6. OCS NG Configuration

In this chapter we will configure a few things that I consider useful and nice to have. They are optional, but I recommend them based on my experience. The following things will be configured:

  • Change the Apache default web page to /ocsreports, so there is no need to type /ocsreports after the hostname/IP address to reach OCS Reports
  • We will enable SSL for Apache and OCS-NG
  • We will disable HTTP access to the /download directory

At the end we will install the OCS-NG Agent on a Windows machine, collect some data and deploy a sample software package.

6.1 Change Apache document Root

OK, tired of constantly entering /ocsreports in order to get to your reports console? Well, me too. Let’s take care of it:

nano /etc/apache2/sites-enabled/000-default.conf

Comment out the following line:

DocumentRoot /var/www/html

And enter the line below:

DocumentRoot /usr/share/ocsinventory-reports/ocsreports

Now, just restart Apache and that’s it!

service apache2 restart

Now you can access OCS Reports by entering the IP/hostname in the address bar.

6.2 Configure SSL for OCS Inventory NG Server

So far we have successfully installed and performed the basic configuration of the OCS-NG 2.3 server. It all works well. We are able to start managing computers and their inventory.

However, we are unable to use the deployment feature, since it requires a valid SSL certificate both on the server and on the clients. HTTPS communication is used to download the info files from the server.

Before deploying the agent to the clients, be sure to test it with the SSL certificate installed on the server. If they can talk to each other and the client can successfully access the /download location on the server, you’re ready to deploy it on a large scale.

IMPORTANT!

For this example we will use a self-signed certificate for SSL. If you have your own trusted root CA or can request an SSL cert, I strongly recommend doing that, since it will be trusted by your OS, so no annoying pop-ups about an untrusted self-signed certificate will be displayed when accessing HTTPS.

Let’s do it!

First of all we need an SSL certificate. In order to be able to generate it we need a few things on our Debian environment. Let’s start with:

Installation of packages:

apt-get install -y openssl

Now, enable the ssl mod in Apache and restart the Apache daemon:

a2enmod ssl
service apache2 restart

After this command a new symbolic link called default-ssl.conf will be created in /etc/apache2/sites-available

Let’s enable it by creating a symlink:

ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/default-ssl.conf

After the above command a new symbolic link called default-ssl.conf will be created in /etc/apache2/sites-enabled/

OK, now that we have openssl running we need some certs, don’t we?
The following command will generate a key for the certificate:

openssl genrsa -des3 -out ocsng.key 2048

Enter and note somewhere (or remember) a pass phrase for the key.

Mind that we are using a 2048-bit key length because most modern OSes will block keys shorter than that. IETF recommends using at least a 2048, 3072 or even 4096-bit key length, since the American agency NSA confirmed that they are able to decrypt 1024-bit keys, so 2048 shouldn’t be a problem in the near future.

Back to the guide:
Convert the key to RSA:

mv ocsng.key ocsng-old.key
openssl rsa -in ocsng-old.key -out ocsng.key

Enter the pass phrase.
Now, we need a certificate request:

openssl req -new -key ocsng.key -out ocsng.csr

Fill in all fields:

  • Country Name (2 letter code)
  • State or Province Name (full name) [Some-State]
  • Locality Name (eg, city)
  • Organization Name (eg, company) [Internet Widgits Pty Ltd]
  • Organizational Unit Name (eg, section)
  • Common Name (e.g. server FQDN or YOUR name)
  • Email Address

IMPORTANT!

Remember to enter the same name in “Common Name” that client computers will use to connect. Otherwise agents will not be able to communicate with the server.

No need to provide extra attributes. There is, however, a little trick that can be done. We can provide more than one common name in the request to make sure all names are valid: ocsng.domain.com, ocsng and other DNS names or aliases. There is a very nice guide on how to do that.
If not, simply enter the command below to generate the certificate in .pem format:

openssl x509 -req -days 3650 -in ocsng.csr -signkey ocsng.key -out ocsng.pem
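The multi-name trick mentioned above, as an added example that is not part of the original guide: it builds a self-signed certificate with a subjectAltName list from a small config file, then checks which names the certificate really covers and that the key and certificate belong together. The function names and the scratch directory are assumptions for illustration; ocsng.domain.com and ocsng are the sample names used on this page.

```shell
# Added example. ocsng.domain.com and ocsng are the page's sample names.

# make_san_cert <dir> <common-name> <san-list>
# Writes ocsng.key and a self-signed ocsng.pem valid for every name in san-list
# (OpenSSL subjectAltName syntax, e.g. "DNS:ocsng.domain.com,DNS:ocsng").
make_san_cert() {
    dir=$1; cn=$2; sans=$3
    cat > "$dir/ocsng.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $cn
[v3]
subjectAltName = $sans
basicConstraints = CA:FALSE
EOF
    # The key is written without a pass phrase, so restrict it to its owner.
    ( umask 077; openssl genrsa -out "$dir/ocsng.key" 2048 2>/dev/null ) || return 1
    openssl req -x509 -new -key "$dir/ocsng.key" -days 3650 \
        -config "$dir/ocsng.cnf" -out "$dir/ocsng.pem"
}

# cert_covers <cert> <hostname>: true only if the certificate is valid for that name.
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# key_matches_cert <key> <cert>: true only if both files hold the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Demo in a scratch directory: check the names agents would be pointed at.
tmp=$(mktemp -d)
make_san_cert "$tmp" ocsng.domain.com "DNS:ocsng.domain.com,DNS:ocsng" || exit 1
for name in ocsng.domain.com ocsng other.domain.com; do
    if cert_covers "$tmp/ocsng.pem" "$name"; then echo "$name: covered"
    else echo "$name: NOT covered"; fi
done
key_matches_cert "$tmp/ocsng.key" "$tmp/ocsng.pem" && echo "key matches certificate"
```

When a subjectAltName list is present, the Common Name is no longer consulted for host matching, so every name the agents use has to appear in the list.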

Copy the files to the Apache SSL directories:

cp ocsng.pem /etc/ssl/certs/
cp ocsng.key /etc/ssl/private/

Now, we need to tell Apache that it should use the new certs:

nano /etc/apache2/sites-enabled/default-ssl.conf

Comment out the existing SSLCertificateFile and SSLCertificateKeyFile lines [with #] and insert the ones below:

SSLCertificateFile      /etc/ssl/certs/ocsng.pem
SSLCertificateKeyFile /etc/ssl/private/ocsng.key

Now, in default-ssl.conf we need to append the /download folder config. Simply add the lines below just before </VirtualHost> at the bottom:

        <Directory /var/lib/ocsinventory-reports/download>
                <IfModule mod_authz_core.c>
                        Require all granted
                </IfModule>
                <IfModule !mod_authz_core.c>
                        Order deny,allow
                        Allow from all
                </IfModule>
        </Directory>
        Alias /download /var/lib/ocsinventory-reports/download

Restart Apache one more time:

service apache2 restart

Then write a test file into the /download folder with a simple command, just to make sure it works correctly:

echo test >> /var/lib/ocsinventory-reports/download/test.html

Now, try to access https://IP/download/test.html.

Now we are able to set /SSL=1 and enter the HTTPS URL in the OCS-NG Agent configuration!