Deploy SSL certificates via iracadm on a iDRAC 6 (Sven Höxter)

Spike_White at Dell.com
Tue Jul 31 13:46:14 CDT 2012


To deploy an SSL certificate via dracadm on an iDRAC 6 -- I did the following.

  1. On a Linux server, used openssl to generate my *.csr file.  (cert request file).   This also generated the private key *.key file (used with the *.cer file later).
  2. Uploaded my *.csr file to my CA (certificate authority).
  3. Got my *.cert file back (as base-64 encoded format I believe).
  4. Renamed to a *.cer file.  (probably not important, but I'm more familiar w/ openssl self-signed cert terminology).
  5. Ran the following commands on server:

        # Fix DRAC SSL cert key.
        racadm sslcertupload -t 1 -f rac-wc.wc.dell.com.cer
        racadm sslkeyupload -t 1 -f rac-wc.wc.dell.com.key
        racadm sslcertview -t 1

BTW, /opt/dell/srvadm/sbin/racadm is just a wrapper script that calls the correct underlying actual executable.  idracadm6 for an iDRAC6.

Spike
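
Steps 1 to 5 above as a script, with a check that the certificate returned by the CA belongs to the private key before anything is uploaded to the iDRAC. This is an added example, not part of the original post; the function names and subject fields are assumptions, and only the racadm subcommands quoted in the post are used.

```shell
#!/usr/bin/env bash
# Added example: steps 1-5 from the post, plus a key/cert match check.
# Subject fields and function names are constructed placeholders.

# Step 1: create a 2048-bit RSA key (<base>.key) and CSR (<base>.csr).
make_csr() {  # usage: make_csr <base> <common-name>
    ( umask 077  # keep the private key owner-readable only
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$1.key" -out "$1.csr" \
          -subj "/C=US/O=Example Org/CN=$2" 2>/dev/null )
}

# Print the PEM public key held in a certificate or a private key.
pubkey_of() {  # usage: pubkey_of cert|key <file>
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# Succeed only if the certificate was issued for this private key.
cert_matches_key() {  # usage: cert_matches_key <cert> <key>
    local c k
    c=$(pubkey_of cert "$1") || return 1
    k=$(pubkey_of key "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Step 5: upload only a verified pair, using the post's racadm commands.
deploy_idrac_cert() {  # usage: deploy_idrac_cert <cert> <key>
    if ! cert_matches_key "$1" "$2"; then
        echo "certificate and key do not match; nothing uploaded" >&2
        return 1
    fi
    racadm sslcertupload -t 1 -f "$1" &&
    racadm sslkeyupload -t 1 -f "$2" &&
    racadm sslcertview -t 1
}
```

Run make_csr, send the resulting .csr to the CA, then call deploy_idrac_cert with the returned .cer and the matching .key.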


   1. Deploy SSL certificates via iracadm on a iDRAC 6 (Sven Höxter)


----------------------------------------------------------------------

Message: 1
Date: Tue, 31 Jul 2012 15:38:18 +0200
From: Sven Höxter <sven.hoexter at hosteurope.de>
Subject: Deploy SSL certificates via iracadm on a iDRAC 6
To: linux-poweredge at dell.com
Message-ID: <5017DFCA.6040802 at hosteurope.de>
Content-Type: text/plain; charset=ISO-8859-1

Hi,

we're currently aiming at an automatic deployment of SSL certificates on all iDRAC cards with the help of iracadm. Sadly we currently fail to push keys, certificates or retrieve at least a CSR.

So far I've configured the following cfgRacSecurity settings:
# idracadm -r ww.xx.yy.zz -u root -p calvin getconfig -g cfgRacSecurity
Security Alert: Certificate is invalid - unable to get local issuer certificate
Continuing execution. Use -S option for racadm to stop execution on certificate-related errors.
cfgRacSecCsrKeySize=2048
cfgRacSecCsrCommonName=testdrac.hosteurope.example
cfgRacSecCsrOrganizationName=Hosteurope
cfgRacSecCsrOrganizationUnit=MH
cfgRacSecCsrLocalityName=Cologne
cfgRacSecCsrStateName=NRW
cfgRacSecCsrCountryCode=DE
cfgRacSecCsrEmailAddr=me at hosteurope.example

idracadm -r ww.xx.yy.zz -u root -p calvin getversion
Security Alert: Certificate is invalid - unable to get local issuer certificate
Continuing execution. Use -S option for racadm to stop execution on certificate-related errors.
 Bios Version          = 6.0.7
 iDRAC Version         = 1.90
 USC Version           = 1.5.0.671

Operating system is RHEL 5.8 with srvadmin-idracadm-7.0.0-4.190.2.el5

Retrieving a CSR does nothing and idracadm just exits with return code 1:

idracadm -r ww.xx.yy.zz -u root -p calvin sslcsrgen -g -f test.csr
Security Alert: Certificate is invalid - unable to get local issuer certificate
Continuing execution. Use -S option for racadm to stop execution on certificate-related errors.
[root at node1 ~]# echo $?
1

stracing the process I can see that it prints out
write(1, "Generating CSR. Please wait...", 30Generating CSR. Please wait...) = 30
and exits later on.

It's similar for the sslcertupload command. No output and idracadm just exits with a return code 1.

Now we tried it locally and now we get some interesting output when we don't define an output file:
idracadm sslcsrgen -g
ash Get The <Segmentation fault>, Retry!
ash Get The <Segmentation fault>, Retry Fail!

My best guess is that the segfault happens on the iDRAC card itself and idracadm just receives the output via IPMI.

Has someone succeeded with SSL certificate deployment via idracadm at all? Is there some secret switch you need to set first to get this working?


Utilizing the Webgui all of the cfgRacSecurity settings are present and I can retrieve a CSR file and upload a certificate signed by my own CA.
So the settings themselves seem to be valid. It's just that the ssl* command implementation in idracadm seems to be broken or requires some special settings?

Any help would be appreciated.

Regards,
Sven
--
Sven Höxter
Technical Service Linux
Managed Hosting

-----------------------------------------------------------------------
Host Europe GmbH - http://www.hosteurope.de
Welserstraße 14 - 51149 Köln - Germany
Phone: 0800 467 8387 - Fax: +49 180 5 66 3233 (*)
HRB 28495 Amtsgericht Köln - VAT ID No.: DE187370678
Managing Directors: Patrick Pulvermüller, Thomas Vollrath

(*) 0,14 EUR/min from German landlines; at most 0,42 EUR/min from German mobile networks



End of Linux-PowerEdge Digest, Vol 98, Issue 64