jumpserver堡垒机搭建以及摆设认证服务器
Jumpserver在线安装及摆设认证服务器CA主机IP功能JumpServer192.168.1.34堡垒机管理资产及权限CA认证服务器192.168.1.37提供HTTPS安全加密 堡垒机一键在线安装
##z在线安装
curl -sSL https://resource.fit2cloud.com/jumpserver/jumpserver/releases/latest/download/quick_start.sh | bash
注意事项
##默认密码
admin/admin
##启动JumpServer
首先进入/opt/jumpserver-installer-v3.9.3/
执行 ./jmsctl.sh start
##关闭JumpServer
首先进入/opt/jumpserver-installer-v3.9.3/
执行 ./jmsctl.sh stop
##需要使用HTTPS服务
将文件证书放在/opt/jumpserver/config/nginx/cert路径下
修改配置文件vi /opt/jumpserver/config/config.txt
SSL_CERTIFICATE=/opt/jumpserver/config/nginx/cert/httpd.crt
SSL_CERTIFICATE_KEY=/opt/jumpserver/config/nginx/cert/httpd.key
ps:注意,需要先停止JumpServer服务后再修改配置文件
##关闭setenforce
setenforce 0
摆设CA服务器
###简历CA服务器
##生成密钥
# (umask 007; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
ps:
():表示此命令在子进程中运行,其目的是为了不改变当前Shell中的umask值;
genrsa:生成私钥;
-out:私钥的存放路径,cakey.pem:为密钥名,与配置文件中保持一致;
2048:密钥长度,默认为1024
##自签证书
# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 1000
ps:
req:生成证书签署请求;
-x509:生成自签署证书;
-days n:证书的有效天数;
-new:新请求;
-key /path/to/keyfile:指定私钥文件;
-out /path/to/somefile:输出文件位置
##初始化工作环境
# touch /etc/pki/CA/{index.txt,serial}
# echo 01 > /etc/pki/CA/serial
ps:
index.txt:索引文件,用于匹配证书编号;
serial:证书序列号文件,只在首次生成证书时赋值
实例:堡垒机HTTPS安全加密
登录堡垒机
##生成密钥对
# mkdir -p /etc/httpd/ssl
#(umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
##生成证书信息
# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN
State or Province Name (full name) :JS
Locality Name (eg, city) :SZ
Organization Name (eg, company) :JHFY
Organizational Unit Name (eg, section) :JFHY
Common Name (eg, your name or your server's hostname) :jfhy.com
Email Address :www
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:www
##将刚刚申请的请求文件发送给CA服务器
# scp /etc/httpd/ssl/httpd.csr root@192.168.1.37:/etc/pki/CA/crl
登录CA服务器
##签署证书
#openssl ca -in /etc/pki/CA/crl/httpd.csr -out /etc/pki/CA/crl/httpd.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The organizationName field needed to be the same in the
CA certificate (JFHY) and the request (JHFY)
##将签名好的证书发送给堡垒机
# scp httpd.crt root@192.168.1.34:/etc/httpd/ssl
吊销证书
登录CA服务器
##获取证书serial
# openssl x509 -in httpd.crt -noout -serial -subject
ps:
x509:证书格式;
-in:要吊销的证书;
-noout:不输出额外信息;
-serial:显示序列号;
-subject:显示subject信息
##CA验证信息
# cd /etc/pki/CA/
# cat index.txt
##吊销证书
# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
##删除证书
查看被吊销的证书列表
# cat /etc/pki/CA/index.txt
生成吊销证书的编号(如果是第一次吊销)
# echo 00 > /etc/pki/CA/crlnumber
更新证书吊销列表
# cd crl
# openssl ca -gencrl -out ca.crl
ps: -gencrl:生成证书吊销列表
错误
https://img-blog.csdnimg.cn/direct/7cb7e58b6e07487a8b5cfc3b8f658405.png#pic_center
如出现以上错误,需要在配置文件中修改https默认443端口 自定义端口 如23443
放通防火墙
firewall-cmd --per --add-port=23443/tcp
firewall-cmd --reload
注意
如果修改了端口,需要在配置文件中修改一下:
-1714440104784)]
如出现以上错误,需要在配置文件中修改https默认443端口 自定义端口 如23443
放通防火墙
firewall-cmd --per --add-port=23443/tcp
firewall-cmd --reload
注意
如果修改了端口,需要在配置文件中修改一下:
https://img-blog.csdnimg.cn/direct/b4101c94d44946aca29f5ed1918bb860.png#pic_center
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!更多信息从访问主页:qidao123.com:ToB企服之家,中国第一个企服评测及商务社交产业平台。
页:
[1]