OldDocumentation:Teledeploy/de

From OCS Inventory NG

Deploying packages or executing commands on client hosts.

OCS Inventory NG includes a package deployment feature for client computers. From the central management server, you upload packages which are then downloaded through HTTP/HTTPS and launched by the agent on the client computer.


Note: This feature has been tested with the OCS Inventory NG Agent for Windows running as a service only. As software installation requires Administrator privileges, an agent launched through a login script or a Start menu shortcut under the user account may not be able to launch the software installation. Also, the background download of a package may take a long time and may block the login script. So, we do not recommend using the package deployment feature with login script inventory.


How does it work?

A package has 4 main components:

  • a priority,
  • an action,
  • optionally a ZIP or TAR.GZ file containing as many files and directories as you want,
  • and optionally a command to launch.

There are 11 levels of priority, level 0 to 10. Level 0 is the highest priority and level 10 the lowest. A package of priority level 0 will be deployed before a package of priority 1, a package of priority level 1 before a package of priority 2, and so on.


The action is associated with the file to deploy and the command to launch. This triplet may be one of the following:


  • Action Launch: deploy a ZIP or TAR.GZ file and launch, with or without parameters, an executable file included in the ZIP or TAR.GZ file. The ZIP or TAR.GZ file will be uncompressed into a temporary directory, and the associated command (name of the executable file without path!) will be launched in this temporary directory. This action allows retrieving the result code of the launched command.
  • Action Execute: deploy a ZIP or TAR.GZ file (optional), and launch, with or without parameters, an executable file which may or may not be included in the ZIP or TAR.GZ file. If the executable is not included in the ZIP or TAR.GZ file, it must be part of software already installed on the client computer. Typically, it may be a standard Windows command such as a Windows Installer call, or an RPM, DPKG or TAR.GZ command on Linux. The ZIP or TAR.GZ file will be uncompressed into a temporary directory, and the associated command (name of the executable file with path or parameters if needed) will be launched in this temporary directory. This action does not allow retrieving the result code of the launched command. However, this action allows you to run a command on client computers without deploying any file. For example, you can use it to run a specific operating system configuration command.
  • Action Store: deploy a ZIP or TAR.GZ file and only store its content in a folder on the client computer. There is no command associated with this action, only a path specifying where to store the extracted files.


Note: All packages you want to deploy must be compressed with ZIP for Windows agents and tar-gzipped for Linux computers.

If you want to build your own installer, you may want to look at NullSoft Installer System (http://nsis.sourceforge.net) or Inno Setup (http://www.jrsoftware.org). These tools are GPL installers for Windows able to create a single-file self-extracting installer.


For example, this feature allows you to create a ZIP package including the Media Player Classic executable, a subdirectory including some MP3 files and a play list for Media Player Classic referencing these MP3s in the subdirectory. The associated command will be a call to Media Player Classic with the command line switch to launch the play list. Once this package has been downloaded on Windows clients, users will have Media Player Classic launched and playing the MP3s from the play list. Beautiful, isn’t it ;-)


You create your deployment package through the Administration console. It is automatically described by:

  • A reference in the database, used by the Communication server to ask the agent to download the package.
  • An information file, named “info”. It is an XML file describing the package and the action the agent will have to launch.
  • 0 or more data fragment files. The file you upload (if there is one) will be split into small parts to allow agents to download it part by part, and then easily resume a failed download. If the download of a fragment fails, only this fragment will be downloaded again, not the whole package. You will be able to choose the fragment size according to your network capabilities.
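The fragment mechanism worked through as an added example (written for this page, not the OCS agent's or console's own code): the server side splits the upload into fragments, the agent side re-fetches only a failing fragment, rebuilds the file and refuses to run it unless the digest matches. Fragments are fetched over plain HTTP, so the digest, assumed here to be read from the HTTPS-protected information file, is what vouches for them; the SHA-256 algorithm, the FakeServer and the sample payload are constructed assumptions, while the status names SUCCESS, ERR_BUILD and ERR_BAD_DIGEST are the ones OCS reports.

```python
import hashlib


def digest(data: bytes) -> str:
    """Digest over the rebuilt package. SHA-256 is an assumption for this
    example; the documentation only says a digest is checked."""
    return hashlib.sha256(data).hexdigest()


def split_into_fragments(data: bytes, frag_size: int) -> list:
    """Server side: cut the uploaded file into frag_size byte pieces."""
    if frag_size <= 0:
        raise ValueError("fragment size must be positive")
    return [data[i:i + frag_size] for i in range(0, len(data), frag_size)]


def download_and_rebuild(n_fragments, expected_digest, fetch, max_retries=3):
    """Agent side: fetch every fragment, retrying only the ones that fail,
    then rebuild the package and verify its digest before anything is run.

    fetch(index) returns the fragment bytes or raises IOError.
    Returns (status, data) with the OCS status names."""
    parts = [None] * n_fragments
    for i in range(n_fragments):
        for _ in range(max_retries + 1):
            try:
                parts[i] = fetch(i)          # only this fragment is retried
                break
            except IOError:
                continue
        if parts[i] is None:
            return "ERR_BUILD", None         # a fragment never arrived
    rebuilt = b"".join(parts)
    if digest(rebuilt) != expected_digest:
        return "ERR_BAD_DIGEST", None        # corrupted or tampered: do not execute
    return "SUCCESS", rebuilt


class FakeServer:
    """Constructed stand-in for the HTTP fragment server: fails the first
    fetch of some fragments and serves altered bytes for others."""

    def __init__(self, fragments, fail_once=(), tamper=()):
        self.fragments = list(fragments)
        self.fail_once = set(fail_once)
        self.tamper = set(tamper)
        self.calls = {}                      # fragment index -> fetch count

    def fetch(self, i):
        self.calls[i] = self.calls.get(i, 0) + 1
        if i in self.fail_once:
            self.fail_once.discard(i)
            raise IOError("timeout on fragment %d" % i)
        if i in self.tamper:
            return b"X" * len(self.fragments[i])
        return self.fragments[i]


def always_fail(i):
    """Constructed unreachable server: every fetch fails."""
    raise IOError("fragment %d unreachable" % i)


def demo():
    """Constructed run: 141 byte payload, 40 byte fragments (4 fragments)."""
    package = b"OcsAgentSetup.exe payload (constructed sample) " * 3
    frags = split_into_fragments(package, 40)
    expected = digest(package)

    flaky = FakeServer(frags, fail_once={1})
    status_ok, data = download_and_rebuild(len(frags), expected, flaky.fetch)

    tampered = FakeServer(frags, tamper={0})
    status_bad, _ = download_and_rebuild(len(frags), expected, tampered.fetch)

    status_dead, _ = download_and_rebuild(len(frags), expected, always_fail)
    return status_ok, data == package, dict(flaky.calls), status_bad, status_dead


if __name__ == "__main__":
    print(demo())
```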


Note: as you will upload your package through the Administration console, you may have to configure PHP and Apache to allow uploading large files. See § 11.2.4 Upload size for package deployment to learn how to configure this.

Once the package is built, you must activate it. Activation indicates where the SSL enabled web server (e.g. the Deployment server) is located, from which the agent will be able to download the information file and fragment files.


Finally, you must select on which computers you will deploy the package.


From now on, the agent is able to deploy the package.


When the agent sends an inventory to the Communication server, the Communication server tells the agent whether it has one or more packages to deploy, with the priority level of each package, and where it can find the information files.


The agent then begins a download period. A period is composed of cycles, the number of which is defined by the configuration option “DOWNLOAD_PERIOD_LENGTH”. By default, a period contains 10 cycles.


At each cycle, it computes “cycle number modulo package priority”. If it equals 0, it downloads the package fragment files. After each fragment, it waits “DOWNLOAD_FRAG_LATENCY” (configuration option set to 10 seconds by default) before downloading the next fragment.


When all fragments of a package are downloaded, it launches the package command and waits “DOWNLOAD_CYCLE_LATENCY” (configuration option set to 60 seconds by default) before beginning a new cycle and incrementing the cycle number.


When all cycles of a period have been processed, it waits “DOWNLOAD_PERIOD_LATENCY” (configuration option set to 0 seconds by default).


If all packages have been successfully downloaded and installed, it stops. If not, it begins a new period of cycles.


CAUTION: Priority level 0 is a special level. All packages with priority 0 will be downloaded before all other packages of greater priority at the beginning of each cycle. If the download fails, the agent retries downloading the failed priority 0 packages without checking the other packages, so it can completely stop deployments. USE PRIORITY LEVEL 0 WITH CARE!

You may use these settings to customize your network bandwidth usage. By increasing the latency options, you increase the time needed to download fragments and reduce the average network use.


By increasing the period length option, you delay the re-download of failed fragments; conversely, by decreasing the period length to a value lower than 10, you stop the download of packages with a priority level higher than this value.
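The scheduling rules above, worked through as an added simulation (written for this page, not the agent's own code): it applies the “cycle number modulo priority” rule, the priority 0 pre-emption and the three latency options, and shows why a period shorter than 10 cycles silently drops higher priority levels. Cycle numbers are assumed to start at 1 and a failed download is assumed to cost one fragment latency; package names and failure points are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Package:
    name: str
    priority: int                  # 0 is highest (and special), 10 is lowest
    fragments: int                 # number of fragment files to download
    # Constructed failure injection: (period, cycle) pairs in which the
    # download of this package fails. Real failures come from the network.
    fail_at: set = field(default_factory=set)
    done: bool = False


@dataclass
class Settings:
    period_length: int = 10        # DOWNLOAD_PERIOD_LENGTH (cycles per period)
    frag_latency: int = 10         # DOWNLOAD_FRAG_LATENCY (seconds per fragment)
    cycle_latency: int = 60        # DOWNLOAD_CYCLE_LATENCY (seconds per cycle)
    period_latency: int = 0        # DOWNLOAD_PERIOD_LATENCY (seconds per period)


def never_scheduled(packages, settings):
    """Packages whose priority never divides a cycle number in 1..period_length,
    i.e. the packages a short period silently stops deploying."""
    return [p.name for p in packages if p.priority > settings.period_length]


def attempt(pkg, period, cycle, settings, events):
    """Download one package; returns the seconds spent on fragment latency."""
    if (period, cycle) in pkg.fail_at:
        events.append((period, cycle, pkg.name, "FAILED"))
        return settings.frag_latency            # assumed: one fragment fetch failed
    pkg.done = True
    events.append((period, cycle, pkg.name, "OK"))
    return pkg.fragments * settings.frag_latency


def simulate(packages, settings, max_periods=3):
    """Run periods of cycles until every package is done or max_periods pass.

    Returns the download events and the total latency the agent would wait
    (fragment + cycle + period latencies), without actually sleeping."""
    events, waited = [], 0
    for period in range(1, max_periods + 1):
        for cycle in range(1, settings.period_length + 1):
            pending = [p for p in packages if not p.done]
            if not pending:
                return events, waited
            # Priority 0 goes first; if any of them fails, the agent retries
            # them next cycle without looking at the other packages.
            blocked = False
            for p in (q for q in pending if q.priority == 0):
                waited += attempt(p, period, cycle, settings, events)
                blocked = blocked or not p.done
            if not blocked:
                for p in pending:
                    if p.priority > 0 and cycle % p.priority == 0:
                        waited += attempt(p, period, cycle, settings, events)
            waited += settings.cycle_latency
        waited += settings.period_latency
    return events, waited


def demo():
    """Constructed scenario: a priority 0 package fails once and blocks cycle 1."""
    pkgs = [
        Package("agent-update", priority=0, fragments=2, fail_at={(1, 1)}),
        Package("office-patch", priority=2, fragments=3),
        Package("wallpaper", priority=3, fragments=4),
    ]
    events, waited = simulate(pkgs, Settings())
    # With a 5-cycle period, a priority 7 package is never downloaded.
    skipped = never_scheduled([Package("printer-driver", 7, 1)],
                              Settings(period_length=5))
    return events, waited, skipped


if __name__ == "__main__":
    for ev in demo()[0]:
        print("period %d cycle %d: %-13s %s" % ev)
```

With the default settings the constructed run finishes in period 1 after three cycles and 280 seconds of latency; the priority 0 failure costs the whole first cycle for every other package.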

Requirements

The Deployment server storing the information files must have SSL enabled, as downloading the deployment information file is very critical. This information file contains the description of the package and the command to launch. So, if somebody can impersonate your Deployment server, he may launch any command he wants on your computers. That’s why the Deployment server must use SSL to allow agents to authenticate the server and ensure it is the real Deployment server.


The agent must have a certificate to validate the Deployment server’s authentication. This certificate must be stored in a file named “cacert.pem” in the OCS Inventory NG agent’s folder under Windows, and in the directory “/etc/ocsinventory-client” under Linux.


Under Windows, you can use OCS Inventory NG Packager (see Uploading Agent for deployment through launcher “OcsLogon.exe”) to create an agent installer which includes the certificate, or you can use the following sample login script to copy the certificate file into the agent’s folder (we assume that the agent is installed under “C:\Program Files\OCS Inventory Agent” and the certificate file is available on a share “MYSHARE” on server “MYSERVER”).

@echo off
REM Check whether the CA certificate file already exists
if exist "C:\Program Files\OCS Inventory Agent\cacert.pem" goto CA_END

REM CA certificate file does not exist, install it from the share
copy \\MYSERVER\MYSHARE\cacert.pem "C:\Program Files\OCS Inventory Agent\cacert.pem"

:CA_END

If you have a Public Key Infrastructure, you must create a valid server certificate for your Deployment server and copy your Authority certificate into the file “cacert.pem”.


If you do not have a Public Key Infrastructure, you can use a self signed certificate for your Deployment server, and copy the server certificate into the file “cacert.pem”.


Refer to § 8.8 Using SSL certificates in Package deployment for more information.

Creating packages.

First of all, you must build your package.


Point your mouse on the “Deployment” menu and select “Build”.




Enter a name for your package.


Select the operating system for this package. You can choose between Windows and Linux.


Select the download protocol for this package. At this time, only the HTTP protocol is available.


Select the priority of this package. You can choose level 0 to 10. A package with a lower priority level will be downloaded before a package of a greater level, except if the download fails (see § 8.7 Deployment statistics and success validation).


You may also choose to warn the user that something is being launched on his computer. Set the “Warn user” dropdown list to “YES”, fill in the text to display to the user, how long to display the text before automatically validating the package installation (set 0 to wait indefinitely), and whether the user can cancel the deployment or delay it to the next inventory.


You may also specify that the package deployment needs user interaction by setting the dropdown list “Installation completion need user action” to “YES”, for example if the setup needs the user to fill in information on a dialog to terminate.


Last, select your action in the “Action” dropdown list. Here are some samples describing what kind of package you can build.


Deploying package through “Launch” command.

The package you want to deploy has one or more files, with at least an executable file for launching the package setup. Compress these files using a ZIP tool if the package addresses Windows computers, or using tar and gzip if it addresses Linux computers.


Choose action “Launch” and click the “Browse” button to select your ZIP or TAR.GZ file.


In the “Command” field, fill in the name of the executable file without path, but optionally with parameters. This command will be launched on the client computer once the package has been downloaded and uncompressed to a temporary directory.


In the following example, we deploy a new release of OCS Inventory NG Agent for Windows, using silent installation, specifying the Communication server address my_ocs_com_srv, disabling use of IE proxy settings and enabling debugging mode. So, the ZIP file only includes the file “OcsAgentSetup.exe” and the “File name” field contains:


  • OcsAgentSetup.exe /S /SERVER:my_ocs_com_srv /NP /DEBUG



Click the “Send” button to upload the package to the Administration console.


Next, you must specify the size of each fragment of the package to allow the agent to download the package in small parts. This allows download resuming: if the download of a fragment fails, only this fragment will be downloaded again, not the whole package. So choose the fragment size according to your network capabilities.


The Administration console will then split the package into fragments and store them in a folder named after the package timestamp, in the “download” directory of the Apache web server root directory. It will also create in the same directory the package information file named “info”, an XML file describing the package and the action the agent will have to launch.




Deploying package through “Execute” command.

The package you want to deploy has one or more files, optionally with an executable file for launching the package setup. Compress these files using a ZIP tool if the package addresses Windows computers, or using tar and gzip if it addresses Linux computers.


Choose action “Execute” and click the “Browse” button to select your ZIP or TAR.GZ file.


In the “Command” field, fill in the path of the executable file to launch, with parameters (the full path is not required if the executable is on the system search path or is included in the package). This command will be launched on the client computer once the package has been downloaded.


Note: Environment variables are expanded in “Command”. This enables you to use things such as %SystemDrive%, %SystemRoot%, %windir%, %ProgramFiles%, %CommonProgramFiles%, etc.

In the following example, we deploy software using a silent Windows Installer installation. So, the ZIP file only includes the file “software.msi” and the “Command” field contains:


  • msiexec.exe /i software.msi /quiet



Click the “Send” button to upload the package to the Administration console.


Next, you must specify the size of each fragment of the package to allow the agent to download the package in small parts. This allows download resuming: if the download of a fragment fails, only this fragment will be downloaded again, not the whole package. So choose the fragment size according to your network capabilities.


The Administration console will then split the package into fragments and store them in a folder named after the package timestamp, in the “download” directory of the Apache web server root directory. It will also create in the same directory the package information file named “info”, an XML file describing the package and the action the agent will have to launch.




Command through “Execute” command.

The package you want to deploy is only a command launch.


Choose action “Execute” and leave the “File” field empty.


In the “Command” field, fill in the name of the command, optionally with parameters. This command will be launched on the client computer once the package has been downloaded.


Note: Environment variables are expanded in “Command”. This enables you to use things such as %SystemDrive%, %SystemRoot%, %windir%, %ProgramFiles%, %CommonProgramFiles%, etc.

In the following example, we deploy a command to specify the proxy address to use for system applications under Windows. So the “Command” field contains:

  • Proxycfg.exe /p 192.168.1.1



Click the “Send” button to upload the package to the Administration console.


As you have not selected a file to upload, the screen to configure the fragment size is not displayed. The Administration console will only create, in a folder named after the package timestamp in the “download” directory of the Apache web server root directory, the package information file named “info”, an XML file describing the package and the action the agent will have to launch.


Stored package through “Store” command.

The package you want to deploy has one or more files, to be stored in a specific folder on client computers. Compress these files using a ZIP tool if the package addresses Windows computers, or using tar and gzip if it addresses Linux computers.


Choose action “Store” and click the “Browse” button to select your ZIP or TAR.GZ file.


In the “Path” field, fill in the path where the agent will store the extracted files once the package has been downloaded.


Note: Environment variables are expanded in “Command”. This enables you to use things such as %SystemDrive%, %SystemRoot%, %windir%, %ProgramFiles%, %CommonProgramFiles%, etc.

Also, if the provided folder path does not exist, it will be created recursively.


In the following example, we deploy a file to store in the folder “C:\My Folder”:




Click the “Send” button to upload the package to the Administration console.


Next, you must specify the size of each fragment of the package to allow the agent to download the package in small parts. This allows download resuming: if the download of a fragment fails, only this fragment will be downloaded again, not the whole package. So choose the fragment size according to your network capabilities.


The Administration console will then split the package into fragments and store them in a folder named after the package timestamp, in the “download” directory of the Apache web server root directory. It will also create in the same directory the package information file named “info”, an XML file describing the package and the action the agent will have to launch.



Activating package

Once the package has been created, you must specify where the agent can download it.


The agent will first download the package information file. As this file is very critical, this download must be done using HTTP over SSL (HTTPS) to ensure that the agent can authenticate the Deployment server. Next, the download of the package fragments described in the information file will be done using standard HTTP.


Note: If you do not want to use the Administration server as Deployment server, you must first copy the folder “download/package_timestamp” from the Administration server’s Apache document root directory to the other web server. You may want to use a directory synchronization utility like rsync (http://samba.anu.edu.au/rsync) to automate this task; otherwise, you will have to do it manually.

You may also choose to host the information file on a different web server than the one which hosts the fragment files. For example, if you have multiple geographical sites with only one central Communication server, you may want to host the information files on the Communication server, and the fragment files on a web server on each site. For this, you need to activate one package per site, and for each package the information file will be hosted on the Communication server and the fragment files on the site web server. This will dramatically decrease intersite network bandwidth use.


Point your mouse on the “Deployment” menu and select “Activate”. You will see here all built packages, and also ALL activated packages.


Click the red cross icon to delete the package. This will delete the package reference from the database and also delete the information file and fragment files from the Administration console download directory. So, the deleted package will be unavailable for activation, all activated packages using this package will be deleted, and it will also be unaffected from computers.




Click the “Active” button on the line corresponding to the package you want to activate.


In the “HTTPS url” field, enter the URL for downloading the package information file over HTTPS.

In the “HTTP url” field, enter the URL for downloading the package fragment files over HTTP.


Note: Do not enter localhost as the server address in the URL! Remember that these URLs will be processed by the agents.

If your HTTPS or HTTP deployment server works on non standard ports, you can specify the port using the standard notation “server_address:server_port/folder”. For example, if your deployment server works on HTTP port 8080 and HTTPS port 4343 on server 192.168.1.1, and packages are located in the “/download” directory, you must fill in

https url: 192.168.1.1:4343/download
http url: 192.168.1.1:8080/download

In our case, we have chosen to use the Administration server as Deployment server for both the package information file and the package fragments.


So we have filled in both fields with something like “ocs-admin-srv.domain.tld/download”.




Click the send button. The Administration console will check that both the information file and the package fragment files are available at the specified URLs.


The “Non notified” column shows the number of computers which have not yet been notified that they have the corresponding package to deploy.


The “Success” column shows the number of computers which have successfully deployed the corresponding package.


The “Errors” column shows the number of computers which encountered errors deploying the corresponding package.


The “Stats” icon allows you to view the percentage of computers which are waiting for notification, those which are notified (the server asked them to deploy the package), and those which have finished deploying with a result code (SUCCESS or ERROR).

Affecting packages to computers.

You can affect a package to computers one by one, by displaying the computer properties, selecting the “Customization” icon and adding the package. However, this is not the best way if you would like to affect a package to many computers.


The best way is to use the “Search with various criteria” function to search for the computers you want, and to affect the package to all these computers at once.


In the following example, we will affect the package we have created to all Windows XP computers.


So first, we search for Windows XP computers.




This search returns 59 computers on 4 pages.




Just click “Deploy” to deploy on all computers returned by the search, not only on the visible ones.




Click on the “Affect” icon of the package line to affect this package to all selected computers.


Agents will be notified at their next contact with the Communication server that they have this package to deploy. So, as long as the agent has not contacted the Communication server, the computer appears in the console with status “WAITING NOTIFICATION”. Once the agent has contacted the Communication server, the status will be “NOTIFIED”.


Deactivating packages.

Point your mouse on the “Deployment” menu and select “Activated”. You will see here all packages available for deployment on computers.




The red cross icon will unaffect the package from ALL computers and deactivate the package. The package is still referenced in the database, and the information and fragment files are still available in the Administration server download directory. It has the same status as if you had just built it, and can be activated again.


Deployment statistics and success validation.

As a package may have been activated and then deactivated, deployment statistics are in the “Activate” menu.


You can show deployment statistics by clicking the “Stats” icon for a package.


Once you have affected the package to at least one computer, you will have graphical stats showing the deployment notification status.




The following status messages are possible:

Status code            Meaning
WAITING NOTIFICATION   The server is waiting for the agent to contact it, in order to notify the agent of a download that is ready.
NOTIFIED               The agent has been notified of the pending download. The server now waits for the result code.
SUCCESS [code]         The agent has successfully downloaded the package and is executing the command or storing the extracted data. With the “Launch” action, this status may be completed with the command execution return code.
ERR_ALREADY_SETUP      The package has already been successfully installed on this computer.
ERR_BAD_ID             The agent is unable to download the package because it cannot find the package ID on the Deployment server.
ERR_BAD_DIGEST         The downloaded data has a bad digest, so the agent does not execute the associated command.
ERR_DOWNLOAD_PACK      The agent was unable to unpack the downloaded ZIP or TAR.GZ file.
ERR_BUILD              The agent was unable to rebuild the package from its fragments.
ERR_EXECUTE            The agent was unable to execute the associated package command.
ERR_CLEAN              The agent was unable to clean up the downloaded package.
ERR_TIMEOUT            The agent was unable to download the package within DOWNLOAD_TIMEOUT days.
ERR_ABORTED            The user canceled the package command execution (you chose to notify him, and allowed him to cancel).
ERR_EXECUTE_PACK       (Not used)

“Validate Success” will clear the statistics of computers which have successfully deployed the package.


“Unaffect not notified” will unaffect the package from computers which have not contacted the server since you affected the package to them. The package will not be deleted; only computers which have not yet received the order to deploy this package will have this order cancelled.


“Validate all” will clear all statistics and unaffect the package from non notified computers. It is the same as “Validate Success” + “Unaffect not notified”.


Note: You MUST validate the deployment status once the deployment has ended, to clear the deployment status of the computers from the database. Otherwise, the database will grow and slow down!

You can click on the number of each status line to display the computers having this deployment status.

Using SSL certificates in package deployment

The package deployment infrastructure is very powerful, so it requires SSL access to validate the server before trying to download anything from it. So you need SSL certificates for use with your Deployment server.


Certificate definition from http://en.wikipedia.org/wiki/Public_key_certificate


“In cryptography, a public key certificate (or identity certificate) is a certificate which uses a digital signature to bind together a public key with an identity — information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual.

In a typical public key infrastructure (PKI) scheme, the signature will be of a certificate authority (CA). In a web of trust scheme, the signature is of either the user (a self-signed certificate) or other users ("endorsements"). In either case, the signatures on a certificate are attestations by the certificate signer that the identity information and the public key belong together.”


You can use a quick, easy but limited way, a self signed certificate, or a more secure and reliable tool, a PKI with a Certificate Authority.


The Apache web server comes with the OpenSSL cryptographic library, which allows creating and managing certificates.


Using self signed certificates

Note: Take care about the certificate validity period, as the web server’s self signed certificate must be installed on each client computer running the agent. When the certificate expires, you will have to generate and deploy a new certificate on each client computer!


With OCS Inventory NG Server for Linux

Usually, Apache or Mod_SSL packages are delivered with sample scripts for generating certificates, especially test certificates.

However, we provide a sample OpenSSL script to generate a self signed certificate for use with Apache:

#!/bin/sh
#
# First, generate the Apache server private key.
#
# Generate a 1024 bit RSA key and store it in the PEM file
# server.key, without password protection, using the system
# default openssl configuration file.
# (Note: 1024 bit RSA is considered too weak by current
# standards; 2048 bits or more is recommended today.)
#
echo
echo Generating Apache server private key...
echo
openssl genrsa -out server.key 1024

#
# Next, create the self signed Apache server certificate with
# the Apache server key.
#
# Write the X.509 certificate in PEM format to server.crt, using
# the private key in server.key and the system default openssl
# configuration file.
#
# The produced certificate will be valid for 1825 days (about 5 years).
#
echo
echo Generating Apache server self signed certificate...
echo
openssl req -outform PEM -new -key server.key -x509 -days 1825 -out server.crt
Figure 8: sample apache_generate_cert.sh script


This script generates an RSA private key in the file “server.key” and an X.509 self signed certificate in the file “server.crt”.


First, run this script with the command:

  • sh apache_generate_cert.sh

It will generate the private key and prompt you for the certificate properties:

  • Country code, usually required
  • State or province name, usually required
  • City, usually required
  • Organization or company name, usually required
  • Organizational Unit name, usually optional
  • Common name (this is the DNS name or IP address of the server), required
  • An email address, usually optional



In our example, we have generated and self signed the certificate for our server name “ocs.domain.tld”.

Next, you just have to copy the server certificate file “server.crt” and the server private key file “server.key” into the appropriate directories and update the Apache/Mod_SSL configuration files to use these files.

Here is a sample and minimalist Apache/Mod_SSL configuration for using SSL under CentOS/Fedora/RedHat Linux. (The server certificate is stored in the “/etc/httpd/conf/ssl.crt” directory and the server key in the “/etc/httpd/conf/ssl.key” directory.)


Note: Generally, an Apache/Mod_SSL configuration is provided for your system. So, do not use the following configuration if your system already has a configuration file for Mod_SSL!

#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailed information about these
# directives see <URL:http://httpd.apache.org/docs-2.0/mod/mod_ssl.html>
#
# For the moment, see <URL:http://www.modssl.org/docs/> for this info. 
# The documents are still being prepared from material donated by the
# modssl project.
# 
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned. 
#
LoadModule ssl_module modules/mod_ssl.so

# Until documentation is completed, please check http://www.modssl.org/
# for additional config examples and module documentation. Directives
# and features of mod_ssl are largely unchanged from the mod_ssl project
# for Apache 1.3.

#
# When we also provide SSL we have to listen to the 
# standard HTTP port (see above) and to the HTTPS port
#
# To allow connections to IPv6 addresses add "Listen [::]:443"
#
Listen 0.0.0.0:443

#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>
# Use separate log files:
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
# Note: this legacy list still permits SSLv2, export-grade and LOW
# ciphers; a current deployment should restrict it to modern ciphers.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A test
# certificate can be generated with `make certificate' under
# built time. Keep in mind that if you've both a RSA and a DSA
# certificate you can configure both in parallel (to also allow
# the use of DSA ciphers, etc.)
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

# SSL Engine Options:
# StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
SSLOptions +StdEnvVars

# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost> 
Figure 9: Sample Apache/mod_ssl configuration file


Once you have configured your Apache web server, do not forget to restart the Apache daemon so the changes take effect.

Finally, install the server certificate file “server.crt” on each client computer in the OCS Inventory Agent installation directory under the name “cacert.pem”. Because the certificate is self-signed, the agent trusts exactly this certificate and nothing else: whenever you regenerate or renew it, you have to redistribute the new “cacert.pem” to every agent.

With OCS Inventory NG Server for Windows.

The XAMPP Apache distribution comes with a script “makecert.bat” for generating self-signed certificates. This script is located in the “INSTALL_PATH\xampp\apache” directory (where INSTALL_PATH is the installation folder of OCS Inventory NG Server).

@echo off
set OPENSSL_CONF=./bin/openssl.cnf

if not exist .\conf\ssl.crt mkdir .\conf\ssl.crt
if not exist .\conf\ssl.key mkdir .\conf\ssl.key

bin\openssl req -new -out server.csr
bin\openssl rsa -in privkey.pem -out server.key
bin\openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365

set OPENSSL_CONF=
del .rnd
del privkey.pem
del server.csr

move /y server.crt .\conf\ssl.crt
move /y server.key .\conf\ssl.key

echo.
echo -----
echo Das Zertifikat wurde erstellt.
echo The certificate was provided.
echo.
pause
Figure 10: XAMPP "makecert.bat" default script


This script generates a self-signed certificate valid for 365 days. To lengthen the validity, change the “-days 365” option to the new period in days (1825 days, about 5 years, is a reasonable value). Keep in mind that this certificate is also the trust anchor installed on every agent as “cacert.pem”: when it expires or is regenerated, the agents stop trusting the server until you redistribute the new file, so choose the validity period with that rollout in mind.


Just double-click the script “makecert.bat”. It generates an RSA private key and asks you for a passphrase (at least 4 characters).


Enter the passphrase and confirm it.



Next, you will be prompted for certificate properties:

  • Country code, usually required
  • State or province name, usually required
  • City (locality), usually required
  • Organisation or company name, usually required
  • Organisational Unit name, usually optional
  • Common name (this is the DNS name or IP address of your server), required
  • An email address, usually optional
  • A challenge password (must be empty, just press enter)
  • An optional company name

Finally, you will be prompted for private key password.



The self-signed certificate is now created and installed in the Apache “conf\ssl.crt” and “conf\ssl.key” directories. Restart the Apache2 service for the changes to take effect.


Last, you have to install server certificate file “INSTALL_PATH\xampp\apache\conf\ssl.crt\server.crt” on each client computer into OCS Inventory Agent installation directory, under the name “cacert.pem”.

Using PKI with Certificate Authority.

We assume that you are already using an internal PKI or a commercial one such as Verisign.


However, if you do not have an internal PKI and do not want to pay for certificates, you can use the services of cacert.org (http://www.cacert.org), a free worldwide PKI provider. Using cacert.org requires that you register your email address and DNS domain name before you can request a server certificate. See the cacert.org manuals.


You may take a look at Pablo Iranzo Gómez's excellent article (http://alufis35.uv.es/OCS-Inventory-Package-Deployment.html) for more detailed instructions on using cacert.org certificates in OCS Inventory NG.


PKI with OCS Inventory NG Server for Linux.

Usually, Apache or mod_ssl packages come with sample scripts to generate a certificate request to submit to a PKI provider.


However, we provide below a sample script using OpenSSL for generating a certificate request for use in Apache.

#!/bin/sh
#
# Generate server certificate request
#
# Generate a 2048-bit RSA key (1024-bit keys are no longer accepted by
# most CAs and clients), store the private key without passphrase
# protection (-nodes) in the PEM file server.key, and store the
# certificate request in the PEM file server.csr, using the system
# default OpenSSL configuration file.
#
# The validity period is set by the Certificate Authority when it signs
# the request; "-days" has no effect on a request, so it is not used here.
#
echo
echo Generating server private key and certificate request...
echo
openssl req -newkey rsa:2048 -outform PEM -out server.csr -keyout server.key -keyform PEM -nodes
Figure 11: Sample apache_request_cert.sh script


This script generates an RSA private key in the file “server.key” and a certificate request in the file “server.csr”.


First, launch this script using command:

  • sh apache_request_cert.sh

It generates the private key and prompts you for the certificate request properties:

  • Country code, usually required
  • State or province name, usually required
  • City (locality), usually required
  • Organisation or company name, usually required
  • Organisational Unit name, usually optional
  • Common name (this is the DNS name or IP address of your server), required
  • An email address, required to receive certificate generated by Certificate Authority.
  • An optional challenge password
  • An optional company name


In our sample, we generated a certificate request for our server name “ocs.domain.tld”.


Next, you must transmit your certificate request “server.csr” to your PKI Certificate Authority.


Once you have received your server certificate from the Certificate Authority, copy the server certificate file “server.crt” and the server private key file “server.key” into the appropriate directories and update the Apache/mod_ssl configuration to use them.


You must also retrieve the Certificate Authority root certificate into the file “ca_root.crt” to reference it in the Apache configuration. Note that SSLCACertificateFile only controls verification of client certificates; if your CA issues server certificates through an intermediate CA, the intermediate certificate must also be sent to clients with SSLCertificateChainFile, otherwise the agent cannot build the chain from “server.crt” back to the root it holds in “cacert.pem”.


Here is a minimal sample Apache/mod_ssl configuration for using SSL under CentOS/Fedora/RedHat Linux (the server certificate is stored under “/etc/httpd/conf/ssl.crt” and the server key under “/etc/httpd/conf/ssl.key”).


Note: Apache for Win32 generally comes with a predefined Apache/mod_ssl configuration file. Do not use the following configuration if your system already has a configuration file for mod_ssl!

#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these 
# directives see <URL:http://httpd.apache.org/docs-2.0/mod/mod_ssl.html>
#
# For the moment, see <URL:http://www.modssl.org/docs/> for this info. 
# The documents are still being prepared from material donated by the
# modssl project.
# 
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned. 
#
LoadModule ssl_module modules/mod_ssl.so

# Until documentation is completed, please check http://www.modssl.org/
# for additional config examples and module documentation. Directives
# and features of mod_ssl are largely unchanged from the mod_ssl project
# for Apache 1.3.
#
# When we also provide SSL we have to listen to the 
# standard HTTP port (see above) and to the HTTPS port
#
# To allow connections to IPv6 addresses add "Listen [::]:443"
#
Listen 0.0.0.0:443

#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

# Use separate log files:
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
# The stock sample line here allowed SSLv2, export-grade, LOW and RC4 ciphers;
# the agent only needs one strong suite, so restrict the server to TLS and
# high-strength ciphers:
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4

# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A test
# certificate can be generated with `make certificate' under
# built time. Keep in mind that if you've both a RSA and a DSA
# certificate you can configure both in parallel (to also allow
# the use of DSA ciphers, etc.)
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/httpd/conf/ssl.crt
SSLCACertificateFile /usr/share/ssl/certs/ca_root.crt

# SSL Engine Options:
# StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
SSLOptions +StdEnvVars

# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
Figure 12: Sample Apache/mod_ssl configuration file


Once you have configured your Apache web server, do not forget to restart the Apache daemon so the changes take effect.

Finally, install the Certificate Authority root certificate file “ca_root.crt” on each client computer in the OCS Inventory Agent installation directory under the name “cacert.pem”.

With OCS Inventory NG Server for Windows.

We provide below a sample script using OpenSSL for generating a certificate request for use in XAMPP Apache.

@echo off
REM
REM Generate server certificate request
REM
REM Generate a 2048-bit RSA key (1024-bit keys are no longer accepted by
REM most CAs and clients), store the private key without passphrase
REM protection (-nodes) in the PEM file server.key, and store the
REM certificate request in the PEM file server.csr, using the XAMPP
REM OpenSSL configuration file.
REM
REM The validity period is set by the Certificate Authority when it signs
REM the request; "-days" has no effect on a request, so it is not used here.
REM
echo.
echo Generating server private key and certificate request...
echo.
set OPENSSL_CONF=./bin/openssl.cnf
bin\openssl req -newkey rsa:2048 -outform PEM -out server.csr -keyout server.key -keyform PEM -nodes
Figure 13: Sample certificate request script for Windows (the batch counterpart of apache_request_cert.sh)


This script generates an RSA private key in the file “server.key” and a certificate request in the file “server.csr”.


First, copy this script into the “INSTALL_PATH\xampp\apache” directory (where INSTALL_PATH is the installation folder of OCS Inventory NG) and launch it.


It generates the private key and prompts you for the certificate request properties:

  • Country code, usually required
  • State or province name, usually required
  • City (locality), usually required
  • Organisation or company name, usually required
  • Organisational Unit name, usually optional
  • Common name (this is the DNS name or IP address of your server), required
  • An email address, required to receive certificate generated by Certificate Authority.
  • An optional challenge password
  • An optional company name


In our sample, we generated a certificate request for our server name “ocs.domain.tld”.


Next, you must transmit your certificate request “server.csr” to your PKI Certificate Authority.


Once you have received your server certificate from the Certificate Authority, copy the server certificate file “server.crt” into the directory “INSTALL_PATH\xampp\apache\conf\ssl.crt” and the server private key file “server.key” into the directory “INSTALL_PATH\xampp\apache\conf\ssl.key”.


You must also retrieve the Certificate Authority root certificate (the file “ca_root.crt”) to reference it in the Apache configuration. Store it in the directory “INSTALL_PATH\xampp\apache\conf\ssl.crt” under the name “ca-bundle.crt”.


Update the Apache/mod_ssl configuration by editing the file “INSTALL_PATH\xampp\apache\conf\extra\httpd-ssl.conf” and uncommenting the SSLCACertificateFile line (line 132 in the stock file; remove the # character at the beginning) as follows.

# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath conf/ssl.crt
SSLCACertificateFile conf/ssl.crt/ca-bundle.crt
Figure 14: Sample Apache/mod_ssl configuration file


Once you have configured your Apache web server, do not forget to restart the Apache2 service for the changes to take effect.


Last, you have to install Certificate Authority root certificate file “ca_root.crt” on each client computer into OCS Inventory Agent installation directory, under the name “cacert.pem”.
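The request scripts for Linux and Windows above stop at the CSR, and the self-signed “makecert.bat” flow ends with the server certificate itself becoming “cacert.pem”. The following POSIX shell script is an added example (not part of the OCS Inventory NG documentation or the project's own scripts) that carries the CA flow through to the end: it creates a small internal CA with OpenSSL, issues a certificate for the server name “ocs.domain.tld” used in the samples (with the validity period set where it belongs, at signing time, and a subjectAltName, which modern TLS clients match the host name against), and then runs the same check an agent holding “cacert.pem” performs on the HTTPS connection. It assumes `openssl` 1.1.0 or later is in PATH (for `-verify_hostname`); the directory layout and the function names `make_ca_signed_server` and `agent_trusts_server` are this example's own.

```shell
#!/bin/sh
# Added example, not from the OCS Inventory NG documentation: build an internal
# CA, issue the OCS server certificate, and check it the way an agent holding
# cacert.pem would.  Assumes openssl >= 1.1.0 in PATH; file names and function
# names are this example's own choices.
set -eu

# make_ca_signed_server DIR HOST
# Produces in DIR: ca.key and ca_root.crt (the CA), server.key, server.csr,
# server.crt (signed by the CA) and cacert.pem (what every agent gets).
make_ca_signed_server() {
  pki_dir=$1
  pki_host=$2
  mkdir -p "$pki_dir"

  # 1. CA root: 4096-bit key, self-signed, 10 years. Keep ca.key off the web server.
  openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days 3650 \
    -subj "/CN=Internal OCS CA" \
    -keyout "$pki_dir/ca.key" -out "$pki_dir/ca_root.crt" >/dev/null 2>&1

  # 2. Server key and request: the equivalent of apache_request_cert.sh.
  #    -nodes: no passphrase, so Apache can start unattended.
  openssl req -newkey rsa:2048 -sha256 -nodes \
    -subj "/CN=$pki_host" \
    -keyout "$pki_dir/server.key" -out "$pki_dir/server.csr" >/dev/null 2>&1

  # 3. The CA signs the request. The validity period belongs here, on the
  #    certificate, not on the request; the SAN is what TLS clients match
  #    the host name against.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$pki_host" \
    > "$pki_dir/server.ext"
  openssl x509 -req -sha256 -days 1825 \
    -in "$pki_dir/server.csr" \
    -CA "$pki_dir/ca_root.crt" -CAkey "$pki_dir/ca.key" -CAcreateserial \
    -extfile "$pki_dir/server.ext" -out "$pki_dir/server.crt" >/dev/null 2>&1

  # 4. The agents' trust anchor is the CA root, not server.crt.
  cp "$pki_dir/ca_root.crt" "$pki_dir/cacert.pem"
  chmod 600 "$pki_dir/ca.key" "$pki_dir/server.key"
}

# agent_trusts_server CACERT SERVER_CRT HOST
# The test the agent performs on the HTTPS connection: the server certificate
# must chain to cacert.pem and be issued for HOST.
# Returns 0 if the agent would accept the server, non-zero otherwise.
agent_trusts_server() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Stand-alone usage:  sh ocs_internal_pki.sh /tmp/ocs-pki ocs.domain.tld
if [ -n "${1:-}" ]; then
  make_ca_signed_server "$1" "${2:-ocs.domain.tld}"
  if agent_trusts_server "$1/cacert.pem" "$1/server.crt" "${2:-ocs.domain.tld}"; then
    echo "agent would trust $1/server.crt via $1/cacert.pem"
  else
    echo "verification FAILED" >&2
    exit 1
  fi
fi
```

Run the same `agent_trusts_server` check against “cacert.pem” and “server.crt” on the server before rolling the file out to agents: a name mismatch or a certificate issued by a different CA is rejected here exactly as it would be on every client.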

Example: Deploying a new version of the Service Agent for Windows

Create a ZIP file “OcsAgentSetup.zip” containing the file “OcsAgentSetup.exe”.


Next, connect to the Administration console and go to the menu “Deployment / Build”.

  • Fill in the package name, for example “Ocs Agent Service 4031”,
  • select target operating system “Windows”,
  • select protocol “HTTP”,
  • select priority “5”,
  • browse to select ZIP file,
  • select action “Launch”
  • and fill in the file name with the Service Agent setup command line switches, for example “OcsAgentSetup.exe /S /NOSPLASH /UPGRADE /NP /DEBUG /SERVER:my_ocs_server.domain.tld”: /S runs the installer in silent mode, /NOSPLASH disables the installer splash screen, /UPGRADE indicates that you are upgrading an already installed Service Agent, /NP disables use of the IE proxy settings, /DEBUG enables creation of log files, and /SERVER tells the agent to connect to the server at “my_ocs_server.domain.tld”.

Note: Do not forget the /UPGRADE command line switch; it is required to upgrade an existing OCS Inventory NG Agent installed as a service.


Validate by clicking the “Send” button.


Next, choose the fragment size by moving the slider, for example 500 KB, and click the “Send” button.



The deployment package is now created. You have to activate it.


Go to the menu “Deployment / Activate”.



Click the “Activate” button on the corresponding line.

  • Fill in the HTTPS URL from which agents download the metadata file INFO. This is the connection the agent validates against its “cacert.pem”, so the host name in the URL must match the server certificate.
  • Fill in the HTTP URL from which agents download the fragment files.

Then click the “Send” button.



Now the package is ready to be assigned (“affected”, in the console's wording) to computers.


Go to the “Search” menu, search for computers whose operating system equals “Windows (ALL)” and click the “Search” button.



Next, click “Deploy” on the “Mass processing” line.



To finish, click the “Affect” button on the line corresponding to the package you want.
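The activation step above splits a deployment between two channels: only the metadata file is fetched over HTTPS, and therefore validated against “cacert.pem”, while the fragments travel over plain HTTP. The following POSIX shell script is an added example (not from the OCS Inventory NG documentation or code) that builds a TAR.GZ package, fragments it to the size chosen with the slider, and shows the check that must bind the HTTP fragments to the HTTPS-protected metadata: a digest of the reassembled package, which is the only thing that makes tampering with a fragment in transit detectable. It assumes GNU `split`, `tar` and `sha256sum`; the fragment naming, the digest algorithm and the function names are the example's own and are not the server's actual file names or fields.

```shell
#!/bin/sh
# Added example, not from OCS Inventory NG: package -> fragments -> reassembly
# with an integrity check.  Assumes GNU coreutils (split -d, sha256sum) and tar.
# Fragment names, digest algorithm and function names are this example's own.
set -eu

# build_package SRC_DIR OUT_TGZ
# Packs SRC_DIR into a TAR.GZ and prints its SHA-256.  This digest is what the
# HTTPS-protected metadata must carry: nothing else about the fragments is
# authenticated once they are served over plain HTTP.
build_package() {
  tar -czf "$2" -C "$1" .
  sha256sum "$2" | cut -d' ' -f1
}

# fragment_package PKG SIZE_BYTES OUT_DIR
# Server side: cut the archive into numbered fragments (e.g. 512000 bytes for
# "500 KB").  Prints the number of fragments produced.
fragment_package() {
  mkdir -p "$3"
  split -b "$2" -d -a 3 "$1" "$3/frag-"
  ls "$3" | wc -l | tr -d ' '
}

# assemble_and_verify FRAG_DIR EXPECTED_SHA256 OUT_PKG
# Agent side: concatenate the fragments in order (lexicographic, hence the
# zero-padded suffix) and accept the result only if it matches the digest
# from the metadata.  Returns 0 on match, 1 otherwise.
assemble_and_verify() {
  cat "$1"/frag-* > "$3"
  actual=$(sha256sum "$3" | cut -d' ' -f1)
  if [ "$actual" = "$2" ]; then
    return 0
  fi
  echo "digest mismatch: fragments altered or incomplete, package rejected" >&2
  return 1
}

# Stand-alone usage: sh ocs_fragments.sh /path/to/payload_dir 512000
if [ -n "${1:-}" ]; then
  work=$(mktemp -d)
  digest=$(build_package "$1" "$work/package.tar.gz")
  n=$(fragment_package "$work/package.tar.gz" "${2:-512000}" "$work/frags")
  echo "built package with $n fragment(s), sha256 $digest"
  assemble_and_verify "$work/frags" "$digest" "$work/reassembled.tar.gz" \
    && echo "agent-side check passed"
fi
```

The design point is where the digest lives, not how the bytes are split: it must be carried by the metadata that the agent fetches over the validated HTTPS connection, so that a fragment modified or substituted on the HTTP path cannot pass the reassembly check.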



That’s all folks !