Skip to content

redfish sessionservice

Jump to bottom
Pola, Sudhir edited this page May 25, 2026 · 1 revision

Redfish SessionService Resource

Table of Contents

Overview

The SessionService resource provides session management capabilities for the DMT Console's Redfish implementation. This service-level resource handles authentication sessions, token management, and session lifecycle operations while maintaining compatibility with DMTF Redfish standards.

✅ IMPLEMENTED: The SessionService is fully implemented and integrated with DMT Console's JWT authentication system. All 5 core endpoints are operational.

Endpoint Overview:

  • SessionService - Provides centralized session management and configuration
  • Session Creation and Management - Handles Redfish session establishment and lifecycle
  • Authentication Token Handling - Integrates JWT tokens with Redfish sessions
  • Session Timeout and Cleanup - Manages automatic session expiration and resource cleanup (5-minute cleanup interval)
  • Concurrent Session Management - In-memory session storage with concurrent access safety

References

Implementation Guidelines

The SessionService implementation follows these principles:

  1. DMT Integration: Seamlessly integrates with DMT Console's existing JWT authentication system
    • Uses same AdminUsername/AdminPassword credentials from config
    • Uses same JWTKey for token signing
    • Uses same JWTExpiration for session timeout
  2. Standards Compliance: Full compatibility with DMTF Redfish SessionService standards
    • DMTF-compliant JSON response formatting
    • Proper OData annotations (@odata.id, @odata.type)
  3. Security: Robust session security and token management
    • JWT tokens with HS256 signing algorithm
    • X-Auth-Token header for session authentication
  4. Performance: Efficient session management with in-memory storage
    • O(1) token-to-session lookup
    • Automatic cleanup of expired sessions every 5 minutes
  5. Architecture Layers:
    • Entity Layer: Session data model with UUID, username, JWT token, timestamps
    • Repository Layer: In-memory session storage with concurrent access safety (sync.RWMutex)
    • Use Case Layer: Session creation, validation, and JWT integration
    • Handler Layer: HTTP request/response handling via OpenAPI-generated interface

URIs - Supported

Status Indicators

  • Supported - Fully implemented and tested
  • ⚠️ DMT Limitation - Property has limitations due to DMT Console implementation
  • Not Supported - Not implemented in current version

GET /redfish/v1/SessionService - Session Service Root

Status: ✅ Supported

Purpose: Retrieve session service configuration and metadata.

Example Request:

curl -k -u username:password \
  https://localhost:8181/redfish/v1/SessionService

Example Response:

{
  "@odata.id": "/redfish/v1/SessionService",
  "@odata.type": "#SessionService.v1_1_9.SessionService",
  "Id": "SessionService",
  "Name": "Session Service",
  "Description": "Session Service",
  "Status": {
    "State": "Enabled",
    "Health": "OK"
  },
  "ServiceEnabled": true,
  "SessionTimeout": 86400,
  "Sessions": {
    "@odata.id": "/redfish/v1/SessionService/Sessions"
  }
}

GET /redfish/v1/SessionService/Sessions - Sessions Collection

Status: ✅ Supported

Purpose: Retrieve collection of all active sessions.

Example Request:

curl -k -u username:password \
  https://localhost:8181/redfish/v1/SessionService/Sessions

Example Response:

{
  "@odata.id": "/redfish/v1/SessionService/Sessions",
  "@odata.type": "#SessionCollection.SessionCollection",
  "Name": "Session Collection",
  "Members@odata.count": 1,
  "Members": [
    {
      "@odata.id": "/redfish/v1/SessionService/Sessions/550e8400-e29b-41d4-a716-446655440000"
    }
  ]
}

POST /redfish/v1/SessionService/Sessions - Create Session

Status: ✅ Supported

Purpose: Create a new authentication session (login).

Example Request:

curl -k -X POST \
  https://localhost:8181/redfish/v1/SessionService/Sessions \
  -H "Content-Type: application/json" \
  -d '{"UserName":"username","Password":"password"}'

Example Response (HTTP 201 Created):

{
  "@odata.id": "/redfish/v1/SessionService/Sessions/550e8400-e29b-41d4-a716-446655440000",
  "@odata.type": "#Session.v1_7_0.Session",
  "Id": "550e8400-e29b-41d4-a716-446655440000",
  "Name": "User Session",
  "Description": "User Session",
  "UserName": "standalone",
  "CreatedTime": "2024-01-15T10:30:00Z",
  "SessionType": "Redfish"
}

Response Headers:

  • X-Auth-Token: JWT token for subsequent authenticated requests
  • Location: URI of the created session resource

GET /redfish/v1/SessionService/Sessions/{SessionId} - Individual Session

Status: ✅ Supported

Purpose: Retrieve individual session details.

Example Request:

curl -k -u username:password \
  https://localhost:8181/redfish/v1/SessionService/Sessions/{SessionId}

Example Response:

{
  "@odata.id": "/redfish/v1/SessionService/Sessions/550e8400-e29b-41d4-a716-446655440000",
  "@odata.type": "#Session.v1_7_0.Session",
  "Id": "550e8400-e29b-41d4-a716-446655440000",
  "Name": "User Session",
  "Description": "User Session",
  "UserName": "standalone",
  "CreatedTime": "2024-01-15T10:30:00Z",
  "SessionType": "Redfish"
}

DELETE /redfish/v1/SessionService/Sessions/{SessionId} - Delete Session

Status: ✅ Supported

Purpose: Terminate an authentication session (logout).

Example Request:

curl -k -X DELETE -u username:password \
  https://localhost:8181/redfish/v1/SessionService/Sessions/{SessionId}

Response: HTTP 204 No Content

URIs - Not Supported

The following endpoints are not implemented in the current version:

PATCH /redfish/v1/SessionService - Update Session Service Configuration

Status: ❌ Not Supported

Purpose: Update session service settings (e.g., timeout values).

Reason: Session configuration is managed through DMT Console's config.yml file.

GET /redfish/v1/SessionService/Sessions/{SessionId}/Oem - Session OEM Extensions

Status: ❌ Not Supported

Purpose: Retrieve OEM-specific session properties.

Reason: No Intel AMT-specific session extensions are currently required.

POST /redfish/v1/SessionService/Actions/SessionService.ClearSessions - Clear All Sessions

Status: ❌ Not Supported

Purpose: Terminate all active sessions.

Reason: Administrative session management can be accomplished by restarting the service or deleting sessions individually.

Authentication Flow

DMT Console supports two authentication methods for accessing Redfish endpoints:

Option 1: Basic Authentication

HTTP Basic Authentication using credentials from config.yml:

curl -k -u username:password \
  https://localhost:8181/redfish/v1/Systems

Option 2: Session Token Authentication (X-Auth-Token)

Redfish session-based authentication using JWT tokens.

How X-Auth-Token Works

  1. Session Creation: Client POSTs credentials to /SessionService/Sessions
  2. Token Generation: Server generates a JWT token (HS256) and creates a session entry
  3. Token Response: Server returns the JWT in the X-Auth-Token response header
  4. Subsequent Requests: Client includes the token in X-Auth-Token request header
  5. Token Validation: Server validates JWT signature and checks session existence
  6. Session Termination: Client DELETEs the session resource to logout

Authentication Precedence

When both authentication methods are present, X-Auth-Token takes precedence over Basic Authentication (per DMTF Redfish specification).

Request arrives → Check X-Auth-Token header → If valid, grant access
                                            → If missing/invalid, check Basic Auth
                                            → If Basic Auth valid, grant access
                                            → Otherwise, return 401 Unauthorized

Testing X-Auth-Token Authentication

Step 1: Create Session and Capture Token

# Create session and extract token and session ID
RESPONSE=$(curl -k -s -X POST \
  https://localhost:8181/redfish/v1/SessionService/Sessions \
  -H "Content-Type: application/json" \
  -d '{"UserName":"username","Password":"password"}' \
  -D /dev/stdout)

# Extract token from headers
TOKEN=$(echo "$RESPONSE" | grep -i "X-Auth-Token" | cut -d' ' -f2 | tr -d '\r')

# Extract session ID from response body
SESSION_ID=$(echo "$RESPONSE" | tail -1 | jq -r '.Id')

echo "Token: $TOKEN"
echo "Session ID: $SESSION_ID"

Step 2: Use Token for API Requests

The X-Auth-Token can be used to access any protected Redfish endpoint:

# Access Systems collection
curl -k -H "X-Auth-Token: $TOKEN" \
  https://localhost:8181/redfish/v1/Systems

# Access SessionService
curl -k -H "X-Auth-Token: $TOKEN" \
  https://localhost:8181/redfish/v1/SessionService

# Access active sessions
curl -k -H "X-Auth-Token: $TOKEN" \
  https://localhost:8181/redfish/v1/SessionService/Sessions

Step 3: Logout (Delete Session)

# Delete session using the token
curl -k -X DELETE -H "X-Auth-Token: $TOKEN" \
  "https://localhost:8181/redfish/v1/SessionService/Sessions/$SESSION_ID"

# Response: HTTP 204 No Content

Step 4: Verify Token is Invalid After Logout

# This should return 401 Unauthorized
curl -k -H "X-Auth-Token: $TOKEN" \
  https://localhost:8181/redfish/v1/Systems

# Expected response:
# {"error":"Unauthorized access"}

Configuration Integration

The SessionService uses configuration from DMT Console's config.yml:

auth:
  adminUsername: your_username   # Login credentials
  adminPassword: your_password   # Login credentials
  jwtKey: your_secret_jwt_key    # JWT signing key (HS256)
  jwtExpiration: 24h0m0s         # Session timeout
  • Zero additional configuration required - Redfish sessions use the same authentication settings as DMT Console.

Property Support Summary

SessionService Properties

Property Support Notes
@odata.id /redfish/v1/SessionService
@odata.type #SessionService.v1_1_9.SessionService
Id SessionService
Name Session Service
Description Session Service
Status State: Enabled, Health: OK
ServiceEnabled Always true
SessionTimeout Derived from jwtExpiration config (in seconds)
Sessions Link to Sessions collection

Validation Results

DMTF Redfish Interop Validator Analysis

Test Date: December 19, 2025
Validator Version: 2.2.9
Target: https://localhost:8181
Profile: ConsoleBasicProfile v1.0.0

Summary

Metric Count
Pass 21
Fail 0
Warnings 1
Not Tested 0

Validation has succeeded.

Validated Resources

Resource Endpoint Result
ServiceRoot /redfish/v1/ ✅ Pass
SessionService /redfish/v1/SessionService ✅ Pass
SessionCollection /redfish/v1/SessionService/Sessions ✅ Pass
ComputerSystemCollection /redfish/v1/Systems ✅ Pass
ComputerSystem /redfish/v1/Systems/{id} ✅ Pass (1 warning)

Warnings

Resource Warning Notes
ComputerSystem Missing ActionInfo for Reset action @Redfish.ActionInfo not provided for #ComputerSystem.Reset

Profile Requirements Validated

The ConsoleBasicProfile validates the following mandatory properties:

  • ServiceRoot: @odata.id, Id, Name, RedfishVersion, UUID, Systems, SessionService, Sessions
  • SessionService: @odata.id, Id, Name, Status, Sessions
  • SessionCollection: @odata.id, Name, Members, Members@odata.count
  • ComputerSystem: @odata.id, Id, Name, SystemType, Status, PowerState, Actions

DMTF Redfish Service Validator Analysis (Historical)

Test Date: December 19, 2025
Validator Version: 2.5.1
Target: https://localhost:8181

Summary

Metric Count
Pass 25
Fail 6
Warnings 6

Issues Identified (Now Resolved)

Service Root (/redfish/v1/)
Type Issue Status
✅ Fixed Mandatory property Sessions does not exist Resolved
⚠️ Warning Schema not found for NVMeDomainCollection.NVMeDomainCollection Informational
⚠️ Warning Schema not found for StorageSystemCollection.StorageSystemCollection Informational
⚠️ Warning Schema not found for StorageServiceCollection.StorageServiceCollection Informational

Resolution: Added Sessions property to Service Root response in service_root.go:

{
  "Sessions": {
    "@odata.id": "/redfish/v1/SessionService/Sessions"
  }
}
Systems Collection (/redfish/v1/Systems)
Type Issue Status
⚠️ Warning Schema version mismatch - ComputerSystem.v1_26_0 not in schema files Known Issue
⚠️ Warning Schema not found for HostedStorageServices.HostedStorageServices Informational

Note: The implementation uses ComputerSystem.v1_26_0 which is newer than the validator's bundled schema files. This is a validator limitation, not an implementation error.

Individual System (/redfish/v1/Systems/{id})
Type Issue Status
⚠️ Warning Schema version mismatch for ComputerSystem.v1_26_0 Known Issue
⚠️ Warning Deprecated property Status usage Best Practice

Remaining Recommendations

  1. High Priority: Add Sessions link to Service Root responseCOMPLETED
  2. Medium Priority: Evaluate ComputerSystem schema version alignment
  3. Low Priority: Consider migrating from deprecated Status property to Conditions

DMTF Redfish Protocol Validator Analysis

Test Date: December 19, 2025
Validator Version: Latest
Target: https://localhost:8181

Summary

Metric Count
Pass 104
Fail 20
Warnings 0
Not Tested 61

Issues Identified

URI Support
Test ID Issue Status
PROTO_STD_URIS_SUPPORTED /redfish endpoint returns 404 Action Required
PROTO_STD_URI_VERSION /redfish should return {"v1": "/redfish/v1/"} Action Required
REQ_GET_SERVICE_ROOT_NO_AUTH /redfish not accessible without auth Action Required

Fix Required: Add /redfish endpoint that returns:

{"v1": "/redfish/v1/"}
HTTP Methods
Test ID Issue Status
PROTO_HTTP_SUPPORTED_METHODS No successful POST responses Session Auth Issue
HEAD method Returns 405 Method Not Allowed Action Required

Fix Required: Add HEAD method support for all GET endpoints.

Response Headers
Test ID Issue Status
RESP_HEADERS_ALLOW_GET_OR_HEAD Missing Allow header on GET responses Action Required
RESP_HEADERS_LINK_REL_DESCRIBED_BY Missing Link header with rel=describedby Action Required
RESP_HEADERS_WWW_AUTHENTICATE Missing WWW-Authenticate header on 401 Action Required

Fix Required: Add required response headers:

  • Allow: GET, HEAD (or appropriate methods)
  • Link: </redfish/v1/$metadata>; rel=describedby
  • WWW-Authenticate: Basic realm="Redfish" (on 401 responses)
OData
Test ID Issue Status
REQ_HEADERS_ODATA_VERSION Accepts unsupported OData-Version 4.1 Action Required
RESP_ODATA_SERVICE_CONTEXT Wrong @odata.context in /redfish/v1/odata Action Required

Fix Required:

  • Return HTTP 412 for OData-Version: 4.1 (only 4.0 supported)
  • Fix @odata.context to return /redfish/v1/$metadata
Session Management
Test ID Issue Status
REQ_POST_CREATE_VIA_COLLECTION Session creation fails with 401 Auth Configuration
REQ_POST_CREATE_TO_MEMBERS_PROP POST to /Sessions/Members returns 405 Action Required
SEC_REQUIRE_LOGIN_SESSIONS Cannot create login session Auth Configuration

Fix Required:

  • Allow unauthenticated POST to /redfish/v1/SessionService/Sessions for session creation
  • Support POST to both /Sessions and /Sessions/Members
AccountService / Roles
Test ID Issue Status
SEC_PRIV_SUPPORT_PREDEFINED_ROLES Missing Administrator role Not Implemented
SEC_PRIV_SUPPORT_PREDEFINED_ROLES Missing Operator role Not Implemented
SEC_PRIV_SUPPORT_PREDEFINED_ROLES Missing ReadOnly role Not Implemented

Note: AccountService with predefined roles is not currently implemented. This is expected for a proxy/aggregation service.

Priority Fixes

Priority Fix Complexity
🔴 High Add /redfish endpoint Low
🔴 High Add Allow header to responses Low
🔴 High Add Link header with rel=describedby Low
🔴 High Add WWW-Authenticate header on 401 Low
🟡 Medium Add HEAD method support Medium
🟡 Medium Fix OData-Version header validation Low
🟡 Medium Fix @odata.context in OData service doc Low
🟢 Low Allow unauthenticated session creation Medium
🟢 Low Support POST to /Sessions/Members Low

Session Properties

Property Support Notes
@odata.id Session URI
@odata.type #Session.v1_7_0.Session
Id UUID v4 format
Name User Session
Description User Session
UserName Authenticated username
CreatedTime ISO 8601 timestamp
SessionType Always Redfish
Password Never returned (security)
ClientOriginIPAddress ⚠️ Not currently captured
Oem OEM extensions not implemented 

---

## redfishtool Commands

The Redfish SessionService can be tested and managed using the `redfishtool` command-line utility. Below are practical examples for testing session operations.

### Prerequisites

```bash
# Install redfishtool
pip install redfishtool

# For DMT Console (localhost:8181)
export REDFISH_HOST=localhost:8181
export REDFISH_USER=username
export REDFISH_PASS=password

Common Options

Option Description Example
-r Remote host and port -r localhost:8181
-S Security mode -S Always (HTTPS)
-u Username -u standalone
-p Password -p G@ppm0ym
-k Skip certificate verify (curl) -k

1. Get ServiceRoot (Public - No Auth)

Purpose: Test public endpoint access

redfishtool -r localhost:8181 -S Always raw GET /redfish/v1

Response:

{
  "@odata.context": "/redfish/v1/$metadata#ServiceRoot.ServiceRoot",
  "@odata.id": "/redfish/v1",
  "@odata.type": "#ServiceRoot.v1_19_0.ServiceRoot",
  "SessionService": { "@odata.id": "/redfish/v1/SessionService" }
}

2. Get SessionService Metadata (Requires Auth)

Purpose: Get session service configuration

redfishtool -r localhost:8181 -S Always -u username -p password SessionService

Response:

{
  "@odata.id": "/redfish/v1/SessionService",
  "@odata.type": "#SessionService.v1_1_9.SessionService",
  "ServiceEnabled": true,
  "SessionTimeout": 1800,
  "Sessions": { "@odata.id": "/redfish/v1/SessionService/Sessions" },
  "SessionsCount": 0
}

3. Create Session (Login) - No Pre-Auth Required ✅

Purpose: Create a new session and get JWT token

Important: POST is a public endpoint - no pre-authentication needed!

redfishtool -r localhost:8181 -S Always -u username -p password SessionService login

Response:

{
  "SessionId": "48f47e40-d001-4ae7-8dda-c2f1ad0fcb89",
  "SessionLocation": "/redfish/v1/SessionService/Sessions/48f47e40-d001-4ae7-8dda-c2f1ad0fcb89",
  "X-Auth-Token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}

Key Points:

  • ✅ No pre-authentication required for POST
  • Returns JWT token in X-Auth-Token field
  • Token can be used in subsequent requests with X-Auth-Token header
  • Session ID can be used to identify the session

4. List All Sessions (Requires Auth)

Purpose: Get all active sessions

redfishtool -r localhost:8181 -S Always -u username -p password SessionService Sessions

Response:

{
  "@odata.type": "#SessionCollection.SessionCollection",
  "@odata.id": "/redfish/v1/SessionService/Sessions",
  "Members": [
    { "@odata.id": "/redfish/v1/SessionService/Sessions/48f47e40-d001-4ae7-8dda-c2f1ad0fcb89" }
  ],
  "Members@odata.count": 1
}

5. Get Session Details (Requires Auth)

Purpose: Get detailed information about a specific session

redfishtool -r localhost:8181 -S Always -u username -p password \
  SessionService Sessions 48f47e40-d001-4ae7-8dda-c2f1ad0fcb89

Response:

{
  "@odata.id": "/redfish/v1/SessionService/Sessions/48f47e40-d001-4ae7-8dda-c2f1ad0fcb89",
  "@odata.type": "#Session.v1_7_0.Session",
  "Id": "48f47e40-d001-4ae7-8dda-c2f1ad0fcb89",
  "Name": "User Session",
  "UserName": "standalone",
  "CreatedTime": "2026-01-14T11:13:01+05:30",
  "SessionTimeout": 1800,
  "ClientOriginIPAddress": "127.0.0.1"
}

6. Delete Session (Logout) - Auth Required ✅

Purpose: Terminate a session

Important: DELETE requires authentication credentials!

Method 1: Using Session Location Path

redfishtool -r localhost:8181 -S Always -u username -p password \
  SessionService logout -l /redfish/v1/SessionService/Sessions/48f47e40-d001-4ae7-8dda-c2f1ad0fcb89

Method 2: Using Session ID Only

redfishtool -r localhost:8181 -S Always -u username -p password \
  SessionService logout -i 48f47e40-d001-4ae7-8dda-c2f1ad0fcb89

7. Authentication Summary

Operation Endpoint Auth Required Method
Get ServiceRoot /redfish/v1 ❌ No GET
Get SessionService /redfish/v1/SessionService ✅ Yes GET
Get Sessions /redfish/v1/SessionService/Sessions ✅ Yes GET
Create Session /redfish/v1/SessionService/Sessions No POST
Get Session Details /redfish/v1/SessionService/Sessions/{ID} ✅ Yes GET
Delete Session /redfish/v1/SessionService/Sessions/{ID} Yes DELETE

Console Wiki

ADRs

Clone this wiki locally