User Tools
juju-manual
Differences
This shows you the differences between two versions of the page.
|
juju-manual [2016/12/08 19:31] sgiulitti [Manually adding the Client certs on the target windows machine] |
juju-manual [2016/12/08 21:52] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | Hi guys, I will help you step by step to manual provision a windows machine. :-) | ||
| - | ====== Introduction ====== | ||
| - | |||
| - | Not long ago, manual provisioning in Juju was possible for linux machines. | ||
| - | This feature is quite handy if you want to mange by yourself the cloud or you are providing for your services you own hosted cloud. | ||
| - | |||
| - | ===== For this example we are are using this: ===== | ||
| - | |||
| - | State Machine | ||
| - | | ||
| - | |||
| - | ==== So without further ado let's start the hacking process ==== | ||
| - | |||
| - | |||
| - | ====== Step 1 ====== | ||
| - | |||
| - | '' | ||
| - | Pop up a bash terminal windows in your controller(juju client machine) and execute din commands in order. | ||
| - | |||
| - | |||
| - | <code bash> | ||
| - | go get -v -u https:// | ||
| - | go get -v -u launchpad.net/ | ||
| - | cd $GOPATH/ | ||
| - | git checkout enable-windows-provisioner | ||
| - | godeps -t -u dependencies.tsv | ||
| - | </ | ||
| - | |||
| - | I will supply here a link to the gist where you could download the build script in order to make the process more simpler. | ||
| - | |||
| - | [[https:// | ||
| - | |||
| - | Download all scripts in some location ,make them executable and point the path into $PATH env. | ||
| - | |||
| - | For example(in my order of things). | ||
| - | |||
| - | <code bash> | ||
| - | SCRIPT_PATH = ~/ | ||
| - | mkdir -p $SCRIPT_PATH | ||
| - | cd $SCRIPT_PATH | ||
| - | https:// | ||
| - | mv 3c8f858a3865f3b31a3ee19c58ab2688/ | ||
| - | rmdir 3c8f858a3865f3b31a3ee19c58ab2688 | ||
| - | chmod u+x * | ||
| - | # I usualy do this in my .profile in my $HOME directory. But you can run the line straight in the | ||
| - | # shell, be careful when you close the bash session you will lose all variables saved, so put | ||
| - | # it somewhere, where scripts will always load when you open a shell.(example .bashrc) | ||
| - | export $PATH: | ||
| - | </ | ||
| - | |||
| - | === Now you can build the project running this command === | ||
| - | <code bash> | ||
| - | makejuju.sh enable-windows-provisioner | ||
| - | </ | ||
| - | |||
| - | In the **uploadtools.sh** file make sure on the last line, the path is pointing to the files where the http server has acces to serve them, mine for example is **/ | ||
| - | To make sure. You cand execute this commands in order. | ||
| - | |||
| - | <code bash> | ||
| - | mkdir -p / | ||
| - | chown -R $USER:$USER /var/html/* | ||
| - | </ | ||
| - | |||
| - | We need to do this because the state machine will access the metadata and download the jujud binary based on series. | ||
| - | |||
| - | ====== Step 2 ====== | ||
| - | |||
| - | '' | ||
| - | |||
| - | First ,we need check if the windows machine has enabled all WinRM listeners. It's important because, in the provisioning process, the juju client directly communicate, | ||
| - | |||
| - | If not you will need to do the steps above. | ||
| - | |||
| - | Open PowerShell console(on the windows machine) and type the following command to enable PowerShell remoting and the WinRM http listner: | ||
| - | |||
| - | <code powershell> | ||
| - | Enable-PSRemoting -Force | ||
| - | Set-ExecutionPolicy RemoteSigned | ||
| - | winrm quickconfig | ||
| - | # this will let us use the http listener with password auth | ||
| - | winrm set winrm/ | ||
| - | |||
| - | </ | ||
| - | |||
| - | To enable HTTPS listener you must first create a your own self signed CA cert using openssl or makecert. | ||
| - | This guide will use openssl. | ||
| - | |||
| - | === Download OpenSSL for Windows. === | ||
| - | |||
| - | [[http:// | ||
| - | |||
| - | Package Win32/64 OpenSSL vx.x.x Light is more than enough for generating SSL certificate. | ||
| - | |||
| - | To add Server Authentication to EKU open openssl.cfg and add extendedKeyUsage setting under v3_ca section: | ||
| - | <code bash> | ||
| - | [ v3_ca ] | ||
| - | extendedKeyUsage = serverAuth | ||
| - | subjectAltName = IP: | ||
| - | </ | ||
| - | |||
| - | |||
| - | <code powershell> | ||
| - | set OPENSSL_CONF=C: | ||
| - | cd C: | ||
| - | C: | ||
| - | C: | ||
| - | Import-PfxCertificate -FilePath .\winrmcacert.pfx -CertStoreLocation Cert: | ||
| - | Import-PfxCertificate -FilePath .\winrmcacert.pfx -CertStoreLocation Cert: | ||
| - | winrm set winrm/ | ||
| - | winrm set winrm/ | ||
| - | winrm create winrm/ | ||
| - | netsh advfirewall firewall add rule name=" | ||
| - | </ | ||
| - | |||
| - | |||
| - | === Note: === | ||
| - | Don't forget to add those **'** around the **@{}**. | ||
| - | |||
| - | ====== Step 3 ====== | ||
| - | |||
| - | You need to copy the newly **sever cert** on the controller(juju client) in a specific x509 config folder where juju will look on. | ||
| - | |||
| - | You need to store the file with a specific name of **winrmcacert.crt** | ||
| - | |||
| - | Please make sure that the server cert is in pem format. | ||
| - | |||
| - | <code bash> | ||
| - | mkdir -p $HOME/ | ||
| - | # make here a quick copy of the CA cert because if something is broken juju will delete the x509 dir and regenerate all the client certs but not the CA. | ||
| - | cp winrmcacert.crt $HOME/ | ||
| - | # in order to generate the client certs by juju you must hit the command | ||
| - | juju status | ||
| - | # If you have some custom client cert please rename them into winrmclientkey.pem and winrmclientcert.crt and move them into $HOME/ | ||
| - | # if you list the dirs you should have something like this. | ||
| - | tree x509/ | ||
| - | x509/ | ||
| - | ├── winrmcacert.crt | ||
| - | ├── winrmclientcert.crt | ||
| - | └── winrmclientkey.pem | ||
| - | </ | ||
| - | |||
| - | ====== Step 4 ====== | ||
| - | ( manual provisioning ) | ||
| - | |||
| - | We need to make a new environmnet frist. (juju bootstrap) | ||
| - | |||
| - | <code bash> | ||
| - | juju bootstrap manual/ | ||
| - | </ | ||
| - | |||
| - | Now for the grand finale. | ||
| - | |||
| - | <code bash> | ||
| - | juju add-machine --debug winrm: | ||
| - | </ | ||
| - | |||
| - | |||
| - | ======= Manually adding the Client certs on the target windows machine ====== | ||
| - | |||
| - | Pop up a powershell windows and type these lines with your own credentials in it. | ||
| - | |||
| - | <code powershell> | ||
| - | $username = " | ||
| - | $password = " | ||
| - | $pfx_password = " | ||
| - | $certThumb = " | ||
| - | $CN = "CN OF THE CLIENT CERT" | ||
| - | |||
| - | $secure_password = ConvertTo-SecureString $password -AsPlainText -Force | ||
| - | $pfx_secure_password = ConvertTo-SecureString $pfx_password -AsPlainText -Force | ||
| - | |||
| - | Import-PfxCertificate -FilePath winrmclientcert.pfx -CertStoreLocation Cert: | ||
| - | Import-PfxCertificate -FilePath winrmclientcert.pfx -CertStoreLocation Cert: | ||
| - | |||
| - | $cred = New-Object System.Management.Automation.PSCredential " | ||
| - | |||
| - | # CREATE WINRM CERT MAPPING | ||
| - | New-Item -Path WSMan: | ||
| - | |||
| - | # Test client connection with client cert auth without skipping the CA | ||
| - | Test-WSMan -ComputerName $env: | ||
| - | |||
| - | # test client connection with client cert auth and skip the CA verification and CN check | ||
| - | $opt = New-PSSessionOption –SkipCACheck –SkipCNCheck –SkipRevocationCheck | ||
| - | Enter-PSSession -ComputerName $env: | ||
| - | |||
| - | |||
| - | # Remove Client mapping (in case you want to remove it) | ||
| - | # THIS WILL REMOVE ALL CLIENT CERTITIFACTES IN WSMAN | ||
| - | Remove-Item -Path WSMan: | ||
| - | </ | ||
juju-manual.txt · Last modified: 2016/12/08 21:52 (external edit)
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
