HPE OneView
cancel
Showing results for 
Search instead for 
Did you mean: 

OneView REST API retrieve certificate alerts

 
SOLVED
Go to solution
Highlighted
BradV
Trusted Contributor

OneView REST API retrieve certificate alerts

In the GUI, I see an alert for a root CA certificate that is invalid with FIPs mode (firmware 4.10.01-0348545).  I'm trying to figure out how to use the REST API to first see this alert, then respond to it.  I tried retrieving a list of all alerts with:

 

ALERTS=$(curl --insecure \
--header "content-type: application/json" \
--header "accept: application/json" \
--header "X-API-Version: ${currentVersion}" \
--header "auth: ${sessionID}" \
--request GET ${OneView}/rest/alerts?start=0&count=-1)

but I don't see the certificate alert in the response.  Is access to the certificate alert available through the rest api?

 

Thanks!

15 REPLIES 15
BhaskarV
HPE Pro

Re: OneView REST API retrieve certificate alerts

Hi @BradV

Yes it is available in the GET /rest/alerts API response.
I seem to get this specific alert you are referring to (about one of the Verisign CA certificates not being FIPS compliant) in the response on my test  appliance.
You have seen it in the UI so it is there in the alerts table in the database.
Will find out if there is a known issue with the "latest" alerts not being available when you query the REST API and come back.
Possibly query for the specific alert id and see instead of a GET all.

Regards,
Bhaskar
I am a HPE employee


Accept or Kudo
BhaskarV
HPE Pro

Re: OneView REST API retrieve certificate alerts

Hi  @BradV

Most likely the alerts DB and index DB are out of synch on your appliance.
Can you open a support case on this to get that fixed?

Regards,
Bhaskar


Accept or Kudo
BradV
Trusted Contributor

Re: OneView REST API retrieve certificate alerts

Hi Bhaskar,

I do have a ticket opened for OneView, I'll raise that question.  I did attempt to just retrieve that specific alert with: 

--request GET ${OneView}/rest/alerts?start=1&count=3&filter="healthCategory EQ 'Certificate Management'"

, but that didn't get it.  From looking at the REST API vs 800 documentation, 'Certificate Management' does not appear to be a valid health category.

BhaskarV
HPE Pro

Re: OneView REST API retrieve certificate alerts

Hi @BradV 

Sorry about the delay.
Have you tried the below?

curl  -X GET -H "X-API-Version:800" -H "Content-type:application/json" -H "Auth:<auth_token>" 'https://<appliance> /rest/alerts?filter=%22healthCategory+EQ+%27Certificate+Management%27%22'

You should see a response like the below:

HTTP/1.1 200 OK
Date: Fri, 01 Feb 2019 13:32:46 GMT
Server: Apache
Content-Type: application/json;charset=utf-8
cache-control: no-cache
Transfer-Encoding: chunked

{
"type": "AlertResourceCollectionV3",
"uri": "/rest/alerts?start=0&count=25&sort=created:descending&filter=\"healthCategory EQ 'Certificate Management'\"",
"category": "alerts",
"eTag": null,
"created": "2019-02-01T13:26:38.299Z",
"modified": "2019-02-01T13:26:38.299Z",
"start": 0,
"count": 1,
"total": 1,
"prevPageUri": null,
"nextPageUri": null,
"members": [
{
"type": "AlertResourceV3",
"uri": "/rest/alerts/1460",
"category": "alerts",
"eTag": "2019-02-01T07:25:04.795Z",
"created": "2019-02-01T07:25:04.795Z",
"modified": "2019-02-01T07:25:04.795Z",
"associatedEventUris": [
"/rest/events/26419"
],
"resourceID": null,
"assignedToUser": null,
"activityUri": null,
"changeLog": [],
"clearedByUser": null,
"clearedTime": null,
"correctiveAction": "Refer to the appliance specific documentation for required actions.",
"description": "The root CA certificate with alias name: VeriSign Class 3 Public Primary Certification Authority - G5 is signed with signature algorithm: SHA1WITHRSA, is not compliant for FIPS mode",
"alertTypeID": "Alerts.CertificateStatus.NonCompliant",
"urgency": "Immediate",
"healthCategory": "Certificate Management",
"lifeCycle": false,
"associatedResource": {
"resourceName": "Security",
"resourceUri": "/rest/certificates/ca/VeriSign Class 3 Public Primary Certification Authority - G5",
"resourceCategory": "appliance",
"associationType": "HAS_A"
},
"severity": "Critical",
"alertState": "Locked",
"physicalResourceType": "appliance",
"resourceUri": "/rest/certificates/ca/VeriSign Class 3 Public Primary Certification Authority - G5",
"serviceEventSource": false,
"serviceEventDetails": null,
"parentAlert": null,
"childAlerts": []
}
],
"alertSeverityCounts": null
}

Regards,
Bhaskar


Accept or Kudo
BradV
Trusted Contributor

Re: OneView REST API retrieve certificate alerts

Oh!  That worked!  Not sure why changing actual quotes to URL encoding works, but it seems to have.  I used: 

curl --insecure \
   --header "content-type: application/json" \
   --header "accept: application/json" \
   --header "X-API-Version: ${currentVersion}" \
   --request GET "${OneView}/rest/alerts?filter=%22healthCategory+EQ+%27Certificate+Management%27%22" | jq -r '.'

Now, I just have to figure out how to respond to a given alert.  I added: 

&filter=%22alertState<>%27Cleared%27%22

to the end of the query to not get back the alerts that have already been cleared.  I get one that is in a locked state.  What does locked mean and how / should I clear it?

 

Thanks!

 

Brad

BhaskarV
HPE Pro

Re: OneView REST API retrieve certificate alerts

Hi @BradV 

Locked alerts are usually meant to stay locked until the condition in the appliance that triggered the alert changes.
These are system generated and stay Locked and they auto clear soon after the condition changes,
The Locked alert you are seeing - is that the one about the Verisign CA certificate you saw above when changing the appliance cryptographic mode to FIPS? Let me know.

Regards,
Bhaskar


Accept or Kudo
BradV
Trusted Contributor

Re: OneView REST API retrieve certificate alerts

Hi Bhaskar,

Yes.  Should I remove the certificate since I won't be using it?  The resourceUri reported is: /rest/certificates/ca/VeriSign Class 3 Public Primary Certification Authority - G5.  According to the REST API (800 version), DELETE /rest/certificates/ca/{aliasName} and it says GET /rest/certificates/ca should return the aliasName, but all I get is: 

{
  "uri": "/rest/certificates/ca/VeriSign Class 3 Public Primary Certification Authority - G5",
  "category": "appliance",
  "eTag": "2019-02-04T10:24:33.544Z",
  "modified": "2019-02-04T10:24:33.544Z",
  "type": "CertificateAuthorityInfo",
  "certificateDetails": "null",
  "certRevocationConfInfo": "null",
  "subjectName": "CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\\, Inc.,C=US",
  "certStatus": "GOOD",
  "certType": "CUSTOM ROOT",
  "expiryDate": "2036-07-16T23:59:59.00Z",
  "created": "2019-02-=04T10:24;33.544z"
},

How is one supposed to find the aliasName?

 

Regards,

Brad

JTodd1
Frequent Advisor

Re: OneView REST API retrieve certificate alerts

You can safely remove the following four certificates if you are not using them elsewhere. These were required for Remote Support until late November but the new certificates use DigiCert root and intermediate certs instead of Verisign and Symantec.

  • VeriSign Class 3 Public Primary Certification Authority - G5
  • VeriSign Universal Root Certification Authority
  • Symantec Class 3 Secure Server CA - G4
  • Symantec Class 3 Secure Server SHA256 SSL CA

 

  1. Log into the OneView UI
  2. Click on OneView -> Settings
  3. Scroll under Security and click the link to manage certificates
  4. Delete the following certificates
  • VeriSign Class 3 Public Primary Certification Authority - G5
  • VeriSign Universal Root Certification Authority
  • Symantec Class 3 Secure Server CA - G4
  • Symantec Class 3 Secure Server SHA256 SSL CA
  1. Wait for the delete to complete
  2. Close
I am an HPE employee
BradV
Trusted Contributor

Re: OneView REST API retrieve certificate alerts

Sorry, forgot about this.  Just went in and checked.  I can view the certificates, but can't find anyway to delete via the gui.  I am going to attempt to delete via the REST API.