OCS under SSL

To be able to use the OCS remote-deployment feature, you must run it behind an SSL tunnel.

On the Apache SSL side there is nothing beyond the usual configuration, except that you must add the following line:

SSLOptions +StdEnvVars

A complete configuration file for a port 443 virtual host is given at the bottom of this page.

For remote deployment to work, you will also need to install your SSL certificate on EACH client machine.

This file must be renamed cacert.pem and copied into the OCS install directory, by default C:\Program Files\OCS Inventory Agent.

This cacert.pem file actually corresponds to the file referenced on this line:

SSLCertificateFile /etc/apache2/ssl/server.crt

It does not need to be a certificate recognised by an official certification authority (VeriSign and the like).

If you have an official certificate, the file to install on the client is the one referenced on this line:

SSLCACertificateFile /etc/apache2/ssl/ca_root.crt

In my case I have 3 certification authorities, so I had to install the certificate referenced on this line:

SSLCertificateChainFile /etc/apache2/ssl/server-ca.crt
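The rule of thumb above (self-signed: the server certificate itself; official CA: the CA certificate; several CAs: the chain file) can be checked before any file is copied to a client. The shell script below is an added example, not part of the original page or of OCS Inventory: it uses openssl to build a throwaway root CA, an intermediate CA and a server certificate for the constructed name ocs.mondomaine.be, assembles cacert.pem the way the text describes for each case, and runs `openssl verify` to show which candidates the agent would actually accept. All file names are placeholders, and the constructed server-ca.crt holds the intermediate plus the root, which is an assumption about how a chain file is laid out.

```shell
#!/bin/sh
# Added example, not part of the original page: build the cacert.pem that the
# OCS agent expects from the server-side certificate files, then check with
# openssl that the server certificate really chains up to that file before it
# is copied to every client. A throwaway root CA, intermediate CA, server
# certificate and self-signed certificate are generated in a scratch directory
# so the script runs offline; all names and paths are constructed placeholders.

# Generate the constructed test PKI under directory $1.
make_test_pki() {
  d="$1"
  # Root CA, self-signed (stands in for the "official authority" of the page).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Root CA" \
    -keyout "$d/root.key" -out "$d/ca_root.crt" 2>/dev/null
  # Intermediate CA signed by the root; it needs the CA basic constraint.
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$d/inter.csr" -CA "$d/ca_root.crt" \
    -CAkey "$d/root.key" -CAcreateserial -extfile "$d/ca.ext" \
    -out "$d/inter.crt" 2>/dev/null
  # Server certificate for the OCS virtual host, issued by the intermediate.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ocs.mondomaine.be" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$d/server.csr" -CA "$d/inter.crt" \
    -CAkey "$d/inter.key" -CAcreateserial -out "$d/server.crt" 2>/dev/null
  # What SSLCertificateChainFile would hold here (assumption): the
  # intermediate plus the root, so the agent has a path to a trust anchor.
  cat "$d/inter.crt" "$d/ca_root.crt" > "$d/server-ca.crt"
  # Self-signed server certificate for the "no official CA" case.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=ocs.mondomaine.be" -keyout "$d/self.key" -out "$d/self.crt" \
    2>/dev/null
}

# build_cacert OUT SERVER_CRT [CA_FILE...]
# With CA files: concatenate them (official-CA or chain case).
# Without: the self-signed server certificate is itself the trust anchor.
build_cacert() {
  out="$1"; server="$2"; shift 2
  if [ $# -eq 0 ]; then
    cat "$server" > "$out"
  else
    cat "$@" > "$out"
  fi
}

# agent_would_trust SERVER_CRT CACERT_PEM
# Succeeds only if the server certificate chains to a root found in
# cacert.pem, which is the check the agent performs when it connects.
agent_would_trust() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print a one-line verdict for one candidate cacert.pem.
report() {
  if agent_would_trust "$1" "$2"; then echo "OK   $3"; else echo "FAIL $3"; fi
}

# Demo run on the constructed PKI.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_test_pki "$tmp"
build_cacert "$tmp/cacert_chain.pem"    "$tmp/server.crt" "$tmp/server-ca.crt"
build_cacert "$tmp/cacert_rootonly.pem" "$tmp/server.crt" "$tmp/ca_root.crt"
build_cacert "$tmp/cacert_wrong.pem"    "$tmp/server.crt" "$tmp/server.crt"
build_cacert "$tmp/cacert_self.pem"     "$tmp/self.crt"
report "$tmp/server.crt" "$tmp/cacert_chain.pem"    "CA-signed cert, cacert = chain file"
report "$tmp/server.crt" "$tmp/cacert_rootonly.pem" "CA-signed cert, cacert = root only (intermediate missing)"
report "$tmp/server.crt" "$tmp/cacert_wrong.pem"    "CA-signed cert, cacert = server.crt (wrong file)"
report "$tmp/self.crt"   "$tmp/cacert_self.pem"     "self-signed cert, cacert = server.crt"
```

Copying the CA-signed server.crt as cacert.pem (an easy slip, since that is the SSLCertificateFile) fails verification, and so does a root certificate on its own when an intermediate sits between it and the server certificate; that second case is the situation the previous paragraph describes, and the chain file is what resolves it.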

Here is a complete VirtualHost:

<VirtualHost _default_:443>

    ServerName ocs.mondomaine.be
    DocumentRoot /var/www/ocsreports
    <Directory "/var/www/ocsreports">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    AddDefaultCharset ISO-8859-1

    # Use separate log files:
    ErrorLog /var/log/apache2/ssl_ocs-error_log
    TransferLog /var/log/apache2/ssl_ocs-access_log

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # SSL Cipher Suite:
    # List the ciphers that the client is permitted to negotiate.
    # See the mod_ssl documentation for a complete list.
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

    # Server Certificate:
    # Point SSLCertificateFile at a PEM encoded certificate. If
    # the certificate is encrypted, then you will be prompted for a
    # pass phrase. Note that a kill -HUP will prompt again. A test
    # certificate can be generated with `make certificate' at
    # build time. Keep in mind that if you've both a RSA and a DSA
    # certificate you can configure both in parallel (to also allow
    # the use of DSA ciphers, etc.)
    SSLCertificateFile /etc/apache2/ssl/server.crt

    # Server Private Key:
    # If the key is not combined with the certificate, use this
    # directive to point at the key file. Keep in mind that if
    # you've both a RSA and a DSA private key you can configure
    # both in parallel (to also allow the use of DSA ciphers, etc.)
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # Server Certificate Chain:
    # The intermediate CA certificate(s) sitting between the server
    # certificate and the root the clients trust.
    SSLCertificateChainFile /etc/apache2/ssl/server-ca.crt

    # SSL Engine Options:
    # StdEnvVars:
    # This exports the standard SSL/TLS related `SSL_*' environment variables.
    # Per default this exportation is switched off for performance reasons,
    # because the extraction step is an expensive operation and is usually
    # useless for serving static content. So one usually enables the
    # exportation for CGI and SSI requests only.
    SSLOptions +StdEnvVars

    # SSL Protocol Adjustments:
    # The safe and default but still SSL/TLS standard compliant shutdown
    # approach is that mod_ssl sends the close notify alert but doesn't wait for
    # the close notify alert from client. When you need a different shutdown
    # approach you can use one of the following variables:
    # o ssl-unclean-shutdown:
    #   This forces an unclean shutdown when the connection is closed, i.e. no
    #   SSL close notify alert is sent or allowed to be received. This violates
    #   the SSL/TLS standard but is needed for some brain-dead browsers. Use
    #   this when you receive I/O errors because of the standard approach where
    #   mod_ssl sends the close notify alert.
    # o ssl-accurate-shutdown:
    #   This forces an accurate shutdown when the connection is closed, i.e. a
    #   SSL close notify alert is sent and mod_ssl waits for the close notify
    #   alert of the client. This is 100% SSL/TLS standard compliant, but in
    #   practice often causes hanging connections with brain-dead browsers. Use
    #   this only for browsers where you know that their SSL implementation
    #   works correctly.
    # Notice: Most problems of broken clients are also related to the HTTP
    # keep-alive facility, so you usually additionally want to disable
    # keep-alive for those clients, too. Use variable "nokeepalive" for this.
    # Similarly, one has to force some clients to use HTTP/1.0 to work around
    # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
    # "force-response-1.0" for this.
    BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

    # Per-Server Logging:
    # The home of a custom SSL log file. Use this when you want a
    # compact non-error SSL logfile on a virtual host basis.
    CustomLog /var/log/apache2/ssl_request_ocs_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
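The SSLCipherSuite line in the virtual host above reflects 2009-era defaults and leaves export-grade, RC4, LOW and SSLv2 suites enabled, and no SSLProtocol line restricts the protocol versions. As an added example that is not part of the original page, the shell script below lints the TLS directives of a configuration fragment and runs it over the page's settings and over a corrected fragment; the corrected fragment keeps SSLOptions +StdEnvVars, which OCS needs, and assumes Apache 2.4.36 or later with OpenSSL 1.1.1 or later, which +TLSv1.3 requires.

```shell
#!/bin/sh
# Added example, not part of the original page: a small lint for the TLS
# settings of an Apache SSL virtual host. It flags the weak classes in the
# page's cipher line and reports nothing for a hardened replacement. Both
# configuration fragments are constructed here; the hardened one assumes
# Apache 2.4.36+ built against OpenSSL 1.1.1+ (needed for TLSv1.3).

# Print one finding per line for the config file $1 (the caller counts them).
ssl_config_issues() {
  cfg="$1"

  # 1. Protocol versions. Without an SSLProtocol line, mod_ssl falls back to
  #    its default, which on old releases still allows SSLv3/TLSv1.0.
  proto=$(sed -n 's/^[[:space:]]*SSLProtocol[[:space:]]*//p' "$cfg" | head -n 1)
  if [ -z "$proto" ]; then
    echo "SSLProtocol not set: server default may allow SSLv3/TLSv1.0"
  else
    for w in $proto; do
      case "$w" in -*) continue ;; +*) w=${w#+} ;; esac
      case "$w" in
        all|SSLv2|SSLv3|TLSv1|TLSv1.1) echo "SSLProtocol enables obsolete version: $w" ;;
      esac
    done
  fi

  # 2. Cipher classes. Any enabled token (not prefixed by ! or -) that names
  #    an export, NULL, anonymous, RC4, DES/3DES, MD5, LOW or MEDIUM class.
  cs=$(sed -n 's/^[[:space:]]*SSLCipherSuite[[:space:]]*//p' "$cfg" | head -n 1)
  for tok in $(printf '%s' "$cs" | tr ':' ' '); do
    case "$tok" in '!'*|-*) continue ;; +*) tok=${tok#+} ;; esac
    for bad in SSLv2 SSLv3 EXP LOW MEDIUM RC4 DES MD5 ADH aNULL eNULL; do
      case "$tok" in
        *"$bad"*) echo "SSLCipherSuite enables weak class $bad (token $tok)"; break ;;
      esac
    done
  done

  # 3. Without SSLHonorCipherOrder the client chooses the suite (TLS <= 1.2).
  grep -Eqi '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+on' "$cfg" \
    || echo "SSLHonorCipherOrder not enabled"
}

# Number of findings for config file $1.
ssl_issue_count() {
  ssl_config_issues "$1" | wc -l | tr -d ' '
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# The TLS-relevant lines of the page's virtual host, as constructed input.
cat > "$work/weak.conf" <<'EOF'
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLOptions +StdEnvVars
EOF

# Corrected fragment: TLS 1.2/1.3 only, AEAD suites with forward secrecy,
# server-side cipher preference; StdEnvVars stays because OCS needs it.
cat > "$work/hardened.conf" <<'EOF'
SSLEngine on
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder on
SSLOptions +StdEnvVars
EOF

echo "--- findings for the page's settings ---"
ssl_config_issues "$work/weak.conf"
echo "--- findings for the hardened settings: $(ssl_issue_count "$work/hardened.conf") ---"
```

Run it as-is to see the seven findings for the page's line (five weak cipher classes, no SSLProtocol, no SSLHonorCipherOrder) and none for the corrected fragment; point ssl_config_issues at a real vhost file to lint it the same way. The check only reads the directives, so a pass here still deserves confirmation against the running server with an external TLS scanner.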

configuration_d_ocs_sous_un_tunnel_ssl.txt · Last modified: 2009/03/24 18:55 by admin

Unless otherwise stated, the content of this wiki is placed under the following licence: CC Attribution-Noncommercial-Share Alike 3.0 Unported