
Security Wallet

Opsview has a feature called Security Wallet, where the aim is to avoid storing passwords for external systems in the filesystem and in the database. The user interface will not display any stored passwords and it will not be possible to retrieve any passwords once they have been set.

Note: If you have any passwords stored in the audit log or any log files before an upgrade, these will not be altered. However, no passwords will be added in any new audit log entries.

The master key file is stored in /usr/local/nagios/etc/sw.key and is randomly generated on installation or upgrade.

If this key file is lost, then all passwords will need to be re-entered.

Nagios has been changed so that the Nagios configuration will hold a special macro, of the form @SW{TYPE:ID:KEYNAME}, which will be expanded just before execution of a plugin.

Where possible, plugins have been updated to hide any sensitive arguments in their command line. Net-SNMP, which provides the snmpget and snmpwalk commands, has been confirmed to hide sensitive arguments in version 5.3.2.2 (on CentOS 5) and 5.4.3 (Debian 7/wheezy).

Attributes

Opsview allows specific arguments to be marked as encrypted.

When this has been chosen, a message will appear to confirm that this is what you want to do.

When you save, the default arg value will be encrypted for the attribute object and all related host attributes will be encrypted as well.

If you decide to mark the arg as unencrypted, then the argument will be cleared from this attribute and all related host attributes. There is no way in the UI to recover these arguments.

On an install of Opsview, we will set the Password argument of the following attributes to be secure:

  • MSSQLCREDENTIALS
  • MYSQLCREDENTIALS
  • ORACREDENTIALS
  • VMWAREGUESTCREDENTIALS
  • VMWAREHOSTCREDENTIALS
  • WINCREDENTIALS

On an upgrade, none of the existing attribute configuration will be converted to be encrypted. We recommend you manually convert the above attribute args to be encrypted.

Database Connection Passwords

Database connection passwords, specified in /usr/local/nagios/etc/opsview.conf, can optionally be encrypted. This is the default for new installations.

To convert passwords to be encrypted, you will need to manually follow the instructions below for each database:

Opsview DB

The process for the Opsview database is:

  • Run /usr/local/nagios/bin/db_opsview db_exists. This will return no output with an exit code of 0 as the credentials will be correct
  • Note the current database password, $dbpasswd, used in the /usr/local/nagios/etc/opsview.conf file
  • Run /usr/local/nagios/bin/opsview_crypt and enter the password when prompted. This will print the encrypted password to screen for cut-and-paste
  • Edit /usr/local/nagios/etc/opsview.conf and set the new encrypted value, eg:
$dbpasswd_encrypted = "53f0990f9ddfaec4769c6facbb93e66bdefcc80cb6913faa74559eeafb5863da";

(The encrypted password will be based on your randomly generated key, so the value above will not work on other systems.)

  • Run /usr/local/nagios/bin/db_opsview db_exists to confirm the database connection works with the new password
  • Remove the previous $dbpasswd value. Run /usr/local/nagios/bin/db_opsview db_exists to confirm the connection still works

Runtime DB

The process for the Runtime database is:

  • Run /usr/local/nagios/bin/db_runtime db_exists. This will return no output with an exit code of 0 as the credentials will be correct
  • Note the current database password, $runtime_dbpasswd, used in the /usr/local/nagios/etc/opsview.conf file
  • Run /usr/local/nagios/bin/opsview_crypt and enter the password when prompted. This will print the encrypted password to screen for cut-and-paste
  • Edit /usr/local/nagios/etc/opsview.conf and set the new encrypted value, eg:
$runtime_dbpasswd_encrypted = "53f0990f9ddfaec4769c6facbb93e66bdefcc80cb6913faa74559eeafb5863da";
  • Run /usr/local/nagios/bin/db_runtime db_exists to confirm the database connection works with the new password
  • Remove the previous $runtime_dbpasswd value. Run /usr/local/nagios/bin/db_runtime db_exists to confirm the connection still works

ODW DB

The process for the ODW database is:

  • Run /usr/local/nagios/bin/db_odw db_exists. This will return no output with an exit code of 0 as the credentials will be correct
  • Note the current database password, $odw_dbpasswd, used in the /usr/local/nagios/etc/opsview.conf file
  • Run /usr/local/nagios/bin/opsview_crypt and enter the password when prompted. This will print the encrypted password to screen for cut-and-paste
  • Edit /usr/local/nagios/etc/opsview.conf and set the new encrypted value, eg:
$odw_dbpasswd_encrypted = "53f0990f9ddfaec4769c6facbb93e66bdefcc80cb6913faa74559eeafb5863da";
  • Run /usr/local/nagios/bin/db_odw db_exists to confirm the database connection works with the new password
  • Remove the previous $odw_dbpasswd value. Run /usr/local/nagios/bin/db_odw db_exists to confirm the connection still works

Dashboard DB

The process for the Dashboard database is:

  • Run /usr/local/nagios/bin/db_dashboard db_exists. This will return no output with an exit code of 0 as the credentials will be correct
  • Note the current database password, $dashboard_dbpasswd, used in the /usr/local/nagios/etc/opsview.conf file
  • Run /usr/local/nagios/bin/opsview_crypt and enter the password when prompted. This will print the encrypted password to screen for cut-and-paste
  • Edit /usr/local/nagios/etc/opsview.conf and set the new encrypted value, eg:
$dashboard_dbpasswd_encrypted = "53f0990f9ddfaec4769c6facbb93e66bdefcc80cb6913faa74559eeafb5863da";
  • Run /usr/local/nagios/bin/db_dashboard db_exists to confirm the database connection works with the new password
  • Remove the previous $dashboard_dbpasswd value. Run /usr/local/nagios/bin/db_dashboard db_exists to confirm the connection still works
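
Each procedure above ends by removing the plaintext value once its encrypted counterpart works. The following is an added example, not part of the Opsview tooling, that audits a copy of opsview.conf for secrets still in plaintext. It assumes a plaintext variable has the same name as its encrypted one without the _encrypted suffix, as the page shows for $dbpasswd and $dbpasswd_encrypted. The function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an opsview.conf-style file for secrets left in plaintext.
# Assumption: a plaintext variable carries the name of its *_encrypted
# counterpart without the suffix ($dbpasswd / $dbpasswd_encrypted on the page).

sw_audit_conf() {
    findings=$(awk -v q="'" '
        /^[ \t]*#/ { next }                         # ignore comment lines
        match($0, /^[ \t]*\$[A-Za-z_][A-Za-z0-9_]*[ \t]*=/) {
            name = substr($0, RSTART, RLENGTH)
            gsub(/[ \t$=]/, "", name)               # keep the bare variable name
            value = substr($0, RSTART + RLENGTH)
            sub(/;.*$/, "", value)                  # drop terminator and trailing comment
            gsub(/[ \t"]/, "", value); gsub(q, "", value)
            if (value != "") set[name] = 1          # only non-empty assignments count
        }
        END {
            for (n in set) {
                if (n ~ /_encrypted$/) {
                    base = substr(n, 1, length(n) - 10)
                    if (base in set) print "PLAINTEXT_REMAINS " base
                } else if (n ~ /(passwd|password|secret)$/ && !((n "_encrypted") in set)) {
                    print "NOT_ENCRYPTED " n
                }
            }
        }' "$1" | sort)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: one conversion finished, one half-done, one not started.
sw_sample_conf() {
    cat <<'EOF'
$dbpasswd_encrypted = "CONSTRUCTED_HEX_1";
$runtime_dbpasswd = "changeme";
$runtime_dbpasswd_encrypted = "CONSTRUCTED_HEX_2";
$odw_dbpasswd = "changeme";
# $dashboard_dbpasswd = "old";
$dashboard_dbpasswd_encrypted = "CONSTRUCTED_HEX_3";
EOF
}

tmp=$(mktemp) && sw_sample_conf > "$tmp"
sw_audit_conf "$tmp" || echo "audit: plaintext secrets found"
rm -f "$tmp"
```

Run it against /usr/local/nagios/etc/opsview.conf after completing the steps above. A non-zero exit means a value still needs converting (NOT_ENCRYPTED) or its old plaintext entry still needs removing (PLAINTEXT_REMAINS).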

SMSGateway DB

The process for the SMSGateway database is:

  • Run bin/check_smsgateway. This will return
     SMSGATEWAY OK |  queued=0 failed=0 total=0 

    if connection parameters are correct and there is nothing in the queue.

  • Note the current database password, $dbpasswd, used in the smsqueued.conf file (Note: This is not the same as the opsview dbpasswd)
  • Run opsview_crypt and enter the password when prompted. This will print the encrypted password to screen for cut-and-paste
  • Edit smsqueued.conf and set the new encrypted value, eg:
$dbpasswd_encrypted = "53f0990f9ddfaec4769c6facbb93e66bdefcc80cb6913faa74559eeafb5863da";
  • Run bin/check_smsgateway to confirm the database connection works with the new password
  • Remove the previous $dbpasswd value. Run bin/check_smsgateway to confirm the connection still works

You will need to do this on each Opsview system (master or slave) where smsgateway is installed.

ServiceDesk Connector DB

The process of encrypting the password for Opsview servicedesk connector DB is:

  • Make sure you have run the grant all on notifications.* to notifications@'%' identified by 'your new password unencrypted here' in your mysql.
  • Run opsview_crypt and enter the new password when prompted for encryption.
  • Edit the YAML config file notifications.yml in 'etc/opt/opsview/notifications' and fill in the encrypted_password string.
  • Send a DB notification to confirm.

Web Authentication

Opsview uses authticket to authenticate to the web application.

On an install, a randomly generated secret will be used and will be encrypted.

On an upgrade, if you have got the old default shared secret (shared-secret-please-change), a new secret will be generated and encrypted. Otherwise, no changes will occur.

To convert your shared secret to be encrypted:

  • Ensure your live Apache includes /usr/local/opsview-web/etc/apache-authtkt.conf
  • Run /usr/local/nagios/bin/opsview_crypt and enter the shared secret to encrypt
  • Edit /usr/local/nagios/etc/opsview.conf and set $authtkt_shared_secret_encrypted="encryptedvalue";
  • Run /usr/local/opsview-web/bin/postinstall to generate the new Apache configuration file
  • Restart opsview-web and apache

Nagios Results Distributor (NRD)

Opsview uses NRD to distribute results from slaves.

On an install, a randomly generated secret will be used and will be encrypted.

On an upgrade, if you have got the default shared secret, no changes will occur.

To convert your shared secret to be encrypted:

  • Run /usr/local/nagios/bin/opsview_crypt and enter the shared secret to encrypt
  • Edit /usr/local/nagios/etc/opsview.conf and set $nrd_shared_secret_encrypted="encryptedvalue";
  • Reload to send settings to all the slaves

NSCA

Opsview starts an NSCA daemon on the Opsview master and slaves for integration with any existing NSCA clients you may use.

On an install, a randomly generated secret will be created. However, as the secret needs to be known to external clients that Opsview does not control, the secret will not be encrypted.

To convert your shared secret to be encrypted:

  • Run /usr/local/nagios/bin/opsview_crypt and enter the shared secret to encrypt
  • Edit /usr/local/nagios/etc/opsview.conf and set $nsca_shared_password_encrypted="encryptedvalue";
  • Reload to generate the nsca.cfg file
  • Restart Opsview to restart the nsca daemon
  • You can now use send_nsca from any NSCA clients

Key and Password Reset Tool

Opsview provides a reset tool which will do the following:

  • Stop Opsview processes.
  • Create new keys for encryption.
  • Back up the current key files used for encryption in the var/sw-migration/ directory.
  • Back up the Opsview databases in the var/sw-migration/ directory.
  • Re-encrypt all the passwords stored in the databases into a temporary store.
  • Re-encrypt all the configuration files into a temporary location.
  • Replace the old encrypted data with the new data.
  • Replace the old configuration files with the new ones.
  • Generate the Nagios configuration.
  • Start opsview and opsview-web.

If your Opsview installation is using distributed monitoring, please stop Opsview on each slave node:

nagios@slave-node$ rc.opsview stop

The command can be run as follows. No arguments are required.

nagios@opsview-master$ securewallet_reset

You will also be asked to restart the Apache HTTPD server manually.

If any Opsview modules have been installed on slave nodes, you will need to re-run the command on each node:

nagios@slave-node$ securewallet_reset

Rollback process

This process prompts for confirmation before proceeding. There is no automatic revert, so if it fails, the user can reinstate the database from the backup which the tool creates and restore all the config files from the same directory, which is var/sw-migration/.

Also move the etc directory back and run the following commands:

nagios@opsview-master$ rc.opsview stop
nagios@opsview-master$ opsview-web stop

To restore the previous databases, the user will now have to run:

nagios@opsview-master$ /usr/local/nagios/bin/db_opsview db_restore < var/backups/sw-migration/opsview_backup.sql
nagios@opsview-master$ /usr/local/nagios/bin/db_dashboard db_restore < var/backups/sw-migration/dashboard_backup.sql

Once the database has been restored, run the following:

nagios@opsview-master$ rc.opsview gen_config
nagios@opsview-master$ opsview-web start

The process stops if the backup steps fail and no changes are made to the system, so the above restore process is not needed in case of backup failure. After the process has finished successfully, the user will have to verify that some of the stored passwords (e.g. service checks, SNMP or notification methods) are still working, as they can be verified without making any changes to the system. If most of them are working, the reset was successful. Otherwise, follow the process above to restore the previous config and database.