Nagios XI - Configuring SSL for Nagios XI Purpose

Transcription

Nagios XI - Configuring SSL for Nagios XI Purpose
Nagios XI - Configuring SSL for Nagios XI
The Industry Standard in IT Infrastructure Monitoring
Purpose
This document will describe how to setup SSL. This document is also to be used an initial point for troubleshooting SSL connections.
Target Audience
This document is intended for use by Nagios XI Administrators who require encryption.
Installing Necessary Components
Full SSL support requires Nagios XI version 2011R1.6 or later, so if you're using an earlier version, you'll need to upgrade in order for all
of the data to display correctly in the XI interface. Nagios XI comes with most of the SSL components, but just to be sure, open a
terminal and log into the Nagios XI server as root and run the following commands:
yum install mod_ssl openssl -y
Generating a Key
In this demonstration, we will be using a self-signed key. If you are running a bigger production environment you will want to get a key
from a company like VeriSign. However, for smaller uses, self-generated keys should be sufficient. First thing you should do is generate
the key.
openssl genrsa -out ca.key 2048
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Now we need to move the certificate files to a sensical place:
cp ca.crt /etc/pki/tls/certs
cp ca.key /etc/pki/tls/private/ca.key
cp ca.csr /etc/pki/tls/private/ca.csr
Editing the httpd.conf
Now that we have our key we have to tell httpd where to look for it. In your /etc/httpd/conf.d/ssl.conf , find the
SSLCertificateFile line and change these values:
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
Now restart httpd and test your connection to the server by directing your web browser to https://yourservername/ (note there is no
nagiosxi/ extention yet). If it returns an error check your firewall and backtrack through this document, making sure you've done all the
steps listed.
Now its time to edit your nagiosxi.conf, which is normally in the same directory as the ssl.conf (/etc/httpd/conf.d/).
It should look like this:
#NameVirtualHost *:443
<VirtualHost *:80>
<Directory "/usr/local/nagiosxi/html">
# SSLRequireSSL
Options None
Nagios Enterprises, LLC US: 1-888-NAGIOS-1
P.O. Box 8154
Int'l: +1 651-204-9102
Saint Paul, MN 55108
Fax: +1 651-204-9103
USA
Web: www.nagios.com
Email:[email protected]
Page 1
Copyright © 2010 - 2014 Nagios Enterprises, LLC
Revision 1.0 – July, 2014
Nagios XI - Configuring SSL for Nagios XI
AllowOverride None
Order allow,deny
Allow from all
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
#
AuthName "Nagios XI"
#
AuthType Basic
#
AuthUserFile /usr/local/nagiosxi/etc/htpasswd.users
#
Require valid-user
</Directory>
</VirtualHost>
Now add the following to the end of the document, and the lines noted in the overview paragraph:
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
<Directory "/usr/local/nagiosxi/html">
AllowOverride All
</Directory>
</VirtualHost>
Alias /nagiosxi "/usr/local/nagiosxi/html"
When all is said and done the whole document should look like this. This is the overview paragraph:
#NameVirtualHost *:443
<VirtualHost *:80> # Add this line
<Directory "/usr/local/nagiosxi/html">
# SSLRequireSSL
Options None
AllowOverride None
Order allow,deny
Allow from all
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
#
AuthName "Nagios XI"
#
AuthType Basic
#
AuthUserFile /usr/local/nagiosxi/etc/htpasswd.users
#
Require valid-user
</Directory> # Add this line
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
<Directory "/usr/local/nagiosxi/html">
AllowOverride All
</Directory>
</VirtualHost>
Alias /nagiosxi "/usr/local/nagiosxi/html"
Now in the httpd.conf that is in /etc/httpd/conf/httpd.conf add this line to the bottom:
NameVirtualHost *:443
Now restart your httpd service and login to the web interface. If you are unable to login you will need to add the following firewall
exception:
Nagios Enterprises, LLC US: 1-888-NAGIOS-1
P.O. Box 8154
Int'l: +1 651-204-9102
Saint Paul, MN 55108
Fax: +1 651-204-9103
USA
Web: www.nagios.com
Email:[email protected]
Page 2
Copyright © 2010 - 2014 Nagios Enterprises, LLC
Revision 1.0 – July, 2014
Nagios XI - Configuring SSL for Nagios XI
iptables -I INPUT -p tcp --dport 443 -j ACCEPT
service iptables save
Now we will need to edit some Nagios XI files. First thing we'll start off with is editing /usr/local/nagiosxi/html/config.inc.php. Open
that file in a text-editor and change the line:
$cfg['use_https']=false;
To:
$cfg['use_https']=true;
Save and close that file and open up the Nagios XI web
interface.
Navigate to the Admin tab and select Manage System
Config from the System Config side tab.
Change the program URL to https instead of the default
http.
Next, in the web interface, navigate to Configure → Core Config Manager → Config
Manager Admin → Config Manager Settings.
This will bring up the Global CCM Settings page
You will need to change the “Server Protocol” to https as
indicated in the picture to the right.
Click the Save button.
You are now set to use https with your Nagios XI web front-end.
Forcing SSL with a Permanent Redirect
To force all traffic through SSL (even connections originating from port 80), edit the following file as root on the Nagios XI server:
/etc/httpd/conf.d/nagiosxi.conf and add the following line in between the <VirtualHost *:80> and </VirtualHost> tag:
Redirect permanent / https://<Your-XI-Server-Address-or-Hostname>
Nagios Enterprises, LLC US: 1-888-NAGIOS-1
P.O. Box 8154
Int'l: +1 651-204-9102
Saint Paul, MN 55108
Fax: +1 651-204-9103
USA
Web: www.nagios.com
Email:[email protected]
Page 3
Copyright © 2010 - 2014 Nagios Enterprises, LLC
Revision 1.0 – July, 2014
Nagios XI - Configuring SSL for Nagios XI
Then save the file. You file should look like this:
#NameVirtualHost *:443
<VirtualHost *:80> # Add this line
<Directory "/usr/local/nagiosxi/html">
# SSLRequireSSL
Options None
AllowOverride None
Order allow,deny
Allow from all
Redirect permanent / https://<Your-XI-Server-Address-or-Hostname>
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
#
AuthName "Nagios XI"
#
AuthType Basic
#
AuthUserFile /usr/local/nagiosxi/etc/htpasswd.users
#
Require valid-user
</Directory> # Add this line
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
<Directory "/usr/local/nagiosxi/html">
AllowOverride All
</Directory>
</VirtualHost>
Alias /nagiosxi "/usr/local/nagiosxi/html"
Finishing Up
If you have any questions about configuring SSL, you can contact our support team on the Nagios Support Forums:
http://support.nagios.com/forum
Nagios Enterprises, LLC US: 1-888-NAGIOS-1
P.O. Box 8154
Int'l: +1 651-204-9102
Saint Paul, MN 55108
Fax: +1 651-204-9103
USA
Web: www.nagios.com
Email:[email protected]
Page 4
Copyright © 2010 - 2014 Nagios Enterprises, LLC
Revision 1.0 – July, 2014