Nagios XI - Configuring SSL for Nagios XI

The Industry Standard in IT Infrastructure Monitoring

Purpose

This document describes how to set up SSL for Nagios XI. It can also be used as a starting point for troubleshooting SSL connections.

Target Audience

This document is intended for use by Nagios XI Administrators who require encryption.

Installing Necessary Components

Full SSL support requires Nagios XI version 2011R1.6 or later, so if you're using an earlier version, you'll need to upgrade in order for all of the data to display correctly in the XI interface.

Nagios XI comes with most of the SSL components, but just to be sure, open a terminal, log into the Nagios XI server as root, and run the following command:

    yum install mod_ssl openssl -y

Generating a Key

In this demonstration, we will be using a self-signed certificate. If you are running a bigger production environment, you will want to get a certificate from a company like VeriSign. However, for smaller uses, a self-signed certificate should be sufficient.

First, generate the key, the certificate signing request and the certificate:

    openssl genrsa -out ca.key 2048
    openssl req -new -key ca.key -out ca.csr
    openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

Now we need to move the certificate files to a sensible place:

    cp ca.crt /etc/pki/tls/certs
    cp ca.key /etc/pki/tls/private/ca.key
    cp ca.csr /etc/pki/tls/private/ca.csr

Editing the httpd.conf

Now that we have our key, we have to tell httpd where to look for it. In your /etc/httpd/conf.d/ssl.conf, find the SSLCertificateFile and SSLCertificateKeyFile lines and change them to these values:

    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key

Now restart httpd and test your connection to the server by directing your web browser to https://yourservername/ (note there is no nagiosxi/ extension yet). If it returns an error, check your firewall and backtrack through this document, making sure you've done all the steps listed.
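When the browser test fails, the first things to rule out are a certificate that does not belong to the key, an expired certificate, and a private key readable by other users. The following is an added example, not part of the Nagios document; the function names, return codes and the subject /CN=xi.example.test are assumptions, and stat -c assumes GNU coreutils.

```bash
#!/usr/bin/env bash
# Added example, not part of the Nagios document.

# make_demo_pair DIR [DAYS]: the document's three openssl commands, made
# non-interactive with -subj. The subject name is a constructed placeholder.
make_demo_pair() {
    local dir=$1 days=${2:-365}
    openssl genrsa -out "$dir/ca.key" 2048 >/dev/null 2>&1 &&
    openssl req -new -key "$dir/ca.key" -subj "/CN=xi.example.test" \
        -out "$dir/ca.csr" >/dev/null 2>&1 &&
    openssl x509 -req -days "$days" -in "$dir/ca.csr" \
        -signkey "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 &&
    chmod 600 "$dir/ca.key"
}

# check_tls_pair CERT KEY [MIN_DAYS]
# 0 = usable, 2 = file missing, 3 = certificate does not match key,
# 4 = expires within MIN_DAYS, 5 = key readable by group or others.
check_tls_pair() {
    local cert=$1 key=$2 min_days=${3:-30} cert_pub key_pub mode
    [ -r "$cert" ] && [ -r "$key" ] || return 2

    # Both commands print the public key as PEM; the two must be identical.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 3
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || return 3
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 3

    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) \
        >/dev/null 2>&1 || return 4

    # The private key should be readable by its owner only (600 or 400).
    mode=$(stat -c '%a' "$key") || return 5
    case $mode in
        *00) return 0 ;;
        *)   return 5 ;;
    esac
}

# On the Nagios XI server:
#   check_tls_pair /etc/pki/tls/certs/ca.crt /etc/pki/tls/private/ca.key
```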
Now it's time to edit your nagiosxi.conf, which is normally in the same directory as the ssl.conf (/etc/httpd/conf.d/). It should look like this:

    #NameVirtualHost *:443
    <VirtualHost *:80>
    <Directory "/usr/local/nagiosxi/html">
    #  SSLRequireSSL
       Options None
       AllowOverride None
       Order allow,deny
       Allow from all
    #  Order deny,allow
    #  Deny from all
    #  Allow from 127.0.0.1
    #  AuthName "Nagios XI"
    #  AuthType Basic
    #  AuthUserFile /usr/local/nagiosxi/etc/htpasswd.users
    #  Require valid-user
    </Directory>
    </VirtualHost>

Nagios Enterprises, LLC, P.O. Box 8154, Saint Paul, MN 55108, USA. US: 1-888-NAGIOS-1, Int'l: +1 651-204-9102, Fax: +1 651-204-9103. Web: www.nagios.com, Email: sales@nagios.com. Copyright © 2010 - 2014 Nagios Enterprises, LLC. Revision 1.0 – July, 2014.

Now add the following to the end of the file, along with the lines noted in the overview paragraph:

    <VirtualHost *:443>
       SSLEngine on
       SSLCertificateFile /etc/pki/tls/certs/ca.crt
       SSLCertificateKeyFile /etc/pki/tls/private/ca.key
       <Directory "/usr/local/nagiosxi/html">
          AllowOverride All
       </Directory>
    </VirtualHost>
    Alias /nagiosxi "/usr/local/nagiosxi/html"

When all is said and done, the whole file should look like this.
This is the overview paragraph:

    #NameVirtualHost *:443
    <VirtualHost *:80>
    # Add this line (above)
    <Directory "/usr/local/nagiosxi/html">
    #  SSLRequireSSL
       Options None
       AllowOverride None
       Order allow,deny
       Allow from all
    #  Order deny,allow
    #  Deny from all
    #  Allow from 127.0.0.1
    #  AuthName "Nagios XI"
    #  AuthType Basic
    #  AuthUserFile /usr/local/nagiosxi/etc/htpasswd.users
    #  Require valid-user
    </Directory>
    # Add this line (below)
    </VirtualHost>
    <VirtualHost *:443>
       SSLEngine on
       SSLCertificateFile /etc/pki/tls/certs/ca.crt
       SSLCertificateKeyFile /etc/pki/tls/private/ca.key
       <Directory "/usr/local/nagiosxi/html">
          AllowOverride All
       </Directory>
    </VirtualHost>
    Alias /nagiosxi "/usr/local/nagiosxi/html"

Now in the httpd.conf that is in /etc/httpd/conf/httpd.conf, add this line to the bottom:

    NameVirtualHost *:443

Now restart your httpd service and log in to the web interface. If you are unable to log in, you will need to add the following firewall exception:

    iptables -I INPUT -p tcp --dport 443 -j ACCEPT
    service iptables save

Now we will need to edit some Nagios XI files. First, edit /usr/local/nagiosxi/html/config.inc.php. Open that file in a text editor and change the line:

    $cfg['use_https']=false;

To:

    $cfg['use_https']=true;

Save and close that file and open up the Nagios XI web interface. Navigate to the Admin tab and select Manage System Config from the System Config side tab. Change the program URL to https instead of the default http.

Next, in the web interface, navigate to Configure → Core Config Manager → Config Manager Admin → Config Manager Settings.
This will bring up the Global CCM Settings page. You will need to change the “Server Protocol” to https as indicated in the picture to the right. Click the Save button. You are now set to use https with your Nagios XI web front-end.

Forcing SSL with a Permanent Redirect

To force all traffic through SSL (even connections originating from port 80), edit the following file as root on the Nagios XI server:

    /etc/httpd/conf.d/nagiosxi.conf

and add the following line in between the <VirtualHost *:80> and </VirtualHost> tags:

    Redirect permanent / https://<Your-XI-Server-Address-or-Hostname>/

Keep the trailing slash on the target: mod_alias appends the rest of the requested path directly to it.

Then save the file. Your file should look like this:

    #NameVirtualHost *:443
    <VirtualHost *:80>
    # Add this line (above)
    <Directory "/usr/local/nagiosxi/html">
    #  SSLRequireSSL
       Options None
       AllowOverride None
       Order allow,deny
       Allow from all
       Redirect permanent / https://<Your-XI-Server-Address-or-Hostname>/
    #  Order deny,allow
    #  Deny from all
    #  Allow from 127.0.0.1
    #  AuthName "Nagios XI"
    #  AuthType Basic
    #  AuthUserFile /usr/local/nagiosxi/etc/htpasswd.users
    #  Require valid-user
    </Directory>
    # Add this line (below)
    </VirtualHost>
    <VirtualHost *:443>
       SSLEngine on
       SSLCertificateFile /etc/pki/tls/certs/ca.crt
       SSLCertificateKeyFile /etc/pki/tls/private/ca.key
       <Directory "/usr/local/nagiosxi/html">
          AllowOverride All
       </Directory>
    </VirtualHost>
    Alias /nagiosxi "/usr/local/nagiosxi/html"

Finishing Up

If you have any questions about configuring SSL, you can contact our support team on the Nagios Support Forums:

http://support.nagios.com/forum
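To check a finished nagiosxi.conf against the steps above before restarting httpd, the following added example (not part of the Nagios document) reports missing SSL directives in the *:443 virtual host and a missing or slash-less redirect in the *:80 virtual host. The function names, the finding messages and the host name xi.example.test are assumptions; the sample file is constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the Nagios document.

# lint_xi_conf FILE: prints one finding per line; exit status = finding count.
lint_xi_conf() {
    awk '
        /^[ \t]*#/ { next }            # commented-out directives do not count
        { d = tolower($1) }
        d == "<virtualhost"   { port = $2; gsub(/^.*:|>.*$/, "", port); next }
        d == "</virtualhost>" { port = ""; next }
        port == "443" && d == "sslengine" && tolower($2) == "on" { engine = 1 }
        port == "443" && d == "sslcertificatefile"    { cert = 1 }
        port == "443" && d == "sslcertificatekeyfile" { key = 1 }
        port == "80" && d == "redirect" && $NF ~ /^https:\/\// {
            redirect = 1
            # mod_alias appends the rest of the request path to the target
            if ($(NF - 1) == "/" && $NF !~ /\/$/) noslash = 1
        }
        END {
            if (!engine)   { print "*:443 host lacks SSLEngine on"; n++ }
            if (!cert)     { print "*:443 host lacks SSLCertificateFile"; n++ }
            if (!key)      { print "*:443 host lacks SSLCertificateKeyFile"; n++ }
            if (!redirect) { print "*:80 host has no Redirect to https://"; n++ }
            if (noslash)   { print "Redirect target needs a trailing slash"; n++ }
            exit n + 0
        }' "$1"
}

# Constructed sample modelled on the finished file in this document;
# xi.example.test is a placeholder host name.
write_sample_conf() {
    cat > "$1" <<'EOF'
<VirtualHost *:80>
<Directory "/usr/local/nagiosxi/html">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
    Redirect permanent / https://xi.example.test/
</Directory>
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
</VirtualHost>
Alias /nagiosxi "/usr/local/nagiosxi/html"
EOF
}
```

On the server, run lint_xi_conf /etc/httpd/conf.d/nagiosxi.conf; an exit status of 0 means none of the findings apply.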