
Software-on-demand certificate

Posted: 06 May 2014, 18:44
by SisterOfMercy
I now have a few products in the software-on-demand group, it works well! :D

However, the user still has to create a security exception, even after importing the certificates. I know the import of the certificates is working now, because the only error is that the certificate isn't valid for the site.
I created a link on the desktop to the URL: https://localhost:4441/swondemand
The certificate installed in "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.pem" that gets imported is of course valid for opsitest32.gcecad-service.local, which is of course the hostname of the client.

Changing the URL to https://opsiclient32.gcecad-service.loc ... swondemand results in OPSI asking for a password. This is of course desired when contacting that client from the network.
Browser is Mozilla Firefox ESR 24.5.0, OPSI is 4.0.4 with clients for that version.

Importing clients is done via the Mozilla NSS utility, with instructions nicked off of the mozilla-nss package. Of course I deleted the local user profile before testing this, so the default profile settings get used.

Code:

; bookmarks.html is an empty file of 0 bytes
"%ScriptPath%\nss\bin\certutil.exe" -N -f "%ScriptPath%\files\bookmarks.html" -d "$InstallDir32$\browser\defaults\profile"
"%ScriptPath%\nss\bin\certutil.exe" -A -f "%ScriptPath%\files\bookmarks.html" -n "CAcert.org - Class 1 PKI Key" -t "C,C,C" -i "%ScriptPath%\files\cacert.org-root.der" -d "$InstallDir32$\browser\defaults\profile"
"%ScriptPath%\nss\bin\certutil.exe" -A -f "%ScriptPath%\files\bookmarks.html" -n "CAcert.org - Class 3 PKI Key" -t "C,C,C" -i "%ScriptPath%\files\cacert.org-class3.der" -d "$InstallDir32$\browser\defaults\profile"
"%ScriptPath%\nss\bin\certutil.exe" -A -f "%ScriptPath%\files\bookmarks.html" -n "OPSI Client certificate" -t "PTC,PTC,PTC" -i "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.pem" -d "$InstallDir32$\browser\defaults\profile"
"%ScriptPath%\nss\bin\certutil.exe" -A -f "%ScriptPath%\files\bookmarks.html" -n "OPSI Server certificate" -t "PTC,PTC,PTC" -i "%ScriptPath%\files\opsiconfd.pem" -d "$InstallDir32$\browser\defaults\profile"
So what do I need to do so that software-on-demand doesn't need the security exception in Firefox?

Re: Software-on-demand certificate

Posted: 06 May 2014, 19:13
by dkoch
Take a look at this:

wiki/userspace:zertifikats_import for IE
and this
wiki/userspace:mozilla_nss for FF

Re: Software-on-demand certificate

Posted: 06 May 2014, 19:44
by SisterOfMercy
dkoch wrote: wiki/userspace:mozilla_nss for FF
That is where I copied the instructions from. I downloaded the mozilla-nss package and extracted it.

Re: Software-on-demand certificate

Posted: 06 May 2014, 23:14
by dkoch
mozilla_nss looks like it's working out of the box to me. But I have never used that:

Code:

....
Set $INST_OpsiclientdDir$  = "%ProgramFiles32Dir%\opsi.org\opsi-client-agent\opsiclientd"
Set $INST_OpsiclientdCertificateFile$ = $INST_OpsiclientdDir$+"\opsiclientd.pem"
....
%SCRIPTPATH%\nss-3.12.4\bin\certutil.exe -A -n "certifikatOPSIclientd" -t "TC,TC,TC" -i "$INST_OpsiclientdCertificateFile$" -d "$akt_prefs_path$"
....
%SCRIPTPATH%\nss-3.12.4\bin\certutil.exe -L -n "certifikatOPSIclientd" -d "$akt_prefs_path$"
Re: Software-on-demand certificate

Posted: 08 May 2014, 01:07
by SisterOfMercy
dkoch wrote: mozilla_nss looks like it's working out of the box to me. But I have never used that:
It looks like it works, and also for the certificate of the client. Let me restate the problem:

- Software on demand users connect to https://localhost:4441/swondemand
- Certificate trusted is for %hostname%.domain.name (a fqdn)
- Users get a security warning from Firefox
- Connecting from the client to %hostname%.domain.name asks for a password which lusers do not have
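The mismatch restated above is a plain hostname check: the browser compares the host in the URL (localhost) with the names the certificate carries (the client's FQDN). The following is an added example, not code from the thread or from opsi, that reproduces that check in Python over a constructed certificate dict in the layout ssl.getpeercert() returns; the certificate names are hypothetical stand-ins for opsiclientd.pem.

```python
"""Check whether a certificate's names cover the host a URL is opened with."""
from ipaddress import ip_address

# Constructed stand-in for what ssl.getpeercert() would return for the
# opsiclientd.pem in the thread: issued to the client's FQDN only (hypothetical).
CLIENT_CERT = {
    "subject": ((("commonName", "opsitest32.gcecad-service.local"),),),
    "subjectAltName": (("DNS", "opsitest32.gcecad-service.local"),),
}


def cert_names(cert):
    """Names the cert is valid for: SAN entries, CN only when no DNS SAN exists."""
    sans = [(kind, value) for kind, value in cert.get("subjectAltName", ())
            if kind in ("DNS", "IP Address")]
    if any(kind == "DNS" for kind, _ in sans):
        return sans
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return sans + [("DNS", cn) for cn in cns]


def dns_match(pattern, hostname):
    """Case-insensitive exact match, or a wildcard in the leftmost label only."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    first, rest = p.split(".", 1) if "." in p else (p, "")
    _hfirst, hrest = h.split(".", 1) if "." in h else (h, "")
    return first == "*" and rest != "" and rest == hrest  # a bare "*" never matches


def hostname_matches(cert, host):
    """True if a browser would accept this certificate for https://host/..."""
    try:
        ip = ip_address(host)          # URL host given as an IP literal
    except ValueError:
        ip = None                      # URL host is a DNS name
    for kind, value in cert_names(cert):
        if ip is not None and kind == "IP Address" and ip_address(value) == ip:
            return True
        if ip is None and kind == "DNS" and dns_match(value, host):
            return True
    return False


def missing_names(cert, hosts):
    """Hosts from the list that the certificate does not cover (empty = no warning)."""
    return [h for h in hosts if not hostname_matches(cert, h)]
```

Running missing_names(CLIENT_CERT, ["localhost", "opsitest32.gcecad-service.local"]) reports localhost, which is exactly the warning the users see; the fix on the certificate side is a SAN list that also carries localhost (and 127.0.0.1 if the URL uses it), not a weaker browser check.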

Re: Software-on-demand certificate

Posted: 02 Jun 2014, 19:08
by SisterOfMercy
Other question: Is it possible to remove the 'process now' button in the software-on-demand interface?
I have several products that need to install something for every user profile, and a logged-in user of course blocks the access to his/her own registry (HKEY_CURRENT_LUSER).

Re: Software-on-demand certificate

Posted: 04 Jun 2014, 09:55
by n.wenselowski
SisterOfMercy wrote: Other question: Is it possible to remove the 'process now' button in the software-on-demand interface?
I have several products that need to install something for every user profile, and a logged-in user of course blocks the access to his/her own registry (HKEY_CURRENT_LUSER).
After a quick glance over the code it probably is possible if there is no active event with "sw on demand"-type.


With kind regards

Niko

Re: Software-on-demand certificate

Posted: 04 Jun 2014, 12:51
by SisterOfMercy
n.wenselowski wrote: After a quick glance over the code it probably is possible if there is no active event with "sw on demand"-type.
Ah, so no standard options exist. I thought I might have missed some options or configuration.
It might be more effective to be able to select per product if it can be installed now, or on next boot. Let's say you have multiple groups: software-on-demand and software-on-demand-boot, and the products in the latter group are of course the products that need to be installed on boot.
No worries, though, I'll just have to educate my users (oh my). If I really have nothing left to do I might look in the code as well.

Re: Software-on-demand certificate

Posted: 06 Jun 2014, 12:29
by n.wenselowski
Interesting thought but this probably isn't so easy to realise with the current backends as we can not store additional information on the product groups.
Maybe removing the event and telling everyone they need to reboot is an option. Reboot, get a coffee and return to your computer with all those shiny new software packages sounds quite appealing to me ;)


Kind regards

Niko