Nagios Support Forum

As suggested by Scott in this thread: https://support.nagios.com/forum/viewto ... hilit=+SSL

it would be safer to use:
instead of:
I tried this and i'm not getting the XPOST curl to work properly.
I have to append the -k as we have an SHA-1 cert in our chain (which will be replaced soon).

Yes I have
in my nagiosxi.conf

Grtz

Willem

It's only available via GET because normally in REST a GET is an action that returns something and a POST is something that creates. It was created as a GET command because it doesn't actually create anything in the system, we can always move it or have it as both but right now you can only do it via a GET.

Edit:

After reading your other post I am with you on hardening the API a bit. I have a few ideas on what we can do to help. We can do a couple things right away:

- Change applyconfig to a POST
- Update the links that open in the browser on the right of the curl to not have the API key included
- Allow disabling of API for users
- Ability to reset API keys when editing user
- Ability to reset your own API key

I'm not sure about the rest of the topics yet we will have to go over them internally to come up with ideas.

I'd like to also point out that if you have a user who has "Can access advanced features" checked they will be able to access the CCM. You can then create the user's account in the CCM to allow them access. This does not auto-login like the admins do, but we can work on adding the ability for it to add a ccm user for you in the future (and possibly auto-login if you do add the ccm user).

Jake,

Thanks for reading my posts and understanding my concerns.

All of the things you can do 'right away' seem ok and necessary to me.

I'm a bit confused about:

we can work on adding the ability for it to add a ccm user for you in the future (and possibly auto-login if you do add the ccm user).

As I never explicitly created a CCM user. I only created XI users and assumed CCM access was given based on the role (admin or non-admin) I just tried creating a user and and admin but I'm not seeing any user appear in the CCM Users page. Only nagiosadmin and nagiosxi users are there. So if I create a user there manually that has the exact same name as an existent user, I can give someone CCM access without being admin... Interesting. I'll have to try this at work, but might need some time.

we can work on adding the ability for it to add a ccm user for you in the future (and possibly auto-login if you do add the ccm user).

Seems like a good idea.

Let us know how it goes. If you want to use a separate CCM logins, you can go to Admin->System Settings, select the "Separate CCM Login" check-box, and click on "Update Settings". Next, go to the CCM->Manage Config Access, and click on "Add New" to add "CCM-only" login users.

Yes I saw that setting Are you saying that I'll have to choose between autologin for all admins or no autologin and CCM-only users. I'd rather keep the autologin feature to be honest. (Or please correct me if I assumed wrong)

Are you saying that I'll have to choose between autologin for all admins or no autologin and CCM-only users.

Yes, this is correct. Even if you created an admin user, if you had the "Separate CCM Login" check-box selected (The old way of CCM authentication), this user wouldn't be able to log in the CCM (unless you created a separate "CCM login" user).

Hmm we like the autologin too much. I'm waiting patiently for an update to the REST API to enable an apply with a POST instead of a GET. Or is there another 100 % secure way to initiate an apply configuration without exposing the admin api key anywhere from Reactor?

What ludmil is saying is somewhat true but the option he is talking about is for ADMINS but for generic users who have access to the CCM (advanced user) you can still create a CCM user and they will be able to access the CCM login page and login with a CCM user. Admins do not have a user in the CCM because of the passthrough login.

Using a GET request will definitely show the entire request in the apache access_log on the XI server.

Below is the way you could get this to work -- the reason I was mentioning it was because it's a bit convoluted and I'd like to make it easier for people to do/manage.

Ok, thanks Jake. But at this time people are used to autologin. I can't tell them now that they will have login a 'third' time to use the CCM. (Once for XI, once for NagVis and a third time for CCM). So I'll wait for a more integrated solution.

So what about:

is there another 100 % secure way to initiate an apply configuration without exposing the admin api key anywhere from Reactor?

We will get the POST version working here and send you a patch if you'd like - otherwise it'll go in the next release. As for the login - yeah, we will be working on a better way to integrate it and hopefully the next feature release I can get that in there.

If you're using XI 5.2.0+ you can use the following file and overwrite the one in /usr/local/nagiosxi/html/api/includes which will let you send the applyconfig command as a POST.