Redfish Certificate upload in OpenBMC.
Jayanth Othayoth
ojayanth at gmail.com
Tue Jan 22 00:12:33 AEDT 2019
DMTF Redfish latest version 2018.3 added support for the certificate
management schemas.
Reference:
https://www.dmtf.org/sites/default/files/Redfish_2018_Release_3_Overview.pdf
https://www.dmtf.org/content/redfish-update-adds-support-certificate-management-sensors
*Uploading a pre-generated certificate:*
- The user navigates to the appropriate certificate collection.
  Example: for uploading an HTTPS server certificate:
  URI:
  /redfish/v1/Managers/{ManagerId}/NetworkProtocol/HTTPS/Certificates
- The user performs a POST on the Certificate with the certificate
  (includes private key) string in the body.
- The POST method should support business logic to call the right
  D-Bus certificate upload based on the URL.
- Creates a new link, and this link's details are available as part of the
  CertificateLocations "GET" method.
  Example:
  /redfish/v1/Managers/{ManagerId}/NetworkProtocol/HTTPS/Certificates/1
*Replacing a certificate:*
- Use the action #CertificateService.ReplaceCertificate{ } in the
  certificate service by providing a link to the certificate that is to be
  replaced.
*Deleting certificate:*
- Not allowed.
Note: Not a valid use case for client/server type certificates. This may be
required for Authority type certificates; need more investigation on this.
Looking for community feedback on the proposed approach related to
certificate upload/management.
Note: CSR-based certificate upload/management is not included.
*Certificate Management Schemas information:*
Certificate: The Certificate resource describes a certificate used to prove
the identity of a component, account, or service
CertificateService: resource off the Service Root
  Contains service level Actions
  GenerateCSR: Manage certificate signing requests from a user
  ReplaceCertificate: Provide an atomic approach for deleting and
  adding a certificate
CertificateCollection:
  Perform standard Create operations for managing certificates
  Collections added to resources that can have certificates installed to
  it
  The location of the collection will inform the client about the
  relationship between the certificate and other resources in the data model
Available URIs:
/redfish/v1/AccountService/Accounts/{ManagerAccountId}/Certificates/
/redfish/v1/AccountService/ActiveDirectory/Certificates/
/redfish/v1/AccountService/ExternalAccountProviders/{ExternalAccountProviderId}/Certificates/
/redfish/v1/AccountService/LDAP/Certificates/
/redfish/v1/Managers/{ManagerId}/NetworkProtocol/HTTPS/Certificates
/redfish/v1/Managers/{ManagerId}/RemoteAccountService/Accounts/{ManagerAccountId}/Certificates/
/redfish/v1/Managers/{ManagerId}/RemoteAccountService/ActiveDirectory/Certificates/
/redfish/v1/Managers/{ManagerId}/RemoteAccountService/ExternalAccountProviders/{ExternalAccountProviderId}/Certificates/
/redfish/v1/Managers/{ManagerId}/RemoteAccountService/LDAP/Certificates/
CertificateLocations: resource contains links to all the certificates so
administrators and auditors can easily obtain a complete set
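
The upload flow proposed above, sketched as an added example (not code from this message or from OpenBMC): the POST handler selects a backend from the collection URI, checks that the body carries both a PEM certificate and a private key, and returns the new member link. The backend names, the plain-PEM body and the in-memory `store` are assumptions made for illustration.

```python
import re

# Collection URI templates from the post, mapped to hypothetical backend names
# (stand-ins for the D-Bus upload call; the names are assumptions).
COLLECTIONS = {
    "/redfish/v1/Managers/{ManagerId}/NetworkProtocol/HTTPS/Certificates": "https-server",
    "/redfish/v1/AccountService/LDAP/Certificates": "ldap",
    "/redfish/v1/AccountService/ActiveDirectory/Certificates": "active-directory",
    "/redfish/v1/AccountService/Accounts/{ManagerAccountId}/Certificates": "account",
}
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----[A-Za-z0-9+/=\s]+-----END CERTIFICATE-----")
PEM_KEY = re.compile(r"-----BEGIN ((?:RSA |EC )?PRIVATE KEY)-----[A-Za-z0-9+/=\s]+-----END \1-----")


def _compile(template):
    # Each {Name} placeholder matches exactly one path segment, so extra
    # segments in the request path cannot change which backend is selected.
    parts = re.split(r"\{\w+\}", template)
    return re.compile("[^/]+".join(map(re.escape, parts)) + "/?")


ROUTES = [(_compile(t), backend) for t, backend in COLLECTIONS.items()]


def route(uri):
    """Return the backend name for a certificate collection URI, else None."""
    for pattern, backend in ROUTES:
        if pattern.fullmatch(uri):
            return backend
    return None


def handle(method, uri, body, store):
    """Return (HTTP status, Location or None); store maps collection URI -> member count."""
    if method != "POST":
        return 405, None  # only create is modelled; the proposal disallows DELETE
    if route(uri) is None:
        return 404, None
    # The post says the uploaded string carries the certificate and its private key.
    if not (PEM_CERT.search(body) and PEM_KEY.search(body)):
        return 400, None
    key = uri.rstrip("/")
    store[key] = store.get(key, 0) + 1  # a real handler would call the backend upload here
    return 201, f"{key}/{store[key]}"


# Constructed sample body: PEM framing around placeholder base64, not a real key pair.
SAMPLE = ("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
          "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n")
```

Because the body contains a private key, a handler built along these lines should keep the request body out of logs and error responses.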