Hello everyone, I hope you are all doing well.
I'd like to revisit the following topic: viewtopic.php?t=3038.
After some research, I was able to set up the network boot kernels "ipxe.efi" (UEFI) and "undionly.kpxe" (LEGACY) using a self-signed certificate over HTTPS.
Several settings were required in the header files located in ../src/config/*.h before compiling the boot kernels. I'm currently using the ones provided with the FOGProject solution.
Could you tell me about the initial configuration provided by Tranquil-IT for these header files? At a minimum, I imagine it includes language support and HTTPS protocol support...
I found a Python script for compiling the kernels available in /opt/wapt/waptserver/scripts, but it doesn't seem to provide all the necessary details...
Thank you very much. Have a good day.
WADS - HTTPS support - self-signed certificate
Forum Rules
Community Forum Rules
* English support on www.reddit.com/r/wapt
* French community support is available on this forum
* Please prefix the topic title with [RESOLVED] if it is resolved.
* Please do not edit a topic that is tagged [RESOLVED]. Open a new topic referencing the old one.
* Specify the installed WAPT version, full version, and build number (2.2.1.11957 / 2.2.2.12337 / etc.) as well as the Enterprise/Discovery edition.
* Versions 1.8.2 and earlier are no longer supported. The only questions accepted regarding version 1.8.2 are related to upgrading to a supported version (2.1, 2.2, etc.).
* Specify the server OS (Linux/Windows) and version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019).
* Specify the OS of the administration/package creation machine and the machine with the problematic agent, if applicable (Windows 7/10/11/Debian 11/etc.).
* Avoid asking multiple questions when opening a topic, otherwise it may be ignored. If there are multiple topics, open separate topics, preferably one after the other and not all at the same time (i.e., do not spam the forum).
* Include code snippets, screenshots, and other images directly in the post. Links to Pastebin, Bitly, and other third-party sites will be systematically removed.
* As with any community forum, support is provided voluntarily by members. If you require commercial support, you can contact Tranquil IT's sales department at 02.40.97.57.55
- sfonteneau
- WAPT Expert
- Messages: 2318
- Registered: July 10, 2014 - 11:52 PM
david.masson wrote: ↑Sep 21, 2023 - 2:07 PM
A number of adjustments were necessary to the header files available in ../src/config/*.h before compiling the boot kernels. I am currently using those provided with the FOGProject solution.
Hello, no changes except for the language.
You can see the compilation recipe here:
https://wapt.tranquil.it/store/fr/detai ... PROD.wapt/
In the update_package.py file.
Out of curiosity, how did you resolve the issue of insecure distribution of the IPXE file via TFTP?
Simon
david.masson
- Messages: 4
- Registration: July 24, 2023 - 1:26 PM
Good evening,
thank you for your quick reply.
I'm not sure I fully understand your question; could you elaborate a little (I'm new to the WAPT solution)?
Have a good evening.
Best regards.
- sfonteneau
- WAPT Expert
- Messages: 2318
- Registered: July 10, 2014 - 11:52 PM
Actually, the question isn't specific to Wapt.
The IPXE binary is distributed to the BIOS using the TFTP protocol (which isn't secure).
Verifying the HTTPS certificate with IPXE therefore amounts to putting the certificate directly into the IPXE binary during compilation.
But this means trusting the IPXE binary distributed via TFTP.
Since I don't really have a way to secure this protocol, I was wondering if you had found a solution to this problem.
david.masson
- Messages: 4
- Registration: July 24, 2023 - 1:26 PM
Hello,
Not at all, I simply added the certificate to the "ipxe.efi" and "undionly.kpxe" binaries during compilation.
I used the arguments "TRUST=cert.pem" and "DEBUG=tls,x509:3" (just to observe the process). The certificate in question wasn't generated automatically but manually because it also includes an alias and is valid for 10 years.
I'm also open to suggestions for securing this exchange because, indeed, the binaries need to be trusted.
I would have preferred a public certificate issued by a recognized certificate authority, but the validity period is too short for the organizations I work with (1 year).
Best regards.
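As an added example (not code from this thread, from WAPT or from Tranquil IT), a small Python check for the build described in the two posts above: iPXE's TRUST= option embeds the SHA-256 fingerprint of the DER-encoded certificate in the image, so the script recomputes that fingerprint from cert.pem and looks for it in the compiled ipxe.efi / undionly.kpxe, and it also compares the image the TFTP server actually hands out with the one you compiled, because the fingerprint alone says nothing about which binary is being served. The PEM body and the image bytes below are constructed stand-ins, not a real certificate or a real iPXE build.

```python
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample: random bytes, NOT a real X.509 certificate. The checks only
# need the PEM -> DER step, so any PEM body works for the demonstration.
SAMPLE_DER = b"constructed sample, not a real X.509 certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")


def pem_certificates_der(pem_text: str) -> list:
    """Return the DER bytes of every certificate in a PEM bundle (TRUST= accepts several)."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem_text)]


def trust_fingerprint(der: bytes) -> bytes:
    """SHA-256 over the DER certificate: the form iPXE stores for TRUST= roots."""
    return hashlib.sha256(der).digest()


def embedded_fingerprints(image: bytes, pem_text: str) -> dict:
    """Map each certificate fingerprint (hex) to whether it occurs in the iPXE image."""
    return {trust_fingerprint(d).hex(): trust_fingerprint(d) in image
            for d in pem_certificates_der(pem_text)}


def served_matches_build(served: bytes, built: bytes) -> bool:
    """True if the image fetched from the TFTP server is byte-identical to your build."""
    return hashlib.sha256(served).digest() == hashlib.sha256(built).digest()


# Constructed stand-in for bin/undionly.kpxe: padding around one embedded fingerprint.
FAKE_IPXE = b"\x00" * 64 + trust_fingerprint(SAMPLE_DER) + b"\xff" * 64

if __name__ == "__main__":
    # Usage: check_ipxe.py <image from TFTP> <image you built> <cert.pem>  (hypothetical name)
    if len(sys.argv) == 4:
        served, built, pem = (open(sys.argv[1], "rb").read(), open(sys.argv[2], "rb").read(),
                              open(sys.argv[3]).read())
    else:
        served, built, pem = FAKE_IPXE, FAKE_IPXE, SAMPLE_PEM
    print("served image identical to build:", served_matches_build(served, built))
    for fp, present in embedded_fingerprints(served, pem).items():
        print(f"fingerprint {fp[:16]}... embedded: {present}")
```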
