- Configures Active Directory as its name resolver
- Using sssd and realmd, the RHEL server joins the AD domain (DNS record, computer account and host SPN are created in AD)
- Using samba, an HTTP SPN is created in AD together with a keytab that contains the HTTP principal
- Foreman is installed with IPA/AD support and SSO is configured
- This script will add the web-foreman.test.local SAN to the generated certificate
- When --puppet-dns-alt-names is used, the puppet and puppet.test.local SANs are not added to the web certificate, which will cause Foreman deployment issues
- Therefore the puppet and puppet.test.local SANs are also added with --puppet-dns-alt-names
foreman-installer --puppet-dns-alt-names=puppet \
--puppet-dns-alt-names=puppet.test.local \
--puppet-dns-alt-names=web-foreman.test.local
- Port 4000 is dedicated to the browser-trusted CA
- Port 5000 is dedicated to SSL client authentication of the various Foreman components via their puppet-ca certificates
- If HAProxy is running on a dedicated server, ports 443 (browser) and 4443 (Foreman components) can be used instead.
global
user root
group root
defaults
yum -y install https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm; \
yum -y install http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm; \
yum -y install https://yum.theforeman.org/releases/1.15/el7/x86_64/foreman-release.rpm; \
yum -y install foreman-release-scl; \
yum -y install foreman-installer; \
echo "192.168.227.154 foreman1.test.local foreman1" >> /etc/hosts; \
echo "192.168.227.154 web-foreman.test.local" >> /etc/hosts; \
echo "192.168.227.156 proxy1.test.local proxy1" >> /etc/hosts; \
yum -y install https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm; \
yum -y install http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm; \
yum -y install https://yum.theforeman.org/releases/1.15/el7/x86_64/foreman-release.rpm; \
yum -y install foreman-release-scl; \
yum -y install foreman-installer; \
export IP=`nmcli -f IP4.ADDRESS device show ens33 | tr -s ' ' | cut -d ' ' -f 2 | cut -d '/' -f 1`; \
echo $IP foreman1.test.local foreman1 >> /etc/hosts; \
nmcli con mod "ens33" ipv4.dns-search "test.local"; \
nmcli general hostname foreman1; \
kinit with a domain user:
kinit genadi@TEST.LOCAL
Once you have a TGT (krbtgt), you can run nsupdate in GSS-TSIG mode:
nsupdate -g
frontend https-in-7000
mode tcp
bind *:7000
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
acl cc req_ssl_sni -i foreman-client.localdomain
acl dd req_ssl_sni -i foreman-internal.localdomain
mkdir dependencies
mvn clean compile exec:java -Dmaven.repo.local=dependencies -U
mvn org.apache.maven.plugins:maven-dependency-plugin:go-offline -Dmaven.repo.local=dependencies
# pinned plugin versions
mvn org.apache.maven.plugins:maven-dependency-plugin:2.8:go-offline -Dmaven.repo.local=dependencies
mvn org.apache.maven.plugins:maven-dependency-plugin:3.0.1:go-offline -Dmaven.repo.local=dependencies
mvn org.apache.maven.plugins:maven-dependency-plugin:3.0.2:go-offline -Dmaven.repo.local=dependencies
mvn org.apache.maven.plugins:maven-dependency-plugin:3.1.1:go-offline -Dmaven.repo.local=dependencies
- Say I open a web browser and enter an address, then hit enter. Describe how the connection works in as much detail as possible. Walk through the full workflow.
- What is a PTR record in DNS?
- What is an MX record in DNS?
- What is DNS split horizon? When would we use it?
- Show a basic HTTP flow.
- Describe how you would secure a web application.
- HTTP vs HTTPS
- How does SSL/TLS work? Show the full workflow (handshake).
- Explain PKI.
- What is Server Name Indication (SNI), and why is it needed?