- This topic has 6 replies, 2 voices, and was last updated 6 days, 8 hours ago by
.
-
Posts
-
Hi!
I need to update nxd certificate on dozens of servers (ED, SBTS).
Each certificate has to be copied from remote servers to ECS to avoid authentication warnings.
How can I do that in a script after collecting all certificates of remote machines ?
Where on ECS do I have to copy certificates from these remote machines ?
Thanks,
Regards,
Steve.
Hi!
Remote nodes are on VLAN administred by local admins.
They don’t have rights on ECS that has its own dedicated admin.
I’ve analyzed the subject and if I well understand we could use –keyadd to register the public keys of nxd of remote nodes in
/var/NX/nx/.nx/config/authorized.crt on ECS.
* Local admin
Each local admin generates new 4096-bit nxd certificate (nx_host_rsa_key) and its public key (nx_host_rsa_key.crt) for all nodes on his VLAN.
A prefix is added to each key:
cp /usr/NX/etc/keys/host/nx_host_rsa_key.crt <source_hostname>_nx_host_rsa_key.crt
All the keys are sent to ECS admin.
* ECS Admin
For each pub key received :
sudo /etc/NX/nxserver –keyadd <source_hostname>_nx_host_rsa_key.crt
=> this command updates /var/NX/nx/.nx/config/authorized.crt
Q1- Please, could you validate my understanding and this procedure ?
Q2- What about inverse mode connection if nxd certificate is changed on remote node ?
Thanks,
Regards,
Steve.
Hi,
If I understood your goal correctly, you’re looking to add a node to ECS without requiring password authentication. You can achieve this by following the steps below:
To add a node to ECS
#1. On the node
scp $ECS_IP:/usr/NX/etc/keys/host/node.localhost.id_rsa.pub $ECS_IP_node.localhost.id_rsa.pub
sudo /etc/NX/nxserver --keyadd $ECS_IP_node.localhost.id_rsa.pub#2. On ECS
sudo /etc/NX/nxserver --nodeadd $NODE_IP --node-name $NODE_NAMETo perform the reverse ( adding an inverse node to an ECS )
Follow the same procedure, but switch the roles:
– Run step #1 on the ECS
– Run step #2 on the nodeWould you need help to make the script for this flow?
Hi Fisherman,
Thanks for this quick answer but it is not exactly what I’d want.
Nodes are already added to ECS in “direct connection mode” or “inverse connection mode”.
For security reasons, keys have to be regenerated with 4096-bit instead of 2048-bit standard length.
One part of the subject is the keys for the nxd certificates of the nodes.
nxd certificates will be regenerated by local admin for all nodes of their VLAN (they don’t have admin rights on ECS).
The
nx_host_rsa_key.crtfiles will be sent to ECS admin and then what have he to do on ECS (or eslewhere) ?(a script is needed to handle many .crt files )
When I check the last modification date of
/var/NX/nx/.nx/config/authorized.crt,it does not seem to be the right file (unchanged date).
/var/NX/nx/.nx/config/cllient.crtseems to be the right file to put .crt of certificate from nxd of nodes.
The .crt files will be sent to ECS admin and then what have he to do on ECS (or eslewhere) ?
In short, how to handle nxd certificate change on nodes when nodes are administrated by different admins than ECS admin ?
I hope it is more clear.
Thanks,
Regards,
Steve.
To replace node certificates, please follow this article:
https://kb.nomachine.com/DT07S00229#7LD_LIBRARY_PATH=/usr/NX/lib/ /usr/NX/bin/nxkeygen -k /usr/NX/etc/keys/node.localhost.id_rsa -p /usr/NX/etc/keys/node.localhost.id_rsa.pub -t rsa -n 4096And then, based on the direct or inverse node, do the same as mentioned in previous post:
#1. On the node
scp $ECS_IP:/usr/NX/etc/keys/host/node.localhost.id_rsa.pub $ECS_IP_node.localhost.id_rsa.pub
sudo /etc/NX/nxserver --keyadd $ECS_IP_node.localhost.id_rsa.pub#2. On ECS
sudo /etc/NX/nxserver --nodedit #NODE_NAMEHi,
For the moment, my question is about the SSL certificate for nxd and not RSA key pair.
I kwow the article you quote, but alas it is not precise about how to deal with change of SSL certificate for nxd. 🙁
Hence my question : “In short, how to handle nxd certificate change on nodes when nodes are administrated by different admins than ECS admin ?”
Regards,
Steve.
You must be logged in to reply to this topic. Please login here.