Use the System Configuration Service (SCSD) tool to create TLS certificates and store them in Vault secure storage. Once certificates are created, they are placed on to the target BMCs.
TLS certificates can only be set for liquid-cooled BMCs. Air-cooled BMCs are not supported in release 1.4.
Use SCSD to generate TLS certificates.
Create a cert_create.json JSON file containing all cabinet-level certificate creation information.
    {
      "Domain": "Cabinet",
      "DomainIDs": [ "x0", "x1", "x2", "x3" ]
    }
Generate the TLS certificates.
ncn-mw# cray scsd bmc createcerts create --format json cert_create.json
Example output:
    {
      "DomainIDs": [
        {
          "ID": "x0",
          "StatusCode": 200,
          "StatusMsg": "OK"
        },
        {
          "ID": "x1",
          "StatusCode": 200,
          "StatusMsg": "OK"
        },
        {
          "ID": "x2",
          "StatusCode": 200,
          "StatusMsg": "OK"
        },
        {
          "ID": "x3",
          "StatusCode": 200,
          "StatusMsg": "OK"
        }
      ]
    }
Apply the TLS certificates to the target BMCs.
Create a new cert_set.json JSON file to specify the endpoints.
    {
      "Force": false,
      "CertDomain": "Cabinet",
      "Targets": [
        "x0c0s0b0", "x0c0s1b0", "x0c0s2b0", "x0c0s3b0"
      ]
    }
Set the certificates on the target BMCs.
ncn-mw# cray scsd bmc setcerts create --format json cert_set.json
Example output:
    {
      "Targets": [
        {
          "ID": "x0c0s0b0",
          "StatusCode": 200,
          "StatusMsg": "OK"
        },
        {
          "ID": "x0c0s1b0",
          "StatusCode": 200,
          "StatusMsg": "OK"
        },
        {
          "ID": "x0c0s2b0",
          "StatusCode": 200,
          "StatusMsg": "OK"
        },
        {
          "ID": "x0c0s3b0",
          "StatusCode": 200,
          "StatusMsg": "OK"
        }
      ]
    }
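The request files and the response shape shown above, as an added Python example (not part of the CSM documentation or the SCSD tool): it builds cert_create.json and cert_set.json from a list of cabinets and BMC xnames, and scans SCSD's JSON output so that any cabinet or BMC whose StatusCode is not 200 is noticed before moving on to the next step. The xname pattern, the rule that every target BMC must lie in a cabinet from the DomainIDs list, and the failing sample response (its 500 code and message are made up) are assumptions constructed for the example.

```python
"""Helpers for the SCSD cabinet-level TLS certificate workflow.

Added example; not part of the CSM documentation or the SCSD tool.
Builds the two request files and checks SCSD's JSON responses so that a
non-200 result for any cabinet or BMC is noticed before moving on.
"""
import json
import re

# Assumed xname shape for a node BMC, e.g. x0c0s0b0 (cabinet, chassis, slot, BMC).
BMC_XNAME = re.compile(r"^(x\d+)c\d+s\d+b\d+$")


def cabinet_of(bmc_xname):
    """Return the cabinet xname (e.g. 'x0') that a BMC xname belongs to."""
    match = BMC_XNAME.match(bmc_xname)
    if not match:
        raise ValueError(f"not a BMC xname: {bmc_xname}")
    return match.group(1)


def build_cert_create(cabinets):
    """Body of cert_create.json for 'cray scsd bmc createcerts create'."""
    return {"Domain": "Cabinet", "DomainIDs": list(cabinets)}


def missing_cabinets(targets, cabinets):
    """Cabinets that the targets belong to but that were not in the createcerts list.

    Assumption for this example: a BMC can only receive a cabinet-level
    certificate if its cabinet was part of the createcerts request.
    """
    return sorted({cabinet_of(t) for t in targets} - set(cabinets))


def build_cert_set(targets, cabinets, force=False):
    """Body of cert_set.json for 'cray scsd bmc setcerts create'."""
    missing = missing_cabinets(targets, cabinets)
    if missing:
        raise ValueError(f"no certificate generated for cabinets: {missing}")
    return {"Force": force, "CertDomain": "Cabinet", "Targets": list(targets)}


def failed_entries(response_text, key):
    """Entries of an SCSD response whose StatusCode is not 200.

    key is 'DomainIDs' for createcerts output and 'Targets' for setcerts output.
    Returns a list of (ID, StatusCode, StatusMsg) tuples; an empty list means all OK.
    """
    data = json.loads(response_text)
    return [
        (entry["ID"], entry["StatusCode"], entry["StatusMsg"])
        for entry in data.get(key, [])
        if entry["StatusCode"] != 200
    ]


# Constructed sample setcerts output: one BMC did not accept its certificate.
# The 500 code and its message are made up for the example, not SCSD's real text.
SAMPLE_SETCERTS_OUTPUT = json.dumps({
    "Targets": [
        {"ID": "x0c0s0b0", "StatusCode": 200, "StatusMsg": "OK"},
        {"ID": "x0c0s1b0", "StatusCode": 200, "StatusMsg": "OK"},
        {"ID": "x0c0s2b0", "StatusCode": 500, "StatusMsg": "constructed failure"},
    ]
})


if __name__ == "__main__":
    cabinets = ["x0", "x1", "x2", "x3"]
    targets = ["x0c0s0b0", "x0c0s1b0", "x0c0s2b0", "x0c0s3b0"]
    with open("cert_create.json", "w") as fh:
        json.dump(build_cert_create(cabinets), fh, indent=2)
    with open("cert_set.json", "w") as fh:
        json.dump(build_cert_set(targets, cabinets), fh, indent=2)
    # After running the cray scsd command, feed its JSON output to failed_entries.
    for bmc, code, msg in failed_entries(SAMPLE_SETCERTS_OUTPUT, "Targets"):
        print(f"certificate not set on {bmc}: {code} {msg}")
```

Run it on the management node before the two cray scsd commands to write the request files, then pipe each command's --format json output through failed_entries; an empty list is the condition for continuing to the chart redeploy.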
Follow the Redeploying a Chart procedure with the following specifications:
Name of chart to be redeployed: cray-hms-smd
Base name of manifest: sysmgmt
When reaching the step to update customizations, perform the following step. Only follow this step as part of the previously linked chart redeploy procedure.
Enable the CA_URI variable in all Hardware Management Services (HMS) that use Redfish.
The customizations.yaml file needs an entry to specify the URI where the Certificate Authority (CA) bundle can be found.
ncn-mw# vi customizations.yaml
Example excerpts from customizations.yaml:
    hms_ca_info:
      hms_svc_ca_uri: "/usr/local/cray-pki/certificate_authority.crt"
    cray-hms-reds:
      hms_ca_uri: "{{ hms_ca_info.hms_svc_ca_uri }}"
    cray-hms-capmc:
      hms_ca_uri: "{{ hms_ca_info.hms_svc_ca_uri }}"
    cray-hms-meds:
      hms_ca_uri: "{{ hms_ca_info.hms_svc_ca_uri }}"
    cray-hms-hmcollector:
      hms_ca_uri: "{{ hms_ca_info.hms_svc_ca_uri }}"
    cray-hms-smd:
      hms_ca_uri: "{{ hms_ca_info.hms_svc_ca_uri }}"
    cray-hms-firmware-action:
      hms_ca_uri: "{{ hms_ca_info.hms_svc_ca_uri }}"
Setting hms_ca_uri to "vault://pki_common/ca_chain" specifies the use of the Vault PKI directly.
When reaching the step to validate that the redeploy was successful, there are no additional steps to perform.
Make sure to perform the entire linked procedure, including the step to save the updated customizations.
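A check for the customizations.yaml entries described above, as an added Python example (not part of CSM or its Helm charts): it reads the simple two-level layout of the excerpt (a full YAML parser is not needed for that shape), resolves the "{{ hms_ca_info.hms_svc_ca_uri }}" reference the way the excerpt uses it, and reports every Redfish-using HMS service whose hms_ca_uri is missing, references a key that does not exist, or is neither a file path nor a vault:// URI. The service list is taken from the excerpt; the two sample documents, one with cray-hms-meds left out and one pointing at the Vault PKI, are constructed for the example.

```python
"""Check hms_ca_uri entries in a customizations.yaml excerpt.

Added example; not part of CSM or its Helm charts. Handles only the
'chart:' / '  key: "value"' layout shown in the excerpt, resolves the
'{{ hms_ca_info.hms_svc_ca_uri }}' reference, and lists every Redfish-using
HMS service whose CA URI is missing or malformed.
"""
import re

# Services the excerpt shows as needing hms_ca_uri.
REDFISH_HMS_SERVICES = [
    "cray-hms-reds", "cray-hms-capmc", "cray-hms-meds",
    "cray-hms-hmcollector", "cray-hms-smd", "cray-hms-firmware-action",
]

# A whole-value template reference such as {{ hms_ca_info.hms_svc_ca_uri }}.
TEMPLATE_REF = re.compile(r"^\{\{\s*([\w.]+)\s*\}\}$")


def parse_simple_yaml(text):
    """Parse 'top:' blocks with indented 'key: value' lines into nested dicts.

    Only the layout used in the excerpt is supported: blank lines and
    comments are skipped and surrounding double quotes are stripped.
    """
    doc, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")   # first colon only
        value = value.strip().strip('"')
        if indent == 0:
            current = key
            doc.setdefault(current, {})
        elif current is None:
            raise ValueError(f"indented line before any top-level key: {line!r}")
        else:
            doc[current][key] = value
    return doc


def resolve(value, doc):
    """Expand a '{{ a.b }}' reference against doc; other values pass through."""
    match = TEMPLATE_REF.match(value)
    if not match:
        return value
    node = doc
    for part in match.group(1).split("."):
        node = node[part]          # KeyError if the referenced key is absent
    return node


def check_ca_uris(text, services=REDFISH_HMS_SERVICES):
    """Return a list of problems; an empty list means every service is set."""
    doc = parse_simple_yaml(text)
    problems = []
    for svc in services:
        raw = doc.get(svc, {}).get("hms_ca_uri")
        if not raw:
            problems.append(f"{svc}: hms_ca_uri not set")
            continue
        try:
            uri = resolve(raw, doc)
        except KeyError:
            problems.append(f"{svc}: hms_ca_uri references a missing key ({raw})")
            continue
        if not (uri.startswith("/") or uri.startswith("vault://")):
            problems.append(f"{svc}: unexpected CA URI {uri!r}")
    return problems


# Constructed sample: the excerpt from the page with cray-hms-meds left out.
SAMPLE_MISSING_MEDS = """\
hms_ca_info:
  hms_svc_ca_uri: "/usr/local/cray-pki/certificate_authority.crt"
cray-hms-reds:
  hms_ca_uri: "{{ hms_ca_info.hms_svc_ca_uri}}"
cray-hms-capmc:
  hms_ca_uri: "{{ hms_ca_info.hms_svc_ca_uri }}"
cray-hms-hmcollector:
  hms_ca_uri: "{{ hms_ca_info.hms_svc_ca_uri }}"
cray-hms-smd:
  hms_ca_uri: "{{ hms_ca_info.hms_svc_ca_uri }}"
cray-hms-firmware-action:
  hms_ca_uri: "{{ hms_ca_info.hms_svc_ca_uri }}"
"""

# Constructed sample: the complete excerpt, pointing HMS at the Vault PKI instead.
SAMPLE_VAULT = SAMPLE_MISSING_MEDS.replace(
    '"/usr/local/cray-pki/certificate_authority.crt"', '"vault://pki_common/ca_chain"'
) + 'cray-hms-meds:\n  hms_ca_uri: "{{ hms_ca_info.hms_svc_ca_uri }}"\n'

if __name__ == "__main__":
    for name, text in [("missing meds", SAMPLE_MISSING_MEDS), ("vault", SAMPLE_VAULT)]:
        print(name, check_ca_uris(text) or "all hms_ca_uri entries resolve")
```

Run check_ca_uris over the relevant excerpt of the edited file before saving the updated customizations; a single service left without hms_ca_uri keeps using whatever trust it had before the redeploy, which this check makes visible.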
At any point the TLS certificates can be regenerated and replaced on Redfish BMCs. The CA trust bundle can also be modified at any time. When this is done, the following steps are needed:
1. Modify the CA trust bundle. Once the CA trust bundle is modified, each service automatically picks up the new CA bundle data; there is no manual step.
2. Regenerate the TLS cabinet-level certificates as in the preceding steps.
3. Place the TLS certificates onto the Redfish BMCs as in the preceding steps.