OpenVPN ALS Adito SSL VPN Gateway on CentOS

Overview

OpenVPN ALS Adito SSL VPN Gateway is a web-based SSL-VPN server written in Java and it is completely free and open-source.
The installation on CentOS 6 Linux Operating System is fairly simple using the next few steps (we will use CentOS Minimal x86_64).

Prerequisites

Another Neat Tool – ANT

“Ant is a Java-based build tool. In theory, it is kind of like Make, without Make’s wrinkles and with the full portability of pure Java code.”

yum install ant

Java JDK – Open JDK or Oracle JDK

Open JDK

To use the open-source version of Java JDK – Open JDK:

yum install openjdk

Next Select this package as your default Java:
alternatives --config java

Select the OpenJDK: ‘/usr/lib/jvm/jre-1.6.0-openjdk.x86_64/bin/java’

Oracle JDK

  1. Download Oracle JDK x64 (not JRE)
  2. Install JDK:
    rpm -Uvh jdk-*-linux-x64.rpm
  3. Configure JDK:
    alternatives --install /usr/bin/java java /usr/java/latest/jre/bin/java 20000
    alternatives --install /usr/bin/javaws javaws /usr/java/latest/jre/bin/javaws 20000
    alternatives --install /usr/bin/javac javac /usr/java/latest/bin/javac 20000
    alternatives --install /usr/bin/jar jar /usr/java/latest/bin/jar 20000
    
  4. Next Select this package as your default Java:
    alternatives --config java

    Select the OpenJDK: ‘/usr/java/latest/jre/bin/java’

Verify Java Version

java -version

java version "1.7.0_21"
Java(TM) SE Runtime Environment (build 1.7.0_21-b11)
Java HotSpot(TM) 64-Bit Server VM (build 23.21-b01, mixed mode)

Subversion – SVN

yum install svn

OpenVPN ALS Adito SSL VPN Gateway Installation

Download and install from SVN

cd /opt/
svn co https://openvpn-als.svn.sourceforge.net/svnroot/openvpn-als/adito/trunk /opt/openvpn-als
cd /opt/openvpn-als
ant install

Initial Configuration

Wait until you’ll get this notice – DO NOT PRESS CTRL+C:

[java] Starting installation wizard........................Point your browser to http://localhost.localdomain:28080.
[java]
[java] Press CTRL+C or use the 'Shutdown' option from the web interface to leave the installation wizard.

Go to your browser and visit http://localhost.localdomain:28080 where localhost.localdomain is your OpenVPN ALS Adito SSL VPN Gateway host name and continue with the installation wizard.

    1. First select to create a Self Signed Certificate – if you want to use a CA Certificate we will do it later:
      OpenVPN ALS Adito SSL VPN Gateway
    2. Fill in your pass phrase (whatever you want):
      OpenVPN ALS Adito SSL VPN Gateway
    3. Input the info for your SSL Certificate:
      OpenVPN ALS Adito SSL VPN Gateway
    4. We will use a Built-in user database (default) if you want to use Active Directory check for instructions below.
      OpenVPN ALS Adito SSL VPN Gateway
    5. Select Port as 443
      Select Protocol as SSL
      Input valid external hotnames
      And change Invalid hostname action to Redirect…
      OpenVPN ALS Adito SSL VPN Gateway
    6. We will not use a proxy (default)
      OpenVPN ALS Adito SSL VPN Gateway
    7. Click Finish
      OpenVPN ALS Adito SSL VPN Gateway

Click Exit installer and wait for it to finish its 10 second countdown.
OpenVPN ALS Adito SSL VPN Gateway

Install OpenVPN ALS Adito SSL VPN Gateway Java Agent

You will need to create a NEW Self Signed SSL Certificate since the bundled Agent certificate has expired and needs to be recreated.

Create a Certificate Key file

openssl req -nodes -newkey rsa:2048 -keyout server_name.domain.key -out server_name.domain.csr

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:server_name.domain
Email Address []:yourname@server_name.domain

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (click enter, no password)
An optional company name []: (click enter, no password)

Use the key and csr file to generate a new Certificate – .crt file:

openssl x509 -req -days 3650 -in /path/to/server_name.domain.csr -signkey /path/to/server_name.domain.key -out /path/to/selfsigned.crt
openssl pkcs12 -export -in /path/to/selfsigned.crt -inkey /path/to/key-file.key -out /opt/openvpn-als/certificate/selfsigned.p12 -name selfsigned

ChangeSecret is the secret in this tutorial.
To create the combined-root-and-chain-certificate-file.ca-bundle check below.

Now we need to edit the Agent certificate.conf file:

vi /opt/openvpn-als/certificate/certificate.properties

certificate.alias=1
certificate.keystore=selfsigned.p12
certificate.storetype=pkcs12
certificate.password=ChangeSecret

Copy the new cert to /opt/openvpn-als/certificate/selfsigned.p12

Rebuild the agent:

ant install-agent

Install OpenVPN ALS Adito SSL VPN Gateway Linux Service

ant install-service
chkconfig adito on
service adito start

Install Applications/Extensions

Download Adito Applications from SVN:

svn co https://openvpn-als.svn.sourceforge.net/svnroot/openvpn-als/adito-applications/

Create Application ZIP file (for example Cross-Platform Remote Desktop):

cd adito-aplications
cd adito-application-rdp-xplatform-embedded
ant

All you have to do now is copy the file to your archive folder and restart Adito:

cp /opt/openvpn-als/adito-applications/adito-application-rdp-xplatform-embedded/adito-application-rdp-xplatform-embedded.zip /opt/openvpn-als/adito/conf/repository/archives/
service adito restart

Signed CA SSL Certificates

The OpenVPN ALS Adito needs two kinds of SSL certificates:

Web Page Signed CA Certificate

Standard SSL Certificate in P12 format.

Agent Code Signing Signed CA Certificates

Code Signing Certificate in P12 format.

Create SSL P12 file

First Create the combined-root-and-chain-certificate-file.ca-bundle:

cat AddTrustExternalCARoot.crt chain-file.ca-bundle > combined-root-and-chain-certificate-file.ca-bundle

Now you can create the P12 file:

openssl pkcs12 -export -in /path/to/certificate-file.crt -inkey /path/to/key-file.key -out /opt/openvpn-als/certificate/newcert.p12 -name newcert -CAfile /path/to/combined-root-and-chain-certificate-file.ca-bundle -caname root -chain

Import the New P12 Certificate for Adito Web

service adito stop
cd /opt/openvpn-als/
ant install

Visit http://localhost.localdomain:28080 and import the New Certificate using the installation Wizard.

Active Directory Integration

During the Installation process select Active Directory as your user database.

  1. Select Active Directory:
    OpenVPN ALS Adito SSL VPN Gateway
  2. Fill in Domain Controller Hostname or IP address
    Fill in Backup Domain Controllers Hostnames or IP addresses
    Fill in Domain as: example.com
    Fill in an Active Directory username and password with account operator permissions
    OpenVPN ALS Adito SSL VPN Gateway
  3. Select OU Filter tab
    Fill in the OUs containing the users you want to include, for example: cn=users,dc=domain,dc=com
    Fill in the OUs containing the users you want to exclude, for example: ou=nousers,dc=domain,dc=com
    OpenVPN ALS Adito SSL VPN Gateway
  4. Select the Active Directory user to be the Adito Administrator (default is Administrator)
    OpenVPN ALS Adito SSL VPN Gateway

Fix Java Permissions attribute warning

In Java 7 there is a new warning:
“”This application will be blocked in a future Java security update because the JAR file manifest does not contain the Permissions attribute.””

To solve this issue you just need to add a few lines to adito-agent/build.xml:

Find the section where the “launcher.jar” and “launcher-en.jar” jarfiles get built (starting from line 460) and add the manifest attributes at the end of the jar block as follows:

<jar jarfile="${build.dist}/launcher.jar" basedir="${build.extension.output}">
<include name="com/adito/agent/client/launcher/*.class"></include>
<include name="com/adito/agent/client/util/**/*.class"></include>
<include name="com/sshtools/ui/awt/UIUtil.class"></include>
<include name="com/sshtools/ui/awt/Messages.class"></include>
<include name="com/sshtools/ui/awt/ImageCanvas.class"></include>
<include name="com/sshtools/ui/awt/MultilineLabel.class"></include>
<include name="com/sshtools/ui/awt/options/Messages.class"></include>
<include name="com/sshtools/ui/awt/options/OptionDialog*.class"></include>
<include name="com/sshtools/ui/awt/options/Option.class"></include>
<include name="com/sshtools/ui/awt/options/OptionCallback.class"></include>
<include name="images/**/launcher-*.gif"></include>
	<manifest>
	<attribute name="Permissions" value="all-permissions"></attribute>
	<attribute name="Codebase" value="*"></attribute>
	</manifest>
</jar>

<jar jarfile="${build.dist}/launcher-en.jar" basedir="${build.extension.output}">
<include name="**/*.properties"></include>
	<manifest>
	<attribute name="Permissions" value="all-permissions"></attribute>
	<attribute name="Codebase" value="*"></attribute>
	</manifest>
</jar>

Now you need to rebuild the agent using:

ant install-agent

Enjoy.

7 thoughts on “OpenVPN ALS Adito SSL VPN Gateway on CentOS

  1. Mohanasundaram Kaliyannan

    Adam Mallul,

    Great Job, I followed the steps and works fine. I am having challenges below steps:-

    1. Create SSL P12 file for web and java agent . Can you guide me how to install the signed CA certificate for Java agent and Web SSL ?

    Thanks.

    Reply
    1. admin

      To install the SSL cert in for the Adito Web Access use the installation wizard.
      To install a signed cert for the Agent you need a different certificate – Code Sign SSL Certificate.
      Just follow the steps for the Agent installation and use your Code sign cert instead of the Self Signed cert.

      Reply
  2. Stanley Ho

    hello Adam,

    I followed the above instructions but not work at all. I was able to create certificate by the wizard and then no luck to get on the web console. Any further steps I need to follow?
    Currently,I was using Vmware esxi 5.1 host. any troubleshooting hints?

    Regards
    Stanley

    Reply
  3. Espen

    Great overview of how to get this extremely useful, but apparently abandoned tool to work, I’ve been looking for replacements, but none seem as solid as this.

    Some additional notes which may be useful though are:

    1) The is line in /opt/openvpn-als/maverick-multiplex/build.xml which may need editing so that has both target=”1.1″ and source=”1.1″ is set for javac (at least for OpenJDK)

    2) The agent signing with your own certificate may not work if you certificate doesn’t allow code signing.

    3) There may be an upcoming issue with future Java security updates as users are now reporting a warning about:
    “This application will be blocked in a future Java security update because the JAR file manifest does not contain the Permissions attribute. Please contact the Publisher for more Information.”

    If anyone has a quick fix for the latter it would be much appreciated.

    Reply
    1. Espen

      I believe I’ve found a solution to the “This application will be blocked in a future Java security update because the JAR file manifest does not contain the Permissions attribute.” issue, as follows:

      Before building the agent, modify the build.xml file in adito-agent/ as follows:

      Find the section where the launcher.jar and launcher-en.jar jarfiles get built (starting from line 460) and add the manifest attributes as follows:

      <jar jarfile="${build.dist}/launcher.jar" basedir="${build.extension.output}">
      <include name="com/adito/agent/client/launcher/*.class"></include>
      <include name="com/adito/agent/client/util/**/*.class"></include>
      <include name="com/sshtools/ui/awt/UIUtil.class"></include>
      <include name="com/sshtools/ui/awt/Messages.class"></include>
      <include name="com/sshtools/ui/awt/ImageCanvas.class"></include>
      <include name="com/sshtools/ui/awt/MultilineLabel.class"></include>
      <include name="com/sshtools/ui/awt/options/Messages.class"></include>
      <include name="com/sshtools/ui/awt/options/OptionDialog*.class"></include>
      <include name="com/sshtools/ui/awt/options/Option.class"></include>
      <include name="com/sshtools/ui/awt/options/OptionCallback.class"></include>
      <include name="images/**/launcher-*.gif"></include>
      <manifest>
      <attribute name="Permissions" value="all-permissions"></attribute>
      <attribute name="Codebase" value="*"></attribute> </manifest>
      </jar>
      
      <jar jarfile="${build.dist}/launcher-en.jar" basedir="${build.extension.output}">
      <include name="**/*.properties"></include>
      <manifest>
      <attribute name="Permissions" value="all-permissions"></attribute>
      <attribute name="Codebase" value="*"></attribute>
      </manifest>
      </jar>

      Then rebuild the agent using : ant install-agent
      and restart adito

      Reply
  4. Adam Mallul Post author

    Hi Espen
    I’ve been looking around for a way to solve the issue of the new Java warning.
    It works like a charm

    I’ve added your instructions to the end of the tutorial.
    Thanx for your help

    Reply

Leave a Reply

Your email address will not be published.

*