Setting up Zabbix with certificates

Now, on to making the passive items on A test host use the certificates we just generated. We must provide the certificates to the Zabbix agent. In the directory where the Zabbix agent configuration file is located, create a new directory called zabbix_agent_certs. Restrict access to it, like this:

# chown zabbix zabbix_agent_certs
# chmod 500 zabbix_agent_certs

From the directory where we generated the certificates, copy the relevant certificate files over to the new directory:

# cp zabbix_ca.crt /path/to/zabbix_agent_certs/
# cp zabbix_agent.crt /path/to/zabbix_agent_certs/
# cp zabbix_agent.key /path/to/zabbix_agent_certs/

Edit zabbix_agentd.conf and modify these parameters:

TLSAccept=cert
TLSConnect=unencrypted
TLSCAFile=/path/to/zabbix_agent_certs/zabbix_ca.crt
TLSCertFile=/path/to/zabbix_agent_certs/zabbix_agent.crt
TLSKeyFile=/path/to/zabbix_agent_certs/zabbix_agent.key

This makes the agent accept incoming connections only when they are encrypted and the peer presents a certificate signed by that CA, either directly or through intermediates. We'll still use an unencrypted connection for active items. A user might supply certificates and expect all communication to be encrypted from now on, which would not be the case unless TLSAccept or TLSConnect actually requires encryption. So that certificate files are never silently ignored, Zabbix requires that at least one of TLSAccept or TLSConnect uses them whenever certificates are supplied. Restart the Zabbix agent.

If a certificate becomes compromised, the certificate authority can revoke it by listing the certificate in a Certificate Revocation List (CRL). Zabbix supports CRLs with the TLSCRLFile parameter.
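
The chown/chmod steps above are easy to get subtly wrong: a package upgrade resets the directory to 755, a key is copied in with group-readable bits, or one file is missed in the copy. The script below is an added example, not from the book, that audits a certificate directory such as zabbix_agent_certs (the same checks apply to zabbix_server_certs later) for those mistakes. The fixture directories it creates under mktemp are constructed and hold empty placeholder files; the key-file mode check is stricter than the book's steps, and check_key_and_chain assumes an openssl binary is installed and skips itself otherwise.

```shell
#!/bin/sh
# Added example, not from the book: audit a Zabbix certificate directory
# (zabbix_agent_certs or zabbix_server_certs) for the mistakes the
# chown/chmod steps are meant to prevent. Fixture directories are
# constructed below; file names are the ones used in the text.

# Permission bits of $1 as printed by ls -ld, minus the type column,
# e.g. "r-x------" for a directory after chmod 500.
perm_string() {
    ls -ld "$1" | cut -c2-10
}

# Exit 0 if $1 grants no permission at all to group or others.
owner_only() {
    case $(perm_string "$1") in
        ???------) return 0 ;;
        *)         return 1 ;;
    esac
}

# Check directory $1 containing CA $2, certificate $3 and private key $4.
# Prints one "problem: ..." line per finding; exits 0 only when clean.
check_cert_dir() {
    dir=$1; ca=$2; crt=$3; key=$4
    problems=0
    if ! owner_only "$dir"; then
        echo "problem: $dir is group/world accessible ($(perm_string "$dir"))"
        problems=$((problems + 1))
    fi
    for f in "$ca" "$crt"; do
        if [ ! -f "$dir/$f" ]; then
            echo "problem: missing $dir/$f"
            problems=$((problems + 1))
        fi
    done
    if [ ! -f "$dir/$key" ]; then
        echo "problem: missing private key $dir/$key"
        problems=$((problems + 1))
    elif ! owner_only "$dir/$key"; then
        # Stricter than the text, which only restricts the directory: a key
        # with group/world read bits relies on the directory mode alone.
        echo "problem: $dir/$key is readable by group/others ($(perm_string "$dir/$key"))"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Needs openssl; confirms the key belongs to the certificate and that the
# certificate verifies against the CA file the peer will be told to trust.
# If intermediates are involved, append them to the CA file or add -untrusted.
check_key_and_chain() {
    dir=$1; ca=$2; crt=$3; key=$4
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not installed, skipping key/chain check"
        return 0
    fi
    cert_pub=$(openssl x509 -in "$dir/$crt" -noout -pubkey 2>/dev/null) || { echo "problem: cannot parse $crt"; return 1; }
    key_pub=$(openssl pkey -in "$dir/$key" -pubout 2>/dev/null) || { echo "problem: cannot parse $key"; return 1; }
    [ "$cert_pub" = "$key_pub" ] || { echo "problem: $key does not match $crt"; return 1; }
    openssl verify -CAfile "$dir/$ca" "$dir/$crt" >/dev/null 2>&1 || { echo "problem: $crt does not verify against $ca"; return 1; }
    echo "key matches certificate and chain verifies against $ca"
}

WORK=$(mktemp -d)
# The 500 directory is not writable, so give write back before removing it.
trap 'chmod -R u+w "$WORK"; rm -rf "$WORK"' EXIT

# Constructed fixture: directory set up as in the text, key locked down too.
GOOD=$WORK/zabbix_agent_certs
mkdir "$GOOD"
for f in zabbix_ca.crt zabbix_agent.crt zabbix_agent.key; do : > "$GOOD/$f"; done
chmod 400 "$GOOD/zabbix_agent.key"
chmod 500 "$GOOD"

# Constructed fixture: world-readable directory and the key never copied.
BAD=$WORK/sloppy_certs
mkdir "$BAD"
: > "$BAD/zabbix_ca.crt"
: > "$BAD/zabbix_agent.crt"
chmod 755 "$BAD"

for d in "$GOOD" "$BAD"; do
    if check_cert_dir "$d" zabbix_ca.crt zabbix_agent.crt zabbix_agent.key; then
        echo "$d: ok"
    else
        echo "$d: fix before restarting the agent"
    fi
done
```

On a real host, point check_cert_dir and check_key_and_chain at the actual directory; the fixture files here are empty, so only the permission checks are exercised by the demo loop.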

Let's take a look at the host configuration list in the Zabbix frontend:

It looks like connections to A test host don't work anymore. Let's check the agent log file:

failed to accept an incoming connection: from 127.0.0.1: unencrypted connections are not allowed

It looks like we broke it. We set up encryption on the agent but didn't get around to configuring the server side. What if we would like to roll out encryption to all of the agents and deal with the server later? In that case, it would be best to set TLSAccept=cert,unencrypted—then, agents would still accept unencrypted connections from our server. Once the certificates are deployed and configured on the Zabbix server, we only have to remove unencrypted from that parameter and restart the Zabbix agents. Let's try this out; change zabbix_agentd.conf again:

TLSAccept=cert,unencrypted
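
Because the same few parameter values decide whether an agent is encrypted-only, still in the cert,unencrypted rollout state, or plaintext, it helps to read that state off the configuration file before each restart rather than discovering it in the agent log. The POSIX sh script below is an added example, not from the book: it reports the posture of TLSAccept and TLSConnect for each config file and flags the case the text mentions where certificate files are listed but neither parameter uses them. The configuration files it writes to a temp directory are constructed fixtures, and the /path/to/... values in them are placeholders.

```shell
#!/bin/sh
# Added example, not from the book: read the TLS posture of a Zabbix agent
# configuration from TLSAccept (incoming, passive checks) and TLSConnect
# (outgoing, active checks). Fixture configs are constructed below.

# Print the value of parameter $2 in Zabbix-style "Key=Value" file $1.
# Commented-out lines are skipped; if a key repeats, the last one wins.
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Exit 0 only if every parameter named in $2.. is set in config $1.
require_params() {
    cfg=$1
    shift
    for p in "$@"; do
        [ -n "$(conf_get "$cfg" "$p")" ] || return 1
    done
    return 0
}

# Classify parameter $2 (TLSAccept or TLSConnect) of config $1:
#   encrypted-only  cert and/or psk only
#   mixed           cert/psk together with unencrypted (the rollout state)
#   unencrypted     parameter absent (the Zabbix default) or unencrypted only
#   misconfigured   unknown value, or cert/psk without their supporting files
tls_posture() {
    value=$(conf_get "$1" "$2")
    [ -n "$value" ] || value=unencrypted
    has_tls=no
    has_plain=no
    broken=no
    old_ifs=$IFS
    IFS=,
    for mode in $value; do
        case $mode in
            cert)
                has_tls=yes
                require_params "$1" TLSCAFile TLSCertFile TLSKeyFile || broken=yes ;;
            psk)
                has_tls=yes
                require_params "$1" TLSPSKIdentity TLSPSKFile || broken=yes ;;
            unencrypted)
                has_plain=yes ;;
            *)
                broken=yes ;;
        esac
    done
    IFS=$old_ifs
    if [ "$broken" = yes ]; then
        echo misconfigured
    elif [ "$has_tls" = yes ] && [ "$has_plain" = yes ]; then
        echo mixed
    elif [ "$has_tls" = yes ]; then
        echo encrypted-only
    else
        echo unencrypted
    fi
}

# Exit 0 when a certificate file is listed but neither TLSAccept nor
# TLSConnect uses cert, i.e. the files would be ignored. Zabbix rejects
# such a configuration itself; this catches it before the restart.
cert_files_unused() {
    [ -n "$(conf_get "$1" TLSCertFile)" ] || return 1
    case ",$(conf_get "$1" TLSAccept),$(conf_get "$1" TLSConnect)," in
        *,cert,*) return 1 ;;
    esac
    return 0
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed fixture: the agent as configured in the text (passive side
# certificate-only, active side still plaintext).
cat > "$WORK/agent_cert.conf" <<'EOF'
Server=127.0.0.1
TLSAccept=cert
TLSConnect=unencrypted
TLSCAFile=/path/to/zabbix_agent_certs/zabbix_ca.crt
TLSCertFile=/path/to/zabbix_agent_certs/zabbix_agent.crt
TLSKeyFile=/path/to/zabbix_agent_certs/zabbix_agent.key
EOF

# Constructed fixture: rollout state, plaintext from the server still tolerated.
sed 's/^TLSAccept=cert$/TLSAccept=cert,unencrypted/' "$WORK/agent_cert.conf" > "$WORK/agent_rollout.conf"

# Constructed fixture: certificate files present but nothing requires encryption.
grep -v -e '^TLSAccept=' -e '^TLSConnect=' "$WORK/agent_cert.conf" > "$WORK/agent_forgot.conf"

# Constructed fixture: cert requested but the private key line is missing.
grep -v '^TLSKeyFile=' "$WORK/agent_cert.conf" > "$WORK/agent_nokey.conf"

# Report every config; in practice point this at the agent and server
# config files you are about to restart.
for f in "$WORK"/*.conf; do
    printf '%s: passive=%s active=%s\n' "$(basename "$f")" \
        "$(tls_posture "$f" TLSAccept)" "$(tls_posture "$f" TLSConnect)"
    if cert_files_unused "$f"; then
        echo "  warning: certificate files set but neither TLSAccept nor TLSConnect uses them"
    fi
done
```

Run it over all agent configs before removing unencrypted from TLSAccept; any file still reporting passive=mixed is an agent the rollout has not finished, and passive=misconfigured means the agent would not come back up cleanly after the restart.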

Restart the agent daemon and observe monitoring resuming from the Zabbix server. Now, let's make the server use its certificate. We'll place the certificate where the Zabbix server can use it. In the directory where the Zabbix server configuration file is located, create a new directory called zabbix_server_certs. Restrict access to it, like this:

# chown zabbix zabbix_server_certs
# chmod 500 zabbix_server_certs

If using packages that run Zabbix server with a different username, such as zabbixs or zabbixsrv, replace the username with the proper one in the two commands.

From the directory where we generated the certificates, copy the certificates over to the new directory:

# cp zabbix_ca.crt /path/to/zabbix_server_certs/
# cp zabbix_server.crt /path/to/zabbix_server_certs/
# cp zabbix_server.key /path/to/zabbix_server_certs/

Edit zabbix_server.conf, and modify these parameters:

TLSCAFile=/path/to/zabbix_server_certs/zabbix_ca.crt
TLSCertFile=/path/to/zabbix_server_certs/zabbix_server.crt
TLSKeyFile=/path/to/zabbix_server_certs/zabbix_server.key

Now, restart the Zabbix server. Although we have specified the certificates on both agents and the server, passive items still work in unencrypted mode. Let's proceed with making them encrypted. In the Zabbix frontend, navigate to Configuration | Hosts, click on A test host, and switch to the Encryption tab. In the Connections to host selection, choose Certificate, and then click on the Update button. After the server configuration cache has been updated, it'll switch to using certificate-based encryption for this host.

We're changing the configuration for A test host, not encrypted host.

Going back to our scenario where we slowly rolled out certificate-based configuration to our agents and added it to the server later, we can now disable unencrypted connections on the agent side. Change zabbix_agentd.conf:

TLSAccept=cert

Restart the agent. If we had followed this process from the very beginning, monitoring would have continued uninterrupted. Let's try to use zabbix_get:

$ zabbix_get -s 127.0.0.1 -k system.cpu.load
zabbix_get [5746]: Check access restrictions in Zabbix agent configuration

That fails because the agent only accepts encrypted connections now. As we did for zabbix_sender, we can specify the certificate; but we must use the Zabbix server certificate now.

Access to the Zabbix server certificate is required for this command:

$ zabbix_get -s 127.0.0.1 -k system.cpu.load --tls-connect cert --tls-ca-file /path/to/zabbix_server_certs/zabbix_ca.crt --tls-cert-file /path/to/zabbix_server_certs/zabbix_server.crt --tls-key-file /path/to/zabbix_server_certs/zabbix_server.key
0.030000

Certainly, this results in a more secure environment. It isn't enough to spoof the IP address to access this agent. It isn't enough to have an account on the Zabbix server to have access to all agents; access to the server certificate is needed, too. On the other hand, it makes debugging a bit more complicated, as we can't query the agent that easily, and sniffing the traffic is much harder, too.

We used PSK and certificate-based encryption with zabbix_sender, zabbix_get, and a passive agent, but the same principles apply for active agents. As an exercise, try to get the active agent items working with encryption, too.
