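Background Introduction
Background
Requirement: add a Redfish standard interface that supports replacing CA and SSL certificates only.
/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate, used to replace certificates
Decision point:
Add the standard interface /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
Detailed description:
URI: /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
Change type: new interface
Operation type: POST
Use case: replacing certificates through the Redfish interface
The properties are as follows: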
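| Property name | Description | Value type | Constraints |
|---|---|---|---|
| CertificateUri | Link to the certificate being replaced. This parameter shall contain a link to a resource of the certificate type being replaced | object | required; currently only SSL and CA certificates are supported |
| CertificateUri.@odata.id | Link to the certificate resource | string | Currently supported URIs: CA certificate /redfish/v1/Managers/1/Certificates/[1-9]\\d*, SSL certificate /redfish/v1/Managers/1/NetworkProtocol/HTTPS/Certificates/[1-9]\\d* |
| CertificateType | Type of the certificate | string (enum): PEM, PEMchain, PKCS12 | required; the PKCS7 type is currently not supported, which differs from the standard implementation. When the type is PEM or PEMchain, a CA certificate or the CSR-signed certificate for SSL is imported; when the type is PKCS12, a custom SSL certificate is imported |
| CertificateString | String containing the certificate | string | required; the certificate string. If CertificateType is PEM or PEMchain, it is a PEM-format string; if CertificateType is PKCS12, it is the Base64-encoded string of the PKCS12 file |
| Password | Certificate password | string | optional; if CertificateType is PKCS12, the Password field must be included |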
Request body example
{
  "CertificateUri": {
    "@odata.id": "/redfish/v1/Managers/1/Certificates/1"
  },
  "CertificateString": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
  "CertificateType": "PEM"
}
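An added example (not part of the original review, and not the firmware's own code): a Python sketch of server-side validation of the request body against the constraints in the property table above. The helper name `validate_replace_request` and the error strings are hypothetical, and rejecting PKCS12 for the CA certificate URI is an assumption drawn from the table's statement that PKCS12 imports a custom SSL certificate.

```python
import base64
import re

# URI patterns from the property table. [0-9] keeps the match to ASCII digits
# (\d also matches other Unicode digits); fullmatch() rejects any prefix or suffix.
CA_URI = re.compile(r"/redfish/v1/Managers/1/Certificates/[1-9][0-9]*")
SSL_URI = re.compile(r"/redfish/v1/Managers/1/NetworkProtocol/HTTPS/Certificates/[1-9][0-9]*")
ALLOWED_TYPES = {"PEM", "PEMchain", "PKCS12"}  # PKCS7 is not supported
ALLOWED_KEYS = {"CertificateUri", "CertificateType", "CertificateString", "Password"}
REQUIRED_KEYS = ("CertificateUri", "CertificateType", "CertificateString")


def validate_replace_request(body):
    """Hypothetical helper: return a list of errors, empty if the body is acceptable."""
    if not isinstance(body, dict):
        return ["body must be a JSON object"]
    errors = [f"unknown property: {k}" for k in sorted(set(body) - ALLOWED_KEYS)]
    errors += [f"missing required property: {k}" for k in REQUIRED_KEYS if k not in body]
    if errors:
        return errors
    link = body["CertificateUri"]
    uri = link.get("@odata.id") if isinstance(link, dict) else None
    is_ca = isinstance(uri, str) and CA_URI.fullmatch(uri) is not None
    is_ssl = isinstance(uri, str) and SSL_URI.fullmatch(uri) is not None
    if not (is_ca or is_ssl):
        errors.append("CertificateUri.@odata.id is not a supported certificate URI")
    ctype, cstr = body["CertificateType"], body["CertificateString"]
    if not isinstance(ctype, str) or ctype not in ALLOWED_TYPES:
        errors.append("CertificateType must be PEM, PEMchain or PKCS12")
    if not isinstance(cstr, str) or not cstr:
        errors.append("CertificateString must be a non-empty string")
    elif ctype == "PKCS12":
        if is_ca:  # assumption: PKCS12 only imports a custom SSL certificate
            errors.append("PKCS12 is only accepted for the SSL certificate")
        if not isinstance(body.get("Password"), str):
            errors.append("Password is required when CertificateType is PKCS12")
        try:
            base64.b64decode(cstr, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            errors.append("CertificateString is not valid Base64")
    elif ctype in ("PEM", "PEMchain") and "-----BEGIN CERTIFICATE-----" not in cstr:
        errors.append("CertificateString is not a PEM certificate")
    return errors


# Constructed sample: the request body example from this page.
SAMPLE = {"CertificateUri": {"@odata.id": "/redfish/v1/Managers/1/Certificates/1"},
          "CertificateString": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
          "CertificateType": "PEM"}
print(validate_replace_request(SAMPLE))
```

This checks only the shape of the request; parsing the certificate itself and verifying the PKCS12 password remain the job of the certificate import code.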
Schema description
{
  "CertificateString": {
    "description": "The string for the certificate.",
    "longDescription": "The value of this property shall be the string of the certificate, and the format shall follow the requirements specified by the value of the CertificateType property. If the certificate contains any private keys, they shall be removed from the string on GET requests. If the private key for the certificate is not known by the service and is needed to use the certificate, the client shall provide the private key as part of the string in the POST request.",
    "requiredParameter": true,
    "type": "string"
  },
  "CertificateType": {
    "$ref": "http://redfish.dmtf.org/schemas/v1/Certificate.json#/definitions/CertificateType",
    "description": "The format of the certificate.",
    "longDescription": "The value of this parameter shall contain the format type for the certificate.",
    "requiredParameter": true
  },
  "CertificateUri": {
    "$ref": "http://redfish.dmtf.org/schemas/v1/Certificate.json#/definitions/Certificate",
    "description": "A link to the certificate that is being replaced.",
    "longDescription": "This parameter shall contain the URI of the Certificate that is being replaced.",
    "requiredParameter": true
  },
  "Password": {
    "description": "The password for the certificate.",
    "longDescription": "This parameter shall contain the password for the certificate contained in the CertificateString parameter. This parameter shall be required if the CertificateType parameter contains PKCS12 and the client-provided certificate is password protected.",
    "requiredParameter": false,
    "type": "string"
  }
}
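Review conclusion
Agreed to add the Redfish standard interface /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate for replacing CA and SSL certificates. CertificateType currently does not support PKCS7; ActionInfo returns the three types PEM, PEMchain, and PKCS12; the schema still uses the official definition.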