Authentication By Client SSL Certificate

Opsview can be configured to authenticate users with an SSL Client Certificate instead of or in addition to an AuthTKT cookie, LDAP or the in-built authentication routine. Note that each user must still exist in the Opsview system, with a username matching that in the SSL Client Certificate Common Name field.

Apache Configuration

The first step is to set up Apache for SSL Client Certificate authentication. That process is outside the scope of this document, but there are many examples on-line to help.

Once this is done, you must add some additional configuration so that the Opsview application can see the username of the authenticated user. The following directives should be added to the Opsview SSL configuration file for Apache, and then Apache should be restarted:

# Headers added to the proxy request to Opsview, as Opsview cannot see the external
# user certificate nor the Apache environment. Make sure to unset headers first to avoid abuse.
RequestHeader unset X-REMOTE_USER
RequestHeader unset X-SSL_CLIENT_S_DN_CN
# Copy the values Apache authenticated into the request headers. These two "set" lines are not
# in the original listing; they implement the copy described in the text (mod_headers %{VAR}e syntax).
RequestHeader set X-REMOTE_USER "%{REMOTE_USER}e"
RequestHeader set X-SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}e"

When Apache authenticates a user itself, it sets the REMOTE_USER environment variable. However, the Opsview application cannot see the server environment, so the above configuration copies that variable into an HTTP request header which Opsview can see. Note that the request header is first erased (unset), so that a remote client cannot forge the authenticated username by supplying the header itself.

Opsview Configuration

The next step is to configure a new authentication realm for Opsview which uses the Apache authenticated username. This is similar to setting up an authentication realm for LDAP.

You need to edit /usr/local/opsview-web/opsview_web_local.yml on your Opsview master server to include the following, and then restart the opsview-web service:

    certificate:   # realm name; nested under authentication: realms: (nesting reconstructed, the flattened listing kept only the innermost lines)
      credential:
        class: 'Upstream::Headers'
        user_header: 'X-REMOTE_USER'

Users Configuration in Opsview

For each user in the Opsview application that you wish to use this feature, the user Realm configuration must be changed.

Go to Settings, Contacts, then select the user. Change the Authentication Realm to be "certificate".

You will notice that on the Opsview login page, when a client visits with a trusted SSL certificate, the username field is filled in automatically. If the user is configured with the "certificate" realm, they can immediately click the "Sign in" button (without a password). If the user is not configured with this authentication realm, they must still enter a password.

Authentication Fallback

If you'd like users to have the choice of either using Client SSL Certificate, or traditional Password, this is also possible.

You should configure at least two Authentication Realms. One will be for normal password authentication, and the other is the "certificate" entry shown above. To these we add a third realm to configure the fallback list.

For example, the /usr/local/opsview-web/opsview_web_local.yml file on your Opsview master server could look like this:

# Realm/credential/store nesting reconstructed from the Catalyst authentication layout;
# the flattened original listing kept only the innermost lines.
authentication:
  realms:
    certificate:
      credential:
        class: 'Upstream::Headers'
        user_header: 'X-REMOTE_USER'
    ldap:
      credential:
        class: Password
        password_field: password
        password_type: self_check
      store:
        class: LDAP
        # etc...
    fallback:
      class: Fallback
      realms: ['certificate', 'ldap']

With the example above, if the user's browser has access to a compatible client SSL certificate they can use it; otherwise they enter a normal password.

To enable this feature for a user, go to Settings, Contacts, then select the user. Change the Authentication Realm to be "fallback".

More realms can be configured and added to the "realms" list. Opsview will try each entry in turn until either one succeeds for authentication, or all fail.
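The trust chain described in the Apache section and the realm behaviour described in this section, modelled as an added example (not Opsview code): Apache strips any client-supplied identity headers, re-adds them from its own authenticated environment, and the realms decide whether the forwarded header alone is enough. The user table, the "password" realm standing in for the LDAP store, and the helper names are constructed for illustration.

```python
import hmac

# Identity headers Apache must strip from the client request before re-adding its own values.
IDENTITY_HEADERS = ("X-REMOTE_USER", "X-SSL_CLIENT_S_DN_CN")
HEADER_SOURCES = (("X-REMOTE_USER", "REMOTE_USER"),
                  ("X-SSL_CLIENT_S_DN_CN", "SSL_CLIENT_S_DN_CN"))

def apache_forward(client_headers, apache_env):
    """Emulate 'RequestHeader unset ...' followed by copying the authenticated
    REMOTE_USER / SSL_CLIENT_S_DN_CN environment values into the proxied request."""
    # Header names are case-insensitive, so a forged 'x-remote_user' is dropped as well.
    forwarded = {k: v for k, v in client_headers.items() if k.upper() not in IDENTITY_HEADERS}
    for header, env_var in HEADER_SOURCES:
        if env_var in apache_env:
            forwarded[header] = apache_env[env_var]
    return forwarded

# Constructed user table: username -> (authentication realm, password or None).
# The realm is what an administrator sets under Settings > Contacts.
USERS = {
    "alice": ("certificate", None),
    "bob": ("fallback", "bob-secret"),
    "carol": ("password", "carol-secret"),
}

def realm_certificate(headers, username, password):
    """Upstream::Headers behaviour: trust the username Apache placed in X-REMOTE_USER."""
    return headers.get("X-REMOTE_USER") == username

def realm_password(headers, username, password):
    """Stand-in for the password/LDAP realm: constant-time compare against the table."""
    expected = USERS[username][1]
    return expected is not None and password is not None and hmac.compare_digest(expected, password)

REALMS = {
    "certificate": realm_certificate,
    "password": realm_password,
    # Fallback realm: try each listed realm in turn until one succeeds or all fail.
    "fallback": lambda h, u, p: any(REALMS[r](h, u, p) for r in ("certificate", "password")),
}

def authenticate(forwarded_headers, username, password=None):
    """Return True if the named user is authenticated under their configured realm."""
    if username not in USERS:  # the user must already exist in Opsview
        return False
    realm = USERS[username][0]
    return REALMS[realm](forwarded_headers, username, password)
```

Run the forged case with the unset step removed from apache_forward and the client-chosen header reaches authenticate, which is the abuse the Apache comment warns about.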