Posted: March 14th, 2011 | Author: jordan | Filed under: Mac OS X Server | Tags: leopard, mac os x server, Open Directory, snow leopard | No Comments »
Replicate boot drive to spare drive.
While this post title specifically says Mac Mini Server, this procedure will work with any Macintosh that has more than one hard drive.
- Open Disk Utility
One drive should be labelled “Server HD” and the other “Macintosh HD2”. Remember which one is on top and which one is on the bottom.
- Select the Hard Drive associated with Macintosh HD2, and then click Restore
- Drag Server HD into the Source field and Macintosh HD2 into the Destination field
- Make it go
Build the spare drive into a RAID of one disk
- Open Disk Utility
- Select the Hard Drive associated with the old “Macintosh HD2”, and then click RAID.
If you are unsure which is which, select the drive and note the mount point at the bottom of the window. Choose the one that DOES NOT have the mount point “/”.
- Set the following options
RAID Set Name: Server HD RAID
Format: Mac OS Extended (Case-Sensitive, Journaled)
RAID Type: Mirrored RAID Set
- Drag the spare Server HD from the list on the left into the box on the right.
- Select Options and enable “Automatically rebuild RAID mirror sets”. Click OK, then Enable.
- Rename the newly built drive to Server RAID
- Go to System Preferences->Startup Disk and select the newly built RAID.
Integrate Other Drive into RAID
- Once the system is booted, verify that the RAID drive is the boot volume
To do this, open Disk Utility again, select the Server RAID volume, and make sure the mount point shows “/”.
- While in Disk Utility select the RAID device, which is located above “Server RAID” and click on the RAID tab
- Drag “Server HD” into the white box on the right to add it to the RAID
- Click Rebuild; it will take some time. Once done, perform one more reboot and you’re finished!
Posted: January 11th, 2011 | Author: jordan | Filed under: Snow Leopard, SSL | Tags: leopard, Open Directory, snow leopard, ssl | No Comments »
As more services are introduced into your network, and thus the more users you have, the need for security goes up. Maintaining your own certificate authority is a simple and free way to get a high level of security for your services without breaking the bank.
1. Create the Certificate Authority
First we’re going to hop into a terminal on any Mac OS X Server box, navigate to `/etc/certificates` and create some directories:
sudo mkdir -p myCA/cert myCA/key
We need to create the CA signing certificate and key. Change into `myCA` and run the first command below; you will be asked a series of questions. Enter them as needed.
homer:myCA jordan$ sudo openssl req -new -x509 -keyout key/myca.key -out cert/myca.crt -days 3650
Generating a 1024 bit RSA private key
writing new private key to 'key/myca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:BC
Locality Name (eg, city) :Vancouver
Organization Name (eg, company) [Internet Widgits Pty Ltd]:YAweb2.0CA LTD
Organizational Unit Name (eg, section) :DevOps
Common Name (eg, YOUR name) :yaweb20ca.ca
Email Address :email@example.com
Two files are created:
cert/myca.crt – This is your CA’s certificate and can be publicly available and of course world readable. You will need to load this certificate into all the clients in your network.
key/myca.key – This is your CA’s private key. Although it is protected with a passphrase you should restrict access to it, so that only root can read it:
chmod 0400 /etc/certificates/myCA/key/myca.key
2. Create the Server Key
Next, go up one level to `/etc/certificates`. We can now start creating SSL certificates for our various servers and services. Create a directory named hostname.domainname, corresponding to the hostname of the computer or service you are creating the certificate for, and enter that directory.
Next up on the list is to create a key that corresponds to our server. We will do that with this command:
openssl genrsa -des3 -out hostname.domainname.key 4096
Again, those pass phrases are something you make up right then. You are not authenticating anything, but rather setting up a pass phrase for authenticating later. Don’t forget to store the password somewhere safe, I suggest creating a new keychain on your Mac OS X server box.
Now, we have to create a signing request, or CSR, from the server key we just made. This signing request will usually make a trip to a genuine Certificate Authority to have the key signed and a real, verified, bonafide signed certificate returned back to us. So, to generate our signed certificate, we’ll need to first have a signing request so we can make the signed cert. See how that works?
3. Create a Certificate Signing Request
To create the CSR, we do this:
openssl req -new -key hostname.domainname.key -out hostname.domainname.csr
Now remember, kids. This is the part where we do put in our actual real information because the server does in fact belong to us. Put in the real domain where it says “Common Name (eg, YOUR name) :”. Fill out everything correctly. So for a wildcard cert enter, *.top.level.domain
4. Sign the Certificate
Now, we are going to take all these files and make them do some voodoo. We are going to sign the signing request using the Certificate Authority certificate and key that we made at the beginning. What we will get is our perfectly forged signed certificate. OK, not perfectly, because we are not a real CA. But we’ll get a pretty darn good signed cert that will work for us rather nicely and be valid for 10 years! What value!
The command we’re going to run looks like this:
openssl x509 -req -days 3650 -in hostname.domainname.csr -CA ../myCA/cert/myca.crt -CAkey ../myCA/key/myca.key -set_serial XX -out hostname.domainname.crt
It will ask you for the pass phrase of the myca.key file, which you set when creating the CA at the top of this article. The -set_serial switch sets the certificate serial number (a two digit value in this example). Every certificate you sign from this CA must have a unique serial number.
5. Create a Passwordless Certificate
Now, we have a little problem. Our hostname.domainname.key file will cause apache2 to prompt us for a password every time it starts. We need to fix it so that doesn’t happen. We’ll do that with these three commands:
openssl rsa -in hostname.domainname.key -out hostname.domainname.key.insecure
* Enter the password that you entered when creating this key
mv hostname.domainname.key hostname.domainname.key.secure
mv hostname.domainname.key.insecure hostname.domainname.key
Then set permissions for the files so that only root can read them:
chmod 0600 hostname.domainname.key.secure hostname.domainname.key hostname.domainname.csr hostname.domainname.crt
The final list of files and their purpose is as follows:
drwxr-xr-x 2 root root 4096 2008-06-02 13:54 .
drwx------ 10 root root 4096 2008-06-02 13:35 ..
-rw-r--r-- 1 root root 2049 2009-04-02 13:32 hostname.tld.crt [our server certificate]
-rw-r--r-- 1 root root 1748 2009-04-02 13:23 hostname.tld.csr [our server signing request]
-rw-r--r-- 1 root root 3243 2009-04-02 13:54 hostname.tld.key [our password-less server key]
-rw-r--r-- 1 root root 3311 2009-04-02 13:13 hostname.tld.key.secure [our passworded server key]
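The five steps above, as an added example that is not part of the original post: one non-interactive POSIX shell script that builds the CA, creates the server key and CSR, signs it, strips the pass phrase, and then runs the checks the post leaves out (does the certificate chain to the CA, does the served key match it, is only the `.secure` copy encrypted). Interactive prompts are replaced by `-config`/`-subj` and `-passin`/`-passout`; the hostname `www.example.test`, the organisation names, the pass phrases and the scratch directory are constructed for this demo and stand in for the post's `/etc/certificates` layout.

```shell
#!/bin/sh
# Added example, not from the original post. Same five steps as the article,
# scripted, plus verification. All names/passphrases below are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"   # scratch dir standing in for /etc/certificates
CA_PASS="ca-demo-passphrase"   # constructed; pick your own
SRV_PASS="srv-demo-passphrase" # constructed
HOST="www.example.test"        # hypothetical server hostname

# Step 1: CA certificate + passphrase-protected key. A private config keeps the
# CA extensions explicit (basicConstraints CA:TRUE is what makes it a CA) and
# is also reused for the CSR so nothing depends on the system openssl.cnf.
make_ca() {
  mkdir -p "$WORK/myCA/cert" "$WORK/myCA/key"
  cat > "$WORK/myCA/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
C = CA
ST = BC
L = Vancouver
O = Example Demo CA
CN = example-demo-ca
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -new -x509 -config "$WORK/myCA/req.cnf" -newkey rsa:2048 \
    -days 3650 -keyout "$WORK/myCA/key/myca.key" \
    -out "$WORK/myCA/cert/myca.crt" -passout "pass:$CA_PASS" 2>/dev/null
  chmod 0400 "$WORK/myCA/key/myca.key"
}

# Steps 2 and 3: encrypted server key and CSR. Modern clients ignore the CN, so
# the hostname also goes into a subjectAltName extension file used in step 4.
make_csr() {
  d="$WORK/$HOST"; mkdir -p "$d"
  openssl genrsa -des3 -passout "pass:$SRV_PASS" -out "$d/$HOST.key" 2048 2>/dev/null
  openssl req -new -config "$WORK/myCA/req.cnf" -key "$d/$HOST.key" \
    -passin "pass:$SRV_PASS" \
    -subj "/C=CA/ST=BC/L=Vancouver/O=Example Demo/CN=$HOST" -out "$d/$HOST.csr"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" > "$d/san.ext"
}

# Step 4: sign with the CA. Serials must be unique per CA, so a counter file
# replaces the hand-picked -set_serial value from the post.
sign_csr() {
  d="$WORK/$HOST"; counter="$WORK/myCA/serial"
  [ -f "$counter" ] || echo 1 > "$counter"
  serial=$(cat "$counter")
  openssl x509 -req -days 3650 -in "$d/$HOST.csr" \
    -CA "$WORK/myCA/cert/myca.crt" -CAkey "$WORK/myCA/key/myca.key" \
    -passin "pass:$CA_PASS" -set_serial "$serial" -extfile "$d/san.ext" \
    -out "$d/$HOST.crt" 2>/dev/null
  echo $((serial + 1)) > "$counter"
}

# Step 5: passphrase-less copy for the web server; encrypted original kept
# as .secure; tight permissions on everything.
strip_passphrase() {
  d="$WORK/$HOST"
  openssl rsa -in "$d/$HOST.key" -passin "pass:$SRV_PASS" \
    -out "$d/$HOST.key.insecure" 2>/dev/null
  mv "$d/$HOST.key" "$d/$HOST.key.secure"
  mv "$d/$HOST.key.insecure" "$d/$HOST.key"
  chmod 0600 "$d/$HOST.key" "$d/$HOST.key.secure" "$d/$HOST.csr" "$d/$HOST.crt"
}

# Checks the post does not show.
verify_chain() {   # issued cert validates against our CA certificate
  openssl verify -CAfile "$WORK/myCA/cert/myca.crt" "$WORK/$HOST/$HOST.crt" >/dev/null 2>&1
}
key_matches_cert() {   # public key in the served key == public key in the cert
  k=$(openssl pkey -in "$WORK/$HOST/$HOST.key" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$WORK/$HOST/$HOST.crt" -pubkey -noout | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}
key_is_encrypted() { grep -q ENCRYPTED "$1"; }   # usage: key_is_encrypted FILE
cert_serial() { openssl x509 -in "$WORK/$HOST/$HOST.crt" -noout -serial; }

run_all() {
  make_ca && make_csr && sign_csr && strip_passphrase && verify_chain && key_matches_cert
}

# Run the whole procedure:  sh ca-demo.sh run
if [ "${1:-}" = "run" ]; then run_all && echo "OK: $(cert_serial) in $WORK/$HOST"; fi
```

Two deliberate departures from the post: the keys are 2048-bit rather than the 1024-bit default the 2011 tooling produced, and the server certificate carries a subjectAltName, which current browsers require before they will trust a certificate for a hostname.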
6. Don’t Forget
Don’t forget to load the myca.crt file into your various Mac clients. This allows each computer to verify the identity behind the SSL certificates for the end user, mitigating the risk of a MITM (man in the middle) attack. To do so, simply copy the file to all your workstations and double-click the cert. Keychain manager should load and ask what security setting you would like; select Always Trust.
Posted: October 20th, 2009 | Author: jordan | Filed under: Mac OS X Server, Snow Leopard | Tags: automator, leopard, netboot, netinstall, netrestore, snow, workflow | No Comments »
I administer a small network of about 30 Mac clients and was not looking forward to upgrading them all to Snow Leopard: booting each one off of a DVD, running through the wizard that takes forever, and then the first-boot song and dance that I am sure will be playing in the waiting room for Hell. Then the idea hit me to use NetBoot and Apple’s System Image Utility to automate the whole process!
System Image Utility
Apple’s System Image Utility (SIU) comes with the default install of Mac OS X Server. Its purpose is to create images that can be used by the NetBoot server. There are three types of images you can create: NetBoot, which allows Macs to boot over the network from a server-based disk image; NetInstall, which installs Mac OS X over the network from a hosted disk image; and NetRestore, which restores a volume over the network from an Apple Software Restore disk image.
We’re going to focus on NetInstall, but more specifically on the customization of these images. First insert your Snow Leopard DVD. Then open the SIU app, click NetInstall and then click Customize. The SIU window will turn into an Automator workflow and the Automator Library window should appear beside it. You’ll notice the Library window contains a bunch of “actions”. What I want is a workflow that will format the hard drive, change the default packages to install and then set up a user after the install.
Drag in the Customize Package Selection action and place it between the two pre-existing actions in your workflow, Define Image Source and Create Image. Then expand the arrow beside Mac OS X and select the packages you want to install via the “Default” checkbox. Next drag the Enable Automated Installation action into the workflow and place it between the package selection action and the Create Image action. Here you can choose whether to let the user select the disk to install to, or whether it should auto-install to the disk named: (whatever). Finally, add the Add User Account action just before the Create Image action and enter your user’s account credentials. If you need to, you can also add “Add Package/Post Install Scripts” to install any custom software or post-install scripts you need. For myself I used this feature to install the Radmind tools. Before clicking “Run”, make sure your workflow looks something like…
Once SIU has finished creating the image, launch Server Admin and enable the NetBoot and DHCP services. Configure DHCP to hand out addresses for your network. If you don’t know how to configure DHCP, please read up at Apple’s website. Start DHCP and then click NetBoot. From here select Settings and then General. Check off the network adapter(s) you want to use for serving NetBoot. Then select the Images tab, choose the image we just created as the default, and also click the checkbox labelled Enable. Verify the protocol is set to NFS, click Save, then Start. Note: don’t worry if you don’t have NFS enabled or configured; NetBoot will take care of all of that for you.
Now go to the client you want to install Mac OS X on and turn it on while holding down the “N” key. From here you can sit back and relax. Automator power!