opsi manual opsi version 4.0.2 - opsi Download - uib
Now you can activate this using the opsi-configed at the Server configuration or at the Host parameter of selected clients by changing the value from false to true.
Caution
Be very careful when activating "verify_server_cert": if it is configured improperly, your clients will refuse the connection!
12.6.2 Variant 2: verify_server_cert_by_ca
This variant works just like the SSL certificate check in your browser.
The presented SSL certificate is accepted if it is issued for the exact FQDN (commonName) of the server (or if DNS verifies that this is the FQDN matching the IP address of the server) and the certificate is issued and signed by uib gmbh.
If either of these conditions is not met, the communication with the server is aborted.
This method is more secure than the first one, but you will have to buy the certificates from uib gmbh. For prices and conditions, have a look at the price list of uib gmbh:
http://uib.de/en/opsi_support/index.html
Any profits from selling these certificates will be invested in the maintenance of opsi security.
To activate this security method, set the following option in the section [global] of opsiclientd.conf:
verify_server_cert_by_ca = true
Run the following command on your opsi-config-server to create this configuration entry for all clients:
opsi-admin -d method config_createBool opsiclientd.global.verify_server_cert_by_ca "verify_server_cert_by_ca" false
Now you can activate this using the opsi-configed at the Server configuration or at the Host parameter of selected clients by changing the value from false to true.
Caution
Be very careful when activating "verify_server_cert_by_ca": if it is configured improperly, your clients will refuse the connection!
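A check of which of the two options is actually enabled in a client's opsiclientd.conf, given as an added example that is not part of the opsi manual or opsi's own code. It assumes the file parses as INI text and that verify_server_cert is also read from [global]; the function name is hypothetical and the sample configuration is constructed.

```python
import configparser

# Option names come from this page; reading verify_server_cert from
# [global] as well is an assumption of this example.
OPTIONS = ("verify_server_cert", "verify_server_cert_by_ca")

# Constructed sample input, not a real client configuration.
SAMPLE_CONF = """\
[global]
verify_server_cert = true
verify_server_cert_by_ca = flase
"""

def audit_server_cert_options(conf_text):
    """Return ({option: enabled}, [findings]) for opsiclientd.conf text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    enabled, findings = {}, []
    for opt in OPTIONS:
        raw = parser.get("global", opt, fallback=None)
        if raw is None:
            enabled[opt] = False
            findings.append(f"{opt}: not set in [global]")
            continue
        try:
            enabled[opt] = parser.getboolean("global", opt)
        except ValueError:
            # A typo must not be mistaken for an enabled check.
            enabled[opt] = False
            findings.append(f"{opt}: unparsable value {raw!r}, counted as disabled")
    if not any(enabled.values()):
        findings.append("no server certificate verification option is enabled")
    elif not enabled["verify_server_cert_by_ca"]:
        findings.append("only verify_server_cert is enabled, not the CA-based variant")
    return enabled, findings

if __name__ == "__main__":
    state, notes = audit_server_cert_options(SAMPLE_CONF)
    print(state)
    for note in notes:
        print("finding:", note)
```

Running it against a copy of a client's configuration before and after changing the value in opsi-configed shows whether the change actually reached the file.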
12.7 Authentication at the control server of the client
The opsiclientd provides a web service interface, which allows remote control of the opsiclientd and thus remote control of the client (Section 7.3.9).
Authentication is required to access this interface. You may authenticate as a local administrator with a non-empty password, or with an empty user name and the opsi-host-key as password.
12.8 Admin network configuration
The idea of an admin network is to ban any administrative access from the standard production network and to allow such access only from a special admin network.
With opsi, all opsi-clients need restricted access to the opsi web service, which allows them to read and change their own data. Administrative access with further privileges is granted to members of the Unix group opsiadmin only.