HPE OneView
Tinux
Advisor

OneView as Intermediate CA for iLOs

Can OneView function as an intermediate CA for iLOs?

A bit like vCenter does for its managed ESXi hosts.

If not, how do people bulk-replace iLO certificates with self-signed ones?

regards,
Martijn

DanCernese
HPE Pro

Re: OneView as Intermediate CA for iLOs

HPE OneView does not provide this feature but product management is investigating the topic and would always like to hear customer requirements around the certificate type/length/security/etc. required.



I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
BradV
Esteemed Contributor

Re: OneView as Intermediate CA for iLOs

You can use the OneView REST API to get an authentication ID for the iLO, then use the iLO Redfish API to generate a CSR.  Submit that to your certificate signer.  Then upload the signed certificate.  You can wrap that in a for loop and iterate over a group of servers.

Tinux
Advisor

Re: OneView as Intermediate CA for iLOs

Hi Brad,

I was already looking into that, but it is hard to find proper scripts which actually work.
I'm not a REST API or scripting guru, so this is not a day's work for me.

I also noticed an Automatic Certificate Enrollment feature in iLO 5; however, this requires Microsoft's NDES to be deployed.
It only eases a little of the manual labor, because it only automates the part of going through the CA server with the CSR and importing the signed certificate.

Will come back here if I have a working solution (could take a while ...)

Regards,
Martijn

BradV
Esteemed Contributor

Re: OneView as Intermediate CA for iLOs

I had been researching it and this works (Note: I work from a Linux system):

# Assumes you have already logged in to OneView and set ${OneView} (appliance URL),
# ${sessionID} (the login session token sent in the "auth" header) and
# ${currentVersion} (the X-API-Version to send); this snippet does not create the session.
# --insecure turns off TLS verification for both OneView and the iLO. The iLO's factory
# self-signed certificate will not validate until it has been replaced, but for the OneView
# appliance you should use --cacert <your CA bundle> instead of --insecure.

# Get a CSR from an iLO interface
SERVER=<server name>
# URL-encode the OneView filter "'serverName' = '<server name>'" (Python 3)
ACTV=$(python3 -c "import urllib.parse, sys; print(urllib.parse.quote(sys.argv[1]))" "\"'serverName' = '${SERVER}'\"")
# Look up the server-hardware UUID (assumes serverName is unique in OneView)
UUID=$(curl --silent --insecure --header "X-API-Version: ${currentVersion}" --header "auth: ${sessionID}" --request GET ${OneView}/rest/server-hardware?filter=${ACTV} | jq -r '.members[] | .uuid')
# remoteConsoleUrl has the form hplocons://addr=<iLO>&sessionkey=<token>; turn it into an https URL plus an iLO X-Auth-Token
read iLOSSO iLOAuth <<< $(curl --silent --insecure --header "X-API-Version: ${currentVersion}" --header "auth: ${sessionID}" --request GET ${OneView}/rest/server-hardware/${UUID}/remoteConsoleUrl | \
   jq -r '.remoteConsoleUrl' | sed -e 's|hplocons|https|' -e 's|addr=||' -e 's|^\(.*\)&sessionkey=\(.*\)$|\1 \2|')
# CSR request body: every field value must be a quoted JSON string, and jq -c will fail loudly on a typo
DATA=$(echo '{"City":"my-city","CommonName":"'${SERVER}'","Country":"MC","OrgName":"MyOrg","OrgUnit":"orglist","State":"LH","IncludeIP":true}' | jq -c '.')
curl --silent --insecure --header "X-Auth-Token: ${iLOAuth}" --header "Content-Type: application/json" \
   --data "${DATA}" --request POST ${iLOSSO}/redfish/v1/Managers/1/SecurityService/HttpsCert/Actions/HpeHttpsCert.GenerateCSR | jq -r '.'
# Key generation takes a moment; if CertificateSigningRequest comes back empty, repeat this GET
CSR=$(curl --silent --insecure --header "X-Auth-Token: ${iLOAuth}" --request GET ${iLOSSO}/redfish/v1/Managers/1/SecurityService/HttpsCert | jq -r '.CertificateSigningRequest')
echo "${SERVER}, ${CSR}"

Upload the CSR to your signing authority.  When signed, proceed:

# Upload a signed server certificate to the iLO interface
SERVER=<server name>
ACTV=$(python3 -c "import urllib.parse, sys; print(urllib.parse.quote(sys.argv[1]))" "\"'serverName' = '${SERVER}'\"")
UUID=$(curl --silent --insecure --header "X-API-Version: ${currentVersion}" --header "auth: ${sessionID}" --request GET ${OneView}/rest/server-hardware?filter=${ACTV} | jq -r '.members[] | .uuid')
read iLOSSO iLOAuth <<< $(curl --silent --insecure --header "X-API-Version: ${currentVersion}" --header "auth: ${sessionID}" --request GET ${OneView}/rest/server-hardware/${UUID}/remoteConsoleUrl | \
   jq -r '.remoteConsoleUrl' | sed -e 's|hplocons|https|' -e 's|addr=||' -e 's|^\(.*\)&sessionkey=\(.*\)$|\1 \2|')
# Paste the signed PEM certificate between the single quotes; sed -z turns its newlines into \n so it fits in a JSON string
CRT=$(echo '' | sed -z 's|\n|\\n|g')
DATA=$(echo '{"Certificate": "'${CRT}'"}' | jq -c '.')
curl --silent --insecure --header "X-Auth-Token: ${iLOAuth}" --header "Content-Type: application/json" \
   --data "${DATA}" --request POST ${iLOSSO}/redfish/v1/Managers/1/SecurityService/HttpsCert/Actions/HpeHttpsCert.ImportCertificate | jq -r '.'


See if that helps any?
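The same two-phase procedure (OneView lookup, iLO SSO token from remoteConsoleUrl, Redfish GenerateCSR, then ImportCertificate) as a bulk script, added here as an example for this edit; it is not Brad's code, not an HPE tool, and not a sample from the original thread. Every request body is built with json.dumps so the hand-written JSON quoting that trips up shell one-liners cannot occur, and the OneView side verifies TLS against a CA bundle while the iLO side may run unverified only on the first pass, while the iLOs still carry their factory self-signed certificate. Assumptions: the remoteConsoleUrl layout `hplocons://addr=<host>&sessionkey=<key>` is inferred from the sed expression in the bash post above; the ONEVIEW URL, API_VERSION, CA bundle path and subject fields are placeholders; the Redfish paths and body field names are the ones used in that post.

```python
"""Bulk iLO HTTPS certificate replacement driven from OneView (added example).

Phase 1: request_csr() for every server and save the CSRs for your CA.
Phase 2: import_signed() with the CA-signed PEM for every server.
"""
import json
import re
import ssl
import sys
import time
import urllib.parse
import urllib.request

ONEVIEW = "https://oneview.example.com"   # placeholder appliance URL
API_VERSION = "800"                       # placeholder X-API-Version value
HTTPS_CERT = "/redfish/v1/Managers/1/SecurityService/HttpsCert"
GENERATE_CSR = HTTPS_CERT + "/Actions/HpeHttpsCert.GenerateCSR"
IMPORT_CERT = HTTPS_CERT + "/Actions/HpeHttpsCert.ImportCertificate"
# Layout assumed from the sed in the bash post: hplocons://addr=<host>&sessionkey=<key>
_SSO_RE = re.compile(r"^hplocons://addr=(?P<host>[^&]+)&sessionkey=(?P<key>.+)$")


def server_filter_url(base, server_name):
    """OneView server-hardware query for one serverName, encoded like the python one-liner above."""
    return base + "/rest/server-hardware?filter=" + urllib.parse.quote(f"\"'serverName' = '{server_name}'\"")


def parse_sso(remote_console_url):
    """Split remoteConsoleUrl into (iLO base URL, Redfish X-Auth-Token)."""
    m = _SSO_RE.match(remote_console_url)
    if not m:
        raise ValueError(f"unexpected remoteConsoleUrl: {remote_console_url!r}")
    return "https://" + m.group("host"), m.group("key")


def csr_body(server_name, org, org_unit, city, state, country):
    """GenerateCSR body; CommonName is the server name, IncludeIP puts the iLO IP in the request."""
    return json.dumps({"City": city, "CommonName": server_name, "Country": country,
                       "OrgName": org, "OrgUnit": org_unit, "State": state, "IncludeIP": True})


def import_body(pem_text):
    """ImportCertificate body; json.dumps escapes the PEM newlines, no sed -z needed."""
    if "-----BEGIN CERTIFICATE-----" not in pem_text:
        raise ValueError("expected a PEM-encoded certificate")
    return json.dumps({"Certificate": pem_text.strip() + "\n"})


def tls_context(cafile=None):
    """Verify against cafile when given. None disables verification (what curl --insecure does):
    acceptable only for iLOs that still have their factory self-signed cert, never for OneView."""
    if cafile:
        return ssl.create_default_context(cafile=cafile)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def _json_call(url, headers, ctx, method="GET", body=None):
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def ilo_session(session_id, server_name, ov_ctx):
    """OneView lookup -> (iLO URL, token) for one server; refuses ambiguous serverName matches."""
    hdr = {"X-API-Version": API_VERSION, "auth": session_id}
    members = _json_call(server_filter_url(ONEVIEW, server_name), hdr, ov_ctx)["members"]
    if len(members) != 1:
        raise LookupError(f"{server_name}: {len(members)} matches in OneView")
    sso = _json_call(f"{ONEVIEW}/rest/server-hardware/{members[0]['uuid']}/remoteConsoleUrl", hdr, ov_ctx)
    return parse_sso(sso["remoteConsoleUrl"])


def request_csr(ilo, token, server_name, subject, ilo_ctx, wait=300):
    """Trigger GenerateCSR, then poll HttpsCert until the CSR is present (key generation takes time)."""
    hdr = {"X-Auth-Token": token, "Content-Type": "application/json"}
    _json_call(ilo + GENERATE_CSR, hdr, ilo_ctx, "POST", csr_body(server_name, **subject).encode())
    deadline = time.time() + wait
    while time.time() < deadline:
        csr = _json_call(ilo + HTTPS_CERT, hdr, ilo_ctx).get("CertificateSigningRequest")
        if csr and "BEGIN CERTIFICATE REQUEST" in csr:
            return csr
        time.sleep(10)
    raise TimeoutError(f"{server_name}: CSR not ready after {wait}s")


def import_signed(ilo, token, pem_text, ilo_ctx):
    """Upload the CA-signed certificate for the key the iLO generated in request_csr()."""
    hdr = {"X-Auth-Token": token, "Content-Type": "application/json"}
    return _json_call(ilo + IMPORT_CERT, hdr, ilo_ctx, "POST", import_body(pem_text).encode())


if __name__ == "__main__":
    # usage: script.py csr|import <oneview sessionID> server1 server2 ...
    phase, session_id, servers = sys.argv[1], sys.argv[2], sys.argv[3:]
    ov_ctx = tls_context("/etc/ssl/certs/ca-bundle.crt")      # placeholder CA bundle path
    ilo_ctx = tls_context(None if phase == "csr" else "/etc/ssl/certs/ca-bundle.crt")
    subject = dict(org="MyOrg", org_unit="orglist", city="my-city", state="LH", country="MC")
    for name in servers:
        ilo, token = ilo_session(session_id, name, ov_ctx)
        if phase == "csr":
            open(f"{name}.csr", "w").write(request_csr(ilo, token, name, subject, ilo_ctx))
        else:
            import_signed(ilo, token, open(f"{name}.crt").read(), ilo_ctx)
        print(name, "done")
```

Run the `csr` phase once, hand the `<server>.csr` files to your CA, drop the signed `<server>.crt` files beside the script and run the `import` phase; by then the import phase can verify the iLO certificates properly, so it uses the CA bundle for both sides.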

Tinux
Advisor

Re: OneView as Intermediate CA for iLOs

Hi Brad,

Thanks for the setup in Python.
I generally work from Windows hosts because that's what I have to work with, but I do love Linux.

I did find a piece of PowerShell scripting on the web, but it was also riddled with typos, so I spent half a day troubleshooting, which got me at least to a point where I can make a connection to an iLO.
I am not a daily user of either PS or Python, but I try to do my best in understanding pieces of it.
By combining scripts from the web (and I noticed some interesting pieces in your script) I will surely get somewhere.

I will post my working version of a PS script in this thread once it's finished.

Thanks !
Martijn

BradV
Esteemed Contributor

Re: OneView as Intermediate CA for iLOs

FYI, not Python scripts, but bash.

I do have one line of python in there, but that is only because someone else that knows python well helped me with it.  (apparently the forum will not let me put in a smiley face?)

You can always install the Windows Subsystem for Linux on your Windows server and run it from there?

I do see a bash to PowerShell converter on GitHub.  You might give that a try, or some other bash to PowerShell converter?  I did run a test on one of our iLOs with those scripts and was able to get a signed certificate uploaded to the iLO interface.  So, I know they work.