SSL/Basic Auth support about perfservmon HOT 12 CLOSED

A quick fix commit has been done.
A few other related tasks:

• I will soon update documentation/wiki.

• Properly handle httplib.BadStatusLine Error when wrong port+protocol combination is entered.

from perfservmon.

Wow! ... I'm stunned! Thank you!!

from perfservmon.

Hi Dimos

Using -H http works just fine,
./perfservmon.py -C portalCell01 retrieve -N wasadmin:[email protected] -P 10039 -H http
OK - PerfServlet Data refreshed on Sat Dec 10 01:52:47 2016

But using -H https gives me an error
./perfservmon.py -C portalCell01 retrieve -N wasadmin:[email protected] -P 10042 -H https
CRITICAL - Could not open perfservlet URL - [Errno -2] Name or service not known

Btw I found you in bluepages ;)

from perfservmon.

Hello, I haven't tested it with basic auth enabled.
I will take a look at it.
BTW I guess you can wget https://wasadmin:[email protected]:10042/wasPerfTool/servlet/perfservlet from nagios host isn't it? Have you assigned the Perfservlet at a non-default Virtual Host?

from perfservmon.

I tested on a WebSphere Portal server, so I have a "default host" "host alias" for both *:10039, and *:10042, as this are the default ports that portal is using.

I used wget to check that perfservlet was working, and all the following URLs work:
wget -O - --no-proxy https://wasadmin:[email protected]:10039/wasPerfTool/servlet/perfservlet?module=jvmRuntimeModule
wget -O - --no-proxy --no-check-certificate https://wasadmin:[email protected]:10042/wasPerfTool/servlet/perfservlet?module=jvmRuntimeModule
wget -O - --no-proxy --no-check-certificate https://wasadmin:[email protected]:443/wasPerfTool/servlet/perfservlet?module=jvmRuntimeModule

But wget -O - --no-proxy http://wasadmin:[email protected]:80/wasPerfTool/servlet/perfservlet?module=jvmRuntimeModule doesn't work because I've told IHS to rewrite all requests to https://, and don't carry the BA part of the URL over to the rewitten URL thus resulting in a 401.

PS, I wrote a wsadmin script to install perfservlet, which you can get here, https://docs.google.com/document/d/1Y83R0zgeb-ns1zIb_eCzB23ajzjmVphChCxOim56hjw/edit#bookmark=id.mgnntqet769o

from perfservmon.

ohh just realized that setting the BA prefix on my URL only works with perfservmonm if I use a HTTP proxy. I normally have the env variable http_proxy set to http://proxy:3128, And if I unset it, then perfservmon gives me the same error when using -H http, or -H https.

from perfservmon.

Here's a patch to add BA support

339c339
< def retrieveperfxml(path, cellname, ip, port, httpprotocol='http'):
---
> def retrieveperfxml(path, cellname, ip, port, username, password, httpprotocol='http'):
346a347,348
>     :param username: An user which is authorized to access perfservlet
>     :param password: perfservlet authorized user password
354a357,361
>         passman = urllib2.HTTPPasswordMgrWithDefaultRealm()
>         passman.add_password(None, url, username, password)
>         authhandler = urllib2.HTTPBasicAuthHandler(passman)
>         opener = urllib2.build_opener(authhandler)
>         urllib2.install_opener(opener)
416a424,427
>     retrieve_parser.add_argument("-u", type=str, action="store", dest='Username',
>                                  help="Perfservlet authorized user", default='', required=False)
>     retrieve_parser.add_argument("-p", type=str, action="store", dest='Password',
>                                  help="Perfservlet user password", default='', required=False)
506c517
<                                           port=arguments.Port, httpprotocol=arguments.HttpProtocol)
---
>                                           port=arguments.Port, httpprotocol=arguments.HttpProtocol, username=arguments.Username, password=arguments.Password)

Alternatively I can either fork the master, or you can add me as a contributor

from perfservmon.

Thanks for your patch! It would be more convenient to fork the master, merge and make a pull request.

from perfservmon.

@atterdag I have commited a version that handles both HTTPS and Basic Auth and tested it with both Python 2.7.8 and 2.7.12.
I have not changed the Basic Auth username/password parameters, only the way perfservmon handles them.
Can you also test that version?
Many Thanks!

from perfservmon.

@dvarounis

Hi Dimos

Sorry for not being in contact for a while, but it was Christmas vacation, and a bit of a rough start as I got back to work.

I've tested your last version, and I can see that you decided to manually add the BA HTTP header rather than using the password manager as I did in my fork, but your version works just as fine.

However I do have two small comments.

1. Can you make it optional to check for valid certificates? Personally I would rather solve the CA chain validation in my OS rather just ignoring it.
2. Python picks up my shell variable, http_proxy, and tries to send the request through my proxy server. But the proxy server isn't allowed to communicate with non standard HTTP ports (80/tcp, and 443/tcp), and I get a timeout. For most larger WAS environments that I work with, the you run multiple IHS'es on the same server, where each IHS just uses unique ports, and only the LB's are using standard HTTP ports. But the LBs are so far out in a DMZ, that Nagios isn't allowed to talk to those directly, thus I have to retrieve the data from an IHS.

I can make another fork, and add the changes myself if you are pressed for time.

from perfservmon.

Erhm nm regarding the proxy variable. I can always add my IHS'es to my no_proxy variable. duh!

from perfservmon.

@atterdag
Hello Valdemar,
Unfortunatelly I had some issues with password manager (esp. using https connection) so I choose to work with BA HTTP header.

About your Comments:
You are right! Accepting any certificate by default is BAD. I have changed this behaviour in my last commit and optionally added a --ignorecert option for bepassing this behaviour.
Regarding the proxy issue I have no solution. I only assume that the perfservmon can somehow access the Perfselvlet URL, either directly or through an HTTP Server (in Reverse Proxy role).
If you have any other suggestions you are welcome to fork/PR.

Many thanks!

from perfservmon.