4.2.3 Certificate Management for Certificate-based Authentication Using REST

Significantly, the Utilities API includes a set of methods that allow you to manage certificate generation and registration within Oracle VM Manager. This matters because the WS-API also supports certificate-based authentication, which lets you further secure how custom-developed applications authenticate to and interact with Oracle VM Manager. This section briefly explores some of these methods in the context of the REST API.

Certificate management within Oracle VM Manager is discussed in a variety of contexts throughout the documentation. For more information on authenticating with an SSL certificate over REST, please see Section 2.6.1, “Authenticating”. Please also refer to Setting up SSL on Oracle VM Manager in the Oracle VM Administrator's Guide for more information on SSL certificate management.

How to Obtain the CA Certificate Using REST

Once authenticated, either using an existing SSL certificate, or using the HTTP BASIC authentication mechanism, it is possible to query the Utility API to obtain the internal Oracle VM Manager CA certificate. This is achieved by simply sending an HTTP GET request to the following URI:

https://hostname:port/ovm/core/wsapi/rest/Utilities/Certificate/CaCertificate

This method simply returns the CA certificate as a string.

It is useful to obtain the CA certificate and to add it to your trusted certificates or to your keystore, so that it can be used to validate SSL interactions with Oracle VM Manager.

How to Sign and Register a Certificate Using REST

The API provides options to sign and register an SSL certificate using the internal Oracle VM Manager CA certificate. There are also options to only sign a certificate, or to register an already signed certificate. The latter can be useful if you have added a trusted third-party CA certificate to Oracle VM Manager's own keystore and wish to use a certificate issued by that third party. These additional API methods are discussed in the API documentation. In this case, we assume that you need to sign and register a certificate with the internal CA.

The REST API allows you to sign and register a certificate by sending a POST request to the following URI:

https://hostname:port/ovm/core/wsapi/rest/Utilities/Certificate

The body of the POST request can contain either a JSON or XML representation of a loginCertificate object. Only the certificate element of the object need be populated. If no object is submitted within the POST request, the API automatically generates a certificate and passphraseless key that can be used for authentication. For security reasons, it is usually a good idea to generate a certificate locally and to set a passphrase for the key beforehand, so that the certificate can be passed in the body of the request.

Important

By default, the API only registers a certificate sent in the body of a POST request sent to this URI. This is to enable the possibility of using certificates already signed by a third party. To force the API to also sign a certificate submitted using this method, the boolean sign parameter must also be set to true within the URI. Therefore, in this case, you should post to the URI:

https://hostname:port/ovm/core/wsapi/rest/Utilities/Certificate?sign=True

In the SOAP version of this process, we focussed on how this could be performed using Java. In this REST-based example, we achieve the same thing using Python. The principles are much the same.

First, create a key and certificate locally using a tool like OpenSSL. If you are using Java, you would probably do this by generating a keystore using the Java keytool command, as presented in the SOAP version of this example.

$ openssl genrsa -des3 -out mykey.pem 2048
$ openssl req -new -key mykey.pem -out mycertreq.csr
$ openssl x509 -req -days 365 -in mycertreq.csr -signkey mykey.pem -out mycert.pem

For security reasons, it is advisable to set a passphrase for your key. Note that this is a typical self-signed certificate, so you first generate a Certificate Signing Request (CSR) and then use your key to sign the certificate that you intend to generate from this CSR.

Once you have created a certificate, you can use the REST API to sign it. In Python, the following code could be used, assuming that you have already set up a Requests session and authenticated as described in Section 2.6.1.2, “Python”:

import json

# Read the locally generated, self-signed certificate. Only the 'certificate'
# element of the loginCertificate object needs to be populated.
with open('/path/to/mycert.pem') as f:
    cert = f.read()
body = {'certificate': cert}
# sign=True makes the internal CA sign the certificate as well as register it.
r = s.post('https://127.0.0.1:7002/ovm/core/wsapi/rest/Utilities/Certificate?sign=True',
           data=json.dumps(body))
r.raise_for_status()
signed_cert = r.json()['certificate']
with open('/path/to/signed.pem', 'w') as f:
    f.write(signed_cert)

In the above example, we read the contents of the self-signed certificate into a variable named 'cert' and use it to build a Python data structure that we convert to a JSON string matching the content the API expects in the body of the request. We submit the POST request with the sign parameter set to True in the URI. We then extract the newly signed certificate from the body of the response and write it to a file at /path/to/signed.pem.

To use this certificate to authenticate to either the REST or SOAP API using Python, it should be combined with its key. You can do this easily on the command line:

$ cat /path/to/signed.pem /path/to/mykey.pem >> /path/to/OVMSignedCertificate.pem

You can now use this new certificate to authenticate against either the SOAP or REST API from within any of your programs, as described in Section 2.6.1.2, “Python”.
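The following helpers, added here as an example and not part of Oracle's own documentation or code, factor the sign-and-register round trip above into testable pieces: building the loginCertificate JSON body with sign=True, validating the signed certificate returned by the API before it is written to disk, and assembling the combined certificate-plus-key PEM while checking that the key really carries the passphrase the text recommends. The host:port in UTIL is a placeholder, the PEM samples are constructed (base64 of short strings, not real key material), and the result of sign_request() is what you would hand to the s.post() call shown earlier.

```python
import json

# Added example, not Oracle's code. The host:port in UTIL is a placeholder; the
# PEM samples are constructed (base64 of short strings, not real key material).
UTIL = "https://hostname:port/ovm/core/wsapi/rest/Utilities/Certificate"
SELF_SIGNED_PEM = "-----BEGIN CERTIFICATE-----\nc2VsZi1zaWduZWQ=\n-----END CERTIFICATE-----\n"
ENC_KEY_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
               "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nc2FtcGxl\n-----END RSA PRIVATE KEY-----\n")

def pem_block(text, label):
    """First '-----BEGIN <label>-----' ... '-----END <label>-----' block, or None."""
    begin, end = "-----BEGIN %s-----" % label, "-----END %s-----" % label
    start = text.find(begin)
    stop = text.find(end, start) if start != -1 else -1
    return None if stop == -1 else text[start:stop + len(end)]

def key_is_encrypted(key_pem):
    """Passphrase-protected key: a PKCS#8 'ENCRYPTED PRIVATE KEY' block, or the
    'Proc-Type: 4,ENCRYPTED' header that `openssl genrsa -des3` writes."""
    if pem_block(key_pem, "ENCRYPTED PRIVATE KEY"):
        return True
    return "Proc-Type: 4,ENCRYPTED" in (pem_block(key_pem, "RSA PRIVATE KEY") or "")

def sign_request(cert_pem):
    """(url, JSON body) for sign+register: a loginCertificate with only 'certificate'
    set, and sign=True so the internal CA signs it rather than only registering it."""
    cert = pem_block(cert_pem, "CERTIFICATE")
    if cert is None:
        raise ValueError("not a PEM certificate")
    return UTIL + "?sign=True", json.dumps({"certificate": cert})

def signed_cert_from_response(response_text):
    """Pull 'certificate' out of the JSON reply and check it is a PEM certificate."""
    cert = pem_block(json.loads(response_text).get("certificate", ""), "CERTIFICATE")
    if cert is None:
        raise ValueError("response carries no PEM certificate")
    return cert

def build_auth_bundle(signed_cert_pem, key_pem, require_passphrase=True):
    """Join signed cert + key into the single PEM passed as cert=; by default refuse
    a key that has no passphrase, as the text advises."""
    if require_passphrase and not key_is_encrypted(key_pem):
        raise ValueError("private key is not passphrase-protected")
    cert = pem_block(signed_cert_pem, "CERTIFICATE")
    if cert is None:
        raise ValueError("signed certificate is not PEM")
    return cert + "\n" + key_pem.strip() + "\n"
```

Writing the string returned by build_auth_bundle() to a file gives the same result as the cat command above, with the added check that an unprotected key is caught before it is bundled.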