Guacamole, Tomcat and LetsEncrypt, for VPN-less CCIE Lab Access

So you just built your CCIE lab but you can't access it from work because VPNs are restricted?  No problem!  Guacamole solves this issue; below is a quick and dirty method of implementing it properly.

I highly recommend that you always use the most current Guacamole release (not Git).  Compile Guacamole from source (binaries generally do not work as well, and I run my portal on a 7-watt ARM dev board) by following the guide on the Guacamole site: https://guacamole.incubator.apache.org/.  You may have unmet dependencies before doing this; for Ubuntu, the following resolves them:

add-apt-repository ppa:webupd8team/java
apt -y update
apt -y upgrade
apt -y dist-upgrade
apt -y install libcairo2-dev libjpeg-turbo8-dev libpng12-dev libossp-uuid-dev \
libfreerdp-dev libpango1.0-dev libssh2-1-dev libtelnet-dev libvncserver-dev \
libpulse-dev libssl-dev libvorbis-dev libwebp-dev git build-essential autoconf \
libtool oracle-java8-installer tomcat8 tomcat8-admin tomcat8-common tomcat8-docs \
tomcat8-user maven mysql-server mysql-client mysql-common mysql-utilities \
freerdp ghostscript wget


Once this is complete you should be good.  Next, you will need to get Letsencrypt:

git clone https://github.com/letsencrypt/letsencrypt ~/letsencrypt
cd ~/letsencrypt
./letsencrypt-auto certonly --expand --webroot --webroot-path \
/<CATALINA_HOME>/webapps/ROOT/ -d <YOURDOMAIN> --staging

Keep --staging until the run succeeds; once it does, drop --staging and rerun.  At this point we have our certificate issued by Let's Encrypt.  For Tomcat, it's easiest to convert it into a .jks.  Once you get the success message, cd into the directory where your certs are stored.
Then do the following:

openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out cert_and_key.p12 \
-name tomcat -CAfile chain.pem -caname root


fullchain.pem should contain the host certificate and the intermediate certificate in a single file; otherwise you will present only a single certificate, which is a security risk.

Convert the pkcs12 into a jks now:

keytool -importkeystore -deststorepass <changeit> -destkeypass <changeit> \
-destkeystore myKeyStore.jks -srckeystore cert_and_key.p12 -srcstoretype \
PKCS12 -srcstorepass <PasswordUsedAbove> -alias tomcat
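
Let's Encrypt certificates expire after 90 days and the .jks is not refreshed automatically, so the two conversion steps above have to be repeated after every renewal. The script below is an example added here, not from the original post: it wraps the openssl and keytool steps into a re-runnable rebuild and refuses to build a keystore when fullchain.pem does not hold at least the leaf and the intermediate; the live directory path, the tomcat alias and the STOREPASS environment variable are assumptions to adjust.

```shell
#!/bin/sh
# Rebuild Tomcat's JKS from the current Let's Encrypt PEM files.
# Example added to the post; paths and the STOREPASS variable are assumptions.
set -eu

LIVE_DIR="/etc/letsencrypt/live/<YOURDOMAIN>"   # assumed: same layout as the post
KEYSTORE="$LIVE_DIR/myKeyStore.jks"
STOREPASS="${STOREPASS:-changeit}"               # assumed: supplied via environment

# Number of certificates in a PEM bundle; prints 0 for an empty or unreadable file
# without tripping set -e (grep -c exits non-zero when it finds nothing).
pem_cert_count() {
    n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# fullchain.pem must carry the leaf plus the intermediate; refuse anything less,
# since Tomcat would otherwise present only the leaf certificate.
check_fullchain() {
    n=$(pem_cert_count "$1")
    if [ "$n" -lt 2 ]; then
        echo "ERROR: $1 holds $n certificate(s); expected leaf + intermediate" >&2
        return 1
    fi
}

# The post's two conversion steps, with a temporary PKCS12 and an atomic swap
# of the keystore so Tomcat never sees a half-written file.
rebuild_keystore() {
    check_fullchain "$LIVE_DIR/fullchain.pem"
    p12=$(mktemp)
    openssl pkcs12 -export -in "$LIVE_DIR/fullchain.pem" -inkey "$LIVE_DIR/privkey.pem" \
        -out "$p12" -name tomcat -passout "pass:$STOREPASS"
    rm -f "$KEYSTORE.new"
    keytool -importkeystore -noprompt -srckeystore "$p12" -srcstoretype PKCS12 \
        -srcstorepass "$STOREPASS" -alias tomcat -destkeystore "$KEYSTORE.new" \
        -deststoretype JKS -deststorepass "$STOREPASS" -destkeypass "$STOREPASS"
    rm -f "$p12"
    mv "$KEYSTORE.new" "$KEYSTORE"   # Tomcat must be restarted to pick it up
}

# Run the rebuild only when invoked as: ./rebuild-jks.sh rebuild
if [ "${1:-}" = "rebuild" ]; then
    rebuild_keystore
fi
```

Hook it in after each renewal (for example as a renewal hook or a cron job) and restart Tomcat afterwards, since the keystore is only read at startup.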


Now edit your /<CATALINA_HOME>/server.xml with the following connector options:

scheme="https" secure="true" SSLEnabled="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/etc/letsencrypt/live/<YOURDOMAIN>/myKeyStore.jks"
keystorePass="<changeit>" keyAlias="tomcat" keyPass="<changeit>"


Next, let's forward port 443 to 8443, since Tomcat doesn't always run on 443 and it's much quicker to do it this way:

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8443

Test your connection from an outside source and you're done!
I recommend using https://www.ssllabs.com/ssltest/

If you want to install Tomcat 8 from source, use this guide:
https://www.digitalocean.com/community/tutorials/how-to-install-apache-tomcat-8-on-ubuntu-14-04

And if you need an init.d script, here's mine:
#!/bin/bash
# Minimal init.d wrapper around Tomcat's own startup/shutdown scripts.
export CATALINA_HOME=/opt/tomcat
export JAVA_HOME=<WHATEVERYOURJAVAHOMEIS>
export PATH="$JAVA_HOME/bin:$PATH"

start() {
  echo "Starting Tomcat 8..."
  sh "$CATALINA_HOME/bin/startup.sh"
}
stop() {
  echo "Stopping Tomcat 8..."
  sh "$CATALINA_HOME/bin/shutdown.sh"
}
case "$1" in
  start|stop) "$1";;
  restart) stop; start;;
  *) echo "Usage: $0 <start|stop|restart>"; exit 1;;
esac

exit 0



