Use the System Configuration Service (SCSD) tool to create TLS certificates and store them in Vault secure storage. Once certificates are created, they are placed on to the target BMCs.
- The Cray command line interface (CLI) tool is initialized and configured on the system. See Configure the Cray CLI.
TLS certificates can only be set for liquid-cooled BMCs. TLS certificate support for air-cooled BMCs is not supported in release 1.4.
-
(
ncn-mw#) Use SCSD to generate TLS certificates.-
Create a
cert_create.jsonJSON file containing all cabinet level certificate creation information.{ "Domain": "Cabinet", "DomainIDs": [ "x0", "x1", "x2", "x3"] } -
Generate the TLS certificates.
cray scsd bmc createcerts create --format json cert_create.json
Example output:
{ "DomainIDs": [ { "ID": "x0", "StatusCode": 200, "StatusMsg": "OK" }, { "ID": "x1", "StatusCode": 200, "StatusMsg": "OK" }, { "ID": "x2", "StatusCode": 200, "StatusMsg": "OK" }, { "ID": "x3", "StatusCode": 200, "StatusMsg": "OK" } ] }
-
-
(
ncn-mw#) Apply the TLS certificates to the target BMCs.-
Create a new
cert_set.jsonJSON file to specify the endpoints.{ "Force": false, "CertDomain": "Cabinet", "Targets": [ "x0c0s0b0","x0c0s1b0","x0c0s2b0", "x0c0s3b0" ] } -
Set the certificates on the target BMCs.
cray scsd bmc setcerts create --format json cert_set.json
Example output:
{ "Targets": [ { "ID": "x0c0s0b0", "StatusCode": 200, "StatusMsg": "OK" }, { "ID": "x0c0s1b0", "StatusCode": 200, "StatusMsg": "OK" }, { "ID": "x0c0s2b0", "StatusCode": 200, "StatusMsg": "OK" }, { "ID": "x0c0s3b0", "StatusCode": 200, "StatusMsg": "OK" } ] }
-
-
(
ncn-mw#) Follow the Redeploying a Chart procedure with the following specifications:-
Name of chart to be redeployed:
cray-hms-smd -
Base name of manifest:
sysmgmt -
When reaching the step to update customizations, perform the following step:
Only follow this step as part of the previously linked chart redeploy procedure.
Enable the
CA_URIvariable in all Hardware Management Services (HMS) that use Redfish.The
customizations.yamlfile needs an entry to specify the URI where the Certificate Authority (CA) bundle can be found.vi customizations.yaml
Example excerpts from
customizations.yaml:hms_ca_info: hms_svc_ca_uri: "/usr/local/cray-pki/certificate_authority.crt"
cray-hms-reds: hms_ca_uri: "{{ hms_ca_info.hms_svc_ca_uri}}" cray-hms-capmc: hms_ca_uri: "{{ hms_ca_info.hms_svc_ca_uri}}" cray-hms-meds: hms_ca_uri: "{{ hms_ca_info.hms_svc_ca_uri}}" cray-hms-hmcollector: hms_ca_uri: "{{ hms_ca_info.hms_svc_ca_uri}}" cray-hms-smd: hms_ca_uri: "{{ hms_ca_info.hms_svc_ca_uri }}" cray-hms-firmware-action: hms_ca_uri: "{{ hms_ca_info.hms_svc_ca_uri}}"
Setting
hms_ca_urito"vault://pki_common/ca_chain"specifies the use of the Vault PKI directly. -
When reaching the step to validate that the redeploy was successful, there are no additional steps to perform.
-
Make sure to perform the entire linked procedure, including the step to save the updated customizations.
-
At any point the TLS certs can be regenerated and replaced on Redfish BMCs. The CA trust bundle can also be modified at any time. When this is to be done, the following steps are needed:
-
Modify the CA trust bundle.
Once the CA trust bundle is modified, each service will automatically pick up the new CA bundle data. There is no manual step.
-
Regenerate the TLS cabinet-level certificates as done is the preceding step.
-
Place the TLS certificates onto the Redfish BMCs as in the preceding step.