CONFIGURING A RED HAT ENTERPRISE LINUX 7.X SERVER AS A JAMF HTTPS DISTRIBUTION POINT

When I began configuring a RHEL Server for utilization by my Jamf Pro Environment as an HTTPS DP, I realized that no guides existed. This is for Internal / Locally hosted Servers. A lot of modification can & should be done to this to make the setup more secure, but this is the base setup that will get you up & going, allowing for modifications later.


Note that to perform the actions in the explicit order stated in this guide, you must have a base RHEL 7.x Server spun up & running with nothing extra installed/configured, its sole purpose being a distribution point, with an IP Address assigned & DNS associated. Also, when I originally took these notes I was using Red Hat Enterprise Linux 7 & Jamf Pro 10.16.1. Both RHEL & Jamf had newer versions available by the time I posted this.


Samba Configuration

Samba needs to be configured for utilization by Jamf & Jamf Admin as the Server Replication Process within Jamf Admin uses Samba to mount & distribute/replicate amongst the various internal DPs.


1. Install Samba

Link: Read about RHEL 7 & Samba Here

The samba* glob installs every package whose name begins with "samba" (along with their dependencies); -y answers yes to the install prompts.

sudo yum -y install samba*


2. Create Server Users (Read & Write Accounts)

*Note: For your environment, replace "ReadUser" & "WriteUser" with your preferred user account names.

# -s /bin/false gives the accounts no login shell; -N skips creating a per-user group
sudo useradd -d /home/ReadUser ReadUser -s /bin/false -N
sudo useradd -d /home/WriteUser WriteUser -s /bin/false -N


3. Grant Users Access to Samba Configuration & Create Passwords

sudo smbpasswd -a ReadUser
sudo smbpasswd -a WriteUser


4. Configure the File Share Directory

*Note: For your environment, replace "FileShare" with your preferred directory name

*Note: Remember the /srv/samba/FileShare path for use in Step #24

sudo mkdir -p /srv/samba/FileShare
sudo chown WriteUser /srv/samba/FileShare/
sudo chmod 755 /srv/samba/FileShare/


5. Modify Samba Configuration File

sudo nano /etc/samba/smb.conf

Copy & Paste the information below to the bottom of the smb.conf file

[FileShare]
comment = FileShare
path = /srv/samba/FileShare
browsable = yes
guest ok = no
read only = yes
create mask = 0755
read list = ReadUser
write list = WriteUser
valid users = WriteUser, ReadUser
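
The stanza above relies on three Samba rules: a non-empty "valid users" list shuts out everyone else, "write list" overrides "read only = yes" for the users it names, and "read list" pins a user to read-only. The script below is an added example (not part of the original guide) that models those rules for one share so a stanza can be checked per user before restarting smbd; the function name share_access and the sample file are assumptions, and @group entries, "invalid users" and guest access are not modelled.

```shell
# Added example: simplified model of how smbd resolves access to one share.
# share_access CONF SHARE USER  -> prints rw, ro or denied
share_access() {
  awk -v share="$2" -v user="$3" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function listed(list, u,   n, i, a) {
      n = split(list, a, /[ \t,]+/)
      for (i = 1; i <= n; i++) if (tolower(a[i]) == tolower(u)) return 1
      return 0
    }
    /^[ \t]*[#;]/ { next }                      # comment lines
    /^[ \t]*\[/ {                               # [section] header
      s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
      insec = (tolower(trim(s)) == tolower(share)); if (insec) found = 1
      next
    }
    insec && index($0, "=") {                   # key = value inside the share
      k = tolower(trim(substr($0, 1, index($0, "=") - 1)))
      opt[k] = trim(substr($0, index($0, "=") + 1))
    }
    END {
      if (!found) { print "denied"; exit }
      ro = 1                                    # Samba default: read only = yes
      if ("read only" in opt) ro = (tolower(opt["read only"]) ~ /^(yes|true|1)$/)
      if (opt["valid users"] != "" && !listed(opt["valid users"], user)) {
        print "denied"; exit                    # not in a non-empty valid users
      }
      if (listed(opt["write list"], user)) { print "rw"; exit }  # beats read only
      if (listed(opt["read list"], user))  { print "ro"; exit }
      print (ro ? "ro" : "rw")
    }' "$1"
}

# Constructed sample: the [FileShare] stanza from step 5.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[global]
    workgroup = SAMBA
[FileShare]
    path = /srv/samba/FileShare
    guest ok = no
    read only = yes
    read list = ReadUser
    write list = WriteUser
    valid users = WriteUser, ReadUser
EOF
for u in WriteUser ReadUser SomeoneElse; do
  printf '%s -> %s\n' "$u" "$(share_access "$SAMPLE_CONF" FileShare "$u")"
done
```

Point the first argument at /etc/samba/smb.conf to check the live file. The directory's Unix permissions from step 4 still apply on top of whatever Samba allows.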


6. Allow Samba Server through the Firewall

Link: Read about RHEL 7 & Security Regarding Firewall Here

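# --permanent only writes the saved configuration; --reload applies it to the running firewall
sudo firewall-cmd --add-service=samba --permanent
sudo firewall-cmd --reload

Confirm Samba is available & Port is Open

sudo firewall-cmd --list-services | grep samba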

Alternatively, Disable the Firewall

sudo service firewalld stop
sudo systemctl disable firewalld


7. Disable SELinux

Link: Read about RHEL 7 & Security Regarding SELinux Here

sudo nano /etc/selinux/config

Modify the SELINUX parameter from "SELINUX=enforcing" to "SELINUX=disabled". Below is what your SELinux Config file should look like.

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are pr$
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted


8. Start Samba Service, Enable Samba Service on Startup & Confirm Listening

sudo systemctl start smb
sudo systemctl enable smb

Confirm Samba is Active & Listening

sudo yum -y install net-tools
sudo netstat -tulpn | egrep "smbd"

Confirm Samba Share is Accessible Locally

*Note: For your environment, replace "00.00.00.00" with your server's IP address.

sudo smbclient -L 00.00.00.00 -U WriteUser

Confirm Samba Share is Accessible from a Mac Terminal on the Internal Network

sudo smbutil view smb://WriteUser@00.00.00.00


9. Add Samba Share to Jamf Pro Server

In your Jamf Pro Dashboard, navigate to the following path: Computers -> Management Settings -> Server Infrastructure -> File Share Distribution Points -> + New


General Tab

File Sharing Tab

10. Mount File Share in Jamf Admin, Replicate

Launch Jamf Admin. I'm assuming this is a secondary, tertiary, etc. File Share. At the bottom of the left window pane, select your Master DP & the newly added FileShare DP. Then, select Replicate.


If it successfully mounts & gets past the mounting portion as seen in the image below, it's a success. Now, depending on the size of your Master DP, sit back, relax & give it a few hours.


If the replication fails, you will know right away. At the bottom of this page you will find a troubleshooting section.


After a successful replication in Jamf Admin, you can always doubly verify by mounting the server on your Mac via Finder & triply by creating a policy in Jamf & deploying a package that's marked to explicitly use the new FileShare. I'm not going to get into the details of those steps; I've provided links if you are unfamiliar. This way, after configuring the HTTPS portion, if an error occurs, you can be positive that it isn't the Samba portion of the setup that's at fault, which makes troubleshooting less tedious.


HTTPS Configuration


11. Install Apache

Link: Read about RHEL 7 & Apache Here

sudo yum -y install httpd


12. Install mod_ssl & OpenSSL toolkit

Link: Read about RHEL 7 & OpenSSL Here & mod_ssl Here

sudo yum -y install mod_ssl


13. Navigate to Certificates Directory

cd /etc/pki/tls/certs

Steps 14, 15 & 16 will be performed while located in the certs directory.


14. Create Request Configuration File

sudo nano req.conf

Copy & Paste the information below to your req.conf file & modify the bolded text (the placeholder values ending in "Here") accordingly

[ req ]
default_bits = 4096
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[ dn ]
CN = DomainHere
emailAddress = EmailHere
O = OrganizationHere
OU = DepartmentHere
L = LocationHere
ST = State/ProvinceHere
C = CountryHere
[ req_ext ]
subjectAltName = DNS: www.DomainHere, DNS: DomainHere


15. Generate Certificate Signing Request

*Note: The Pass phrase you use for the apachekey.pem is very important, save it somewhere safe & accessible.

sudo openssl req -new -config req.conf -keyout apachekey.pem -out apachekey.csr

16. View apachekey.csr, Copy Contents to Clipboard

cat apachekey.csr

Example apachekey.csr file.

Copy the contents in their entirety, including the "Begin" & "End" portions.
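
Before pasting the CSR into the CA in step 17, it is worth confirming what steps 14 to 16 actually produced. The script below is an added example (not part of the original guide): it builds a CSR from a req.conf in the step 14 layout, lists the DNS names the CSR requests, and checks whether the private key is passphrase-protected; with encrypt_key = no, openssl writes apachekey.pem unencrypted, so the example creates it owner-only. The names dp.example.test, Example Org and US are constructed placeholder values, and the function names are assumptions.

```shell
# Added example. dp.example.test, Example Org and US are constructed values.
# make_csr DIR: writes req.conf, apachekey.pem and apachekey.csr into DIR.
make_csr() {
  cat > "$1/req.conf" <<'EOF'
[ req ]
default_bits = 4096
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[ dn ]
CN = dp.example.test
O = Example Org
C = US
[ req_ext ]
subjectAltName = DNS: www.dp.example.test, DNS: dp.example.test
EOF
  ( umask 077   # key is unencrypted (encrypt_key = no): create it owner-only
    openssl req -new -config "$1/req.conf" \
      -keyout "$1/apachekey.pem" -out "$1/apachekey.csr" 2>/dev/null )
}

# csr_sans CSR: prints the DNS names requested in the CSR, one per line, sorted.
csr_sans() {
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | cut -d: -f2 | sort
}

# key_is_encrypted KEY: succeeds only if the PEM header marks the key encrypted.
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

WORK=$(mktemp -d)
make_csr "$WORK" && csr_sans "$WORK/apachekey.csr"
key_is_encrypted "$WORK/apachekey.pem" || echo "apachekey.pem is NOT passphrase-protected"
```

On the server, run csr_sans and key_is_encrypted against the files in /etc/pki/tls/certs; the listed names should match the hostname clients will use for the distribution point.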

17. Sign apachekey.csr with Jamf's Built-in Certificate Authority

In your Jamf Pro Dashboard, navigate to the following path: Computers -> Management Settings -> Global Management -> PKI Certificates -> Management Certificate Template


Select "Create Certificate from CSR", paste your apachekey.csr's contents into the window, select "Web Server Certificate" for "Certificate Type" & select "Create". Depicted below is along the lines of what your end result should be before selecting Create.


After you've selected "Create", your Jamf Pro Server will output a .pem file & prompt you to save it. Locate the newly generated .pem file & rename it "apachecert.pem".


18. Relocate apachecert.pem from Mac to RHEL Server

A quick & easy way to get the apachecert.pem file from your Mac to your FileShare is to mount your FileShare via Finder, then drag & drop the file into the FileShare.

19. Relocate apachecert.pem on RHEL FileShare Server

sudo mv /var/www/html/FileShare/apachecert.pem /etc/pki/tls/certs/apachecert.pem


20. Create HTTP Directory, Relocate Cert & Key

The /etc/pki/tls/http/ directory is where the ssl.conf points to; there's no need to worry about it not being titled "https".

sudo mkdir /etc/pki/tls/http/
sudo cp /etc/pki/tls/certs/apachecert.pem /etc/pki/tls/http/apachecert.pem