Post by josephreynolds1 on Aug 2, 2021 16:21:29 GMT
This is a one-off question about a use case for an OEM authentication scheme. What is the right URI to upload an OEM authentication token?
The OEM authentication works like this (oversimplified) workflow:
1. The user generates an "access control file" (ACF), an ASN.1 format digitally-signed file which the BMC can authenticate and which allows a specific user to authenticate.
2. The admin uploads the ACF to the BMC.
3. The service user logs into the BMC (using the password associated with the ACF).
For more details, see the design doc "IBM ACF authentication" in review here: gerrit.openbmc-project.xyz/c/openbmc/docs/+/45201
For context: ACF authentication is proposed to help solve the problem of how to isolate the "service" user login (and isolate service user privileges) away from an admin user (which was previously discussed here: redfishforum.com/thread/333/proposed-new-servicerep-role-privilege)
For context: ACF authentication is proposed to help solve the problem of how to isolate the "service" user login (and isolate service user privileges) away from an admin user (which was previously discussed here: redfishforum.com/thread/333/proposed-new-servicerep-role-privilege)
Specifically, I want a Redfish API for step 2 (upload user login credentials). What URI should be used?
We have considered:
- The ACF file is an ASN.1 file, so can we treat it like a certificate? redfish.dmtf.org/schemas/v1/Certificate_v1.xml
- The ACF is per user, so can we consider using an Account URI? /redfish/v1/AccountService/Accounts/service/Oem/IBM/Certificates/ACF
