1) Install httpd-tools on each server where monitoring can possibly run:
sudo yum install httpd-tools
Generate the hashed password:
htpasswd -c passwordfile username
Example:
htpasswd -c passwordfile test
[demo@demo-vm ~]$ cat passwordfile
test:$apr1$01QUySNB$euQKVb6YCAutVijBxNouu1
2) NOMAD and CONSUL password protected
Create the Consul keys for Traefik. Each “$” must be escaped, that is, preceded by a “\” sign:
sudo consul kv put traefik/frontends/nomad/auth/basic/users/0 "test:\$apr1\$01QUySNB\$euQKVb6YCAutVijBxNouu1"
sudo consul kv put traefik/frontends/consul/auth/basic/users/0 "test:\$apr1\$01QUySNB\$euQKVb6YCAutVijBxNouu1"
Now access nomad and consul ui via traefik:
https://127.0.0.1:8443/ui
https://127.0.0.1:8443/consul/ui
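A check for the escaping step above, as an added example that is not part of the original procedure: it validates that an entry still has the user:$apr1$salt$hash shape, shows what an unescaped "$" turns the value into, and stores the entry from the password file through a variable so that no manual escaping is involved. The function names and the CONSUL variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original procedure.
# CONSUL is an assumption of this example: the command used to reach Consul
# ("sudo consul" in this procedure).
CONSUL="${CONSUL:-sudo consul}"

# Succeeds only if $1 has the user:$apr1$salt$hash shape written by htpasswd.
is_apr1_entry() {
    printf '%s\n' "$1" |
        grep -Eq '^[^:]+:\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$'
}

# Prints the line for user $2 from htpasswd file $1.
entry_for_user() {
    awk -F: -v u="$2" '$1 == u { print; exit }' "$1"
}

# What the shell hands to consul when the "$" signs are NOT escaped inside
# double quotes: $apr1 and $euQK... expand to nothing, $0 to the script name.
unescaped_value() (
    set +u
    printf '%s' "test:$apr1$01QUySNB$euQKVb6YCAutVijBxNouu1"
)

# Stores user $2 from file $1 under Consul key $3, then reads the key back.
# The entry travels in a variable, so the shell does not expand its "$" signs.
put_and_verify() {
    entry=$(entry_for_user "$1" "$2")
    is_apr1_entry "$entry" ||
        { echo "no valid apr1 entry for $2 in $1" >&2; return 1; }
    $CONSUL kv put "$3" "$entry" >/dev/null || return 1
    stored=$($CONSUL kv get "$3") || return 1
    [ "$stored" = "$entry" ] ||
        { echo "stored value differs for $3" >&2; return 1; }
}

# Offline demonstration on the sample entry from step 1 (constructed input).
sample='test:$apr1$01QUySNB$euQKVb6YCAutVijBxNouu1'
is_apr1_entry "$sample" && echo "intact:  $sample"
is_apr1_entry "$(unescaped_value)" || echo "mangled: $(unescaped_value)"
```

On a server, after sourcing the functions, `put_and_verify passwordfile test traefik/frontends/nomad/auth/basic/users/0` stores the entry and fails if the value read back differs from the password file.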
3) SERVER MONITORING password protected
Take a backup of the abis-monitoring configuration file and edit it:
cd /etc/innovatrics/conf.d/
sudo cp -pr abis-monitoring.nomad.hcl abis-monitoring.nomad.hcl.bkp
sudo vim abis-monitoring.nomad.hcl
Add the following authentication settings at the end of the service tags (next to the /monitoring_proxy/"):
, "traefik.frontend.auth.basic=test:$apr1$01QUySNB$euQKVb6YCAutVijBxNouu1",
"traefik.frontends.0.auth.basic=test:$apr1$01QUySNB$euQKVb6YCAutVijBxNouu1",
"traefik.frontends.1.auth.basic=test:$apr1$01QUySNB$euQKVb6YCAutVijBxNouu1",
"traefik.frontends.2.auth.basic=test:$apr1$01QUySNB$euQKVb6YCAutVijBxNouu1",
"traefik.frontends.3.auth.basic=test:$apr1$01QUySNB$euQKVb6YCAutVijBxNouu1"
Restart abis-monitoring:
cd /etc/innovatrics/conf.d
sudo nomad stop abis-monitoring
sudo nomad run abis-monitoring.nomad.hcl
Test secured access. Please note that once the password has been entered for one link (e.g. the first), you have to reopen the browser in order to get the login window again for the next link:
https://127.0.0.1:8443/ui
https://127.0.0.1:8443/consul/ui
https://127.0.0.1:8443/liveness/
https://127.0.0.1:8443/version/
https://127.0.0.1:8443/rest/afismq/status/servers
https://127.0.0.1:8443/rest/afismq/status/stats
Example of port forwarding in VirtualBox Manager:
Please also note that port 8443 is used in this procedure only because of the port forwarding set up in the VM. In a real environment there is usually no need to specify a port if traffic goes through traefik.
4) RESTORE PROCEDURE (Disabling password authentication)
cd /etc/innovatrics/conf.d/
sudo cp -pr abis-monitoring.nomad.hcl.bkp abis-monitoring.nomad.hcl
sudo nomad stop abis-monitoring
sudo nomad run abis-monitoring.nomad.hcl
sudo consul kv delete traefik/frontends/nomad/auth/basic/users/0
sudo consul kv delete traefik/frontends/consul/auth/basic/users/0
PLEASE NOTE that it is the customer’s responsibility to disable direct access to the traefik backends (defined in https://<IP>/traefik), such as HTTP access to the abis monitoring, access to the nomad ui on port 4646 and to consul on port 8500.
5) ActiveMQ PASSWORD PROTECTED
sudo vim /opt/innovatrics/external-activemq515/conf/jetty-realm.properties
Change the password, e.g. if the new admin password is borovicka123, edit the line to:
admin: borovicka123, admin
Make sure login is enabled (authenticate set to true) in the securityConstraint bean:
<bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="name" value="BASIC" />
    <property name="roles" value="user,admin" />
    <!-- set authenticate=false to disable login
    <property name="authenticate" value="true" />-->
    <property name="authenticate" value="true" />
</bean>
Note: If the following error is returned when trying to pause AMQ:
curl --user admin:borovicka123 http://127.0.0.1:8161/api/jolokia/exec/org.apache.activemq:brokerName=localhost,destinationName=eafis.applicant,destinationType=Queue,type=Broker/pause
"error_type":"java.lang.exception","error":"java.lang.exception : origin null is not allowed to call this agent","status":403
Check:
/opt/innovatrics/external-activemq515/webapps/api/WEB-INF/classes/jolokia-access.xml
Remove the following 3 lines (the strict-checking part) from jolokia-access.xml. This turns off Jolokia's server-side check of the Origin header:
<cors>
    <strict-checking/>
</cors>
Restart AMQ after editing files:
sudo nomad stop activemq
sudo nomad run /etc/innovatrics/conf.d/activemq.nomad.hcl
Now you can test access to ActiveMQ: http://<IP_Address>:8161/activemq/admin/queues.jsp
Relevant ABIS version: 7.X