Web Authentication

Opsview uses mod_auth_tkt as the mechanism for granting authentication. This provides Single Sign On (SSO) functionality. If you have a valid ticket, then you should get access to the system.

If you do not have a valid ticket, then Opsview will use Catalyst to handle the authentication. By default, authentication occurs based on the password stored for the contact.

Other methods available for configuring Opsview include using LDAP as the authentication system or client SSL certificates.

Note: There may be a limitation if you use IPv6 to connect between your web browser and the Opsview Web application. You can ignore the IP address to overcome this limitation.

Note: If Opsview Web sees an IPv6 address, it will use the IPv4 portion as the requested address. However, we recommend ignoring the IP address, as there are reported problems with the Apache auth_tkt module with IPv6 addresses.

Auth Ticket

If a cookie is found with the name of auth_tkt, then Opsview will try to validate that this cookie is correct.

There are various checks in place:

  • Does a cookie called auth_tkt exist?
  • Is it a valid ticket (based on the shared secret)?
  • Has the ticket expired?
  • If there is a session cookie, does the username in the ticket match the session?
  • Is there a contact in the database with the same username?
    • If so, create the session
    • If not, is authtkt_default_username set in the configuration? Use that contact if set
    • Otherwise, return an error

If all these pass, then the contact is authenticated. Be aware that some dynamic pages are public access, such as viewports, so authentication is not required.

Security of AuthTkt

There are two parts to the security of the auth_tkt:

If this secret or the authtkt_ignore_ip setting is changed and your browser still has the old auth_tkt cookie, then you will get an error on the Opsview login page that says “Invalid authentication ticket”. Users will need to log back in to be given a new, valid auth_tkt.

Contents of Ticket

The ticket, when created by Opsview Web, will also include a list of tokens. This can be parsed by anything that can read the AuthTkt, such as a Perl module or the Apache module.

The tokens describe the access that the user is allowed.

Creating the ticket from an external source

You can use any script to create a valid ticket. We recommend the Perl module at http://search.cpan.org/dist/Apache-AuthTkt/AuthTkt.pm.

You must add the originating IP address into the ticket (which is used to create the hash), otherwise it will get rejected by Opsview. For example, the call using Apache::AuthTkt is:

$cookie_value = $at->ticket( uid => $username, ip_addr => $ip );

The name of the cookie is “auth_tkt”.
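
The following is an added example, not Opsview's or Apache::AuthTkt's own code. It shows why a ticket built without the originating IP, or checked after the secret or the ignore-IP setting has changed, fails validation. It assumes the MD5 digest type of mod_auth_tkt, a ticket that has already been base64-decoded, and a constructed 7200-second timeout; all function names and sample values are hypothetical.

```python
import hashlib
import hmac
import re
import socket
import struct
import time

TICKET_RE = re.compile(r"([0-9a-f]{32})([0-9a-f]{8})([^!]*)!(.*)", re.S | re.I)


def _digest(secret, uid, ip, ts, tokens, data):
    # Inner hash: packed IPv4 + packed timestamp + secret + uid\0tokens\0data.
    # Outer hash: inner hex digest + secret again.
    try:
        packed_ip = socket.inet_aton(ip)
    except OSError:
        raise ValueError("not an IPv4 address: %r" % ip)
    raw = (packed_ip + struct.pack("!I", ts) + secret.encode() + uid.encode()
           + b"\0" + tokens.encode() + b"\0" + data.encode())
    inner = hashlib.md5(raw).hexdigest()
    return hashlib.md5((inner + secret).encode()).hexdigest()


def make_ticket(secret, uid, ip="0.0.0.0", tokens="", data="", ts=None):
    """Build an unencoded ticket; ip="0.0.0.0" corresponds to ignoring the IP."""
    ts = int(time.time()) if ts is None else ts
    body = uid + "!" + (tokens + "!" if tokens else "") + data
    return "%s%08x%s" % (_digest(secret, uid, ip, ts, tokens, data), ts, body)


def check_ticket(ticket, secret, client_ip, ignore_ip=False, timeout=7200, now=None):
    """Return (uid, tokens) or raise ValueError naming the failed check."""
    m = TICKET_RE.fullmatch(ticket)
    if not m:
        raise ValueError("malformed ticket")
    digest, ts, uid, rest = m.group(1).lower(), int(m.group(2), 16), m.group(3), m.group(4)
    tokens, data = rest.split("!", 1) if "!" in rest else ("", rest)
    expected = _digest(secret, uid, "0.0.0.0" if ignore_ip else client_ip, ts, tokens, data)
    if not hmac.compare_digest(expected.encode(), digest.encode()):
        raise ValueError("invalid ticket")
    now = int(time.time()) if now is None else now
    if now - ts > timeout:
        raise ValueError("ticket expired")
    return uid, [t for t in tokens.split(",") if t]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    t = make_ticket("constructed-secret", "alice", ip="192.0.2.10", tokens="tokenA,tokenB")
    print(check_ticket(t, "constructed-secret", "192.0.2.10"))
```
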

Mapping authtkt to a contact

You can map an authtkt user to a specific contact in Opsview. To do this, add this entry into /usr/local/opsview-web/opsview_web_local.yml:

authtkt_default_username: guest

This means that if a valid authtkt is received by Opsview and the username within the ticket does not map to an existing contact in Opsview, then use the user listed here.

Authentication Via Opsview Database

By default, Opsview will authenticate a user based on their password in the Opsview configuration database. This is saved as an Apache hashed password in the database. There are no configuration changes required.

Authentication Via LDAP

See ldap for configuration information.

Authentication Via Client SSL Certificates

See client_ssl_cert for configuration information.