XI authentication denied to Fusion

[TBT]

While rebuilding our Fusion environment, one of the Fused servers fails to authenticate though the credentials and Fusekey are correct. Looking on the XI host, I've noticed the following on the /var/log/httpd/error_log

[Tue Apr 10 12:49:28 2018] [error] [client IP] File does not exist: /usr/local/nagiosxi/html/api/v1/system
[Tue Apr 10 12:49:28 2018] [error] [client IP] File does not exist: /usr/local/nagiosxi/html/api/v1/authenticate

Please advise.

[scottwilkerson]

somehow depending on how the virtual hosts are setup this host is missing the following from the httpd config it is using

Code: Select all

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule nagiosxi/api/v1/(.*)$ /usr/local/nagiosxi/html/api/v1/index.php?request=$1 [QSA,NC,L]
</IfModule>

Our install scripts try to put it in nagiosxi.conf and the ssl config but sometimes if there are custom virtualhost configs it may need to go in there as well

[TBT]

somehow depending on how the virtual hosts are setup this host is missing the following from the httpd config it is using

Code: Select all

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule nagiosxi/api/v1/(.*)$ /usr/local/nagiosxi/html/api/v1/index.php?request=$1 [QSA,NC,L]
</IfModule>

Our install scripts try to put it in nagiosxi.conf and the ssl config but sometimes if there are custom virtualhost configs it may need to go in there as well

I've added the above to /etc/httpd/conf/httpd.conf and restarted apache. Issue remains.

[scottwilkerson]

Would it be possible for you to PM me the contents of

Code: Select all

/etc/httpd/conf
/etc/httpd/conf.d

Also the version of XI and OS.

Thanks!

[TBT]

I verified your suggested config changes (recommended in private message) on two other working XI hosts and they are configured the same. So I'd rather explore other options.

Another thing I noticed in Fusion under Managed Fused Servers UI is that the successfully added XI hosts Authentication Type is "Session Authentication" where as East (the server in question currently deactivated) indicates "Fusekey Authentication".

fusion-1.PNG

Additionally, during setup I noticed when populating the "Fusedkey" filed along with Username and Password, then running a test, the Fusekey returns an alert even though the addition is successful and working.

fusion-2.PNG

On the East server, both Username and Fusekey return an alert. This of course the overall issue.

fusion-3.PNG

Please advise.

[scottwilkerson]

My config change suggestions were to address directly the error you are seeing which would coorelate directly with not being able to authenticate

Code: Select all

[Tue Apr 10 12:49:28 2018] [error] [client IP] File does not exist: /usr/local/nagiosxi/html/api/v1/system
[Tue Apr 10 12:49:28 2018] [error] [client IP] File does not exist: /usr/local/nagiosxi/html/api/v1/authenticate

If you are getting this error, you are not getting the re-writes set.

Because your configurations has overlapping VirtualHosts, _default_:443 and *:443 you really need to add the code to both to make sure it is going to run.

I believe this is the solution.

[TBT]

My config change suggestions were to address directly the error you are seeing which would coorelate directly with not being able to authenticate

Code: Select all

[Tue Apr 10 12:49:28 2018] [error] [client IP] File does not exist: /usr/local/nagiosxi/html/api/v1/system
[Tue Apr 10 12:49:28 2018] [error] [client IP] File does not exist: /usr/local/nagiosxi/html/api/v1/authenticate

If you are getting this error, you are not getting the re-writes set.

Because your configurations has overlapping VirtualHosts, _default_:443 and *:443 you really need to add the code to both to make sure it is going to run.

I believe this is the solution.

Okay, but given that configs are the same on XI instances I've checked (cloned from the same template) and suggested changes are not present on any, I still don't understand why only one isn't working. Is that not odd to you?

I should also mention that these errors are present on other hosts too, but not the authentication error:

File does not exist: /usr/local/nagiosxi/html/api/v1/objects
File does not exist: /usr/local/nagiosxi/html/api/v1/system

[TBT]

In the meantime, I've gone ahead and applied the config change to nagiosxi.conf on ALL XI hosts and the errors are now gone, but issues remain.

1. Using the Test Fusion Settings with both Fusekey and UID/Password populated returns successful (green icon). However, the host in question still fails on the UID check (red icon), with no error in the httpd log for the XI host.

2. For Fused XI hosts which return successful tests, Authentication Type is Fusekey Authentication. But session pass through doesn't work. The documentation isn't very clear, explaining Fusekey and/or Username and Password. I've tried using both or just UID/Pass and the action simply opens the host URL in a new tab at the login screen. Expected result is session pass-through of account credentials configured for the fused host.

[scottwilkerson]

Ok, it's good to see the errors are gone.

I still don't understand why only one isn't working. Is that not odd to you?

I agree here, but I've seen this happen may time with apache and overlapping VirtualHost configs

1. Using the Test Fusion Settings with both Fusekey and UID/Password populated returns successful (green icon). However, the host in question still fails on the UID check (red icon), with no error in the httpd log for the XI host.

I'm going to reach out to a developer and see if they can comment on if they have seen this.

2. For Fused XI hosts which return successful tests, Authentication Type is Fusekey Authentication. But session pass through doesn't work. The documentation isn't very clear, explaining Fusekey and/or Username and Password. I've tried using both or just UID/Pass and the action simply opens the host URL in a new tab at the login screen. Expected result is session pass-through of account credentials configured for the fused host.

As for the pass through authentication, the users need to set their credentials in their account settings (click username upper right) and then they will be logged into each server.

[cnorell]

Hey TBT,

What versions of Fusion and XI are you currently running?

I am attempting to replicate your issue with testing the Fusion settings, with no luck on the latest releases.