Verify DSP2059 compliance | Redfish Specification Forum

jyundt
Guppy

Posts: 50

Verify DSP2059 compliance Sept 29, 2022 16:39:49 GMT

Quote

Post by jyundt on Sept 29, 2022 16:39:49 GMT

I'm not entirely sure if this is related to Interop Profiles per se, but what's the best method to verify that a BMC supports functionality to create a new Certificate resource by POST-ing to a CertificateCollection? My Interop Profile already contains a snippet like this below (and this seems to be working fine), however I'm not sure how to validate that a BMC implementation will permit POST-ing to upload new certificates:


	"Resources": {
		"Certificate": {
			"MinVersion": "1.2.0",
			"PropertyRequirements": {
				"CertificateString": {},
				"CertificateType": {},
				"Issuer": {},
				"KeyUsage": {
					"ReadRequirement": "Recommended"
				},
				"Subject": {},
				"ValidNotAfter": {},
				"ValidNotBefore": {}

			},
			"ActionRequirements": {
				"Renew": {
					"ReadRequirement": "Mandatory"
				},
				"Rekey": {
					"ReadRequirement": "Mandatory"
				}
			}
		},
		"CertificateCollection": {
			"PropertyRequirements": {
				"Members": {
					"MinCount": 1
				}
			}
		},
		"CertificateLocations": {
			"MinVersion": "1.0.0",
			"ReadRequirement": "Mandatory",
			"PropertyRequirements": {
				"Links": {}
			}
		},
		"CertificateService": {
			"MinVersion": "1.0.0",
			"ReadRequirement": "Mandatory",
			"PropertyRequirements": {
				"CertificateLocations": {}
			},
			"ActionRequirements": {
				"GenerateCSR": {
					"ReadRequirement": "Mandatory"
				},
				"ReplaceCertificate": {
					"ReadRequirement": "Mandatory"
				}
			}
		}

	},

Is this something that should be covered by the Protocol or Service Validators?

mraineri
Administrator

Posts: 1,132

Verify DSP2059 compliance Sept 29, 2022 18:26:21 GMT

Quote

Post by mraineri on Sept 29, 2022 18:26:21 GMT

The interop validator should be able to test for this, but I suspect it doesn't today. We do have some outstanding items to figure out how to test the modification requirements, but we need to be careful about how this is done. However, I think we can do a simple test for this based on the "Allow" response header.

Specifically for how to convey these requirements, inside of "CertificateCollection", you can specify terms like "CreateResource" and "DeleteResource" to show that members can be added/removed via POST and DELETE.

From the interop spec (the "Schema-level functions" section specifically)...

CreateResource: Specifies a requirement that a user may create a member of this resource. This normally applies to Redfish resource collections. If this property is absent, there is no requirement to support creation of members of this resource.

DeleteResource: Specifies a requirement that a user may delete a member of this resource. This normally applies to Redfish resource collections. If this property is absent, there is no requirement to support deletion of members of this resource.

jyundt
Guppy

Posts: 50

Verify DSP2059 compliance Sept 29, 2022 18:59:16 GMT

Quote

Post by jyundt on Sept 29, 2022 18:59:16 GMT

Ah, that's exactly what I was looking for, thank you! Even if the tool doesn't support this functionality now, I'll start adding CreateResource / DeleteResource definitions to our profiles.

Also, I think you are right, it appears the the tool skips these checks currently.