Enable SSL
Since everything is (hopefully!) working as expected, we can enable SSL and finally force HTTPS for all OCS communication. This protects both the confidentiality and the integrity of inventory data in transit. Let’s start with the SSL certificate. In my previous guides there was some confusion about it, so to be clear: I strongly advise using a certificate that all clients can trust without extra work (e.g. one issued by an Active Directory PKI, Let’s Encrypt and so on). I do not recommend self-signed certificates unless you are prepared to trust them manually on every client and in every browser that accesses OCS. Also remember that the agent’s certificate setting takes the CA/issuer certificate, not the server certificate (unless a self-signed certificate is used, in which case the server certificate is its own issuer). A few tips that help with certificate creation and trust:
- Multiple host names should be added as Subject Alternative Name DNS entries, not as multiple Common Names. You can use FQDNs as well as NetBIOS names, e.g. DNS=ocsng, DNS=ocsng.domain.com, DNS=ocsng.anotherdomain.com. Browsers and agents match the SAN list, not the Common Name.
- The Common Name can then be a pure display name of the party, such as OCS Inventory NG Server.
- An IP address can be added as well, using an IP SAN entry; clients match an IP against the SAN list, so that is where it has to be.
Always plan the names and IP addresses ahead! Every URL the agents and users will type must appear in the certificate.
OK, now we can configure SSL for OCS and Apache.
I have a basic SSL certificate generated using Microsoft PKI with these values:
OU = IT
O = MyCompany Name
S = stateName
C = PL
and DNS names:
DNS=ocsng.domain.local
DNS=ocsng.domain.pl
DNS=ocsng
I have the bundle with a .pfx extension, so I need to convert it to the .pem/.key format Linux tools expect.
I copied the bundle with WinSCP into the /tmp folder on Debian. Now, in the shell, I enter /tmp, convert the bundle and copy the parts into the appropriate directories. I also need to download and trust my Certification Authority certificate on Linux (comments are included after //).
- Install OpenSSL and enable SSL in Apache:
apt install openssl -y
a2enmod ssl
//enable the default SSL site for Apache (a2ensite default-ssl does the same):
ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/default-ssl.conf
//restart apache:
service apache2 restart
- Convert and install the certificate:
cd /tmp
//extract the server certificate only (provide the pfx password). Do not use -nodes here without -nokeys:
//that would also write the private key into ocsng.pem, which ends up in world-readable /etc/ssl/certs
openssl pkcs12 -in ocsng.pfx -clcerts -nokeys -out ocsng.pem
//extract the key (provide the pfx password once, then a new passphrase for the exported key, twice):
openssl pkcs12 -in ocsng.pfx -nocerts -out key.pem
//remove the passphrase from the key (provide the new passphrase) so Apache can start unattended:
openssl rsa -in key.pem -out ocsng.key
cp ocsng.pem /etc/ssl/certs/
cp ocsng.key /etc/ssl/private/
//install the root certificate! update-ca-certificates only picks up PEM files named *.crt in this
//directory; Microsoft CAs usually export DER (.cer), which has to be converted first with
//openssl x509 -inform DER -in root-ca.cer -out root-ca.crt. A PEM file starts with -----BEGIN CERTIFICATE-----
wget -O /usr/local/share/ca-certificates/root-ca.crt http://somedomain.com/crl/root-ca.cer
//the download is plain http, so compare the SHA-256 fingerprint with the one shown on the CA itself
//before trusting it (openssl x509 -in root-ca.crt -noout -fingerprint -sha256)
//update the certificate store
update-ca-certificates
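The conversion and CA-trust step above, as an added example that is not part of the original guide: a small POSIX shell script that does the same work as the commands above but as functions, keeps the private key out of the certificate file, checks that the key actually matches the certificate, converts a DER root CA to the PEM form update-ca-certificates needs, checks the root CA’s SHA-256 fingerprint before it is trusted, and shows which SAN names the clients will match. File names, the password and the host names in it are placeholders/assumptions; it needs openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not code from the original guide): PKCS#12 -> Apache cert/key,
# with the checks a practitioner wants before reconfiguring Apache.
# Assumptions: openssl 1.1.1+ is installed; all file names are arguments.
set -eu

# convert_pfx BUNDLE.pfx PASSWORD OUTDIR
# Writes OUTDIR/ocsng.pem (server certificate only), OUTDIR/chain.pem (any
# intermediate CAs in the bundle, may be empty) and OUTDIR/ocsng.key
# (unencrypted private key, mode 0600). Returns 1 if key and cert do not match.
convert_pfx() {
    pfx=$1 pass=$2 out=$3
    mkdir -p "$out"
    # -nokeys: the private key must not end up in world-readable /etc/ssl/certs
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys -out "$out/ocsng.pem"
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys -out "$out/chain.pem"
    # -nodes writes the key without a passphrase in one step (pkcs12 + rsa in the guide)
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$out/ocsng.key"
    chmod 600 "$out/ocsng.key"
    # The public key in the certificate must equal the one derived from the key
    [ "$(openssl x509 -in "$out/ocsng.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$out/ocsng.key" -pubout)" ]
}

# ca_to_pem INPUT OUTPUT
# update-ca-certificates only reads PEM files named *.crt under
# /usr/local/share/ca-certificates; Microsoft CAs usually export DER .cer files.
ca_to_pem() {
    if openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then
        openssl x509 -in "$1" -inform PEM -out "$2"
    else
        openssl x509 -in "$1" -inform DER -out "$2"
    fi
}

# fingerprint CERT -> SHA-256 fingerprint as lowercase hex without colons
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# check_fingerprint CERT EXPECTED_HEX
# A root CA fetched over plain http is only as trustworthy as this comparison;
# take EXPECTED_HEX from the CA console or another out-of-band source.
check_fingerprint() {
    [ "$(fingerprint "$1")" = "$2" ]
}

# cert_names CERT -> the subjectAltName list clients will actually match against
cert_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName | sed 1d | tr -d ' '
}

# verify_chain ROOT.pem LEAF.pem [CHAIN.pem]
# The same check the agents and browsers will do: does LEAF chain up to ROOT?
verify_chain() {
    if [ -s "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null
    else
        openssl verify -CAfile "$1" "$2" >/dev/null
    fi
}

# install_ca PEM_CERT  (run as root on the Debian server, only after check_fingerprint)
install_ca() {
    cp "$1" /usr/local/share/ca-certificates/root-ca.crt
    update-ca-certificates
}

# Typical run (paths are assumptions; the .pfx is the one exported from the Windows CA):
#   convert_pfx /tmp/ocsng.pfx 'pfx-password' /tmp/out
#   ca_to_pem /tmp/root-ca.cer /tmp/root-ca.pem
#   check_fingerprint /tmp/root-ca.pem '<sha256 hex from the CA>' && install_ca /tmp/root-ca.pem
#   verify_chain /tmp/root-ca.pem /tmp/out/ocsng.pem /tmp/out/chain.pem
#   cert_names /tmp/out/ocsng.pem
```

If the .pfx was exported by an older Windows release and OpenSSL 3 refuses it with an "unsupported" algorithm error, add `-legacy` to the `openssl pkcs12 -in` calls. If chain.pem is not empty, your PKI has an intermediate CA and Apache needs it too (SSLCertificateChainFile, or appended to the certificate file on Apache 2.4.8+), otherwise non-Windows clients cannot build the chain even though domain-joined Windows machines will.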
- Now we need to adjust the Apache configuration to use the certificate and to restrict the downloads folder (the deployment packages) to local clients. Require ip 192.168 matches the whole 192.168.0.0/16 range; adjust it to the subnets your agents actually use:
nano /etc/apache2/sites-enabled/default-ssl.conf
//** replace the original values with the ones below, or adjust them to match:
SSLCertificateFile /etc/ssl/certs/ocsng.pem
SSLCertificateKeyFile /etc/ssl/private/ocsng.key
//** at the end of the file, right before </VirtualHost>:
Alias /download /var/lib/ocsinventory-reports/download
<Directory /var/lib/ocsinventory-reports/download>
    <IfModule mod_authz_core.c>
        # Apache 2.4
        #Require all denied
        Require host localhost
        Require ip 127.0.0.1
        Require ip 192.168
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order deny,allow
        #Deny from all
        Deny from all
        Allow from 127.0.0.1 ::1
        Allow from 192.168
        Allow from localhost
    </IfModule>
</Directory>
- Now the second OCS config file. The same /download restriction goes here, next to the stock comment about forcing HTTPS for the administration server:
nano /etc/apache2/conf-enabled/ocsinventory-reports.conf
# Uncomment following to force use of HTTPS in Administration Server
<Directory /var/lib/ocsinventory-reports/download>
    <IfModule mod_authz_core.c>
        # Apache 2.4
        #Require all denied
        Require host localhost
        Require ip 127.0.0.1
        Require ip 192.168
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order deny,allow
        #Allow from all
        Deny from all
        Allow from 127.0.0.1 ::1
        Allow from 192.168
        Allow from localhost
    </IfModule>
</Directory>
Alias /download /var/lib/ocsinventory-reports/download
//check the syntax, then restart apache
apachectl configtest
service apache2 restart
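The two Apache edits above only add the certificate and restrict /download. As an added example (mine, not from the original guide and not OCS’s shipped configuration), here is a complete pair of virtual hosts that also does what this section set out to do, force HTTPS: the :80 host only redirects, the :443 host pins the protocol floor, serves the chain and sends HSTS. The host names, the 192.168.0.0/16 agent network and the chain-file path are assumptions; `Header` needs mod_headers (a2enmod headers), and `+TLSv1.3` needs Apache 2.4.37 with OpenSSL 1.1.1 or newer (drop it on older releases). Agents do not benefit from the redirect: point them at the https URL with SSL enabled and the CA certificate instead of relying on it.

```apache
# Added example: complete HTTP -> HTTPS setup for the OCS server.
# Port 80 accepts nothing in clear text and sends browsers to the HTTPS site.
<VirtualHost *:80>
    ServerName ocsng.domain.local
    ServerAlias ocsng ocsng.domain.pl
    Redirect permanent / https://ocsng.domain.local/
</VirtualHost>

<VirtualHost *:443>
    ServerName ocsng.domain.local
    ServerAlias ocsng ocsng.domain.pl

    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/ocsng.pem
    SSLCertificateKeyFile   /etc/ssl/private/ocsng.key
    # Intermediate CA(s) from the .pfx, if your PKI has a subordinate CA (assumed path);
    # without them non-Windows clients cannot build the chain.
    #SSLCertificateChainFile /etc/ssl/certs/ocsng-chain.pem

    # Explicit protocol floor instead of the release-dependent mods-available/ssl.conf default.
    SSLProtocol             -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     on
    # Tell browsers to stay on HTTPS for the console (requires mod_headers).
    Header always set Strict-Transport-Security "max-age=31536000"

    # Deployment packages: only localhost and agents on the LAN, never the internet.
    Alias /download /var/lib/ocsinventory-reports/download
    <Directory /var/lib/ocsinventory-reports/download>
        Require ip 127.0.0.1 ::1
        Require ip 192.168.0.0/16
    </Directory>
</VirtualHost>
```

After `apachectl configtest` and a restart, check from a client the way an agent would: `openssl s_client -connect ocsng.domain.local:443 -servername ocsng.domain.local -CAfile root-ca.crt` must end with "Verify return code: 0 (ok)"; if it does not, the chain or the SAN names are wrong, and the agent will fail the same way.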
Hi! Love your tutorials. Really in-depth, and with the descriptive text it really makes a lot more sense than a lot of other How-To’s out there! Keep up the good work :). I see you have Nagios set up as well, any good reason for going for Nagios vs Zabbix?
Hello Trond, Thanks for your comment! I just write them in a way I could make use of them after a while:) Regarding Nagios vs Zabbix – to be honest I never used Zabbix so I cannot tell which is better. I used Nagios in one of my early jobs and thought that it’s quite good. These days there are many more like Grafana with all the plugins and others as well.
Really Nice Tutorial thank you!
Can you maybe add a tutorial for deploying via GPO?
I tried using PsExec but somehow it does not work. If I run the “OcsPackage.exe” as Admin it works, but without this it does not work.
And somehow there should be an easy solution completely via GPO + Deployment Tool.
Thanks!
It’s actually pretty easy! You build an ocspackage.exe using the OCS Packager tool, place it somewhere on the network like sysvol/scripts and then create a new GPO with a scheduled task set to run only once at a specific time and to run ASAP if the schedule is missed. Then the task will be removed after it runs.
The trigger can be anything, the command line will be ocspackage.exe and that’s it! :)
And what’s with the rights management?
Normal users can’t install a service…?
Maybe I’m wrong, but isn’t the goal to install the service everywhere?
Yes, when you create a task to deploy the agent, create it to run with highest privileges and set “NT Authority\SYSTEM” as the executing user. Also, set the task to run immediately. Then OCS will install as a service no matter what user is currently logged on.
Hi Milosz :)
Got my OCS Inventory 2.5 server up and running thanks to you!
Thank you very much.
Do you have any clue as to how I can launch something “verbose”?
Looks like OCS Inventory forces the install to be silent no matter what I do.
I have an installer (exe) that is not designed to be run silently. So it seems like it doesn’t install.
I tried a dozen installers, and all work except the one I really need to work.
Suggestions? :)
Hey, good that it worked for you! Thanks for your feedback. Regarding that installer, I would start with the option “Installation completion need user action” enabled. Also, you could wrap that installer in some MSI wrapper, provide the answers and install that way. When you deploy software it uses the SYSTEM account, that is why you do not see any screens. I think the easiest way is to use MSI wrapper software. There are many to choose from:)
Hello, first, thank you for your tutorial. I get a permission denied when I try http://localhost/ocsreports
How to solve that?
Thanks
Hello Milosz, can you help me please to fix my problem? I followed your tutorial but I get an error when I try to access http://localhost/ocsreports.
You don’t have permission to access /ocsreports/ on this server.
At which stage/point does this error occur? After all the steps, or right after installation? Also, have you tried to access it from another computer using the IP? Seems like a permission issue in the Apache default.conf file to me.
Hi, thanks for your great installation manual, but I am not able to create administrative radio buttons or checkboxes.
The checkboxes are just not visible.
Perhaps it has something to do with the install of php-gd (I think it is missing).
Please try all types of checkboxes and textboxes. I think you can report this issue as a bug to the ocs-team or change your installation manual.
Fred
Hey Fred, yeah, got your point. I will test it tomorrow. Since you have pointed at php-gd, maybe just give it a try and report back:) I will do some tests from my end, though.
Thanks!
Very good tutorial, your blog has helped me a lot in the past and still does today. If you can help me with something extra… I cannot configure the SNMP issue; if you have any valuable tips or a specific tutorial… thank you!
Hugs
Hey, thank you for this tutorial, everything is fine but unfortunately I have a problem installing the officepack plugin. I’m getting an error when I try to install it (MySQL error: Installation aborted!)
Any suggestions?
I must double check it, but I think Office Pack is no longer supported. Keep in mind that since Office 2013 and up (including offline, CTR and O365) you will not get the keys read, as they are encrypted in the OS. Only the last part of the key is available, using the OSPP.vbs script that comes with the Office setup.
Thank you Milosz for providing these guides to OCS Inventory. Unfortunately I had built my project on CentOS, but regardless, I was able to fix many steps thanks to the information here. (If you’re reading this and stuck using CentOS, check out the guide on the Celerium blog here; https://celerium.org/2018/11/03/setup-install-ocsng-on-centos-7/)
Hi, thanks for the feedback. Unfortunately I’m more into Debian (as this was “my first” distro years ago). CentOS is a bit different, but I’m glad you made it! Thanks for your comment and links!
Great work. Could you take a look? I have the same problem:
http://ask.ocsinventory-ng.org/9999/installation-issue-in-plugins
OCS works great but the plugins do not.
Yeah, I will look into it in some spare time. Maybe even upgrade the guide:) Thanks for the tip. I will post back!
I have OCS NG installed in a domain with SSL. But when activating a package in Deployment, the system shows this error:
WARNING: Can’t find information file at https://ocsng.domain/download/1557338069/
WARNING: Can’t find fragments files at http://ocsng.domain/download/1557338069/
But if I access the following URL from the browser, https://ocsng.domain/download/1557338069/info, it shows me the information:
Hey, it looks like http/https problems. If I remember correctly I had to allow remote connections in the Apache server. Do you test it from a remote computer’s browser or from localhost? Please provide the Apache logs, they should give more information.
Good morning. Thanks for reply.
I’m using a dedicated Ubuntu server, I can access it from any PC in my network, and from external devices, like my phone.
x.x.16.103 is my PC.
x.x.16.4 is my external phone.
This is the log file: https://drive.google.com/open?id=11Vz3BFcFAG-PbHYX0XZQGLDFkwzEPeFZ
I don’t see anything worrying apart from one 404 in the log. Check if the download works from the client side. Keep in mind that in order to use SSL you need to set SSL=1 in the client and provide a valid CA cert.
OK, but does the download actually work? I have the same message but the download works correctly. I do not use “advanced features of teledeploy”, however.
Hi, I have my OCS test machine on VMware and I’m at the point where the agent on Windows is installed, but I get
AGENT => Failed to retrieve Label. I don’t use SSL. Not sure in which config file I made a mistake.
Hey, please check the agent ini config file in C:\ProgramData\OCS Inventory NG\Agent. Review the URLs in the server configuration and check the apache2 logs for any access denied, 5xx or 404 errors.
Hi, thanks for everything. I get a problem with the installation of SSL:
this line: openssl pkcs12 -in ocsng.pfx -out ocsng.pem -nodes
gives me: pkcs12: Cannot open input file ocsng.pfx, No such file or directory
pkcs12: Use -help for summary.
I don’t know what I’m supposed to do.
Sorry for my English (I’m French).
thanks again if you take time for me.
Hi, thanks for your comment. The error tells you that openssl cannot find the .pfx file. If you specify the name only, (every OS) assumes the file is in the current directory (on Linux-like systems /tmp/some/directory# for example). Double check where the .pfx file is and what the current dir is:)
Thanks for the answer, but I don’t find ocsng.pfx
root@raspberrypi301:/tmp# find / -name "*.pfx" -print
and the only result is /usr/share/cmake-3.7/Templates/Windows/Windows_TemporaryKey.pfx
It’s like I don’t have any ocsng.pfx.
Aaaah, OK, I see. In the guide I wrote that I have the SSL certificate already generated, but if you do not have any CA to get the cert from (like MS PKI) you can generate a self-signed cert using this guide:
https://miloszengel.com/ocs-inventory-ng-2-3-complete-install-guide-on-debian-8-7-jessie/5/
:)
Sorry mate, but your tutorial was almost good, not that easy after all, because I get an error 403 trying to reach http://your_OCS_Server_IP_or_Name/ocsreports
…
Hey, please keep in mind that it was tested with specific OCS and Debian versions. Please post some logs, maybe I will be able to help!
Hello, why this:
//install root certificate!
wget -O /usr/local/share/ca-certificates/root-ca.crt http://somedomain.com/crl/root-ca.cer
//update the certificate store
update-ca-certificates
Aren’t the created key and pem certificates enough?
Hey, I didn’t get that, to be honest. What is not working?
Hi
Is there a way to force the OCS server to accept data from hosts whose agent has the CA cert itself, and deny those whose agent doesn’t?
Hey, if you require SSL on the server side I believe this should enforce it. I didn’t check it, however. I will build a more maintained version of this guide soon, as there are many queries regarding it. Thanks!
Hi.
Why are we using the command below, and please tell me about somedomain.com.
wget -O /usr/local/share/ca-certificates/root-ca.crt http://somedomain.com/crl/root-ca.cer
This is to place your root CA certificate at a publicly available URL. Somedomain.com is here just as an example😊