This repository has been archived by the owner on Oct 15, 2020. It is now read-only.

Validate secure connection to OneView using a certificate file #339

Closed
ricardoas opened this issue Nov 10, 2017 · 3 comments

@ricardoas

Scenario/Intent

I want to establish a secure HTTPS connection with OneView validating it with a given certificate file passed as one of the configuration credentials parameters.

Environment Details

  • OneView SDK Version: 4.3.0
  • OneView Appliance Version: 3.00.07_288219
  • OneView Client API Version: 300
  • Python Version: 2.7.13 and 3.5.3
  • Platform: Ubuntu Server 16.04 LTS

Steps to Reproduce

The code below opens an insecure connection to OneView, relying only on username+password for authentication, which is ok for development environments.

from hpOneView.oneview_client import OneViewClient
# No certificate is passed, so the server's identity is not validated.
oneview_client = OneViewClient({'ip': '<host>', 'credentials': {'userName': '<user>', 'password': '<password>'}})

There should be a way to inform the certificate file in the credentials to ensure the SDK is really connecting to OneView. Something like:

from hpOneView.oneview_client import OneViewClient
oneview_client = OneViewClient({'ip': '<host>', 'credentials': {'userName': '<user>', 'password': '<password>', 'cert': 'cacertfile.crt'}})

Expected Result

I expect the SDK to:

  • open an insecure connection if the user does not specify a certificate
  • open a secure connection if the user specified a valid certificate
  • reject the OneViewClient instantiation if the certificate does not verify with the server (using a wrong cert OR somebody deployed a malicious fake OneView)

Actual Result

The client provides only a non-validated secure connection mode.

@fgbulsoni
Contributor

fgbulsoni commented Nov 23, 2017

Hey @ricardoas, I've pushed PR #340 now which should allow you to specify the certificate file.
Could you try it and let me know if it solves your requirements?

The PR still requires tests to be updated and a few things to be actually ready, but it should already be usable.

To generate a cert file, just run:
openssl s_client -showcerts -host <host> -port 443

This will return a lot of stuff; copy this part into a <somefile.crt> file:

-----BEGIN CERTIFICATE-----
Loremipsumdolorsitamet,consecteturadipiscingelit,seddoeiusmodtemporincididuntutlaboreetdoloremagnaaliqua.Utenimadminimveniam,quisnostrudexercitationullamcolaborisnisiutaliquipexeacommodoconsequat.Duisauteiruredolorinreprehenderitinvoluptatevelitessecillumdoloreeufugiatnullapariatur.Excepteursintoccaecatcupidatatnonproident,suntinculpaquiofficiadeseruntmollitanimidestlaborum.
-----END CERTIFICATE-----

Then, add the location of your file inside your config, under the sslBundle tag.

Here is an example when test.crt is my file and it is under the same folder as the example I'm running:

config = {
    "ip": "172.16.101.48",
    "credentials": {
        "userName": "administrator",
        "password": "mypass"
    },
    "api_version": 300,
    "sslBundle": "test.crt"
}

Cheers,
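
Added example (not part of the thread or the SDK): the copy step from the comment above, done programmatically. It extracts the certificate blocks from `openssl s_client -showcerts` output and returns only the one whose SHA-256 fingerprint matches a value obtained out of band. The function names, the out-of-band fingerprint and the sample output are assumptions constructed for illustration.

```python
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)


def fingerprint(pem):
    """SHA-256 of the certificate's DER bytes, lowercase hex without colons."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def extract_certs(s_client_output):
    """Return {fingerprint: PEM block} for each distinct certificate, in
    order of first appearance (s_client can print the same one twice)."""
    certs = {}
    for match in PEM_BLOCK.finditer(s_client_output):
        certs.setdefault(fingerprint(match.group(0)), match.group(0))
    return certs


def select_pinned(s_client_output, expected_fingerprint):
    """Return the PEM block matching a fingerprint obtained out of band;
    raise instead of trusting whatever the network returned."""
    wanted = expected_fingerprint.replace(":", "").strip().lower()
    certs = extract_certs(s_client_output)
    if wanted not in certs:
        raise ValueError("no certificate matches the expected fingerprint; "
                         "saw: " + ", ".join(certs))
    return certs[wanted]


# Constructed sample: placeholder bytes, not real certificates.
LEAF_DER = b"constructed leaf placeholder " * 4
CA_DER = b"constructed issuer placeholder " * 4
SAMPLE_OUTPUT = (
    "CONNECTED(00000003)\n---\nCertificate chain\n 0 s:CN = oneview.example\n"
    + ssl.DER_cert_to_PEM_cert(LEAF_DER)
    + " 1 s:CN = Example Issuing CA\n"
    + ssl.DER_cert_to_PEM_cert(CA_DER)
    + "---\nServer certificate\n"
    + ssl.DER_cert_to_PEM_cert(LEAF_DER)
    + "subject=CN = oneview.example\n---\n"
)

if __name__ == "__main__":
    for fp in extract_certs(SAMPLE_OUTPUT):
        print(fp)
```

The block returned by `select_pinned` is what would be saved as the file named in `sslBundle`; a mismatch means the certificate seen on the wire is not the one expected and should not be written to the bundle.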

@ricardoas
Author

Great news, @fgbulsoni!!!

It worked fine here with the test case we tried out before opening this issue... we can (and will) conduct some further tests using OpenStack while you update the PR. It will take a while to set everything up, but I expect them to be fine too.

Thanks!

@fgbulsoni changed the title from "Validate secure connection to OneView using a certficate file" to "Validate secure connection to OneView using a certificate file" on Nov 24, 2017