Skip to main content

Setting up ssl https On Nagios XI Server

HTTPS is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security or its predecessor, Secure Sockets Layer. The main motivation for HTTPS is authentication of the visited website and protection of the privacy and integrity of the exchanged data. Intro Courtesy Wikipedia
Full SSL support requires Nagios XI version 2011R1.6 or later.

Before we start.

Check if the below packages are install, they should be if you are using latest Nagios XI, but check them anyways.
yum install mod_ssl openssl

Creating Key and Certificate

Lets generate the key for the server.
openssl genrsa -out ca.key 2048
Output for the command.
[ahmed@nagiosserver ~]$ openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
.................................................................................................................+++
.....................................+++
e is 65537 (0x10001)
Now we create the certificate.
openssl req -new -key ca.key -out ca.csr
Here is the output for the command.
[ahmed@nagiosserver ~]$ openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:TR
State or Province Name (full name) []:Istanbul
Locality Name (eg, city) [Default City]:Istanbul
Organization Name (eg, company) [Default Company Ltd]:Ahmed, Inc
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:nagiosserver.ahmed.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
We have not entered anything in the extra attributes, but this is fine.
Checking the certificate.
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Output.
[ahmed@nagiosserver ~]$ openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=/C=TR/ST=Istanbul/L=Istanbul/O=Ahmed, Inc/CN=nagiosserver.ahmed.com
Getting Private key
[ahmed@nagiosserver ~]$

Copy Key/Certificate to Specific Location.

Now we need to copy the certificate files to the correct location and set permissions:
cp ca.crt /etc/pki/tls/certs
cp ca.key ca.csr /etc/pki/tls/private/
Setting permissions.
chmod go-rwx /etc/pki/tls/certs/ca.crt
chmod go-rwx /etc/pki/tls/private/ca.key

Update Apache Configuration

Open the /etc/httpd/conf.d/ssl.conf, find the following lines and update path, this is similar to what we copied earlier.
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
Here is how the Configuration looks like.
ssl cert
In that same file add the below contents just before
tag:

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule nagiosxi/api/v1/(.*)$ /usr/local/nagiosxi/html/api/v1/index.php?request=$1 [QSA,NC,L]

Here is how a part of the config looks like.
IfModule

Update httpd.conf Configuration.

Update /etc/httpd/conf/httpd.conf, Add the following lines to the end of the file:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
Here how the file looks like.
httpd config

Next we restart httpd

sudo service httpd restart
Ouput.
[ahmed@nagiosserver ~]$ sudo service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: httpd: apr_sockaddr_info_get() failed for nagiosserver
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName [  OK  ]
Now we can go to https://nagiosserver.ahmed.com/, you get a warning about self certified certificate, add it to exception and we are ready.

[Important] Now we update Nagios XI Configuration.

  • First update the config.inc.php file.
Here is the path to the file.
[ahmed@nagiosserver ~]# vim /usr/local/nagiosxi/html/config.inc.php
Update the below configuration in the file. (Currently $cfg['use_https'] = false;)
// force http/https
$cfg['use_https'] = true; // determines whether cron jobs and other scripts will force the use of HTTPS instead of HTTP
  • Next logon to Nagios XI server as nagiosadmin.
  • Go to Admin -> on the left pane System Config -> System Settings -> General.
  • Change the URL to https. Change http://172.2.2.23/nagiosxi/ to https://172.2.2.23/nagiosxi/
  • Next go to Configure on the top tab -> Core Config Manager -> On the left pane Config Manager Admin -> Core Manager Settings -> Change Server Protocol to HTTPS
Restart nagios, httpd.
NOTE : If you are using filewall make sure to add the entry to iptables
iptables -I INPUT -p tcp --dport 443 -j ACCEPT
service iptables save
Now logon to the server. https://nagiosserver.ahmed.com/

Comments

Post a Comment

Popular posts from this blog

Zabbix History Table Clean Up

Zabbix history table gets really big, and if you are in a situation where you want to clean it up. Then we can do so, using the below steps. Stop zabbix server. Take table backup - just in case. Create a temporary table. Update the temporary table with data required, upto a specific date using epoch . Move old table to a different table name. Move updated (new temporary) table to original table which needs to be cleaned-up. Drop the old table. (Optional) Restart Zabbix Since this is not offical procedure, but it has worked for me so use it at your own risk. Here is another post which will help is reducing the size of history tables - http://zabbixzone.com/zabbix/history-and-trends/ Zabbix Version : Zabbix v2.4 Make sure MySql 5.1 is set with InnoDB as innodb_file_per_table=ON Step 1 Stop the Zabbix server sudo service zabbix-server stop Script. echo "------------------------------------------" echo " 1. Stopping Zabbix Server ...

Installing Zabbix Version 2.4 Offline (Zabbix Server without Internet).

There might be situations where you have a remote/zabbix server which does not have internet connectivity, due to security or other reasons. So we create a custom repo on the remote/zabbix server so that we can install zabbix using rpms Here is how we are planning to do this. Download all the dependency rpms on a machine which has internet connection, using yum-downloadonly or repotrack . Transfer all the rpms to the remote server. Create a repo on the remote server. Update yum configuration. Install. NOTE: This method can be used to install any application, but here we have used zabbix as we had this requirement for a zabbix server. Download dependent rpms . On a machine which has internet connection install the package below. And download all the rpms . Make sure the system are similar (not required to be identical - At-least the OS should be of same version) mkdir /zabbix_rpms yum install yum-downloadonly Downloading all the rpms to location /zabbix_rpms/ ,...

Access Filter in SSSD `ldap_access_filter` [SSSD Access denied / Permission denied ]

Access Filter Setup with SSSD ldap_access_filter (string) If using access_provider = ldap , this option is mandatory. It specifies an LDAP search filter criteria that must be met for the user to be granted access on this host. If access_provider = ldap and this option is not set, it will result in all users being denied access. Use access_provider = allow to change this default behaviour. Example: access_provider = ldap ldap_access_filter = memberOf=cn=allowed_user_groups,ou=Groups,dc=example,dc=com Prerequisites yum install sssd Single LDAP Group Under domain/default in /etc/sssd/sssd.conf add: access_provider = ldap ldap_access_filter = memberOf=cn=Group Name,ou=Groups,dc=example,dc=com Multiple LDAP Groups Under domain/default in /etc/sssd/sssd.conf add: access_provider = ldap ldap_access_filter = (|(memberOf=cn=System Adminstrators,ou=Groups,dc=example,dc=com)(memberOf=cn=Database Users,ou=Groups,dc=example,dc=com)) ldap_access_filter accepts standa...