Issues
- Use newer protocol versions for remote DCOM WMINMS-12788Resolved issue: NMS-12788fooker
- WMI datacollection configuration file include by group nameNMS-11929
- Test DataCollection - WMINMS-11114Resolved issue: NMS-11114Jeff Gehlbach
- Test NRTG on SNMPv2 and v3NMS-11095Resolved issue: NMS-11095fooker
- checkwmi script has java class load errorNMS-10590
- support SMB2 in jcifs MonitorNMS-10194Resolved issue: NMS-10194
- Node label should be able to auto populate from WMINMS-9601
- Enable WMI Opennms Cent OS boxNMS-7279Resolved issue: NMS-7279Seth Leger
- WMI changed naming format for wmiLogicalDisk and wmiPhysicalDisk deviceNMS-7277Resolved issue: NMS-7277
- Add storage & persistence selector strategy support to WMI data collectorNMS-7262Resolved issue: NMS-7262David Schlenk
- WMI collector does not support persistence selectorsNMS-6924Resolved issue: NMS-6924Benjamin Reed
- Add WMI data collection and graphs for paging, disk I/O, and total memoryNMS-6822Resolved issue: NMS-6822Ronny Trommer
- org.opennms.netmgt.config.wmi.Definition package does not existNMS-5997Resolved issue: NMS-5997Benjamin Reed
- I need to create only WMI Connector protocol for my Project,I dont have Experience with Maven.I know tomcat & jboss.Please provide me java code for WMI(using Jinterop) from OpenNMS & it need to be executable in eclipse.provide steps to complete execution.NMS-5989Resolved issue: NMS-5989Benjamin Reed
- checkwmi don't work (WORKAROUND FOUND)NMS-5784
- WMI Capsd plugin mixes up username, domain, and passwordNMS-5707Resolved issue: NMS-5707Jeff Gehlbach
- multiple wmi-collection definitions not supported in wmi-datacollection-config.xmlNMS-5655
- datacollection stops after making changes in "Schedules Outages"NMS-5491Resolved issue: NMS-5491Alejandro Galue
- JCIFS and WMI polling Windows servers with incorrect account credentials and ignoring jcifs.properties filesNMS-5164
- WMI datacollection aliases not longer than 19 charactersNMS-5010Resolved issue: NMS-5010Benjamin Reed
- WMI datacollection stops after changes in Schedules OutagesNMS-4830Resolved issue: NMS-4830Alejandro Galue
- Datacollection for Terminal Services on W2K8+NMS-4763Resolved issue: NMS-4763Ronny Trommer
- WMI timeout parameter ignored and forced to 5 secondsNMS-4258
- WMI: open files leakageNMS-4199Resolved issue: NMS-4199OpenNMS Bug Mailing List
- Add WMI Attributes box on node detail pageNMS-4022
- Labels for collected WMI resources are ambigiousNMS-3805
- No capability to change the namespace from ROOT\CIMV2 on WMI collectorNMS-3639Resolved issue: NMS-3639Benjamin Reed
- WMI caps errorNMS-3600Resolved issue: NMS-3600Jeff Gehlbach
- collecting wmi counters causes exception "Too many open files" in logsNMS-3294Resolved issue: NMS-3294Benjamin Reed
Use newer protocol versions for remote DCOM WMI
Description
Acceptance / Success Criteria
Lucidchart Diagrams
Activity
David Schlenk August 27, 2020 at 7:08 PM
David Schlenk July 13, 2020 at 7:30 PM
I would also point out that very few tests exist for any of this stuff, so beyond the risk presented to TLS operations by the bouncycastle dependency it is probably Very Prudent to do some hands-on testing of each component touched. Happy to assist with that in whatever way I can. In real world testing I can confirm that WMI data collection works, but I haven't done any real world tests of WmiMonitor/detector, SmbMonitor/detector, JcifsMonitor or anything radius related.
Jeff Gehlbach July 7, 2020 at 3:57 PM
We're pulling this issue into the backlog for eng review, but I want to register an important concern about the implementation in the PR.
We excluded out a bunch of implied bouncycastle dependencies years ago because their presence in the classpath was masking JDK-provided JCE classes in some cases, resulting in TLS operations breaking when large key sizes were involved. See for details.
If we do merge this PR, let's be extremely careful to avoid a regression.
David Schlenk July 3, 2020 at 1:55 AM
Ended up being a little more involved to get the JCIFS and SMB monitors to work with the API changes but anyway it's PR #3058. Implementation notes:
the radius monitor was using the JCIFS implementation of MD4 which jcifs-ng removed in favor of BouncyCastle's implementation. No idea if that change actually works!
There's a lot more control over things like timeouts and such in jcifs-ng as you can use different contexts when you're doing different things. Generally speaking I just use the default BaseContext, except for the JCifsMonitor, where I replaced the brute forced implementation of timeout control with the use of a customized context. Cool! Except that timeouts are not behaving like they should. There seems to be a floor of about 5 seconds no matter the timeout you give it, and increasing the timeouts just adds onto that floor. I don't know if this is a big deal or not but I had to adjust the limit on the tests to get them to pass as a result of this behavior.
Yeah I know who in their right mind would care what the remote DCOM WMI code does in the year 2020 but also currently it has two significant deficiencies that are pretty easily rectified:
As is, it uses NTLMv1 for authentication and NTLMv2 for sessions. I didn't know that was possible either, but I found this document helpful in understanding what the various options for NTLM are. Fortunately, turning on full NTLMv2 support involves adding a single line to WmiClient.
Additionally, the version of j-interop and jcifs in use utilize SMBv1 which folks are encouraged to disable and which is no longer installed by default in Server 2016. Fortunately somebody else has already patched them to use SMBv2 and it works pretty okay-ish just by swapping out the jars. A small modification to WmiManager makes it work more betterer, as hosts return an error code about a lack of pipes being available (0x000000AC) when they haven't been queried in awhile, but immediately retrying is successful in every instance I've seen thus far. Will be submitting a PR for this shortly.