dell / iDRAC-Redfish-Scripting

Python and PowerShell scripting for Dell EMC PowerEdge iDRAC REST API with DMTF Redfish
GNU General Public License v2.0

Importing CA certificate to iDRAC via Redfish #286

Open nikigen68 opened 7 months ago

nikigen68 commented 7 months ago

Can you please help us by sharing the proper procedure for importing locally generated CA to iDRAC via Redfish protocol? We would like to use that CA so that DELL can verify redfish event communication with some external server.

Locally generated CA is used to sign certificate that is imported to iDRAC via CSR procedure. External server sends request for redfish event client certificate, but it doesn't receive any. What is required so client certificate is sent from iDRAC to external server?

texroemer commented 7 months ago

Hi @nikigen68

To import CA to iDRAC using Redfish leverage OEM action DelliDRACCardService.ImportSSLCertificate. Note if you have iDRAC version older than 6.00.02 installed you'll need to reboot the iDRAC after installing the cert for changes to take effect.

Example below importing CA cert to iDRAC.

image

Thanks Tex
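The import step described above, as an added Python example (stdlib only; not code from this repository or from Dell): it validates that the input is one well-formed PEM certificate block, builds the same action URL and JSON body that the curl command later in this thread uses, and applies the firmware-version rule from the comment above (iDRAC older than 6.00.02 needs a reboot after the import). The sample PEM at the bottom is a constructed placeholder with a fake DER body, not a real certificate; `verify_tls=False` reproduces curl's `-k` and is only meant for a factory iDRAC that still carries its self-signed web-server certificate.

```python
"""Import a CA certificate into iDRAC through the DelliDRACCardService.ImportSSLCertificate OEM action."""
import base64
import json
import ssl
import urllib.request

# OEM action path, as used by the curl command in this issue thread.
IMPORT_ACTION_PATH = (
    "/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DelliDRACCardService"
    "/Actions/DelliDRACCardService.ImportSSLCertificate"
)
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def validate_pem_certificate(pem: str) -> bytes:
    """Check that `pem` is a single PEM certificate block and return its DER bytes.

    This catches the usual copy/paste damage (missing markers, stray characters,
    broken base64) locally, before iDRAC rejects the import with a generic error.
    """
    text = pem.strip()
    if not (text.startswith(PEM_BEGIN) and text.endswith(PEM_END)):
        raise ValueError("input is not a single PEM certificate block")
    body = text[len(PEM_BEGIN):-len(PEM_END)]
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except (ValueError, base64.binascii.Error) as exc:
        raise ValueError(f"PEM body is not valid base64: {exc}") from exc
    # A DER-encoded certificate is an ASN.1 SEQUENCE, whose tag byte is 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not look like a DER certificate")
    return der


def build_import_payload(pem: str, certificate_type: str = "CA") -> dict:
    """Build the JSON body for ImportSSLCertificate using the keys shown in this thread."""
    validate_pem_certificate(pem)
    # json.dumps turns the real newlines into the "\n" escapes seen in the curl example.
    return {"CertificateType": certificate_type, "SSLCertificateFile": pem.strip()}


def needs_idrac_reboot(firmware_version: str) -> bool:
    """True when the iDRAC firmware is older than 6.00.02 (reboot needed after import)."""
    parts = [int(p) for p in firmware_version.split(".")[:3]]
    parts += [0] * (3 - len(parts))
    return tuple(parts) < (6, 0, 2)


def import_ca_certificate(idrac_host, username, password, pem, verify_tls=True, ca_bundle=None):
    """POST the import action to iDRAC; returns (http_status, response_body)."""
    payload = json.dumps(build_import_payload(pem)).encode()
    request = urllib.request.Request(
        f"https://{idrac_host}{IMPORT_ACTION_PATH}", data=payload, method="POST",
        headers={"Content-Type": "application/json"},
    )
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    request.add_header("Authorization", f"Basic {token}")  # same as curl -u
    context = ssl.create_default_context(cafile=ca_bundle)
    if not verify_tls:
        # Equivalent of curl -k; only acceptable against the factory self-signed cert.
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(request, context=context, timeout=30) as resp:
        return resp.status, resp.read().decode()


# Constructed placeholder: a 5-byte fake DER SEQUENCE, not a real certificate.
SAMPLE_CA_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(json.dumps(build_import_payload(SAMPLE_CA_PEM), indent=2))
    for version in ("5.10.50.00", "6.00.02.00"):
        print(version, "reboot after import:", needs_idrac_reboot(version))
```

Replace `SAMPLE_CA_PEM` with the contents of your CA file and call `import_ca_certificate(...)` with a CA bundle that contains the iDRAC web-server certificate's issuer; keep `verify_tls=True` once that is in place.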

nikigen68 commented 7 months ago

Thanks for the answer. We will try it and get back to you. Can you please help with the 2nd question as well. Is it possible for external server to get certificate from iDRAC redfish event client?

nikigen68 commented 7 months ago

We tried your proposal to import CA:

curl -k -X POST -u : -H "Content-Type: application/json" https://169.254.16.13/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DelliDRACCardService/Actions/DelliDRACCardService.ImportSSLCertificate -d '{"CertificateType":"CA","SSLCertificateFile":"-----BEGIN CERTIFICATE-----\nMIIDnTCCAoWgAwIBAgIUbu+5WR0e16FgNeSdFrq9GfnHRlgwDQYJKoZIhvcNAQEL\nBQAwXjELMAkGA1UEBhMCU0UxCzAJBgNVBAgMAlNUMRIwEAYDVQQHDAlTdG9ja2hv\nbG0xETAPBgNVBAoMCEVyaWNzc29uMQswCQYDVQQLDAJFSTEOMAwGA1UEAwwFYm1j\nQ0EwHhcNMjQwMjE5MDk1OTE2WhcNNDQwMjE0MDk1OTE2WjBeMQswCQYDVQQGEwJT\nRTELMAkGA1UECAwCU1QxEjAQBgNVBAcMCVN0b2NraG9sbTERMA8GA1UECgwIRXJp\nY3Nzb24xCzAJBgNVBAsMAkVJMQ4wDAYDVQQDDAVibWNDQTCCASIwDQYJKoZIhvcN\nAQEBBQADggEPADCCAQoCggEBAM6vGsgxX32QLbmUcX1Zm3eukoLZvX50RrfX5tFc\nSzHT4zKqyWn07zV9Q1UMu57NFJP8kKJuJmEBNvp6aSjoovocwwSypi+6omuTpZwK\n0bf7ciPIDXqXB1CnitsGaA9NH3rkEnc9elFQgtubs8/PYwhdEPARA4xHmZw+tC7G\nxAUfT9Q30WHyU9xE3w1pDczTx6fUeYCj1cZamU7a/IcRWbzdgUaA7wOB8Bu9u+pV\nkD2itc0zZTwu/nnGgWXzjQlspLVWtVdLkLJUSajG6E829Q5GE5vXfObkDQ3yrukY\nsFyrYIRooQyRegWMyJBvoCuirOrEWddK6ns24ra+Pnt2aHsCAwEAAaNTMFEwHQYD\nVR0OBBYEFHAu4/H7wriieQNMfDGZYHzH1qKwMB8GA1UdIwQYMBaAFHAu4/H7wrii\neQNMfDGZYHzH1qKwMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB\nALb4ieWi+O/9eOIHVwH3FK2iVd5O3weRGcjBhxHlCYLfvL4QOXOR9j8fGcI3WUKE\nHJs85VRl3+9sVqwpp7cxBILVXiSi72hr4miv1aPKdVdg+2fUCnk9oib4dRvyiEue\ntUqTCu+In3UEwAV22BNhbeuvmad8XQis2rKo8jtRwDJAbS84RsOemiHHltb8XFED\nRqEfBny8hQdUxDo+O1xC3xjeQISen6teVS6RPcw/bBAGDhfPchknIfptmxu/rlKg\ndKroylS//wRpwzTjDmX2YHvPeEMlOq0ceeCuXjQp9OU/Acr5o8qRYv42aokJXbLf\nMfgnHmJRruRv/HQGjgm9WeE=\n-----END CERTIFICATE-----"}'

And then tried sending test event:

curl -i -k -u : -H "Content-Type: application/json" -X POST -d '{"EventTypes": ["Alert"],"EventId": "TestEventId","EventTimestamp": "2017-08-08T08:24:00Z", "Severity": "Critical","Message": "TestMessage", "MessageId": "TMP0118","MessageArgs": [ "TestMessageArg" ], "OriginOfCondition": "/redfish/v1/"}' https://169.254.16.1/redfish/v1/EventService/Actions/EventService.SubmitTestEvent

But we still get "Unknown CA" TLS response. How to be sure which CA certificate is used to verify Redfish event server certificate from external server? Are there any logs that we could check?

texroemer commented 7 months ago

Hi @nikigen68, can you answer the questions below to get more clarification about the solution you're wanting to perform.

  1. Is the certificate verification enforced from the event receiver side? If yes, update the ca-trust with the issuer of iDRAC WEB_SERVER certificate.

  2. Are you wanting to use iDRAC certificate verification via iDRAC attribute "idrac.redfisheventing.1.IgnoreCertificateErrors" but using certificates issued by internal CA's (Not 3rd party trusted well-known CA's)?

  3. Are you wanting to use certificate auth or mutual TLS auth?

Thanks Tex

nikigen68 commented 7 months ago

Hi @texroemer

  1. Yes the certificate verification is enforced from event receiver side. We are using our locally generated CA certificate. Event receiver is sending Certificate Request to the client, but it doesn't receive anything back when IgnoreCertificateErrors is set to Yes.

  2. IgnoreCertificateErrors was set successfully using this command:

curl -k -X PATCH -u : -H "Content-Type: application/json" https://169.254.16.13/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DellAttributes/iDRAC.Embedded.1 -d '{"Attributes": {"RedfishEventing.1.IgnoreCertificateErrors": "No"}}'

With IgnoreCertificateErrors set to No we get "Unknown CA" response from iDRAC. We tried to import/install our locally generated CA certificate to iDRAC in multiple ways but nothing seems to work.

  3. We would like to use mTLS if possible, or whatever is available at this moment.

Some more clarifications:

Looking at Redfish API CertificateCollection, as well as GUI, there is a whole bunch of certificates and certificate types and we are failing to fully comprehend the relationship between various certificates and the respective use cases, or find a relevant documentation. Simply put, what certificate / certificate type is used for what exactly.

iDRAC as a client:

texroemer commented 7 months ago

Hi @nikigen68

Thanks for the information, this helps. After discussing this concern with internal teams at Dell there is a bug in iDRAC. I don't know yet when a new iDRAC version will be available with the fix but will keep you posted when I find out more details.

For now as a workaround you'll have to disable cert check on both iDRAC and event listener to stream events.

Thanks Tex
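The `RedfishEventing.1.IgnoreCertificateErrors` attribute PATCHed earlier in this thread, and the interim workaround in the comment above, both touch the same DellAttributes resource. The added Python example below (stdlib only; not code from this repository or from Dell) wraps a GET and PATCH of that resource and includes a small audit function so that an iDRAC left on the workaround setting is flagged and can be switched back once a fixed firmware is installed. The attribute name and resource path come from the thread; the `SAMPLE_ATTRIBUTES` response is a constructed stand-in for a real GET.

```python
"""Read, audit and set RedfishEventing.1.IgnoreCertificateErrors on iDRAC.Embedded.1."""
import base64
import json
import ssl
import urllib.request

# Resource path and attribute name as used by the PATCH command in this thread.
DELL_ATTRIBUTES_PATH = "/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DellAttributes/iDRAC.Embedded.1"
IGNORE_CERT_ERRORS = "RedfishEventing.1.IgnoreCertificateErrors"


def build_patch_body(ignore_certificate_errors: bool) -> dict:
    """Body for PATCH: "No" keeps iDRAC verifying the listener's certificate; "Yes" is the workaround."""
    return {"Attributes": {IGNORE_CERT_ERRORS: "Yes" if ignore_certificate_errors else "No"}}


def audit_eventing_tls(attributes_resource: dict) -> list:
    """Return human-readable findings from a GET of the DellAttributes resource."""
    attrs = attributes_resource.get("Attributes", {})
    value = attrs.get(IGNORE_CERT_ERRORS)
    findings = []
    if value is None:
        findings.append(f"{IGNORE_CERT_ERRORS} not exposed by this firmware")
    elif value == "Yes":
        findings.append(f"{IGNORE_CERT_ERRORS}=Yes: event listener certificate is not verified")
    return findings


def _redfish_request(idrac_host, username, password, method, body=None, ca_bundle=None):
    """Send one authenticated request to the DellAttributes resource; returns parsed JSON."""
    data = json.dumps(body).encode() if body is not None else None
    request = urllib.request.Request(
        f"https://{idrac_host}{DELL_ATTRIBUTES_PATH}", data=data, method=method,
        headers={"Content-Type": "application/json"},
    )
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    request.add_header("Authorization", f"Basic {token}")  # same as curl -u
    # ca_bundle should contain the issuer of the iDRAC web-server certificate (curl -k avoided here).
    context = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(request, context=context, timeout=30) as resp:
        raw = resp.read().decode()
        return json.loads(raw) if raw else {}


def get_attributes(idrac_host, username, password, ca_bundle=None) -> dict:
    return _redfish_request(idrac_host, username, password, "GET", ca_bundle=ca_bundle)


def set_ignore_certificate_errors(idrac_host, username, password, enabled, ca_bundle=None) -> dict:
    return _redfish_request(idrac_host, username, password, "PATCH",
                            body=build_patch_body(enabled), ca_bundle=ca_bundle)


# Constructed stand-in for a GET response; only the attribute relevant here is included.
SAMPLE_ATTRIBUTES = {"Attributes": {IGNORE_CERT_ERRORS: "Yes"}}

if __name__ == "__main__":
    for finding in audit_eventing_tls(SAMPLE_ATTRIBUTES):
        print("FINDING:", finding)
    print("re-enable verification with:", json.dumps(build_patch_body(False)))
```

Running `audit_eventing_tls(get_attributes(...))` on a schedule gives a simple way to catch iDRACs that were left on the workaround after the firmware fix ships.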