Redfish: Add certificate service to manage HTTPS certificates

Implements CertificateService schema to list the actions available. Implements CertificateLocations schema to list the certificates present in the system. Implements CertificateCollection schema to upload/list existing HTTPS certificates Implements Certificate schema to view existing HTTPS certificate Cater for reloading the SSL context after a certificate is uploaded. Fix Certificate signature validation failure At present bmcweb uses the certificate from "/home/root/server.pem" the same is modified to "/etc/ssl/certs/https/server.pem" as phosphor-certificate-manager uses the specified path to install/replace certificates. Bmcweb creates a self-signed certificate when certificate is not present. Catered for creating "/etc/ssl/certs/https/" direcotry structure so that self signed certificate is created in the path. Implements ReplaceCertificate action of Certificate Service for replacing existing HTTPS certificates Cleanup of older self-signed certificate at /home/root/server.pem 1. Tested schema with validator and no issues 2. Privilege map for certificate service is not yet pubished 2. GET on /redfish/v1/CertificateService/ "CertificateService": { "@odata.id": "/redfish/v1/CertificateService" }, 3. GET on /redfish/v1/CertificateService/CertificateLocations/ "@odata.context": "/redfish/v1/$metadata#CertificateLocations.CertificateLocations", "@odata.id": "/redfish/v1/CertificateService/CertificateLocations", "@odata.type": "#CertificateLocations.v1_0_0.CertificateLocations", "Description": "Defines a resource that an administrator can use in order to locate all certificates installed on a given service", "Id": "CertificateLocations", "Name": "Certificate Locations" 4.POST on /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates { Returns contents of certificate "@odata.context": "/redfish/v1/$metadata#Certificate.Certificate", "@odata.id": "/redfish/v1/AccountService/LDAP/Certificates/1", "@odata.type": "#Certificate.v1A_0_0.Certificate", "Id": "1", "Issuer": { ... ... } 5.GET on /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/ { "@odata.context": "/redfish/v1/$metadata#CertificateCollection.CertificateCollection", "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates", "@odata.type": "#CertificateCollection.CertificatesCollection", "Description": "A Collection of HTTPS certificate instances", "Members": [ { "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1" } ], "Members@odata.count": 1, "Name": "HTTPS Certificate Collection" } 6.GET on /redfish/v1/CertificateService/CertificateLocations/ { "@odata.context": "/redfish/v1/$metadata#CertificateLocations.CertificateLocations", "@odata.id": "/redfish/v1/CertificateService/CertificateLocations", "@odata.type": "#CertificateLocations.v1_0_0.CertificateLocations", "Description": "Defines a resource that an administrator can use in order to locate all certificates installed on a given service", "Id": "CertificateLocations", "Links": { "Certificates": [ { "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1" } ], "Certificates@odata.count": 1 }, "Name": "Certificate Locations" } 7.GET on /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1 { "@odata.context": "/redfish/v1/$metadata#Certificate.Certificate", "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1", "@odata.type": "#Certificate.v1_0_0.Certificate", "CertificateString": "-----BEGINCERTIFICATE-----\n....\n-----ENDCERTIFICATE-----\n", "CertificateType": "PEM", "Description": "HTTPS Certificate", "Id": "1", "Issuer": { } 8. Verified SSL context is reloaded after a certificate is installed. 9.curl -c cjar -b cjar -k -H "X-Auth-Token: $bmc_token" -X POST https://${bmc}/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate/ -d @data_https.json { "@odata.context": "/redfish/v1/$metadata#Certificate.Certificate", "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1", "@odata.type": "#Certificate.v1_0_0.Certificate", "CertificateString": "-----BEGIN CERTIFICATE----END CERTIFICATE-----\n", "Description": "HTTPS certificate", "Id": "1", "Issuer": { } 4. data_https.json file contents { "CertificateString": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDClW1COSab2O0W\nW0SgTzLxQ1Igl4EpbEmTK8CAQ+wI7loTDZ7sZwYdf6yc9TAs/yNKjlJljgedGszv\nbC7sPNpH4FA63kaM6TbBBKTRshwZ3myXiBOOkOBs6w6V7+c7uEPcMFge6/4W1VXD\nReMi016cnPWZsmQyGzpmPM49YNEDZBfdKZ/pLuCYc9L9t706U7FrUSGfM7swB+mC\n8NH9qMixMuWAV9SBvzUWI6p4OCmN8a/F+4lOdbPMVEUqQ0hCBCjGM4qmiy/5Ng6y\n6rKeJlUdmOSTk8ojrNGcOXKh0nRafNEQFkIuoPHt8k5B/Yw2CX6s2BoGwvF+hS03\n+z3qVSw3AgMBAAECggEBAKpe92kybRGr3/rhMrdCYRJJpZEP1nGUdN89QbGMxxAS\n0h84n9vRYNNXRKWxMNtVEWtoLdDpiNUP8Dv59yO1LFIen2DL2e3rDJv4Gu/YCS7F\nR0NuS+FaDIaRURYLFeV+MzyJv75jVvhbFlqByJxngcGS1KAcSApvOLTnrJSlPpy9\n8ec5gnDhdOUND9PaQt8xCqMs1RPpjqvrgRzMEodZoqT5v+b0K1GmsAdbSHNP2mLM\nrqtpFDefiM1YfsTHUtxQykxG2Ipd2jzJ0a8O0qmVqdXcP9J9aqLcmD/2/r96GEV6\n/5qvIBj3SRFobxCiCwfys2XOXfjz2J+BUZzGoZvKeRECgYEA518hT6mn46LhwrTI\nW+Qpi7iTJgOfeLC+Ng855VHVQFED1P3T2lfyfGDyqKI/wV1DJIJmO8iOXerSPnhi\nb7reQkyHj6ERUtuE+6BQ9oTw2QD3EEvzOK2PEH5UipbhVTDnC3fT62Vz2yb3tR8D\n2h0XVJkj/dng9p1Td5aDGMriRRMCgYEA10vTyYqBPjDIEYw/Sc9aQk2kT6x3hrRQ\ngR4xyuI31RTCRD/KpLh/7z4s11Wkr+F9CyASeLbqu6zymlLOlS5p7IUkJ/x2X027\nJWVY1SR+oF3iF3SHiP4XkOVvWOKwIVUhgTjK1+Di6i3AlwIeAOS7VCCP6W0gbnwJ\nyyAAHZ30NM0CgYAqTur4dj2NEqvVvtkkdIRkWEwQF3mByE//8qjTljM4n5fjysaC\nlrJwrAmzbHfcFAHDG1U2eWYPJnFrmvflFnauCPCBAyL308xtdtNXQNgJ1nNXN4wy\nQQp4KaGr9gseWOLm5fKKiPK2kFmbdSBvMgKiJZ6/PKg2cG5i39L5JaBaoQKBgApw\nqOJ7Du1fHDSNonwHzA6vCSq76Efl8olwV2XJNn/ks87vcPov4DRPxYjjpErLGm8x\nrPOhmxxitJj7Lv1Y9NX9VtWBjpPshwi3M2mSjXllVBNjGTdxat8h4RZkV7omEKvd\nfyicxSQp987a0W2lqdfYhGIDYrE43pi1AoxtHmx5AoGBAJSoRy62oZbW6vjfdkuf\nvVnjNfFZwuiPV/X2NT+BhNPe5ZKFtC6gGedHLaIBBD3ItRhGuHZxgWXccPjGHofi\n6DlPdp2NePJgDT2maSjGSiAcHxyXdmW+Ev27NblvAxktoTUcVqSENrKFb+Fh4FXN\nlXiJzOEwAXiP2ZFbMRyNF/MI\n-----END PRIVATE KEY-----\n-----BEGIN CERTIFICATE-----\nMIIDNzCCAh+gAwIBAgIJAI1Wr/fK5F0GMA0GCSqGSIb3DQEBCwUAMDIxHDAaBgNV\nBAoME29wZW5ibWMtcHJvamVjdC54eXoxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0x\nOTAyMDExMzIyMDhaFw0yOTAxMjkxMzIyMDhaMDIxHDAaBgNVBAoME29wZW5ibWMt\ncHJvamVjdC54eXoxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\nBQADggEPADCCAQoCggEBAMKVbUI5JpvY7RZbRKBPMvFDUiCXgSlsSZMrwIBD7Aju\nWhMNnuxnBh1/rJz1MCz/I0qOUmWOB50azO9sLuw82kfgUDreRozpNsEEpNGyHBne\nbJeIE46Q4GzrDpXv5zu4Q9wwWB7r/hbVVcNF4yLTXpyc9ZmyZDIbOmY8zj1g0QNk\nF90pn+ku4Jhz0v23vTpTsWtRIZ8zuzAH6YLw0f2oyLEy5YBX1IG/NRYjqng4KY3x\nr8X7iU51s8xURSpDSEIEKMYziqaLL/k2DrLqsp4mVR2Y5JOTyiOs0Zw5cqHSdFp8\n0RAWQi6g8e3yTkH9jDYJfqzYGgbC8X6FLTf7PepVLDcCAwEAAaNQME4wHQYDVR0O\nBBYEFDDohRZ1+QlC3WdIkOAdBHXVyW/SMB8GA1UdIwQYMBaAFDDohRZ1+QlC3WdI\nkOAdBHXVyW/SMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAFN0DWy6\nYPXHzidWMKKyQiJ5diqUv6LbujKOHUk+/LGSoCqcUp8NvmFDKWYP9MxjOAi9TVbs\nRGlIHBl38oSwKUayXBTY/vVeSLls90giUAOjswoRbBBQZvKyfEuFpc1zUsrhGLDC\n/6DuRt9l0DWcMcmP6Yh3jePIIwTr3bpxBGrwNLly8fPf16q4bWRIAcI3ZgLOhsrN\nLfD2kf56oYViM44d54Wa0qjuCfeTnJ46x/lo6w2kB9IzF7lwpipMU7+AG8ijDdaQ\nn8t0nADpv6tNNargLcOTTfJ0/P2PaKxwA1B88NhjlymBnNbz4epIn4T3KyysgS62\nzwqs66LPWoDerzc=\n-----END CERTIFICATE-----", "CertificateType": "PEM", "CertificateUri": { "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1" } } Change-Id: I2acbf8afa06bbf7d029d4971f7ab3b3988f5f060 Signed-off-by: Marri Devender Rao <devenrao@in.ibm.com> Signed-off-by: Ed Tanous <ed.tanous@intel.com>
author: Marri Devender Rao <devenrao@in.ibm.com> 2019-01-21 19:27:12 +0300
committer: Ed Tanous <ed.tanous@intel.com> 2019-06-13 01:53:05 +0300
commit: 5968caee7ccf978755a9a63d225965101a0c0378 (patch)
tree: 81f7298459cc19487bcbc4774d5e84764c1d5283 /src
parent: d22c8396f0bcec4488d0c98eae3092384b3a5929 (diff)
download: bmcweb-5968caee7ccf978755a9a63d225965101a0c0378.tar.xz
1 files changed, 0 insertions, 9 deletions
diff --git a/src/webserver_main.cpp b/src/webserver_main.cpp
index a4cf582aa7..1c9c1f18d3 100644
--- a/src/webserver_main.cpp
+++ b/src/webserver_main.cpp
@@ -61,15 +61,6 @@ int main(int argc, char** argv)
     auto io = std::make_shared<boost::asio::io_context>();
     CrowApp app(io);
 
-#ifdef BMCWEB_ENABLE_SSL
-    std::string sslPemFile("server.pem");
-    std::cout << "Building SSL Context\n";
-
-    ensuressl::ensureOpensslKeyPresentAndValid(sslPemFile);
-    std::cout << "SSL Enabled\n";
-    auto sslContext = ensuressl::getSslContext(sslPemFile);
-    app.ssl(std::move(sslContext));
-#endif
     // Static assets need to be initialized before Authorization, because auth
     // needs to build the whitelist from the static routes
author	Marri Devender Rao <devenrao@in.ibm.com>	2019-01-21 19:27:12 +0300
committer	Ed Tanous <ed.tanous@intel.com>	2019-06-13 01:53:05 +0300
commit	5968caee7ccf978755a9a63d225965101a0c0378 (patch)
tree	81f7298459cc19487bcbc4774d5e84764c1d5283 /src
parent	d22c8396f0bcec4488d0c98eae3092384b3a5929 (diff)
download	bmcweb-5968caee7ccf978755a9a63d225965101a0c0378.tar.xz