New and updated version for Debian Stretch and OCS Inventory NG server 2.5 can be found here!
In the first part we successfully installed and performed the basic configuration of the OCS-NG 2.2RC1 server. It all works well: we are able to start managing computers and their inventory. As in the first part of the series we are using Debian 8.2 (Jessie). The first part can be found here.
However, we are unable to use the deployment feature yet, since it requires a valid SSL certificate on the server and a copy of that certificate (or of the CA that issued it) on the clients, so that the agents can verify the server.
Before deploying the agent to the clients, be sure to test it against the server with the SSL certificate installed. If they can talk to each other and the client can successfully access the /download location on the server, you are ready to deploy on a large scale.
For this example we will use a self-signed certificate. If you have your own trusted root CA, or can request a certificate from one, I strongly recommend that instead: such a certificate is already trusted by the client OS, so no warnings about an untrusted self-signed certificate will be displayed when accessing the server over HTTPS.
In this tutorial we will perform the following steps to enable deployment:
- Generate valid SSL certificate using openssl
- Configure Apache2 to use SSL
- Enable SSL on /download folder
- Disable HTTP on /download folder
- Test access with HTTP and HTTPS to deployment share (/download)
- Include/place ocsng certificate in agent config
1. Generate a valid SSL certificate using openssl
First of all we need an SSL certificate. To generate it we need a few things in our Debian environment. Let's start with the installation of packages:
apt-get install -y openssl
Then we need to enable the SSL module and the default SSL site for apache, with a2enmod ssl followed by a2ensite default-ssl.
After the second command a new symbolic link called default-ssl.conf will be created in /etc/apache2/sites-enabled/.
OK, now that we have openssl we need some certs, don't we? 🙂
The following command generates a key for the certificate:
openssl genrsa -des3 -out ocsng.key 2048
Enter a pass phrase for the key and note it somewhere (or remember it).
Mind that we are using a 2048-bit key because modern browsers and operating systems reject certificates with shorter RSA keys. 1024-bit RSA has been deprecated for years (NIST disallowed it for new signatures after 2013), and current guidance is at least 2048 bits, with 3072 or 4096 if you want extra margin for a certificate that, like this one, will be valid for ten years.
Back to the guide:
Strip the pass phrase from the key. The key is already RSA; this step only removes the encryption, so that apache can load the key at start-up without asking for the pass phrase:
mv ocsng.key ocsng-old.key
openssl rsa -in ocsng-old.key -out ocsng.key
Enter the pass phrase when prompted. From now on the key file itself is the secret: keep it owned by root and readable by nobody else.
Now, we need a certificate request:
openssl req -new -key ocsng.key -out ocsng.csr
Fill in all fields:
- Country Name (2 letter code)
- State or Province Name (full name) [Some-State]
- Locality Name (eg, city)
- Organization Name (eg, company) [Internet Widgits Pty Ltd]
- Organizational Unit Name (eg, section)
- Common Name (e.g. server FQDN or YOUR name)
- Email Address
No need to provide the extra attributes (challenge password, optional company name); just press Enter. There is, however, a little trick that can be done: a certificate can carry more than one name, so that ocsng.domain.com, the short name ocsng and any other DNS names or aliases are all valid. These extra names go into the subjectAltName extension rather than the Common Name, and with the openssl shipped in Jessie they have to be supplied through an OpenSSL config file. There is a very nice guide on how to do that.
If you do not need that, simply enter the command below to generate a self-signed certificate, valid for ten years, in .pem format:
openssl x509 -req -days 3650 -in ocsng.csr -signkey ocsng.key -out ocsng.pem
Note that a certificate made this way has no subjectAltName at all. Current browsers (Chrome since version 58) ignore the Common Name and only match the SAN, so in a browser such a certificate is rejected for the host name as well as for being self-signed; the OCS agent, which only needs the certificate in its cacert.pem, does not care.
OK, in the current folder we now have four files: ocsng-old.key (the encrypted key), ocsng.key (the unencrypted key), ocsng.csr (the request) and ocsng.pem (the certificate). Copy the two that apache needs:
- ocsng.key to /etc/ssl/private/
- ocsng.pem to /etc/ssl/certs/
by issuing the following commands:
cp ocsng.pem /etc/ssl/certs/
cp ocsng.key /etc/ssl/private/
Make sure the copied key is owned by root with mode 600 (on Debian /etc/ssl/private itself is already not readable by other users). The request is no longer needed, and ocsng-old.key should either be deleted or kept offline; only ocsng.pem ever leaves the server.
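Putting the whole of this section together, here is an added example script (not from the original post) that does the key and certificate generation in one openssl call instead of four, sets the key permissions, and includes the multiple-names trick mentioned above by placing every name in subjectAltName. It also contains the checks worth running before pointing apache at the files: that the certificate belongs to the key, and that the certificate validates against itself the way the agent will validate it against cacert.pem. The host name ocsng.example.com, the alias ocsng and the output directory are assumptions; openssl must be installed.

```sh
#!/bin/sh
# gen-ocsng-cert.sh -- added example: key + self-signed certificate for the OCS
# server in one openssl call, with all server names in subjectAltName.
# Usage: sh gen-ocsng-cert.sh OUTDIR FQDN [ALIAS ...]
#   e.g. sh gen-ocsng-cert.sh /root/ocs-cert ocsng.example.com ocsng
# Assumptions: openssl is installed; the host names above are placeholders.
set -u

# gen_ocsng_cert OUTDIR FQDN [ALIAS ...]: writes OUTDIR/ocsng.key and OUTDIR/ocsng.pem.
gen_ocsng_cert() {
  outdir=$1; fqdn=$2; shift 2
  mkdir -p "$outdir" || return 1
  # subjectAltName: the FQDN first, then every alias given on the command line.
  san="DNS:$fqdn"
  for n in "$@"; do san="$san,DNS:$n"; done
  # Config file: non-interactive subject plus server-certificate extensions.
  cat > "$outdir/ocsng.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no

[dn]
CN = $fqdn

[v3_server]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = $san
EOF
  # -newkey/-nodes/-x509 replace genrsa, the pass-phrase strip, req and x509:
  # 2048-bit RSA, no pass phrase, SHA-256 signature, self-signed for 10 years.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
      -config "$outdir/ocsng.cnf" \
      -keyout "$outdir/ocsng.key" -out "$outdir/ocsng.pem" >/dev/null 2>&1 || return 1
  # The unencrypted key is the secret: owner-only from the moment it exists.
  chmod 600 "$outdir/ocsng.key"
}

# cert_cn CERT: prints the subject in RFC 2253 form, e.g. "CN=ocsng.example.com".
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# cert_san CERT: prints the SAN list, e.g. "DNS:ocsng.example.com, DNS:ocsng".
cert_san() {
  openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# cert_matches_key CERT KEY: succeeds if the certificate's public key belongs to KEY
# (run this before pointing SSLCertificateFile/SSLCertificateKeyFile at them).
cert_matches_key() {
  pub_c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  pub_k=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$pub_c" = "$pub_k" ]
}

# cert_trusted_by CERT CAFILE: succeeds if CERT validates against CAFILE. This is
# what the agent does with cacert.pem; for a self-signed cert CAFILE is the cert itself.
cert_trusted_by() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

if [ $# -ge 2 ]; then
  gen_ocsng_cert "$@" || { echo "certificate generation failed" >&2; exit 1; }
  echo "subject: $(cert_cn "$1/ocsng.pem")"
  echo "SAN:     $(cert_san "$1/ocsng.pem")"
fi
```

The script writes its own minimal OpenSSL config, so it does not depend on the system openssl.cnf; basicConstraints is explicitly CA:FALSE because this is a server certificate, not a CA. The resulting ocsng.key and ocsng.pem drop into the same places as the files produced by the manual steps above.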
Now we need to:
2. Configure Apache2 to use SSL
This part is easy and makes apache use our newly created certificate.
Edit the file:
nano /etc/apache2/sites-enabled/default-ssl.conf
and change the lines (by default they point at Debian's "snakeoil" certificate):
SSLCertificateFile
SSLCertificateKeyFile
to:
SSLCertificateFile /etc/ssl/certs/ocsng.pem
SSLCertificateKeyFile /etc/ssl/private/ocsng.key
Now restart apache:
service apache2 restart
If you kept the pass phrase on the key (i.e. skipped the step that removed it), apache will prompt for the key's pass phrase at every start. Enter the pass phrase for the key.
It would be nice to avoid this prompt. It can be done by saving the pass phrase in an executable file that apache runs at start-up, but be clear about what that buys you: a pass phrase stored in plain text on the same disk as the key protects nothing that an unencrypted, root-only key does not already protect, so if you go this way the file must itself be readable by root only. Create it:
nano /usr/share/apache2/pass
This opens the nano editor. Paste the following:
#!/bin/sh
echo "PASSWORD_FOR_CERT_KEY_GOES_HERE"
Press CTRL+X and Y to save the file, then make it executable and root-only:
chmod 700 /usr/share/apache2/pass
Now tell apache to use this file for the pass phrase. Debian already ships such a directive in /etc/apache2/mods-enabled/ssl.conf pointing at /usr/share/apache2/ask-for-passphrase, and the directive is only valid at server-config level, not inside a <VirtualHost> block; so either change that existing line, or add the following to default-ssl.conf outside the <VirtualHost> block:
SSLPassPhraseDialog exec:/usr/share/apache2/pass
This tells apache to execute /usr/share/apache2/pass on start-up in order to read the pass phrase.
OK, at this point apache is running and ocsreports can be accessed over both HTTP and HTTPS. This is fine. If you want, you can disable HTTP access entirely, but I prefer to disable only HTTP access to the /download folder. First we need to enable SSL on /download and then restrict non-SSL sessions to it:
3. Enable SSL on /download folder
If we have SSL running, let's use it!
Edit the file:
nano /etc/apache2/sites-enabled/default-ssl.conf
and add the following inside the <VirtualHost _default_:443> block:
Alias /download /var/lib/ocsinventory-reports/download
<Directory /var/lib/ocsinventory-reports/download>
#Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
Leaving the Options Indexes line commented out is deliberate: that is what prevents directory listings over HTTPS, so only someone who knows a file's exact path can fetch it. The Order/allow lines are Apache 2.2 syntax, which the Apache 2.4 in Jessie still accepts through mod_access_compat; the 2.4 form of the same rule is Require all granted.
4. Disable HTTP on /download folder
Edit the file:
nano /etc/apache2/sites-enabled/ocsinventory-reports.conf
and replace
Alias /download /var/lib/ocsinventory-reports/download
<Directory /var/lib/ocsinventory-reports/download>
Order Allow,Deny
Allow from all
Require all granted
</Directory>
with this:
Alias /download /var/lib/ocsinventory-reports/download
<Directory /var/lib/ocsinventory-reports/download>
Order Allow,Deny
Deny from all
Require all granted
</Directory>
This file only serves the plain-HTTP virtual host, so the Deny applies to HTTP requests for /download alone; the HTTPS alias configured in default-ssl.conf is unaffected. Check the syntax with apache2ctl configtest, then restart apache:
service apache2 restart
OK, after completing the steps above it's time to:
5. Test access with HTTP and HTTPS to the deployment share (/download)
Try to access the address over HTTP:
- http://ocsng-ip-address-or-name/download – you should get a 403 error like:
- Now try to access a file inside the /download folder (this must be refused as well)
Now try to access /download over HTTPS:
- https://ocsng-ip-address-or-name/download – you should get a 403 error like:
- Now try to access a particular file in that directory (this one must succeed):
As you can see from the above, in this configuration you cannot access the /download directory over HTTP at all, and you cannot view a listing of the directory even over HTTPS. But if you know the exact path and name of a file, you (or the client agents) can download the files that are meant to be deployed to the computers. Since the agents know those paths, they will be able to download packages.
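To make the tests above repeatable, for example after every change to the apache configuration, here is an added example script, not part of the original post, that runs the same checks with curl from any Linux box that can reach the server, plus one more: that HTTPS is refused when the server certificate is not supplied as CA, which is the reason the agents need cacert.pem. The host name ocsng.example.com, the test file test.txt (which you must place under /var/lib/ocsinventory-reports/download yourself) and the path of the copied server certificate are assumptions.

```sh
#!/bin/sh
# check-download.sh -- added example: verify the /download access policy with curl.
# Usage: sh check-download.sh HOST FILE CACERT
#   e.g. sh check-download.sh ocsng.example.com test.txt ocsng.pem
# Assumptions: curl is installed; HOST, FILE and CACERT are placeholders; FILE
# exists under /var/lib/ocsinventory-reports/download on the server.

# http_status URL [CURL_OPTS...]: prints the HTTP status code. curl reports "000"
# when no response was received, e.g. because the TLS certificate check failed.
http_status() {
  url=$1; shift
  curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$@" "$url" || true
}

# check LABEL EXPECTED URL [CURL_OPTS...]: one PASS/FAIL line, returns 0 on a match.
check() {
  label=$1; want=$2; url=$3; shift 3
  got=$(http_status "$url" "$@")
  if [ "$got" = "$want" ]; then
    printf 'PASS  %-40s %s\n' "$label" "$got"
    return 0
  fi
  printf 'FAIL  %-40s expected %s, got %s\n' "$label" "$want" "$got"
  return 1
}

# run_checks HOST FILE CACERT: runs all checks, returns the number of failures.
# Trailing slashes are used on purpose so that mod_dir's redirect from /download
# to /download/ cannot turn an expected 403 into a 301.
run_checks() {
  host=$1; file=$2; ca=$3; fails=0
  check "HTTP /download is denied"            403 "http://$host/download/" \
    || fails=$((fails + 1))
  check "HTTP file download is denied"        403 "http://$host/download/$file" \
    || fails=$((fails + 1))
  check "HTTPS directory listing is denied"   403 "https://$host/download/" --cacert "$ca" \
    || fails=$((fails + 1))
  check "HTTPS file download works"           200 "https://$host/download/$file" --cacert "$ca" \
    || fails=$((fails + 1))
  # Without the server certificate as CA the handshake must fail: this is why the
  # agents need cacert.pem, and it proves curl really verifies the certificate.
  check "HTTPS without cacert.pem is refused" 000 "https://$host/download/$file" \
    || fails=$((fails + 1))
  return $fails
}

if [ $# -eq 3 ]; then
  run_checks "$1" "$2" "$3"
  exit $?
fi
```

The exit status is the number of failed checks, so the script can run from cron or a deployment pipeline; a non-zero result after an apache change means agents would start failing downloads.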
6. Include/place ocsng certificate in agent config
Now that we have a working certificate we need to deploy it to the agents and tell them to use it, so that they can communicate with the OCS server and download things from it.
First get ocsng.pem from your OCS server, either by opening https://fqdn_or_ip_of_ocsserver/ocsreports and exporting the certificate your web browser displays,
or by downloading it directly from the server's /etc/ssl/certs/ folder with WinSCP or a similar tool. Only the certificate goes to the clients; ocsng.key never leaves the server.
The certificate for the Windows agent should be placed in:
C:\ProgramData\OCS Inventory NG\Agent\
By default the certificate file is called cacert.pem.
You can change that in ocsinventory.ini, but I recommend renaming ocsng.pem to cacert.pem and placing it in the directory above. Another thing to remember is to change SSL=0 to SSL=1 in ocsinventory.ini! Without that, agents will keep using HTTP, which is now denied for /download: they will still detect a new package deployment, but every download will fail.
After that, restart the OCS service by running the following as Administrator on the Windows machine:
sc stop "OCS Inventory Service"
and then:
sc start "OCS Inventory Service"
Now the agent should be able to download packages from the OCS server. If you ever replace the server certificate (for example when it expires), the new ocsng.pem has to be redeployed as cacert.pem the same way, or the agents will stop trusting the server.
There is a way to include a couple of things, such as plugins or the certificate, in the OCS agent install package. Just follow this guide to build your own agent installer and deploy it with one click!
As you can see there are quite a few commands to enter before it works as it should, but after all it is not that hard. Depending on your needs you may want to restrict HTTP access to the OCS server entirely, for end users and admins alike, but that is your call. I wouldn't do that unless you can provide a trusted root CA to the client computers; otherwise HTTPS with a self-signed certificate will produce a warning in their web browser every time they access the OCS server.
OCS agents with the proper certificate file in their directory will access the OCS server without any problems.
As always, please leave a comment!