Opsview Monitor 6.0 Released: 29 November 2018
It is critical that you read this page BEFORE you start planning for your upgrade/migration to Opsview Monitor 6.0 as the steps to be taken vary depending on your current version of the software.
Please read carefully the documentation associated with the version of Opsview you are currently running and the methods available to start using Opsview Monitor 6.0 Autumn Update.
If this is the first time you are installing Opsview Monitor, please follow the steps in the Installation pages.
If your current version of Opsview Monitor is:
- Opsview Monitor 6.0 EA - single box installation, please follow the update steps on the Upgrading from Opsview Monitor 6.0 Early Adopter page.
NOTE: if you are running Opsview Monitor 6.0 EA where you have manually moved Components (other than the database and collector components) to a different server than the Master server, please contact our Customer Success Team for assistance.
- Opsview Monitor 5.4.2, you can choose to:
- A version older than Opsview Monitor 5.4.2, then
- we recommend that you first upgrade to 5.4.2 and then proceed to an in-place upgrade or migration as documented above.
Opsview take security very seriously so Opsview Monitor 6.0 defaults to using TLSv1.2 for all inter-process communication only. Consequently agents for versions of Opsview Monitor prior to Opsview Monitor 5.4 are unlikely to work without additional configuration to downgrade encryption to use TLSv1.0 or TLSv1.1. We recommend that you upgrade to later versions of Opsview Agents that support TLSv1.2 however if you have an operational need to run older Opsview Agents then a workaround is available to downgrade to use TLSv1.0 or TLSv1.2 for those specific Opsview Agents only.
Please see https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.0 for more information on the issues with using TLSv1.0.
The following Opsview Agents support TLSv1.2 and it is recommended that you upgrade to these versions:
- Opsview Windows Agent (NSClient++) - 0.3.9.509 2017-11-21 or 0.3.9.504 2017-07-04
- CentOS6 - 188.8.131.52811091647
- CentOS 7 - 184.108.40.206811091647
- Debian 7 - 220.127.116.11811091647
- Debian 8 - 18.104.22.168811091647
- Oracle Enterprise Linux 7 - 22.214.171.124811091647
- RHEL 6 - 126.96.36.199811091647
- RHEL 7 - 188.8.131.52811091647
- Ubuntu 14.04 - 184.108.40.206811091647
- Ubuntu 16.04 - 220.127.116.11811091647
Agents or operating systems that do not support TLSV1.2 will need the following workaround to be applied to downgrade to TLSv1.0:
- As root user, run the following:
curl -L https://install.opsview.com/hotfixes/20180905_enable_check_nrpe_tlsv1 | sudo -iu opsview bash
NOTE: if you do not have accesss to the root user, run the following command as the nagios user
curl -L https://install.opsview.com/hotfixes/20180905_enable_check_nrpe_tlsv1 | bash
- Go to Configuration > Apply Changes to apply the changes.
This will modify the Opsview Monitor database to do the following:
- Create a new Variable called NRPE_PROTOCOL and sets the default value to be ''\!SSLv2:\!SSLv3" (which allows TLSv1)
- Adds the argument "-P %NRPE_PROTOCOL%" to the args list of every check_nrpe service check (replacing any other "-P ...." setting)
- Makes the Apply Changes Icon change to indicate that Apply Changes is necessary
- To change the configuration for a limited number of hosts instead of all of them, amend the NRPE_PROTOCOL variable (menu => settings -> variables) to exclude TLSv1 (by using: "\!TLSv1:\!SSLv2:\!SSLv3") and then amend the configuration on an individual host by adding the NRPE_PROTOCOL variable to override arg1 using 'TLSv1'.
Running the workaround steps again will result in a prompt to revert the changes done by the script. This can be done once all agents have been updated to the latest version and all old Linux OS distributions have been upgraded to support the latest TLS versions.
curl -L https://install.opsview.com/hotfixes/20180905_enable_check_nrpe_tlsv1 | sudo -iu nagios bash
This will use /usr/local/nagios/utils/cx to modify the opsview database:
- Removes the argument -P TLSv1 from the arguments list of every check_nrpe service check
NOTE: Apply Changes will have to performed again after running the command above.