Configuring rundeck with ldap for AD authentication - active-directory

Trying here to see if anyone has worked out LDAP auth against AD with rundeck. I am using the JRE running method for rundeck. Here is what I have done so far:
I have set up the jaas-ldap.conf as shown on Rundeck authentication users page
I have requested an SSL certificate from my admin. To use ldaps, rundeck requires an SSL cert, or so it's written on their site. After getting the cert, they mention the following two steps:
Once a certificate has been obtained. There are two options for adding the certificate. The first involves updating the truststore for the JRE. If that is not possible or not desirable, then one can set the truststore to be used by the jvm, using any arbitrary truststore that contains the appropriate certificate.
Both options require importing a certificate. The following would import a certificate called, AD.cert into the /etc/rundeck/ssl/truststore.
keytool -import -alias CompanyAD -file AD.cert -keystore /etc/rundeck/ssl/truststore -storepass adminadmin
To add the certificate to the JRE, locate the file $JAVA_HOME/lib/security/cacerts and run
keytool -import -alias CompanyAD -file AD.cert -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit
To verify your CA has been added, run keytool list and look for CompanyAD in the output.
keytool -list -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit
This is where I am running into an issue. I have imported my certificate into the java truststore under $JAVA_HOME/lib/security/cacerts. The ssl.properties file also asks for keystore, keystore.password and key.password parameters. Now, am I supposed to create a new keystore, or omit these and just use the truststore variables?
I also tried creating a new keystore (.jks) and imported the same SSL certificate into it, setting keypass and storepass. This did not help. I am getting an error saying java.io.IOException: Keystore was tampered with, or password was incorrect
I am deploying the jar using - java -Dloginmodule.conf.name=jaas-ldap.conf -Dloginmodule.name=ldap -Drundeck.ssl.config=ssl.properties -jar rundeck-launcher-2.6.4.jar
I'd appreciate help getting past this.

There is no need to ask your admin for the SSL certificate. If your organization uses ldaps and the certificate installed on the LDAP server is a self-signed cert which is not in your keystore, then you need to add the cert to your JVM keystore. To get that certificate, run the command below:
openssl s_client -connect <ldapserver>:636
This will give some output with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. Copy the text between these strings to a file ldap.cert.
keytool -import -alias CompanyAD -file ldap.cert -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit
If your keystore has been tampered with, you will probably have to reinstall Java on the system.
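The answer's two manual steps (copy the PEM out of the s_client output, import it with keytool) as one script, added here as an example; it is not part of the question, the answer or Rundeck's documentation. It assumes placeholder values LDAP_HOST, TRUSTSTORE and TRUSTSTORE_PASS and embeds a constructed s_client transcript so the splitting logic can be exercised offline; the fetch and import steps need network access, openssl and keytool. Two details the thread leaves implicit: keytool reports "Keystore was tampered with, or password was incorrect" whenever the -storepass given does not match the store, so compare the password in ssl.properties with the one used at import time before suspecting corruption; and the PEM you copy must include the BEGIN and END lines. In Rundeck's ssl.properties the keystore entries describe the server certificate for Rundeck's own HTTPS listener, while outbound LDAPS validation is governed by the truststore entries or by the JVM's javax.net.ssl.trustStore properties.

```shell
#!/bin/sh
# Added example (not Rundeck's code): fetch the LDAPS server's certificate
# chain, split it into PEM blocks, import the issuer into a truststore and
# show how to point the JVM at it. LDAP_HOST, TRUSTSTORE and TRUSTSTORE_PASS
# are placeholders.
set -u

LDAP_HOST="${LDAP_HOST:-ldap.example.internal}"      # placeholder LDAPS host
TRUSTSTORE="${TRUSTSTORE:-/etc/rundeck/ssl/truststore}"
TRUSTSTORE_PASS="${TRUSTSTORE_PASS:-changeit}"       # placeholder password

# Constructed transcript shaped like `openssl s_client -showcerts` output
# (the base64 bodies are placeholders, not real certificates).
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
depth=1 CN = Constructed Test CA
---
Certificate chain
 0 s:CN = ldap.example.internal
   i:CN = Constructed Test CA
-----BEGIN CERTIFICATE-----
LEAFCERTBASE64LINE1
LEAFCERTBASE64LINE2
-----END CERTIFICATE-----
 1 s:CN = Constructed Test CA
   i:CN = Constructed Test CA
-----BEGIN CERTIFICATE-----
CACERTBASE64LINE1
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ldap.example.internal'

# Print every PEM block on stdin, BEGIN and END lines included.
extract_pem_blocks() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Count the PEM blocks on stdin (prints 0 instead of failing when none).
count_pem_blocks() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Print block number $1 (1-based, leaf first) of the PEM stream on stdin.
nth_pem_block() {
    awk -v want="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }
    '
}

# Fetch the chain the server presents. stdin is closed so s_client exits.
fetch_chain() {
    openssl s_client -showcerts -connect "$LDAP_HOST:636" -servername "$LDAP_HOST" \
        </dev/null 2>/dev/null | extract_pem_blocks
}

# Import PEM file $1 under alias $2 into the truststore, then verify it is listed.
import_into_truststore() {
    keytool -importcert -noprompt -trustcacerts -alias "$2" -file "$1" \
        -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS"
    keytool -list -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS" | grep -i "$2"
}

main() {
    chain=$(fetch_chain)
    total=$(printf '%s\n' "$chain" | count_pem_blocks)
    [ "$total" -ge 1 ] || { echo "no certificate received from $LDAP_HOST:636" >&2; exit 1; }
    # The last block is the highest issuer the server sent; trusting the issuer
    # rather than the leaf survives server-certificate renewals. If the server
    # sends only its own certificate, this is the leaf and still works.
    printf '%s\n' "$chain" | nth_pem_block "$total" > issuer.pem
    import_into_truststore issuer.pem CompanyAD
    echo "Start Rundeck with: java -Djavax.net.ssl.trustStore=$TRUSTSTORE" \
         "-Djavax.net.ssl.trustStorePassword=<truststore password> -jar rundeck-launcher-2.6.4.jar"
}

if [ "${1:-}" = "--demo" ]; then
    # Offline demonstration on the constructed transcript.
    printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | nth_pem_block 2
elif [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it with `--demo` to see the splitting on the embedded sample, or with `--run` against a real server. A truststore built this way is separate from cacerts, so a JDK upgrade cannot silently drop the CompanyAD entry.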

Ubuntu integration to windows domain

Hello
I am migrating an Ubuntu Bionic 18.04 Linux server to a Windows domain
I followed the steps below:
1- update packages first.
2- install the required packages.
sudo apt -y install realmd sssd sssd-tools sssd-ad libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
sudo apt-get install -y krb5-user sssd-krb5
pam ????
3- Server Network config
create file 99_config.yaml (/etc/netplan/99_config.yaml)
configure IP , DNS server and domain
Change server hostname to a fully qualified domain name
sudo hostnamectl set-hostname serverName.mydomain
change /etc/hosts
add or update line 127.0.0.1 serverName.mydomain
apply change : sudo netplan apply
4- Discover the domain
realm discover mydomain (works fine)
5- Kerberos config
REALM (IN CAPITALS) = mydomain
kdc = my domain Active Directory server IP
admin_server = my domain Active Directory server name
6- Join ubuntu server to the domain
realm join MyNameServerIP mamadi.fofana (works fine)
7- Modify pam to automatically create a home directory for AD users
pam-auth-update
Check “activate mkhomedir”.
8- Test to see if the integration is working correctly
id myuserName@myDomain
getent passwd myuserName@myDomain
groups myuserName@myDomain
All three commands above work fine
9- Admin config
Update sudoers file to include your domain administrators security group with full sudo access:
sudo nano /etc/sudoers.d/admins
Add the necessary lines to it. For example:
user ALL=(ALL) ALL
%Domain\ Admins ALL=(ALL) ALL
To avoid adding the domain name to the username every time, configure this.
sudo nano /etc/sssd/sssd.conf
Change the ‘use_fully_qualified_names’ value to False.
Restart and check:
sudo systemctl restart sssd
Allow access for some AD users or groups:
sudo realm permit myUserName@myDomain someUserName@myDomain
sudo realm permit -g 'Domain Admins'
Login using SSH via another terminal:
ssh -l myuserName@myDomain MyUbuntuServerIP
At first it worked; several domain users managed to connect with SSH, FileZilla and directly on the server with their domain credentials.
The only concern was that name resolution didn't work with the Ubuntu server name; we used the IP address.
To fix the name resolution problem, I had to install and configure samba and nmbd.
Suddenly, after a few days, I couldn't connect to the server with the domain accounts.
With SSH I get the message
Connection closed by ServerIP port 22
Directly on the server I get the message
Sorry that didn't work, please try again
I am, however, sure of the password, and other users have also failed to connect.
Do you have any idea of the origin of the problem, or a way to debug it to identify the source?
The migration worked at first, then stopped recognizing domain user passwords.
I should specify that although the domain users cannot connect, the following commands still work and show correct output:
realm discover mydomain (works fine)
id myuserName@myDomain
getent passwd myuserName@myDomain
groups myuserName@myDomain
Please assist
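A triage script for the failure described in the post, added here as an example; it is not the poster's or Ubuntu's code. It assumes Ubuntu's /var/log/auth.log location and sssd's default log path, and embeds a constructed log excerpt so the classification runs offline; the live checks need a joined host. The useful signal in the post is that id and getent still work while passwords are rejected: identity lookups go through sssd's LDAP side (and its cache), but password checks go through Kerberos to a domain controller, so a clock that has drifted more than five minutes, a host keytab the DC no longer accepts, or an unreachable DC breaks logins while lookups keep working.

```shell
#!/bin/sh
# Added example (not the poster's script): classify pam_sss results from
# auth.log so the failing stage (backend, access control, or credentials) is
# visible, and list the live checks that usually explain each class.
# Assumed paths: /var/log/auth.log and /var/log/sssd/sssd_pam.log.

# Constructed sample shaped like Ubuntu's /var/log/auth.log (not real data).
SAMPLE_AUTH_LOG='Mar 10 09:12:01 srv sshd[2211]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=jdoe
Mar 10 09:12:01 srv sshd[2211]: pam_sss(sshd:auth): received for user jdoe: 4 (System error)
Mar 10 09:12:03 srv sshd[2211]: Connection closed by authenticating user jdoe 10.0.0.5 port 50122 [preauth]
Mar 10 09:13:20 srv sshd[2240]: pam_sss(sshd:auth): received for user asmith: 7 (Authentication failure)
Mar 10 09:14:02 srv sshd[2260]: pam_sss(sshd:auth): received for user bjones: 4 (System error)
Mar 10 09:15:10 srv sshd[2281]: pam_sss(sshd:account): Access denied for user cwhite: 6 (Permission denied)'

# Count pam_sss result lines on stdin whose parenthesised reason matches $1.
count_pam_sss_reason() {
    grep -c "pam_sss([a-z]*:[a-z]*): .*: [0-9]* ($1)" || true
}

# Map a pam_sss reason to the stage that produced it and what to check.
explain_reason() {
    case "$1" in
        "System error")
            echo "backend: sssd could not complete the Kerberos exchange with the DC; check time skew, DNS/KDC reachability and /var/log/sssd/sssd_pam.log" ;;
        "Permission denied")
            echo "access-control: user resolves but is not permitted; check 'realm list' / 'realm permit' and access_provider in sssd.conf" ;;
        "Authentication failure")
            echo "credentials: the DC rejected the password; check lockout, expiry and the password itself" ;;
        *)
            echo "unknown: look the code up in sssd_pam.log" ;;
    esac
}

# Summarise a log given on stdin: one line per reason class with count and explanation.
summarise_pam_sss() {
    log=$(cat)
    for reason in "System error" "Permission denied" "Authentication failure"; do
        n=$(printf '%s\n' "$log" | count_pam_sss_reason "$reason")
        [ "$n" -gt 0 ] && echo "$n x ($reason) -> $(explain_reason "$reason")"
    done
    return 0
}

# Live checks for the situation in the post: lookups work, passwords fail.
live_checks() {
    timedatectl status | grep -i 'synchronized'           # Kerberos rejects skew over 5 minutes
    realm list                                             # login policy and permitted users
    sudo klist -k /etc/krb5.keytab                         # host keytab the DC must still accept
    sudo sssctl domain-status "$(realm list --name-only)"  # online/offline state of the backend
    sudo tail -n 50 /var/log/sssd/sssd_pam.log
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_AUTH_LOG" | summarise_pam_sss
elif [ "${1:-}" = "--live" ]; then
    live_checks
    sudo tail -n 200 /var/log/auth.log | summarise_pam_sss
fi
```

`--demo` runs the classification over the embedded sample; `--live` runs the host checks and then classifies the last 200 lines of the real auth.log. A run of "System error" results for several users at once, as in the sample, points at the host-to-DC path rather than at any one account.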

SQL Server 2017 on Linux/Kubernetes -- Set up TLS Security

Trying to configure TLS on my MSSQL connections following this article: https://learn.microsoft.com/en-us/sql/linux/sql-server-linux-encrypted-connections?view=sql-server-2017
The server-side configuration seems pretty straightforward, with minor differences in the container environment (e.g. systemctl doesn't exist, so I kill/respawn the pod):
systemctl stop mssql-server
cat /var/opt/mssql/mssql.conf
/opt/mssql/bin/mssql-conf set network.tlscert /var/opt/mssql/ssl/mssql.pem
/opt/mssql/bin/mssql-conf set network.tlskey /var/opt/mssql/ssl/mssqlprivkey.key
/opt/mssql/bin/mssql-conf set network.tlsprotocols 1.2
/opt/mssql/bin/mssql-conf set network.forceencryption 0
systemctl start mssql-server
So I took my PFX from my Windows CA and extracted the key and the client cert to key and pem files, added them to the location for persistent storage (/var/opt), ran the commands (seen above) and SQL came back up.
I installed mssql-tools on a different machine and configured it in the trust-anchors to trust my CA.
However, when trying to test the connection (sqlcmd -N -S tcp:1.1.1.1,1433 -U user -P password), I get the error: SSL Provider: [error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:subject name does not match host name]
When I change the connection string to the DNS name, it works (sqlcmd -N -S tcp:mssql.mydomain.com,1433 -U user -P password) -- even though the IP address is listed as a subject alternative name on the cert.
Why are secure connections not working using the IP? What am I missing?
Different TLS client tools handle the IP Address Subject Alternative Name type differently. Most Microsoft tools ignore the iPAddress name type completely and require IP addresses to be listed as the dNSName name type. Try adding the IP address to the SAN extension as a dNSName name type; it should work.
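To make the answer concrete, the following is an added example (not from the question, the answer or Microsoft's documentation) that uses the question's host name and address to issue a certificate whose SAN lists 1.1.1.1 both as iPAddress and as dNSName, then reads the SAN back. The self-signed certificate stands in for one issued by the Windows CA; for the real one the same -addext goes into the CSR (make_csr) that you submit to the CA. Requires OpenSSL 1.1.1 or newer for -addext.

```shell
#!/bin/sh
# Added example (not from the thread): a certificate whose SAN carries the
# address as both iPAddress and dNSName, and a check that both forms are present.
# mssql.mydomain.com and 1.1.1.1 are the question's values; the self-signed
# certificate is a stand-in for a CA-issued one.
set -u

# Create a self-signed cert and key for host $2 / address $3 in directory $1.
make_test_cert() {
    dir="$1"; host="${2:-mssql.mydomain.com}"; ip="${3:-1.1.1.1}"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host,IP:$ip,DNS:$ip" \
        -keyout "$dir/mssqlprivkey.key" -out "$dir/mssql.pem" 2>/dev/null
}

# For a CA-issued certificate the same extension goes into the CSR instead.
make_csr() {
    dir="$1"; host="${2:-mssql.mydomain.com}"; ip="${3:-1.1.1.1}"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host,IP:$ip,DNS:$ip" \
        -keyout "$dir/mssqlprivkey.key" -out "$dir/mssql.csr" 2>/dev/null
}

# Print the SAN line of certificate $1 (the line after the extension header).
san_of() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Return 0 when certificate $1 names address $2 as both iPAddress and dNSName.
has_both_san_forms() {
    san=$(san_of "$1")
    case "$san" in
        *"IP Address:$2"*) ;;
        *) return 1 ;;
    esac
    case "$san" in
        *"DNS:$2"*) return 0 ;;
        *) return 1 ;;
    esac
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_test_cert "$d"
    echo "SAN: $(san_of "$d/mssql.pem")"
    if has_both_san_forms "$d/mssql.pem" 1.1.1.1; then
        echo "1.1.1.1 is present as both iPAddress and dNSName"
    fi
    rm -rf "$d"
fi
```

Keeping the iPAddress entry alongside the dNSName copy matters: clients that do implement RFC 6125 correctly (OpenSSL-based tools with host-name checking, for instance) match a literal IP only against iPAddress entries, so a cert with only the dNSName form would satisfy the Microsoft tools and fail those.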

Extract a certificate using a Batch file

Is there any way of downloading an https certificate using a batch file (or a PowerShell script) in Windows? In Linux I can use openssl s_client -connect <URL> ...
How can I do it in Windows (without using third-party openssl implementations)?
Some time ago I wrote a Test-WebServerSSL PowerShell script that does the thing: Test remote web server SSL certificate. The function utilizes built-in System.Net.WebRequest class and its ServicePoint property.
Just copy/paste the function into your PowerShell console and call it by specifying the remote server host name:
Test-WebServerSSL www.mydomain.com
Note that you must type only remote server's host name without protocol prefix and relative URL path.
To save the certificate to a file, you can send the output object to the Set-Content cmdlet:
$SSL = Test-WebServerSSL www.mydomain.com
Set-Content -Path $CertificateFile -Value $SSL.Certificate.RawData -Encoding Byte

Add password to keytool command

I've made a .bat file to get the SHA1 of my Android app so I don't need to type the command each time
keytool -list -v -keystore "Path/To/My/Key.jks"
When I run the bat file I get asked for the password. Is it possible to either put the password in the command e.g. something like --password MyPassword, or in the .bat file wait for the Enter your password line, and then send the password? I don't have any experience really with .bat files so I don't know if that's possible to do or not.
I looked at the --help for keytool and the only password flags I could see were for changing the password, not specifying it.
The keytool that ships with the Oracle JDK allows you to specify it on the command line with -storepass, you were doing keytool -help instead of keytool -list -help. (I suppose the Android version is the same.)
C:\>keytool.exe -list -help
keytool -list [OPTION]...
Lists entries in a keystore
Options:
-rfc output in RFC style
-alias <alias> alias name of the entry to process
-keystore <keystore> keystore name
-storepass <arg> keystore password
-storetype <storetype> keystore type
-providername <providername> provider name
-providerclass <providerclass> provider class name
-providerarg <arg> provider argument
-providerpath <pathlist> provider classpath
-v verbose output
-protected password through protected mechanism
Use "keytool -help" for all available commands
Specify the keystore password using the -storepass option:
keytool <commands and options> -storepass changeit
changeit being the default keystore password, but use whatever.
For example, to add a certificate using the default password:
keytool -importcert -trustcacerts -alias mycert -file mycert.cer -keystore .../lib/security/cacerts -storepass changeit
As @sastorsl said, if you are worried about putting your password in clear text in your command or script (and you should be), you should put your password in a secure file (with 0400 permissions, in Linux) or in an environment variable.
Now keytool does have a similar construct to openssl's file:<filename>, if your password is in a file:
keytool <commands and options> -storepass:file <pass_file>
If your password is in an environment variable:
keytool <commands and options> -storepass:env <pass_var>
Disclaimer: I have tested the -storepass:file option in Bash (not in Windows), but the documentation does not seem to have any difference according to the OS.
From the Oracle keytool doc:
-storepass [:env | :file ] argument
The password that is used to protect the integrity of the keystore.
If the modifier env or file isn’t specified, then the password has the value argument, which must contain at least six characters. Otherwise, the password is retrieved as follows:
env: Retrieve the password from the environment variable named argument.
file: Retrieve the password from the file named argument.
Note: All other options that require passwords, such as -keypass, -srckeypass, -destkeypass, -srcstorepass, and -deststorepass, accept the env and file modifiers. Remember to separate the password option and the modifier with a colon (:).
If you are worried about storing your password in a script, and about it turning up in your command line history (which you should be), store the password in a separate file instead, secure it, and reference it.
NB! This is Linux / bash specific, and OP seems to be on Windows, but I hope this can help somebody else.
keytool -list -v -keystore "Path/To/My/Key.jks" -storepass "$(cat bin/.pw)"
If only keytool would have the file:<filename> construct which the openssl client has.
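As an added example (not from any of the answers above), the -storepass:file pattern with the password file created so that only its owner can read it. This keeps the password out of argv, where `ps` and shell history would otherwise show it; the $(cat bin/.pw) form in the answer just above still expands the password onto the command line. Paths are placeholders; keytool is only invoked in the --demo branch. It assumes GNU stat (with a BSD fallback) for the mode check.

```shell
#!/bin/sh
# Added example: keep a keystore password in a 0400 file and hand it to keytool
# with -storepass:file. Path/To/My/Key.jks is the question's placeholder path.
set -u

# Create file $1 containing the password read from stdin, owner-readable only.
# umask runs in a subshell so it does not change the caller's umask.
write_pass_file() {
    (
        umask 077
        # keytool reads the first line of the file as the password.
        cat > "$1"
        chmod 0400 "$1"
    )
}

# Octal permission bits of file $1, e.g. 400 (GNU stat, BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when the password file is exactly 0400, which is what to require
# before letting a script use it.
pass_file_is_private() {
    [ "$(mode_of "$1")" = "400" ]
}

# List a keystore without the password ever appearing in argv.
list_keystore() {
    pass_file_is_private "$2" || { echo "refusing: $2 is not mode 0400" >&2; return 1; }
    keytool -list -v -keystore "$1" -storepass:file "$2"
}

if [ "${1:-}" = "--demo" ]; then
    pw_file="$HOME/.keystore.pw"
    printf 'Keystore password: '
    stty -echo; read -r pw; stty echo; echo
    printf '%s\n' "$pw" | write_pass_file "$pw_file"
    unset pw
    list_keystore "Path/To/My/Key.jks" "$pw_file"
fi
```

The same file works for the other password options the Oracle documentation lists (-keypass:file, -srcstorepass:file and so on), so one protected file can serve a whole signing script.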

libcurl: Is there any way to get certificates of FTPS without logging in?

libcurl can get certificate info by using CURLINFO_CERTINFO, but that info must come after curl_easy_perform, which means you need to log in to the FTP server first without verifying the certificates.
FTP software like FileZilla get the certificates and then ask the user to trust them or not, just before sending username and password.
The following OpenSSL command can also get the certificates with no username or password:
$ openssl s_client -showcerts -connect ftp.godaddy.com:21 -starttls ftp
I also tried using CURLOPT_VERBOSE to monitor the FTP commands. After the AUTH TLS command is OK, it should stop immediately and try to get the cert info. But that didn't work.
You can accomplish this by using the CURLOPT_SSL_CTX_FUNCTION to install a callback function when the SSL_CTX gets created. From that CURL callback, you can install your own verify function callback using the regular OpenSSL API SSL_CTX_set_cert_verify_callback().
The CURL web site provides an example.
