Secured LDAP Client: Root CA certificate upload process.
Jayanth Othayoth
ojayanth at gmail.com
Tue Apr 30 21:20:37 AEST 2019
Based on the community call discussion, the team decision is to use a new URL for
managing Root CA certificates in general.
The proposal below is based on the existing BMC use case of uploading
Root CA certificates to a common place, with applications configured to use this
path for application-specific validation purposes.
Note: The scope of the proposal below is limited to the Redfish side; the Certificate
manager (backend) implementation is covered here.
Root CA Certificate (https://en.wikipedia.org/wiki/Root_certificate)
Upload Proposal:
Design approach: Extend the existing Certificate schema (DMTF DSP2046 v2018.3).
Proposed URI for Root CA certificates:
/redfish/v1/Managers/{ManagerId}/Truststore/Certificates/{CertificateId}
Root CA certificate management flow:
Installing a new Certificate:
- The user navigates to the Managers Certificate Collection that is
subordinate to the "Truststore" object.
- The user performs a POST on the Certificate collection with the
certificate string in the body.
Replacing a Certificate:
- Use the existing action #CertificateService.ReplaceCertificate.
- Note: Most users want to delete invalid certificates instead of
replacing them.
Deleting Certificates
This option is required for deleting invalid/expired/compromised
certificates. The existing CertificateService schema doesn't support deleting
installed certificates. Also, the "deletable" option is disabled
(deletable = false) in the CertificateCollection schema (
https://redfish.dmtf.org/schemas/CertificateCollection.json).
- Need to work with the Redfish community to add support for a delete option for
Root CA certificates.
Looking for input from the community on the proposed certificate schema
changes to support this feature.
I have already posted a question in the Redfish specification forum (
https://redfishforum.com/thread/169/certificate-management-ca-upload?page=1&scrollTo=553)
related to this a few months back to understand whether any work is in progress
in this area.
On Mon, Apr 29, 2019 at 6:22 PM Jayanth Othayoth <ojayanth at gmail.com> wrote:
> To configure a Secured LDAP Client in the BMC, a Redfish interface is required to
> upload the server's Root CA certificate to the BMC for SSL handshaking.
>
> The latest version of the DMTF spec (DSP2046 v2018.3) Certificate schema supports the
> below URIs:
>
> /redfish/v1/AccountService/Accounts/{ManagerAccountId}/Certificates/{CertificateId}
> /redfish/v1/AccountService/ActiveDirectory/Certificates/{CertificateId}
> /redfish/v1/AccountService/ExternalAccountProviders/{ExternalAccountProviderId}/Certificates/{CertificateId}
> /redfish/v1/AccountService/LDAP/Certificates/{CertificateId}
> /redfish/v1/Managers/{ManagerId}/NetworkProtocol/HTTPS/Certificates/{CertificateId}
> /redfish/v1/Managers/{ManagerId}/RemoteAccountService/Accounts/{ManagerAccountId}/Certificates/{CertificateId}
> /redfish/v1/Managers/{ManagerId}/RemoteAccountService/ActiveDirectory/Certificates/{CertificateId}
> /redfish/v1/Managers/{ManagerId}/RemoteAccountService/ExternalAccountProviders/{ExternalAccountProviderId}/Certificates/{CertificateId}
> /redfish/v1/Managers/{ManagerId}/RemoteAccountService/LDAP/Certificates/{CertificateId}
>
> Currently the URI
> /redfish/v1/AccountService/LDAP/Certificates/{CertificateId} is used to
> upload LDAP client certificates.
>
> Ed, Ratan, can we use any of the existing URIs to upload the LDAP server
> root CA certificate, or do we need to introduce a custom URI for this
> purpose?
>
> I have already posted a question on the Redfish forum (
> https://redfishforum.com/thread/169/certificate-management-ca-upload?page=1&scrollTo=553)
> related to the general "authority" type certificate upload process, which can
> be used for this purpose.
>
>
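The install and replace steps proposed in the mail, as an added example that is not part of the original post and not bmcweb/OpenBMC code. It assumes the proposed Truststore collection URI (with "bmc" as the ManagerId, an assumption), a Redfish session token obtained beforehand, and the standard CertificateService.ReplaceCertificate action URI. SAMPLE_PEM is a constructed stand-in (a 7-byte DER SEQUENCE, not a real certificate) so the checks run offline; the PEM is validated for exactly one well-formed DER body before anything is sent to the BMC, since a truncated or concatenated chain is a common cause of a "successful" upload that later fails the LDAPS handshake.

```python
"""Added example: Redfish Root CA upload/replace flow for the proposed Truststore URI.
Not OpenBMC/bmcweb code. URIs, the "bmc" ManagerId and the sample PEM are assumptions."""
import base64
import json
import re
import ssl
import urllib.request

# Proposed collection from the mail; {manager} is "bmc" on OpenBMC (assumption).
TRUSTSTORE_COLLECTION = "/redfish/v1/Managers/{manager}/Truststore/Certificates"
# Standard Redfish action for replacing an installed certificate.
REPLACE_ACTION = ("/redfish/v1/CertificateService/Actions/"
                  "CertificateService.ReplaceCertificate")

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def _der_total_length(der: bytes) -> int:
    """Length of the outer DER TLV: tag byte + length bytes + content."""
    if len(der) < 2 or der[0] != 0x30:          # an X.509 Certificate is a SEQUENCE
        raise ValueError("PEM body is not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                             # short-form length
        return 2 + first
    n = first & 0x7F                             # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def parse_pem_certificates(pem: str) -> list:
    """DER bytes of each CERTIFICATE block; rejects truncated or padded bodies."""
    ders = []
    for body in _PEM_BLOCK.findall(pem):
        der = base64.b64decode("".join(body.split()), validate=True)
        if _der_total_length(der) != len(der):
            raise ValueError("DER length does not match PEM body")
        ders.append(der)
    if not ders:
        raise ValueError("no CERTIFICATE block found")
    return ders


def build_truststore_request(pem: str) -> dict:
    """Body for POST to the Truststore collection: exactly one root CA."""
    if len(parse_pem_certificates(pem)) != 1:
        raise ValueError("upload exactly one root CA certificate per POST")
    return {"CertificateString": pem.strip() + "\n", "CertificateType": "PEM"}


def build_replace_request(certificate_uri: str, pem: str) -> dict:
    """Body for CertificateService.ReplaceCertificate on an installed member."""
    body = build_truststore_request(pem)
    body["CertificateUri"] = {"@odata.id": certificate_uri}
    return body


def redfish_call(base_url, path, method, token, body=None, bmc_cafile=None):
    """Authenticated JSON request to the BMC. The BMC's own HTTPS certificate is
    verified against bmc_cafile (or the system trust store when None)."""
    ctx = ssl.create_default_context(cafile=bmc_cafile)
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method,
                                 headers={"X-Auth-Token": token,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, resp.headers.get("Location"), resp.read()


def pem_from_der(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE envelope."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")


# Constructed stand-in: a 7-byte DER SEQUENCE, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x05, 0x02, 0x03, 0x01, 0x02, 0x03])
SAMPLE_PEM = pem_from_der(SAMPLE_DER)

if __name__ == "__main__":
    import sys
    base, token, pem_path = sys.argv[1:4]        # e.g. https://bmc TOKEN ldap-root.pem
    with open(pem_path) as f:
        pem = f.read()
    status, location, _ = redfish_call(
        base, TRUSTSTORE_COLLECTION.format(manager="bmc"), "POST", token,
        build_truststore_request(pem))
    print(status, location)                      # 201 and the new member URI on success
```

A replace is the same body plus CertificateUri pointing at the installed member, POSTed to REPLACE_ACTION; the validation deliberately refuses a multi-certificate PEM because the Truststore is meant to hold one trust anchor per member, and an intermediate bundled alongside the root would otherwise be silently installed as trusted.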