OneView REST API retrieve certificate alerts

 
BradV
Trusted Contributor

OneView REST API retrieve certificate alerts

In the GUI, I see an alert for a root CA certificate that is invalid with FIPS mode (firmware 4.10.01-0348545).  I'm trying to figure out how to use the REST API to first see this alert, then respond to it.  I tried retrieving a list of all alerts with:

 

ALERTS=$(curl --insecure \
--header "content-type: application/json" \
--header "accept: application/json" \
--header "X-API-Version: ${currentVersion}" \
--header "auth: ${sessionID}" \
--request GET ${OneView}/rest/alerts?start=0&count=-1)

but I don't see the certificate alert in the response.  Is access to the certificate alert available through the rest api?

 

Thanks!

15 REPLIES
BhaskarV
HPE Pro

Re: OneView REST API retrieve certificate alerts

Hi @BradV

Yes it is available in the GET /rest/alerts API response.
I seem to get this specific alert you are referring to (about one of the Verisign CA certificates not being FIPS compliant) in the response on my test  appliance.
You have seen it in the UI so it is there in the alerts table in the database.
Will find out if there is a known issue with the "latest" alerts not being available when you query the REST API and come back.
Possibly query for the specific alert id and see instead of a GET all.

Regards,
Bhaskar
I am an HPE employee


BhaskarV
HPE Pro

Re: OneView REST API retrieve certificate alerts

Hi  @BradV

Most likely the alerts DB and index DB are out of synch on your appliance.
Can you open a support case on this to get that fixed?

Regards,
Bhaskar


BradV
Trusted Contributor

Re: OneView REST API retrieve certificate alerts

Hi Bhaskar,

I do have a ticket opened for OneView, I'll raise that question.  I did attempt to just retrieve that specific alert with: 

--request GET ${OneView}/rest/alerts?start=1&count=3&filter="healthCategory EQ 'Certificate Management'"

, but that didn't get it.  From looking at the REST API vs 800 documentation, 'Certificate Management' does not appear to be a valid health category.

BhaskarV
HPE Pro

Re: OneView REST API retrieve certificate alerts

Hi @BradV 

Sorry about the delay.
Have you tried the below?

curl -X GET -H "X-API-Version:800" -H "Content-type:application/json" -H "Auth:<auth_token>" 'https://<appliance>/rest/alerts?filter=%22healthCategory+EQ+%27Certificate+Management%27%22'

You should see a response like the below:

HTTP/1.1 200 OK
Date: Fri, 01 Feb 2019 13:32:46 GMT
Server: Apache
Content-Type: application/json;charset=utf-8
cache-control: no-cache
Transfer-Encoding: chunked

{
"type": "AlertResourceCollectionV3",
"uri": "/rest/alerts?start=0&count=25&sort=created:descending&filter=\"healthCategory EQ 'Certificate Management'\"",
"category": "alerts",
"eTag": null,
"created": "2019-02-01T13:26:38.299Z",
"modified": "2019-02-01T13:26:38.299Z",
"start": 0,
"count": 1,
"total": 1,
"prevPageUri": null,
"nextPageUri": null,
"members": [
{
"type": "AlertResourceV3",
"uri": "/rest/alerts/1460",
"category": "alerts",
"eTag": "2019-02-01T07:25:04.795Z",
"created": "2019-02-01T07:25:04.795Z",
"modified": "2019-02-01T07:25:04.795Z",
"associatedEventUris": [
"/rest/events/26419"
],
"resourceID": null,
"assignedToUser": null,
"activityUri": null,
"changeLog": [],
"clearedByUser": null,
"clearedTime": null,
"correctiveAction": "Refer to the appliance specific documentation for required actions.",
"description": "The root CA certificate with alias name: VeriSign Class 3 Public Primary Certification Authority - G5 is signed with signature algorithm: SHA1WITHRSA, is not compliant for FIPS mode",
"alertTypeID": "Alerts.CertificateStatus.NonCompliant",
"urgency": "Immediate",
"healthCategory": "Certificate Management",
"lifeCycle": false,
"associatedResource": {
"resourceName": "Security",
"resourceUri": "/rest/certificates/ca/VeriSign Class 3 Public Primary Certification Authority - G5",
"resourceCategory": "appliance",
"associationType": "HAS_A"
},
"severity": "Critical",
"alertState": "Locked",
"physicalResourceType": "appliance",
"resourceUri": "/rest/certificates/ca/VeriSign Class 3 Public Primary Certification Authority - G5",
"serviceEventSource": false,
"serviceEventDetails": null,
"parentAlert": null,
"childAlerts": []
}
],
"alertSeverityCounts": null
}

Regards,
Bhaskar


BradV
Trusted Contributor

Re: OneView REST API retrieve certificate alerts

Oh!  That worked!  Not sure why changing actual quotes to URL encoding works, but it seems to have.  I used: 

curl --insecure \
   --header "content-type: application/json" \
   --header "accept: application/json" \
   --header "X-API-Version: ${currentVersion}" \
   --request GET "${OneView}/rest/alerts?filter=%22healthCategory+EQ+%27Certificate+Management%27%22" | jq -r '.'

Now, I just have to figure out how to respond to a given alert.  I added: 

&filter=%22alertState<>%27Cleared%27%22

to the end of the query to not get back the alerts that have already been cleared.  I get one that is in a locked state.  What does locked mean and how / should I clear it?

 

Thanks!

 

Brad

BhaskarV
HPE Pro

Re: OneView REST API retrieve certificate alerts

Hi @BradV 

Locked alerts are usually meant to stay locked until the condition in the appliance that triggered the alert changes.
These are system generated and stay Locked and they auto clear soon after the condition changes.
The Locked alert you are seeing - is that the one about the Verisign CA certificate you saw above when changing the appliance cryptographic mode to FIPS? Let me know.

Regards,
Bhaskar


BradV
Trusted Contributor

Re: OneView REST API retrieve certificate alerts

Hi Bhaskar,

Yes.  Should I remove the certificate since I won't be using it?  The resourceUri reported is: /rest/certificates/ca/VeriSign Class 3 Public Primary Certification Authority - G5.  According to the REST API (800 version), DELETE /rest/certificates/ca/{aliasName} and it says GET /rest/certificates/ca should return the aliasName, but all I get is: 

{
  "uri": "/rest/certificates/ca/VeriSign Class 3 Public Primary Certification Authority - G5",
  "category": "appliance",
  "eTag": "2019-02-04T10:24:33.544Z",
  "modified": "2019-02-04T10:24:33.544Z",
  "type": "CertificateAuthorityInfo",
  "certificateDetails": "null",
  "certRevocationConfInfo": "null",
  "subjectName": "CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\\, Inc.,C=US",
  "certStatus": "GOOD",
  "certType": "CUSTOM ROOT",
  "expiryDate": "2036-07-16T23:59:59.00Z",
  "created": "2019-02-04T10:24:33.544Z"
},

How is one supposed to find the aliasName?

 

Regards,

Brad

JTodd1
Frequent Advisor

Re: OneView REST API retrieve certificate alerts

You can safely remove the following four certificates if you are not using them elsewhere. These were required for Remote Support until late November but the new certificates use DigiCert root and intermediate certs instead of Verisign and Symantec.

  • VeriSign Class 3 Public Primary Certification Authority - G5
  • VeriSign Universal Root Certification Authority
  • Symantec Class 3 Secure Server CA - G4
  • Symantec Class 3 Secure Server SHA256 SSL CA

 

  1. Log into the OneView UI
  2. Click on OneView -> Settings
  3. Scroll under Security and click the link to manage certificates
  4. Delete the following certificates
     • VeriSign Class 3 Public Primary Certification Authority - G5
     • VeriSign Universal Root Certification Authority
     • Symantec Class 3 Secure Server CA - G4
     • Symantec Class 3 Secure Server SHA256 SSL CA
  5. Wait for the delete to complete
  6. Close
I am an HPE employee
BradV
Trusted Contributor

Re: OneView REST API retrieve certificate alerts

Sorry, forgot about this.  Just went in and checked.  I can view the certificates, but can't find any way to delete via the gui.  I am going to attempt to delete via the REST API.

BhaskarV
HPE Pro

Re: OneView REST API retrieve certificate alerts

Hi @Brad 

You need to login with a user that has Infrastructure Administrator privileges in order to be able to see the "x" delete option.
Do check if the user you are logging in as has the privilege.
Sure, you can use DELETE /rest/certificates/ca/ API and get the certificate deleted.

Let me know if you are running into issues.

Regards,
Bhaskar


BradV
Trusted Contributor

Re: OneView REST API retrieve certificate alerts

Hi Bhaskar,

I was logged in as the local administrator.  I just never had an option to delete.  So, attempting to pull out information on a given certificate, then delete.  I would request that HPE add some more filter options to GET /rest/certificates/ca.  Apparently now the only filter that works is "filter=certType:INTERNAL."  I tried changing INTERNAL to: STANDARD_ROOT, CUSTOM_ROOT, INTERMEDIATE, or LEAF_CERT and they all failed.  It would be nice to be able to filter on all variations of certType.  It would also be helpful to be able to filter on certStatus, expiryDate, and/or subjectName.  certStatus filtering would help find just the certificates with a problem.  expiryDate will help find certificates that have expired or are about to.  subjectName would help identify what servers are still using an HPE self-generated certificate, especially if one desires to get signed certificates for all interfaces.  Another improvement to the documentation would be related to DELETE /rest/certificates/ca/{aliasName}.  There is no example or description on what the aliasName is?  When one does a GET /rest/certificates/ca, none of the properties is labeled "alias" anything.  Is the aliasName possibly what is at the end of the uri element?  For example, "VeriSign Class 3 Public Primary Certification Authority - G5?"  Well, I tried: 

ALIASNAME="VeriSign Class 3 Public Primary Certification Authority - G5"
curl --insecure \
     --header "X-API-Version: ${currentVersion}" \
     --header "auth: ${sessionID}" \
     --request DELETE ${OneView}/rest/certificates/ca/"${ALIASNAME}" | jq -r '.'

 After a bit, got back "parse error: Invalid numeric literal at line 1, column 10."  So, that does not seem to be correct.  

Another enhancement request is about the gui.  When in the manage certificates sub-window and after selecting some filter condition and hit the Update button, there is no way to change the filter condition and hit update again.  One has to close out the window and then go back in.

Any ideas on what the aliasName should actually be?

BhaskarV
HPE Pro

Re: OneView REST API retrieve certificate alerts

Hi @BradV 

Appears you are running into multiple problems.

1. What browser are you using? Google Chrome? (What version)? Or Mozilla Firefox? Or Internet Explorer?
Can you try using one of the other browsers from the above to see if the "x" mark appears against the CA certificates that you want to delete.
Given that you are logged in as "local administrator", you should have the "Infrastructure Administrator" privilege required to view and delete CA certificates. Seems to me your browser is probably causing a problem. Asking about this as later on in your post you also mention not being able to filter and use the "Update" button properly.

2. What is the alias?
It is a user supplied input that you may have provided at the time of adding a certificate.
It is an optional user input. 
If the user never supplied an alias input, the common name from the Subject field of the certificate CN=xxxx is used as the default alias name.
In the case of the pre-bundled 6 CA certificates, we do auto populate the alias names with the common name CN=xxxx field from these CA certificates.

When you click on any of the CA certificates in the Manage Certificates UI what you see in the title fields in the popup are the "alias". In the case of "VeriSign Class 3 Public Primary Certification Authority - G5", the alias name is "VeriSign Class 3 Public Primary Certification Authority - G5" as you have rightly used.

It is just that "curl" is sensitive to spaces. Needs you to explicitly convert spaces to the URL Encoding for spaces which is %20.

So in the below

curl --insecure \
     --header "X-API-Version: ${currentVersion}" \
     --header "auth: ${sessionID}" \
     --request DELETE ${OneView}/rest/certificates/ca/"${ALIASNAME}" | jq -r '.'

you will need to use something like the below. 
Note the %20 wherever there were spaces before.

curl --insecure \
--header "X-API-Version: ${currentVersion}" \
--header "auth: ${sessionID}" \
--request DELETE ${OneView}/rest/certificates/ca/VeriSign%20Class%203%20Public%20Primary%20Certification%20Authority%20-%20G5 | jq -r '.'

Instead of a "DELETE" you can try a "GET" first.

3. You can use the drop down on "State" to view the certificates that are "Expired".
Sure, have passed on your inputs to our product team on the filtering and documentation improvements.
Thank you for sharing these.

Regards,
Bhaskar

        

 


BradV
Trusted Contributor

Re: OneView REST API retrieve certificate alerts

Hi Bhaskar,

Using firefox 45.9.0.  Don't see a version of chrome available from any of our repositories.  I'll have to check.

I was able to delete the certificate through the rest API.  I did: 

ALIASNAME="VeriSign%20Class%203%20Public%20Primary%20Certification%20Authority%20-%20G5"
# Retrieve and look at current state:
curl --insecure \
 --header "X-API-Version: ${currentVersion}" \
 --header "auth: ${sessionID}" \
 --request GET ${OneView}/rest/certificates/ca/"${ALIASNAME}" | jq -r '.'
# Delete the certificate:
TASKURI=$(curl --insecure \
 --header "X-API-Version: ${currentVersion}" \
 --header "auth: ${sessionID}" \
 --request DELETE ${OneView}/rest/certificates/ca/"${ALIASNAME}" | jq -r '.uri')
# Check the status of the task:
curl --insecure \
 --header "X-API-Version: ${currentVersion}" \
 --header "auth: ${sessionID}" \
 --request GET ${OneView}${TASKURI} | jq -r '.'

 

BhaskarV
HPE Pro

Re: OneView REST API retrieve certificate alerts

Thanks @BradV,

Let me know if you have had a chance to locate and check using Google Chrome.

Alternatively, can you upgrade Firefox to a more recent revision and check. 
Our laptops are currently at version 68 of Firefox (and that keeps updating automatically periodically in the background).
If you can either upgrade Firefox or try from a newer Firefox on a different machine, that would also help.

Let me know how that goes.

Regards,
Bhaskar


BradV
Trusted Contributor
Solution

Re: OneView REST API retrieve certificate alerts

Hi Bhaskar,

I work from a virtual linux system that another group maintains.  I had not realized a lot of the applications are nfs mounted to /usr/local/bin and not installed to the virtual system.  That is why firefox was so old.  I installed firefox on the virtual host and am now up to 60.8.0esr.  I have already deleted the critical certificate through the REST API.  So, all of the remaining certificates are in a good status.  I think I was looking for a "Delete" button when I clicked on the certificate for a detailed view.  I think what you meant by "Delete" is the "x" at the right of the list of certificates?  If so, maybe add a column header saying "Delete" or something like that?  I did notice with this version of firefox that after I use the filter and hit update, I can modify the filter and hit update again.  So, that seems to be a function of the different firefox versions.

 

I am able to retrieve the certificate alerts through the rest api with: 

CERTALERTS=$(curl --insecure \
              --header "X-API-Version: ${currentVersion}" \
              --header "auth: ${sessionID}" \
              --request GET "${OneView}/rest/alerts?filter=%22healthCategory+EQ+%27Certificate+Management%27%22&filter=%22alertState<>%27Cleared%27%22")

The steps to delete are above in a previous post.

Thanks!
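
Added example, not part of the original thread or of HPE's documentation: the failed requests in this thread trace back to characters that the shell or URL syntax treats specially. An unquoted & ends the command and runs it in the background, so curl never receives the rest of the URL, and spaces or quotes in a filter or alias name must be percent-encoded. The POSIX sh sketch below builds both kinds of URL; CA_BUNDLE and the oneview.example host are assumptions, and --cacert stands in for the thread's --insecure so the session token is only sent to a verified appliance.

```sh
# Added example. OneView-style variables currentVersion and sessionID come
# from the thread; CA_BUNDLE and oneview.example are assumed placeholders.

# Percent-encode every character except RFC 3986 unreserved ones.
urlencode() (
    LC_ALL=C
    s=$1 out=
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}    # first character
        s=${s#?}           # remainder
        case "$c" in
            [A-Za-z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
    done
    printf '%s' "$out"
)

# /rest/alerts URL: each filter is wrapped in double quotes, then encoded.
# Spaces become %20 here; the thread's requests wrote them as "+".
alerts_url() {
    base=$1; shift
    q=
    for f in "$@"; do
        q="${q:+$q&}filter=$(urlencode "\"$f\"")"
    done
    printf '%s/rest/alerts?%s' "$base" "$q"
}

# URL of one CA certificate, addressed by its encoded alias name.
ca_cert_url() {
    printf '%s/rest/certificates/ca/%s' "$1" "$(urlencode "$2")"
}

# GET with the URL quoted, so "&" reaches curl instead of the shell, and
# with the appliance certificate verified against CA_BUNDLE.
ov_get() {
    curl --silent --show-error --fail --cacert "$CA_BUNDLE" \
         --header "X-API-Version: ${currentVersion}" \
         --header "auth: ${sessionID}" \
         --request GET "$1"
}

# Offline demonstration: print the URLs that would be requested.
alerts_url "https://oneview.example" \
    "healthCategory EQ 'Certificate Management'" "alertState<>'Cleared'"; echo
ca_cert_url "https://oneview.example" \
    "VeriSign Class 3 Public Primary Certification Authority - G5"; echo
```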