This article describes how to use self-signed SSL certificates with the Opsview agent (monitor) and the infrastructure agent (remote end).
If you try to use self-signed certificates with the Agents without making the necessary changes to the agent configuration file and the Web UI, you will see errors like the one below:
CHECK_NRPE: Error Sendng Query To Host
As the directories and ciphers are different, they will need changing:
1. On the Opsview monitor, edit the desired host and click on the Variables sub-tab. Add the variable NRPE_CERTIFICATES (below example).
2. Then add the 2nd variable called NRPE_CIPHERS and override the cipher list with the string 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ADH-AES256-SHA:ADH-AES128-SHA:MD5:DSS'. Then proceed to apply changes.
3. On the remote end, make sure the config is amended as in the example config file below:
/opt/itrs/infrastructure-agent/cfg/agent.yml
- Please note the entries for cert_file and key_file are examples, so adjust them accordingly for your system.
---
# This file has been created as a placeholder for your custom
# configuration overrides. YAML configuration files in the "custom"
# directory will be read in alphanumeric order.
#
server:
  allow_multi_packet_response: true
  allowed_hosts: 0.0.0.0
  bind_address: 0.0.0.0
  housekeeping_interval: 300
  max_active_connections: 15
  max_queued_connections: 30
  max_request_time: 120
  port: 5666
  receive_data_timeout: 5
  tls:
    ca_cert: null
    ca_path: null
    cert_file: '/opt/itrs/infrastructure-agent/var/ejf-ub22-infra-qa-server.crt'
    key_file: '/opt/itrs/infrastructure-agent/var/ejf-ub22-infra-qa-server.key'
    check_client_cert: false
    cipher_suite: ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!aNULL:!MD5:!DSS
    context_options:
      - NO_SSLv3
      - NO_TLSv1
      - NO_TLSv1_1
  tls_enabled: true
  tls_handshake_timeout: 3
After the above has been done, restart the agent for these changes to take effect, then check its status to confirm it is running. If it is not running, you probably have a syntax error within the YAML file:
systemctl restart infrastructure-agent
systemctl status infrastructure-agent
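The monitor-side NRPE_CIPHERS string and the agent's cipher_suite above are not the same list, so it is worth seeing which suites the two ends actually share. The following is an added example, not part of the original article or ITRS code: it expands both strings with Python's ssl module against the local OpenSSL build (function names are hypothetical, and the exact suite names depend on that build).

```python
import ssl

# Cipher strings copied from the article: the NRPE_CIPHERS host variable on the
# Opsview monitor and cipher_suite in the agent's agent.yml.
MONITOR_CIPHERS = ("ECDH+AESGCM:ECDH+AES256:ECDH+AES128:"
                   "ADH-AES256-SHA:ADH-AES128-SHA:MD5:DSS")
AGENT_CIPHERS = "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!aNULL:!MD5:!DSS"


def expand(cipher_string):
    """Expand an OpenSSL cipher string into {suite name: description}.

    TLS 1.3 suites are skipped: OpenSSL configures them separately and
    set_ciphers() has no effect on them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # ssl.SSLError if no suite matches
    return {c["name"]: c["description"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"}


def is_anonymous(description):
    """True when the suite does no certificate authentication (Au=None)."""
    return "Au=None" in description


def compare(monitor=MONITOR_CIPHERS, agent=AGENT_CIPHERS):
    """Return (shared suites, monitor-only suites, anonymous monitor suites)."""
    mon, agt = expand(monitor), expand(agent)
    common = sorted(mon.keys() & agt.keys())
    monitor_only = sorted(mon.keys() - agt.keys())
    anonymous = sorted(n for n, d in mon.items() if is_anonymous(d))
    return common, monitor_only, anonymous


if __name__ == "__main__":
    common, monitor_only, anonymous = compare()
    print(f"Negotiable by both ends ({len(common)}):")
    for name in common:
        print("  ", name)
    print(f"Offered by the monitor only ({len(monitor_only)}):")
    for name in monitor_only:
        print("  ", name)
    print(f"Monitor suites without certificate authentication: {anonymous}")
```

Because the agent string ends in !aNULL:!MD5:!DSS, any anonymous suite listed on the monitor side appears as monitor-only and cannot be negotiated with this agent configuration.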
As an example below from my Opsview monitor, I have successfully established a handshake with the infrastructure agent on the remote end.
If you see any service checks failing with an unknown CHECK_NRPE: Error Sendng Query To Host, you must use -C '%NRPE_CERTIFICATES:1%' -k '%NRPE_CERTIFICATES:2%' -r '%NRPE_CERTIFICATES:3%' -y '%NRPE_CIPHERS:1%'
Edit the service check and then submit changes; all should then be good.
check_nrpe output from my 6.7 system to the infrastructure agent box. Example command with the '-r' option with no value:
check_nrpe -H '10.140.1.155' -c check_cpu_stats -C '/opt/opsview/etc/ssl/ca.crt' -k '/opt/opsview/etc/ssl/ca.pem' -r '' -y 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ADH-AES256-SHA:ADH-AES128-SHA:MD5:DSS'
OK: utilization:0.3%,guest:0.0%,guest_nice:0.0%,iowait:0.0%,irq:0.0%,nice:0.0%,softirq:0.0%,steal:0.1%,system:0.1%,user:0.1%|'guest'=0.00%;;;0;100 'guest_nice'=0.00%;;;0;100 'iowait'=0.02%;;;0;100 'irq'=0.00%;;;0;100 'nice'=0.00%;;;0;100 'softirq'=0.00%;;;0;100 'steal'=0.12%;;;0;100 'system'=0.08%;;;0;100 'user'=0.10%;;;0;100 'utilization'=0.33%;;;0;100
You have now configured your Infrastructure Agent to use self-signed SSL certificates with Opsview service checks.
If you have any further questions:
- Please contact our Client Services team via the chat service box available on any of our websites or via email to support@itrsgroup.com
- Make sure you provide us:
- ANY LOG FILE OR DIAGNOSTIC
- ANY SCREENSHOT