This article is no longer relevant due to the release of Checkmk version 2.3.0p15. Please see Werk 17093 for additional details.
Proceed with caution, as Checkmk does not currently support FIPS configurations.
This article is a workaround only!
LAST TESTED ON CHECKMK 2.2.0P1
Step-by-step guide
Please note that this process is not possible if using the Agent Updater, since the Agent Updater cannot pass the needed --nofiledigest option.
Verify if FIPS is already enabled on the system.
$ fips-mode-setup --check FIPS mode is enabled.
If FIPS is not enabled, you will need to enable it using Red Hat's official methods..
The application works with FIPS mode fine, as the following screens show. The problem is that it doesn't install with the MD5-signed RPM.
GNU Privacy Guard (GPG) signatures are digital signatures that verify the authenticity of data or communication.
To find out which signature a file has, you can use the command below:
[LinuxUser~]$ rpm -qp --qf "%{filedigestalgo}\n" check-mk-agent-2.3.0p4-93d660e1b182fc28.noarch.rpm (none) ###a package was downloaded and executed the same command and here its "8" which means SHA-256. [LinuxUser~]$ rpm -qp --qf "%{filedigestalgo}\n" package/openssh-server-8.7p1-38.el9.x86_64.rpm 8
The algorithms are SHA1, SHA256, SHA384, and SHA512, which are represented as 2, 8, 9, and 10 respectively.
If the RPM is signed by SHA256 or the --nofiledigest option is specified, Checkmk should install without fail.[user@redhat8host ~]$ sudo rpm -ivh --nofiledigest check-mk-agent-2.1.0p16-d88c216c6ads3a29.noarch_1.rpm We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. [sudo] password for checkmk: verifying ... #########################################################[100%] preparing ... #########################################################[100%] updating / installing ... l:check-mk-agent-2.1.0p16-3.d88c216######################################################[100%] Deploying systemd units: check-mk-agent-async.service check-mk-agent.socket check-mk-agent@.service cmk-agent-ctl-daemon.service Deployed systemd Creating/updating cmk-agent user account .. WARNING: The agent controller is operating in an insecure mode! To secure the connection run `cmk-agent-ctl register' Activating systemd unit *check-mk-agent-async.service'.. Created symlink /etc/systemd/system/multi-user.target.wants/check-mk-agent-async.service - /usr/lib/systemd/system/check-mk-agent-async.service. Activating systemd unit *check-mk-agent.socket” Created symlink /etc/systemd/system/sockets.target.wants/check-mk-agent.socket ep etstthe - ustf ttorsys teudr /usr/lib/systemd/system/check-mk sys tem/ check-mk-agent. socket. Activating systemd unit *cmk-agent-ctl-daemon.service' ..' Created symlink /etc/systemd/system/multi-user,target.wants/cmk-agent-ctl-daemon.service - /usr/lib/systemd/system/cmk-agent-ctl-daemon.service. [user@redhat8host ~]$
.
While initially, it looks like Checkmk Agent isn't working, please note the “no route to host” error. We will need to enable a few firewall rules within the OS.
Adding Checkmk Agent ports to the firewall.
Add “--permanent” to firewall-cmd to make firewall rules persistent.
Allow port 6556 for both TCP and UDP[user@redhat8host ~]$ sudo firewall-cmd --add-port=6556/tcp success [user@redhat8host ~]$ sudo firewall-cmd --add-port=6556/udp success
[user@redhat8host ~]$ sudo firewall-cmd --list-all public (active) target: default icmp-block-tnverston: no interfaces: ens18 sources: services: cockpit dhcpv6-cllent ssh ports: protocols: forward: no masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: [user@redhat8host ~]$ sudo firewall-cmd --add-port=6556/tcp Success [user@redhat8host ~]$ sudo firewall-cmd --add-port=6556/udp success [user@redhat8host -]$ sudo firewall-cmd --list-all public (active) target: default icmp-block-inversion: no interfaces: ens18 sources: services: cockpit dhcpv6-client ssh ports: 6556/tcp 6556/udp protocols: forward: no masquerade: no forward-ports: source-ports: icnp-blocks: rich rules: [user@redhat8host ~]$
You will then want to rescan the host and accept the changes.
Now we can see that the Check MK agent and Service Discovery are working.
We can now verify that these changes have been applied at the OS level.
.
.
We will need to verify that port 6556 is open for TCP and UDP
[user@redhat8host ~]$ sudo firewall-cmd --list-all public (active) target: default icmp-block-inversion: no interfaces: ens18 sources: services: cockpit dhcpv6-client ssh ports: 6556/tcp 6556/udp protocols: forward: no masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: [user@redhat8host ~]$
.
Now we can verify that the checmk-mk-agent is running correctly.
[user@redhat8host ~]$ systemctl status check-mk-agent.socket check-mk-agent.socket - Local Checkmk agent socket loaded: loaded (/usr/lib/systemd/system/check-mk-agent.socket; enabled; vendor preset: disabled) Active: active (running)/ since Mon 2022.12-12 20:35:07 EST: 49min ago Listen: /run/check-mk-ayent.socket (stream) Accepted: 36; Connected: 0; Tasks: 0 (limit: 24726) Memory: 4.0K CGroup: /system.slice/check-mk-agent.socket Dec 12 20:35:07 redhat8host[1]: Starting Local Checkmk agent socket. Dec 12 20:35:07 redhat8host[1]: Listening on Local checkmk agent socket. [user@redhat8host ~]$
[user@redhat8host ~]$ systemctl status cmk-agent-ctl-daemon.service cmk-agent-ctl-daemon.service - Checkmk agent controller daemon Loaded: loaded (/usr/1ib/systemd/system/cmk-agent.ctl-daemon.service; enabled; vendor preset: disabled) Active: active (listening) since Mon 2022-12-12 20:35:07 EST; 49nin ago Main PID: 4975 (cmk-agent-ctl) Tasks: 3 (limit; 24726) Memory; 10.3M CGroup: /system.slice/cmk-agent-ctl-daemon.service - 4975/usr/bin/cmk-agent-ctl daemon Dec 12 20:35:07 redhat8host systemd[1]: Started Checkmk agent controller daemon. [user@redhat8host ~]$
Related articles