Setup OpenVPN

OpenVPN was surprisingly easy to set up in my lab environment. My setup consisted of a CentOS 7 server running the latest version of OpenVPN server and a Windows 7 client running the latest OpenVPN client. I also have a Netgear router on which I configured a static route.

Before we begin you will need the following:
1. A computer to run OpenVPN (I used CentOS 7)
2. A certificate for the OpenVPN server
3. A certificate for the OpenVPN client
4. A home router which can be configured with static routes
5. A way to generate certificates for your VPN server and clients

Download the OpenVPN source code and build it into an RPM:

wget https://swupdate.openvpn.org/community/releases/openvpn-2.3.8.tar.gz
rpmbuild -tb /root/openvpn-2.3.8.tar.gz
rpm -ivh /root/rpmbuild/RPMS/x86_64/openvpn-2.3.8-1.x86_64.rpm


OpenVPN Server Configuration

Copy the sample server.conf file to /etc/openvpn/server.conf.
Here are the settings I changed from the default server.conf file to get my OpenVPN server working.

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194

# TCP or UDP server?
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.

dev tun

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca lab-ca.pem
cert vpnserver.pem
key vpnserver-key-nopass.pem # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh dh1024.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 172.16.1.0 255.255.255.0"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
push "dhcp-option DNS 172.16.1.21"

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
cipher AES-128-CBC # AES

OpenVPN Client Configuration
Download the OpenVPN client from here.
On Windows the OpenVPN client configuration is saved at:
C:\Program Files\OpenVPN\config\client.ovpn

Here is a list of OpenVPN client settings I configured to get my OpenVPN client connected.

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
# put my public IP here
remote 71.XX.XX.XXX 1194

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca lab-ca.pem
cert usercert.pem
key key-pass.pem

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-128-CBC
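The server and client configs above must agree on several directives (proto, dev, cipher, and the port). The following Python script is an added example, not part of the original post: it parses the OpenVPN config syntax (including ';' disabled lines, trailing '#' comments and quoted push arguments) and reports any mismatch, plus a heuristic warning when the dh file name suggests a 1024-bit group. The embedded config snippets are constructed from the post's values and are not complete files.

```python
# Added example (not from the original post): parse the OpenVPN server and
# client configs above and check the directives the post says must agree.
import shlex

def parse_ovpn(text):
    """Return [(directive, [args])], ignoring '#' and ';' comment text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing '# ...' comments
        if not line or line.startswith(";"):  # ';dev tap' style disabled lines
            continue
        parts = shlex.split(line)             # keeps push "route ..." as one arg
        entries.append((parts[0], parts[1:]))
    return entries

def first(entries, name):
    """Arguments of the first occurrence of a directive, or None."""
    return next((args for d, args in entries if d == name), None)

def check_pair(server_text, client_text):
    """Findings for a server/client pair; an empty list means they agree."""
    srv, cli = parse_ovpn(server_text), parse_ovpn(client_text)
    findings = []
    for name in ("proto", "dev", "cipher"):   # must be identical on both ends
        s, c = first(srv, name), first(cli, name)
        if s != c:
            findings.append(f"{name}: server={s} client={c}")
    port = (first(srv, "port") or ["1194"])[0]   # OpenVPN default port
    remote = first(cli, "remote") or []
    if len(remote) > 1 and remote[1] != port:
        findings.append(f"port: server listens on {port}, client remote uses {remote[1]}")
    dh = first(srv, "dh")
    if dh and "1024" in dh[0]:   # heuristic on the file name only
        findings.append(f"dh: {dh[0]} suggests a 1024-bit group; generate 2048-bit params")
    return findings

# Constructed inputs using the post's values (not complete config files).
SERVER = """\
port 1194
proto udp
dev tun
dh dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 172.16.1.0 255.255.255.0"
cipher AES-128-CBC # AES
"""
CLIENT = """\
client
;dev tap
dev tun
proto udp
remote 71.XX.XX.XXX 1194
cipher AES-128-CBC
"""
```

Run check_pair(SERVER, CLIENT) against your real files (read with open()) to confirm the two sides match before debugging the tunnel itself.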

Generate Certificates:
I generated my certificates using a Microsoft 2012 Certificate Authority: one certificate for the VPN server and another for the VPN client. I exported them from the Microsoft CA in PFX format and used this Guide to convert them to PEM format.

My OpenVPN server certificate properties:
CN=vpn.lab.net
Subject Alternative Name=vpn
Subject Alternative Name=test02.lab.net
Subject Alternative Name=test02

My OpenVPN user certificate properties:
CN=user OU=WAU OU=US DC=lab DC=net

On the OpenVPN server copy the PEM files to /etc/openvpn/
On the OpenVPN Windows client copy the PEM files to C:\Program Files\OpenVPN\config\

Router Configuration
Configure your home router with a static route to the OpenVPN server on your home network:
VPN client subnet: 10.8.0.0/255.255.255.0
OpenVPN Server: 172.16.1.36

Start the OpenVPN service on the OpenVPN server

systemctl start openvpn

Test Client Connection
On Windows 7 I noticed it was required to run OpenVPN as administrator.

If you were successfully connected you should see “client is now connected”.

Setup Rundeck with SSL

In this blog post I will describe the steps needed to configure Rundeck to use SSL. I go through the steps of requesting a certificate from a Microsoft CA and then exporting it to a Linux Rundeck server. I then go through the steps of importing the certificates into a Java keystore, and finally the configuration steps needed to get Rundeck working with SSL.

STEP 1. Request a certificate
Open mmc.exe > Add/Remove Snap-in > Certificates > Local Computer

STEP 2. Click Next

STEP 3. Configure the CN (common name) and Subject Alternative names.

STEP 4. Mark private key as exportable

STEP 5. Select Enroll

STEP 6. Export the certificate

STEP 7. Export private key

STEP 8. Export the certificate and private key in PKCS #12 format

STEP 9. Set private key password

STEP 10. Export the Certificate Authority's certificate.
This certificate will be placed in the trusted CA Java keystore. Do not export the private key for the CA; export the CA certificate in DER format.

STEP 10. SFTP the certificates to your Linux Rundeck server
I placed the rundeck.pfx file in /etc/rundeck/ssl
Also place the ca.cer file in /etc/rundeck/ssl

STEP 11. Create a keystore for the rundeck.pfx certificate
Create a Java keystore to hold the new rundeck certificate

keytool -keystore /etc/rundeck/ssl/keystore -alias rundeck -genkey -keyalg RSA -keypass password -storepass password

STEP 12. Retrieve the alias from the PKCS #12 file
Save the alias id; you will need it for the next step.

keytool -v -list -storetype pkcs12 -keystore /etc/rundeck/ssl/rundeck.pfx


STEP 13. Import the Certificate and Private Key into the Java keystore
Use the alias id from the previous command as the source alias and destination alias.

keytool -importkeystore -deststorepass password -destkeypass password -destkeystore /etc/rundeck/ssl/keystore -srckeystore /etc/rundeck/ssl/rundeck.pfx -srcstoretype PKCS12 -srcstorepass password -srcalias le-webserver-e8683358-23d9-4477-a6c8-21cc2c400c10 -alias le-webserver-e8683358-23d9-4477-a6c8-21cc2c400c10

STEP 14. Create a keystore for the ca.cer certificate authority

keytool -keystore /etc/rundeck/ssl/ca -alias rundeck -genkey -keyalg RSA -keypass password -storepass password

STEP 15. Add the CA cert to the CA keystore

keytool -import -alias ca -file /etc/rundeck/ssl/lab-ca-der.cer -keystore /etc/rundeck/ssl/ca -storepass password
Trust this certificate? [no]:  yes
Certificate was added to keystore

STEP 16. Review of previous steps
At this point we should have:
a. Requested and received a certificate from the Microsoft CA
b. Exported the CA’s certificate
c. Created a Java keystore for our Rundeck certificate
d. Created a Java keystore for our CA certificate

STEP 17. Configure Rundeck /etc/rundeck/etc/ssl.properties
Configure the path to the certificate keystore and CA keystore you created earlier

keystore=/etc/rundeck/ssl/keystore
keystore.password=password
key.password=password
truststore=/etc/rundeck/ssl/ca
truststore.password=password

STEP 18. Configure /etc/rundeck/profile
Add the following options to the Rundeck JVM:

export RDECK_JVM="
        -Drundeck.ssl.config=/etc/rundeck/ssl/ssl.properties \
        -Dserver.https.port=${RDECK_HTTPS_PORT}"

STEP 19. Configure /etc/rundeck/rundeck-config.properties
Update the property below to use https and port 4443:

grails.serverURL=https://rundeck.lab.net:4443

STEP 20. Configure /etc/rundeck/framework.properties
Set the port to 4443 and update the URL to https:

framework.server.port = 4443
framework.server.url = https://rundeck.lab.net:4443

At this point you should be able to hit https://rundeck:4443 and make a secure connection.
For troubleshooting look at the /var/log/rundeck/service.log.

Talend Open Studio and Kerberos authentication integration

Recently I was working to integrate Talend Open Studio into our Windows domain environment via Kerberos authentication. Rather than use the built-in tMSSQLConnection component, which uses the jTDS driver behind the scenes, I decided to use the native Microsoft SQL Server JDBC driver. The Microsoft JDBC driver supports more features than the tMSSqlConnection_1 connector. For example, SQL Server Always On is supported with the parameter multiSubnetFailover=true, and routing to the read-only replica of a database with applicationIntent=ReadOnly.

Connection string for Active Directory Kerberos authentication:

jdbc:sqlserver://mysqlserver01.LAB.NET;database=DBA;integratedSecurity=true;authenticationScheme=JavaKerberos


However, one of the requirements of Kerberos authentication is that you acquire a ticket from the key distribution center (KDC). If you have not acquired a ticket from the KDC you will receive an error from Talend Open Studio like the one below.

Starting job cdc_test at 13:54 12/08/2015.

[statistics] connecting to socket on port 4019
[statistics] connected
Exception in component tJDBCConnection_1
com.microsoft.sqlserver.jdbc.SQLServerException: Integrated authentication failed. ClientConnectionId:219f9461-59d8-41fa-8af6-483f4e2a86bd
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:1668)
	at com.microsoft.sqlserver.jdbc.KerbAuthentication.intAuthInit(KerbAuthentication.java:140)
	at com.microsoft.sqlserver.jdbc.KerbAuthentication.GenerateClientContext(KerbAuthentication.java:268)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.sendLogon(SQLServerConnection.java:2709)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.logon(SQLServerConnection.java:2243)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.access$000(SQLServerConnection.java:42)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection$LogonCommand.doExecute(SQLServerConnection.java:2229)
	at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:5696)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:1716)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:1327)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:992)
	at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:828)
	at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:1012)
	at java.sql.DriverManager.getConnection(DriverManager.java:571)
	at java.sql.DriverManager.getConnection(DriverManager.java:215)
	at myfirsttalendjob.cdc_test_0_1.cdc_test.tJDBCConnection_1Process(cdc_test.java:552)
	at myfirsttalendjob.cdc_test_0_1.cdc_test$4.run(cdc_test.java:3492)
Caused by: javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication 
	at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:800)
	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:671)
	at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584)
	at sun.reflect.GeneratedMethodAccessor2.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
	at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
	at com.microsoft.sqlserver.jdbc.KerbAuthentication.intAuthInit(KerbAuthentication.java:133)
	... 15 more
[statistics] disconnected
Job cdc_test ended at 13:54 12/08/2015. [exit code=1]

To work around this issue I created a Windows batch file. When I start Talend using the batch file, kinit prompts me for my Windows password. I enter my Windows Active Directory password and a ticket is obtained from the KDC.

"c:\program files\java\jre7\bin\kinit.exe" tatroc@LAB.NET
"C:\Talend_Ent\Talend-Studio-20141207_1530-V5.6.1\Talend-Studio-win-x86_64.exe" -vm "C:\Program Files\Java\jdk1.7.0_75\bin"

The connection to SQL Server using Kerberos is now successful.

pfx to pem certificate conversion with openssl

I work in a mixed Linux and Windows environment, and our Certificate Authority is Windows. Unfortunately the Windows CA does not support exporting a certificate in PEM (Privacy Enhanced Mail) format. Fortunately there is a relatively easy workaround, which requires the OpenSSL utilities. Most Linux applications I have supported require the certificate to be in PEM format to be readable.

In this example I export the certificate together with the private key from the Windows CA, then use the openssl utility to extract the private key (.pem file) from the .pfx (Personal Information Exchange) file.

PFX: A file format commonly used to store a private key together with its public key certificate, protected with a password-based symmetric key (standard PKCS #12).

PEM: OpenSSL uses the PEM (Privacy Enhanced Mail) format to store the private key.

If you have the openssl utility installed, open a command prompt and run the following commands. If not, download it from the OpenSSL project; you can either download a binary or download the source and compile it.

Run the following commands in order.

STEP 1. Extract the private key from the PFX file.

openssl pkcs12 -in publicAndprivate.pfx -nocerts -out privateKey.pem

STEP 2. Extract the certificate in PEM format from the PFX file.

openssl pkcs12 -in publicAndprivate.pfx -clcerts -nokeys -out publicCert.pem

STEP 3. Remove the password from the private key file. Some applications require an unencrypted private key or they will fail to start.

openssl rsa -in privateKey.pem -out privateNoPassword.pem

In addition, the certificate files, and especially the unencrypted private key, should be secured so that only root has access to them.
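As an added check (not part of the original post), the following Python inspects the PEM files the openssl steps above produce: it reports whether a private key block is still passphrase-protected (the output of step 1 is, the output of step 3 is not) and whether the file mode leaves the key readable by anyone but its owner. The PEM bodies are constructed placeholders, not real key material.

```python
# Added example (not from the original post): inspect the PEM files the
# openssl steps above produce, checking passphrase status and file mode.
import os
import re
import stat

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\n(?P<body>.*?)-----END (?P=label)-----", re.S)

def pem_blocks(text):
    """Return [(label, encrypted)] for each PEM block in text.

    'openssl pkcs12 -nocerts' writes a PKCS#8 'ENCRYPTED PRIVATE KEY' block;
    legacy encrypted keys instead carry a 'Proc-Type: 4,ENCRYPTED' header.
    """
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group("label"), m.group("body")
        encrypted = label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body
        blocks.append((label, encrypted))
    return blocks

def key_findings(text, mode):
    """Findings for a key file's PEM text and permission bits (e.g. 0o600)."""
    findings = []
    blocks = pem_blocks(text)
    if not any("PRIVATE KEY" in label for label, _ in blocks):
        findings.append("no private key block found")
    if mode & 0o077:   # anything readable by group/other is too permissive
        findings.append(f"mode {mode:04o} lets group/other read the key; use chmod 600")
    for label, encrypted in blocks:
        if "PRIVATE KEY" in label and not encrypted:
            findings.append(f"{label} is stored without a passphrase")
    return findings

def key_file_findings(path):
    """Apply key_findings to a file on disk, e.g. privateNoPassword.pem."""
    with open(path) as f:
        text = f.read()
    return key_findings(text, stat.S_IMODE(os.stat(path).st_mode))

# Constructed samples: the base64 bodies are placeholders, not real key material.
ENCRYPTED_KEY = """-----BEGIN ENCRYPTED PRIVATE KEY-----
Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGtleQ==
-----END ENCRYPTED PRIVATE KEY-----
"""
PLAIN_KEY = """-----BEGIN RSA PRIVATE KEY-----
Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGtleQ==
-----END RSA PRIVATE KEY-----
"""
CERT = """-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGNlcnQ=
-----END CERTIFICATE-----
"""
```

A passphrase-less key is expected after step 3; the finding is there so the file mode warning and the passphrase status are reviewed together before the key is copied into /etc/openvpn/ or /etc/rundeck/ssl/.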

Enable auditing for Windows Firewall

Recently, when troubleshooting a new IIS application deployment, I realized how helpful the Windows Firewall auditing feature is. The IIS application was having difficulty connecting to SQL Server. I had allowed outbound connections to the SQL Server from IIS. However, after enabling Windows auditing on packet filtering, I discovered that connections back to the IIS server on port 1434 were being blocked.


Example of a failure audit (screenshot not reproduced here)