Set passwords on Netprobe commands
Overview
The user can configure commands in their Gateway which will be executed by the machine running one of the Netprobes to which it is connected. Because there are clearly some security implications in permitting one machine to run a command on a different machine, this functionality is by default password controlled, i.e. the user will be prompted for a password when running such a command. There are several options open when setting this up.
Run with no password
The user may choose to allow commands to run on the Netprobe without any prompting for a password. To do this, the Netprobe executable should be launched with the command line option -nopassword.
Note
For security reasons, it is NOT recommended to allow commands to be run on the Netprobe without password protection. The user may, however, find this option useful for trying things out while initially creating a setup.
If running with no password then, in the configuration of the command itself in the Gateway Setup, the field “Enable Password” should be unticked (which is its default state).
When running as a service on Windows, no password mode can be enabled by any of the following:
- Checking the [Run Netprobe commands with no password] option during the Netprobe Setup Wizard installation,
- Adding the ‘/nopassword’ option during command line installation, or
- Setting NOPASSWORD to true in the registry. See Setting Variables for Netprobe on Windows Platforms for details on how to do this.
Configure the command to prompt for a password
If a password is going to be used with a Netprobe command then, in the configuration of the command itself in the Gateway Setup, the field “Enable Password” should be ticked. This will cause a dialogue to be displayed when the command is run, to allow the user to supply the password. If the command already asks for user input to the command, then the input box for the password will be an additional field in the dialogue displayed for the rest of the user input. Having ticked this field, the user now needs to define the password by one of the methods explained in the two sections below.
Set the password from the Gateway configuration
A password can be specified in the Gateway Setup File configuration (see probes > probe > encodedPassword). The user enters the plain text version of the password that they wish to use into a dialogue in the Gateway Setup Editor. An encoded version of the password is stored in the configuration file generated by the Gateway Setup Editor. When the Gateway connects to the Netprobe, it downloads this password to the Netprobe. Whenever a command to run on the Netprobe is subsequently initiated, the user will be prompted to input the plain text version of the password.
Note
The option to set a password via the configuration is not available with Self-Announcing Netprobes; for these the password must be set on the Netprobe itself.
Set the password on the Netprobe
Alternatively, the password can be set on the Netprobe by setting the ENCODED_PASSWORD variable. For more information, see variables.
To use this method, you first need to generate an encoded password. This is done using the Gateway executable.
On a machine where the Gateway has been installed, run the following command:
<gateway-executable> -pw <plaintext-password>
For example:
gateway2.linux_x64 -pw p@ssw0rd
This command returns the encrypted password string to standard out.
Before you start up the Netprobe, set the encrypted password value in the ENCODED_PASSWORD variable. Once set, the Netprobe prompts for the plaintext password each time you run a Netprobe command.
Only allow a password to be set on the Netprobe
A user may wish to have a security policy on the Netprobe where the password cannot be set via the Gateway configuration and can only be set by using the ENCODED_PASSWORD variable on the Netprobe. This policy can be enforced by setting the variable ALLOW_ENCODED_PASSWORD_DOWNLOAD to false before starting the Netprobe. If this is set to false and the Gateway is configured to download a password, then a message appears in the Netprobe log telling the user that the downloaded password has been ignored. If this variable is not set, then by default the password can be downloaded from the Gateway.
For more information, see variables.
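A pre-launch check for the settings described in the sections above, added here as an example and not taken from the Geneos documentation or product. It assumes the Netprobe variables are passed as environment variables of the launching shell and that only the exact value false disables the download; the function name classify_netprobe_launch and its result labels are hypothetical.

```shell
#!/bin/sh
# Added example (not Geneos code). Assumption: the Netprobe variables
# ENCODED_PASSWORD and ALLOW_ENCODED_PASSWORD_DOWNLOAD are passed as
# environment variables of the shell that launches the Netprobe.

# classify_netprobe_launch [netprobe command line options...]
# Prints one label and returns:
#   0  netprobe-only         password set on the Netprobe, Gateway download refused
#   1  netprobe-and-gateway  password set on the Netprobe, Gateway download still allowed
#   1  gateway-only          no local password; relies on the Gateway configuration
#   2  no-password           -nopassword given, commands run without a prompt
#   2  no-source             download refused and no ENCODED_PASSWORD set
classify_netprobe_launch() {
    for arg in "$@"; do
        if [ "$arg" = "-nopassword" ]; then
            echo "no-password"
            return 2
        fi
    done

    # Assumption of this example: only the exact value "false" counts.
    # Per the page, an unset variable means the Gateway may download a password.
    if [ "${ALLOW_ENCODED_PASSWORD_DOWNLOAD:-}" = "false" ]; then
        download=refused
    else
        download=allowed
    fi

    if [ -n "${ENCODED_PASSWORD:-}" ]; then
        if [ "$download" = "refused" ]; then
            echo "netprobe-only"
            return 0
        fi
        echo "netprobe-and-gateway"
        return 1
    fi

    if [ "$download" = "refused" ]; then
        echo "no-source"
        return 2
    fi
    echo "gateway-only"
    return 1
}

# Report the state of the current environment; pass the same options
# that will be given to the Netprobe executable.
classify_netprobe_launch "$@" || true
```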
Transport Layer Security
Geneos components can communicate using Transport Layer Security (TLS) as well as TCP/IP. This is configured using command line options for a listening Gateway and using the XML setup file for Floating and Self-Announcing Netprobes. For more information, see Secure Communications.