
juju-manual

Differences

This shows you the differences between two versions of the page.

juju-manual [2016/12/08 19:15]
sgiulitti
juju-manual [2016/12/08 21:52] (current)
Line 70: Line 70:
  
 First ,we need check if the windows machine has enabled all WinRM listeners. It's important because, in the provisioning process, the juju client directly communicate, using this protocol in order to fully provision the machine. First ,we need check if the windows machine has enabled all WinRM listeners. It's important because, in the provisioning process, the juju client directly communicate, using this protocol in order to fully provision the machine.
- 
-===== This is how would look if both listeners are enabled  ===== 
- 
-{{:winrm_display_listeners.png?nolink|}} 
  
 If not you will need to do the steps above. If not you will need to do the steps above.
Line 84: Line 80:
 winrm quickconfig winrm quickconfig
 # this will let us use the http listener with password auth # this will let us use the http listener with password auth
-winrm set winrm/config/service '@{AllowUnencrypted="true"}' +winrm set winrm/config/service '@{AllowUnencrypted="true"}' 
 + 
 +# make sure this settings are set like this. 
 +winrm set winrm/config/client '@{TrustedHosts="*"}' 
 +winrm set winrm/config/client/auth '@{Basic="true"}' 
 +winrm set winrm/config/client/auth '@{Certificate="true"}' 
 +winrm set winrm/config/service/auth '@{Basic="true"}' 
 +winrm set winrm/config/service/auth '@{Certificate="true"}' 
 +winrm set winrm/config/service '@{AllowRemoteAccess="true"}'
  
 </code> </code>
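Review bot: The settings added under "make sure this settings are set like this" leave WinRM in its weakest configuration without telling the reader. With `AllowUnencrypted="true"` and `Basic="true"` the account password crosses the network base64-encoded over HTTP, and `TrustedHosts="*"` lets this machine's WinRM client send credentials to any host without authenticating it. The comment should mark this as a provisioning-time setup, for example `# provisioning only: Basic over HTTP exposes the password; limit TrustedHosts to the hosts you need and disable AllowUnencrypted/Basic once the HTTPS listener works`. If juju only talks to the service side, the `winrm/config/client` lines may not be needed on the target at all; that is worth confirming.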
Line 111: Line 115:
 C:\OpenSSL-Win64\bin\openssl.exe pkcs12 -export -out winrmcacert.pfx -inkey winrmcacert.key -in winrmcacert.cer -name "maas-win2k12r2" -passout pass: C:\OpenSSL-Win64\bin\openssl.exe pkcs12 -export -out winrmcacert.pfx -inkey winrmcacert.key -in winrmcacert.cer -name "maas-win2k12r2" -passout pass:
 Import-PfxCertificate -FilePath .\winrmcacert.pfx -CertStoreLocation Cert:\LocalMachine\My Import-PfxCertificate -FilePath .\winrmcacert.pfx -CertStoreLocation Cert:\LocalMachine\My
 +############################################################################################
 +# THIS IS ONLY IF YOU WANT TO TEST THE CA VERIFICATION ON THE HOST WITH Enter-PSSession cmd
 Import-PfxCertificate -FilePath .\winrmcacert.pfx -CertStoreLocation Cert:\LocalMachine\Root Import-PfxCertificate -FilePath .\winrmcacert.pfx -CertStoreLocation Cert:\LocalMachine\Root
 +############################################################################################
 +winrm set winrm/config/service/auth '@{Certificate="true"}'
 +winrm set winrm/config/client/auth '@{Certificate="true"}'
 winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="maas-win2k12r2";CertificateThumbprint="THUMBPRINT"}' winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="maas-win2k12r2";CertificateThumbprint="THUMBPRINT"}'
 netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" dir=in action=allow protocol=TCP localport=5986 netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" dir=in action=allow protocol=TCP localport=5986
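Review bot: The new banner marks the `Cert:\LocalMachine\Root` import as test-only, but it does not tell the reader to undo it afterwards, and the line it wraps imports the PFX, private key included, into the trusted root store. For a trust test the public certificate should be enough, e.g. `Import-Certificate -FilePath .\winrmcacert.cer -CertStoreLocation Cert:\LocalMachine\Root`, and the banner could add `# remove this certificate from Root again after the test`. The two added `Certificate="true"` lines repeat settings that the same revision already adds to the HTTP block further up.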
Line 158: Line 167:
 </code> </code>
  
 +
 +======= Manually adding the Client certs on the target windows machine ======
 +
 +Pop up a powershell windows and type these lines with your own credentials in it.
 +
 +<code powershell>
 +$username = "Administrator"
 +$password = "Pa$$sword"
 +$pfx_password = "SomePfxPassword"
 +$certThumb = "PASTE-HERE-CLIENT-CERT-THUMBPRINT"
 +$CN = "CN OF THE CLIENT CERT"
 +
 +$secure_password = ConvertTo-SecureString $password -AsPlainText -Force
 +$pfx_secure_password = ConvertTo-SecureString $pfx_password -AsPlainText -Force
 +
 +Import-PfxCertificate -FilePath winrmclientcert.pfx -CertStoreLocation Cert:\LocalMachine\My -Passsword $pfx_secure_password
 +Import-PfxCertificate -FilePath winrmclientcert.pfx -CertStoreLocation Cert:\LocalMachine\Root -Passsword $pfx_secure_password
 +
 +$cred = New-Object System.Management.Automation.PSCredential "$ENV:COMPUTERNAME\$username", $secure_password
 +
 +# CREATE WINRM CERT MAPPING
 +New-Item -Path WSMan:\localhost\ClientCertificate -Issuer $certThumb -Subject $CN -Uri * -Credential $cred -Force
 +
 +# Test client connection with client cert auth without skipping the CA
 +Test-WSMan -ComputerName $env:COMPUTERNAME -Authentication ClientCertificate -CertificateThumbprint $certThumb
 +
 +# test client connection with client cert auth and skip the CA verification and CN check
 +$opt = New-PSSessionOption –SkipCACheck –SkipCNCheck –SkipRevocationCheck
 +Enter-PSSession -ComputerName $env:COMPUTERNAME -CertificateThumbprint $thumbprint -Authentication Default -SessionOption $opt
 +
 +
 +# Remove Client mapping (in case you want to remove it)
 +# THIS WILL REMOVE ALL CLIENT CERTITIFACTES IN WSMAN
 +Remove-Item -Path WSMan:\localhost\ClientCertificate\ClientCertificate_* -Recurse -force | Out-null
 +</code>
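Review bot: Three lines in the new PowerShell block will not work as written. `-Passsword` on both `Import-PfxCertificate` calls should be `-Password $pfx_secure_password`; the `Enter-PSSession` test passes `$thumbprint`, which is never assigned, where `-CertificateThumbprint $certThumb` is meant; and `"Pa$$sword"` is a double-quoted string, so PowerShell is likely to expand `$$` as an automatic variable, which single quotes avoid: `$password = 'Pa$$sword'`. The block also keeps the account and PFX passwords as plain text and imports the client PFX, private key included, into the target's Root store. A safer default would be to prompt with `Read-Host -AsSecureString` and to import only the public certificate on the target, though whether the mapping works with the public part alone should be verified.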
juju-manual.1481217352.txt.gz · Last modified: 2016/12/08 19:15 by sgiulitti