msparby
asked on
How to automate creation of SSL certs and CSRs on an IBM Remote Supervisor Adapter II
The IBM Remote Supervisor Adapter II (RSA2 Card) allows you to manage a server through a web browser. The RSA2 card has its own embedded web server that operates independent of the operating system on the server itself. In order for connections to the card to be secure, you obviously need an SSL certificate installed for the embedded web server. Unfortunately, IBM doesn't provide any method for automating the process of generating and installing certificates or CSRs. The only way to install the certificate is through a manual process requiring you to use a web browser to type in all of the information and then download the resulting CSR which you can then submit to a CA.
Obviously, that kind of process doesn't scale well when you are trying to set up SSL for hundreds or thousands of servers. So how do you automate it? I had some ideas that using "curl" or something might work, but I can't seem to get it right.
If anybody has a server with the Remote Supervisor Adapter and can figure out a way to accomplish this, well, you'll be better than IBM's support staff.
Obviously, that kind of process doesn't scale well when you are trying to set up SSL for hundreds or thousands of servers. So how do you automate it? I had some ideas that using "curl" or something might work, but I can't seem to get it right.
If anybody has a server with the Remote Supervisor Adapter and can figure out a way to accomplish this, well, you'll be better than IBM's support staff.
ASKER
The problem is that the web server isn't accessible from anything other than the web configuration interface. You can't generate the CSR with OpenSSL or aything else. The only way to install a certificate is to manually enter information into the form and let it generate the cert on its own.
It is possible that it requires cookies to properly generate the CSR. At this point I suppose I may have to just put a sniffer on the network to get a better idea of how the transactions actually take place. It could be something that Auto-It would be best suited for but I had hoped for a more graceful solution than just GUI automation.
It is possible that it requires cookies to properly generate the CSR. At this point I suppose I may have to just put a sniffer on the network to get a better idea of how the transactions actually take place. It could be something that Auto-It would be best suited for but I had hoped for a more graceful solution than just GUI automation.
Not sure why you would need to capture packets. Look at the HTML pages. Record the variables and what information they gather. Enable pompting for cookies and you will see whether a cookie is being set. It might be that your curl setup was incomplete, i.e. it did not effectively reflect the click on the submit button or there is some client side validation that would set another variable to have the process continue to the next step.
ASKER
The page uses some JavaScript that I'm not quite understanding either. When you fill out the form to generate the CSR and click submit, it uses some JavaScript to validate the fields before submitting the form. It then opens a pop-up window with a "Generating Certificate. Do not close this window until done." message. After a few seconds, that window closes and the original window reloads with a link to download the CSR.
I don't doubt that my curl command was incomplete. I'll give the cookie-prompting a try to see if it yields anything.
I don't doubt that my curl command was incomplete. I'll give the cookie-prompting a try to see if it yields anything.
The javascript window that is opening up is where your problem lies. Its possible that there the information you submitted gets reformatted and then submitted to the server. If you can replicate what goes on in that proces, you would be able to automate the process. Its possible that the information can reorganized into an XML data stream that gets sent to a particular application on the adapter.
ASKER
The pop-up window doesn't seem to have any actual logic in its source. It looks to be just a placeholder to make you wait... there's just a simple animated GIF image in it. The javascript in that window's source doesn't have any logic to handle the form data.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
using openssl you can generate a private key and CSR. When you have the cert issued, you could paste private key and the cert if that is an option.
Does each have its own cert or will all be sharing the same one?
It is doable. I have not used curl, so do not know what suggestions to make.
Are all the variables and information you entered through the web interface exist on the last page prior to final submission?
You need to determine how the information is maintained within the web service.
it might be possible that the information is maintained on the server and a cookie is being passed. I do not know whether curl by default handles cookies or whether an option needs to be used to make curl handle cookies in the responses.