commit | cfcd5f6bd9289c97e25d809068e579f7f3d45aeb | [log] [tgz] |
---|---|---|
author | Marri Devender Rao <devenrao@in.ibm.com> | Fri May 17 08:34:37 2019 -0500 |
committer | Ed Tanous <ed.tanous@intel.com> | Fri Aug 16 18:08:23 2019 +0000 |
tree | 43f6a35518bd7f23ad249f725c8426594cf63088 | |
parent | 3b7f0149959f976ab18ecb5b510c505f2f1f3c94 [diff] |
Redfish: Add TrustStore certificate support 1) Implements CertificateCollection schema to upload CA certificates and to list existing CA certificates 2) Modified CertificateLocatons schema to list CA certificates 3) Modified ReplaceCertificate action of CertificateService schema to cater for replacing existing CA certificate Tested: 1) No validation failure 2) Truststore CertificateCollection curl -k -H "X-Auth-Token: $bmc_token" -X GET https://${bmc}/redfish/v1/Managers/bmc/Truststore/Certificates/ { "@odata.context": "/redfish/v1/$metadata#CertificateCollection.CertificateCollection", "@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/", "@odata.type": "#CertificateCollection.CertificateCollection", "Description": "A Collection of TrustStore certificate instances", "Members": [], "Members@odata.count": 0, "Name": "TrustStore Certificates Collection" } 3) Upload certificate curl -c cjar -b cjar -k -H "X-Auth-Token: $bmc_token" -H "Content-Type: application/octet-stream" -X POST -T cert.pem https://${bmc}/redfish/v1/Managers/bmc/Truststore/Certificates { "@odata.context": "/redfish/v1/$metadata#Certificate.Certificate", "@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/1", "@odata.type": "#Certificate.v1_0_0.Certificate", "CertificateString": ----\n", "Id": "1", "Issuer": { "CommonName": "localhost", "Organization": "openbmc-project.xyz" }, } 4) Certificate Locations curl -k -H "X-Auth-Token: $bmc_token" -X GET https://${bmc}/redfish/v1/CertificateService/CertificateLocations/ { "@odata.context": "/redfish/v1/$metadata#CertificateLocations.CertificateLocations", "@odata.id": "/redfish/v1/CertificateService/CertificateLocations", "@odata.type": "#CertificateLocations.v1_0_0.CertificateLocations", "Description": "Defines a resource that an administrator can use in order tolocate all certificates installed on a given service", "Id": "CertificateLocations", "Links": { "Certificates": [ { "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1" }, { "@odata.id": "/redfish/v1/AccountService/LDAP/Certificates/1" }, { "@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/1" } ], "Certificates@odata.count": 3 }, "Name": "Certificate Locations" } 5)Replace certificate curl -c cjar -b cjar -k -H "X-Auth-Token: $bmc_token" -X POST https://${bmc}/redfish/v1/CertificateService/Actions/Certificateervice.ReplaceCertificate/ -d @data_auth.json { "@odata.context": "/redfish/v1/$metadata#Certificate.Certificate", "@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/1", "@odata.type": "#Certificate.v1_0_0.Certificate", "CertificateString": "-----BEGIN CERTIFICATE--------\n", "Id": "1", "Issuer": { "CommonName": "localhost", "Organization": "openbmc-project.xyz" }, 6)List CertificateCollection curl -k -H "X-Auth-Token: $bmc_token" -X GET https://${bmc}/redfish/v1/Managers/bmc/Truststore/Certificates/ { "@odata.context": "/redfish/v1/$metadata#CertificateCollection.CertificateCollection", "@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/", "@odata.type": "#CertificateCollection.CertificateCollection", "Description": "A Collection of TrustStore certificate instances", "Members": [ { "@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/1" } ], "Members@odata.count": 1, "Name": "TrustStore Certificates Collection" } Change-Id: Ic9644fadfe6fe89b529e16336cc6bcd804810b3a Signed-off-by: Marri Devender Rao <devenrao@in.ibm.com>
This component attempts to be a "do everything" embedded webserver for openbmc.
At this time, the webserver implements a few interfaces:
BMCWeb is configured by setting -D
flags that correspond to options in bmcweb/CMakeLists.txt
and then compiling. For example, cmake -DBMCWEB_ENABLE_KVM=NO ...
followed by make
. The option names become C++ preprocessor symbols that control which code is compiled into the program.
When BMCWeb starts running, it reads persistent configuration data (such as UUID and session data) from a local file. If this is not usable, it generates a new configuration.
When BMCWeb SSL support is enabled and a usable certificate is not found, it will generate a self-sign a certificate before launching the server. The keys are generated by the prime256v1
algorithm. The certificate
C=US, O=OpenBMC, CN=testhost
,SHA-256
algorithm.The crow project has had a number of additions to make it more useful for use in the OpenBmc Project. A non-exhaustive list is below. At the time of this writing, the crow project is not accepting patches, so for the time being crow will simply be checked in as is.