
AccountService 1.18.0

 
Version: v1.18
Release: 2025.1

Description

The AccountService schema defines an account service. The properties are common to, and enable management of, all user accounts. The properties include the password requirements and control features, such as account lockout. Properties and actions in this service specify general behavior that should be followed for typical accounts; however, implementations might override these behaviors for special accounts or situations to avoid denial of service or other deadlock situations.

URIs

/redfish/v1/AccountService
/redfish/v1/Managers/{ManagerId}/RemoteAccountService

Properties

Property | Type | Attributes | Notes
AccountLockoutCounterResetAfter | integer (s) | read-write | The period of time, in seconds, between the last failed login attempt and the reset of the lockout threshold counter. This value must be less than or equal to the AccountLockoutDuration value. A reset sets the counter to 0.
AccountLockoutCounterResetEnabled (v1.5+) | boolean | read-write | An indication of whether the threshold counter is reset after AccountLockoutCounterResetAfter expires. If true, it is reset. If false, only a successful login resets the threshold counter, and if the user reaches the AccountLockoutThreshold limit, the account is locked out indefinitely and only an administrator-issued reset clears the threshold counter. If this property is absent, the default is true.
AccountLockoutDuration | integer (s) | read-write (null) | The period of time, in seconds, that an account is locked after the number of failed login attempts reaches the account lockout threshold, within the period between the last failed login attempt and the reset of the lockout threshold counter. If this value is 0, no lockout will occur. If the AccountLockoutCounterResetEnabled value is false, this property is ignored.
AccountLockoutThreshold | integer | read-write (null) | The number of allowed failed login attempts before a user account is locked for a specified duration. If 0, the account is never locked.
Accounts {} | object | | The collection of manager accounts.
Actions (v1.2+) {} | object | | The available actions for this resource.
ActiveDirectory (v1.3+) {} | object | | The first Active Directory external account provider that this account service supports. For more information about this property, see ExternalAccountProvider in Property details.
AdditionalExternalAccountProviders (v1.3+) {} | object | | The additional external account providers that this account service uses.
AuthFailureLoggingThreshold | integer | read-write | The number of authorization failures per account that are allowed before the failed attempt is logged to the manager log.
EnforcePasswordHistoryCount (v1.17+) | integer | read-write | The number of unique new passwords that need to be associated with a user account before a previous password is accepted when modifying the password. If 0, a user does not need to provide a unique new password.
HTTPBasicAuth (v1.15+) | string (enum) | read-write (null) | Indicates if HTTP Basic authentication is enabled for this service. For the possible property values, see HTTPBasicAuth in Property details.
LDAP (v1.3+) {} | object | | The first LDAP external account provider that this account service supports. For more information about this property, see ExternalAccountProvider in Property details.
LocalAccountAuth (v1.3+) | string (enum) | read-write | An indication of how the service uses the accounts collection within this account service as part of authentication. The enumerated values describe the details for each mode. For the possible property values, see LocalAccountAuth in Property details.
MaxPasswordLength | integer | read-write | The maximum password length for this account service.
MinPasswordLength | integer | read-write | The minimum password length for this account service.
MultiFactorAuth (v1.12+) { | object | (null) | The multi-factor authentication settings that this account service supports.
      ClientCertificate (v1.12+) { | object | (null) | The settings related to client certificate authentication schemes such as mTLS or CAC/PIV.
            CertificateMappingAttribute (v1.12+) | string (enum) | read-write (null) | The client certificate attribute to map to a user. For the possible property values, see CertificateMappingAttribute in Property details.
            Certificates (v1.12+) {} | object | | The link to a collection of CA certificates used to validate client certificates.
            Enabled (v1.12+) | boolean | read-write (null) | An indication of whether client certificate authentication is enabled.
            RespondToUnauthenticatedClients (v1.12+) | boolean | read-write (null) | An indication of whether the service responds to clients that do not successfully authenticate.
      }
      GoogleAuthenticator (v1.12+) { | object | (null) | The settings related to Google Authenticator multi-factor authentication. For generic Time-Based One-Time Password (TOTP) multi-factor authentication, use the TimeBasedOneTimePassword property.
            Enabled (v1.12+) | boolean | read-write (null) | An indication of whether multi-factor authentication with Google Authenticator is enabled.
            SecretKey (v1.12+) | string | read-write (null) | The secret key to use when communicating with the Google Authenticator server. This property is null in responses.
            SecretKeySet (v1.12+) | boolean | read-only | Indicates if the SecretKey property is set.
      }
      MicrosoftAuthenticator (v1.12+) { | object | (null) | The settings related to Microsoft Authenticator multi-factor authentication. For generic Time-Based One-Time Password (TOTP) multi-factor authentication, use the TimeBasedOneTimePassword property.
            Enabled (v1.12+) | boolean | read-write (null) | An indication of whether multi-factor authentication with Microsoft Authenticator is enabled.
            SecretKey (v1.12+) | string | read-write (null) | The secret key to use when communicating with the Microsoft Authenticator server. This property is null in responses.
            SecretKeySet (v1.12+) | boolean | read-only | Indicates if the SecretKey property is set.
      }
      OneTimePasscode (v1.14+) { | object | (null) | The settings related to one-time passcode (OTP) multi-factor authentication.
            Enabled (v1.14+) | boolean | read-write (null) | An indication of whether multi-factor authentication using a one-time passcode is enabled.
      }
      SecurID (v1.12+) { | object | (null) | The settings related to RSA SecurID multi-factor authentication.
            Certificates (v1.12+) {} | object | | The link to a collection of server certificates for the RSA SecurID server referenced by the ServerURI property.
            ClientId (v1.12+) | string | read-write (null) | The client ID to use when communicating with the RSA SecurID server.
            ClientSecret (v1.12+) | string | read-write (null) | The client secret to use when communicating with the RSA SecurID server. This property is null in responses.
            ClientSecretSet (v1.12+) | boolean | read-only | Indicates if the ClientSecret property is set.
            Enabled (v1.12+) | boolean | read-write (null) | An indication of whether multi-factor authentication with RSA SecurID is enabled.
            ServerURI (v1.12+) | string (URI) | read-write (null) | The URI of the RSA SecurID server.
      }
      TimeBasedOneTimePassword (v1.16+) { | object | (null) | The settings related to Time-based One-Time Password (TOTP) multi-factor authentication.
            Enabled (v1.16+) | boolean | read-write (null) | An indication of whether multi-factor authentication with a Time-based One-Time Password (TOTP) is enabled.
            TimeStepSeconds (v1.16+) | integer | read-write (null) | The time step, in seconds, for calculating the one-time password.
      }
}
OAuth2 (v1.10+) {} | object | (null) | The first OAuth 2.0 external account provider that this account service supports. For more information about this property, see ExternalAccountProvider in Property details.
Oem {} | object | | The OEM extension property. See the Resource schema for details on this property.
OutboundConnections (v1.14+) {} | object | (null) | The collection of outbound connection configurations.
PasswordExpirationDays (v1.9+) | integer | read-write (null) | The number of days before account passwords in this account service will expire.
PasswordGuidanceMessage (v1.18+) | string | read-only | Password creation guidance for manager accounts.
PasswordGuidanceMessageId (v1.18+) | string | read-only (null) | MessageId that contains password creation guidance for manager accounts.
PrivilegeMap (v1.1+) {} | object | | The link to the mapping of the privileges required to complete a requested operation on a URI associated with this service.
RequireChangePasswordAction (v1.14+) | boolean | read-write (null) | An indication of whether clients are required to invoke the ChangePassword action to modify account passwords.
RestrictedOemPrivileges (v1.8+) [ ] | array (string) | read-only | The set of restricted OEM privileges.
RestrictedPrivileges (v1.8+) [ ] | array (string (enum)) | read-only | The set of restricted Redfish privileges. For the possible property values, see RestrictedPrivileges in Property details.
Roles {} | object | | The collection of Redfish roles.
ServiceEnabled | boolean | read-write (null) | An indication of whether the account service is enabled. If true, it is enabled. If false, it is disabled and users cannot be created, deleted, or modified, and new sessions cannot be started. However, established sessions might still continue to run. Any service, such as the session service, that attempts to access the disabled account service fails. However, this does not affect HTTP Basic Authentication connections.
Status {} | object | | The status and health of the resource and its subordinate or dependent resources. See the Resource schema for details on this property.
SupportedAccountTypes (v1.8+) [ ] | array (string (enum)) | read-only | The account types supported by the service. For the possible property values, see SupportedAccountTypes in Property details.
SupportedOEMAccountTypes (v1.8+) [ ] | array (string) | read-only | The OEM account types supported by the service.
TACACSplus (v1.8+) {} | object | (null) | The first TACACS+ external account provider that this account service supports. For more information about this property, see ExternalAccountProvider in Property details.
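The four AccountLockout* properties interact in ways that are easy to misconfigure: the counter only accumulates failures that arrive within AccountLockoutCounterResetAfter of each other, a duration of 0 disables lockout, and disabling the counter reset turns a lockout into one that only an administrator can clear. The following Python model is an example added to this page, not DMTF reference code; it implements the semantics exactly as the property notes describe them, with class and method names that are this example's own, and it enforces the stated constraint that AccountLockoutCounterResetAfter must not exceed AccountLockoutDuration.

```python
"""Account lockout state machine following the AccountLockout* property semantics
described in the AccountService schema (example added here; not DMTF reference code)."""
import math
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    threshold: int              # AccountLockoutThreshold: failures allowed; 0 = never lock
    duration: int               # AccountLockoutDuration (s): 0 = no lockout; ignored if reset_enabled is False
    reset_after: int            # AccountLockoutCounterResetAfter (s): idle time after which the counter resets
    reset_enabled: bool = True  # AccountLockoutCounterResetEnabled (absent => true)

    def __post_init__(self):
        # Constraint stated by the schema: ResetAfter <= Duration.
        if self.reset_after > self.duration:
            raise ValueError("AccountLockoutCounterResetAfter must be <= AccountLockoutDuration")


@dataclass
class AccountState:
    failures: int = 0
    last_failure: Optional[float] = None
    locked_until: Optional[float] = None   # None = not locked; math.inf = until administrator reset


class LockoutTracker:
    """Tracks failed logins per account and applies the lockout policy."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.state: Dict[str, AccountState] = {}

    def _get(self, account: str) -> AccountState:
        return self.state.setdefault(account, AccountState())

    def is_locked(self, account: str, now: float) -> bool:
        st = self._get(account)
        if st.locked_until is None:
            return False
        if now < st.locked_until:
            return True
        # Duration has elapsed. Because ResetAfter <= Duration, the counter's
        # idle reset is also due by now, so clear it together with the lock.
        st.locked_until = None
        st.failures = 0
        return False

    def attempt(self, account: str, credential_ok: bool, now: float) -> str:
        """Process one login attempt at time `now`; returns 'locked', 'failed' or 'success'."""
        st = self._get(account)
        if self.is_locked(account, now):
            return "locked"
        # Idle reset: failures older than ResetAfter no longer count (only when reset is enabled).
        if (self.policy.reset_enabled and st.last_failure is not None
                and now - st.last_failure >= self.policy.reset_after):
            st.failures = 0
        if credential_ok:
            st.failures = 0            # a successful login always clears the counter
            st.last_failure = None
            return "success"
        st.failures += 1
        st.last_failure = now
        if self.policy.threshold and st.failures >= self.policy.threshold:
            if not self.policy.reset_enabled:
                st.locked_until = math.inf          # indefinite: only admin_reset() unlocks
                return "locked"
            if self.policy.duration > 0:
                st.locked_until = now + self.policy.duration
                return "locked"
            # duration == 0 with reset enabled: the schema says no lockout occurs
        return "failed"

    def admin_reset(self, account: str) -> None:
        """Administrator-issued reset: clears both the counter and any lock."""
        self.state[account] = AccountState()

    def failure_count(self, account: str) -> int:
        return self._get(account).failures


if __name__ == "__main__":
    # Values from the example response on this page: 5 attempts, 30 s lock, 30 s counter reset.
    tracker = LockoutTracker(LockoutPolicy(threshold=5, duration=30, reset_after=30))
    for t in range(5):
        print(t, tracker.attempt("alice", False, t))
    print(34, tracker.attempt("alice", True, 34))
```

Running the module with the page's example values shows four "failed" results, a "locked" on the fifth attempt, and a "success" once 30 seconds have passed; the same tracker with `reset_enabled=False` would have answered "locked" at second 34 as well.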

Property details

AccountProviderType

 

The type of external account provider to which this service connects.

string | Description
ActiveDirectoryService | An external Active Directory service.
LDAPService | A generic external LDAP service.
OAuth2 (v1.10+) | An external OAuth 2.0 service.
OEM | An OEM-specific external authentication or directory service.
RedfishService | An external Redfish service.
TACACSplus (v1.8+) | An external TACACS+ service.

Authentication

 

The information required to authenticate to the external service.

Property | Type | Attributes | Notes
AuthenticationType (v1.3+) | string (enum) | read-write (null) | The type of authentication used to connect to the external account provider. For the possible property values, see AuthenticationType in Property details.
EncryptionKey (v1.8+) | string | read-write (null) | Specifies the encryption key.
EncryptionKeySet (v1.8+) | boolean | read-only (null) | Indicates if the EncryptionKey property is set.
KerberosKeytab (v1.3+) | string | read-write (null) | The Base64-encoded Kerberos keytab for this service. A PATCH or PUT operation writes the keytab. This property is null in responses.
Oem (v1.3+) {} | object | | The OEM extension property. See the Resource schema for details on this property.
Password (v1.3+) | string | read-write (null) | The password for this service. A PATCH or PUT request writes the password. This property is null in responses.
Token (v1.3+) | string | read-write (null) | The token for this service. A PATCH or PUT operation writes the token. This property is null in responses.
Username (v1.3+) | string | read-write | The username for the service.

AuthenticationType

 

The type of authentication used to connect to the external account provider.

string | Description
KerberosKeytab | A Kerberos keytab.
OEM | An OEM-specific authentication mechanism.
Token | An opaque authentication token.
UsernameAndPassword | A username and password combination.

CertificateMappingAttribute

 

The client certificate attribute to map to a user.

string | Description
CommonName | Match the Common Name (CN) field in the provided certificate to the username.
UserPrincipalName | Match the User Principal Name (UPN) field in the provided certificate to the username.
Whole | Match the whole certificate.

ExternalAccountProvider

 

The external account provider services that can provide accounts for this manager to use for authentication.

Property | Type | Attributes | Notes
AccountProviderType (v1.3+, deprecated v1.5) | string (enum) | read-only (null) | The type of external account provider to which this service connects. For the possible property values, see AccountProviderType in Property details. Deprecated in v1.5 and later. This property is deprecated because the account provider type is known when used in the LDAP and ActiveDirectory objects.
Authentication (v1.3+) {} | object | | The authentication information for the external account provider. For more information about this property, see Authentication in Property details.
Certificates (v1.4+) {} | object | | The link to a collection of certificates that the external account provider uses.
LDAPService (v1.3+) {} | object | | The additional mapping information needed to parse a generic LDAP service. For more information about this property, see LDAPService in Property details.
OAuth2Service (v1.10+) {} | object | (null) | The additional information needed to parse an OAuth 2.0 service. For more information about this property, see OAuth2Service in Property details.
PasswordSet (v1.7+) | boolean | read-only | Indicates if the Password property is set.
Priority (v1.8+) | integer | read-write (null) | The authentication priority for the external account provider.
RemoteRoleMapping (v1.3+) [ { | array | | The mapping rules to convert the external account provider's account information to the local Redfish role.
      LocalAccountTypes (v1.16+) [ ] | array (string (enum)) | read-write (null) | The list of local services in the manager that the remote user or group is allowed to access. For the possible property values, see LocalAccountTypes in Property details.
      LocalOEMAccountTypes (v1.16+) [ ] | array (string, null) | read-write | The OEM account types for the remote user or group.
      LocalRole (v1.3+) | string | read-write (null) | The name of the local Redfish role to which to map the remote user or group.
      MFABypass (v1.12+) {} | object | (null) | The multi-factor authentication bypass settings. See the AccountService.v1_18_1 schema for details on this property.
      Oem (v1.3+) {} | object | | The OEM extension property. See the Resource schema for details on this property.
      RemoteGroup (v1.3+) | string | read-write (null) | The name of the remote group, or the remote role in the case of a Redfish service, that maps to the local Redfish role to which this entity links.
      RemoteUser (v1.3+) | string | read-write (null) | The name of the remote user that maps to the local Redfish role to which this entity links.
} ]
Retries (v1.13+) | integer | read-write (null) | The number of times to retry connecting to an address in the ServiceAddresses property before attempting the next address in the array.
ServiceAddresses (v1.3+) [ ] | array (string, null) | read-write | The addresses of the user account providers to which this external account provider links. The format of this field depends on the type of external account provider.
ServiceEnabled (v1.3+) | boolean | read-write (null) | An indication of whether this service is enabled.
TACACSplusService (v1.8+) {} | object | (null) | The additional information needed to parse a TACACS+ service. For more information about this property, see TACACSplusService in Property details.
TimeoutSeconds (v1.13+) | integer | read-write (null) | The period of time, in seconds, that this account service waits for a response from an address of a user account provider before timing out.

HTTPBasicAuth

 

Indicates if HTTP Basic authentication is enabled for this service.

string | Description
Disabled | HTTP Basic authentication is disabled.
Enabled | HTTP Basic authentication is enabled.
Unadvertised | HTTP Basic authentication is enabled, but is not advertised with the WWW-Authenticate response header.

idRef

 
Property | Type | Attributes | Notes
@odata.id | string (URI) | read-only | The unique identifier for a resource.

LDAPService

 

The settings required to parse a generic LDAP service.

Property | Type | Attributes | Notes
Oem (v1.3+) {} | object | | The OEM extension property. See the Resource schema for details on this property.
SearchSettings (v1.3+) { | object | | The required settings to search an external LDAP service.
      BaseDistinguishedNames (v1.3+) [ ] | array (string, null) | read-write | The base distinguished names to use to search an external LDAP service.
      EmailAttribute (v1.14+) | string | read-write (null) | The attribute name that contains the LDAP user's email address.
      GroupNameAttribute (v1.3+) | string | read-write (null) | The attribute name that contains the LDAP group name entry.
      GroupsAttribute (v1.3+) | string | read-write (null) | The attribute name that contains the groups for a user on the LDAP user entry.
      SSHKeyAttribute (v1.11+) | string | read-write (null) | The attribute name that contains the LDAP user's SSH public key entry.
      UsernameAttribute (v1.3+) | string | read-write (null) | The attribute name that contains the LDAP username entry.
}

LocalAccountAuth

 

An indication of how the service uses the accounts collection within this account service as part of authentication. The enumerated values describe the details for each mode.

string | Description
Disabled | The service never authenticates users based on the account service-defined accounts collection.
Enabled | The service authenticates users based on the account service-defined accounts collection.
Fallback | The service authenticates users based on the account service-defined accounts collection only if any external account providers are currently unreachable.
LocalFirst (v1.6+) | The service first authenticates users based on the account service-defined accounts collection. If authentication fails, the service authenticates by using external account providers.

LocalAccountTypes

 

The list of local services in the manager that the remote user or group is allowed to access.

string | Description
ControlPanel | Allow PIN-based access via an external control panel, such as a keypad, touchscreen, or other human interface.
HostConsole | Allow access to the host's console, which could be connected through Telnet, SSH, or another protocol.
IPMI | Allow access to the Intelligent Platform Management Interface service.
KVMIP | Allow access to a Keyboard-Video-Mouse over IP session.
ManagerConsole | Allow access to the manager's console, which could be connected through Telnet, SSH, SM CLP, or another protocol.
OEM | OEM account type. See the OEMAccountTypes property.
Redfish | Allow access to the Redfish service.
SNMP | Allow access to SNMP services.
VirtualMedia | Allow access to control virtual media.
WebUI | Allow access to a web user interface session, such as a graphical interface or another web-based protocol.

Mode

 

The mode of operation for token validation.

string | Description
Discovery | OAuth 2.0 service information for token validation is downloaded by the service.
Offline | OAuth 2.0 service information for token validation is configured by a client. Clients should configure the Issuer and OAuthServiceSigningKeys properties for this mode.

OAuth2Service

 

Various settings to parse an OAuth 2.0 service.

Property | Type | Attributes | Notes
Audience (v1.10+) [ ] | array (string) | read-only | The allowable audience strings of the Redfish service.
Issuer (v1.10+) | string | read-write (null) | The issuer string of the OAuth 2.0 service. Clients should configure this property if Mode contains Offline.
Mode (v1.10+) | string (enum) | read-write | The mode of operation for token validation. For the possible property values, see Mode in Property details.
OAuthServiceSigningKeys (v1.10+) | string | read-write (null) | The Base64-encoded signing keys of the issuer of the OAuth 2.0 service. Clients should configure this property if Mode contains Offline.
Oem (v1.13+) {} | object | | The OEM extension property. See the Resource schema for details on this property.

PasswordExchangeProtocols

 

Indicates the allowed TACACS+ password exchange protocols.

string | Description
ASCII | The ASCII Login method.
CHAP | The CHAP Login method.
MSCHAPv1 | The MS-CHAP v1 Login method.
MSCHAPv2 | The MS-CHAP v2 Login method.
PAP | The PAP Login method.

RestrictedPrivileges

 

The set of restricted Redfish privileges.

string | Description
AdministrateStorage | Administrator for storage subsystems and storage systems found in the storage collection and storage system collection respectively.
AdministrateSystems | Administrator for systems found in the systems collection. Able to manage boot configuration, keys, and certificates for systems.
ConfigureComponents | Can configure components that this service manages.
ConfigureCompositionInfrastructure | Can view and configure composition service resources.
ConfigureManager | Can configure managers.
ConfigureSelf | Can change the password for the current user account, log out of their own sessions, and perform operations on resources they created. Services will need to be aware of resource ownership to map this privilege to an operation from a particular user.
ConfigureUsers | Can configure users and their accounts.
Login | Can log in to the service and read resources.
NoAuth | Authentication is not required.
OperateStorageBackup | Operator for storage backup functionality for storage subsystems and storage systems found in the storage collection and storage system collection respectively.
OperateSystems | Operator for systems found in the systems collection. Able to perform resets and configure interfaces.

SupportedAccountTypes

 

The account types supported by the service.

string | Description
ControlPanel | Allow PIN-based access via an external control panel, such as a keypad, touchscreen, or other human interface.
HostConsole | Allow access to the host's console, which could be connected through Telnet, SSH, or another protocol.
IPMI | Allow access to the Intelligent Platform Management Interface service.
KVMIP | Allow access to a Keyboard-Video-Mouse over IP session.
ManagerConsole | Allow access to the manager's console, which could be connected through Telnet, SSH, SM CLP, or another protocol.
OEM | OEM account type. See the OEMAccountTypes property.
Redfish | Allow access to the Redfish service.
SNMP | Allow access to SNMP services.
VirtualMedia | Allow access to control virtual media.
WebUI | Allow access to a web user interface session, such as a graphical interface or another web-based protocol.

TACACSplusService

 

Various settings to parse a TACACS+ service.

Property | Type | Attributes | Notes
AuthorizationService (v1.13+) | string | read-write | The TACACS+ service authorization argument.
Oem (v1.13+) {} | object | | The OEM extension property. See the Resource schema for details on this property.
PasswordExchangeProtocols (v1.8+) [ ] | array (string (enum)) | read-write (null) | Indicates the allowed TACACS+ password exchange protocols. For the possible property values, see PasswordExchangeProtocols in Property details.
PrivilegeLevelArgument (v1.8+) | string | read-write (null) | Indicates the name of the TACACS+ argument in an authorization request.

Example response

{
  "@odata.type": "#AccountService.v1_18_1.AccountService",
  "Id": "AccountService",
  "Name": "Account Service",
  "Description": "Local Manager Account Service",
  "Status": {
    "State": "Enabled",
    "Health": "OK"
  },
  "ServiceEnabled": true,
  "AuthFailureLoggingThreshold": 3,
  "MinPasswordLength": 8,
  "EnforcePasswordHistoryCount": 5,
  "PasswordGuidanceMessageId": "ContosoService.1.2.PasswordComplexity",
  "PasswordGuidanceMessage": "Password must contain at least three of the following: an uppercase character, a lowercase character, a numeric digit, or a punctuation character",
  "AccountLockoutThreshold": 5,
  "AccountLockoutDuration": 30,
  "AccountLockoutCounterResetAfter": 30,
  "AccountLockoutCounterResetEnabled": true,
  "Accounts": {
    "@odata.id": "/redfish/v1/AccountService/Accounts"
  },
  "Roles": {
    "@odata.id": "/redfish/v1/AccountService/Roles"
  },
  "LocalAccountAuth": "Enabled",
  "LDAP": {
    "AccountProviderType": "LDAPService",
    "ServiceEnabled": false,
    "ServiceAddresses": [
      "ldaps://ldap.example.org:636"
    ],
    "Authentication": {
      "AuthenticationType": "UsernameAndPassword",
      "Username": "cn=Manager,dc=example,dc=org",
      "Password": null
    },
    "LDAPService": {
      "SearchSettings": {
        "BaseDistinguishedNames": [
          "dc=example,dc=org"
        ],
        "UsernameAttribute": "uid",
        "GroupsAttribute": "memberof"
      }
    },
    "RemoteRoleMapping": [
      {
        "RemoteUser": "cn=Manager,dc=example,dc=org",
        "LocalRole": "Administrator"
      },
      {
        "RemoteGroup": "cn=Admins,ou=Groups,dc=example,dc=org",
        "LocalRole": "Administrator"
      },
      {
        "RemoteGroup": "cn=PowerUsers,ou=Groups,dc=example,dc=org",
        "LocalRole": "Operator"
      },
      {
        "RemoteGroup": "(cn=*)",
        "LocalRole": "ReadOnly"
      }
    ]
  },
  "ActiveDirectory": {
    "AccountProviderType": "ActiveDirectoryService",
    "ServiceEnabled": true,
    "ServiceAddresses": [
      "ad1.example.org",
      "ad2.example.org",
      null,
      null
    ],
    "Authentication": {
      "AuthenticationType": "KerberosKeytab",
      "KerberosKeytab": null
    },
    "RemoteRoleMapping": [
      {
        "RemoteGroup": "Administrators",
        "LocalRole": "Administrator"
      },
      {
        "RemoteUser": "DOMAIN\\Bob",
        "LocalRole": "Operator"
      },
      {
        "RemoteGroup": "PowerUsers",
        "LocalRole": "Operator"
      },
      {
        "RemoteGroup": "Everybody",
        "LocalRole": "ReadOnly"
      }
    ]
  },
  "AdditionalExternalAccountProviders": {
    "@odata.id": "/redfish/v1/AccountService/ExternalAccountProviders"
  },
  "RequireChangePasswordAction": false,
  "@odata.id": "/redfish/v1/AccountService"
}
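When reviewing a response like the one above, the properties worth checking first are the password-length floor, whether HTTP Basic authentication is on, whether the lockout settings can actually lock anything (and respect the ResetAfter <= Duration constraint), whether disabling local accounts would leave no working authentication path, and what the remote role mappings grant. The following Python audit is an example added to this page, not DMTF code. The resource embedded in it is a constructed, abbreviated copy of the example response; the finding codes and the 12-character password floor are this example's own choices, and the cleartext check only fires on an explicit ldap:// scheme, since bare hostnames (as in the ActiveDirectory addresses) do not reveal the transport.

```python
"""Policy audit of a Redfish AccountService resource (example added to this page; not DMTF code)."""
import json

# Constructed sample: an abbreviated copy of the AccountService example response on this page.
SAMPLE = json.loads(r'''
{
  "ServiceEnabled": true,
  "MinPasswordLength": 8,
  "AccountLockoutThreshold": 5,
  "AccountLockoutDuration": 30,
  "AccountLockoutCounterResetAfter": 30,
  "AccountLockoutCounterResetEnabled": true,
  "LocalAccountAuth": "Enabled",
  "LDAP": {
    "ServiceEnabled": false,
    "ServiceAddresses": ["ldaps://ldap.example.org:636"],
    "RemoteRoleMapping": [
      {"RemoteUser": "cn=Manager,dc=example,dc=org", "LocalRole": "Administrator"},
      {"RemoteGroup": "cn=PowerUsers,ou=Groups,dc=example,dc=org", "LocalRole": "Operator"},
      {"RemoteGroup": "(cn=*)", "LocalRole": "ReadOnly"}
    ]
  },
  "ActiveDirectory": {
    "ServiceEnabled": true,
    "ServiceAddresses": ["ad1.example.org", "ad2.example.org", null, null],
    "RemoteRoleMapping": [
      {"RemoteGroup": "Administrators", "LocalRole": "Administrator"},
      {"RemoteGroup": "Everybody", "LocalRole": "ReadOnly"}
    ]
  }
}
''')

# Inline providers only; entries in the AdditionalExternalAccountProviders collection are not fetched here.
PROVIDER_KEYS = ("LDAP", "ActiveDirectory", "OAuth2", "TACACSplus")


def audit_account_service(svc, min_password_length=12):
    """Return a list of (code, message) findings for one AccountService resource."""
    findings = []

    # Password policy: the service minimum must meet the organisation's floor (12 is this example's choice).
    length = svc.get("MinPasswordLength")
    if length is None or length < min_password_length:
        findings.append(("WEAK_MIN_PASSWORD_LENGTH",
                         f"MinPasswordLength={length} is below the required {min_password_length}"))

    # HTTP Basic authentication: Enabled and Unadvertised both accept credentials on every request.
    basic = svc.get("HTTPBasicAuth")
    if basic is None:
        findings.append(("BASIC_AUTH_UNKNOWN", "HTTPBasicAuth is not reported; verify on the service"))
    elif basic in ("Enabled", "Unadvertised"):
        findings.append(("BASIC_AUTH_ENABLED", f"HTTPBasicAuth={basic}"))

    # Lockout: threshold 0 never locks; duration 0 means no lockout unless the counter never resets;
    # the schema requires ResetAfter <= Duration.
    threshold = svc.get("AccountLockoutThreshold") or 0
    duration = svc.get("AccountLockoutDuration") or 0
    reset_after = svc.get("AccountLockoutCounterResetAfter") or 0
    reset_enabled = svc.get("AccountLockoutCounterResetEnabled", True)
    if threshold == 0:
        findings.append(("LOCKOUT_DISABLED", "AccountLockoutThreshold=0: accounts are never locked"))
    elif reset_enabled and duration == 0:
        findings.append(("LOCKOUT_DURATION_ZERO", "AccountLockoutDuration=0: no lockout occurs"))
    if reset_after > duration:
        findings.append(("RESET_AFTER_GT_DURATION",
                         f"AccountLockoutCounterResetAfter={reset_after} exceeds AccountLockoutDuration={duration}"))

    # Availability: local accounts disabled with no enabled external provider leaves no way to log in.
    external_enabled = any((svc.get(k) or {}).get("ServiceEnabled") for k in PROVIDER_KEYS)
    if svc.get("LocalAccountAuth") == "Disabled" and not external_enabled:
        findings.append(("NO_AUTH_PATH", "LocalAccountAuth=Disabled and no external provider is enabled"))

    # External providers: transport and role-mapping hygiene.
    for key in PROVIDER_KEYS:
        provider = svc.get(key)
        if not provider:
            continue
        for addr in provider.get("ServiceAddresses") or []:
            if isinstance(addr, str) and addr.lower().startswith("ldap://"):
                findings.append(("CLEARTEXT_LDAP", f"{key}: {addr} uses ldap:// rather than ldaps://"))
        for rule in provider.get("RemoteRoleMapping") or []:
            group = rule.get("RemoteGroup") or ""
            subject = rule.get("RemoteUser") or group
            role = rule.get("LocalRole")
            if "*" in group:
                findings.append(("WILDCARD_ROLE_MAPPING", f"{key}: {group} -> {role} matches every group"))
            if role == "Administrator":
                findings.append(("ADMIN_ROLE_MAPPING", f"{key}: {subject} -> Administrator (review)"))
    return findings


def audit_codes(svc, **policy):
    """Sorted finding codes; convenient for tests and for diffing two managers."""
    return sorted(code for code, _ in audit_account_service(svc, **policy))


if __name__ == "__main__":
    for code, message in audit_account_service(SAMPLE):
        print(f"{code:26} {message}")
```

On the sample, the audit reports the 8-character minimum, the unreported HTTPBasicAuth value, the catch-all `(cn=*)` group mapping, and the two mappings that grant Administrator; the lockout settings pass because 30 <= 30 and the threshold is non-zero.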

Certificate 1.10.0

 
Version: v1.10
Release: 2025.2

Description

The Certificate schema describes a certificate that proves the identity of a component, account, or service.

URIs

/redfish/v1/AccountService/Accounts/{ManagerAccountId}/Certificates/{CertificateId}
/redfish/v1/AccountService/ActiveDirectory/Certificates/{CertificateId}
/redfish/v1/AccountService/ExternalAccountProviders/{ExternalAccountProviderId}/Certificates/{CertificateId}
/redfish/v1/AccountService/LDAP/Certificates/{CertificateId}
/redfish/v1/AccountService/MultiFactorAuth/ClientCertificate/Certificates/{CertificateId}
/redfish/v1/AccountService/MultiFactorAuth/SecurID/Certificates/{CertificateId}
/redfish/v1/AccountService/OutboundConnections/{OutboundConnectionId}/Certificates/{CertificateId}
/redfish/v1/AccountService/OutboundConnections/{OutboundConnectionId}/ClientCertificates/{CertificateId}
/redfish/v1/Chassis/{ChassisId}/Certificates/{CertificateId}
/redfish/v1/Chassis/{ChassisId}/Drives/{DriveId}/Certificates/{CertificateId}
/redfish/v1/Chassis/{ChassisId}/Memory/{MemoryId}/Certificates/{CertificateId}
/redfish/v1/Chassis/{ChassisId}/NetworkAdapters/{NetworkAdapterId}/Certificates/{CertificateId}
/redfish/v1/Chassis/{ChassisId}/PowerSubsystem/PowerSupplies/{PowerSupplyId}/Certificates/{CertificateId}
/redfish/v1/Chassis/{ChassisId}/TrustedComponents/{TrustedComponentId}/Certificates/{CertificateId}
/redfish/v1/CompositionService/ResourceBlocks/{ResourceBlockId}/Drives/{DriveId}/Certificates/{CertificateId}
/redfish/v1/CompositionService/ResourceBlocks/{ResourceBlockId}/Memory/{MemoryId}/Certificates/{CertificateId}
/redfish/v1/CompositionService/ResourceBlocks/{ResourceBlockId}/Processors/{ProcessorId}/Certificates/{CertificateId}
/redfish/v1/CompositionService/ResourceBlocks/{ResourceBlockId}/Storage/{StorageId}/Controllers/{StorageControllerId}/Certificates/{CertificateId}
/redfish/v1/CompositionService/ResourceBlocks/{ResourceBlockId}/Storage/{StorageId}/Drives/{DriveId}/Certificates/{CertificateId} (deprecated)
/redfish/v1/CompositionService/ResourceBlocks/{ResourceBlockId}/Storage/{StorageId}/StorageControllers/{StorageControllerId}/Certificates/{CertificateId}
/redfish/v1/CompositionService/ResourceBlocks/{ResourceBlockId}/Systems/{ComputerSystemId}/Boot/Certificates/{CertificateId}
/redfish/v1/CompositionService/ResourceBlocks/{ResourceBlockId}/Systems/{ComputerSystemId}/Certificates/{CertificateId}
/redfish/v1/CompositionService/ResourceBlocks/{ResourceBlockId}/Systems/{ComputerSystemId}/KeyManagement/KMIPCertificates/{CertificateId}
/redfish/v1/CompositionService/ResourceBlocks/{ResourceBlockId}/Systems/{ComputerSystemId}/Memory/{MemoryId}/Certificates/{CertificateId}
/redfish/v1/CompositionService/ResourceBlocks/{ResourceBlockId}/Systems/{ComputerSystemId}/Processors/{ProcessorId}/Certificates/{CertificateId}
/redfish/v1/CompositionService/ResourceBlocks/{ResourceBlockId}/Systems/{ComputerSystemId}/SecureBoot/SecureBootDatabases/{DatabaseId}/Certificates/{CertificateId}
/redfish/v1/CompositionService/ResourceBlocks/{ResourceBlockId}/Systems/{ComputerSystemId}/Storage/{StorageId}/Controllers/{StorageControllerId}/Certificates/{CertificateId}
/redfish/v1/CompositionService/ResourceBlocks/{ResourceBlockId}/Systems/{ComputerSystemId}/Storage/{StorageId}/Drives/{DriveId}/Certificates/{CertificateId} (deprecated)
/redfish/v1/CompositionService/ResourceBlocks/{ResourceBlockId}/Systems/{ComputerSystemId}/Storage/{StorageId}/StorageControllers/{StorageControllerId}/Certificates/{CertificateId}
/redfish/v1/CompositionService/ResourceBlocks/{ResourceBlockId}/Systems/{ComputerSystemId}/VirtualMedia/{VirtualMediaId}/Certificates/{CertificateId}
/redfish/v1/CompositionService/ResourceBlocks/{ResourceBlockId}/Systems/{ComputerSystemId}/VirtualMedia/{VirtualMediaId}/ClientCertificates/{CertificateId}
/redfish/v1/EventService/Subscriptions/{EventDestinationId}/Certificates/{CertificateId}
/redfish/v1/EventService/Subscriptions/{EventDestinationId}/ClientCertificates/{CertificateId}
/redfish/v1/Fabrics/{FabricId}/Switches/{SwitchId}/Certificates/{CertificateId}
/redfish/v1/Managers/{ManagerId}/Certificates/{CertificateId}
/redfish/v1/Managers/{ManagerId}/NetworkProtocol/HTTPS/Certificates/{CertificateId}
/redfish/v1/Managers/{ManagerId}/RemoteAccountService/Accounts/{ManagerAccountId}/Certificates/{CertificateId}
/redfish/v1/Managers/{ManagerId}/RemoteAccountService/ActiveDirectory/Certificates/{CertificateId}
/redfish/v1/Managers/{ManagerId}/RemoteAccountService/ExternalAccountProviders/{ExternalAccountProviderId}/Certificates/{CertificateId}
/redfish/v1/Managers/{ManagerId}/RemoteAccountService/LDAP/Certificates/{CertificateId}
/redfish/v1/Managers/{ManagerId}/RemoteAccountService/MultiFactorAuth/ClientCertificate/Certificates/{CertificateId}
/redfish/v1/Managers/{ManagerId}/RemoteAccountService/MultiFactorAuth/SecurID/Certificates/{CertificateId}
/redfish/v1/Managers/{ManagerId}/SecurityPolicy/SPDM/RevokedCertificates/{CertificateId}
/redfish/v1/Managers/{ManagerId}/SecurityPolicy/SPDM/TrustedCertificates/{CertificateId}
/redfish/v1/Managers/{ManagerId}/SecurityPolicy/TLS/Client/RevokedCertificates/{CertificateId}
/redfish/v1/Managers/{ManagerId}/SecurityPolicy/TLS/Client/TrustedCertificates/{CertificateId}
/redfish/v1/Managers/{ManagerId}/SecurityPolicy/TLS/Server/RevokedCertificates/{CertificateId}
/redfish/v1/Managers/{ManagerId}/SecurityPolicy/TLS/Server/TrustedCertificates/{CertificateId}
/redfish/v1/ResourceBlocks/{ResourceBlockId}/Drives/{DriveId}/Certificates/{CertificateId}
/redfish/v1/ResourceBlocks/{ResourceBlockId}/Memory/{MemoryId}/Certificates/{CertificateId}
/redfish/v1/ResourceBlocks/{ResourceBlockId}/Processors/{ProcessorId}/Certificates/{CertificateId}
/redfish/v1/ResourceBlocks/{ResourceBlockId}/Storage/{StorageId}/Controllers/{StorageControllerId}/Certificates/{CertificateId}
/redfish/v1/ResourceBlocks/{ResourceBlockId}/Storage/{StorageId}/Drives/{DriveId}/Certificates/{CertificateId} (deprecated)
/redfish/v1/ResourceBlocks/{ResourceBlockId}/Storage/{StorageId}/StorageControllers/{StorageControllerId}/Certificates/{CertificateId}
/redfish/v1/ResourceBlocks/{ResourceBlockId}/Systems/{ComputerSystemId}/Boot/Certificates/{CertificateId}
/redfish/v1/ResourceBlocks/{ResourceBlockId}/Systems/{ComputerSystemId}/Certificates/{CertificateId}
/redfish/v1/ResourceBlocks/{ResourceBlockId}/Systems/{ComputerSystemId}/KeyManagement/KMIPCertificates/{CertificateId}
/redfish/v1/ResourceBlocks/{ResourceBlockId}/Systems/{ComputerSystemId}/Memory/{MemoryId}/Certificates/{CertificateId}
/redfish/v1/ResourceBlocks/{ResourceBlockId}/Systems/{ComputerSystemId}/Processors/{ProcessorId}/Certificates/{CertificateId}
/redfish/v1/ResourceBlocks/{ResourceBlockId}/Systems/{ComputerSystemId}/SecureBoot/SecureBootDatabases/{DatabaseId}/Certificates/{CertificateId}
/redfish/v1/ResourceBlocks/{ResourceBlockId}/Systems/{ComputerSystemId}/Storage/{StorageId}/Controllers/{StorageControllerId}/Certificates/{CertificateId}
/redfish/v1/ResourceBlocks/{ResourceBlockId}/Systems/{ComputerSystemId}/Storage/{StorageId}/Drives/{DriveId}/Certificates/{CertificateId} (deprecated)
/redfish/v1/ResourceBlocks/{ResourceBlockId}/Systems/{ComputerSystemId}/Storage/{StorageId}/StorageControllers/{StorageControllerId}/Certificates/{CertificateId}
/redfish/v1/ResourceBlocks/{ResourceBlockId}/Systems/{ComputerSystemId}/VirtualMedia/{VirtualMediaId}/Certificates/{CertificateId}
/redfish/v1/ResourceBlocks/{ResourceBlockId}/Systems/{ComputerSystemId}/VirtualMedia/{VirtualMediaId}/ClientCertificates/{CertificateId}
/redfish/v1/Storage/{StorageId}/Controllers/{StorageControllerId}/Certificates/{CertificateId}
/redfish/v1/Storage/{StorageId}/StorageControllers/{StorageControllerId}/Certificates/{CertificateId}
/redfish/v1/Systems/{ComputerSystemId}/Boot/Certificates/{CertificateId}
/redfish/v1/Systems/{ComputerSystemId}/Certificates/{CertificateId}
/redfish/v1/Systems/{ComputerSystemId}/KeyManagement/KMIPCertificates/{CertificateId}
/​redfish/​v1/​Systems/​{ComputerSystemId}/​Memory/​{MemoryId}/​Certificates/​{CertificateId}
/​redfish/​v1/​Systems/​{ComputerSystemId}/​Processors/​{ProcessorId}/​Certificates/​{CertificateId}
/​redfish/​v1/​Systems/​{ComputerSystemId}/​SecureBoot/​SecureBootDatabases/​{DatabaseId}/​Certificates/​{CertificateId}
/​redfish/​v1/​Systems/​{ComputerSystemId}/​Storage/​{StorageId}/​Controllers/​{StorageControllerId}/​Certificates/​{CertificateId}
/​redfish/​v1/​Systems/​{ComputerSystemId}/​Storage/​{StorageId}/​Drives/​{DriveId}/​Certificates/​{CertificateId} (deprecated)
/​redfish/​v1/​Systems/​{ComputerSystemId}/​Storage/​{StorageId}/​StorageControllers/​{StorageControllerId}/​Certificates/​{CertificateId}
/​redfish/​v1/​Systems/​{ComputerSystemId}/​VirtualMedia/​{VirtualMediaId}/​Certificates/​{CertificateId}
/​redfish/​v1/​Systems/​{ComputerSystemId}/​VirtualMedia/​{VirtualMediaId}/​ClientCertificates/​{CertificateId}
/​redfish/​v1/​UpdateService/​ClientCertificates/​{CertificateId}
/​redfish/​v1/​UpdateService/​RemoteServerCertificates/​{CertificateId}

Properties

| Property | Type | Attributes | Notes |
| --- | --- | --- | --- |
| Actions { | object | | The available actions for this resource. |
|       #Certificate.Rekey (v1.1+) {} | object | | This action generates a new key-pair for a certificate and produces a certificate signing request. For more information, see the Actions section below. |
|       #Certificate.Renew (v1.1+) {} | object | | This action generates a certificate signing request by using the existing information and key-pair of the certificate. For more information, see the Actions section below. |
| } | | | |
| CertificateString | string | read-only required on create (null) | The string for the certificate. |
| CertificateType | string (enum) | read-only required on create (null) | The format of the certificate. For the possible property values, see CertificateType in Property details. |
| CertificateUsageTypes (v1.4+) [ ] | array (string (enum)) | read-only (null) | The types or purposes for this certificate. For the possible property values, see CertificateUsageTypes in Property details. |
| Fingerprint (v1.3+) | string | read-only | The fingerprint of the certificate. |
| FingerprintHashAlgorithm (v1.3+) | string | read-only | The hash algorithm for the fingerprint of the certificate. |
| Issuer { | object | | The issuer of the certificate. |
|       AdditionalCommonNames (v1.6+) [ ] | array (string, null) | read-only | Additional common names of the entity. |
|       AdditionalOrganizationalUnits (v1.6+) [ ] | array (string, null) | read-only | Additional organizational units of the entity. |
|       AlternativeNames (v1.7+) [ ] | array (string, null) | read-only | The additional host names of the entity. |
|       City | string | read-only | The city or locality of the organization of the entity. |
|       CommonName | string | read-only | The common name of the entity. |
|       Country | string | read-only | The country of the organization of the entity. |
|       DisplayString (v1.6+) | string | read-only (null) | A human-readable string for this identifier. |
|       DomainComponents (v1.6+) [ ] | array (string, null) | read-only | The domain components of the entity. |
|       Email | string | read-only (null) | The email address of the contact within the organization of the entity. |
|       Organization | string | read-only | The name of the organization of the entity. |
|       OrganizationalUnit | string | read-only | The name of the unit or division of the organization of the entity. |
|       State | string | read-only | The state, province, or region of the organization of the entity. |
| } | | | |
| KeyUsage [ ] | array (string (enum)) | read-only (null) | The key usage extension, which defines the purpose of the public keys in this certificate. For the possible property values, see KeyUsage in Property details. |
| Links (v1.4+) { | object | | The links to other resources that are related to this resource. |
|       Issuer (v1.4+) { | object (null) | | A link to the certificate of the CA that issued this certificate. |
|             @odata.id | string (URI) | read-only | The unique identifier for a resource. |
|       } | | | |
|       Oem {} | object | | The OEM extension property. See the Resource schema for details on this property. |
|       Subjects (v1.4+) [ { | array | | An array of links to certificates that were issued by the CA that is represented by this certificate. |
|             @odata.id | string (URI) | read-only | The unique identifier for a resource. |
|       } ] | | | |
| } | | | |
| Oem {} | object | | The OEM extension property. See the Resource schema for details on this property. |
| Password (v1.10+) | string | read-write (null) | The password for the certificate. |
| SerialNumber (v1.3+) | string | read-only | The serial number of the certificate. |
| SignatureAlgorithm (v1.3+) | string | read-only | The algorithm used for creating the signature of the certificate. |
| SPDM (v1.5+) { | object | | SPDM-related information for the certificate. |
|       SlotId (v1.5+) | integer | read-only (null) | Slot identifier of the certificate. |
| } | | | |
| Status (v1.10+) {} | object | | The status and health of the resource and its subordinate or dependent resources. See the Resource schema for details on this property. |
| Subject { | object | | The subject of the certificate. |
|       AdditionalCommonNames (v1.6+) [ ] | array (string, null) | read-only | Additional common names of the entity. |
|       AdditionalOrganizationalUnits (v1.6+) [ ] | array (string, null) | read-only | Additional organizational units of the entity. |
|       AlternativeNames (v1.7+) [ ] | array (string, null) | read-only | The additional host names of the entity. |
|       City | string | read-only | The city or locality of the organization of the entity. |
|       CommonName | string | read-only | The common name of the entity. |
|       Country | string | read-only | The country of the organization of the entity. |
|       DisplayString (v1.6+) | string | read-only (null) | A human-readable string for this identifier. |
|       DomainComponents (v1.6+) [ ] | array (string, null) | read-only | The domain components of the entity. |
|       Email | string | read-only (null) | The email address of the contact within the organization of the entity. |
|       Organization | string | read-only | The name of the organization of the entity. |
|       OrganizationalUnit | string | read-only | The name of the unit or division of the organization of the entity. |
|       State | string | read-only | The state, province, or region of the organization of the entity. |
| } | | | |
| UefiSignatureOwner (v1.2+) | string (uuid) | read-only (null) | The UEFI signature owner for this certificate. |
| ValidNotAfter | string (date-time) | read-only | The date when the certificate is no longer valid. |
| ValidNotBefore | string (date-time) | read-only | The date when the certificate becomes valid. |

Actions

Rekey (v1.1+)

Description

This action generates a new key-pair for a certificate and produces a certificate signing request.

Action URI

{Base URI of target resource}/Actions/Certificate.Rekey

Action parameters

| Parameter Name | Type | Attributes | Notes |
| --- | --- | --- | --- |
| ChallengePassword | string | optional | The challenge password to apply to the certificate for revocation requests. |
| KeyBitLength | integer | optional | The length of the key, in bits, if needed based on the KeyPairAlgorithm parameter value. |
| KeyCurveId | string | optional | The curve ID to use with the key, if needed based on the KeyPairAlgorithm parameter value. |
| KeyPairAlgorithm | string | optional | The type of key-pair for use with signing algorithms. |

Response Payload

| Property | Type | Attributes | Notes |
| --- | --- | --- | --- |
| Certificate (v1.1+) { | object | required | The link to the certificate being rekeyed. |
|       @odata.id | string (URI) | read-only | The unique identifier for a resource. |
| } | | | |
| CSRString (v1.1+) | string | read-only required | The string for the certificate signing request. |

Request Example

{
"KeyPairAlgorithm": "TPM_ALG_RSA",
"KeyBitLength": 4096
}

Response Example

{
"CSRString": "-----BEGIN CERTIFICATE REQUEST-----...-----END CERTIFICATE REQUEST-----",
"Certificate": {
"@odata.id": "/redfish/v1/Managers/BMC/NetworkProtocol/HTTPS/Certificates/1"
}
}

Renew (v1.1+)

Description

This action generates a certificate signing request by using the existing information and key-pair of the certificate.

Action URI

{Base URI of target resource}/Actions/Certificate.Renew

Action parameters

| Parameter Name | Type | Attributes | Notes |
| --- | --- | --- | --- |
| ChallengePassword | string | optional | The challenge password to apply to the certificate for revocation requests. |

Response Payload

| Property | Type | Attributes | Notes |
| --- | --- | --- | --- |
| Certificate (v1.1+) { | object | required | The link to the certificate being renewed. |
|       @odata.id | string (URI) | read-only | The unique identifier for a resource. |
| } | | | |
| CSRString (v1.1+) | string | read-only required | The string for the certificate signing request. |

Request Example

{
"ChallengePassword": "p4ssw0rd"
}

Response Example

{
"CSRString": "-----BEGIN CERTIFICATE REQUEST-----...-----END CERTIFICATE REQUEST-----",
"Certificate": {
"@odata.id": "/redfish/v1/Managers/BMC/NetworkProtocol/HTTPS/Certificates/1"
}
}

Property details

CertificateType

The format of the certificate.

| string | Description |
| --- | --- |
| PEM | A Privacy Enhanced Mail (PEM)-encoded single certificate. |
| PEMchain | A Privacy Enhanced Mail (PEM)-encoded certificate chain. |
| PKCS12 | A Base64-encoded PKCS12 certificate bundle. |
| PKCS7 | A Privacy Enhanced Mail (PEM)-encoded PKCS7 certificate. |

CertificateUsageTypes

The types or purposes for this certificate.

| string | Description |
| --- | --- |
| BIOS | This certificate is a BIOS certificate like those associated with UEFI. |
| Device | This certificate is a device type certificate like those associated with SPDM and other standards. |
| EK | This certificate is an EK certificate like those associated with TCG TPMs. |
| IAK | This certificate is an IAK certificate like those associated with TCG TPMs. |
| IDevID | This certificate is an IDevID certificate like those associated with TCG TPMs. |
| LAK | This certificate is an LAK certificate like those associated with TCG TPMs. |
| LDevID | This certificate is an LDevID certificate like those associated with TCG TPMs. |
| Platform | This certificate is a platform type certificate like those associated with SPDM and other standards. |
| SSH | This certificate is used for SSH. |
| User | This certificate is a user certificate like those associated with a manager account. |
| Web | This certificate is a web or HTTPS certificate like those used for event destinations. |

KeyUsage

The key usage extension, which defines the purpose of the public keys in this certificate.

| string | Description |
| --- | --- |
| ClientAuthentication | TLS WWW client authentication. |
| CodeSigning | Signs downloadable executable code. |
| CRLSigning | Verifies signatures on certificate revocation lists (CRLs). |
| DataEncipherment | Directly enciphers raw user data without an intermediate symmetric cipher. |
| DecipherOnly | Deciphers data while performing a key agreement. |
| DigitalSignature | Verifies digital signatures, other than signatures on certificates and CRLs. |
| EmailProtection | Email protection. |
| EncipherOnly | Enciphers data while performing a key agreement. |
| KeyAgreement | Key agreement. |
| KeyCertSign | Verifies signatures on public key certificates. |
| KeyEncipherment | Enciphers private or secret keys. |
| NonRepudiation | Verifies digital signatures, other than signatures on certificates and CRLs, and provides a non-repudiation service that protects against the signing entity falsely denying some action. |
| OCSPSigning | Signs OCSP responses. |
| ServerAuthentication | TLS WWW server authentication. |
| Timestamping | Binds the hash of an object to a time. |

Example response

{
"@odata.type": "#Certificate.v1_11_0.Certificate",
"Id": "1",
"Name": "HTTPS Certificate",
"CertificateString": "-----BEGIN CERTIFICATE-----\nMIIFsTCC [*truncated*] GXG5zljlu\n-----END CERTIFICATE-----",
"CertificateType": "PEM",
"Issuer": {
"Country": "US",
"State": "Oregon",
"City": "Portland",
"Organization": "Contoso",
"OrganizationalUnit": "ABC",
"CommonName": "manager.contoso.org"
},
"Subject": {
"Country": "US",
"State": "Oregon",
"City": "Portland",
"Organization": "Contoso",
"OrganizationalUnit": "ABC",
"CommonName": "manager.contoso.org"
},
"ValidNotBefore": "2018-09-07T13:22:05Z",
"ValidNotAfter": "2019-09-07T13:22:05Z",
"KeyUsage": [
"KeyEncipherment",
"ServerAuthentication"
],
"SerialNumber": "5d:7a:d8:df:f6:fc:c1:b3:ca:fe:fb:cc:38:f3:01:64:51:ea:05:cb",
"Fingerprint": "A6:E9:D2:5C:DC:52:DA:4B:3B:14:97:F3:A4:53:D9:99:A1:0B:56:41",
"FingerprintHashAlgorithm": "TPM_ALG_SHA1",
"SignatureAlgorithm": "sha256WithRSAEncryption",
"@odata.id": "/redfish/v1/Managers/BMC/NetworkProtocol/HTTPS/Certificates/1"
}
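As an added example (not DMTF or vendor code), the following audit reads a Certificate payload like the example response above, checks the validity window, self-signing, signature and fingerprint algorithms, and that the KeyUsage values match the CertificateUsageTypes, then prepares the Certificate.Rekey request from the Actions section. The sample payload is constructed from the example response; the mapping of usage types to expected KeyUsage values is the auditor's own policy, not a schema rule.

```python
"""Audit a Redfish Certificate payload and prepare the Certificate.Rekey
request used to replace it (added example; not DMTF or vendor code)."""
from datetime import datetime, timedelta

# Constructed sample, modelled on the Certificate example response above.
SAMPLE_CERT = {
    "@odata.id": "/redfish/v1/Managers/BMC/NetworkProtocol/HTTPS/Certificates/1",
    "CertificateType": "PEM",
    "CertificateUsageTypes": ["Web"],
    "Issuer": {"Country": "US", "Organization": "Contoso",
               "CommonName": "manager.contoso.org"},
    "Subject": {"Country": "US", "Organization": "Contoso",
                "CommonName": "manager.contoso.org"},
    "ValidNotBefore": "2018-09-07T13:22:05Z",
    "ValidNotAfter": "2019-09-07T13:22:05Z",
    "KeyUsage": ["KeyEncipherment", "ServerAuthentication"],
    "FingerprintHashAlgorithm": "TPM_ALG_SHA1",
    "SignatureAlgorithm": "sha256WithRSAEncryption",
}

# KeyUsage values a certificate with a given CertificateUsageTypes entry is
# expected to carry. Assumption: this is the auditor's policy, not a schema rule.
EXPECTED_KEY_USAGE = {
    "Web": {"ServerAuthentication"},
    "User": {"ClientAuthentication"},
}


def parse_redfish_datetime(value):
    """Redfish date-time properties are ISO 8601; map the 'Z' suffix to +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_certificate(cert, now, expiry_warning_days=30):
    """Return a list of findings for one Certificate resource (empty = no concerns).

    `now` is an ISO 8601 string or a timezone-aware datetime."""
    if isinstance(now, str):
        now = parse_redfish_datetime(now)
    findings = []
    not_before = parse_redfish_datetime(cert["ValidNotBefore"])
    not_after = parse_redfish_datetime(cert["ValidNotAfter"])
    if now < not_before:
        findings.append("not yet valid")
    if now >= not_after:
        findings.append("expired")
    elif not_after - now < timedelta(days=expiry_warning_days):
        findings.append("expires within %d days" % expiry_warning_days)
    # Identical Issuer and Subject means the certificate is self-signed, so
    # TLS clients cannot chain it to a CA they already trust.
    if cert.get("Issuer") == cert.get("Subject"):
        findings.append("self-signed")
    # Common OpenSSL-style names; SHA-1 and MD5 signatures are obsolete.
    sig = (cert.get("SignatureAlgorithm") or "").lower()
    if sig.startswith(("sha1", "md5")):
        findings.append("weak signature algorithm %s" % cert["SignatureAlgorithm"])
    if cert.get("FingerprintHashAlgorithm") == "TPM_ALG_SHA1":
        findings.append("fingerprint hashed with SHA-1; verify via a stronger hash")
    key_usage = set(cert.get("KeyUsage") or [])
    for usage in cert.get("CertificateUsageTypes") or []:
        missing = EXPECTED_KEY_USAGE.get(usage, set()) - key_usage
        if missing:
            findings.append("usage %s lacks KeyUsage %s" % (usage, ", ".join(sorted(missing))))
    return findings


def rekey_request(cert, key_bits=4096):
    """Action URI and body for Certificate.Rekey, matching the Rekey request
    example above: a fresh RSA key-pair and a CSR to submit to a CA."""
    return (cert["@odata.id"] + "/Actions/Certificate.Rekey",
            {"KeyPairAlgorithm": "TPM_ALG_RSA", "KeyBitLength": key_bits})


if __name__ == "__main__":
    findings = audit_certificate(SAMPLE_CERT, "2019-08-20T00:00:00Z")
    for finding in findings:
        print(SAMPLE_CERT["@odata.id"], "-", finding)
    if findings:
        print("rekey via", *rekey_request(SAMPLE_CERT))
```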

ManagerAccount 1.14.0

Version v1.14
Release 2025.2

Description

The ManagerAccount schema defines the user accounts that are owned by a manager. Changes to a manager account might affect the current Redfish service connection if this manager is responsible for the Redfish service.

URIs

/​redfish/​v1/​AccountService/​Accounts/​{ManagerAccountId}
/​redfish/​v1/​Managers/​{ManagerId}/​RemoteAccountService/​Accounts/​{ManagerAccountId}

Properties

| Property | Type | Attributes | Notes |
| --- | --- | --- | --- |
| AccountExpiration (v1.8+) | string (date-time) | read-write (null) | Indicates the date and time when this account expires. If null, the account never expires. |
| AccountTypes (v1.4+) [ ] | array (string (enum)) | read-write required (null) | The list of services in the manager that the account is allowed to access. For the possible property values, see AccountTypes in Property details. |
| Actions (v1.1+) { | object | | The available actions for this resource. |
|       #ManagerAccount.ChangePassword (v1.11+) {} | object | | This action changes the account password. For more information, see the Actions section below. |
|       #ManagerAccount.ClearSecretKey (v1.13+) {} | object | | This action clears the secret key for Time-based One-Time Password (TOTP) multi-factor authentication for this account. For more information, see the Actions section below. |
|       #ManagerAccount.GenerateSecretKey (v1.13+) {} | object | | This action randomly generates a new secret key for Time-based One-Time Password (TOTP) multi-factor authentication for this account. For more information, see the Actions section below. |
|       #ManagerAccount.VerifyTimeBasedOneTimePassword (v1.13+) {} | object | | This action verifies a user-provided Time-based One-Time Password (TOTP). This is to ensure the client's copy of the secret key is aligned with the secret key stored by the service. For more information, see the Actions section below. |
| } | | | |
| Certificates (v1.2+) {} | object | | The link to a collection of user identity certificates for this account. |
| EmailAddress (v1.11+) | string | read-write (null) | The email address associated with this account. |
| Enabled | boolean | read-write | An indication of whether an account is enabled. An administrator can disable it without deleting the user information. If true, the account is enabled and the user can log in. If false, the account is disabled and, in the future, the user cannot log in. |
| HostBootstrapAccount (v1.8+) | boolean | read-only | An indication of whether this account is a bootstrap account for the host interface. |
| Keys (v1.9+) {} | object | | The link to the collection of keys that can be used to authenticate this account. For example, an SSH public key could be added to this collection to allow for SSH public key authentication. |
| Links { | object | | The links to other resources that are related to this resource. |
|       Oem {} | object | | The OEM extension property. See the Resource schema for details on this property. |
|       Role {} | object | | The link to the Redfish role that defines the privileges for this account. |
| } | | | |
| Locked | boolean | read-write | An indication of whether the account service automatically locked the account because the lockout threshold was exceeded. To manually unlock the account before the lockout duration period, an administrator can change the property to false to clear the lockout condition. |
| MFABypass (v1.10+) {} | object (null) | | The multi-factor authentication bypass settings for this account. See the AccountService.v1_18_1 schema for details on this property. |
| Oem {} | object | | The OEM extension property. See the Resource schema for details on this property. |
| OEMAccountTypes (v1.4+) [ ] | array (string, null) | read-write | The OEM account types. |
| OneTimePasscodeDeliveryAddress (v1.11+) | string | read-write (null) | The address used to receive one-time passcode messages for multi-factor authentication. |
| Password | string | read-write required on create (null) | The password. Use this property with a PATCH or PUT to write the password for the account. This property is null in responses. |
| PasswordChangeRequired (v1.3+) | boolean | read-write (null) | An indication of whether the service requires that the password for this account be changed before further access to the account is allowed. |
| PasswordExpiration (v1.6+) | string (date-time) | read-write (null) | Indicates the date and time when this account password expires. If null, the account password never expires. |
| PhoneNumber (v1.11+) | string | read-write (null) | The contact phone number associated with this account. |
| RoleId | string | read-write required on create | The role for this account. |
| SecretKeySet (v1.13+) | boolean | read-only | Indicates if the secret key for Time-based One-Time Password (TOTP) multi-factor authentication is set. |
| SNMP (v1.4+) { | object (null) | | The SNMP settings for this account. |
|       AuthenticationKey (v1.4+) | string | read-write (null) | The secret authentication key for SNMPv3. |
|       AuthenticationKeySet (v1.5+) | boolean | read-only | Indicates if the AuthenticationKey property is set. |
|       AuthenticationProtocol (v1.4+) | string (enum) | read-write (null) | The authentication protocol for SNMPv3. For the possible property values, see AuthenticationProtocol in Property details. |
|       EncryptionKey (v1.4+) | string | read-write (null) | The secret encryption key used in SNMPv3. |
|       EncryptionKeySet (v1.5+) | boolean | read-only | Indicates if the EncryptionKey property is set. |
|       EncryptionProtocol (v1.4+) | string (enum) | read-write (null) | The encryption protocol for SNMPv3. For the possible property values, see EncryptionProtocol in Property details. |
| } | | | |
| StrictAccountTypes (v1.7+) | boolean | read-write (null) | Indicates if the service needs to use the account types exactly as specified when the account is created or updated. |
| UserName | string | read-write required on create | The username for the account. |

Actions

ChangePassword (v1.11+)

Description

This action changes the account password.

Action URI

{Base URI of target resource}/Actions/ManagerAccount.ChangePassword

Action parameters

| Parameter Name | Type | Attributes | Notes |
| --- | --- | --- | --- |
| NewPassword | string | required | The new account password. |
| SessionAccountPassword | string | required | The password of the account tied to the current session. |

Request Example

{
"SessionAccountPassword": "secret123",
"NewPassword": "B3tterS3cur1tY!"
}

ClearSecretKey (v1.13+)

Description

This action clears the secret key for Time-based One-Time Password (TOTP) multi-factor authentication for this account.

Action URI

{Base URI of target resource}/Actions/ManagerAccount.ClearSecretKey

Action parameters

This action takes no parameters.

GenerateSecretKey (v1.13+)

Description

This action randomly generates a new secret key for Time-based One-Time Password (TOTP) multi-factor authentication for this account.

Action URI

{Base URI of target resource}/Actions/ManagerAccount.GenerateSecretKey

Action parameters

This action takes no parameters.

Response Payload

| Property | Type | Attributes | Notes |
| --- | --- | --- | --- |
| SecretKey (v1.13+) | string | read-only | The secret key generated for Time-based One-Time Password (TOTP) multi-factor authentication. |

Response Example

{
"SecretKey": "JEFDWSHUJOL342324DSFHJ324"
}

VerifyTimeBasedOneTimePassword (v1.13+)

Description

This action verifies a user-provided Time-based One-Time Password (TOTP). This is to ensure the client's copy of the secret key is aligned with the secret key stored by the service.

Action URI

{Base URI of target resource}/Actions/ManagerAccount.VerifyTimeBasedOneTimePassword

Action parameters

| Parameter Name | Type | Attributes | Notes |
| --- | --- | --- | --- |
| TimeBasedOneTimePassword | string | required | The Time-based One-Time Password (TOTP) to verify. |

Request Example

{
"TimeBasedOneTimePassword": "123456789abcdef"
}
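The GenerateSecretKey and VerifyTimeBasedOneTimePassword flow above, as an added client-side example (not DMTF or vendor code): decode the SecretKey, compute the RFC 6238 code for the current 30-second step, build the Verify request body, and check that a code accepted by the service is one our copy of the key also produces. It assumes the SecretKey is unpadded base32 (the schema only says it is a string) and the RFC 6238 defaults of HMAC-SHA-1, six digits and a 30-second step; the test key is the RFC 6238 reference key, not a value from this page.

```python
"""Client-side TOTP enrollment check for ManagerAccount.GenerateSecretKey /
VerifyTimeBasedOneTimePassword (added example; not DMTF or vendor code)."""
import base64
import hashlib
import hmac
import json
import struct
import time


def decode_secret_key(secret_key):
    """Decode the SecretKey returned by GenerateSecretKey.

    Assumption: the service returns unpadded base32, the encoding authenticator
    apps expect; the schema only says 'string', so confirm this for your
    implementation. base64.b32decode raises binascii.Error on anything else."""
    text = secret_key.strip().upper()
    text += "=" * (-len(text) % 8)
    return base64.b32decode(text)


def totp_code(secret_key, for_time=None, digits=6, step=30, digestmod=hashlib.sha1):
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time-step counter."""
    if for_time is None:
        for_time = time.time()
    counter = int(for_time) // step
    mac = hmac.new(decode_secret_key(secret_key), struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def verify_request_body(secret_key, for_time=None):
    """JSON body for POST {account}/Actions/ManagerAccount.VerifyTimeBasedOneTimePassword."""
    return json.dumps({"TimeBasedOneTimePassword": totp_code(secret_key, for_time)})


def secrets_aligned(service_code, secret_key, for_time=None, skew_steps=1):
    """True if our key yields `service_code` within +/- skew_steps time steps.

    Uses a constant-time comparison so the check itself leaks nothing about
    how many digits matched."""
    if for_time is None:
        for_time = time.time()
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = totp_code(secret_key, for_time + delta * 30)
        if hmac.compare_digest(candidate, service_code):
            return True
    return False


# Constructed value: the RFC 6238 reference key "12345678901234567890" in base32.
RFC6238_TEST_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(verify_request_body(RFC6238_TEST_KEY))
```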

Property details

AccountTypes

The list of services in the manager that the account is allowed to access.

| string | Description |
| --- | --- |
| ControlPanel | Allow PIN-based access via an external control panel, such as a keypad, touchscreen, or other human interface. |
| HostConsole | Allow access to the host's console, which could be connected through Telnet, SSH, or another protocol. |
| IPMI | Allow access to the Intelligent Platform Management Interface service. |
| KVMIP | Allow access to a Keyboard-Video-Mouse over IP session. |
| ManagerConsole | Allow access to the manager's console, which could be connected through Telnet, SSH, SM CLP, or another protocol. |
| OEM | OEM account type. See the OEMAccountTypes property. |
| Redfish | Allow access to the Redfish service. |
| SNMP | Allow access to SNMP services. |
| VirtualMedia | Allow access to control virtual media. |
| WebUI | Allow access to a web user interface session, such as a graphical interface or another web-based protocol. |

AuthenticationProtocol

The authentication protocol for SNMPv3.

| string | Description |
| --- | --- |
| HMAC128_SHA224 (v1.7+) | HMAC-128-SHA-224 authentication. |
| HMAC192_SHA256 (v1.7+) | HMAC-192-SHA-256 authentication. |
| HMAC256_SHA384 (v1.7+) | HMAC-256-SHA-384 authentication. |
| HMAC384_SHA512 (v1.7+) | HMAC-384-SHA-512 authentication. |
| HMAC_MD5 | HMAC-MD5-96 authentication. |
| HMAC_SHA96 | HMAC-SHA-96 authentication. |
| None | No authentication. |

EncryptionProtocol

The encryption protocol for SNMPv3.

| string | Description |
| --- | --- |
| CBC_DES | CBC-DES encryption. |
| CFB128_AES128 | CFB128-AES-128 encryption. |
| CFB128_AES192 (v1.12+) | CFB128-AES-192 encryption. |
| CFB128_AES256 (v1.12+) | CFB128-AES-256 encryption. |
| None | No encryption. |

idRef

| Property | Type | Attributes | Notes |
| --- | --- | --- | --- |
| @odata.id | string (URI) | read-only | The unique identifier for a resource. |

Example response

{
"@odata.type": "#ManagerAccount.v1_14_1.ManagerAccount",
"Id": "1",
"Name": "User Account",
"Description": "User Account",
"Enabled": true,
"Password": null,
"PasswordChangeRequired": false,
"AccountTypes": [
"Redfish"
],
"UserName": "Administrator",
"RoleId": "Administrator",
"Locked": false,
"Links": {
"Role": {
"@odata.id": "/redfish/v1/AccountService/Roles/Administrator"
}
},
"Actions": {
"#ManagerAccount.ChangePassword": {
"target": "/redfish/v1/AccountService/Accounts/1/Actions/ManagerAccount.ChangePassword"
}
},
"@odata.id": "/redfish/v1/AccountService/Accounts/1"
}

Role 1.3.3

Version v1.3
Release 2020.4

Description

The Role schema contains a Redfish role to use in conjunction with a manager account.

URIs

/​redfish/​v1/​AccountService/​Roles/​{RoleId}
/​redfish/​v1/​Managers/​{ManagerId}/​RemoteAccountService/​Roles/​{RoleId}

Properties

| Property | Type | Attributes | Notes |
| --- | --- | --- | --- |
| Actions (v1.1+) {} | object | | The available actions for this resource. |
| AlternateRoleId (v1.3+) | string | read-only | An equivalent role to use when this role is restricted. |
| AssignedPrivileges [ ] | array (string (enum)) | read-write | The Redfish privileges for this role. For the possible property values, see AssignedPrivileges in Property details. |
| IsPredefined | boolean | read-only | An indication of whether the role is predefined by Redfish or an OEM rather than a client-defined role. |
| Oem {} | object | | The OEM extension property. See the Resource schema for details on this property. |
| OemPrivileges [ ] | array (string) | read-write | The OEM privileges for this role. |
| Restricted (v1.3+) | boolean | read-only | An indication of whether use of the role is restricted. |
| RoleId (v1.2+) | string | read-only required | The name of the role. |

Property details

AssignedPrivileges

The Redfish privileges for this role.

| string | Description |
| --- | --- |
| AdministrateStorage | Administrator for storage subsystems and storage systems found in the storage collection and storage system collection respectively. |
| AdministrateSystems | Administrator for systems found in the systems collection. Able to manage boot configuration, keys, and certificates for systems. |
| ConfigureComponents | Can configure components that this service manages. |
| ConfigureCompositionInfrastructure | Can view and configure composition service resources. |
| ConfigureManager | Can configure managers. |
| ConfigureSelf | Can change the password for the current user account, log out of their own sessions, and perform operations on resources they created. Services will need to be aware of resource ownership to map this privilege to an operation from a particular user. |
| ConfigureUsers | Can configure users and their accounts. |
| Login | Can log in to the service and read resources. |
| NoAuth | Authentication is not required. |
| OperateStorageBackup | Operator for storage backup functionality for storage subsystems and storage systems found in the storage collection and storage system collection respectively. |
| OperateSystems | Operator for systems found in the systems collection. Able to perform resets and configure interfaces. |

Example response

{
"@odata.type": "#Role.v1_3_3.Role",
"Id": "Administrator",
"Name": "User Role",
"Description": "Admin User Role",
"IsPredefined": true,
"AssignedPrivileges": [
"Login",
"ConfigureManager",
"ConfigureUsers",
"ConfigureSelf",
"ConfigureComponents"
],
"OemPrivileges": [
"OemClearLog",
"OemPowerControl"
],
"@odata.id": "/redfish/v1/AccountService/Roles/Administrator"
}
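An added audit over ManagerAccount and Role payloads (not DMTF or vendor code) that resolves each account's Links.Role, flags roles granting NoAuth or user/manager administration on enabled accounts, reports locked accounts, and flags the SNMPv3 AuthenticationProtocol and EncryptionProtocol enum values from the tables above that give no or obsolete protection. The Administrator account and role follow the example responses on this page; the ReadOnly role and the monitor account are constructed, and which protocols count as weak is this audit's own policy.

```python
"""Audit ManagerAccount payloads against their Role and SNMPv3 settings
(added example; not DMTF or vendor code)."""

# Roles keyed by @odata.id. The Administrator role is taken from the Role
# example response above; the ReadOnly role is constructed for this example.
ROLES = {
    "/redfish/v1/AccountService/Roles/Administrator": {
        "Id": "Administrator",
        "AssignedPrivileges": ["Login", "ConfigureManager", "ConfigureUsers",
                               "ConfigureSelf", "ConfigureComponents"],
        "OemPrivileges": ["OemClearLog", "OemPowerControl"],
    },
    "/redfish/v1/AccountService/Roles/ReadOnly": {
        "Id": "ReadOnly",
        "AssignedPrivileges": ["Login", "ConfigureSelf"],
        "OemPrivileges": [],
    },
}

# Account 1 follows the ManagerAccount example response above; account 2 is
# a constructed SNMP monitoring account configured with legacy SNMPv3 protocols.
ACCOUNTS = [
    {"Id": "1", "UserName": "Administrator", "Enabled": True, "Locked": False,
     "AccountTypes": ["Redfish"], "RoleId": "Administrator",
     "Links": {"Role": {"@odata.id": "/redfish/v1/AccountService/Roles/Administrator"}}},
    {"Id": "2", "UserName": "monitor", "Enabled": True, "Locked": False,
     "AccountTypes": ["Redfish", "SNMP"], "RoleId": "ReadOnly",
     "SNMP": {"AuthenticationProtocol": "HMAC_MD5", "EncryptionProtocol": "CBC_DES",
              "AuthenticationKeySet": True, "EncryptionKeySet": True},
     "Links": {"Role": {"@odata.id": "/redfish/v1/AccountService/Roles/ReadOnly"}}},
]

# AssignedPrivileges values that let a role change who can log in or how.
USER_ADMIN_PRIVILEGES = {"ConfigureUsers", "ConfigureManager"}
# SNMPv3 enum values from the AuthenticationProtocol / EncryptionProtocol
# tables that give no or obsolete protection (this audit's policy choice).
WEAK_SNMP_AUTH = {"None", "HMAC_MD5"}
WEAK_SNMP_PRIV = {"None", "CBC_DES"}


def resolve_role(account, roles):
    """Follow Links.Role/@odata.id; fall back to matching RoleId against Id."""
    link = account.get("Links", {}).get("Role", {}).get("@odata.id")
    if link in roles:
        return roles[link]
    return next((r for r in roles.values() if r["Id"] == account.get("RoleId")), None)


def audit_account(account, roles):
    """Return findings (strings) for one ManagerAccount; empty means none."""
    findings = []
    role = resolve_role(account, roles)
    if role is None:
        findings.append("role %r cannot be resolved" % account.get("RoleId"))
    else:
        privs = set(role.get("AssignedPrivileges", []))
        if "NoAuth" in privs:
            findings.append("role grants NoAuth")
        admin = privs & USER_ADMIN_PRIVILEGES
        if account.get("Enabled") and admin:
            findings.append("enabled account holds %s" % ", ".join(sorted(admin)))
    if account.get("Locked"):
        findings.append("currently locked by the account service")
    if "SNMP" in account.get("AccountTypes", []):
        snmp = account.get("SNMP") or {}
        if snmp.get("AuthenticationProtocol") in WEAK_SNMP_AUTH:
            findings.append("SNMPv3 AuthenticationProtocol %s is weak" % snmp.get("AuthenticationProtocol"))
        if snmp.get("EncryptionProtocol") in WEAK_SNMP_PRIV:
            findings.append("SNMPv3 EncryptionProtocol %s is weak" % snmp.get("EncryptionProtocol"))
        if not (snmp.get("AuthenticationKeySet") and snmp.get("EncryptionKeySet")):
            findings.append("SNMP access enabled without both SNMPv3 keys set")
    return findings


def audit_all(accounts, roles):
    """Map each account's UserName to its findings."""
    return {a["UserName"]: audit_account(a, roles) for a in accounts}


if __name__ == "__main__":
    for user, findings in audit_all(ACCOUNTS, ROLES).items():
        print(user, "->", findings or "no findings")
```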