When I began configuring a RHEL Server for utilization by my Jamf Pro Environment as an HTTPS DP I realized that no guides existed. This is for Internal / Locally hosted Servers. A lot of modification can & should be done to this to make the setup more secure but this is the base setup that will get you up & going, allowing for modifications later.
Note that to perform the actions in the explicit order stated in this guide you must have a base RHEL 7.x Server spun up, running with nothing extra installed/configured, its sole purpose being a distribution point, with an IP Address assigned & DNS associated. Also, when I originally took these notes I was using Red Hat Enterprise Linux 7 & Jamf Pro 10.16.1. Both RHEL & Jamf have newer versions available by the time I posted this.
Samba needs to be configured for utilization by Jamf & Jamf Admin as the Server Replication Process within Jamf Admin uses Samba to mount & distribute/replicate amongst the various internal DPs.
1. Install Samba
Link: Read about RHEL 7 & Samba Here
samba* includes dependencies, -y accepts all the packages
sudo yum -y install samba*
2. Create Server Users (Read & Write Accounts)
*Note: For your environment, replace "ReadUser" & "WriteUser" with your preferred user account names.
sudo useradd -N -s /bin/false -d /home/ReadUser ReadUser
sudo useradd -N -s /bin/false -d /home/WriteUser WriteUser
3. Grant Users Access to Samba Configuration & Create Passwords
sudo smbpasswd -a ReadUser
sudo smbpasswd -a WriteUser
4. Configure the File Share Directory
*Note: For your environment, replace "FileShare" with your preferred directory name
*Note: Remember the /srv/samba/FileShare path for use in Step #24
sudo mkdir -p /srv/samba/FileShare
sudo chown WriteUser /srv/samba/FileShare/
sudo chmod 755 /srv/samba/FileShare/
5. Modify Samba Configuration File
sudo nano /etc/samba/smb.conf
Copy & Paste the information below to the bottom of the smb.conf file
[FileShare]
comment = FileShare
path = /srv/samba/FileShare
browsable = yes
guest ok = no
read only = yes
create mask = 0755
read list = ReadUser
write list = WriteUser
valid users = WriteUser, ReadUser
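An added example, not part of the original guide: a small bash audit of the [FileShare] stanza above that flags the settings which would open the share up (guest access, no valid users restriction, read only switched off). The `Loose` stanza and the function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the guide): audit one share stanza of an smb.conf.
# share_param FILE SHARE KEY: print the last value of KEY inside [SHARE].
# Names are compared the way Samba does: case and whitespace are ignored.
share_param() {
  awk -v want="$2" -v key="$3" '
    function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
    /^[ \t]*[#;]/ { next }                       # comment lines
    /^[ \t]*\[/ {                                # section header
      s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
      insec = (norm(s) == norm(want)); next
    }
    insec && (eq = index($0, "=")) {             # key = value inside the share
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (norm(k) == norm(key)) val = v
    }
    END { print val }' "$1"
}

# audit_share FILE SHARE: print one finding per line, return 1 if any.
# Synonyms (public, writable, writeable, write ok) are not resolved here.
audit_share() {
  local f=$1 s=$2 rc=0 v
  v=$(share_param "$f" "$s" "guest ok" | tr 'A-Z' 'a-z')
  case $v in yes|true|1) echo "guest ok = $v: no password needed"; rc=1 ;; esac
  v=$(share_param "$f" "$s" "valid users")
  [ -n "$v" ] || { echo "valid users unset: any Samba account may connect"; rc=1; }
  v=$(share_param "$f" "$s" "read only" | tr 'A-Z' 'a-z')
  case $v in no|false|0) echo "read only = $v: write list no longer limits writers"; rc=1 ;; esac
  return $rc
}

# Constructed sample: the guide's stanza plus a deliberately loose one.
sample_conf() {
  cat <<'EOF'
[FileShare]
guest ok = no
read only = yes
write list = WriteUser
valid users = WriteUser, ReadUser
[Loose]
Guest OK = Yes
read only = no
EOF
}

conf=$(mktemp) && sample_conf > "$conf"
audit_share "$conf" FileShare && echo "FileShare: no findings"
audit_share "$conf" Loose || echo "Loose: findings above"
```

On the server, running the audit over the output of `testparm -s` instead of the raw file lets Samba resolve includes and synonyms first.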
6. Allow Samba Server through the Firewall
Link: Read about RHEL 7 & Security Regarding Firewall Here
sudo firewall-cmd --add-service=samba --permanent
sudo firewall-cmd --reload
Confirm Samba is available & Port is Open
sudo firewall-cmd --list-services | grep samba
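Alternatively, Disable the Firewall
*Note: Disabling firewalld removes host-level filtering for every port on the server, not only Samba's.
sudo systemctl stop firewalld
sudo systemctl disable firewalld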
7. Disable SELinux
Link: Read about RHEL 7 & Security Regarding SELinux Here
sudo nano /etc/selinux/config
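Modify the SELINUX parameter from "SELINUX=enforcing" to "SELINUX=disabled". Below is what your SELinux config file should look like. Note that this setting turns SELinux off for the whole server, not only for Samba, & takes effect at the next reboot.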
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are pr$
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
8. Start Samba Service, Enable Samba Service on Startup & Confirm Listening
sudo systemctl start smb
sudo systemctl enable smb
Confirm Samba is Active & Listening
sudo yum -y install net-tools
sudo netstat -tulpn | egrep "smbd"
Confirm Samba Share is Accessible Locally
*Note: For your environment, replace "00.00.00.00" with your server's IP address.
sudo smbclient -L 00.00.00.00 -U WriteUser
Confirm Samba Share is Accessible via Internal Network Macintosh Terminal
sudo smbutil view smb://WriteUser@00.00.00.00
9. Add Samba Share to Jamf Pro Server
In your Jamf Pro Dashboard, navigate to the following path: Computers -> Management Settings -> Server Infrastructure -> File Share Distribution Points -> + New
File Sharing Tab
10. Mount File Share in Jamf Admin, Replicate
Launch Jamf Admin (I'm assuming this is a secondary, tertiary, etc. File Share). At the bottom of the left window pane, select your Master DP & the newly added FileShare DP. Then, select Replicate.
If it successfully mounts & gets past the mounting portion as seen in the image below, it's a success. Now, depending on the size of your Master DP, sit back, relax & give it a few hours.
If the replication fails, you will know right away. At the bottom of this page you will find a troubleshooting section.
After a successful replication in Jamf Admin, you can always doubly verify by mounting the server on your Mac via Finder & triply by creating a policy in Jamf & deploying a package that's marked to explicitly use the new FileShare. I'm not going to get into the details of those steps, I've provided links if you are unfamiliar. This way, after configuring the HTTPS portion, if an error occurs, you can be positive that it isn't the Samba portion of the setup that's at fault, which makes troubleshooting less tedious.
11. Install Apache
Link: Read about RHEL 7 & Apache Here
sudo yum -y install httpd
12. Install mod_ssl & OpenSSL toolkit
Link: Read about RHEL 7 & OpenSSL Here & mod_ssl Here
sudo yum -y install mod_ssl
13. Navigate to Certificates Directory
Steps 14, 15 & 16 will be performed while located in the certs directory.
14. Create Request Configuration File
sudo nano req.conf
Copy & Paste the information below to your req.conf file & modify the placeholder values (DomainHere, EmailHere, etc.) accordingly
[ req ]
default_bits = 4096
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[ dn ]
CN = DomainHere
emailAddress = EmailHere
O = OrganizationHere
OU = DepartmentHere
L = LocationHere
ST = State/ProvinceHere
C = CountryHere

[ req_ext ]
subjectAltName = DNS: www.DomainHere, DNS: DomainHere
15. Generate Certificate Signing Request
*Note: The Pass phrase you use for the apachekey.pem is very important, save it somewhere safe & accessible.
sudo openssl req -new -config req.conf -keyout apachekey.pem -out apachekey.csr
16. View apachekey.csr, Copy Contents to Clip Board
Example apachekey.csr file.
Copy the contents in its entirety including the "Begin" & "End" portions.
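An added example, not part of the original guide: before pasting the CSR into Jamf Pro, confirm that it carries the key size and subjectAltName entries that req.conf asked for, and see whether the key file is passphrase-protected (a req.conf with encrypt_key = no writes the key unencrypted). The example.test names, the 2048-bit sample key and the function names are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the guide): inspect a CSR before it is signed.
# Constructed sample: example.test names and a 2048-bit key (the guide uses 4096).
make_sample_csr() {   # $1 = working directory
  cat > "$1/req.conf" <<'EOF'
[ req ]
default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[ dn ]
CN = dp.example.test
[ req_ext ]
subjectAltName = DNS:www.dp.example.test, DNS:dp.example.test
EOF
  openssl req -new -config "$1/req.conf" \
    -keyout "$1/apachekey.pem" -out "$1/apachekey.csr" 2>/dev/null
}

# Human-readable dump of the CSR in file $1.
csr_text() { openssl req -in "$1" -noout -text; }

# Print the public key size in bits.
csr_key_bits() { csr_text "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'; }

# Succeed only if the CSR requests a subjectAltName entry for DNS name $2.
csr_has_san() {
  csr_text "$1" | grep -A1 'Subject Alternative Name' |
    tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$2"
}

# Succeed if the private key in file $1 is stored passphrase-protected.
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

d=$(mktemp -d) && make_sample_csr "$d" && {
  echo "key bits: $(csr_key_bits "$d/apachekey.csr")"
  csr_has_san "$d/apachekey.csr" dp.example.test && echo "SAN present"
  key_is_encrypted "$d/apachekey.pem" || echo "key is stored unencrypted"
}
```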
17. Sign apachekey.csr with Jamf's Built-in Certificate Authority
In your Jamf Pro Dashboard, navigate to the following path: Computers -> Management Settings -> Global Management -> PKI Certificates -> Management Certificate Template
Select "Create Certificate from CSR", paste your apachekey.csr's contents into the window, for "Certificate Type" select "Web Server Certificate" & select "Create". Depicted below is along the lines of what your end result should be before selecting create.
After you've selected "Create", Your Jamf Pro Server will output a .pem file & prompt you to save it. Locate the newly generated .pem file & rename it "apachecert.pem".
18. Relocate apachecert.pem from Mac to RHEL Server
A quick & easy way to get the apachecert.pem file from your Mac to your FileShare is to mount your FileShare via Finder, drag & drop the file in the FileShare.
19. Relocate apachecert.pem on RHEL FileShare Server
sudo mv /var/www/html/FileShare/apachecert.pem /etc/pki/tls/certs/apachecert.pem
20. Create HTTP Directory, Relocate Cert & Key
The /etc/pki/tls/http/ directory is where the ssl.conf points to, no need to worry about not being titled "https"
sudo mkdir /etc/pki/tls/http/
sudo cp /etc/pki/tls/certs/apachecert.pem /etc/pki/tls/http/apachecert.pem