changed mysql password; unable to log into ccm

[kendallchenoweth]

I've attempted to change the default mysql password and clearly missed something since when I attempted to apply the changes from the core configuration manager, I've get the error "Backend login to the Core Config Manager failed".

Below are the changes I made to update the mysql password. Can you please help me determine what I missed? Thanks!

Code: Select all

# mysqladmin -u root -pnagiosxi password <newpass>
# cd ~root
# diff automysqlbackup.original automysqlbackup
31c31,32
< PASSWORD=nagiosxi
---
> #PASSWORD=nagiosxi
> PASSWORD=<newpass>
# diff restore_xi.sh restore_xi.sh.original
12,13c12
< #mysqlpass="nagiosxi"
< mysqlpass="<newpass>"
---
> mysqlpass="<newpass>"
diff restore_xi.sh restore_xi.sh.original
12,13c12
< #mysqlpass="nagiosxi"
< mysqlpass="<newpass>"
---
> mysqlpass="<newpass>"
# diff xi-sys.cfg xi-sys.cfg.original
33c33
< mysqlpass='<newpass>'
---
> mysqlpass='nagiosxi'
# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 30551
Server version: 5.1.71 Source distribution

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> set password for 'ndoutils'@'localhost' = password('<newpass>');
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> quit
# pwd
/usr/local/nagiosxi/html
# diff config.inc.php config.inc.php.original
52,53c52
< //            "pwd" => 'n@gweb',
<               "pwd" => '<newpass>,  // block for ndoutils user
---
>               "pwd" => 'n@gweb',
74,75c73
< //            "pwd" => 'n@gweb',
<               "pwd" => '<newpass>',		// block for nagiosql user
---
>               "pwd" => 'n@gweb',
114,115c112
< //            "password" => 'n@gweb',  // this gets reset when security credentials are reset after installation
<               "password" => '<newpass>',  // this gets reset when security credentials are reset after installation – block for nagiosql user
---
>               "password" => 'n@gweb',  // this gets reset when security credentials are reset after installation
219c216
diff config.inc.dist config.inc.dist.original
52,53c52
< //            "pwd" => 'n@gweb',
<               "pwd" => '<newpass>',		// block for ndoutils user
---
>               "pwd" => 'n@gweb',
74,75c73
< //            "pwd" => 'n@gweb',
<               "pwd" => '<newpass>',			// block for nagiosql user
---
>               "pwd" => 'n@gweb',
114,115c112
< //            "password" => 'n@gweb',  // this gets reset when security credentials are reset after installation
<               "password" => '<newpass>',  // this gets reset when security credentials are reset after installation – block for nagiosql user
---
>               "password" => 'n@gweb',  // this gets reset when security credentials are reset after installation
219c216
# pwd
/usr/local/nagiosxi/etc/components
# diff config.inc.saved config.inc.saved.original
52,53c52
< //            "pwd" => 'n@gweb',
<               "pwd" => '<newpass>',		// block for nodutils user
---
>               "pwd" => 'n@gweb',
74,75c73
< //            "pwd" => 'n@gweb',
<               "pwd" => '<newpass>',		// block for nagiosql user
---
>               "pwd" => 'n@gweb',
114,115c112
< //            "password" => 'n@gweb',  // this gets reset when security credentials are reset after installation
<               "password" => '<newpass>',  // this gets reset when security credentials are reset after installation	- block for nagiosql user
---
>               "password" => 'n@gweb',  // this gets reset when security credentials are reset after installation
219c216
# pwd
/usr/local/nagiosxi/html/includes/components/ccm
# diff config.inc.php config.inc.php.original
22,23c22
< //    'password'     => 'n@gweb',
<       'password'     => '<newpass>',		// block for nagisql user
---
>       'password'     => 'n@gweb',
35c34
# diff ccm.inc.php ccm.inc.php.original
130,131c130
< //            $password = grab_array_var($cfg['db_info']['nagiosql'],'pwd','n@gweb');
<               $password = grab_array_var($cfg['db_info']['nagiosql'],'pwd','<newpass>');
---
>               $password = grab_array_var($cfg['db_info']['nagiosql'],'pwd','n@gweb');
705c704
# pwd
/usr/local/nagios/etc
# diff ndo2db.cfg ndo2db.cfg.original
26,27c26
< #db_pass=n@gweb
< db_pass=<newpass>		// block for nodutils
---
> db_pass=n@gweb
# pwd
/usr/local/nagvis/etc
# diff nagvis.ini.php.original  nagvis.ini.php
312c312,313
< dbpass="n@gweb"
---
> ;dbpass="n@gweb"
> dbpass="<newpass>"

[lmiltchev]

Go to Admin->Reset Security Credentials, and click on "Update Credentials", without changing anything, then try to Apply Configuration again. Let us know if this fixed your problem.

[kendallchenoweth]

Didn't work and I had to reset the nagiosadmin password in order to get access to the CCM again.

Can you explain how the postgres, mysql, ndoutils database passwords relate to the XI subsystem ticket, config manager backend password and nagios core backend password?

-Kendall Chenoweth

[lmiltchev]

The "sub-system credentials" are used internally by various systems to communicate with each other. If you want to know more of a specific item, let us know. It's a vast topic to go through all of them. The "component" credentials are used only to reset the nagiosadmin's password to the CCM.

[kendallchenoweth]

I may have found the problem and this is NOT a mysql database password change problem. The certificate and/or http rewrite I created that's causing the problem. When generating the certiciate I had used a wrong file extension; I've now fixed that issue, but the problem behavior/output is the same.

Code: Select all

# ./reconfigure_nagios.sh
PHP Deprecated:  Comments starting with '#' are deprecated in /etc/php.ini on line 432 in Unknown on line 0
URL: http://localhost/nagiosql/index.php
CMDLINE
/usr/bin/wget --save-cookies nagiosql.cookies --keep-session-cookies http://localhost/nagiosql/index.php --no-check-certificate --post-data 'Submit=Login&tfUsername=nagiosxi&tfPassword=0bggt2' -O nagiosql.login--2014-03-10 16:08:47--  http://localhost/nagiosql/index.php
Resolving localhost... ::1, 127.0.0.1
Connecting to localhost|::1|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://localhost/nagiosql/index.php [following]
--2014-03-10 16:08:47--  https://localhost/nagiosql/index.php
Connecting to localhost|::1|:443... connected.
WARNING: cannot verify localhost’s certificate, issued by “/C=US/ST=MA/L=Natick/O=the MathWorks/OU=SSG/CN=nagiosxidev-00-ah/[email protected]”:
  Self-signed certificate encountered.
WARNING: certificate common name “nagiosxidev-00-ah” doesn’t match requested host name “localhost”.
HTTP request sent, awaiting response... 200 OK
Length: 5259 (5.1K) [text/html]
Saving to: “nagiosql.login”

100%[=========================================================>] 5,259       --.-K/s   in 0s

2014-03-10 16:08:47 (192 MB/s) - “nagiosql.login” saved [5259/5259]

NAGIOSQL LOGIN FAILED!

I've narrowed down one directive in the /etc/httpd/conf.d/https.conf that causes the above command above to fail. I've confirmed that all of the database passwords are reset to their defaults. I've isolated this one change to be the root cause of the problem; with this commented out, there is no problem.

UPDATE
I took a clean install of Nagios XI and made only the rewrite rule change to /etc/httpd/conf.d/https.conf and was able to reproduce the problem of applying configuration changes. You should be able to duplicate my issue by taking a stock instance of Nagios XI and restarting httpd after adding the /etc/httpd/conf.d/https.conf file (without any comments) below. I would be very interested in knowing if you can or cannot reproduce the same issue following these steps.

Code: Select all

RewriteEngine On
RewriteCond %{HTTPS} off
#RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

I'm including the commands I used to create the certificate and am trying to resolve the issue. If you see the solution before I do (and update this post), please let me know what I'm doing wrong.

Code: Select all

# cd /etc/pki/tls/private
# openssl genrsa -aes256 -out ca.key.pass 4096
Generating RSA private key, 4096 bit long modulus
.....................++
...........++
e is 65537 (0x10001)
Enter pass phrase for ca.key.pass: <passhrase>
Verifying - Enter pass phrase for ca.key.pass: <passhrase>
# openssl rsa -in ca.key.pass -out ca.key
Enter pass phrase for ca.key.pass: <passhrase>
writing RSA key
[root@nagiosxidev-00-ah private]# openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:MA
Locality Name (eg, city) [Default City]:Natick
Organization Name (eg, company) [Default Company Ltd]:the MathWorks
Organizational Unit Name (eg, section) []:SSG
Common Name (eg, your name or your server's hostname) []:<hostname>
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<password>
An optional company name []:the MathWorks
[root@nagiosxidev-00-ah private]# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=/C=US/ST=MA/L=Natick/O=the MathWorks/OU=SSG/CN=nagiosxidev-00-ah/[email protected]
Getting Private key
# cp ca.crt ../certs
# cd /etc/httpd/conf.d
# cp ssl.conf ssl.conf.original
# diff ssl.conf ssl.conf.original
105,106c105
< #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
< SSLCertificateFile /etc/pki/tls/certs/ca.crt
---
> SSLCertificateFile /etc/pki/tls/certs/localhost.crt
113,114c112
< #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
< SSLCertificateKeyFile /etc/pki/tls/private/ca.key
---
> SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
189,192d186
< <Directory "/usr/local/nagiosxi/html">
<       AllowOverride All
< </Directory>
<

Files created...

Code: Select all

# ls /etc/pki/tls/certs/
ca-bundle.crt  ca-bundle.trust.crt  ca.crt  localhost.crt  make-dummy-cert  Makefile  not_working  renew-dummy-cert
# ls /etc/pki/tls/private
ca.cert  ca.crt  ca.csr  ca.key  ca.key.pass  localhost.key  not_working

Output of ssl.conf

Code: Select all

# cat ssl.conf | grep -v "#"
LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost _default_:443>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

<Directory "/usr/local/nagiosxi/html">
        AllowOverride All
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

ProxyRequests Off
<Proxy *>
        AuthUserFile /usr/local/nagiosxi/etc/htpasswd.users
        AuthName "Nagios Core"
        AuthType Basic
        require valid-user
        Order Deny,allow
        Allow from all
</Proxy>
ProxyPass /nagios/ajaxterm/ http://localhost:8022/
ProxyPassReverse /nagios/ajaxterm/ http://localhost:8022/

</VirtualHost>

Just to help rule out things, I turned iptables off and confirmed that the external URL setting in admin/manage system config is set to empty. I've also restarted the httpd service after each change.

-Kendall Chenoweth

[lmiltchev]

The document below is proven to work.

http://assets.nagios.com/downloads/nagi ... ios_XI.pdf

If you deviate from this doc, we cannot guarantee that your Nagios XI instance will work with SSL.

Did you change the server protocol from "http" to "https" (CCM->Config Manager Admin->Config Manager Settings)?

[kendallchenoweth]

That solved my problem. Thanks for your help. I was working off of this document instead -
http://www.slideshare.net/nagiosinc/spe ... ios-server -
which I didn't see mention that last step. My documentation is now updated and I won't make that mistake again.

-Kendall Chenoweth

[tmcdonald]

Glad to see it's working! Gonna lock this up now, feel free to open another thread if you need.