HPE OneView

Re: OneView REST API retrieve certificate alerts

BhaskarV
Trusted Contributor


Hi @Brad 

You need to log in with a user that has Infrastructure Administrator privileges in order to be able to see the "x" delete option.
Do check if the user you are logging in as has the privilege.
Sure, you can use DELETE /rest/certificates/ca/ API and get the certificate deleted.

Let me know if you are running into issues.

Regards,
Bhaskar


I am an HPE employee


BradV
Esteemed Contributor


Hi Bhaskar,

I was logged in as the local administrator.  I just never had an option to delete.  So, attempting to pull out information on a given certificate, then delete.

I would request that HPE add some more filter options to GET /rest/certificates/ca.  Apparently now the only filter that works is "filter=certType:INTERNAL."  I tried changing INTERNAL to: STANDARD_ROOT, CUSTOM_ROOT, INTERMEDIATE, or LEAF_CERT and they all failed.  It would be nice to be able to filter on all variations of certType.  It would also be helpful to be able to filter on certStatus, expiryDate, and/or subjectName.  certStatus filtering would help find just the certificates with a problem.  expiryDate will help find certificates that have expired or are about to.  subjectName would help identify what servers are still using an HPE self-generated certificate, especially if one desires to get signed certificates for all interfaces.

Another improvement to the documentation would be related to DELETE /rest/certificates/ca/{aliasName}.  There is no example or description on what the aliasName is?  When one does a GET /rest/certificates/ca, none of the properties is labeled "alias" anything.  Is the aliasName possibly what is at the end of the uri element?  For example, "VeriSign Class 3 Public Primary Certification Authority - G5?"  Well, I tried:

ALIASNAME="VeriSign Class 3 Public Primary Certification Authority - G5"
curl --insecure \
     --header "X-API-Version: ${currentVersion}" \
     --header "auth: ${sessionID}" \
     --request DELETE ${OneView}/rest/certificates/ca/"${ALIASNAME}" | jq -r '.'

After a bit, got back "parse error: Invalid numeric literal at line 1, column 10."  So, that does not seem to be correct.

Another enhancement request is about the gui.  When in the manage certificates sub-window and after selecting some filter condition and hit the Update button, there is no way to change the filter condition and hit update again.  One has to close out the window and then go back in.

Any ideas on what the aliasName should actually be?

BhaskarV
Trusted Contributor


Hi @BradV 

Appears you are running into multiple problems.

1. What browser are you using? Google Chrome? (What version)? Or Mozilla Firefox? Or Internet Explorer?
Can you try using one of the other browsers from the above to see if the "x" mark appears against the CA certificates that you want to delete.
Given that you are logged in as "local administrator", you should have the "Infrastructure Administrator" privilege required to view and delete CA certificates. Seems to me your browser is probably causing a problem. Asking about this as later on in your post you also mention not being able to filter and use the "Update" button properly.

2. What is the alias?
It is a user supplied input that you may have provided at the time of adding a certificate.
It is an optional user input. 
If the user never supplied an alias input, the common name from the Subject field of the certificate CN=xxxx is used as the default alias name.
In the case of the pre-bundled 6 CA certificates, we do auto populate the alias names with the common name CN=xxxx field from these CA certificates.

When you click on any of the CA certificates in the Manage Certificates UI what you see in the title fields in the popup are the "alias". In the case of "VeriSign Class 3 Public Primary Certification Authority - G5", the alias name is "VeriSign Class 3 Public Primary Certification Authority - G5" as you have rightly used.

It is just that "curl" is sensitive to spaces. Needs you to explicitly convert spaces to the URL Encoding for spaces which is %20.

So in the below

curl --insecure \
     --header "X-API-Version: ${currentVersion}" \
     --header "auth: ${sessionID}" \
     --request DELETE ${OneView}/rest/certificates/ca/"${ALIASNAME}" | jq -r '.'

you will need to use something like the below. 
Note the %20 wherever there were spaces before.

curl --insecure \
--header "X-API-Version: ${currentVersion}" \
--header "auth: ${sessionID}" \
--request DELETE ${OneView}/rest/certificates/ca/VeriSign%20Class%203%20Public%20Primary%20Certification%20Authority%20-%20G5 | jq -r '.'

Instead of a "DELETE" you can try a "GET" first.

3. You can use the drop down on "State" to view the certificates that are "Expired".
Sure, have passed on your inputs to our product team on the filtering and documentation improvements.
Thank you for sharing these.

Regards,
Bhaskar

I am an HPE employee


BradV
Esteemed Contributor


Hi Bhaskar,

Using firefox 45.9.0.  Don't see a version of chrome available from any of our repositories.  I'll have to check.

I was able to delete the certificate through the rest API.  I did: 

ALIASNAME="VeriSign%20Class%203%20Public%20Primary%20Certification%20Authority%20-%20G5"
# Retrieve and look at current state:
curl --insecure \
 --header "X-API-Version: ${currentVersion}" \
 --header "auth: ${sessionID}" \
 --request GET ${OneView}/rest/certificates/ca/"${ALIASNAME}" | jq -r '.'
# Delete the certificate:
TASKURI=$(curl --insecure \
 --header "X-API-Version: ${currentVersion}" \
 --header "auth: ${sessionID}" \
 --request DELETE ${OneView}/rest/certificates/ca/"${ALIASNAME}" | jq -r '.uri')
# Check the status of the task:
curl --insecure \
 --header "X-API-Version: ${currentVersion}" \
 --header "auth: ${sessionID}" \
 --request GET ${OneView}${TASKURI} | jq -r '.'

 

BhaskarV
Trusted Contributor


Thanks @BradV,

Let me know if you have had a chance to locate and check using Google Chrome.

Alternatively, can you upgrade Firefox to a more recent revision and check. 
Our laptops are currently at version 68 of Firefox (and that keeps updating automatically periodically in the background).
If you can either upgrade Firefox or try from a newer Firefox on a different machine, that would also help.

Let me know how that goes.

Regards,
Bhaskar


I am an HPE employee


BradV
Esteemed Contributor
Solution


Hi Bhaskar,

I work from a virtual linux system that another group maintains.  I had not realized a lot of the applications are nfs mounted to /usr/local/bin and not installed to the virtual system.  That is why firefox was so old.  I installed firefox on the virtual host and am now up to 60.8.0esr.  I have already deleted the critical certificate through the REST API.  So, all of the remaining certificates are in a good status.  I think I was looking for a "Delete" button when I clicked on the certificate for a detailed view.  I think what you meant by "Delete" is the "x" at the right of the list of certificates?  If so, maybe add a column header saying "Delete" or something like that?  I did notice with this version of firefox that after I use the filter and hit update, I can modify the filter and hit update again.  So, that seems to be a function of the different firefox versions.

 

I am able to retrieve the certificate alerts through the rest api with: 

CERTALERTS=$(curl --insecure \
              --header "X-API-Version: ${currentVersion}" \
              --header "auth: ${sessionID}" \
              --request GET "${OneView}/rest/alerts?filter=%22healthCategory+EQ+%27Certificate+Management%27%22&filter=%22alertState<>%27Cleared%27%22")

The steps to delete are above in a previous post.

Thanks!
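
Added example (not part of any post above and not HPE's code): a POSIX shell helper that percent-encodes a CA alias for /rest/certificates/ca/{aliasName} and the filter strings for GET /rest/alerts, so neither has to be encoded by hand. The function names and the alias `Test CA/2?x` are constructed for illustration; the helper assumes ASCII input and that the appliance decodes `%20` the same way as the `+` used in the thread.

```shell
#!/bin/sh
# Added example: build OneView REST URIs from readable values.

# Percent-encode every character outside the RFC 3986 "unreserved" set.
# Runs in a subshell so its variables do not leak. ASCII input assumed.
urlencode() (
    LC_ALL=C
    s=$1 out=
    while [ -n "$s" ]; do
        rest=${s#?}          # everything after the first character
        c=${s%"$rest"}       # the first character itself
        case $c in
            [A-Za-z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
        s=$rest
    done
    printf '%s' "$out"
)

# URI of one CA certificate. Encoding the alias keeps it a single path
# segment even if it contains spaces, "/" or "?".
ca_cert_uri() {
    printf '/rest/certificates/ca/%s' "$(urlencode "$1")"
}

# The alerts query from the thread, built from its readable filter strings.
cert_alerts_uri() {
    printf '/rest/alerts?filter=%s&filter=%s' \
        "$(urlencode "\"healthCategory EQ 'Certificate Management'\"")" \
        "$(urlencode "\"alertState<>'Cleared'\"")"
}

# Usage with the thread's variables (not run here). Quoting the URL stops
# the shell from splitting it; --cacert with the appliance's CA file lets
# curl verify the server instead of using --insecure.
#   curl --header "X-API-Version: ${currentVersion}" \
#        --header "auth: ${sessionID}" \
#        --request GET "${OneView}$(ca_cert_uri "$ALIASNAME")"

# Demo: the alias from the thread and a constructed alias with "/" and "?".
ca_cert_uri "VeriSign Class 3 Public Primary Certification Authority - G5"; echo
ca_cert_uri "Test CA/2?x"; echo
cert_alerts_uri; echo
```
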