This section describes the HPE Transport Layer Security (TLS) configuration of the UEFI/BIOS OEM extension. This configuration is required if you want to boot an operating system remotely using the HTTPS protocol.
The iLO TLS configuration is presented in the Security Service section.
In iLO 6, the HPE OEM #HpeTlsConfig extension URI is /redfish/v1/Systems/{id}/bios/oem/hpe/tlsconfig/. In iLO 5 the URI is /redfish/v1/Systems/{id}/bios/tlsconfig/. It is used for reading and setting properties. It has three resources:
Current Settings Resource (read-only): /redfish/v1/systems/1/bios/oem/hpe/tlsconfig/
- Contains the TLS certificate configuration data currently active in the system.
Pending Settings Resource (read/write): /redfish/v1/systems/1/bios/oem/hpe/tlsconfig/settings/
Writable properties:
"Ciphers" - Set the desired supported ciphers
"HostnameCheck" - Enable/Disable host name checking
"ProtocolVersion" - Set the desired protocol version
"VerifyMode" - Set the verification method (PEER/NONE)
"NewCertificates" - An array of the certificates to be installed
"DeleteCertificates" - An array of the fingerprints of the certificates to be deleted
Read-only properties that get modified internally:
"Certificates" - An array of all the installed certificates
"TlsCaCertificateCount" - The number of installed certificates
TLS Default Settings Resource (read-only): /redfish/v1/systems/1/bios/oem/hpe/tlsconfig/baseconfigs/
- Holds the default values of the resource. Refer to the example below to perform the reset.
The certificates are X.509 certificates. In PEM format a certificate is a series of base64 lines separated by LF or CR-LF line terminators, which are invisible in the ASCII text (\n or \r\n).
The following is an example of a CR-LF certificate in PEM format:
-----BEGIN CERTIFICATE-----
MIIEHTCCAwWgAwIBAgIQe8LmWgF5edKw01/avJg69DANBgkqhkiG9w0BAQsFADCB
kTELMAkGA1UEBhMCVVMxKzApBgNVBAoTIkhld2xldHQgUGFja2FyZCBFbnRlcnBy
aXNlIENvbXBhbnkxIDAeBgNVBAsTF0luZnJhc3RydWN0dXJlIFNlcnZpY2VzMTMw
...
-----END CERTIFICATE-----
It must be modified so that each CR-LF (or LF) line terminator is replaced by its escaped two-character representation (\r\n or \n), which turns the certificate into a single-line string. This is the same escaping a JSON string literal uses, so the result can be placed directly inside a JSON string value:
-----BEGIN CERTIFICATE-----\r\nMIIGxDCCBaygAwIBAgIQUkL9757013wOQ2heZMCLizANBgkqhkiG9w0BAQsFADCB\r\nkTELMAkGA1UEBhMCVVMxKzApBgNVBAoTIkhld2xldHQgUGFja2FyZCBFbnRlcnBy\r\naXNlIENvbXBhbnkxIDAeBgNVBAsTF0luZnJhc3RydWN0dXJlIFNlcnZpY2VzMTMw\r\n...\r\n-----END CERTIFICATE-----
On Linux systems, you can use the following sed or awk commands to replace the CR-LF or LF line terminators in a file with their escaped representation (dos2unix first removes the CR characters, so both variants emit \n):
dos2unix file
sed -E ':a;N;$!ba;s/\r{0,1}\n/\\n/g' file
or
dos2unix file
awk '{printf "%s\\n", $0}' file
Finally, the certificate needs to be sent with a PUT request (only a PUT request will be successful) to the pending settings resource through the API:
PUT /redfish/v1/Systems/{item}/bios/oem/hpe/tlsconfig/settings/
When a certificate is installed, a new Fingerprint field (SHA256) is created for that certificate. To remove a certificate, PUT its fingerprint in the DeleteCertificates array of the settings resource.
PUT /redfish/v1/Systems/1/bios/oem/hpe/tlsconfig/settings/
You can delete more than one certificate at a time.
PUT /redfish/v1/Systems/1/bios/oem/hpe/tlsconfig/settings/
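The line-terminator conversion and the install/delete request bodies described above, as an added Python example that is not HPE's code and not taken from this page. It assumes NewCertificates and DeleteCertificates are sent as a JSON object in the PUT body, and that the fingerprint is a hex SHA-256 over the certificate's DER bytes; the sample PEM is constructed (its payload is bytes 0..31) and is not a real certificate.

```python
import base64
import hashlib
import json
import re

# Constructed sample: a PEM-shaped block with CR-LF line endings (as read from a
# Windows file). The base64 payload is bytes 0..31, not a real certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\r\n"
    "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=\r\n"
    "-----END CERTIFICATE-----\r\n"
)

def normalize_pem(pem: str) -> str:
    """Accept CR-LF or LF input; keep one LF between lines, no trailing newline."""
    return "\n".join(ln for ln in pem.splitlines() if ln.strip())

def pem_to_escaped(pem: str) -> str:
    """Hand-editing form from the text: each line terminator becomes the two
    characters backslash and n, so the whole certificate is one line."""
    return normalize_pem(pem).replace("\n", "\\n")

def pem_sha256_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes between the markers, colon-separated hex.
    Assumption about the format: compare with the Fingerprint value iLO reports
    in the Certificates property before using it in DeleteCertificates."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def install_request_body(pems) -> str:
    """JSON body for PUT .../tlsconfig/settings/ that installs certificates.
    json.dumps emits the same \\n escapes the sed/awk step produces, so the
    normalized PEM (real newlines) is passed, not the already-escaped string:
    escaping twice would send a literal backslash-n to iLO."""
    return json.dumps({"NewCertificates": [normalize_pem(p) for p in pems]})

def delete_request_body(fingerprints) -> str:
    """JSON body for PUT .../tlsconfig/settings/ removing certificates by fingerprint."""
    return json.dumps({"DeleteCertificates": list(fingerprints)})

if __name__ == "__main__":
    print(install_request_body([SAMPLE_PEM]))
    print(delete_request_body([pem_sha256_fingerprint(SAMPLE_PEM)]))
```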
- Modifying Ciphers:
PATCH /redfish/v1/Systems/1/bios/oem/hpe/tlsconfig/settings/
- Modifying VerifyMode. Possible values: PEER or NONE (NONE disables verification of the server certificate):
PATCH /redfish/v1/Systems/1/bios/oem/hpe/tlsconfig/settings/
- Modifying HostnameCheck. Cannot be changed if VerifyMode is set to NONE:
PATCH /redfish/v1/Systems/1/bios/oem/hpe/tlsconfig/settings/
- Modifying ProtocolVersion. Possible values: "AUTO", "1.0", "1.1" or "1.2":
PATCH /redfish/v1/Systems/1/bios/oem/hpe/tlsconfig/settings/