opsi manual opsi version 4.0.2 - opsi Download - uib

More documents

Recommendations

Info

opsi manual opsi version 4.0.2 which is readable with administrative privileges only. The opsi-host-key is stored at the server in the used backend (e.g at /etc/opsi/pckeys). 95 / 193 In addition to this authentication, you may tell the opsiconfd to check if the client IP address matches the given FQDN. To activate this check, set at the /etc/opsi/opsiconfd.conf: verify ip = yes and reload the opsiconfd: /etc/init.d/opsiconfd reload Caution Do not use this feature if you are not really sure, that your name resolution works properly in both directions for all clients. 12.6 Server authentication at the client Since opsi 4.0.1 there are different possibilities to check the trustworthiness of the contacted server. Caution Do not use them in combination. Choose only one way or you will be locked out from your client. 12.6.1 Variant 1: verify_server_cert At the first contact to a opsi-server, the client will accept the given SSL certificate and store it at C:\opsi.org\opsiclientd\server-certs. On any subsequent contact, the client creates a random string and uses the public key of the stored certificate to encrypt this string (and the own access parameters). These encrypted data will be sent to the server. The server uses the private key of its own SSL certificate to decrypt the data and sends the decrypted random string back to the client. Now the client checks if the correct string was sent back. If not, the communication to the server will be aborted. You can prevent this way that somebody directs your clients to a wrong server, e.g. by manipulating the DNS. If you setup a new server, you may migrate the SSL certificate from the old to the new server without problems. And you must not deploy any certification authority (CA). The disadvantage of this method is, that a man-in-the-middle attack is still possible. This security method checks the communication between client and opsi-config-server. Using the opsi WAN extension and as clientconfig.depot.protocol webdav, also the communication to the opsidepot-server is checked. Section 15.3.1 To activate this check, set at the opsiclientd.conf in the section [global] the option: verify_server_cert = true Run the following command at your opsi-config-server to to create this configuration entry for all clients: opsi-admin -d method config_createBool opsiclientd.global.verify_server_cert "verify_server_cert" false
opsi manual opsi version 4.0.2 96 / 193 Now you can activate this using the opsi-configed at the Server configuration or at the Host parameter of seleted clients by chaning the value from false to true. Caution Be very careful with activating "verify_server_cert", for in case of improper configuration your clients will refuse the connection! 12.6.2 Variant 2: verify_server_cert_by_ca This variant works just like SSL certificates are checked in your browser. The given SSL certificate will be accepted, if it is issued for the exact FQDN (commonName) of the server (or if the DNS verifies that this is the FQDN matching the IP address of the server) and the certificate is issued and signed by the uib gmbh. Is one of these conditions not true, the communication to the server will be aborted. This method is more secure than the first one. But you will have to buy the certificates from uib gmbh. For prizes and conditions have a look at the prize list of uib gmbh: http://uib.de/en/opsi_support/index.html Any profits from selling these certificates will be invested in the maintenance of the opsi security. To activate this security method, set at the opsiclientd.conf in the section [global] the option: verify_server_cert_by_ca = true Run the following command at your opsi-config-server to to create this configuration entry for all clients: opsi-admin -d method config_createBool opsiclientd.global.verify_server_cert_by_ca "verify_server_cert_by_ca" false Now you can activate this using the opsi-configed at the Server configuration or at the Host parameter of seleted clients by chaning the value from false to true. Caution Be very careful with activating "verify_server_cert_by_ca", for in case of improper configuration your clients will refuse the connection! 12.7 Authentication at the control server of the client The opsiclientd provides a web service interface, which allows remote control of the opsiclientd and thus remote control of the client. (Section 7.3.9). In order to access this interface authentication is required. You may authenticate as a local administrator with a not empty password, or with an empty user name and the opsi-host-key as password. 12.8 Admin network configuration The idea of an admin network is to ban any administrative access from the standard production network and allow these accesses only from a special admin network. With opsi all opsi-clients need restricted access to the opsi web service, which allows them to read and change their own data. Administrative access with further privileges is granted to members of the unix group opsiadmin only.
Page 1 and 2:
opsi manual opsi version 4.0.2 Stan
Page 3 and 4:
opsi manual opsi version 4.0.2 4.3.
Page 5 and 6:
opsi manual opsi version 4.0.2 8 Lo
Page 7 and 8:
opsi manual opsi version 4.0.2 14 o
Page 9 and 10:
opsi manual opsi version 4.0.2 20 o
Page 11 and 12:
opsi manual opsi version 4.0.2 24.6
Page 13 and 14:
opsi manual opsi version 4.0.2 3 Ov
Page 15 and 16:
opsi manual opsi version 4.0.2 More
Page 17 and 18:
Page 19 and 20:
opsi manual opsi version 4.0.2 prod
Page 21 and 22:
opsi manual opsi version 4.0.2 4.3.
Page 23 and 24:
opsi manual opsi version 4.0.2 12 /
Page 25 and 26:
opsi manual opsi version 4.0.2 Basi
Page 27 and 28:
opsi manual opsi version 4.0.2 Send
Page 29 and 30:
opsi manual opsi version 4.0.2 Dele
Page 31 and 32:
opsi manual opsi version 4.0.2 20 /
Page 33 and 34:
opsi manual opsi version 4.0.2 Figu
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
opsi manual opsi version 4.0.2 The
Page 41 and 42:
opsi manual opsi version 4.0.2 -p,
Page 43 and 44:
Page 45 and 46:
opsi manual opsi version 4.0.2 •
Page 47 and 48:
opsi manual opsi version 4.0.2 meth
Page 49 and 50:
opsi manual opsi version 4.0.2 Note
Page 51 and 52:
opsi manual opsi version 4.0.2 prod
Page 53 and 54:
] opsi manual opsi version 4.0.2 {
Page 55 and 56: opsi manual opsi version 4.0.2 (...
Page 57 and 58: opsi manual opsi version 4.0.2 soft
Page 59 and 60: opsi manual opsi version 4.0.2 meth
Page 61 and 62: opsi manual opsi version 4.0.2 Supp
Page 63 and 64: opsi manual opsi version 4.0.2 Supp
Page 65 and 66: opsi manual opsi version 4.0.2 6 Ac
Page 67 and 68: opsi manual opsi version 4.0.2 7.3
Page 69 and 70: opsi manual opsi version 4.0.2 shut
Page 71 and 72: opsi manual opsi version 4.0.2 60 /
Page 73 and 74: opsi manual opsi version 4.0.2 7.3.
Page 75 and 76: opsi manual opsi version 4.0.2 veri
Page 77 and 78: opsi manual opsi version 4.0.2 even
Page 79 and 80: opsi manual opsi version 4.0.2 [eve
Page 83 and 84: opsi manual opsi version 4.0.2 Figu
Page 85 and 86: opsi manual opsi version 4.0.2 At t
Page 91 and 92: opsi manual opsi version 4.0.2 - Ch
Page 93 and 94: opsi manual opsi version 4.0.2 82 /
Page 95 and 96: opsi manual opsi version 4.0.2 Call
Page 97 and 98: opsi manual opsi version 4.0.2 imag
Page 101 and 102: opsi manual opsi version 4.0.2 { "C
Page 105: opsi manual opsi version 4.0.2 12.2
Page 121 and 122: opsi manual opsi version 4.0.2 The
Page 125 and 126: opsi manual opsi version 4.0.2 114
Page 127 and 128: opsi manual opsi version 4.0.2 Tabl
Page 133 and 134: opsi manual opsi version 4.0.2 The
Page 135 and 136: opsi manual opsi version 4.0.2 •
Page 139 and 140: opsi manual opsi version 4.0.2 [5]
Page 145 and 146: opsi manual opsi version 4.0.2 ’
Page 147 and 148: opsi manual opsi version 4.0.2 18 o
Page 157 and 158:
opsi manual opsi version 4.0.2 Show
Page 159 and 160:
opsi manual opsi version 4.0.2 148
Page 161 and 162:
Page 163 and 164:
Page 165 and 166:
opsi manual opsi version 4.0.2 On R
Page 167 and 168:
opsi manual opsi version 4.0.2 Chec
Page 169 and 170:
Page 171 and 172:
Page 173 and 174:
Page 175 and 176:
Page 177 and 178:
Page 179 and 180:
opsi manual opsi version 4.0.2 serv
Page 181 and 182:
Page 183 and 184:
opsi manual opsi version 4.0.2 HARD
Page 185 and 186:
opsi manual opsi version 4.0.2 •
Page 187 and 188:
Page 189 and 190:
opsi manual opsi version 4.0.2 -h s
Page 191 and 192:
opsi manual opsi version 4.0.2 set
Page 193 and 194:
Page 195 and 196:
Page 197 and 198:
opsi manual opsi version 4.0.2 [rep
Page 199 and 200:
Page 201 and 202:
opsi manual opsi version 4.0.2 Devi
Page 203 and 204:
show all

opsi manual opsi version 4.0.2 - opsi Download - uib

Create successful ePaper yourself

Delete template?

Save as template?