topic Re: iLO3 RIBCL for Custom CSR in Server Management - Remote Server Management

iLO3 RIBCL for Custom CSR

[Glaubig] — Thu, 30 Jun 2011 23:07:00 GMT

The CSR_CERT_SETTINGS RIBCL command under RIB_INFO is supposed to allow for changing SSL certificate request information. They're documented in a May 2011 edition of the iLO Scripting and Command Line Resource Guide and workS great on an iLO2 processor with firmware of 2.06.

These commands all fail on iLO3 with 1.25 firmware however with an error mesasge of 'Feature not supported'. I'm really hoping this is a bug in the firmware and not that the commands were depricated, they're extremely useful in large scale deployments and standard configurations.

The set in particular is:

<RIB_INFO MODE="write">

<CSR_CERT_SETTINGS>

<CSR_USE_CERT_CUSTOM_SUBJECT VALUE="Yes" />

<CSR_USE_CERT_2048PKEY VALUE="Yes" />

<CSR_SUBJECT_COUNTRY VALUE="Yes" />

<CSR_SUBJECT_STATE VALUE="Yes" />

<CSR_SUBJECT_LOCATION VALUE="Yes" />

<CSR_SUBJECT_ORG_NAME VALUE="Yes" />

<CSR_SUBJECT_ORGUNIT_NAME VALUE="Yes" />

<CSR_SUBJECT_COMMON_NAME VALUE="Yes" />

</CSR_CERT_SETTINGS>

Re: iLO3 RIBCL for Custom CSR

Brett Merrick — Fri, 08 Jul 2011 02:24:23 GMT

Upgraded to iLO3 v 1.25 and now it produces a 2048bit CSR,

However when you upload the replacement certificate it either rejects a certificate that doesn't match, or it accepts the certificate, reboots and then dishes up the old self signed cert.....

Re: iLO3 RIBCL for Custom CSR

[Glaubig] — Wed, 03 Aug 2011 14:37:33 GMT

In the scripting I've done thus far, it seems that the call to generate a CSR is synchronous when on iLO 2 and earlier management processors. This does not seem to be the case for iLO3 at firmware version 1.25. It seems that the call becomes asynchronous, which in my opinion defeats the purpose of making CSR generation scriptable.

Is there an option documented or not that needs to be presented to iLO 3's? Here is a sample of the RIBCL I use:

<RIB_INFO MODE="write">

<CERTIFICATE_SIGNING_REQUEST/>

</RIB_INFO>
</RIBCL>

The response I get from iLO 2 and earlier is the CSR encased in the RIBCL syntax. On iLO 3, instead of the CSR I'm expecting, I instead get a reply that the CSR is in process of being generated. I receive a similar respnose in the web GUI. Although I don't really understand why there is a difference between iLO versions, if I request a CSR I should get one, not a notice to check back later.

On a related note, the custom CSR creation works on iLO 2 (2.06), but on iLO 3 1.25 it never worked. I'd wait hours for the CSR generation and not get it when specifying locale information consistent with my certificate hierarchy. If I left the defaults for C=US, ST=Texas, L=Houston, etc., the CSR generation would however work however. It does at least properly use the FQDN for the CN in the CSR.