• Status: Solved
  • Priority: Medium
  • Security: Public

How to automate creation of SSL certs and CSRs on an IBM Remote Supervisor Adapter II

The IBM Remote Supervisor Adapter II (RSA2 Card) allows you to manage a server through a web browser.  The RSA2 card has its own embedded web server that operates independent of the operating system on the server itself.  In order for connections to the card to be secure, you obviously need an SSL certificate installed for the embedded web server.  Unfortunately, IBM doesn't provide any method for automating the process of generating and installing certificates or CSRs.  The only way to install the certificate is through a manual process requiring you to use a web browser to type in all of the information and then download the resulting CSR which you can then submit to a CA.

Obviously, that kind of process doesn't scale well when you are trying to set up SSL for hundreds or thousands of servers.  So how do you automate it?  I had some ideas that using "curl" or something might work, but I can't seem to get it right.

If anybody has a server with the Remote Supervisor Adapter and can figure out a way to accomplish this, well, you'll be better than IBM's support staff.
Asked by: msparby
1 Solution
 
arnold Commented:
What kind of web server is it?  Can it use RSA/DER format?
Using openssl you can generate a private key and CSR.  When you have the cert issued, you could paste the private key and the cert if that is an option.

Does each have its own cert or will all be sharing the same one?

It is doable.  I have not used curl, so do not know what suggestions to make.

Do all the variables and information you entered through the web interface exist on the last page prior to final submission?
You need to determine how the information is maintained within the web service.

It might be possible that the information is maintained on the server and a cookie is being passed.  I do not know whether curl by default handles cookies or whether an option needs to be used to make curl handle cookies in the responses.





msparby (Author) Commented:
The problem is that the web server isn't accessible from anything other than the web configuration interface.  You can't generate the CSR with OpenSSL or anything else.  The only way to install a certificate is to manually enter information into the form and let it generate the cert on its own.

It is possible that it requires cookies to properly generate the CSR.  At this point I suppose I may have to just put a sniffer on the network to get a better idea of how the transactions actually take place.  It could be something that Auto-It would be best suited for but I had hoped for a more graceful solution than just GUI automation.

arnold Commented:
Not sure why you would need to capture packets. Look at the HTML pages.  Record the variables and what information they gather.  Enable prompting for cookies and you will see whether a cookie is being set.  It might be that your curl setup was incomplete, i.e. it did not effectively reflect the click on the submit button or there is some client side validation that would set another variable to have the process continue to the next step.

 
msparby (Author) Commented:
The page uses some JavaScript that I'm not quite understanding either.  When you fill out the form to generate the CSR and click submit, it uses some JavaScript to validate the fields before submitting the form.  It then opens a pop-up window with a "Generating Certificate.  Do not close this window until done." message.  After a few seconds, that window closes and the original window reloads with a link to download the CSR.

I don't doubt that my curl command was incomplete.  I'll give the cookie-prompting a try to see if it yields anything.

arnold Commented:
The javascript window that is opening up is where your problem lies.  It's possible that there the information you submitted gets reformatted and then submitted to the server.  If you can replicate what goes on in that process, you would be able to automate the process. It's possible that the information can be reorganized into an XML data stream that gets sent to a particular application on the adapter.

msparby (Author) Commented:
The pop-up window doesn't seem to have any actual logic in its source.  It looks to be just a placeholder to make you wait... there's just a simple animated GIF image in it.  The javascript in that window's source doesn't have any logic to handle the form data.

arnold Commented:
The mechanism that opens the javascript popup has the transactional information.  The items displayed in the javascript pop up are the response from the server.  See within the last screen if a window open exists.  See whether there is a reference to a function or does it reference something else as the source for the window.
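
An added example, not part of the thread above: a Python sketch of the inspection the comments describe. It inventories a saved form page (action, every named field including the submit button, fields the validation script assigns before submit, and any `window.open` target) and builds a curl command that replays the submission with a cookie jar. The sample page, its paths, field names and the host are constructed and hypothetical; the real adapter pages will differ.

```python
import re
import shlex
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample page: every path, field and function name is hypothetical.
SAMPLE_PAGE = """<html><head><script>
function validateAndSubmit(f) {
  if (f.cn.value == "") { alert("Common name required"); return false; }
  f.step.value = "generate";  // set client-side just before submit
  window.open("/private/wait.html", "progress", "width=300,height=100");
  return true;
}
</script></head><body>
<form method="post" action="/private/gencsr" onsubmit="return validateAndSubmit(this)">
<input type="text" name="cn" value=""><input type="text" name="org" value="">
<input type="hidden" name="step" value="">
<input type="submit" name="go" value="Generate CSR">
</form></body></html>"""

class FormInventory(HTMLParser):
    """Collects each form's action, method and named inputs (submit button included)."""
    def __init__(self):
        super().__init__()
        self.forms = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "fields": {},
                               "method": (a.get("method") or "get").lower()})
        elif tag in ("input", "select", "textarea") and self.forms and a.get("name"):
            self.forms[-1]["fields"][a["name"]] = a.get("value") or ""

def inspect(html):
    """Returns (forms, fields assigned by script, URLs passed to window.open)."""
    p = FormInventory()
    p.feed(html)
    js = "\n".join(re.findall(r"<script[^>]*>(.*?)</script>", html, re.S | re.I))
    assigned = sorted(set(re.findall(r"\.(\w+)\.value\s*=[^=]", js)))
    return p.forms, assigned, re.findall(r"window\.open\(\s*[\"']([^\"']*)", js)

def curl_command(base_url, form, values, jar="rsa2.cookies"):
    """Builds a replay command; -c stores cookies the server sets, -b sends them back."""
    cmd = ["curl", "-s", "-c", jar, "-b", jar] + (["-G"] if form["method"] == "get" else [])
    for name, default in form["fields"].items():
        cmd += ["--data-urlencode", f"{name}={values.get(name, default)}"]
    return " ".join(shlex.quote(c) for c in cmd + [urljoin(base_url, form["action"])])
```

Fields reported as assigned by script are the ones a hand-written curl command most easily misses, because their value never appears in the static HTML.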