The existing CertificateService schema doesn’t support deleting
installed certificates. Also, the “deletable” option is disabled
(deletable = false) in the CertificateCollection schema
(https://redfish.dmtf.org/schemas/CertificateCollection.json).

   - Need to work with the Redfish community to add support for a delete
   option for Root CA certificates.


Looking for input from the community on the proposed certificate schema
changes to support this feature.

I have already posted a question in the Redfish specification forum (
https://redfishforum.com/thread/169/certificate-management-ca-upload?page=1&scrollTo=553)
related to this a few months back, to understand any work in progress in
this area.

On Mon, Apr 29, 2019 at 6:22 PM Jayanth Othayoth <ojayanth at gmail.com> wrote:

> To configure a Secured LDAP Client in the BMC, a Redfish interface is
> required to upload a copy of the server's Root CA certificate to the BMC for
> SSL handshaking.
>
> The latest version of the DMTF spec (DSP2046 v2018.3) Certificate schema
> supports the below URIs:
>
> /redfish/v1/AccountService/Accounts/{ManagerAccountId}/Certificates/{CertificateId}
> /redfish/v1/AccountService/ActiveDirectory/Certificates/{CertificateId}
> /redfish/v1/AccountService/ExternalAccountProviders/{ExternalAccountProviderId}/Certificates/{CertificateId}
> /redfish/v1/AccountService/LDAP/Certificates/{CertificateId}
> /redfish/v1/Managers/{ManagerId}/NetworkProtocol/HTTPS/Certificates/{CertificateId}
> /redfish/v1/Managers/{ManagerId}/RemoteAccountService/Accounts/{ManagerAccountId}/Certificates/{CertificateId}
> /redfish/v1/Managers/{ManagerId}/RemoteAccountService/ActiveDirectory/Certificates/{CertificateId}
> /redfish/v1/Managers/{ManagerId}/RemoteAccountService/ExternalAccountProviders/{ExternalAccountProviderId}/Certificates/{CertificateId}
> /redfish/v1/Managers/{ManagerId}/RemoteAccountService/LDAP/Certificates/{CertificateId}
>
>
> Currently the URI
> /redfish/v1/AccountService/LDAP/Certificates/{CertificateId} is used to
> upload LDAP client certificates.
>
> Ed, Ratan, can we use any of the existing URIs to upload the LDAP server
> root CA certificate, or do we need to introduce a custom URI for this
> purpose?
>
> I have already posted a question on the Redfish forum (
> https://redfishforum.com/thread/169/certificate-management-ca-upload?page=1&scrollTo=553)
> related to the general “authority” type certificate upload process, which can
> be used for this purpose.
>
>
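The install step proposed above (a POST on the Truststore certificate collection with the certificate string in the body), as an added example that is not code from OpenBMC, bmcweb or the thread: a client-side guard in Python, standard library only, that builds the Redfish request for the proposed URI and refuses material that does not belong in a Root CA truststore: a pasted private key, a bundle with more than one certificate, malformed DER, or an end-entity certificate whose basicConstraints extension does not assert cA=TRUE. `CertificateString` and `CertificateType` are the standard Redfish Certificate schema properties; the ManagerId value "bmc", all function names, and the sample certificate (an unsigned, hand-built DER skeleton) are assumptions constructed for this example. The X.509 walk is a minimal DER reader, not a full parser, and performs no signature or chain checks.

```python
import base64
import re

# Proposed collection URI from the thread; ManagerId is filled in per BMC.
TRUSTSTORE_URI = "/redfish/v1/Managers/{ManagerId}/Truststore/Certificates"
# Content bytes of OID 2.5.29.19 (id-ce-basicConstraints) as encoded in DER.
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, end offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits count the length bytes
        n = length & 0x7F
        if not 0 < n <= 4:
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:end], end


def children(value):
    """Yield (tag, value) for every TLV inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner


def pem_to_der(pem):
    """Return the DER of the single CERTIFICATE block in pem; reject anything else."""
    blocks = _PEM_BLOCK.findall(pem)
    labels = [label for label, _ in blocks]
    if any(label != "CERTIFICATE" for label in labels):   # e.g. a pasted PRIVATE KEY
        raise ValueError("unexpected PEM block(s): " + ", ".join(labels))
    if len(blocks) != 1:                                  # CertificateString holds one cert
        raise ValueError("expected exactly one certificate, got %d" % len(blocks))
    der = base64.b64decode("".join(blocks[0][1].split()), validate=True)
    tag, _, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("DER is not a single SEQUENCE")
    return der


def is_ca_certificate(der):
    """True iff the certificate's basicConstraints extension asserts cA=TRUE."""
    _, cert, _ = read_tlv(der, 0)                   # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)                   # first element: tbsCertificate
    for tag, wrapped in children(tbs):
        if tag != 0xA3:                             # extensions [3] EXPLICIT
            continue
        _, extensions, _ = read_tlv(wrapped, 0)     # SEQUENCE OF Extension
        for _, ext in children(extensions):
            fields = list(children(ext))            # extnID, [critical], extnValue
            if fields[0] != (0x06, BASIC_CONSTRAINTS_OID):
                continue
            _, bc, _ = read_tlv(fields[-1][1], 0)   # OCTET STRING wraps BasicConstraints
            for ftag, fval in children(bc):
                if ftag == 0x01:                    # cA BOOLEAN
                    return fval == b"\xff"
            return False                            # cA absent: DEFAULT FALSE
    return False                                    # no basicConstraints at all


def build_truststore_post(pem, manager_id):
    """Validate pem and return (URI, JSON body) for the install POST, or raise."""
    if not is_ca_certificate(pem_to_der(pem)):
        raise ValueError("refusing upload: basicConstraints cA is not TRUE")
    body = {"CertificateString": pem.strip(), "CertificateType": "PEM"}
    return TRUSTSTORE_URI.format(ManagerId=manager_id), body


def upload_rejected(pem, manager_id="bmc"):
    """True if build_truststore_post refuses pem (assumed ManagerId "bmc")."""
    try:
        build_truststore_post(pem, manager_id)
    except ValueError:
        return True
    return False


def tlv(tag, content):
    """Tiny DER encoder (short lengths only) used to construct the sample input."""
    return bytes([tag, len(content)]) + content


def sample_pem(ca):
    """Constructed, unsigned X.509 skeleton whose basicConstraints has cA=<ca>."""
    bc = tlv(0x30, tlv(0x01, b"\xff" if ca else b"\x00"))
    ext = tlv(0x30, tlv(0x06, BASIC_CONSTRAINTS_OID) + tlv(0x01, b"\xff") + tlv(0x04, bc))
    empty = tlv(0x30, b"")                          # stands in for AlgId/Name/Validity/SPKI
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + empty * 5
              + tlv(0xA3, tlv(0x30, ext)))
    cert = tlv(0x30, tbs + empty + tlv(0x03, b"\x00"))   # algorithm and signature placeholders
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body
```

Calling `build_truststore_post(sample_pem(True), "bmc")` yields the collection URI `/redfish/v1/Managers/bmc/Truststore/Certificates` and a body with `CertificateType` set to `PEM`; the same call on `sample_pem(False)`, on a PEM block labelled PRIVATE KEY, or on two concatenated certificates raises `ValueError`. The cA check matters because the Truststore is consulted for the LDAP server's TLS validation, so an end-entity or leaf certificate accepted there would silently widen what the BMC trusts.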