CA certificates keystore

General

This feature keeps the OpenSync CA certificate up to date without a firmware upgrade.

OpenSync uses a CA certificate named opensync_ca.pem to validate the secure URLs of 3rd party services, like the Ookla endpoint, logpull, …
This feature keeps the opensync_ca.pem certificate up to date without a firmware upgrade, which brings several benefits: no customer interruption, better security, easier maintenance and faster rollout.

With this new feature, Platform Manager (PM) (pm_cert_update.c) can download, validate and replace the CA certificate. The OpenSync Kconfig option CONFIG_TARGET_OPENSYNC_CAFILE defines the CA file path, and that file is now under supervision. The northbound API provides the URL of the new CA certificate; PM validates the downloaded certificate and compares it with the existing one before replacing it.
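
The validate, compare and replace sequence described above, as an added example that is not taken from pm_cert_update.c. The function names, the 64 KiB size limit and the ".new" temporary suffix are assumptions, and the PEM check is structural only, standing in for real X.509 validation. The replacement keeps the permission bits of the existing CA file.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define CA_MAX 65536 /* assumed upper bound for a CA bundle */

/* Read a whole file into buf; returns its length, or -1 if missing or too large. */
static long slurp(const char *path, char *buf) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(buf, 1, CA_MAX, f);
    fclose(f);
    if (n >= CA_MAX) return -1;
    buf[n] = '\0';
    return (long)n;
}

/* Structural check only: one complete PEM CERTIFICATE block. Not X.509 validation. */
static int looks_like_pem(const char *s) {
    const char *b = strstr(s, "-----BEGIN CERTIFICATE-----");
    return b && strstr(b, "-----END CERTIFICATE-----");
}

/* Returns 1 if the CA file was replaced, 0 if already identical, -1 if rejected. */
int ca_update(const char *current, const char *candidate) {
    static char cur[CA_MAX], cand[CA_MAX];
    char tmp[4096];
    struct stat st;
    long nc = slurp(candidate, cand);
    if (nc <= 0 || !looks_like_pem(cand)) return -1;           /* validate first */
    if (slurp(current, cur) == nc && memcmp(cur, cand, (size_t)nc) == 0)
        return 0;                                              /* no difference */
    mode_t mode = stat(current, &st) == 0 ? (st.st_mode & 0777) : 0644;
    if (snprintf(tmp, sizeof tmp, "%s.new", current) >= (int)sizeof tmp) return -1;
    FILE *f = fopen(tmp, "wb");                                /* same directory */
    if (!f) return -1;
    int ok = fwrite(cand, 1, (size_t)nc, f) == (size_t)nc && fflush(f) == 0
          && fsync(fileno(f)) == 0 && fchmod(fileno(f), mode) == 0;
    if (fclose(f) != 0) ok = 0;
    if (!ok || rename(tmp, current) != 0) { unlink(tmp); return -1; }
    return 1;                            /* rename() swapped the file atomically */
}

int main(int argc, char **argv) {
    if (argc != 3) { fprintf(stderr, "usage: %s CA_FILE CANDIDATE\n", argv[0]); return 2; }
    return ca_update(argv[1], argv[2]) < 0;
}
```

Because the temporary file is written next to the CA file and moved with rename(), a reader of the CA path sees either the old bundle or the new one, never a partial download.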

Northbound API

We added a new OVSDB field in the AWLAN_Node called pm_update_cert:

"pm_update_cert": { "type": { "key": { "type": "string", "minLength": 0, "maxLength": 256 }, "min": 0, "max": 1 } }

This field holds the URL from which the certificate is downloaded. The URL can be customer-specific; otherwise the default OpenSync one is used.

Southbound API

None

Requirements

Correct file permissions on the OpenSync CA certificate