Software-on-demand certificate

SisterOfMercy
Posts: 1556
Joined: 22 Jun 2012, 19:18

Post by SisterOfMercy »

I now have a few products in the software-on-demand group, it works well! :D

However, the user still has to create a security exception, even after importing the certificates. I know the import of the certificates is working now, because the only error is that the certificate isn't valid for the site.
I created a link on the desktop to the URL: https://localhost:4441/swondemand
The certificate installed in "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.pem" that gets imported of course is valid for opsitest32.gcecad-service.local, of course this is the hostname of the client.

Changing the URL to https://opsiclient32.gcecad-service.loc ... swondemand results in OPSI asking for a password. This is of course desired when contacting that client from the network.
Browser is Mozilla Firefox ESR 24.5.0, OPSI is 4.0.4 with clients for that version.

Importing clients is done via the Mozilla NSS utility, with instructions nicked off of the mozilla-nss package. Of course I deleted the local user profile before testing this, so the default profile settings get used.

Code:

; bookmarks.html is an empty file of 0 bytes
"%ScriptPath%\nss\bin\certutil.exe" -N -f "%ScriptPath%\files\bookmarks.html" -d "$InstallDir32$\browser\defaults\profile"
"%ScriptPath%\nss\bin\certutil.exe" -A -f "%ScriptPath%\files\bookmarks.html" -n "CAcert.org - Class 1 PKI Key" -t "C,C,C" -i "%ScriptPath%\files\cacert.org-root.der" -d "$InstallDir32$\browser\defaults\profile"
"%ScriptPath%\nss\bin\certutil.exe" -A -f "%ScriptPath%\files\bookmarks.html" -n "CAcert.org - Class 3 PKI Key" -t "C,C,C" -i "%ScriptPath%\files\cacert.org-class3.der" -d "$InstallDir32$\browser\defaults\profile"
"%ScriptPath%\nss\bin\certutil.exe" -A -f "%ScriptPath%\files\bookmarks.html" -n "OPSI Client certificate" -t "PTC,PTC,PTC" -i "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.pem" -d "$InstallDir32$\browser\defaults\profile"
"%ScriptPath%\nss\bin\certutil.exe" -A -f "%ScriptPath%\files\bookmarks.html" -n "OPSI Server certificate" -t "PTC,PTC,PTC" -i "%ScriptPath%\files\opsiconfd.pem" -d "$InstallDir32$\browser\defaults\profile"
So what do I need to do so that software-on-demand doesn't need the security exception on Firefox?
Please write German, when I'm responding in the German-speaking part of the forum!
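
Why importing the certificate as trusted does not remove the warning described in the post above: trust and name matching are separate checks, and the client compares the host in the URL with the names the certificate asserts. This is an added sketch, not code from the thread or from OPSI; the certificate dicts are constructed in the shape returned by Python's `ssl` `getpeercert()`, the FQDN URL is constructed from the hostname in the post, and `LOOPBACK_CERT` is hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the dict shape of ssl.SSLSocket.getpeercert():
# a certificate that names only the client's FQDN, as in the post.
CLIENT_CERT = {"subject": ((("commonName", "opsitest32.gcecad-service.local"),),)}

# Hypothetical certificate that additionally lists the loopback names.
LOOPBACK_CERT = {
    "subject": ((("commonName", "opsitest32.gcecad-service.local"),),),
    "subjectAltName": (("DNS", "opsitest32.gcecad-service.local"),
                       ("DNS", "localhost"), ("IP Address", "127.0.0.1")),
}

def cert_names(cert, allow_cn_fallback=True):
    """Return (dns_names, ip_names) a client may compare the URL host against."""
    san = cert.get("subjectAltName", ())
    dns = [v.lower() for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    if not dns and allow_cn_fallback:
        # Legacy rule (RFC 2818): use the subject CN only when no dNSName exists.
        dns = [v.lower() for rdn in cert.get("subject", ())
               for k, v in rdn if k == "commonName"]
    return dns, ips

def name_matches(pattern, host):
    """Compare label by label; '*' may replace only the whole left-most label."""
    p, h = pattern.split("."), host.split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def url_matches_cert(cert, url, allow_cn_fallback=True):
    """True if the host in `url` is one of the identities the certificate asserts."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    dns, ips = cert_names(cert, allow_cn_fallback)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # not an IP literal, so match against DNS names
        return any(name_matches(n, host) for n in dns)
    return any(ipaddress.ip_address(i) == addr for i in ips)

if __name__ == "__main__":
    for url in ("https://localhost:4441/swondemand",
                "https://opsitest32.gcecad-service.local:4441/swondemand"):
        print(url, url_matches_cert(CLIENT_CERT, url))
```

The trust flags passed to `certutil -t` decide whether the certificate is accepted as an issuer or peer; they do not change which host names it is valid for.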
dkoch
Posts: 309
Joined: 25 Nov 2011, 14:03

Re: Software-on-demand certificate

Post by dkoch »

Take a look at this:

wiki/userspace:zertifikats_import for IE
and this
wiki/userspace:mozilla_nss for FF
SisterOfMercy
Posts: 1556
Joined: 22 Jun 2012, 19:18

Re: Software-on-demand certificate

Post by SisterOfMercy »

dkoch wrote: wiki/userspace:mozilla_nss for FF
That is where I copied the instructions from. I downloaded the mozilla-nss package and extracted it.
dkoch
Posts: 309
Joined: 25 Nov 2011, 14:03

Re: Software-on-demand certificate

Post by dkoch »

mozilla_nss looks like it's working out of the box to me. But I have never used that:

Code:

....
Set $INST_OpsiclientdDir$  = "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd"
Set $INST_OpsiclientdCertificateFile$ = $INST_OpsiclientdDir$+"\opsiclientd.pem"
....
%SCRIPTPATH%\nss-3.12.4\bin\certutil.exe -A -n "certifikatOPSIclientd" -t "TC,TC,TC" -i "$INST_OpsiclientdCertificateFile$" -d "$akt_prefs_path$"
....
%SCRIPTPATH%\nss-3.12.4\bin\certutil.exe -L -n "certifikatOPSIclientd" -d "$akt_prefs_path$"

SisterOfMercy
Posts: 1556
Joined: 22 Jun 2012, 19:18

Re: Software-on-demand certificate

Post by SisterOfMercy »

dkoch wrote: mozilla_nss looks like it's working out of the box to me. But I have never used that:
It looks like it works, and also for the certificate of the client. Let me restate the problem:

- Software on demand users connect to https://localhost:4441/swondemand
- Certificate trusted is for %hostname%.domain.name (a fqdn)
- Users get a security warning from Firefox
- Connecting from the client to %hostname%.domain.name asks for a password which lusers do not have
SisterOfMercy
Posts: 1556
Joined: 22 Jun 2012, 19:18

Re: Software-on-demand certificate

Post by SisterOfMercy »

Other question: Is it possible to remove the 'process now' button in the software-on-demand interface?
I have several products that need to install something for every user profile, and a logged-in user of course blocks the access to his/her own registry (HKEY_CURRENT_LUSER).
n.wenselowski
Ex-uib-Team
Posts: 3194
Joined: 04 Apr 2013, 12:15

Re: Software-on-demand certificate

Post by n.wenselowski »

SisterOfMercy wrote: Other question: Is it possible to remove the 'process now' button in the software-on-demand interface?
I have several products that need to install something for every user profile, and a logged-in user of course blocks the access to his/her own registry (HKEY_CURRENT_LUSER).
After a quick glance over the code it probably is possible if there is no active event with "sw on demand"-type.


With kind regards

Niko

Code:

import OPSI
SisterOfMercy
Posts: 1556
Joined: 22 Jun 2012, 19:18

Re: Software-on-demand certificate

Post by SisterOfMercy »

n.wenselowski wrote: After a quick glance over the code it probably is possible if there is no active event with "sw on demand"-type.
Ah, so no standard options exist. I thought I might have missed some options or configuration.
It might be more effective to be able to select per product if it can be installed now, or on next boot. Let's say you have multiple groups; software-on-demand and software-on-demand-boot, and the products in the latter group are of course the products that need to be installed on boot.
No worries, though, I'll just have to educate my users (oh my). If I really have nothing left to do I might look in the code as well.
n.wenselowski
Ex-uib-Team
Posts: 3194
Joined: 04 Apr 2013, 12:15

Re: Software-on-demand certificate

Post by n.wenselowski »

Interesting thought, but this probably isn't so easy to realise with the current backends as we cannot store additional information on the product groups.
Maybe removing the event and telling everyone they need to reboot is an option. Reboot, get a coffee and return to your computer with all those shiny new software packages sounds quite appealing to me ;)


Kind regards

Niko
