Inventory Management

The inventory is IDIAL's central database of all managed endpoints. It stores connection parameters, credentials, certificate status, and PKI assignment for every managed device.

Note: The inventory contains cached information from the last monitoring run, not live data from the endpoints. To refresh data, trigger a monitoring run via POST /gds/monitor/crt.

The service field identifies the connection protocol for each entry:

  • gds-push-<identifier> — OPC UA GDS Push protocol. The <identifier> is device- and firmware-specific.
  • ssh-<identifier> — SSH-based certificate management.
  • rest-<identifier> — REST API-based certificate management.

GET /inventory

Returns the full list of all inventory entries across all service types (GDS, SSH, etc.). This is the primary endpoint for monitoring and reporting. Inactive devices are excluded unless show_inactive_devices is enabled via POST /systeminfo.

Authentication: Required (X-API-Key header)

Request

curl -X GET http://localhost:5000/inventory \
-H "X-API-Key: your-api-key"

Response 200

[
  {
    "id": 1,
    "name": "PLC Line 1",
    "url": "opc.tcp://192.168.1.10:4840",
    "service": "gds-push-siemens",
    "server": "192.168.1.10",
    "port": 4840,
    "device_status": 1,
    "device_status_name": "active",
    "pki_endpoint": "est-production",
    "username": "admin",
    "cert_subjectdn": "CN=plc-line1,O=ExampleCorp,C=DE",
    "cert_issuerdn": "CN=Issuing CA,O=ExampleCorp,C=DE",
    "cert_validfrom": "2025-01-01 00:00:00",
    "cert_validto": "2026-01-01 00:00:00",
    "cert_base64": "MIIDxDCC...",
    "cert_expdays": 241,
    "cert_revoked": false,
    "renewal_days": 30,
    "security_policy": 8,
    "security_mode": 2,
    "security_policys": ["Basic256Sha256"],
    "security_modes": ["SignAndEncrypt"]
  }
]

Response Fields

Field               Type            Description
id                  integer         Internal database identifier.
name                string | null   Display name of the endpoint.
url                 string          Full connection URL (e.g. opc.tcp://host:port).
service             string          Service type identifier.
server              string          IP address or DNS hostname of the endpoint.
port                integer         Network port of the endpoint.
device_status       integer | null  0 = inactive, 1 = active, 2 = deleted. See reference-parameters.
device_status_name  string | null   Human-readable status name.
pki_endpoint        string | null   Configured PKI endpoint ID for certificate enrollment.
username            string | null   Configured username for endpoint authentication.
cert_subjectdn      string | null   Subject DN of the certificate currently active at the endpoint.
cert_issuerdn       string | null   Issuer DN of the certificate currently active at the endpoint.
cert_validfrom      string | null   Certificate validity start date and time.
cert_validto        string | null   Certificate validity end date and time.
cert_base64         string | null   DER certificate encoded as base64.
cert_expdays        integer | null  Days until certificate expiry.
cert_revoked        boolean | null  Whether the certificate is revoked.
renewal_days        integer | null  Days before expiry at which renewal is triggered.
security_policy     integer | null  Security policy bitmask. See reference-parameters.
security_mode       integer | null  Security mode bitmask. See reference-parameters.
security_policys    string[]        Human-readable security policy names.
security_modes      string[]        Human-readable security mode names.
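
An audit pass over a GET /inventory response, as an added example that is not part of the IDIAL documentation or code base. It recomputes the remaining validity from cert_validto instead of trusting the cached cert_expdays, and flags revoked, missing, and weakly protected entries. Assumptions: timestamps are UTC, the name lists use the OPC UA policy and mode names, and the sample entries (including the ssh-example identifier) are constructed.

```python
from datetime import datetime, timezone

# Constructed sample shaped like the GET /inventory response (not real data).
SAMPLE = [
    {"url": "opc.tcp://192.168.1.10:4840", "service": "gds-push-siemens",
     "cert_validto": "2026-01-01 00:00:00", "cert_expdays": 241,
     "cert_revoked": False, "renewal_days": 30,
     "security_policys": ["Basic256Sha256"], "security_modes": ["SignAndEncrypt"]},
    {"url": "opc.tcp://192.168.1.11:4840", "service": "gds-push-siemens",
     "cert_validto": "2025-05-25 00:00:00", "cert_expdays": 200,  # stale cached value
     "cert_revoked": False, "renewal_days": 30,
     "security_policys": ["None", "Basic256Sha256"], "security_modes": ["None"]},
    {"url": "ssh://192.168.1.20:22", "service": "ssh-example",  # hypothetical identifier
     "cert_validto": None, "cert_expdays": None, "cert_revoked": None,
     "renewal_days": None, "security_policys": [], "security_modes": []},
]
# Assumption: the name lists carry OPC UA names; "None" and the deprecated
# Basic128Rsa15 / Basic256 policies are treated as weak here.
WEAK_POLICIES = {"None", "Basic128Rsa15", "Basic256"}

def audit_entry(entry, now):
    """Return finding strings for one inventory entry."""
    findings = []
    if entry.get("cert_validto") is None:
        findings.append("no-certificate-data")
    else:
        # Assumption: timestamps are UTC, formatted as in the sample response.
        valid_to = datetime.strptime(entry["cert_validto"], "%Y-%m-%d %H:%M:%S")
        days_left = (valid_to.replace(tzinfo=timezone.utc) - now).days
        if days_left < 0:
            findings.append("expired")
        elif days_left <= (entry.get("renewal_days") or 0):
            findings.append("inside-renewal-window")
        cached = entry.get("cert_expdays")
        if cached is not None and abs(cached - days_left) > 1:
            findings.append("stale-cache")  # last monitoring run is out of date
    if entry.get("cert_revoked"):
        findings.append("revoked")
    if (entry.get("service") or "").startswith("gds-push-"):
        if WEAK_POLICIES & set(entry.get("security_policys") or []):
            findings.append("weak-security-policy")
        if "None" in (entry.get("security_modes") or []):
            findings.append("unsecured-mode-listed")
    return findings

def audit_inventory(entries, now=None):
    """Map url -> findings, keeping only entries that have findings."""
    now = now or datetime.now(timezone.utc)
    report = {e["url"]: audit_entry(e, now) for e in entries}
    return {url: found for url, found in report.items() if found}
```

A stale-cache finding means the cached cert_expdays no longer matches cert_validto; trigger a monitoring run via POST /gds/monitor/crt before acting on the rest of the report.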

POST /inventory

Adds a raw entry to the database using a low-level db_connect.py payload. Intended for advanced or legacy use. Enforces the license endpoint limit for GDS, OPC, and SSH tables.

Authentication: Required (X-API-Key header)

Request

curl -X POST http://localhost:5000/inventory \
-H "X-API-Key: your-api-key" \
-H "Content-Type: application/json" \
-d '{"table": "gds", "add": "{\"server\": \"192.168.1.10\"}"}'

Request Fields

Field  Type    Required  Description
table  string  Yes       Target table name. Must contain gds, opc, ssh, pki, or ca.
add    string  Yes       JSON or string payload to add.

Response 200

{
  "success": true,
  "execution": "ok",
  "error": "",
  "result": null
}

Response Fields

Field      Type           Description
success    boolean        Whether the operation succeeded.
execution  string         Execution status string.
error      string         Error message if the operation failed.
result     object | null  Parsed result from the operation.

Response 400

{"error": "table must contain one of: gds, opc, ssh, pki, ca"}

Response 403

Returned when the license endpoint limit is reached for GDS/OPC/SSH tables.


PATCH /inventory

Updates a raw entry in the database using a low-level db_connect.py payload.

Authentication: Required (X-API-Key header)

Request

curl -X PATCH http://localhost:5000/inventory \
-H "X-API-Key: your-api-key" \
-H "Content-Type: application/json" \
-d '{"table": "gds", "add": "{\"server\": \"192.168.1.10\", \"name\": \"Updated Name\"}"}'

Request Fields

Same as POST /inventory.

Response 200

Same schema as POST /inventory.

Response 400

{"error": "table must contain one of: gds, opc, ssh, pki, ca"}

GET /gds/inventory

Returns all GDS (OPC UA) inventory entries. Inactive devices are excluded unless show_inactive_devices is enabled.

Authentication: Required (X-API-Key header)

Request

curl -X GET http://localhost:5000/gds/inventory \
-H "X-API-Key: your-api-key"

Response 200

Array of inventory objects. Response format matches GET /inventory.


POST /gds/inventory

Creates a new GDS inventory entry. Enforces the license endpoint limit.

Authentication: Required (X-API-Key header)

Request

curl -X POST http://localhost:5000/gds/inventory \
-H "X-API-Key: your-api-key" \
-H "Content-Type: application/json" \
-d '{
  "server": "192.168.1.10",
  "port": 4840,
  "name": "PLC Line 1",
  "security_policy": 8,
  "security_mode": 2,
  "renewal_days": 30
}'

Request Fields

Field                     Type                   Required  Description
server                    string                 Yes       Hostname or IP address of the endpoint.
port                      integer (1–65535)      No        OPC UA port (default: 4840).
name                      string                 No        Display name.
userinfo_name             string                 No        Authentication username. Must be paired with userinfo_password.
userinfo_password         string                 No        Authentication password (write-only).
userinfo_pkcs12_base64    string (≥ 160 chars)   No        Base64-encoded PKCS#12 for certificate authentication (write-only).
userinfo_pkcs12_password  string (≤ 1024 chars)  No        Password for the PKCS#12 file (write-only).
device_status             integer (0/1/2)        No        Device status.
pki                       integer ≥ 0            No        ID of the associated PKI inventory entry.
security_policy           integer                No        Security policy bitmask. See reference-parameters.
security_mode             integer                No        Security mode bitmask. See reference-parameters.
renewal_days              integer ≥ 0            No        Days before expiry to trigger renewal.

Response 200

Created inventory entry. Response format matches GET /inventory.

Response 403

Returned when the license endpoint limit is reached.


PATCH /gds/inventory

Updates an existing GDS inventory entry. The entry is identified by server + port.

Authentication: Required (X-API-Key header)

Request

curl -X PATCH http://localhost:5000/gds/inventory \
-H "X-API-Key: your-api-key" \
-H "Content-Type: application/json" \
-d '{"server": "192.168.1.10", "name": "Updated Name"}'

Request Fields

Same fields as POST /gds/inventory. All fields are optional except server.

Response 200

Updated inventory entry. Response format matches GET /inventory.

Response 404

{"error": "string"}

GET /gds/inventory/{host_or_url}

Returns a single GDS inventory entry by host or URL.

Authentication: Required (X-API-Key header)

Request

curl -X GET http://localhost:5000/gds/inventory/192.168.1.10 \
-H "X-API-Key: your-api-key"

# or using full OPC UA URL:
curl -X GET "http://localhost:5000/gds/inventory/opc.tcp://192.168.1.10:4840" \
-H "X-API-Key: your-api-key"

The {host_or_url} path parameter accepts:

  • Hostname or IP: 192.168.1.10
  • Host and port: 192.168.1.10:4840
  • Full OPC UA URL: opc.tcp://192.168.1.10:4840

Response 200

Single inventory entry. Response format matches GET /inventory.

Response 400

{"error": "string"}

Response 404

{"error": "string"}

DELETE /gds/inventory/{host_or_url}

Deletes a GDS inventory entry and all associated user credential data.

Authentication: Required (X-API-Key header)

Request

curl -X DELETE http://localhost:5000/gds/inventory/192.168.1.10 \
-H "X-API-Key: your-api-key"

Response 200

Deleted inventory entry. Response format matches GET /inventory.

Response 400

{"error": "string"}

Response 404

{"error": "string"}

POST /gds/inventory/user

Writes user credentials (username/password or PKCS#12) for a GDS inventory entry. Creates the entry if it does not exist.

Authentication: Required (X-API-Key header)

Request

curl -X POST http://localhost:5000/gds/inventory/user \
-H "X-API-Key: your-api-key" \
-H "Content-Type: application/json" \
-d '{
  "server": "192.168.1.10",
  "port": 4840,
  "userinfo_name": "admin",
  "userinfo_password": "secret"
}'

Request Fields

Field                     Type                   Required  Description
server                    string                 Yes       Hostname or IP address.
port                      integer (1–65535)      No        Port (default: 4840).
userinfo_name             string                 No        Authentication username.
userinfo_password         string                 No        Authentication password (write-only).
userinfo_pkcs12_base64    string (≥ 160 chars)   No        Base64-encoded PKCS#12 (write-only).
userinfo_pkcs12_password  string (≤ 1024 chars)  No        PKCS#12 password (write-only).

Response 200

Inventory entry. Response format matches GET /inventory.


PATCH /gds/inventory/user

Updates user credentials for an existing GDS inventory entry. The entry must already exist.

Authentication: Required (X-API-Key header)

Request

curl -X PATCH http://localhost:5000/gds/inventory/user \
-H "X-API-Key: your-api-key" \
-H "Content-Type: application/json" \
-d '{"server": "192.168.1.10", "userinfo_password": "new-secret"}'

Request Fields

Same as POST /gds/inventory/user.

Response 200

Updated inventory entry. Response format matches GET /inventory.


GET /gds/inventory/trustlist

Returns GDS trustlist data stored in the inventory database for all managed endpoints.

Authentication: Required (X-API-Key header)

Request

curl -X GET http://localhost:5000/gds/inventory/trustlist \
-H "X-API-Key: your-api-key"

Response 200

[
  {
    "url": "opc.tcp://192.168.1.10:4840",
    "trustlist_trusted_ca": ["MIIBxDCC..."],
    "trustlist_trusted_crl": [],
    "trustlist_issuer_ca": ["MIIBxDCC..."],
    "trustlist_issuer_crl": []
  }
]

Response Fields

Field                  Type      Description
url                    string    OPC UA connection URL identifying the endpoint.
trustlist_trusted_ca   string[]  Trusted endpoint certificates.
trustlist_trusted_crl  string[]  CRLs for trusted certificates.
trustlist_issuer_ca    string[]  Issuer CA certificates.
trustlist_issuer_crl   string[]  CRLs for issuer CA certificates.
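
A review of the trustlist response against an approved set of certificate fingerprints, as an added example that is not part of the IDIAL documentation or code base. It assumes the certificate entries are base64-encoded DER like cert_base64; the approved set, function names, and sample values are constructed for illustration.

```python
import base64
import hashlib

def fingerprint(b64_der):
    """SHA-256 hex digest of a base64-encoded blob; None if it is not valid base64."""
    try:
        der = base64.b64decode(b64_der, validate=True)
    except (ValueError, TypeError):
        return None
    return hashlib.sha256(der).hexdigest()

CERT_FIELDS = ("trustlist_trusted_ca", "trustlist_issuer_ca")

def review_trustlists(entries, approved):
    """Map url -> findings for trust entries outside the approved fingerprint set."""
    report = {}
    for entry in entries:
        findings = []
        for field in CERT_FIELDS:
            for blob in entry.get(field) or []:
                fp = fingerprint(blob)
                if fp is None:
                    findings.append((field, "undecodable"))
                elif fp not in approved:
                    findings.append((field, "unapproved:" + fp[:16]))
        # Issuer CAs stored without any CRL: revocation cannot be checked
        # from this trustlist data.
        if entry.get("trustlist_issuer_ca") and not entry.get("trustlist_issuer_crl"):
            findings.append(("trustlist_issuer_crl", "missing"))
        if findings:
            report[entry["url"]] = findings
    return report

# Constructed placeholders standing in for DER blobs (not real certificates or CRLs).
CA_A = base64.b64encode(b"constructed placeholder A").decode()
CA_B = base64.b64encode(b"constructed placeholder B").decode()
CRL_A = base64.b64encode(b"constructed placeholder CRL").decode()
SAMPLE = [
    {"url": "opc.tcp://192.168.1.10:4840",
     "trustlist_trusted_ca": [CA_A], "trustlist_trusted_crl": [],
     "trustlist_issuer_ca": [CA_A], "trustlist_issuer_crl": [CRL_A]},
    {"url": "opc.tcp://192.168.1.11:4840",
     "trustlist_trusted_ca": [CA_A, CA_B], "trustlist_trusted_crl": [],
     "trustlist_issuer_ca": [CA_A], "trustlist_issuer_crl": []},
]
APPROVED = {fingerprint(CA_A)}  # assumption: maintained outside IDIAL by the operator
```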

GET /ssh/inventory

Returns all SSH inventory entries.

Authentication: Required (X-API-Key header)

Request

curl -X GET http://localhost:5000/ssh/inventory \
-H "X-API-Key: your-api-key"

Response 200

Array of inventory objects. Response format matches GET /inventory.