
Importing CA certificate to iDRAC via Redfish #286

Open
nikigen68 opened this issue Feb 29, 2024 · 6 comments

Comments

@nikigen68

nikigen68 commented Feb 29, 2024

Can you please help us by sharing the proper procedure for importing locally generated CA to iDRAC via Redfish protocol? We would like to use that CA so that DELL can verify redfish event communication with some external server.

Locally generated CA is used to sign certificate that is imported to iDRAC via CSR procedure. External server sends request for redfish event client certificate, but it doesn't receive any. What is required so client certificate is sent from iDRAC to external server?

@texroemer
Collaborator

Hi @nikigen68

To import CA to iDRAC using Redfish leverage OEM action DelliDRACCardService.ImportSSLCertificate. Note if you have iDRAC version older than 6.00.02 installed you'll need to reboot the iDRAC after installing the cert for changes to take effect.

Example below importing CA cert to iDRAC.

[image]

Thanks
Tex

@nikigen68
Author

Thanks for the answer. We will try it and get back to you.
Can you please help with the 2nd question as well. Is it possible for external server to get certificate from iDRAC redfish event client?

@nikigen68
Author

nikigen68 commented Mar 1, 2024

We tried your proposal to import CA:

```bash
curl -k -X POST -u : -H "Content-Type: application/json" https://169.254.16.13/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DelliDRACCardService/Actions/DelliDRACCardService.ImportSSLCertificate -d '{"CertificateType":"CA","SSLCertificateFile":"-----BEGIN CERTIFICATE-----\nMIIDnTCCAoWgAwIBAgIUbu+5WR0e16FgNeSdFrq9GfnHRlgwDQYJKoZIhvcNAQEL\nBQAwXjELMAkGA1UEBhMCU0UxCzAJBgNVBAgMAlNUMRIwEAYDVQQHDAlTdG9ja2hv\nbG0xETAPBgNVBAoMCEVyaWNzc29uMQswCQYDVQQLDAJFSTEOMAwGA1UEAwwFYm1j\nQ0EwHhcNMjQwMjE5MDk1OTE2WhcNNDQwMjE0MDk1OTE2WjBeMQswCQYDVQQGEwJT\nRTELMAkGA1UECAwCU1QxEjAQBgNVBAcMCVN0b2NraG9sbTERMA8GA1UECgwIRXJp\nY3Nzb24xCzAJBgNVBAsMAkVJMQ4wDAYDVQQDDAVibWNDQTCCASIwDQYJKoZIhvcN\nAQEBBQADggEPADCCAQoCggEBAM6vGsgxX32QLbmUcX1Zm3eukoLZvX50RrfX5tFc\nSzHT4zKqyWn07zV9Q1UMu57NFJP8kKJuJmEBNvp6aSjoovocwwSypi+6omuTpZwK\n0bf7ciPIDXqXB1CnitsGaA9NH3rkEnc9elFQgtubs8/PYwhdEPARA4xHmZw+tC7G\nxAUfT9Q30WHyU9xE3w1pDczTx6fUeYCj1cZamU7a/IcRWbzdgUaA7wOB8Bu9u+pV\nkD2itc0zZTwu/nnGgWXzjQlspLVWtVdLkLJUSajG6E829Q5GE5vXfObkDQ3yrukY\nsFyrYIRooQyRegWMyJBvoCuirOrEWddK6ns24ra+Pnt2aHsCAwEAAaNTMFEwHQYD\nVR0OBBYEFHAu4/H7wriieQNMfDGZYHzH1qKwMB8GA1UdIwQYMBaAFHAu4/H7wrii\neQNMfDGZYHzH1qKwMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB\nALb4ieWi+O/9eOIHVwH3FK2iVd5O3weRGcjBhxHlCYLfvL4QOXOR9j8fGcI3WUKE\nHJs85VRl3+9sVqwpp7cxBILVXiSi72hr4miv1aPKdVdg+2fUCnk9oib4dRvyiEue\ntUqTCu+In3UEwAV22BNhbeuvmad8XQis2rKo8jtRwDJAbS84RsOemiHHltb8XFED\nRqEfBny8hQdUxDo+O1xC3xjeQISen6teVS6RPcw/bBAGDhfPchknIfptmxu/rlKg\ndKroylS//wRpwzTjDmX2YHvPeEMlOq0ceeCuXjQp9OU/Acr5o8qRYv42aokJXbLf\nMfgnHmJRruRv/HQGjgm9WeE=\n-----END CERTIFICATE-----"}'
```

And then tried sending test event:

```bash
curl -i -k -u : -H "Content-Type: application/json" -X POST -d '{"EventTypes": ["Alert"],"EventId": "TestEventId","EventTimestamp": "2017-08-08T08:24:00Z", "Severity": "Critical","Message": "TestMessage", "MessageId": "TMP0118","MessageArgs": [ "TestMessageArg" ], "OriginOfCondition": "/redfish/v1/"}' https://169.254.16.1/redfish/v1/EventService/Actions/EventService.SubmitTestEvent
```

But we still get an "Unknown CA" TLS response.
How to be sure which CA certificate is used to verify Redfish event server certificate from external server? Are there any logs that we could check?
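One way to take the guesswork out of the import step is to validate the PEM locally before posting it, so that a malformed file or a non-CA (leaf) certificate is caught on the client rather than showing up later as an "Unknown CA" alert. The script below is an added example, not code from this issue or from the iDRAC-Redfish-Scripting project. It reuses the OEM action URI and the JSON body shape from the curl command above and the CA certificate posted there as its sample input; the function names (`check_ca_pem`, `build_import_payload`, `import_ca_certificate`) are my own, Basic authentication is assumed because the curl uses `-u`, and the basicConstraints check is a lightweight byte-pattern scan rather than a full X.509 parse.

```python
import base64
import json
import re
import ssl
import urllib.request

# OEM action URI as used in the curl command in this thread.
IMPORT_ACTION = ("/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DelliDRACCardService"
                 "/Actions/DelliDRACCardService.ImportSSLCertificate")

# Sample input: the self-signed CA certificate posted in the comment above.
SAMPLE_CA_PEM = """-----BEGIN CERTIFICATE-----
MIIDnTCCAoWgAwIBAgIUbu+5WR0e16FgNeSdFrq9GfnHRlgwDQYJKoZIhvcNAQEL
BQAwXjELMAkGA1UEBhMCU0UxCzAJBgNVBAgMAlNUMRIwEAYDVQQHDAlTdG9ja2hv
bG0xETAPBgNVBAoMCEVyaWNzc29uMQswCQYDVQQLDAJFSTEOMAwGA1UEAwwFYm1j
Q0EwHhcNMjQwMjE5MDk1OTE2WhcNNDQwMjE0MDk1OTE2WjBeMQswCQYDVQQGEwJT
RTELMAkGA1UECAwCU1QxEjAQBgNVBAcMCVN0b2NraG9sbTERMA8GA1UECgwIRXJp
Y3Nzb24xCzAJBgNVBAsMAkVJMQ4wDAYDVQQDDAVibWNDQTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAM6vGsgxX32QLbmUcX1Zm3eukoLZvX50RrfX5tFc
SzHT4zKqyWn07zV9Q1UMu57NFJP8kKJuJmEBNvp6aSjoovocwwSypi+6omuTpZwK
0bf7ciPIDXqXB1CnitsGaA9NH3rkEnc9elFQgtubs8/PYwhdEPARA4xHmZw+tC7G
xAUfT9Q30WHyU9xE3w1pDczTx6fUeYCj1cZamU7a/IcRWbzdgUaA7wOB8Bu9u+pV
kD2itc0zZTwu/nnGgWXzjQlspLVWtVdLkLJUSajG6E829Q5GE5vXfObkDQ3yrukY
sFyrYIRooQyRegWMyJBvoCuirOrEWddK6ns24ra+Pnt2aHsCAwEAAaNTMFEwHQYD
VR0OBBYEFHAu4/H7wriieQNMfDGZYHzH1qKwMB8GA1UdIwQYMBaAFHAu4/H7wrii
eQNMfDGZYHzH1qKwMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
ALb4ieWi+O/9eOIHVwH3FK2iVd5O3weRGcjBhxHlCYLfvL4QOXOR9j8fGcI3WUKE
HJs85VRl3+9sVqwpp7cxBILVXiSi72hr4miv1aPKdVdg+2fUCnk9oib4dRvyiEue
tUqTCu+In3UEwAV22BNhbeuvmad8XQis2rKo8jtRwDJAbS84RsOemiHHltb8XFED
RqEfBny8hQdUxDo+O1xC3xjeQISen6teVS6RPcw/bBAGDhfPchknIfptmxu/rlKg
dKroylS//wRpwzTjDmX2YHvPeEMlOq0ceeCuXjQp9OU/Acr5o8qRYv42aokJXbLf
MfgnHmJRruRv/HQGjgm9WeE=
-----END CERTIFICATE-----"""

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Decode exactly one PEM certificate block to DER; reject anything else."""
    blocks = _PEM_RE.findall(pem)
    if len(blocks) != 1:
        raise ValueError("expected exactly one PEM CERTIFICATE block, got %d" % len(blocks))
    return base64.b64decode("".join(blocks[0].split()), validate=True)


def _declared_length(der: bytes) -> int:
    """Total size the outer DER SEQUENCE header claims (short or long length form)."""
    if not der or der[0] != 0x30:
        raise ValueError("DER does not start with a SEQUENCE tag")
    if der[1] < 0x80:
        return 2 + der[1]
    n = der[1] & 0x7F
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def _basic_constraints_is_ca(der: bytes) -> bool:
    """Heuristic: locate basicConstraints (OID 2.5.29.19) and read its cA flag.
    Scans for the encoded OID instead of walking the full ASN.1 tree; fine as a
    pre-import sanity check, not a substitute for a real X.509 parser."""
    oid = b"\x06\x03\x55\x1d\x13"
    idx = der.find(oid)
    if idx < 0:
        return False                       # no basicConstraints at all: not a CA
    pos = idx + len(oid)
    if der[pos:pos + 1] == b"\x01":        # optional 'critical' BOOLEAN (01 01 FF)
        pos += 3
    if der[pos:pos + 1] != b"\x04":        # extnValue OCTET STRING
        return False
    pos += 2                               # skip tag and short-form length
    # BasicConstraints ::= SEQUENCE { cA BOOLEAN, pathLenConstraint OPTIONAL }
    return der[pos:pos + 1] == b"\x30" and der[pos + 2:pos + 5] == b"\x01\x01\xff"


def check_ca_pem(pem: str) -> dict:
    """Report whether a PEM decodes to consistent DER and carries cA=TRUE."""
    der = pem_to_der(pem)
    declared = _declared_length(der)
    return {"der_length": len(der), "declared_length": declared,
            "length_consistent": declared == len(der),
            "is_ca": _basic_constraints_is_ca(der)}


def build_import_payload(pem: str, cert_type: str = "CA") -> dict:
    """JSON body for ImportSSLCertificate, shaped as in the curl above; refuses
    anything that is not a well-formed CA certificate."""
    report = check_ca_pem(pem)
    if not (report["length_consistent"] and report["is_ca"]):
        raise ValueError("refusing to import, not a well-formed CA certificate: %r" % report)
    return {"CertificateType": cert_type, "SSLCertificateFile": pem.strip()}


def import_ca_certificate(host, user, password, pem, cafile=None):
    """POST the payload. `cafile` verifies the iDRAC's own HTTPS certificate;
    None mirrors `curl -k` (no verification) and belongs only in an isolated lab."""
    body = json.dumps(build_import_payload(pem)).encode()
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = urllib.request.Request("https://%s%s" % (host, IMPORT_ACTION), data=body,
                                 method="POST", headers={"Content-Type": "application/json",
                                                         "Authorization": "Basic " + token})
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    print(check_ca_pem(SAMPLE_CA_PEM))   # offline check only; no iDRAC contacted
```

Run as-is it only prints the local report for the sample CA; to import, call `import_ca_certificate("169.254.16.13", user, password, pem, cafile="idrac-ca.pem")` with a bundle that verifies the iDRAC's own web server certificate, and fall back to `cafile=None` only where `curl -k` would have been acceptable anyway.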

@texroemer
Collaborator

Hi @nikigen68, can you answer the questions below to get more clarification about the solution you're wanting to perform.

  1. Is the certificate verification enforced from the event receiver side? If yes update the ca-trust with the issuer of iDRAC WEB_SERVER certificate.

  2. Are you wanting to use iDRAC certificate verification via iDRAC attribute "idrac.redfisheventing.1.IgnoreCertificateErrors" but using certificates issued by internal CA's (Not 3rd party trusted well-known CA's)?

  3. Are you wanting to use certificate auth or mutual TLS auth?

Thanks
Tex

@nikigen68
Author

nikigen68 commented Mar 5, 2024

Hi @texroemer

  1. Yes the certificate verification is enforced from event receiver side. We are using our locally generated CA certificate. Event receiver is sending Certificate Request to the client, but it doesn't receive anything back when IgnoreCertificateErrors is set to Yes.

  2. IgnoreCertificateErrors was set successfully using this command:

```bash
curl -k -X PATCH -u : -H "Content-Type: application/json" https://169.254.16.13/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DellAttributes/iDRAC.Embedded.1 -d ' {"Attributes": {"RedfishEventing.1.IgnoreCertificateErrors": "No"}}'
```

With IgnoreCertificateErrors set to No we get an "Unknown CA" response from iDRAC. We tried to import/install our locally generated CA certificate to iDRAC in multiple ways but nothing seems to work.

  3. We would like to use mTLS if possible, or whatever is available at this moment.

Some more clarifications:

Looking at the Redfish API CertificateCollection, as well as the GUI, there is a whole bunch of certificates and certificate types, and we are failing to fully comprehend the relationship between the various certificates and their respective use cases, or to find relevant documentation.
Simply put, what certificate / certificate type is used for what exactly.

iDRAC as a client:

  • Redfish Event - client validation (by server)
    We should be able to get a csr from iDRAC, sign it with our own CA, put the resulting certificate back to the iDRAC. iDRAC shall present this certificate to the Ericsson Redfish event listener (server) when sending Redfish events. This way our listener will ensure the authenticity of the sender of the event. This is not working currently. We can’t get the iDRAC (client) to present the desired certificate to us (the server).
  • Redfish Event - server validation
    We should be able to upload a trusted CA certificate into iDRAC. The Redfish event listener will present a server certificate signed by that CA. iDRAC as a client shall validate the certificate against the uploaded CA. This is not working either.

@texroemer
Collaborator

Hi @nikigen68

Thanks for the information, this helps. After discussing this concern with internal teams at Dell, there is a bug in iDRAC. I don't know yet when a new iDRAC version will be available with the fix but will keep you posted when I find out more details.

For now as a workaround you'll have to disable cert check on both iDRAC and event listener to stream events.

Thanks
Tex
