Open Source Mobile Device Management?

(Markus Neuberger) #61

I’d replace apt-get with yum and give it a try.

(fpausp) #62

Yes, it worked. The more interesting part is the path and the content of flyvemdm.conf?
Looks like this installation will never end… :joy:

(Markus Neuberger) #63

I’d try with the following changes:

auth_opt_host server.domain.tld
auth_opt_port 3312
auth_opt_user mosquitto
auth_opt_pass PASSWORD

(fpausp) #64

OK thank you. I am busy the next two days…

(fpausp) #65

OK, next step is: TLS Listener setup

TLS provides security to the communication, through authentication of server and client, besides data encryption.

Use TLS version 1.2, lower versions are no longer considered safe.

Mosquitto does not support SSLv2 or SSLv3 (and they are no longer safe).

- Copy in /etc/mosquitto/certs your certificate, your certificate authority chain and private key.

- Secure your private key

chmod 600 /etc/mosquitto/certs/private-key.key

chown mosquitto:root /etc/mosquitto/certs/private-key.key

- Refresh hash and symlinks to your certificates

c_rehash /etc/mosquitto/certs

Use a certificate signed by a certified authority, or you may have trouble with the Android devices. Using them with custom certification authorities might not work (not tested).

> After sending the certification request, the CA will very likely send back several files.
> One is the certificate, signed by the CA, and the others are intermediate certificates.
> In Mosquitto the certificate must be the concatenation of the certificate delivered + the intermediate certificates.
> The client operating system must contain more certificates to establish a trust chain to the root certificate.

Append the following to /etc/mosquitto/conf.d/flyvemdm.conf.

listener 8883
cafile /etc/mosquitto/certs/cachain.pem
certfile /etc/mosquitto/certs/cachain.pem
keyfile /etc/mosquitto/certs/private-key.key
tls_version tlsv1.2
ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-ECDSA-RC4-SHA:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK

- Restart Mosquitto

- Test you can successfully connect to Mosquitto

mosquitto_sub -h host_name_of_mosquitto -t "#" -p 8883 -i test-client --cafile /tmp/mycert.pem --capath /etc/ssl/certs/

- Check the ports that Mosquitto listens on. You should see only port 8883.

netstat -taupen | grep mosquitto

You can also use OpenSSL to test the configuration:

openssl s_client -connect fqdn.of.mosquitto:8883

This will launch openssl as a client using the TLS protocol and leave the terminal in a state similar to telnet.

Much debug information is displayed during TLS negotiation, useful to diagnose TLS problems.
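Before the "Restart Mosquitto" step it is worth checking that the three files referenced in flyvemdm.conf are consistent with each other, since a key/certificate mismatch or an unreadable key is the usual reason the 8883 listener silently fails to come up. The following preflight check is an added example for this thread, not code from the Flyve MDM docs or from NethServer; it assumes the /etc/mosquitto/certs paths used above and takes an optional second argument naming a CA file to verify against (otherwise it uses the system store /etc/ssl/certs, as the mosquitto_sub test does).

```shell
# Preflight for a Mosquitto TLS listener (added example, not from the thread).
# Usage: check_mosquitto_tls [CERTS_DIR] [TRUST_CA_FILE]
# Returns 0 when: the key is mode 600, the first certificate in cachain.pem
# matches private-key.key, and that certificate chains to a trusted root.
check_mosquitto_tls() {
  certs_dir="${1:-/etc/mosquitto/certs}"   # directory from the flyvemdm.conf snippet
  trust="$2"                               # assumed argument: CA file, else system store
  chain="$certs_dir/cachain.pem"
  key="$certs_dir/private-key.key"
  if [ ! -r "$chain" ] || [ ! -r "$key" ]; then
    echo "missing or unreadable: $chain or $key"; return 1
  fi
  # 1. The chmod 600 step above must have been done (GNU stat, BSD stat fallback).
  mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  if [ "$mode" != "600" ]; then
    echo "$key has mode $mode, expected 600"; return 1
  fi
  # 2. The leaf certificate (first PEM block of the chain) must belong to the key;
  #    comparing the public keys works for RSA and EC keys alike.
  leaf_pub=$(openssl x509 -in "$chain" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout) || return 1
  if [ "$leaf_pub" != "$key_pub" ]; then
    echo "certificate in $chain does not match $key"; return 1
  fi
  # 3. The leaf must reach a trusted root through the intermediates that the docs
  #    say are appended to cachain.pem, so the chain file is passed as -untrusted.
  leaf=$(mktemp)
  openssl x509 -in "$chain" -out "$leaf"
  if [ -n "$trust" ]; then
    result=$(openssl verify -CAfile "$trust" -untrusted "$chain" "$leaf" 2>&1)
  else
    result=$(openssl verify -CApath /etc/ssl/certs -untrusted "$chain" "$leaf" 2>&1)
  fi
  rm -f "$leaf"
  # Match on the ": OK" text rather than the exit code, which old OpenSSL
  # releases returned as 0 even on verification failure.
  case "$result" in
    *": OK"*) echo "ok: $chain and $key are consistent"; return 0 ;;
    *) echo "chain verification failed: $result"; return 1 ;;
  esac
}
```

Run it as root before restarting the broker; a non-zero exit tells you which of the three conditions failed.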

(fpausp) #66

Under /etc/pki are a lot of files:

[root@mdmsrv01 pki]# tree
├── CA
│   ├── certs
│   ├── crl
│   ├── newcerts
│   └── private
├── ca-trust
│   ├── ca-legacy.conf
│   ├── extracted
│   │   ├── java
│   │   │   ├── cacerts
│   │   │   └── README
│   │   ├── openssl
│   │   │   ├──
│   │   │   └── README
│   │   ├── pem
│   │   │   ├── email-ca-bundle.pem
│   │   │   ├── objsign-ca-bundle.pem
│   │   │   ├── README
│   │   │   └── tls-ca-bundle.pem
│   │   └── README
│   ├── README
│   └── source
│       ├── anchors
│       ├── blacklist
│       ├── ca-bundle.legacy.crt -> /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
│       └── README
├── java
│   └── cacerts -> /etc/pki/ca-trust/extracted/java/cacerts
├── nssdb
│   ├── cert8.db
│   ├── cert9.db
│   ├── key3.db
│   ├── key4.db
│   ├── pkcs11.txt
│   └── secmod.db
├── nss-legacy
│   └── nss-rhel7.config
├── rpm-gpg
│   ├── RPM-GPG-KEY-CentOS-7
│   ├── RPM-GPG-KEY-CentOS-Debug-7
│   ├── RPM-GPG-KEY-CentOS-SIG-SCLo
│   ├── RPM-GPG-KEY-CentOS-Testing-7
│   ├── RPM-GPG-KEY-EPEL-7
│   ├── RPM-GPG-KEY-NethForge-7
│   ├── RPM-GPG-KEY-NethServer-7
│   └── RPM-GPG-KEY-stephdl
├── rsyslog
└── tls
    ├── cert.pem -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
    ├── certs
    │   ├── ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
    │   ├── -> /etc/pki/ca-trust/extracted/openssl/
    │   ├── httpd-admin.crt
    │   ├── localhost.crt
    │   ├── make-dummy-cert
    │   ├── Makefile
    │   ├── NSRV.crt
    │   └── renew-dummy-cert
    ├── misc
    │   ├── CA
    │   ├── c_hash
    │   ├── c_info
    │   ├── c_issuer
    │   └── c_name
    ├── openssl.cnf
    └── private
        ├── httpd-admin.key
        ├── localhost.key
        └── NSRV.key

Which one should I choose/copy for:

cafile /etc/mosquitto/certs/cachain.pem
certfile /etc/mosquitto/certs/cachain.pem
keyfile /etc/mosquitto/certs/private-key.key

(Dan) #67

/etc/pki/tls/certs/localhost.crt. This is created by template from whatever system certificate is selected. Better yet, the result of config get pki ChainFile and config get pki CrtFile, respectively.

/etc/pki/tls/private/localhost.key, or better, config get pki KeyFile.