Hi, Henrik
Passing message without encryption among xymon client and server will cause concerns in corporate IT. I know you did some work at previous branches, can you activate this message encryption work or put it on roadmap ?
Thanks
tj
-- T.J. Yang
I would second that. I'm hoping to have Xymon approved at work, but we have to comply with DoD *and* PCI standards. We're not supposed to have unencrypted data moving across the network.
At present, I have a work-around. Instead of using bin/xymon to send messages, I'm using curl to post the message file to https://server.domain.com/xymon/upload.php. On the server side, the upload.php script simply drops the message file into xymon's incoming stream, just as if it were delivered over the net by bin/xymon.
The client side has the server's CA cert to validate the connection and the data flow is encrypted in transit. I could use client certificates as well.
Ralph Mitchell
On Mon, Oct 10, 2011 at 2:58 PM, T.J. Yang <tjyang2001 at gmail.com> wrote:
Hi, Henrik
Passing message without encryption among xymon client and server will cause concerns in corporate IT. I know you did some work at previous branches, can you activate this message encryption work or put it on roadmap ?
Thanks
tj
-- T.J. Yang
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
On Mon, Oct 10, 2011 at 3:26 PM, Ralph Mitchell <ralphmitchell at gmail.com> wrote:
I would second that. I'm hoping to have Xymon approved at work, but we have to comply with DoD *and* PCI standards. We're not supposed to have unencrypted data moving across the network.
At present, I have a work-around. Instead of using bin/xymon to send messages, I'm using curl to post the message file to https://server.domain.com/xymon/upload.php. On the server side, the upload.php script simply drops the message file into xymon's incoming stream, just as if it were delivered over the net by bin/xymon.
Good idea. I almost can copy this approach.
The client side has the server's CA cert to validate the connection and the data flow is encrypted in transit. I could use client certificates as well.
But I think this approach only works for Linux xymon client, since curl is readily available. Preparing curl for other Unix(say HP-UX) and Windows will be a big challenge.
tj
Ralph Mitchell
On Mon, Oct 10, 2011 at 2:58 PM, T.J. Yang <tjyang2001 at gmail.com> wrote:
Hi, Henrik
Passing message without encryption among xymon client and server will cause concerns in corporate IT. I know you did some work at previous branches, can you activate this message encryption work or put it on roadmap ?
Thanks
tj
-- T.J. Yang
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
-- T.J. Yang
At present, I have a work-around. Instead of using bin/xymon to send
messages, I'm using curl to post the message file to https://server.domain.com/xymon/upload.php. On the server side, the upload.php script simply drops the message file into xymon's incoming stream, just as if it were delivered over the net by bin/xymon.
Good idea. I almost can copy this approach.
The client side has the server's CA cert to validate the connection and the data flow is encrypted in transit. I could use client certificates as well.
But I think this approach only works for Linux xymon client, since curl is readily available. Preparing curl for other Unix(say HP-UX) and Windows will be a big challenge.
Actually....
http://curl.haxx.se/download.html
Wanna run it on Haiku? How about an Amiga? :)
On Mon, Oct 10, 2011 at 4:53 PM, Rob Munsch <Munsch at phillycarshare.org>wrote:
At present, I have a work-around. Instead of using bin/xymon to send
messages, I'm using curl to post the message file to https://server.domain.com/xymon/upload.php. On the server side, the upload.php script simply drops the message file into xymon's incoming stream, just as if it were delivered over the net by bin/xymon.
Good idea. I almost can copy this approach.
The client side has the server's CA cert to validate the connection and the data flow is encrypted in transit. I could use client certificates as well.
But I think this approach only works for Linux xymon client, since curl is readily available. Preparing curl for other Unix(say HP-UX) and Windows will be a big challenge.
Actually....
http://curl.haxx.se/download.html
Wanna run it on Haiku? How about an Amiga? :)
Beat me to it... :-) We've got the script running on some IBM AIX boxes here. I think the curl version is something ridiculous, like curl-7.9, but it still delivers. That particular version is not built with SSL, so it won't do secure connections. We have HP-UX as well, but no Xymon client on that (yet).
I've lost *some* functionality, because I'm only installing the shell scripts, not any compiled binaries. That way, if I have to, I can show that it's just a script using utilities supplied along with the OS, same as anyone can type in to discover machine status. Plus it's easier for other people to maintain.
Ralph Mitchell
An HTML attachment was scrubbed... URL: <http://lists.xymon.com/pipermail/xymon/attachments/20111011/195fb177/attachment.html>
That's close to what I am doing using curl to post to a secure web server. Secure http over port 443 is already blessed by management and security. Opening another port requires paperwork...
Ralph Mitchell On Oct 10, 2011 5:34 PM, "Roland Soderstrom" <rolands at logicaltech.com.au> wrote:
This feature would please my managers a lot, getting all traffic encrypted. To me it seems like all the stones are there like SSL, xymond isn't that just an RPC? Just need to put it together. (sounds easy doesn't it)
I had another thought that I haven't played around with yet. Could you create an ssh tunnel and just pipe all xymon traffic through it?
client % ssh -N -g -f -L 1984:xymonserver.local:1984 xymonserver.local -l roland And let XYMSRV be localhost:1984 or something similar...
I don't have a test rig to test it out right now.
- Roland
On 11/10/11 08:07 AM, Ralph Mitchell wrote:
On Mon, Oct 10, 2011 at 4:53 PM, Rob Munsch <Munsch at phillycarshare.org>wrote:
At present, I have a work-around. Instead of using bin/xymon to send
messages, I'm using curl to post the message file to https://server.domain.com/xymon/upload.php. On the server side, the upload.php script simply drops the message file into xymon's incoming stream, just as if it were delivered over the net by bin/xymon.
Good idea. I almost can copy this approach.
The client side has the server's CA cert to validate the connection and the data flow is encrypted in transit. I could use client certificates as well.
But I think this approach only works for Linux xymon client, since curl is readily available. Preparing curl for other Unix(say HP-UX) and Windows will be a big challenge.
Actually....
http://curl.haxx.se/download.html
Wanna run it on Haiku? How about an Amiga? :)
Beat me to it... :-) We've got the script running on some IBM AIX boxes here. I think the curl version is something ridiculous, like curl-7.9, but it still delivers. That particular version is not built with SSL, so it won't do secure connections. We have HP-UX as well, but no Xymon client on that (yet).
I've lost *some* functionality, because I'm only installing the shell scripts, not any compiled binaries. That way, if I have to, I can show that it's just a script using utilities supplied along with the OS, same as anyone can type in to discover machine status. Plus it's easier for other people to maintain.
Ralph Mitchell
Xymon mailing listXymon at xymon.comhttp://lists.xymon.com/mailman/listinfo/xymon
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
An HTML attachment was scrubbed... URL: <http://lists.xymon.com/pipermail/xymon/attachments/20111011/96ba9a78/attachment.html>
On 10/10/11 14:58, T.J. Yang wrote:
Hi, Henrik
Passing message without encryption among xymon client and server will cause concerns in corporate IT. I know you did some work at previous branches, can you activate this message encryption work or put it on roadmap ?
Thanks
tj
Why not use stunnel?
--[snip]-- The stunnel program is designed to work as an SSL encryption wrapper between remote client and local (inetd-startable) or remote server. It can be used to add SSL functionality to commonly used inetd daemons like POP2, POP3, and IMAP servers without any changes in the programs' code --[snip]--
I have used it in quite a few scenarios, including sending Xymon reports to me server from clients (web server, email server etc) on the Internet.
-- Bill Arlofski Reverse Polarity, LLC http://www.revpol.com/
On Mon, Oct 10, 2011 at 2:58 PM, T.J. Yang <tjyang2001 at gmail.com> wrote:
Hi, Henrik
Passing message without encryption among xymon client and server will cause concerns in corporate IT. I know you did some work at previous branches, can you activate this message encryption work or put it on roadmap ?
I was taking another crack at this today and found some interesting things. The xymon command, which delivers messages to the server, can take a URL for a parameter. Also, lurking in xymon-4.3.5/xymonproxy there is a little program called xymoncgimsg, which takes an HTTP-delivered Xymon message and hands it directly to Xymon. I went a step further and poked around in the code to see what was being sent, and came up with this:
Discover the state of some service, including the color. Assemble the report:
MESSAGE="status $MACHINE.$TEST $COLOR
datesome message(s) relating to the test we're reporting"instead of doing: $XYMON $XYMSRV "$MESSAGE" to deliver, do this:
curl -s -S -L --cacert /path/to/secure/xymon-server/cert.pem
-H "Content-Ty[e: application/octet-stream"
-H "MIME-version: 1.0"
-d "$MESSAGE"
https://secure-xymon.server.com/xymon-cgi/xymoncgimsg.cgi
Curl validates the server certificate and manages the encrypted connection. $MESSAGE is shoved down the pipe to the cgi script and directly to xymon.
Ralph Mitchell
participants (5)
-
Munsch@phillycarshare.org
-
ralphmitchell@gmail.com
-
rolands@logicaltech.com.au
-
tjyang2001@gmail.com
-
waa-hobbitml@revpol.com