Enable SSL

Since everything is working as expected (hopefully!), we can enable SSL and finally force the use of HTTPS for OCS communication. This will improve the security and integrity of the data.

Let’s start with the SSL certificate. In my previous guides there was a bit of confusion regarding the SSL certificate. I strongly advise using a certificate that can be easily trusted by all clients (e.g. Active Directory PKI generated, Let’s Encrypt and so on). I do not recommend using self-signed certificates, unless you want to manually trust them when accessing OCS using a web browser. Also, please remember that when deploying the client certificate, one must provide a valid CA/issuer cert, not the server cert (unless a self-signed one is used). There are also a few tips that can help with certificate creation and trust:

  1. Multiple common names/DNS names should be added as DNS fields, not common names. You can use FQDNs as well as NetBIOS names, like dns=ocsng, dns=ocsng.domain.com, dns=ocsng.anotherdomain.com etc.
  2. Common Name can be a pure display name of the party, such as OCS Inventory NG Server, when using DNS fields.
  3. An IP address can be added to the certificate as well, using the IP field.

Always plan the names and IP addresses ahead!

Ok, now we can configure SSL for OCS and Apache.
I have a basic SSL certificate generated using Microsoft PKI with these values:

  • CN = OCS Inventory NG
    OU = IT
    O = MyCompany Name
    S = stateName
    C = PL

and DNS Names:

  • DNS=ocsng.domain.local
    DNS=ocsng.domain.pl
    DNS=ocsng

    I have a bundle with the .pfx extension, so I will need to convert it to the Linux .pem/.key format.
    I copied the bundle using WinSCP into the /tmp folder in Debian; now in the shell I enter the tmp folder, convert the bundle and copy the files into the appropriate directories. I also need to download and trust my Certification Authority certificate in Linux (comments are included after //).

    1. Install OpenSSL and enable SSL in Apache:
      apt install openssl -y
      a2enmod ssl
      
      //enable default ssl config for apache:
      ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/default-ssl.conf
      
      //restart apache:
      service apache2 restart
      
    2. Convert and install the certificate:
      cd /tmp
      
      //convert pfx to pem (certificates only; -nokeys keeps the private key out of the world-readable /etc/ssl/certs), provide pfx key
      openssl pkcs12 -in ocsng.pfx -out ocsng.pem -nokeys
      
      //extract key (provide pfx key once and then new password: 10 chars - twice):
      openssl pkcs12 -in ocsng.pfx -nocerts -out key.pem
      
      //remove key pass from the key (new password)
      openssl rsa -in key.pem -out ocsng.key
      
      cp ocsng.pem /etc/ssl/certs/
      cp ocsng.key /etc/ssl/private/
      
      //install root certificate!
      wget -O /usr/local/share/ca-certificates/root-ca.crt http://somedomain.com/crl/root-ca.cer
      
      //update the certificate store
      update-ca-certificates
      
    3. Now we need to adjust the Apache configuration to support SSL and secure the downloads folder:
      nano /etc/apache2/sites-enabled/default-ssl.conf
      
      //** replace original values with below or adjust them to match below:
      SSLCertificateFile      /etc/ssl/certs/ocsng.pem
      SSLCertificateKeyFile   /etc/ssl/private/ocsng.key
      
      //** at the end of file, right before </VirtualHost>
      
      Alias /download /var/lib/ocsinventory-reports/download
      <Directory /var/lib/ocsinventory-reports/download>
          <IfModule mod_authz_core.c>
              # Apache 2.4
              #Require all denied
              Require host localhost
              Require ip 127.0.0.1
              Require ip 192.168
          </IfModule>
          <IfModule !mod_authz_core.c>
              Order deny,allow
              #Deny from all
              Deny from all
              Allow from 127.0.0.1 ::1
              Allow from 192.168
              Allow from localhost
          </IfModule>
      </Directory>
      
    4. Now, the second OCS config file:
      nano /etc/apache2/conf-enabled/ocsinventory-reports.conf
      
       # Uncomment following to force use of HTTPS in Administration Server
      		
      <Directory /var/lib/ocsinventory-reports/download>
          <IfModule mod_authz_core.c>
              # Apache 2.4
              #Require all denied
              Require host localhost
              Require ip 127.0.0.1
              Require ip 192.168
          </IfModule>
          <IfModule !mod_authz_core.c>
              Order deny,allow
              #Allow from all
              Deny from all
              Allow from 127.0.0.1 ::1
              Allow from 192.168
              Allow from localhost
          </IfModule>
      </Directory>
      Alias /download /var/lib/ocsinventory-reports/download
      
      //restart apache
      service apache2 restart
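
A way to sanity-check the files produced in step 2 before restarting Apache, as an added example that is not part of the original guide: it checks that the certificate file holds no private key, that the certificate and key belong together, and that the planned DNS names are present. The function names are hypothetical, and the `-ext` option assumes OpenSSL 1.1.1 or newer.

```bash
#!/bin/sh
# Added example (not from the original guide): checks for the converted files.

# Succeeds if the file contains any PEM private key block. A file copied to
# the world-readable /etc/ssl/certs directory should NOT contain one.
pem_has_private_key() {
    grep -q -- '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1"
}

# Succeeds if the first certificate in <cert> and the key in <key> carry the
# same public key (RSA or EC). An encrypted key fails instead of prompting.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if <cert> lists exactly <name> as a DNS subjectAltName entry.
cert_has_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -qFx "DNS:$2"
}

# Runs all checks, prints one line per failure, returns non-zero on any.
check_tls_files() {  # check_tls_files <cert.pem> <key> <dns-name>...
    cert=$1; key=$2; shift 2; rc=0
    if pem_has_private_key "$cert"; then
        echo "FAIL: $cert contains a private key"; rc=1
    fi
    if ! cert_matches_key "$cert" "$key"; then
        echo "FAIL: $key does not belong to $cert"; rc=1
    fi
    for name in "$@"; do
        if ! cert_has_san "$cert" "$name"; then
            echo "FAIL: $cert has no SAN entry DNS:$name"; rc=1
        fi
    done
    return $rc
}

# Usage with this guide's paths and names (run as root):
# check_tls_files /etc/ssl/certs/ocsng.pem /etc/ssl/private/ocsng.key \
#     ocsng.domain.local ocsng.domain.pl ocsng
```

A certificate that fails the SAN check has to be reissued with the missing names; the other two failures can be fixed by repeating the conversion.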