- Re: OneView REST API retrieve certificate alerts
01-24-2019 03:49 AM
In the GUI, I see an alert for a root CA certificate that is invalid with FIPS mode (firmware 4.10.01-0348545). I'm trying to figure out how to use the REST API to first see this alert, then respond to it. I tried retrieving a list of all alerts with:
ALERTS=$(curl --insecure \
  --header "content-type: application/json" \
  --header "accept: application/json" \
  --header "X-API-Version: ${currentVersion}" \
  --header "auth: ${sessionID}" \
  --request GET ${OneView}/rest/alerts?start=0&count=-1)
but I don't see the certificate alert in the response. Is access to the certificate alert available through the rest api?
Thanks!
01-25-2019 12:30 AM
Hi @BradV
Yes it is available in the GET /rest/alerts API response.
I seem to get this specific alert you are referring to (about one of the Verisign CA certificates not being FIPS compliant) in the response on my test appliance.
You have seen it in the UI so it is there in the alerts table in the database.
Will find out if there is a known issue with the "latest" alerts not being available when you query the REST API and come back.
Possibly query for the specific alert id and see instead of a GET all.
Regards,
Bhaskar
I am an HPE employee
01-25-2019 02:17 AM
Hi @BradV
Most likely the alerts DB and index DB are out of synch on your appliance.
Can you open a support case on this to get that fixed?
Regards,
Bhaskar
I am an HPE employee
01-25-2019 03:34 AM
Hi Bhaskar,
I do have a ticket opened for OneView, I'll raise that question. I did attempt to just retrieve that specific alert with:
--request GET ${OneView}/rest/alerts?start=1&count=3&filter="healthCategory EQ 'Certificate Management'"
, but that didn't get it. From looking at the REST API vs 800 documentation, 'Certificate Management' does not appear to be a valid health category.
02-01-2019 05:34 AM - edited 02-01-2019 05:43 AM
Hi @BradV
Sorry about the delay.
Have you tried the below?
curl -X GET -H "X-API-Version:800" -H "Content-type:application/json" -H "Auth:<auth_token>" 'https://<appliance>/rest/alerts?filter=%22healthCategory+EQ+%27Certificate+Management%27%22'
You should see a response like the below:
HTTP/1.1 200 OK
Date: Fri, 01 Feb 2019 13:32:46 GMT
Server: Apache
Content-Type: application/json;charset=utf-8
cache-control: no-cache
Transfer-Encoding: chunked

{
  "type": "AlertResourceCollectionV3",
  "uri": "/rest/alerts?start=0&count=25&sort=created:descending&filter=\"healthCategory EQ 'Certificate Management'\"",
  "category": "alerts",
  "eTag": null,
  "created": "2019-02-01T13:26:38.299Z",
  "modified": "2019-02-01T13:26:38.299Z",
  "start": 0,
  "count": 1,
  "total": 1,
  "prevPageUri": null,
  "nextPageUri": null,
  "members": [
    {
      "type": "AlertResourceV3",
      "uri": "/rest/alerts/1460",
      "category": "alerts",
      "eTag": "2019-02-01T07:25:04.795Z",
      "created": "2019-02-01T07:25:04.795Z",
      "modified": "2019-02-01T07:25:04.795Z",
      "associatedEventUris": [
        "/rest/events/26419"
      ],
      "resourceID": null,
      "assignedToUser": null,
      "activityUri": null,
      "changeLog": [],
      "clearedByUser": null,
      "clearedTime": null,
      "correctiveAction": "Refer to the appliance specific documentation for required actions.",
      "description": "The root CA certificate with alias name: VeriSign Class 3 Public Primary Certification Authority - G5 is signed with signature algorithm: SHA1WITHRSA, is not compliant for FIPS mode",
      "alertTypeID": "Alerts.CertificateStatus.NonCompliant",
      "urgency": "Immediate",
      "healthCategory": "Certificate Management",
      "lifeCycle": false,
      "associatedResource": {
        "resourceName": "Security",
        "resourceUri": "/rest/certificates/ca/VeriSign Class 3 Public Primary Certification Authority - G5",
        "resourceCategory": "appliance",
        "associationType": "HAS_A"
      },
      "severity": "Critical",
      "alertState": "Locked",
      "physicalResourceType": "appliance",
      "resourceUri": "/rest/certificates/ca/VeriSign Class 3 Public Primary Certification Authority - G5",
      "serviceEventSource": false,
      "serviceEventDetails": null,
      "parentAlert": null,
      "childAlerts": []
    }
  ],
  "alertSeverityCounts": null
}
Regards,
Bhaskar
I am an HPE employee
02-01-2019 06:59 AM
Oh! That worked! Not sure why changing actual quotes to URL encoding works, but it seems to have. I used:
curl --insecure \
  --header "content-type: application/json" \
  --header "accept: application/json" \
  --header "X-API-Version: ${currentVersion}" \
  --request GET "${OneView}/rest/alerts?filter=%22healthCategory+EQ+%27Certificate+Management%27%22" | jq -r '.'
Now, I just have to figure out how to respond to a given alert. I added:
&filter=%22alertState<>%27Cleared%27%22
to the end of the query to not get back the alerts that have already been cleared. I get one that is in a locked state. What does locked mean and how / should I clear it?
Thanks!
Brad
02-01-2019 07:21 PM
Hi @BradV
Locked alerts are usually meant to stay locked until the condition in the appliance that triggered the alert changes.
These are system generated and stay Locked and they auto clear soon after the condition changes.
The Locked alert you are seeing - is that the one about the Verisign CA certificate you saw above when changing the appliance cryptographic mode to FIPS? Let me know.
Regards,
Bhaskar
I am an HPE employee
02-04-2019 02:39 AM
Hi Bhaskar,
Yes. Should I remove the certificate since I won't be using it? The resourceUri reported is: /rest/certificates/ca/VeriSign Class 3 Public Primary Certification Authority - G5. According to the REST API (800 version), DELETE /rest/certificates/ca/{aliasName} and it says GET /rest/certificates/ca should return the aliasName, but all I get is:
{
  "uri": "/rest/certificates/ca/VeriSign Class 3 Public Primary Certification Authority - G5",
  "category": "appliance",
  "eTag": "2019-02-04T10:24:33.544Z",
  "modified": "2019-02-04T10:24:33.544Z",
  "type": "CertificateAuthorityInfo",
  "certificateDetails": "null",
  "certRevocationConfInfo": "null",
  "subjectName": "CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\\, Inc.,C=US",
  "certStatus": "GOOD",
  "certType": "CUSTOM ROOT",
  "expiryDate": "2036-07-16T23:59:59.00Z",
  "created": "2019-02-04T10:24:33.544Z"
},
How is one supposed to find the aliasName?
Regards,
Brad
02-04-2019 10:57 AM
You can safely remove the following four certificates if you are not using them elsewhere. These were required for Remote Support until late November but the new certificates use DigiCert root and intermediate certs instead of Verisign and Symantec.
- VeriSign Class 3 Public Primary Certification Authority - G5
- VeriSign Universal Root Certification Authority
- Symantec Class 3 Secure Server CA - G4
- Symantec Class 3 Secure Server SHA256 SSL CA
- Log into the OneView UI
- Click on OneView -> Settings
- Scroll under Security and click the link to manage certificates
- Delete the following certificates
  - VeriSign Class 3 Public Primary Certification Authority - G5
  - VeriSign Universal Root Certification Authority
  - Symantec Class 3 Secure Server CA - G4
  - Symantec Class 3 Secure Server SHA256 SSL CA
- Wait for the delete to complete
- Close
07-30-2019 04:27 AM
Sorry, forgot about this. Just went in and checked. I can view the certificates, but can't find any way to delete via the gui. I am going to attempt to delete via the REST API.
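Added example (not written by any poster in this thread, and not HPE code): a POSIX shell helper that percent-encodes the filter expressions from the 02-01-2019 posts and the CA alias from the 02-04-2019 post, so each URL reaches curl as one intact argument. The host name is a constructed placeholder, and taking the aliasName from the tail of the alert's resourceUri is an assumption based on the single alert shown above; the thread does not confirm that the appliance accepts the encoded alias on DELETE.

```sh
#!/bin/sh
# Added example; host name and variable names are constructed placeholders.
# Why the unquoted URLs earlier in the thread lost their query: a bare '&'
# ends the command and backgrounds it, so curl received the URL only up to
# the first '&'; the shell also strips unescaped double quotes around a filter.

# Percent-encode everything except RFC 3986 unreserved characters (ASCII input).
urlencode() {
  s=$1; out=
  while [ -n "$s" ]; do
    rest=${s#?}            # string without its first character
    c=${s%"$rest"}         # the first character
    case $c in
      [A-Za-z0-9._~-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
    s=$rest
  done
  printf '%s' "$out"
}

# Wrap a filter expression in double quotes and encode it for a query string,
# writing spaces as '+' like the request that worked in the thread.
encode_filter() { urlencode "\"$1\"" | sed 's/%20/+/g'; }

# Build GET /rest/alerts with one filter= parameter per expression.
alerts_url() {
  base=$1; shift; q=
  for f in "$@"; do
    q="$q${q:+&}filter=$(encode_filter "$f")"
  done
  printf '%s/rest/alerts?%s' "$base" "$q"
}

# Assumption: the aliasName is the text after /rest/certificates/ca/ in the
# alert's resourceUri. In a path segment a space must be %20, not '+'.
ca_cert_url() {
  alias_name=${2##*/rest/certificates/ca/}
  printf '%s/rest/certificates/ca/%s' "$1" "$(urlencode "$alias_name")"
}

ONEVIEW="https://oneview.example.test"   # constructed placeholder
RESOURCE_URI="/rest/certificates/ca/VeriSign Class 3 Public Primary Certification Authority - G5"
# Print the URLs only; pass them to curl inside double quotes.
echo "GET    $(alerts_url "$ONEVIEW" "healthCategory EQ 'Certificate Management'" "alertState<>'Cleared'")"
echo "DELETE $(ca_cert_url "$ONEVIEW" "$RESOURCE_URI")"
```

The first printed URL carries the same encoded healthCategory filter as the request that worked on 02-01-2019, with the alertState filter encoded the same way.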