6. OCS NG Configuration
In this chapter we will configure a few things that I consider useful and nice to have. They are optional, but I recommend them based on my experience. The following things will be configured:
- Apache default webpage changed to /ocsreports. No more need to type /ocsreports after the hostname/IP address in order to get to OCS Reports
- We will enable SSL for Apache and OCS-NG
- We will disable HTTP Access to /downloads directory
At the end we will install the OCS-NG Agent on a Windows machine, collect some data and deploy a sample software package.
6.1 Change Apache document Root
Ok, tired of constantly entering /ocsreports in order to get to your reports console? Well, me too. Let’s take care of it:
Comment out the following line:
And enter the line below:
Now, just restart Apache and that’s it!
service apache2 restart
Now you can access the ocs reports by entering IP/hostname in the address bar:
6.2 Configure SSL for OCS Inventory NG Server
So far we have successfully installed and performed the basic configuration of the OCS-NG 2.3 server. It all works well. We are able to start managing computers and their inventory.
However, we are unable to use the deployment feature, since it requires a valid SSL certificate both on the server and on the clients. HTTPS communication is used to download the info files from the server.
Before deploying the agent to the clients, be sure to test it with the SSL certificate installed on the server. If they can talk to each other and the client can successfully access the /download location on the server, you’re ready to deploy it on a large scale.
For this example we will use a self-signed certificate for SSL. If you have your own trusted root CA or can request an SSL cert, I strongly recommend this, since it will be trusted by your OS, so no annoying pop-ups about an untrusted self-signed certificate will be displayed when accessing HTTPS.
Let’s do it!
First of all we need an SSL certificate. In order to be able to generate it we need a few things on our Debian environment. Let’s start with:
Installation of packages:
apt-get install -y openssl
Now, enable the ssl mod in Apache and restart the Apache daemon:
a2enmod ssl
service apache2 restart
After this command a new symbolic link called default-ssl.conf will be created in /etc/apache2/sites-available
Let’s enable it by creating a sym link:
ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/default-ssl.conf
After the above command a new symbolic link called default-ssl.conf will be created in /etc/apache2/sites-enabled/
Ok, as we have openssl running we need some certs, don’t we?
The following command will generate a key for the certificate:
openssl genrsa -des3 -out ocsng.key 2048
Enter and note somewhere (or remember) a pass phrase for the key.
Mind that we are using a 2048-bit key length because most modern OSes will block keys shorter than that. The IETF recommends using at least a 2048, 3072 or even 4096-bit key length, since the American agency NSA confirmed that they are able to decrypt 1024-bit keys, so 2048 shouldn’t be a problem in the near future.
Back to guide:
Convert the key to RSA:
mv ocsng.key ocsng-old.key
openssl rsa -in ocsng-old.key -out ocsng.key
Enter the pass phrase.
Now, we need a certificate request:
openssl req -new -key ocsng.key -out ocsng.csr
Fill in all fields:
- Country Name (2 letter code)
- State or Province Name (full name)
- Locality Name (eg, city)
- Organization Name (eg, company) [Internet Widgits Pty Ltd]
- Organizational Unit Name (eg, section)
- Common Name (e.g. server FQDN or YOUR name)
- Email Address
Remember to enter the same name in “Common Name” that client computers will use for connecting. Otherwise agents will not be able to communicate with the server.
No need to provide extra attributes. There is, however, a little trick that can be done. We can provide more than one common name in the request to make sure all names are valid: like ocsng.domain.com, ocsng and other DNS names or aliases. There is a very nice guide on how to do that.
If not, simply enter the command below to generate the certificate in .pem format:
openssl x509 -req -days 3650 -in ocsng.csr -signkey ocsng.key -out ocsng.pem
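The multi-name variant mentioned above, as an added example that is not part of the original guide: it lists every name in the certificate's subjectAltName extension (rather than repeating Common Name fields) and supplies that list at the signing step, because openssl x509 -req does not copy extensions from the request by default. The host names, output directory, script name and function names are assumptions.

```bash
#!/bin/sh
# Added example: self-signed server certificate valid for several DNS names.
# Host names, output directory and function names are assumptions.

make_san_cert() {
    # usage: make_san_cert <outdir> <primary-name> [extra-dns-name ...]
    outdir=$1; cn=$2; shift 2
    san="DNS:$cn"
    for name in "$@"; do san="$san,DNS:$name"; done
    mkdir -p "$outdir"

    # "openssl x509 -req" does not carry extensions over from the CSR by
    # default, so the name list is handed to the signing step as an extfile.
    printf 'subjectAltName = %s\n' "$san" > "$outdir/san.ext"

    # No pass phrase: this is the state the key is in after the guide's
    # "openssl rsa" step, so create the file readable by its owner only.
    ( umask 077 && openssl genrsa -out "$outdir/ocsng.key" 2048 )
    openssl req -new -key "$outdir/ocsng.key" -subj "/CN=$cn" \
        -out "$outdir/ocsng.csr"
    openssl x509 -req -days 3650 -in "$outdir/ocsng.csr" \
        -signkey "$outdir/ocsng.key" -extfile "$outdir/san.ext" \
        -out "$outdir/ocsng.pem"
}

cert_has_name() {
    # usage: cert_has_name <cert.pem> <dns-name>; exit 0 if listed in the SAN
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' |
        tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$2"
}

key_matches_cert() {
    # usage: key_matches_cert <cert.pem> <key>; exit 0 if they belong together
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# Run as: sh san-cert.sh ./out ocsng.domain.com ocsng
if [ "$#" -ge 2 ]; then
    make_san_cert "$@"
    key_matches_cert "$1/ocsng.pem" "$1/ocsng.key" && echo "key and certificate match"
fi
```

Running cert_has_name for each name the agents will connect with, before copying the files into place, catches a missing alias early.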
Copy the files to the Apache SSL directories:
cp ocsng.pem /etc/ssl/certs/
cp ocsng.key /etc/ssl/private/
Now, we need to tell Apache that it should use new certs:
Comment out the lines below [with #] and insert these instead:
SSLCertificateFile /etc/ssl/certs/ocsng.pem
SSLCertificateKeyFile /etc/ssl/private/ocsng.key
Now, in default-ssl.conf we need to append the /download folder config. Simply add the lines below just before </VirtualHost> at the bottom:
<Directory /var/lib/ocsinventory-reports/download>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Allow from all
    </IfModule>
</Directory>
Alias /download /var/lib/ocsinventory-reports/download
Restart Apache one more time:
service apache2 restart
Then, echo some file into the /download folder by issuing a simple command, just to make sure it works correctly:
echo test >> /var/lib/ocsinventory-reports/download/test.html
Now, try to access https://IP/download/test.html:
Now we are able to set /SSL=1 and enter the HTTPS URL in the OCS-NG Agent configuration!