HTTPS login check

Troubleshooting
,
1

CMK version:OMD - Open Monitoring Distribution Version 2.0.0p17.cfe
**OS version: Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-94-generic x86_64)
**
Error message: NO error message

Output of “cmk --debug -vvn hostname”: (If it is a problem with checks or plugins)

Hello,
I am trying to set up HTTPS login check (if log in is working), by placing an URL of the page, which can be accessed only by loging in. When using the browser - this URL is redirected to a login page.
I have entered:
IP of the host, where the requested URL and a login page are situated
URL, which will require logging in and be redirected to login page
USR/PWD combination for the log in
PORT specified in the URL
Autonegotiating SSL…

THE PROBLEM is that if I type the WRONG PWD - I do not get ERROR.
HOW can I test for successful login?

2

Sounds like a classic RobotMK use case.
https://www.robotmk.org/

1 Like
3

Hello,

I am a bit unsure how you setup this in checkmk. If you use the active check " Check HTTP service" you can fill in the Authorization fields.
In the background a very well know nagios plugin check_http is used. You find this plugin in ~/lib/nagios/plugins. As described in the help of the plugin only Basic Auth is possible.
Nevertheless the way I do is that I test everything on command line with the check_http plugin to find the correct options and then define the rule.

I hope that helps

regards

Michael

1 Like
4

Can you please elaborate?
I have tried everything I remembered worth trying, but all the time I have OK result. Even with wrong credentials…

5

My understanding is that you would write a test using one of the libraries of the Robot framework (i.e. the Selenium library).

With RobotMK you would the monitor the execution and results of the test. So the actual testing is not done by Checkmk itself, but by the robot.

Take a look at this video: checkmk conference #7: Tech Session - E2E Monitoring - YouTube
and maybe @simonm can give some additional explanations.

1 Like
6

If your goal is to simply do a basic auth on a HTTPs page, Robotmk would be too heavy imho.
If you are planning to execute additional actions after the authentication, folllow the advise of @elias.voelker .

Could you show your attempts so far with check_http? As @mike1098 already said, it is a good idea to craft the command on the CLI. The instantaneous feedback form the command (use of -v) is very helpful.

2 Likes
7

Here si one “OK” output even without user:pwd pair:

image
image1193×647 21 KB

When I set it up in GUI:
image
It manifests like this:

image
image797×30 2.52 KB

With much much more data transferred (reported) (448 bytes Vs 6361343 bytes)

8

-f follow allows the plugin to access the second page.
(And if I am not wrong you are missing “-u” before the path in the command line. )

1 Like
9

Exactly :slight_smile:
Thank you simonm.
This is the command given:
/lib/nagios/plugins/check_http -I 10.115.86.91 -u /da/DA/Login -f follow -a nn@isp.nn.rs: -v

The output is now the same size as follows (content stripped for privacy reasons):

GET /da/DA/Login HTTP/1.0
User-Agent: check_http/v2.2 (monitoring-plugins 2.2)
Connection: close
Authorization: Basic cmVuYXRhQGlzcC50ZWxla29tLnJzOmR1cm0xdG9yLjc1


http://10.115.86.91:80/da/DA/Login is 6815569 characters
STATUS: HTTP/1.1 200 OK
**** HEADER ****
Server: Oracle GlassFish Server 3.1.2.17
X-Powered-By: JSP/2.2
Cache-Control: private
Set-Cookie: JSESSIONID=4b88a5892b1e2b51fe1d3d39dee5; Path=/da; HttpOnly
Content-Type: text/html;charset=UTF-8
Date: Tue, 24 May 2022 06:19:36 GMT
Connection: close
CONTENT
(importantant part as I understand it)
<BODY onLoad="document.loginForm.elements['Login.LoginID'].focus();">
<form name="loginForm" method="post" action="../DA/Login;jsessionid=4b88a5892b1e2b51fe1d3d39dee5">
  <div id="content">
    <div class="appname">
      <span><H1>Delegated Administrator</H1></span>
    </div>
    <div class="inline_alert">
          <div class="LogErr">
            <table border="0" cellspacing="0" cellpadding="0">
              <tr>
                <td valign="top">
                  
                </td>
              </tr>
            </table>
          </div>
    </div>
    <div class="form">
    <table border="0" cellspacing="0" cellpadding="0">
      <tr>
        <td>
          <span class="LblLev2Txt"><label for="Login.LoginID">Login ID:</label></span>
        </td>
        <td>
          <input type="text" name="Login.LoginID" value="" title="Login ID" class="TxtFld" />
        </td>
      </tr>
      <tr>
        <td>
          <span class="LblLev2Txt"><label for="Login.Password">Password:</label></span>
        </td>
        <td>
          <input type="password" name="Login.Password" value="" title="Password" class="TxtFld" />
        </td>
      </tr>
      <tr>
        <td>&nbsp;</td>
        <td>
          
        </td>
      </tr>
    </table>
    </div>
    <div class="copyright">



HTTP OK: HTTP/1.1 200 OK - 6815569 bytes in 0.132 second response time |time=0.131753s;;;0.000000;10.000000 size=6815569B;;;0

Although I have not provided password - the result is OK (as with provided pwd).

10

Ah ok, for a login form (instead of basic auth) you better should try the rule “Check HTML Form Submit”.

2 Likes
11

Yes! That is the correct check. Do not understand as how I missed it.

However, when I fill the form like this:

Name
DA_login

Check specific host(s)
10.115.86.91

URI to fetch (default is /)
/da/DA/Login

Use SSL/HTTPS for the connection.

Name of the form to populate and submit
loginForm
Send HTTP POST data
usr:pwd

I get the response:
image

12

I think you don’t fill the form properly. Its not a basic auth with username:password.
See this thread with an example.

1 Like
13

Thank you for all the efforts and patience :slight_smile:
I have made corrections but…
Can anyone spot the difference on the picture ? :slight_smile:

image

14

Can you please show the parameters?
Tip: you can also debug the plugin like check_http on the command line. This perhaps better and faster.

1 Like
15

Here are the parameters:
image

Could not find the plugin whose name would suggest the check performed.
EDIT - found it…

~$ sudo /opt/omd/versions/2.0.0p17.cfe/lib/nagios/plugins/check_form_submit -I 10.115.86.91 -u /da/DA/Login -f loginForm  -q username=nn@isp.nn.rs&password=nn
[5] 466235
~$

But still have problem with form name in the WATO.

EDIT - have put “loginForm” instead of loginForm and it works :slight_smile:

16

I would call this a small bug. Because the quotes should not be part of the name…
Great to hear that it worked anyway :+1:

1 Like
17

I have hit another problem/dilemma, described here:

with no apparent solution.

18

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed. Contact an admin if you think this should be re-opened.