Redfish Certificate upload in OpenBMC.

Jayanth Othayoth ojayanth at gmail.com
Tue Jan 22 00:12:33 AEDT 2019


The latest DMTF Redfish version, 2018.3, added support for the certificate
management schemas.

Reference:
https://www.dmtf.org/sites/default/files/Redfish_2018_Release_3_Overview.pdf

https://www.dmtf.org/content/redfish-update-adds-support-certificate-management-sensors

*Uploading a pre-generated certificate:*
   - The user navigates to the appropriate certificate collection.
     Example, for uploading an HTTPS server certificate:
     URI: /redfish/v1/Managers/{ManagerId}/NetworkProtocol/HTTPS/Certificates
   - The user performs a POST on the Certificate with the certificate string
     (including the private key) in the body.
       - The POST method should support business logic to call the right
         D-Bus certificate upload based on the URL.
       - Creates a new link, and this link's details are available as part
         of the CertificateLocations "GET" method.
         Example: /redfish/v1/Managers/{ManagerId}/NetworkProtocol/HTTPS/Certificates/1

*Replacing a certificate:*
  - Use the action #CertificateService.ReplaceCertificate{ } in the
    certificate service by providing a link to the certificate that is to be
    replaced.

*Deleting certificate:*
 - Not allowed.
Note: Not a valid use case for client/server type certificates. This may be
required for Authority type certificates; need more investigation on this.

Looking for community feedback on the proposed approach related to
certificate upload/management.

Note: CSR-based certificate upload/management is not included.

*Certificate Management Schemas information:*

Certificate: The Certificate resource describes a certificate used to prove
the identity of a component, account, or service.

CertificateService: resource off the Service Root
    Contains service level Actions
        GenerateCSR: Manage certificate signing requests from a user
        ReplaceCertificate: Provide an atomic approach for deleting and adding a certificate

CertificateCollection:
    Perform standard Create operations for managing certificates
    Collections added to resources that can have certificates installed to it
        The location of the collection will inform the client about the
        relationship between the certificate and other resources in the data model
        Available URIs:
        /redfish/v1/AccountService/Accounts/{ManagerAccountId}/Certificates/
        /redfish/v1/AccountService/ActiveDirectory/Certificates/
        /redfish/v1/AccountService/ExternalAccountProviders/{ExternalAccountProviderId}/Certificates/
        /redfish/v1/AccountService/LDAP/Certificates/
        /redfish/v1/Managers/{ManagerId}/NetworkProtocol/HTTPS/Certificates
        /redfish/v1/Managers/{ManagerId}/RemoteAccountService/Accounts/{ManagerAccountId}/Certificates/
        /redfish/v1/Managers/{ManagerId}/RemoteAccountService/ActiveDirectory/Certificates/
        /redfish/v1/Managers/{ManagerId}/RemoteAccountService/ExternalAccountProviders/{ExternalAccountProviderId}/Certificates/
        /redfish/v1/Managers/{ManagerId}/RemoteAccountService/LDAP/Certificates/

CertificateLocations: resource contains links to all the certificates so
administrators and auditors can easily obtain a complete set
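
An added example (not code from the post or from OpenBMC) of the POST handling proposed above: it picks the upload target from the collection URI, rejects a body that does not carry exactly one certificate and one private key, and returns the new member URI. The type labels, status codes, function names and sample PEM bytes are assumptions constructed for illustration.

```python
import base64
import re

# Collection URI templates from the post. The type labels are assumptions
# standing in for whichever D-Bus upload target each collection maps to.
COLLECTIONS = {
    "/redfish/v1/Managers/{ManagerId}/NetworkProtocol/HTTPS/Certificates": "server",
    "/redfish/v1/AccountService/LDAP/Certificates": "client",
}
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s+([A-Za-z0-9+/=\s]+?)-----END \1-----")

def match_collection(uri):
    """Return the certificate type for a collection URI, or None if unknown."""
    parts = uri.rstrip("/").split("/")
    for template, cert_type in COLLECTIONS.items():
        t_parts = template.split("/")
        # A {Placeholder} segment accepts any non-empty segment; others must be equal.
        if len(parts) == len(t_parts) and all(
                t == p or (t.startswith("{") and p) for t, p in zip(t_parts, parts)):
            return cert_type
    return None

def validate_pem_body(body):
    """Require exactly one certificate and one private key, each valid base64."""
    labels = []
    for label, payload in PEM_BLOCK.findall(body):
        base64.b64decode("".join(payload.split()), validate=True)  # raises ValueError
        labels.append("key" if label.endswith("PRIVATE KEY") else label)
    if sorted(labels) != ["CERTIFICATE", "key"]:
        raise ValueError("body must hold one certificate and one private key")

def handle_post(uri, body, existing_ids):
    """Route by URI, validate the body, return (status, type, new member URI)."""
    cert_type = match_collection(uri)
    if cert_type is None:
        return 404, None, None          # not a certificate collection
    try:
        validate_pem_body(body)
    except ValueError:
        return 400, None, None          # reject before anything reaches D-Bus
    new_id = max(existing_ids, default=0) + 1
    return 201, cert_type, f"{uri.rstrip('/')}/{new_id}"

def sample_pem(label, raw):
    """Build a constructed PEM block from placeholder bytes (not real key material)."""
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

SAMPLE_BODY = (sample_pem("CERTIFICATE", b"constructed cert")
               + sample_pem("PRIVATE KEY", b"constructed key"))
```

The check is structural only: it does not parse the X.509 data or confirm that the key matches the certificate, which the receiving certificate manager would still need to do.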