
Latest 9.3.3 Updates to DS8900F REST interface - Automating Certificates

By Randy Blea posted Tue July 18, 2023 02:44 PM

  


What's new in REST interface update for 9.3.3?

In the latest update to the DS8000 REST interface, the team focused on customer IDEA DS80-I-197.

Keeping your environment as secure as possible is a high focus in this day and age.  Part of that is ensuring that your systems are protected with updated certificates.  But for customers with a large number of storage systems, this task can become quite tedious. 

This is where automation comes into play.  Customers want to automate the management of their DS8000 custom certificates.  While these features are available on the DSGUI, providing the REST interfaces allows customers to automate the process across all of their storage systems.

This latest update provides the REST interfaces necessary to:

      • Create New Self Signed Certificates
      • Create a Certificate Signing Request and then apply the signed certificate to the DS8000 HMC


Creating new self signed certificates

While typically not recommended, customers today can click a button on the DSGUI to create a self signed certificate.  This allows them to periodically modify this self signed certificate. 

The equivalent has been provided in the REST interface. 

By issuing a POST /v1/hmc/certificate/selfsigned call, you can pass in the parameters necessary to create a new self signed certificate.  The input content-type is "application/json", and you can specify the following values.

      • O - The name of the organization or company
      • OU - The name of a department within the organization or company
      • C - Two letter ISO code for the country where your organization is located (for example, GB, FR or US)
      • ST - The state or province where your organization is located.  Do not abbreviate this value.  For example, use California and not CA.
      • L - The city or town where the organization is located.
      • days - The number of days that the certificate should be valid for.  Default is 365 if not specified.
      • email - The email address of a contact within the organization
      • restart - Whether to automatically reboot the HMC after creating the self signed certificate.  Default is false if not specified.  NOTE: In order for the new certificate to be activated, a reboot of the HMC is required.  If set to false, the reboot can be done through the restart REST interface.


Creating and applying signed certificates

The recommended way to apply custom certificates is to create a Certificate Signing Request which can then be signed by a Certificate Authority which provides a Signed Certificate to use. 

The following steps are necessary when using Signed Certificates.  This needs to be done for both HMC 1 and HMC 2 for the DS8000.

      1. Call the REST interface to create a Certificate Signing Request (CSR)
      2. Send the CSR to a Certificate Authority (this can be automated depending on the certificate authority used)
      3. Call the REST interface to apply the Signed Certificate to the HMC
      4. Call the REST interface to restart the HMC when ready

REST interface for creating a Certificate Signing Request

To request a CSR, issue POST /v1/hmc/certificate/csr and pass in the parameters necessary to create the request.  The input content-type is "application/json", and you can specify the following values.  The output is text returned as "application/octet-stream", which contains the CSR information.

      • O - The name of the organization or company
      • OU - The name of a department within the organization or company
      • C - Two letter ISO code for the country where your organization is located (for example, GB, FR or US)
      • ST - The state or province where your organization is located.  Do not abbreviate this value.  For example, use California and not CA.
      • L - The city or town where the organization is located.
      • email - The email address of a contact within the organization
      • force - Force the creation of a new CSR.  Default is true.  If set to false, the call will fail in the event that a CSR has already been created but has not been signed yet.

REST interface for applying the signed certificate to the HMC

After retrieving a signed certificate you can import it onto the HMC by calling POST /v1/hmc/certificate/ and specifying the data in "multipart/form-data" format.  

REST interface to restart the HMC

Neither the self signed certificate nor a signed certificate will be activated until after the HMC is restarted.  If you have a lot of storage systems to manage, you might decide to apply the certificate to all of them first, and then reboot them.

To reboot the HMC simply call POST /v1/hmc/restart/ 

This causes the HMC that received the call to restart, and you will regain access shortly after the restart completes.
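The four steps above, sequenced for several HMCs so that every certificate is applied before any HMC is restarted. This is an added example, not IBM code or part of the original post. The send and sign_csr callables, the host names and the field values are assumptions; send is expected to own the base URL, authentication, TLS verification and multipart encoding, none of which the post specifies.

```python
import json

CSR_FIELDS = {"O", "OU", "C", "ST", "L", "email", "force"}  # from the CSR list above

def csr_payload(**fields):
    """Validate the documented CSR fields and return the JSON request body."""
    unknown = set(fields) - CSR_FIELDS
    if unknown:  # e.g. "days" and "restart" belong to the selfsigned call only
        raise ValueError(f"unsupported CSR fields: {sorted(unknown)}")
    c, st = fields.get("C"), fields.get("ST")
    if c is not None and not (len(c) == 2 and c.isalpha()):
        raise ValueError("C must be a two-letter ISO country code")
    if st is not None and len(st) <= 2:
        raise ValueError("ST must be spelled out (California, not CA)")
    return json.dumps(fields, sort_keys=True).encode()

def rotate(hmcs, fields, send, sign_csr):
    """Steps 1-3 on every HMC, then step 4 once all certificates are applied.

    send(hmc, path, content_type, body) -> response bytes (caller-supplied).
    sign_csr(csr) -> signed certificate bytes, the CA hand-off (caller-supplied).
    """
    body = csr_payload(**fields)
    for hmc in hmcs:
        csr = send(hmc, "/v1/hmc/certificate/csr", "application/json", body)
        cert = sign_csr(csr)
        if not cert:
            raise RuntimeError(f"{hmc}: CA returned no certificate; nothing restarted")
        send(hmc, "/v1/hmc/certificate/", "multipart/form-data", cert)
    for hmc in hmcs:  # a certificate is only activated by the restart
        send(hmc, "/v1/hmc/restart/", None, None)

def demo():
    """Run the workflow against a constructed in-memory transport; return the call log."""
    calls = []
    def fake_send(hmc, path, content_type, body):
        calls.append((hmc, path))
        return b"CSR-for-" + hmc.encode()    # constructed placeholder, not a real CSR
    fake_ca = lambda csr: b"SIGNED:" + csr   # constructed placeholder CA
    # force=False: the CSR call fails if an unsigned CSR is already pending
    fields = {"O": "Example Corp", "OU": "Storage", "C": "US",
              "ST": "California", "L": "San Jose",
              "email": "storage@example.com", "force": False}
    rotate(["hmc1.example.com", "hmc2.example.com"], fields, fake_send, fake_ca)
    return calls

if __name__ == "__main__":
    for call in demo():
        print(*call)
```
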


Installing and using the new REST interfaces


RESTAPI_DS8900F_5.9.33.8000  - This upgrade is currently only available for DS8900F systems at 89.33.xx.xx levels.  Click the link to download the new RESTAPI code and follow the directions in the README in order to self upgrade the HMC to the new level.  This code can be applied without disruption and without restarting the HMC. 

NOTE: Updates to pyDS8k and the DS8000 Ansible collection to support these new features will be available in the future. 






Comments

Fri July 28, 2023 04:35 AM

Looking forward to exploiting this, Randy. Thanks!