Howtos:Install OCS on debian

From OCS Inventory NG
Jump to: navigation, search

Install and configure OCS Inventory NG 2.0 on Debian Squeeze


  • A Debian Squeeze server just installed
  • Need of OCS Inventory NG server for inventory, deployment and network scans


make and build-essential MUST be installed.

Install and configure database server

   aptitude install mysql

In /etc/mysql/my.cnf

   max_allowed_packet    = 32M

Install web server

   aptitude install apache2 php5 php5-mysql php5-gd

Install mod_perl

   aptitude install libapache2-mod-perl2

Install perl modules needed

To begin, modules packaged by Debian

   apt-get install libxml-simple-perl libcompress-zlib-perl libdbi-perl libdbd-mysql-perl \
   libapache-dbi-perl libnet-ip-perl libsoap-lite-perl

Then, modules not packaged We update CPAN

   perl -MCPAN -e shell
   install CPAN
   reload CPAN

Then , we install modules





Optionnal modules packaged (see README for more informations)


Optionnal modules not packaged (see README for more informations)


For ipdiscover and snmp, install these modules

   aptitude install nmap snmp

Install OCS Inventory NG 2.0 server

Download the last version of server on and copy in


We uncompress the tarball

   tar -zxvf OCSNG_UNIX_SERVER-x.x.x.tar.gz

Launch presents in install directory of OCSNG_UNIX_SERVER-x.x.x and follow the procedure (presents in OCS wiki)

Create a user ocs with GRANT rights in mysql. Next, we could limit it rights on database ocsweb.

For a best security, create a user different of ocs at the end of installation which is the default account,.

    mysql> GRANT ALL PRIVILEGES ON *.* TO 'ocs'@'localhost' IDENTIFIED BY 'ocs' WITH GRANT OPTION;

Connect to administration console


Define different fields (login/password/database name/server) In our case :

   ocs / ocs / ocsweb / localhost

Validate and wait the end of script execution.

Console is now accessible

Delete install.php file in ocsreports directory, create a new account with a profile Super Administrator, and delete the default account (admin)

Configure HTTPS on web server

If you want to use deployment feature, you HAVE to activate SSL on web server, and configure it correctly. First, you have to generate a SSL certificate. After that, you will rename it in cacert.pem and place it on earch agents directory.

Create SSL certificate

Create public and private SSL keys

   openssl genrsa -des3 -out nunux.key 1024

If the command is interpreted, a passphrase is asked

   Generating RSA private key, 1024 bit long modulus
   e is 65537 (0x10001)
   Enter pass phrase for nunux.key: salut
   Verifying -
   Enter pass phrase for nunux.key:salut

Fix the configuration

Record the passphase in the file to do not have to set it on earch boot

   mv nunux.key nunux-old.key
   openssl rsa -in nunux-old.key -out nunux.key

If command is interpreted correctly, the passphrase is asked

   Enter pass phrase for ardonroyan-old.key: salut
   writing RSA key

Create the certificate

   openssl req -new -key nunux.key -out nunux.csr

You have to answer to questions


You have to specify the hostname server or ip address server if DNS server used. SSL control is based on this value. If SSL control is activated on agents (mandatory on unix unified agent, not on Windows with command line option /SSL=0/1), server will compare CN certificate present in cacert.pem on agent with web server hostname or ip address.

       You are about to be asked to enter information that will be incorporated
       into your certificate request.
       What you are about to enter is what is called a Distinguished Name or a DN.
       There are quite a few fields but you can leave some blank
       For some fields there will be a default value,
       If you enter '.', the field will be left blank.
       Country Name (2 letter code) [AU]:FR
       State or Province Name (full name) [Some-State]:Region
       Locality Name (eg, city) :Ville
       Organization Name (eg, company) [Internet Widgits Pty Ltd]:Entreprise
       Organizational Unit Name (eg, section) :Service
       Email Address
       Please enter the following 'extra' attributes
       to be sent with your certificate request
       A challenge password :  <<<<------- vous n'êtes pas obligé de spécifier un mot de passe (ENTREE pour continuer)
       An optional company name :

Self-sign the certificate

    openssl x509 -req -days 3650 -in nunux.csr -signkey nunux.key -out nunux.crt

If command is correctly interpreted, this message display

   Signature ok
   subject=/C=FR/ST=Region/L=Ville/O=Entreprise/CN=hostname.domaine.local     /
   Getting Private key

Set up the certificate

Place these 2 files in certificates directory

   cp nunux.crt /etc/ssl/certs/
   cp nunux.key /etc/ssl/private/

Activate SSL

We verify that default-ssl config is correct.

In /etc/apache2/sites-available/default-ssl we haveto check thse lines

   SSLCertificateFile    /etc/ssl/certs/nunux.crt
   SSLCertificateKeyFile /etc/ssl/private/nunux.key

We can now activate SSL, but we wait to define SSL VirtualHost before (paragraph 9).

Configure php to deploy packages

To deploy OCS packages or simply deploy the OCS agent with the Packager, upload of big files must be available. By default, php can't permit the upload of files bigger than 4 MB.

Modification of the configuration of PHP

Edit php.ini file

    max_execution_time = 180
    max_input_time = 180
    memory_limit = 256M
    upload_max_filesize = 300M   
    post_max_size = 300M

Save the modifications.

Configure OCS server to deploy packages

The configuration is made in 2 times.

Forbid http on download

By default, /download is located in /var/lib/ocsinventory-reports

Now we forbid http access to /download Edit ocsinventory-reports.conf file and declare /download aliase.

# Deployment packages download area
# Alias to put Deployement package files outside Apache document root directory
Alias /download "/var/lib/ocsinventory-reports/download"
    <Directory "/var/lib/ocsinventory-reports/download">
        deny from all

Allow https on download

Edit /etc/apache2/sites-available/default-ssl to permit https access to /var/lib/ocsinventory-reports/download.

 Alias /download /var/lib/ocsinventory-reports/download
    <Directory /var/lib/ocsinventory-reports/download>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all

Now activate SSL configuration.

   a2ensite default-ssl

At least, restart apache.

   /etc/init.d/apache2 restart

The result can be tested with browser.

http://serveur/download > Forbidden

https://serveur/download > OK

Follow this documentation : Secure your OCS server to secure your OCS server.