topic Re: OneView as Intermediate CA for iLO's in HPE OneView

OneView as Intermediate CA for iLO's

Tinux — Thu, 13 Oct 2022 04:40:06 GMT

Can OneView function as Intermediate CA for iLO's ?

A bit like vCenter does for its managed ESXi hosts.

If not, how do people bulk replace iLO certificate's with selfsigned one's ?

regards,
Martijn

Re: OneView as Intermediate CA for iLO's

DanCernese — Tue, 11 Oct 2022 14:55:47 GMT

HPE OneView does not provide this feature but product management is investigating the topic and would always like to hear customer requirements around the certificate type/length/security/etc. required.

Re: OneView as Intermediate CA for iLO's

BradV — Wed, 12 Oct 2022 15:17:13 GMT

You can use the OneView REST API to get a authentication id for the iLO, then use the iLO Redfish API to generate a CSR. Submit that to your certificate signer. Then upload the signed certificate. You can put a group of your servers in a for loop around that and loop through a group of servers.

Re: OneView as Intermediate CA for iLO's

Tinux — Wed, 12 Oct 2022 15:38:39 GMT

Hi Brad,

I was allready looking in to that, but is hard to find proper scripts which actually work.
I'm not a REST API or scripting Guru, so this is not a days work for me.

I also noticed an Automatic Certificate Enrollment in iLO5, however this requires Microsofts NDES to be deployed.
It only eases a little of the manual labor because in only automates the part of going through the CA server with the CSR and importing the signed certificate.

Will come back here if I have a working solution (could take a while ...)

Regards,
Martijn

Re: OneView as Intermediate CA for iLO's

BradV — Thu, 13 Oct 2022 10:38:13 GMT

I had been researching it and this works (Note: I work from a Linux system):

# Get a CSR from an iLO interface SERVER=<server name> ACTV=$(python -c "import urllib, sys; print urllib.quote(sys.argv[1])" "\"'serverName' = '${SERVER}'\"") UUID=$(curl --silent --insecure --header "X-API-Version: ${currentVersion}" --header "auth: ${sessionID}" --request GET ${OneView}/rest/server-hardware?filter=${ACTV} | jq -r '.members[] | .uuid') read iLOSSO iLOAuth <<< $(curl --silent --insecure --header "X-API-Version: ${currentVersion}" --header "auth: ${sessionID}" --request GET ${OneView}/rest/server-hardware/${UUID}/remoteConsoleUrl | \ jq -r '.remoteConsoleUrl' | sed -e 's|hplocons|https|' -e 's|addr=||' -e 's|^$.*$&sessionkey=$.*$$|\1 \2|') DATA=$(echo '{"City":"my-city","CommonName":'${SERVER}'","Country":"MC","OrgName":"MyOrg","OrgUnit":"orglist","State","LH","IncludeIP":true}' | jq -c '.') curl --silent --insecure --header "X-Auth-Token: ${iLOAuth}" --header "Content-Type: application/json" \ --data "${DATA}" --request POST ${iLOSSO}/redfish/v1/Managers/1/SecurityService/HttpsCert/Actions/HpeHttpsCert.GenerateCSR | jq -r '.' CSR=$(curl --silent --insecure --header "X-Auth-Token: ${iLOAuth}" --request GET ${iLOSSO}/redfish/v1/Managers/1/SecurityService/HttpsCert | jq -r '.CertificateSigningRequest') echo "${SERVER}, ${CSR}"

Upload the CSR to your signing authority. When signed, proceed:

# Upload a signed server certificate to the iLO interface SERVER=<server name> ACTV=$(python -c "import urllib, sys; print urllib.quote(sys.argv[1])" "\"'serverName' = '${SERVER}'\"") UUID=$(curl --silent --insecure --header "X-API-Version: ${currentVersion}" --header "auth: ${sessionID}" --request GET ${OneView}/rest/server-hardware?filter=${ACTV} | jq -r '.members[] | .uuid') read iLOSSO iLOAuth <<< $(curl --silent --insecure --header "X-API-Version: ${currentVersion}" --header "auth: ${sessionID}" --request GET ${OneView}/rest/server-hardware/${UUID}/remoteConsoleUrl | \ jq -r '.remoteConsoleUrl' | sed -e 's|hplocons|https|' -e 's|addr=||' -e 's|^$.*$&sessionkey=$.*$$|\1 \2|') # Get signed certficate and put in a variable (copy and paste the certificate between the single quotes): CRT=$(echo '' | sed -z 's|\n|\\n|g') DATA=$(echo '{"Certificate"; "'${CRT}'"}' | jq -c '.') curl --silent --insecure --header "X-Auth-Token: ${iLOAuth}" --header "Content-Type: application/json" \ --data "${DATA}" --request POST ${iLOSSO}/redfish/v1/Managers/1/SecurityService/HttpsCert/Actions/HpeHttpsCert.ImportCertificate | jq -r '.'

See if that helps any?

Re: OneView as Intermediate CA for iLO's

Tinux — Thu, 13 Oct 2022 14:43:36 GMT

Hi Brad,

Thanks for the setup in Python.
I generally work from Windows hosts because that's what I have to work with, but I do love Linux.

I did found a piece of PowerShell scripting on the web, but it was also riddled with typo's so I spend half a day troubleshooting, which got me at least to a point that I can make connection to an iLO.
I am not a daily user of both PS and Pyhton, but I try to do my best in understanding pieces of it.
By combining scripts from the web, and I noticed some interesting pieces in your script, I will sure get somewehere.

I will post my working version of a PS script in this thread once it's finished.

Thanks !
Martijn

Re: OneView as Intermediate CA for iLO's

BradV — Fri, 14 Oct 2022 09:22:35 GMT

FYI, not python scripts, but BASH.

I do have one line of python in there, but that is only because someone else that knows python well helped me with it. (apparently the forum will not let me put in a smiley face?)

You can always install the Windows Subsystem for Linux on your Windows server and run it from there?

I do see a bash to powershell converter on github. You might give that a try or some other bash to powershell converter? I did run a test on one of our iLOs with those script and was able to get a signed certificate uploaded to the iLO interface. So, I know they work.