Collecting data over WinRM in OpenNMS

Problem:
I am configuring Ws-Man data collector for nodes in OpenNMS. OpenNMS is running on Windows 10 machine.

Configuration is done by following the tutorial: https://www.opennms.com/en/blog/2019-08-28-winrm-in-opennms/.

/etc/kerb5.conf

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
proxiable = false
rdns = false
kdc_timesync = 1
ccache_type = 4
default_realm = MYDOMAIN.LOCAL

[realms]
MYDOMAIN.LOCAL = {
kdc = dc1.mydomain.local
admin_server = dc1.mydomain.local
}

[domain_realm]
.mydomain.local = MYDOMAIN.LOCAL
mydomain.local = MYDOMAIN.LOCAL

/etc/winrm-login.confg

WSManClient {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true
renewTGT=true
debug=true
principal="monitor@MYDOMAIN.LOCAL"
ticketCache="C:/Users/monitor/krb5cc_monitor";
};

I generated ticket cache with java kinit:

kinit monitor@MYDOMAIN.LOCAL

alsto tried with:

kinit -f monitor@MYDOMAIN.LOCAL

/etc/opennms.conf

# Configure WinRM/WSMAN
ADDITIONAL_MANAGER_OPTIONS="${ADDITIONAL_MANAGER_OPTIONS} -Dsun.security.krb5.debug=true"
ADDITIONAL_MANAGER_OPTIONS="${ADDITIONAL_MANAGER_OPTIONS} -Djava.security.krb5.conf=${OPENNMS_HOME}/etc/krb5.conf"
ADDITIONAL_MANAGER_OPTIONS="${ADDITIONAL_MANAGER_OPTIONS} -Djava.security.krb5.realm=MYDOMAIN.LOCAL"
ADDITIONAL_MANAGER_OPTIONS="${ADDITIONAL_MANAGER_OPTIONS} -Djava.security.krb5.kdc=dc1.mydomain.local"
ADDITIONAL_MANAGER_OPTIONS="${ADDITIONAL_MANAGER_OPTIONS} -Djava.security.auth.login.config=${OPENNMS_HOME}/etc/winrm-login.conf"

I also tried with absolute path instead of ${OPENNMS_HOME}.

/etc/collectd-configuration.xml

<service name="WS-Man" interval="300000" user-defined="false" status="on">
   <parameter key="collection" value="default"/>
   <parameter key="thresholding-enabled" value="true"/>
</service>
<collector service="WS-Man" class-name="org.opennms.netmgt.collectd.WsManCollector"/>

/etc/wsman-datacollection-config.xml

<?xml version="1.0"?>
<wsman-datacollection-config rrd-repository="C:/OpenNMS_2.4/share/rrd/snmp/">
    <collection name="default">
        <rrd step="300">
            <rra>RRA:AVERAGE:0.5:1:2016</rra>
            <rra>RRA:AVERAGE:0.5:12:1488</rra>
            <rra>RRA:AVERAGE:0.5:288:366</rra>
            <rra>RRA:MAX:0.5:288:366</rra>
            <rra>RRA:MIN:0.5:288:366</rra>
        </rrd>

        <!--
             Include all of the available system definitions
         -->
        <include-all-system-definitions/>        
    </collection>
</wsman-datacollection-config>

/etc/wsman-config.xml

<?xml version="1.0"?>
<wsman-config retry="3" timeout="30000" ssl="false" strict-ssl="false" path="/wsman">
    <definition ssl="false" strict-ssl="false" port="5985" path="/wsman" gss-auth="true">
        <specific xmlns="">192.168.1.170</specific>
    </definition>
</wsman-config>

In /etc/wsman-datacollection.d, there is microsoft-windows.xml

/etc/poller-configuration.xml

<service name="WS-Man" interval="300000" user-defined="false" status="on">
   <parameter key="retry" value="2"/>
   <parameter key="banner" value="*"/>
   <parameter key="timeout" value="3000"/>
   <parameter key="service-name" value="WinRM"/>
</service>
<monitor service="WS-Man" class-name="org.opennms.netmgt.poller.monitors.WsManMonitor" />

OpenNMS version:

24.1.3

Other relevant data:
When I start OpenNMS and try capability rescan for the client1, I get following error in provisiond.log:

2020-04-10 15:42:52,954 INFO  [scanExecutor-6] o.o.n.p.d.w.WsManDetector: Identify failed for address /192.168.1.170 with endpoint WSManEndpoint[url='http://client1.mydomain.local:5985/wsman', isGSSAuth='true', isBasicAuth='false', isStrictSSL='false', serverVersion='WSMAN_1_0',  maxElements='null', maxEnvelopeSize='null'connectionTimeout='null', receiveTimeout='null'].
org.opennms.core.wsman.exceptions.WSManException: javax.xml.ws.soap.SOAPFaultException: No LoginModules configured for WSManClient
    at org.opennms.core.wsman.cxf.CXFWSManClient.wrapException(CXFWSManClient.java:489) ~[org.opennms.core.wsman.cxf-1.2.3.jar:?]
    at org.opennms.core.wsman.cxf.CXFWSManClient.identify(CXFWSManClient.java:157) ~[org.opennms.core.wsman.cxf-1.2.3.jar:?]
    at org.opennms.netmgt.provision.detector.wsman.WsManDetector.isServiceDetected(WsManDetector.java:91) [org.opennms.features.wsman-24.1.3.jar:?]
    at org.opennms.netmgt.provision.detector.wsman.WsManDetector.detect(WsManDetector.java:74) [org.opennms.features.wsman-24.1.3.jar:?]
    at org.opennms.netmgt.provision.detector.client.rpc.DetectorClientRpcModule$1.get(DetectorClientRpcModule.java:89) [opennms-detectorclient-rpc-24.1.3.jar:?]
    at org.opennms.netmgt.provision.detector.client.rpc.DetectorClientRpcModule$1.get(DetectorClientRpcModule.java:85) [opennms-detectorclient-rpc-24.1.3.jar:?]
    at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1590) [?:1.8.0_172]
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_172]
    at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:1.8.0_172]
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) [?:1.8.0_172]
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) [?:1.8.0_172]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_172]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_172]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_172]
Caused by: javax.xml.ws.soap.SOAPFaultException: No LoginModules configured for WSManClient
    at org.apache.cxf.jaxws.JaxWsClientProxy.mapException(JaxWsClientProxy.java:195) ~[cxf-rt-frontend-jaxws-3.2.8.jar:3.2.8]
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:145) ~[cxf-rt-frontend-jaxws-3.2.8.jar:3.2.8]
    at com.sun.proxy.$Proxy363.identify(Unknown Source) ~[?:?]
    at org.opennms.core.wsman.cxf.CXFWSManClient.identify(CXFWSManClient.java:155) ~[org.opennms.core.wsman.cxf-1.2.3.jar:?]
    ... 12 more
Caused by: java.lang.RuntimeException: No LoginModules configured for WSManClient
    at org.apache.cxf.transport.http.auth.AbstractSpnegoAuthSupplier.getAuthorization(AbstractSpnegoAuthSupplier.java:83) ~[cxf-rt-transports-http-3.2.8.jar:3.2.8]
    at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:37) ~[cxf-rt-transports-http-3.2.8.jar:3.2.8]
    at org.apache.cxf.transport.http.HTTPConduit.setHeadersByAuthorizationPolicy(HTTPConduit.java:811) ~[cxf-rt-transports-http-3.2.8.jar:3.2.8]
    at org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:564) ~[cxf-rt-transports-http-3.2.8.jar:3.2.8]
    at org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:47) ~[cxf-core-3.2.8.jar:3.2.8]
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) ~[cxf-core-3.2.8.jar:3.2.8]
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:531) ~[cxf-core-3.2.8.jar:3.2.8]
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440) ~[cxf-core-3.2.8.jar:3.2.8]
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:355) ~[cxf-core-3.2.8.jar:3.2.8]
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:313) ~[cxf-core-3.2.8.jar:3.2.8]
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96) ~[cxf-rt-frontend-simple-3.2.8.jar:3.2.8]
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:140) ~[cxf-rt-frontend-jaxws-3.2.8.jar:3.2.8]
    at com.sun.proxy.$Proxy363.identify(Unknown Source) ~[?:?]
    at org.opennms.core.wsman.cxf.CXFWSManClient.identify(CXFWSManClient.java:155) ~[org.opennms.core.wsman.cxf-1.2.3.jar:?]
    ... 12 more
Caused by: javax.security.auth.login.LoginException: No LoginModules configured for WSManClient
    at javax.security.auth.login.LoginContext.init(LoginContext.java:264) ~[?:1.8.0_172]
    at javax.security.auth.login.LoginContext.<init>(LoginContext.java:512) ~[?:1.8.0_172]
    at org.apache.cxf.transport.http.auth.AbstractSpnegoAuthSupplier.getToken(AbstractSpnegoAuthSupplier.java:119) ~[cxf-rt-transports-http-3.2.8.jar:3.2.8]
    at org.apache.cxf.transport.http.auth.AbstractSpnegoAuthSupplier.getAuthorization(AbstractSpnegoAuthSupplier.java:80) ~[cxf-rt-transports-http-3.2.8.jar:3.2.8]
    at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:37) ~[cxf-rt-transports-http-3.2.8.jar:3.2.8]
    at org.apache.cxf.transport.http.HTTPConduit.setHeadersByAuthorizationPolicy(HTTPConduit.java:811) ~[cxf-rt-transports-http-3.2.8.jar:3.2.8]
    at org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:564) ~[cxf-rt-transports-http-3.2.8.jar:3.2.8]
    at org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:47) ~[cxf-core-3.2.8.jar:3.2.8]
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) ~[cxf-core-3.2.8.jar:3.2.8]
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:531) ~[cxf-core-3.2.8.jar:3.2.8]
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440) ~[cxf-core-3.2.8.jar:3.2.8]
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:355) ~[cxf-core-3.2.8.jar:3.2.8]
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:313) ~[cxf-core-3.2.8.jar:3.2.8]
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96) ~[cxf-rt-frontend-simple-3.2.8.jar:3.2.8]
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:140) ~[cxf-rt-frontend-jaxws-3.2.8.jar:3.2.8]
    at com.sun.proxy.$Proxy363.identify(Unknown Source) ~[?:?]
    at org.opennms.core.wsman.cxf.CXFWSManClient.identify(CXFWSManClient.java:155) ~[org.opennms.core.wsman.cxf-1.2.3.jar:?]
    ... 12 more

Running check with WSMan CLI returns data, command:

java -Dsun.security.krb5.debug=true -Djava.security.krb5.conf=C:/OpenNMS_2.4/etc/krb5.conf -Djava.security.krb5.realm=MYDOMAIN.LOCAL -Djava.security.krb5.kdc=dc1.mydomain.local -Djava.security.auth.login.config=C:/OpenNMS_2.4/etc/winrm-login.conf -jar C:/wsman_test/org.opennms.core.wsman.cli-1.2.3.jar -gssAuth -r http://client1.mydomain.local:5985/wsman -resourceUri http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/Win32_OperatingSystem -o enum -w WSMAN_1_0 -vvv

Do you have any suggestion or tip?

Hi gb_06,

I am also seeking to get WinRM and WSMan working with Kerberos in OpenNMS. I’m using OpenNMS 27.0.3 and following the same OpenNMS setup guide.

I am getting the same problem you saw: collectd.log has errors “No LoginModules configured for WSManClient”. A longer trace is below. If I change wsman-config.xml to use a username and password (not gss-auth=“true” to use Kerberos), WSMan data is collected fine. It’s not clear if wsman-config.xml needs different formatting or if it is correct and the actual problem is some underlying Kerberos authentication problem.

I’m wondering if you got any further with this issue?

Thanks,
Tim

Caused by: org.opennms.core.wsman.exceptions.WSManException: javax.xml.ws.WebServiceException: java.lang.RuntimeException: No LoginModules configured for WSManClient
        at org.opennms.core.wsman.cxf.CXFWSManClient.wrapException(CXFWSManClient.java:489) ~[org.opennms.core.wsman.cxf-1.2.3.jar:?]
        at org.opennms.core.wsman.cxf.CXFWSManClient.enumerate(CXFWSManClient.java:202) ~[org.opennms.core.wsman.cxf-1.2.3.jar:?]
        at org.opennms.core.wsman.cxf.CXFWSManClient.enumerateAndPull(CXFWSManClient.java:209) ~[org.opennms.core.wsman.cxf-1.2.3.jar:?]
        at org.opennms.core.wsman.cxf.CXFWSManClient.enumerateAndPull(CXFWSManClient.java:284) ~[org.opennms.core.wsman.cxf-1.2.3.jar:?]
        at org.opennms.netmgt.collectd.WsManCollector.collectGroupUsing(WsManCollector.java:210) ~[org.opennms.features.wsman-27.0.3.jar:?]
        at org.opennms.netmgt.collectd.WsManCollector.collect(WsManCollector.java:169) ~[org.opennms.features.wsman-27.0.3.jar:?]
        ... 6 more
Caused by: javax.xml.ws.WebServiceException: java.lang.RuntimeException: No LoginModules configured for WSManClient
        at org.apache.cxf.jaxws.JaxWsClientProxy.mapException(JaxWsClientProxy.java:193) ~[cxf-rt-frontend-jaxws-3.2.8.jar:3.2.8]
        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:145) ~[cxf-rt-frontend-jaxws-3.2.8.jar:3.2.8]
        at com.sun.proxy.$Proxy372.enumerate(Unknown Source) ~[?:?]
        at org.opennms.core.wsman.cxf.CXFWSManClient.enumerate(CXFWSManClient.java:200) ~[org.opennms.core.wsman.cxf-1.2.3.jar:?]
        at org.opennms.core.wsman.cxf.CXFWSManClient.enumerateAndPull(CXFWSManClient.java:209) ~[org.opennms.core.wsman.cxf-1.2.3.jar:?]
        at org.opennms.core.wsman.cxf.CXFWSManClient.enumerateAndPull(CXFWSManClient.java:284) ~[org.opennms.core.wsman.cxf-1.2.3.jar:?]
        at org.opennms.netmgt.collectd.WsManCollector.collectGroupUsing(WsManCollector.java:210) ~[org.opennms.features.wsman-27.0.3.jar:?]
        at org.opennms.netmgt.collectd.WsManCollector.collect(WsManCollector.java:169) ~[org.opennms.features.wsman-27.0.3.jar:?]
        ... 6 more
Caused by: java.lang.RuntimeException: No LoginModules configured for WSManClient
        at org.apache.cxf.transport.http.auth.AbstractSpnegoAuthSupplier.getAuthorization(AbstractSpnegoAuthSupplier.java:83) ~[cxf-rt-transports-http-3.2.8.jar:3.2.8]
        at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:37) ~[cxf-rt-transports-http-3.2.8.jar:3.2.8]
        at org.apache.cxf.transport.http.HTTPConduit.setHeadersByAuthorizationPolicy(HTTPConduit.java:811) ~[cxf-rt-transports-http-3.2.8.jar:3.2.8]
        at org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:564) ~[cxf-rt-transports-http-3.2.8.jar:3.2.8]
        at org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:47) ~[cxf-core-3.2.8.jar:3.2.8]
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) ~[cxf-core-3.2.8.jar:3.2.8]
        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:531) ~[cxf-core-3.2.8.jar:3.2.8]
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440) ~[cxf-core-3.2.8.jar:3.2.8]
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:355) ~[cxf-core-3.2.8.jar:3.2.8]
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:313) ~[cxf-core-3.2.8.jar:3.2.8]
        at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96) ~[cxf-rt-frontend-simple-3.2.8.jar:3.2.8]
        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:140) ~[cxf-rt-frontend-jaxws-3.2.8.jar:3.2.8]
        at com.sun.proxy.$Proxy372.enumerate(Unknown Source) ~[?:?]
        at org.opennms.core.wsman.cxf.CXFWSManClient.enumerate(CXFWSManClient.java:200) ~[org.opennms.core.wsman.cxf-1.2.3.jar:?]
        at org.opennms.core.wsman.cxf.CXFWSManClient.enumerateAndPull(CXFWSManClient.java:209) ~[org.opennms.core.wsman.cxf-1.2.3.jar:?]
        at org.opennms.core.wsman.cxf.CXFWSManClient.enumerateAndPull(CXFWSManClient.java:284) ~[org.opennms.core.wsman.cxf-1.2.3.jar:?]
        at org.opennms.netmgt.collectd.WsManCollector.collectGroupUsing(WsManCollector.java:210) ~[org.opennms.features.wsman-27.0.3.jar:?]
        at org.opennms.netmgt.collectd.WsManCollector.collect(WsManCollector.java:169) ~[org.opennms.features.wsman-27.0.3.jar:?]
        ... 6 more
Caused by: javax.security.auth.login.LoginException: No LoginModules configured for WSManClient
        at javax.security.auth.login.LoginContext.init(LoginContext.java:261) ~[?:?]
        at javax.security.auth.login.LoginContext.<init>(LoginContext.java:501) ~[?:?]
        at org.apache.cxf.transport.http.auth.AbstractSpnegoAuthSupplier.getToken(AbstractSpnegoAuthSupplier.java:119) ~[cxf-rt-transports-http-3.2.8.jar:3.2.8]
        at org.apache.cxf.transport.http.auth.AbstractSpnegoAuthSupplier.getAuthorization(AbstractSpnegoAuthSupplier.java:80) ~[cxf-rt-transports-http-3.2.8.jar:3.2.8]
        at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:37) ~[cxf-rt-transports-http-3.2.8.jar:3.2.8]
        at org.apache.cxf.transport.http.HTTPConduit.setHeadersByAuthorizationPolicy(HTTPConduit.java:811) ~[cxf-rt-transports-http-3.2.8.jar:3.2.8]
        at org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:564) ~[cxf-rt-transports-http-3.2.8.jar:3.2.8]
        at org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:47) ~[cxf-core-3.2.8.jar:3.2.8]
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) ~[cxf-core-3.2.8.jar:3.2.8]
        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:531) ~[cxf-core-3.2.8.jar:3.2.8]
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440) ~[cxf-core-3.2.8.jar:3.2.8]
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:355) ~[cxf-core-3.2.8.jar:3.2.8]
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:313) ~[cxf-core-3.2.8.jar:3.2.8]
        at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96) ~[cxf-rt-frontend-simple-3.2.8.jar:3.2.8]
        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:140) ~[cxf-rt-frontend-jaxws-3.2.8.jar:3.2.8]
        at com.sun.proxy.$Proxy372.enumerate(Unknown Source) ~[?:?]
        at org.opennms.core.wsman.cxf.CXFWSManClient.enumerate(CXFWSManClient.java:200) ~[org.opennms.core.wsman.cxf-1.2.3.jar:?]
        at org.opennms.core.wsman.cxf.CXFWSManClient.enumerateAndPull(CXFWSManClient.java:209) ~[org.opennms.core.wsman.cxf-1.2.3.jar:?]
        at org.opennms.core.wsman.cxf.CXFWSManClient.enumerateAndPull(CXFWSManClient.java:284) ~[org.opennms.core.wsman.cxf-1.2.3.jar:?]
        at org.opennms.netmgt.collectd.WsManCollector.collectGroupUsing(WsManCollector.java:210) ~[org.opennms.features.wsman-27.0.3.jar:?]
        at org.opennms.netmgt.collectd.WsManCollector.collect(WsManCollector.java:169) ~[org.opennms.features.wsman-27.0.3.jar:?]
        ... 6 more

No LoginModules configured for WSManClient

This usually means that Kerberos auth failed, and/or that you’re missing your login.conf, or it’s invalid.

-Djava.security.auth.login.config= should point to a file. What is the content of this file?