Software-on-demand certificate

[SisterOfMercy]

I now have a few products in the software-on-demand group, it works good!

However, the user still has to create a security exception, even after importing the certificates. I know the import of the certificates is working now, because the only error is that the certificate isn't valid for the site.
I created an link on the desktop to the URL: https://localhost:4441/swondemand
The certificate installed in "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.pem" that gets imported of course is valid for opsitest32.gcecad-service.local, of course this is the hostname of the client.

Changing the URL to https://opsiclient32.gcecad-service.loc ... swondemand results in OPSI asking for a password. This is of course desired when contacting that client from the network.
Browser is Mozilla Firefox ESR 24.5.0, OPSI is 4.0.4 with clients for that version.

Importing clients is done via the Mozilla NSS utility, with instructions nicked off of the mozilla-nss package. Of course I deleted the local user profile before testing this, so the default profile settings get used.

Code: Alles auswählen

; bookmarks.html is an empty file of 0 bytes
"%ScriptPath%\nss\bin\certutil.exe" -N -f "%ScriptPath%\files\bookmarks.html" -d "$InstallDir32$\browser\defaults\profile"
"%ScriptPath%\nss\bin\certutil.exe" -A -f "%ScriptPath%\files\bookmarks.html" -n "CAcert.org - Class 1 PKI Key" -t "C,C,C" -i "%ScriptPath%\files\cacert.org-root.der" -d "$InstallDir32$\browser\defaults\profile"
"%ScriptPath%\nss\bin\certutil.exe" -A -f "%ScriptPath%\files\bookmarks.html" -n "CAcert.org - Class 3 PKI Key" -t "C,C,C" -i "%ScriptPath%\files\cacert.org-class3.der" -d "$InstallDir32$\browser\defaults\profile"
"%ScriptPath%\nss\bin\certutil.exe" -A -f "%ScriptPath%\files\bookmarks.html" -n "OPSI Client certificate" -t "PTC,PTC,PTC" -i "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.pem" -d "$InstallDir32$\browser\defaults\profile"
"%ScriptPath%\nss\bin\certutil.exe" -A -f "%ScriptPath%\files\bookmarks.html" -n "OPSI Server certificate" -t "PTC,PTC,PTC" -i "%ScriptPath%\files\opsiconfd.pem" -d "$InstallDir32$\browser\defaults\profile"

So what do I need to do so make software-on-demand doesn't need the security exception on firefox?

[dkoch]

Take a look at this:

wiki/userspace:zertifikats_import for IE
and this
wiki/userspace:mozilla_nss for FF

[SisterOfMercy]

wiki/userspace:mozilla_nss for FF

That is where I copied the instructions from. I downloaded the mozilla-nss package and extracted it.

[dkoch]

mozilla_nss looks like its working out of the box to me. But i have never used that:

Code: Alles auswählen

....
Set $INST_OpsiclientdDir$  = "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd"
Set $INST_OpsiclientdCertificateFile$ = $INST_OpsiclientdDir$+"\opsiclientd.pem"
....
%SCRIPTPATH%\nss-3.12.4\bin\certutil.exe -A -n "certifikatOPSIclientd" -t "TC,TC,TC" -i "$INST_OpsiclientdCertificateFile$" -d "$akt_prefs_path$"
....
%SCRIPTPATH%\nss-3.12.4\bin\certutil.exe -L -n "certifikatOPSIclientd" -d "$akt_prefs_path$"

[SisterOfMercy]

mozilla_nss looks like its working out of the box to me. But i have never used that:

It looks like it works, and also for the certificate of the client. Let me restate the problem:

- Software on demand users connect to https://localhost:4441/swondemand
- Certificate trusted is for %hostname%.domain.name (a fqdn)
- Users get a security warning from Firefox
- Connecting from the client to %hostname%.domain.name asks for a password which lusers do not have

[SisterOfMercy]

Other question: Is it possible to remove the 'process now' button in the software-on-demand interface?
I have several products that need to install something for every user profile, and a logged-in user of course blocks the access to his/her own registry (HKEY_CURRENT_LUSER).

[n.wenselowski]

Other question: Is it possible to remove the 'process now' button in the software-on-demand interface?
I have several products that need to install something for every user profile, and a logged-in user of course blocks the access to his/her own registry (HKEY_CURRENT_LUSER).

After a quick glance over the code it probably is possible if there is no active event with "sw on demand"-type.


With kind regards

Niko

[SisterOfMercy]

After a quick glance over the code it probably is possible if there is no active event with "sw on demand"-type.

Ah, so no standard options exist. I thought I might have missed some options or configuration.
It might be more effective to be able to select per product if it can be installed now, or on next boot. Let's say you have multiple groups; software-on-demand and software-on-demand-boot, and the products in the latter group are of course the products that need to be installed on boot.
No worries, though, I'll just have to educate my users (oh my). If I really have nothing left to do I might look in the code as well.

[n.wenselowski]

Interesting thought but this probably isn't so easy to realise with the current backends as we can not store additional information on the product groups.
Maybe removing the event and telling everyone they need to reboot is an option. Reboot, get a coffee and return to your computer with all those shiny new software packages sound quite appealing to me


Kind regards

Niko