juju-manual [2016/12/08 19:27] sgiulitti [Manually adding the Client certs on the target windows machine]
juju-manual [2016/12/08 21:52]
Hi guys, I will help you, step by step, to manually provision a Windows machine. :-)
====== Introduction ======

Until recently, manual provisioning in Juju was possible only for Linux machines.
This feature is quite handy if you want to manage the cloud yourself, or if you are providing your own hosted cloud for your services.

===== For this example we are using this: =====

State Machine


==== So without further ado, let's start the hacking process ====

====== Step 1 ======

Pop up a bash terminal window on your controller (the juju client machine) and execute the following commands in order.


<code bash>
go get -v -u https://
go get -v -u launchpad.net/
cd $GOPATH/
git checkout enable-windows-provisioner
godeps -t -u dependencies.tsv
</code>

I will supply here a link to the gist where you can download the build scripts, to make the process simpler.

[[https://

Download all the scripts to some location, make them executable and add that path to your $PATH.

For example (in my order of things):

<code bash>
SCRIPT_PATH=~/
mkdir -p "$SCRIPT_PATH"
cd "$SCRIPT_PATH"
# clone the gist into the current directory, then move its scripts up one level
https://
mv 3c8f858a3865f3b31a3ee19c58ab2688/
rmdir 3c8f858a3865f3b31a3ee19c58ab2688
chmod u+x *
# I usually do this in the .profile in my $HOME directory. You can also run the line straight in the
# shell, but be careful: when you close the bash session you will lose all the variables you set, so put
# it somewhere scripts will always load when you open a shell (for example .bashrc).
export PATH="$PATH:$SCRIPT_PATH"
</code>

=== Now you can build the project by running this command ===
<code bash>
makejuju.sh enable-windows-provisioner
</code>

In the **uploadtools.sh** file make sure that, on the last line, the path points to the directory the http server serves files from; mine for example is **/
To make sure, you can execute these commands in order.

<code bash>
mkdir -p /
chown -R $USER:$USER /var/html/*
</code>

We need to do this because the state machine will fetch the metadata from that server and download the jujud binary for its series.
====== Step 2 ======

First, we need to check whether the Windows machine has all the WinRM listeners enabled. This is important because, during the provisioning process, the juju client communicates directly,

If not, you will need to do the steps below.

Open a PowerShell console (on the Windows machine) and type the following commands to enable PowerShell remoting and the WinRM HTTP listener:

<code powershell>
Enable-PSRemoting -Force
Set-ExecutionPolicy RemoteSigned
winrm quickconfig
# this will let us use the http listener with password auth
winrm set winrm/
</code>

Keep in mind that Basic authentication over the plain HTTP listener sends the password base64-encoded, which is as good as cleartext for anyone on the network path. Use it only on a trusted network, or only until the HTTPS listener below is working.

To enable the HTTPS listener you must first create your own self-signed CA certificate, using openssl or makecert.
This guide will use openssl.

=== Download OpenSSL for Windows. ===

[[http://

The Win32/Win64 OpenSSL vx.x.x Light package is more than enough for generating the SSL certificate.

To add Server Authentication to the EKU, open openssl.cfg and add the extendedKeyUsage setting under the v3_ca section. The subjectAltName must carry the IP (or hostname) the juju client will connect to, otherwise the client's name check on the certificate fails:
<code bash>
[ v3_ca ]
extendedKeyUsage = serverAuth
subjectAltName = IP:
</code>


<code powershell>
# note: cmd-style "set" does not set an environment variable in PowerShell (it is an alias
# of Set-Variable); in a PowerShell console use $env:OPENSSL_CONF = "<path to openssl.cfg>" instead
set OPENSSL_CONF=C:
cd C:
# generate the self-signed certificate and key with openssl, then export them as a PFX
C:
C:
# import the PFX into the machine's certificate stores (typically Cert:\LocalMachine\My for the
# listener, and Cert:\LocalMachine\Root so the self-signed certificate is trusted locally)
Import-PfxCertificate -FilePath .\winrmcacert.pfx -CertStoreLocation Cert:
Import-PfxCertificate -FilePath .\winrmcacert.pfx -CertStoreLocation Cert:
winrm create winrm/
netsh advfirewall firewall add rule name="
</code>


=== Note: ===
Don't forget to add the **'** quotes around the **@{}**.
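Putting Step 2 together, here is an added example (not code from the original page or from Juju) that checks which listeners exist, binds the HTTPS listener to the server certificate imported above, turns on certificate authentication, and then stops the service from accepting unencrypted traffic so that Basic credentials only ever travel inside TLS. The host name, the certificate store locations and the firewall profiles are assumptions; adjust them to your machine.

```powershell
# Added example, not from the original page or from Juju.
# Assumptions: the self-signed server cert was imported into Cert:\LocalMachine\My
# (and into Cert:\LocalMachine\Root so this machine trusts it), and $ServerAddress
# is the name/IP the juju client will use, which must match the cert's CN or SAN.
$ServerAddress = 'winrm-target.example.internal'   # placeholder

# 1. What is listening right now? A fresh "winrm quickconfig" gives only HTTP on 5985.
winrm enumerate winrm/config/listener

# 2. Pick the server certificate: the CN must match, and it needs the Server Authentication
#    EKU (OID 1.3.6.1.5.5.7.3.1), which is what the extendedKeyUsage=serverAuth line adds.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.Subject -like "CN=$ServerAddress*" -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid })
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw "No certificate for $ServerAddress with the serverAuth EKU in LocalMachine\My"
}

# 3. Bind the HTTPS listener (TCP 5986) to that certificate. -Force replaces an
#    existing HTTPS listener instead of failing on a re-run.
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# 4. Open the port, but only on the profiles your management network actually uses.
New-NetFirewallRule -DisplayName 'WinRM HTTPS (5986)' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -Action Allow -Profile Domain,Private | Out-Null

# 5. Allow certificate auth on the service (needed for the client cert mapping later)
#    and refuse unencrypted messages. Basic over plain HTTP sends the password
#    base64-encoded; with AllowUnencrypted=false Basic still works, but only over HTTPS,
#    so the juju client has to use the HTTPS listener and the certificates from Step 3.
Set-Item -Path WSMan:\localhost\Service\Auth\Certificate -Value $true
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false

# 6. Verify: both listeners are present and the HTTPS endpoint answers an identify
#    request with full CA and name validation (no -SkipCACheck). If this throws, the CA
#    is not in Trusted Root or the name does not match the cert; fix that, do not skip it.
Get-ChildItem -Path WSMan:\localhost\Listener | Format-Table Name, Keys -AutoSize
Test-WSMan -ComputerName $ServerAddress -UseSSL
```

Run it in an elevated PowerShell on the Windows machine after the openssl/import steps above. The order matters: create the HTTPS listener and confirm it answers before setting AllowUnencrypted to false, otherwise you lock yourself out of the HTTP path with nothing to replace it.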

====== Step 3 ======

You need to copy the newly created **server cert** to the controller (juju client), into a specific x509 config folder where juju will look for it.

You need to store the file under the specific name **winrmcacert.crt**.

Please make sure that the server cert is in PEM format.

<code bash>
mkdir -p $HOME/
# make a backup copy of the CA cert here, because if something is broken juju will delete the x509 dir and regenerate all the client certs, but not the CA.
cp winrmcacert.crt $HOME/
# to make juju generate the client certs you must run
juju status
# If you have custom client certs, rename them to winrmclientkey.pem and winrmclientcert.crt and move them into $HOME/
# if you list the dir you should see something like this:
tree x509/
x509/
├── winrmcacert.crt
├── winrmclientcert.crt
└── winrmclientkey.pem
</code>

The client key (winrmclientkey.pem) authenticates your controller to every Windows machine that has the client cert mapped, so keep it readable only by your user (mode 0600).

====== Step 4 ======
( manual provisioning )

We need to create a new environment first (juju bootstrap).

<code bash>
juju bootstrap manual/
</code>

Now for the grand finale.

<code bash>
juju add-machine --debug winrm:
</code>

====== Manually adding the Client certs on the target windows machine ======

Pop up a PowerShell window and type these lines, with your own credentials filled in.

<code powershell>
$username = "LOCAL ACCOUNT THE CERT MAPS TO"
$password = "PASSWORD OF THAT ACCOUNT"
$pfx_password = "PASSWORD OF THE PFX FILE"
$certThumb = "CERT THUMBPRINT"
$CN = "CN OF THE CLIENT CERT"

$secure_password = ConvertTo-SecureString $password -AsPlainText -Force
$pfx_secure_password = ConvertTo-SecureString $pfx_password -AsPlainText -Force

Import-PfxCertificate -FilePath '
Import-PfxCertificate -FilePath '

$cred = New-Object System.Management.Automation.PSCredential "

# CREATE WINRM CERT MAPPING
New-Item -Path WSMan:

# Test client connection with client cert auth without skipping the CA
Test-WSMan -ComputerName $env:

# test client connection with client cert auth, skipping the CA verification and CN check
# (troubleshooting only: these switches disable exactly the checks that stop an impostor
# from answering for the listener, so never use them for real sessions)
$opt = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
Enter-PSSession -ComputerName $env:


# Remove Client mapping (in case you want to remove it)
Remove-Item -Path WSMan:
</code>
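As an added example (not code from the original page or from Juju), here is the same client-certificate mapping with the pieces the snippet above leaves to the reader: it checks that the client certificate carries the Client Authentication EKU and a UPN/e-mail SAN (WinRM refuses to map it otherwise), takes the issuer thumbprint from the CA certificate instead of asking you to paste it, maps the certificate to a local account, and then proves the mapping works without skipping any TLS check. The file paths, the account name and the server address are assumptions; only public certificates are copied to the target, the private key stays with the juju controller.

```powershell
# Added example, not from the original page or from Juju. Placeholders (assumptions):
$ServerAddress  = 'winrm-target.example.internal'  # must match the server cert CN/SAN
$CaCertPath     = 'C:\certs\winrmcacert.crt'        # PEM CA cert, same file as in the juju x509 dir
$ClientCertPath = 'C:\certs\winrmclientcert.crt'    # PEM client cert (public part only)
$LocalAccount   = 'jujuadmin'                       # local account the certificate will log in as
$clientAuthOid  = '1.3.6.1.5.5.7.3.2'               # Client Authentication EKU

# Ask for the account password instead of leaving it in the script history.
$accountCred = Get-Credential -UserName $LocalAccount -Message 'Password of the mapped local account'

# 1. Only public certs go onto the target: the issuing CA into Trusted Root (WinRM
#    validates the chain against it) and the client cert into TrustedPeople for inspection.
$caCert     = Import-Certificate -FilePath $CaCertPath -CertStoreLocation Cert:\LocalMachine\Root
$clientCert = Import-Certificate -FilePath $ClientCertPath -CertStoreLocation Cert:\LocalMachine\TrustedPeople

# 2. WinRM only maps certificates that carry the clientAuth EKU and a SAN of type UPN or
#    e-mail; the mapping's -Subject must be that SAN value, not the certificate's CN.
$eku = $clientCert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid }))) {
    throw 'Client certificate lacks the clientAuth EKU; WinRM will never map it'
}
$nameType   = [System.Security.Cryptography.X509Certificates.X509NameType]
$subjectSan = $clientCert.GetNameInfo($nameType::UpnName, $false)
if (-not $subjectSan) { $subjectSan = $clientCert.GetNameInfo($nameType::EmailName, $false) }
if (-not $subjectSan) { throw 'Client certificate has no UPN or e-mail SAN; reissue it with one' }

# 3. Create the mapping: any client presenting a cert with this SAN, issued by this CA,
#    logs in as $LocalAccount. WinRM stores the account password to perform that logon,
#    so use a dedicated, least-privilege local account rather than a shared admin.
New-Item -Path WSMan:\localhost\ClientCertificate -Subject $subjectSan -URI '*' `
    -Issuer $caCert.Thumbprint -Credential $accountCred -Force | Out-Null
Get-ChildItem -Path WSMan:\localhost\ClientCertificate | Format-Table Name, Keys -AutoSize

# 4. Prove it from a Windows host that holds the matching private key in Cert:\CurrentUser\My
#    (the target itself, if you imported the client PFX there as the snippet above does),
#    with full CA, name and revocation checking. If this fails, fix the trust or the name;
#    -SkipCACheck/-SkipCNCheck would let anyone holding a cert for any name answer instead.
$clientThumb = $clientCert.Thumbprint
Test-WSMan -ComputerName $ServerAddress -UseSSL -Authentication ClientCertificate `
    -CertificateThumbprint $clientThumb
Invoke-Command -ComputerName $ServerAddress -UseSSL -CertificateThumbprint $clientThumb `
    -ScriptBlock { whoami }
# whoami should print the mapped local account, e.g. WINRM-TARGET\jujuadmin; if it prints
# something else, the mapping matched a different Subject/Issuer pair than you expected.
```

Step 4 is the check the page's own snippet does with SkipCACheck/SkipCNCheck: here it runs with the checks on, which is the only configuration the juju client will actually use, so a failure here tells you about a trust or naming problem before `juju add-machine` does.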