New and updated version for Debian Stretch and OCS Inventory NG server 2.5 can be found here!

Introduction

In the first part we successfully installed and performed the basic configuration of the OCS-NG 2.2RC1 server. It all works well, and we are able to start managing computers and their inventory. As in the first part of the series we are using Debian 8.2 (Jessie). The first part can be found here.

However, we are unable to use the deployment feature, since it requires a valid SSL certificate on both the server and the clients.

Before deploying the agent to the clients, be sure to test it with the SSL certificate installed on the server. If they can talk to each other and the client can successfully access the /download location on the server, you're ready to deploy it on a large scale.

IMPORTANT!

For this example we will use a self-signed certificate for SSL. If you have your own trusted root CA or can request an SSL certificate, I strongly recommend that, since it will be trusted by your OS, so no annoying popups about an untrusted self-signed certificate will be displayed when accessing HTTPS.

In this tutorial we will perform the following steps in order to enable deployment:

  1. Generate valid SSL certificate using openssl
  2. Configure Apache2 to use SSL
  3. Enable SSL on /download folder
  4. Disable HTTP on /download folder
  5. Test access with HTTP and HTTPS to deployment share (/download)
  6. Include/place ocsng certificate in agent config

1. Generate a valid SSL certificate using openssl

First of all we need an SSL certificate. To be able to generate it we need a few things in our Debian environment. Let's start with:

Installation of packages:

apt-get install -y openssl

Then we need to enable the SSL module for Apache:

a2enmod ssl

After this command the SSL site configuration default-ssl.conf should be present as a symbolic link in /etc/apache2/sites-enabled/ (check that it is there; if it is not, enable the site with a2ensite default-ssl).
OK, as we have openssl running we need some certs, don't we? :)
The following command will generate a key for the certificate:

openssl genrsa -des3 -out ocsng.key 2048

Enter a pass phrase for the key and note it down somewhere (or remember it).

Note that we are using a 2048-bit key length because most modern operating systems will refuse keys shorter than that. The IETF recommends using at least 2048 bits (or 3072 or even 4096) since the American agency NSA confirmed that it is able to decrypt 1024-bit keys, so 2048 shouldn't be a problem in the near future.

Back to the guide:
Convert the key to plain RSA format (note that openssl rsa writes the key out without the pass phrase protection, so keep the resulting file readable by root only):

mv ocsng.key ocsng-old.key
openssl rsa -in ocsng-old.key -out ocsng.key

Enter the pass phrase when prompted.
Now we need a certificate request:

openssl req -new -key ocsng.key -out ocsng.csr

Fill in all fields:

  • Country Name (2 letter code)
  • State or Province Name (full name) [Some-State]
  • Locality Name (eg, city)
  • Organization Name (eg, company) [Internet Widgits Pty Ltd]
  • Organizational Unit Name (eg, section)
  • Common Name (e.g. server FQDN or YOUR name)
  • Email Address

No need to provide extra attributes. There is, however, a little trick that can be done: we can provide more than one name in the request (as subject alternative names) to make sure all names are valid, like ocsng.domain.com, ocsng and other DNS names or aliases. There is a very nice guide on how to do that.

Otherwise, simply enter the command below to generate a self-signed certificate in .pem format, valid for 3650 days:

openssl x509 -req -days 3650 -in ocsng.csr -signkey ocsng.key -out ocsng.pem

OK, we now have 4 files in the current folder:

  • ocsng.csr
  • ocsng.key
  • ocsng.pem
  • ocsng-old.key

Copy

  • ocsng.key to /etc/ssl/private/
  • ocsng.pem to /etc/ssl/certs/

by issuing the following commands:

cp ocsng.pem /etc/ssl/certs/
cp ocsng.key /etc/ssl/private/
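As an added example (not from the original post), here is the whole of step 1 as a non-interactive script that also applies the multi-name trick mentioned above: every name the agents may use goes into a subjectAltName extension, so one certificate is valid for the FQDN and the short host name alike. The names ocsng.example.com and ocsng, the country and organisation fields and the output directory are assumed values, not from the page.

```shell
#!/bin/sh
# Added example: step 1 without interactive prompts, plus subjectAltName.
# Assumed values: the host names and the C/O fields below are placeholders.
set -eu

# gen_ocsng_cert <outdir> <primary-name> [extra-name ...]
gen_ocsng_cert() {
    outdir="$1"; shift          # where ocsng.key / ocsng.csr / ocsng.pem land
    primary="$1"; shift         # the CN, e.g. ocsng.example.com
    mkdir -p "$outdir"
    cfg="$outdir/ocsng-san.cnf"

    # Build an OpenSSL request config listing every name as a DNS SAN.
    {
        printf '[req]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n'
        printf '[dn]\nC = PL\nO = Example\nCN = %s\n' "$primary"
        printf '[v3_req]\nsubjectAltName = @alt_names\n[alt_names]\n'
        i=1
        for name in "$primary" "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$cfg"

    # 2048-bit key written unencrypted (same end result as genrsa + openssl rsa).
    openssl genrsa -out "$outdir/ocsng.key" 2048 2>/dev/null
    chmod 600 "$outdir/ocsng.key"
    # CSR carrying the SAN extension from the config file.
    openssl req -new -key "$outdir/ocsng.key" -out "$outdir/ocsng.csr" -config "$cfg"
    # Self-signed for 10 years; the SAN extension is copied into the certificate.
    openssl x509 -req -days 3650 -in "$outdir/ocsng.csr" -signkey "$outdir/ocsng.key" \
        -out "$outdir/ocsng.pem" -extensions v3_req -extfile "$cfg" 2>/dev/null
}

# cert_has_name <cert.pem> <name>: returns 0 when <name> is a DNS SAN of the cert.
cert_has_name() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | grep -qx "DNS:$2"
}
```

Copy the resulting ocsng.key and ocsng.pem to /etc/ssl/private/ and /etc/ssl/certs/ exactly as in the manual steps; cert_has_name is a quick check that the certificate really lists each name the agents will use.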

Now we need to

2. Configure Apache2 to use SSL

This part is easy and enables Apache to use our newly created certificate and key.

Edit file:

nano /etc/apache2/sites-enabled/default-ssl.conf

and change the lines:

SSLCertificateFile
SSLCertificateKeyFile

To:

SSLCertificateFile      /etc/ssl/certs/ocsng.pem
SSLCertificateKeyFile /etc/ssl/private/ocsng.key

Now restart Apache with the command:

service apache2 restart

After issuing the above command, a prompt for the certificate key pass phrase should be displayed. Enter the pass phrase for the key.
It would be nice to avoid this prompt without lowering security. We can do that by storing the pass phrase in a specific executable file somewhere on the disk:

nano /usr/share/apache2/pass

This will open the nano editor. Paste the following two lines:

#!/bin/sh
echo "PASSWORD_FOR_CERT_KEY_GOES_HERE"

Press CTRL+X and Y to save the file, then make it executable:

chmod +x /usr/share/apache2/pass

Since this file holds the pass phrase in clear text, make sure it is owned by root and not readable by other users.
Now, tell Apache to use the above file to obtain the pass phrase:

nano /etc/apache2/sites-enabled/default-ssl.conf

and ADD following:

SSLPassPhraseDialog exec:/usr/share/apache2/pass

This tells Apache to execute /usr/share/apache2/pass on every restart in order to read the pass phrase.

OK, at this point Apache is running ocsreports, which can be accessed with both HTTP and HTTPS. This is fine. If you want, you can disable HTTP access entirely, but I prefer to disable HTTP access only for the /download folder. First we need to enable SSL on /download and then restrict non-SSL sessions to it:

3. Enable SSL on /download folder

If we have SSL running, let's use it!
Edit the file:

nano /etc/apache2/sites-enabled/default-ssl.conf

and add the following:

Alias /download /var/lib/ocsinventory-reports/download
  <Directory /var/lib/ocsinventory-reports/download>
     #Options Indexes FollowSymLinks MultiViews
     AllowOverride None
     Order allow,deny
     Allow from all
  </Directory>

4. Disable HTTP on /download folder

Edit the file:

nano /etc/apache2/sites-enabled/ocsinventory-reports.conf

and replace:

Alias /download /var/lib/ocsinventory-reports/download

  <Directory /var/lib/ocsinventory-reports/download>
      Order Allow,Deny
	  Allow from all
	  Require all granted
  </Directory>


with this:

Alias /download /var/lib/ocsinventory-reports/download

  <Directory /var/lib/ocsinventory-reports/download>
      Order Allow,Deny
	  Deny from all
	  Require all granted
  </Directory>


Now restart Apache:

service apache2 restart

OK, after completing the above steps it's time to:

5. Test access with HTTP and HTTPS to deployment share (/download)

Try to access the address with HTTP:

  • http://ocsng-ip-address-or-name/download – you should get a 403 error like:

HTTP access to /download is forbidden

  • Now try to access a file inside the /download folder:

HTTP access to files in /download is forbidden

Now try to access /download with HTTPS:

  • https://ocsng-ip-address-or-name/download – you should get a 403 error like:

HTTPS access to the directory isn't denied, but displaying its index is. That's fine, since listing the contents of /download is meant to be forbidden.

  • Now try to access a particular file in that directory:

HTTPS access to a particular file is allowed, so the client agent will be able to download files!

As you can see in the above example, in this configuration you won't be able to access the /download directory with HTTP at all. Moreover, you won't be able to view a listing of that directory either, even with HTTPS. But if you know the exact name of a file and the path to it, you (or the client agents) will be able to download the files that are meant to be deployed on computers. Since the client agents know that, they will be able to download packages.
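The manual checks of step 5 can be scripted. The following is an added example, not part of the original post: it requests the four URLs with curl, validating the server certificate against the ocsng.pem copied from the server (a self-signed certificate acts as its own CA), and compares the observed status codes with the policy this tutorial sets up. The host name, the file name inside /download and the path to the certificate are placeholders passed as arguments.

```shell
#!/bin/sh
# Added example: automates the step 5 access tests for the /download share.
# Assumes curl is installed; host, file and CA path are caller-supplied placeholders.
set -eu

# status_of <url> <ca-file>: prints only the HTTP status code (000 if no connection).
status_of() {
    curl -s -o /dev/null -w '%{http_code}' --cacert "$2" --max-time 10 "$1" || true
}

# download_policy_ok <http-dir> <http-file> <https-dir> <https-file>
# Returns 0 when the four observed codes match the intended policy:
#   HTTP  /download          -> 403  (plain HTTP denied entirely)
#   HTTP  /download/<file>   -> 403
#   HTTPS /download          -> 403  (no directory listing over HTTPS either)
#   HTTPS /download/<file>   -> 200  (agents can fetch the package files)
download_policy_ok() {
    [ "$1" = 403 ] && [ "$2" = 403 ] && [ "$3" = 403 ] && [ "$4" = 200 ]
}

# check_download_share <host> <file-in-download> <path-to-ocsng.pem>
# Prints the observed codes and exits non-zero if the share is misconfigured.
check_download_share() {
    host="$1"; file="$2"; cafile="$3"
    a=$(status_of "http://$host/download/" "$cafile")
    b=$(status_of "http://$host/download/$file" "$cafile")
    c=$(status_of "https://$host/download/" "$cafile")
    d=$(status_of "https://$host/download/$file" "$cafile")
    echo "http: dir=$a file=$b   https: dir=$c file=$d"
    download_policy_ok "$a" "$b" "$c" "$d"
}

# Usage: check_download_share ocsng.example.com package.zip /etc/ssl/certs/ocsng.pem
```

A 000 for the HTTPS requests usually means curl rejected the certificate, which is exactly what an agent with the wrong cacert.pem would do.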

6. Include/place ocsng certificate in agent config

Now that we have a working certificate, we need to deploy it to the agents and tell them to use it in order to communicate with and download things from the OCS server.

First download ocsng.pem from your OCS server, either by accessing https://fqdn_or_ip_of_ocsserver/ocsreports and saving the certificate displayed in your web browser,

or

by downloading it directly from the server's /etc/ssl/certs/ folder using WinSCP or a similar tool.

The certificate for the Windows agent should be placed in:

C:\ProgramData\OCS Inventory NG\Agent\

By default, the certificate file is called cacert.pem.

You can change that in the ocsinventory.ini file, but I recommend renaming ocsng.pem to cacert.pem and placing it in the above directory. After that, restart the OCS service by running the following command as Administrator on your Windows machine:

sc stop "OCS Inventory Service"

and then:

sc start "OCS Inventory Service"

Now the agent should be able to download packages from the OCS server.

Another thing to remember is to change SSL=0 to SSL=1 in ocsinventory.ini! Without that, agents will continue to use HTTP, which is denied from now on. They will be able to detect new package deployments, but any download will fail.

There is a way to include a couple of things, such as plugins or the certificate, in the OCS agent install package. Just follow this guide to build your own agent installer and deploy it with one click!

Conclusion

As you can see, there are quite a few commands to enter before it works as it should, but after all it's not that hard. Depending on your needs you may want to restrict HTTP access to the OCS server entirely for end users and admins, but that is your call. I wouldn't do that unless you can provide a trusted root CA to them (the client computers). Otherwise, using HTTPS with a self-signed certificate will generate a warning in their web browser each time they access the OCS server.

OCS Agents with proper SSL certificate file in their directory will access OCS server without any problems.

As always, please leave a comment!