zhmcclient · vkathir82 · Jun 9, 2021 · Jun 8, 2021
diff --git a/docs/source/modules/zhmc_adapter.rst b/docs/source/modules/zhmc_adapter.rst
@@ -36,7 +36,7 @@ hmc_host
 
 
 hmc_auth
-  The authentication credentials for the HMC, as a dictionary of ``userid``, ``password``.
+  The authentication credentials for the HMC.
 
   | **required**: True
   | **type**: dict
@@ -56,6 +56,21 @@ hmc_auth
     | **type**: str
 
 
+  ca_certs
+    Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate.
+
+    | **required**: False
+    | **type**: str
+
+
+  verify
+    If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate.
+
+    | **required**: False
+    | **type**: bool
+    | **default**: True
+
+
 
 name
   The name of the target adapter. In case of renaming an adapter, this is the new name of the adapter.

diff --git a/docs/source/modules/zhmc_cpc.rst b/docs/source/modules/zhmc_cpc.rst
@@ -35,7 +35,7 @@ hmc_host
 
 
 hmc_auth
-  The authentication credentials for the HMC, as a dictionary of ``userid``, ``password``.
+  The authentication credentials for the HMC.
 
   | **required**: True
   | **type**: dict
@@ -55,6 +55,21 @@ hmc_auth
     | **type**: str
 
 
+  ca_certs
+    Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate.
+
+    | **required**: False
+    | **type**: str
+
+
+  verify
+    If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate.
+
+    | **required**: False
+    | **type**: bool
+    | **default**: True
+
+
 
 name
   The name of the target CPC.

diff --git a/docs/source/modules/zhmc_crypto_attachment.rst b/docs/source/modules/zhmc_crypto_attachment.rst
@@ -36,7 +36,7 @@ hmc_host
 
 
 hmc_auth
-  The authentication credentials for the HMC, as a dictionary of ``userid``, ``password``.
+  The authentication credentials for the HMC.
 
   | **required**: True
   | **type**: dict
@@ -56,6 +56,21 @@ hmc_auth
     | **type**: str
 
 
+  ca_certs
+    Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate.
+
+    | **required**: False
+    | **type**: str
+
+
+  verify
+    If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate.
+
+    | **required**: False
+    | **type**: bool
+    | **default**: True
+
+
 
 cpc_name
   The name of the CPC that has the partition and the crypto adapters.

diff --git a/docs/source/modules/zhmc_hba.rst b/docs/source/modules/zhmc_hba.rst
@@ -35,7 +35,7 @@ hmc_host
 
 
 hmc_auth
-  The authentication credentials for the HMC, as a dictionary of ``userid``, ``password``.
+  The authentication credentials for the HMC.
 
   | **required**: True
   | **type**: dict
@@ -55,6 +55,21 @@ hmc_auth
     | **type**: str
 
 
+  ca_certs
+    Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate.
+
+    | **required**: False
+    | **type**: str
+
+
+  verify
+    If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate.
+
+    | **required**: False
+    | **type**: bool
+    | **default**: True
+
+
 
 cpc_name
   The name of the CPC with the partition containing the HBA.

diff --git a/docs/source/modules/zhmc_nic.rst b/docs/source/modules/zhmc_nic.rst
@@ -35,7 +35,7 @@ hmc_host
 
 
 hmc_auth
-  The authentication credentials for the HMC, as a dictionary of ``userid``, ``password``.
+  The authentication credentials for the HMC.
 
   | **required**: True
   | **type**: dict
@@ -55,6 +55,21 @@ hmc_auth
     | **type**: str
 
 
+  ca_certs
+    Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate.
+
+    | **required**: False
+    | **type**: str
+
+
+  verify
+    If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate.
+
+    | **required**: False
+    | **type**: bool
+    | **default**: True
+
+
 
 cpc_name
   The name of the CPC with the partition containing the NIC.

diff --git a/docs/source/modules/zhmc_partition.rst b/docs/source/modules/zhmc_partition.rst
@@ -36,7 +36,7 @@ hmc_host
 
 
 hmc_auth
-  The authentication credentials for the HMC, as a dictionary of userid, password.
+  The authentication credentials for the HMC.
 
   | **required**: True
   | **type**: dict
@@ -56,6 +56,21 @@ hmc_auth
     | **type**: str
 
 
+  ca_certs
+    Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate.
+
+    | **required**: False
+    | **type**: str
+
+
+  verify
+    If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate.
+
+    | **required**: False
+    | **type**: bool
+    | **default**: True
+
+
 
 cpc_name
   The name of the CPC with the target partition.

diff --git a/docs/source/modules/zhmc_storage_group.rst b/docs/source/modules/zhmc_storage_group.rst
@@ -35,7 +35,7 @@ hmc_host
 
 
 hmc_auth
-  The authentication credentials for the HMC, as a dictionary of ``userid``, ``password``.
+  The authentication credentials for the HMC.
 
   | **required**: True
   | **type**: dict
@@ -55,6 +55,21 @@ hmc_auth
     | **type**: str
 
 
+  ca_certs
+    Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate.
+
+    | **required**: False
+    | **type**: str
+
+
+  verify
+    If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate.
+
+    | **required**: False
+    | **type**: bool
+    | **default**: True
+
+
 
 cpc_name
   The name of the CPC associated with the target storage group.

diff --git a/docs/source/modules/zhmc_storage_group_attachment.rst b/docs/source/modules/zhmc_storage_group_attachment.rst
@@ -35,7 +35,7 @@ hmc_host
 
 
 hmc_auth
-  The authentication credentials for the HMC, as a dictionary of ``userid``, ``password``.
+  The authentication credentials for the HMC.
 
   | **required**: True
   | **type**: dict
@@ -55,6 +55,21 @@ hmc_auth
     | **type**: str
 
 
+  ca_certs
+    Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate.
+
+    | **required**: False
+    | **type**: str
+
+
+  verify
+    If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate.
+
+    | **required**: False
+    | **type**: bool
+    | **default**: True
+
+
 
 cpc_name
   The name of the CPC that has the partition and is associated with the storage group.

diff --git a/docs/source/modules/zhmc_storage_volume.rst b/docs/source/modules/zhmc_storage_volume.rst
@@ -35,7 +35,7 @@ hmc_host
 
 
 hmc_auth
-  The authentication credentials for the HMC, as a dictionary of ``userid``, ``password``.
+  The authentication credentials for the HMC.
 
   | **required**: True
   | **type**: dict
@@ -55,6 +55,21 @@ hmc_auth
     | **type**: str
 
 
+  ca_certs
+    Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate.
+
+    | **required**: False
+    | **type**: str
+
+
+  verify
+    If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate.
+
+    | **required**: False
+    | **type**: bool
+    | **default**: True
+
+
 
 cpc_name
   The name of the CPC associated with the storage group containing the target storage volume.

diff --git a/docs/source/modules/zhmc_user.rst b/docs/source/modules/zhmc_user.rst
@@ -35,7 +35,7 @@ hmc_host
 
 
 hmc_auth
-  The authentication credentials for the HMC, as a dictionary of ``userid``, ``password``.
+  The authentication credentials for the HMC.
 
   | **required**: True
   | **type**: dict
@@ -55,6 +55,21 @@ hmc_auth
     | **type**: str
 
 
+  ca_certs
+    Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate.
+
+    | **required**: False
+    | **type**: str
+
+
+  verify
+    If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate.
+
+    | **required**: False
+    | **type**: bool
+    | **default**: True
+
+
 
 name
   The userid of the target user (i.e. the 'name' property of the User object).

diff --git a/docs/source/modules/zhmc_virtual_function.rst b/docs/source/modules/zhmc_virtual_function.rst
@@ -35,7 +35,7 @@ hmc_host
 
 
 hmc_auth
-  The authentication credentials for the HMC, as a dictionary of ``userid``, ``password``.
+  The authentication credentials for the HMC.
 
   | **required**: True
   | **type**: dict
@@ -55,6 +55,21 @@ hmc_auth
     | **type**: str
 
 
+  ca_certs
+    Path name of certificate file or certificate directory to be used for verifying the HMC certificate. If null (default), the path name in the 'REQUESTS_CA_BUNDLE' environment variable or the path name in the 'CURL_CA_BUNDLE' environment variable is used, or if neither of these variables is set, the certificates in the Mozilla CA Certificate List provided by the 'certifi' Python package are used for verifying the HMC certificate.
+
+    | **required**: False
+    | **type**: str
+
+
+  verify
+    If True (default), verify the HMC certificate as specified in the ``ca_certs`` parameter. If False, ignore what is specified in the ``ca_certs`` parameter and do not verify the HMC certificate.
+
+    | **required**: False
+    | **type**: bool
+    | **default**: True
+
+
 
 cpc_name
   The name of the CPC with the partition containing the virtual function.

diff --git a/docs/source/release_notes.rst b/docs/source/release_notes.rst
@@ -29,6 +29,13 @@ Released: not yet
 
 **Incompatible changes:**
 
+* The new support for verifying HMC certificates will by default verify the
+  HMC certificate using the "Mozilla CA Certificate List" provided by the
+  'certifi' Python package, causing self-signed HMC certificates to be
+  rejected. The verification behavior can be controlled with the new
+  'ca_certs' and 'verify' sub-parameters of the 'hmc_auth' module parameter
+  of each module.
+
 **Deprecations:**
 
 **Bug fixes:**
@@ -65,7 +72,15 @@ Released: not yet
 * Docs: The idempotency of each module and possible limitations are now
   described for each module. (issue #375)
 
-* Increased minimum version of zhmcclient to 0.29.0 to pick up fixes.
+* Increased minimum version of zhmcclient to 0.31.0 in order to have
+  the support for certificate verification and to pick up fixes.
+
+* Added support for verifying HMC certificates by adding module sub-parameters
+  'ca_certs' and 'verify' to the 'hmc_auth' module parameter of all modules.
+  (issue #401)
+
+* Changed module input parameter 'hmc_auth.userid' to no longer be hidden in
+  logs, for better debugging. The password is still hidden in any logs.
 
 **Cleanup:**
 

diff --git a/minimum-constraints.txt b/minimum-constraints.txt
@@ -87,8 +87,8 @@ wheel==0.33.5; python_version >= '3.8'
 
 ansible==2.9.0.0
 requests==2.20.1
-# git+https://github.com/zhmcclient/python-zhmcclient@master#egg=zhmcclient
-zhmcclient==0.29.0
+# TODO: Enable zhmcclient 0.31.0 once released on Pypi
+# zhmcclient==0.31.0
 
 # Indirect dependencies for installation (must be consistent with requirements.txt)