Difference between revisions of "Webmin How To Guide"

From Swivel Knowledgebase
Jump to: navigation, search
m (1 revision imported)
(Changing the Web Certificate)
 
(One intermediate revision by one other user not shown)
Line 4: Line 4:
 
= Overview =
 
= Overview =
  
Webmin is a third party package present on Version 2 and Version 3 Swivel Appliances. It has many administrative uses which are of particular use during a support incident, rather than day-to-day administration:  
+
Webmin is a third party package present on Version 2 and Version 3 Swivel Appliances. It has many administrative functions which are of particular use during a support incident, rather than day-to-day administration:
  
* Retrieving files from the Swivel appliance;
+
* Retrieving files from the Swivel appliance (we recommend [[WinSCP How To Guide|WinSCP]] as an alternative);
* Inspecting the MySQL Swivel database;
+
* Inspecting the MariaDB Swivel database;
* Stopping or Starting services.
+
* Stopping or Starting services (Most of these can be managed from the appliance console).
  
 
Webmin is often useful when it is not possible to get a connection using PuTTY or WinSCP over SSH, such as when access is restricted. For more information on using PuTTY and WinSCP, see the [[PuTTY How To Guide]] and [[WinSCP How To Guide]].
 
Webmin is often useful when it is not possible to get a connection using PuTTY or WinSCP over SSH, such as when access is restricted. For more information on using PuTTY and WinSCP, see the [[PuTTY How To Guide]] and [[WinSCP How To Guide]].
Line 16: Line 16:
 
= Prerequisites =
 
= Prerequisites =
  
* Swivel version 2 appliance (hardware or virtual machine) with Webmin installed;
+
* Swivel version 2 or 3 appliance (hardware or virtual machine) with Webmin installed;
* Web browser to connect to the Swivel server: Note that Internet Explorer is not suitable for use with Webmin, for technical reasons;
+
* Web browser to connect to the Swivel server;
 
* Webmin login credentials.
 
* Webmin login credentials.
  
 
= Accessing Webmin =
 
= Accessing Webmin =
 +
<sup><span style="color:red">WARNING: Webmin does NOT start automatically by default on Version 3 Appliances. You can enable Webmin from the CMI menu, under Appliance > Default Running Services > Webmin. Note that this does NOT start Webmin immediately - it just causes it to start automatically when the appliance starts. To start it immediately, use Appliance > Start or Stop Services.</span></sup>
  
The default credentials are:
+
The default URL for Webmin is:
  
Username: admin
+
<nowiki>https://192.168.0.35:10000/</nowiki>
Password: lockbox
 
  
The default URL for Webmin is:
+
(where 192.168.0.35 is replaced by your Swivel appliance IP. By default a single appliance is 192.168.0.35 and primary and secondary appliances are by default 192.168.0.36 and 192.168.0.37 respectively).
  
https://192.168.0.35:10000/
 
  
(where 192.168.0.35 is replaced by your Swivel appliance IP. By default a single appliance is 192.168.0.35 and primary and secondary appliances are by default 192.168.0.36 and 192.168.0.37 respectively).
+
The default credentials are:
  
 +
*Username: admin
 +
*Password: lockbox
  
 +
Note that the Webmin password is not changed when you change the appliance console password. You must change the Webmin password within Webmin itself.
 
= Logging in =
 
= Logging in =
  
Using a Web browser, visit the URL given above (https://192.168.0.35:10000/) using the IP address or hostname you have assigned to your Swivel appliance.
+
Using a Web browser, visit the URL given above (<nowiki>https://192.168.0.35:10000/</nowiki>) using the IP address or hostname you have assigned to your Swivel appliance.
  
You should reach the following page, where you can enter the default credentials given above, to login:
+
You should reach the following page, where you can enter the default credentials given above, to login (the former on v2 and the latter on v3):
  
[[Image:Webmin login page.PNG|550px]]
+
[[Image:Webmin login page.PNG|550px]][[Image:Webmin login pageV3.PNG|523px]]
  
  
Line 53: Line 55:
 
= Webmin guides =
 
= Webmin guides =
  
[[128-bit encryption enforcement How to Guide]]
+
[[Ciphers_How_To_Guide#Restrict_Webmin_SSL_Ciphers|128-bit encryption enforcement How to Guide]]
  
 
= Troubleshooting =
 
= Troubleshooting =
  
 
== Changing the Web Certificate ==
 
== Changing the Web Certificate ==
 +
 +
=== Generate a New Certificate ===
  
 
The instructions below describe how to install a 2048-bit certificate for Webmin (original source: http://blog.rimuhosting.com/2014/11/18/webmin-sec-err-invalid-key/).
 
The instructions below describe how to install a 2048-bit certificate for Webmin (original source: http://blog.rimuhosting.com/2014/11/18/webmin-sec-err-invalid-key/).
  
* Log into the appliance console.
+
* Log into the appliance console.
* Go to Advanced Menu, Command Line. If you do not know the command line password, please contact support@swivelsecure.com
+
* Go to Advanced Menu, Command Line. If you do not know the command line password, please contact support@swivelsecure.com
* Enter the following commands:
+
* Enter the following commands:
  
 
  file=/etc/webmin/miniserv.pem
 
  file=/etc/webmin/miniserv.pem
Line 76: Line 80:
 
In the above commands, replace the subject with values appropriate to your own country, state, city, company and server name.
 
In the above commands, replace the subject with values appropriate to your own country, state, city, company and server name.
  
== Cannot Access Webmin ==
+
=== Using an Existing Certificate ===
 +
 
 +
If you already have a certificate that is suitable for use - for example, if you want to re-use the same certificate as Tomcat uses, you can convert it to the correct format using [[Keystore Explorer]].
  
Is port 10000 being specified?
+
* Open the certificate (PFX or Java Keystore) in Keystore Explorer.
 +
* Right-click on the certificate, click Export then Export Key Pair.
 +
* Select PEM as the format and don’t enter a password. Save the file.
 +
* Upload the resulting file to the appliance.
 +
* From the appliance command line, take a backup of /etc/webmin/miniserv.pem
 +
* Copy your new PEM certificate and overwrite /etc/webmin/miniserv.pem.
 +
* Restart webmin as above.
  
Is network access to the appliance available, can you ping the appliance?
+
== Cannot Access Webmin ==
  
Is port 10000 blocked by a firewall? Can you telnet to port 10000
+
<p class="note">'''NOTE''' On a Version 3 Appliance, the Webmin service is now disabled by default and must be enabled via the CMI menu (Main Menu -> Appliance -> Start or Stop Services -> Start webmin).</p>
  
Is SSL specified in the request using https?
+
* Is port 10000 being specified in the browser address bar?
 +
* Is network access to the appliance available, can you ping the appliance?
 +
* Is port 10000 blocked by an intermediary firewall? Can you telnet to port 10000 from your workstation?
 +
* Is SSL specified in the request using https?
  
  
Line 106: Line 121:
  
 
=== Webmin not running? ===
 
=== Webmin not running? ===
 +
 +
<p class="note">'''NOTE''' On a Version 3 Appliance, the Webmin service is now disabled by default and must be enabled via the CMI menu (Main Menu -> Appliance -> Start or Stop Services -> Start webmin).</p>
  
 
If you find that you cannot obtain Webmin access, check to see that Webmin is listening for connections. Login to the appliance via SSH using PuTTY (see the [[PuTTY How To Guide]]) and get to the command line:
 
If you find that you cannot obtain Webmin access, check to see that Webmin is listening for connections. Login to the appliance via SSH using PuTTY (see the [[PuTTY How To Guide]]) and get to the command line:
Line 160: Line 177:
 
== Webmin inaccessible after patch upgrade ==
 
== Webmin inaccessible after patch upgrade ==
  
Edit the file /etc/webmin/miniserv.conf locate the line ssl_version=10 line and remove it. Restart webim with;
+
Edit the file /etc/webmin/miniserv.conf locate the line ssl_version=10 line and remove it. Restart webmin with;
  
service webmin restart
+
service webmin restart
  
  

Latest revision as of 13:23, 1 April 2021


Overview

Webmin is a third party package present on Version 2 and Version 3 Swivel Appliances. It has many administrative functions which are of particular use during a support incident, rather than day-to-day administration:

  • Retrieving files from the Swivel appliance (we recommend WinSCP as an alternative);
  • Inspecting the MariaDB Swivel database;
  • Stopping or Starting services (Most of these can be managed from the appliance console).

Webmin is often useful when it is not possible to get a connection using PuTTY or WinSCP over SSH, such as when access is restricted. For more information on using PuTTY and WinSCP, see the PuTTY How To Guide and WinSCP How To Guide.

This article describes how to login to Webmin on an appliance. To discover more about how Webmin can be used to support Swivel, see the Common Uses for Webmin section below.

Prerequisites

  • Swivel version 2 or 3 appliance (hardware or virtual machine) with Webmin installed;
  • Web browser to connect to the Swivel server;
  • Webmin login credentials.

Accessing Webmin

WARNING: Webmin does NOT start automatically by default on Version 3 Appliances. You can enable Webmin from the CMI menu, under Appliance > Default Running Services > Webmin. Note that this does NOT start Webmin immediately - it just causes it to start automatically when the appliance starts. To start it immediately, use Appliance > Start or Stop Services.

The default URL for Webmin is:

https://192.168.0.35:10000/

(where 192.168.0.35 is replaced by your Swivel appliance IP. By default a single appliance is 192.168.0.35 and primary and secondary appliances are by default 192.168.0.36 and 192.168.0.37 respectively).


The default credentials are:

  • Username: admin
  • Password: lockbox

Note that the Webmin password is not changed when you change the appliance console password. You must change the Webmin password within Webmin itself.

Logging in

Using a Web browser, visit the URL given above (https://192.168.0.35:10000/) using the IP address or hostname you have assigned to your Swivel appliance.

You should reach the following page, where you can enter the default credentials given above, to login (the former on v2 and the latter on v3):

Webmin login page.PNGWebmin login pageV3.PNG


Once logged in, you should see the following screen:

Webmin logged in.PNG


If for some reason you cannot establish a connection to the web page, then consult the Troubleshooting section below.


Webmin guides

128-bit encryption enforcement How to Guide

Troubleshooting

Changing the Web Certificate

Generate a New Certificate

The instructions below describe how to install a 2048-bit certificate for Webmin (original source: http://blog.rimuhosting.com/2014/11/18/webmin-sec-err-invalid-key/).

  • Log into the appliance console.
  • Go to Advanced Menu, Command Line. If you do not know the command line password, please contact support@swivelsecure.com
  • Enter the following commands:
file=/etc/webmin/miniserv.pem
 
openssl req -x509 -newkey rsa:2048 -keyout $file  -out $file -days 3650 -nodes -subj \
 "/C=GB/ST=West Yorkshire/L=Wetherby/O=Swivel Secure/CN=pinsafe.swivelsecure.com"
 
openssl x509 -x509toreq -in $file -signkey $file >> $file
 
service webmin restart

In the above commands, replace the subject with values appropriate to your own country, state, city, company and server name.

Using an Existing Certificate

If you already have a certificate that is suitable for use - for example, if you want to re-use the same certificate as Tomcat uses, you can convert it to the correct format using Keystore Explorer.

  • Open the certificate (PFX or Java Keystore) in Keystore Explorer.
  • Right-click on the certificate, click Export then Export Key Pair.
  • Select PEM as the format and don’t enter a password. Save the file.
  • Upload the resulting file to the appliance.
  • From the appliance command line, take a backup of /etc/webmin/miniserv.pem
  • Copy your new PEM certificate and overwrite /etc/webmin/miniserv.pem.
  • Restart webmin as above.

Cannot Access Webmin

NOTE On a Version 3 Appliance, the Webmin service is now disabled by default and must be enabled via the CMI menu (Main Menu -> Appliance -> Start or Stop Services -> Start webmin).

  • Is port 10000 being specified in the browser address bar?
  • Is network access to the appliance available, can you ping the appliance?
  • Is port 10000 blocked by an intermediary firewall? Can you telnet to port 10000 from your workstation?
  • Is SSL specified in the request using https?


IE / Firefox will not login to Webmin

This affects appliance versions up to 2.0.14 and is due to Internet Explorer preventing login to websites with key lengths of less than 1024 bits. Recent versions of Firefox also exhibit the same behaviour. Use another web browser to access the appliance or upgrade to a more recent version of appliance.

If you do not wish to use an alternative browser, then you can enable the "Continue to this website" button in IE, by running the following command on the Windows Command Line:

certutil -setreg chain\minRSAPubKeyBitLength 512

This is mentioned in the article:

http://support.microsoft.com/kb/2661254

If you want to revert this change, run:

certutil -delreg chain\MinRsaPubKeyBitLength

If you prefer to update your certificate to 2048 bits, use the routine detailed above to change the certificate.

Webmin not running?

NOTE On a Version 3 Appliance, the Webmin service is now disabled by default and must be enabled via the CMI menu (Main Menu -> Appliance -> Start or Stop Services -> Start webmin).

If you find that you cannot obtain Webmin access, check to see that Webmin is listening for connections. Login to the appliance via SSH using PuTTY (see the PuTTY How To Guide) and get to the command line:

Enter the following netstat command. If you return a result similar to this then you know that Webmin is installed and running.

[admin@appliance ~]# netstat -anp | grep 10000
tcp        0      0 0.0.0.0:10000               0.0.0.0:*                   LISTEN      3594/perl
udp        0      0 0.0.0.0:10000               0.0.0.0:*                               3594/perl
[admin@appliance ~]#

If this returns nothing then it could indicate that Webmin is not installed. If this is the case try running the following commands to see if the package exists on the appliance:

[admin@appliance ~]# find /etc/ -iname webmin
/etc/sysconfig/daemons/webmin
/etc/pam.d/webmin
/etc/webmin
/etc/webmin/webmin
/etc/rc.d/init.d/webmin
[admin@appliance ~]#

Also:

[admin@appliance ~]# whereis webmin
webmin: /etc/webmin /usr/libexec/webmin
[admin@appliance ~]# 

If you don't return a result, then it's likely that your appliance is too old to have Webmin installed. If you do return a result then you can use the following stop and start commands to get Webmin stopped and started:

[admin@appliance ~]# service webmin stop
Stopping Webmin server in /usr/libexec/webmin
[admin@appliance ~]# service webmin start

A further check of the listener will confirm if Webmin is now started:

[admin@appliance ~]# netstat -anp | grep 10000
tcp        0      0 0.0.0.0:10000               0.0.0.0:*                   LISTEN      3185/perl
udp        0      0 0.0.0.0:10000               0.0.0.0:*                               3185/perl
[admin@appliance ~]#

If you're not bringing up anything via a Web Browser check that there are no firewalls between you and the Swivel appliance which could be obstructing access. Try the following command to reveal the Swivel firewall entries, to ensure that the Swivel appliance is allowing access to the Webmin listener:

[admin@appliance ~]# cat /etc/sysconfig/iptables

This will produce the following output.

Iptables webmin.PNG

Ensure that the following ACCEPT line (highlighted in the output above) exists, to be sure that Swivel is allowing access to the Webmin listener:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT


Webmin inaccessible after patch upgrade

Edit the file /etc/webmin/miniserv.conf locate the line ssl_version=10 line and remove it. Restart webmin with;

service webmin restart


Locked out of Webmin?

Using the PuTTY How To Guide SSH to the appliance, goto the Command Line and enter the following command:

/usr/libexec/webmin/changepass.pl /etc/webmin/ admin lockbox

This will reset the password for the admin user to lockbox.

Common Uses for Webmin

Below are articles which describe common use cases for Webmin: