Pandora: QuickGuides EN: Secure communication with tentacle
1 Documentation
- Tentacle User Guide GNU/Linux
- Tentacle Windows Guide
- Tentacle Protocol Definition
- OpenSSL Certificates Quick Guide
- Secure communication with tentacle (this guide).
- Cross-compiling the Windows client from Linux
2 Tentacle configuration guide with security options
This guide will explain step by step how to configure both agents and Tentacle server to ensure safe communication.
First, it is recommended to carry out manual tests from the devices to make sure configuration, parameters and certificates are correct.
2.1 Communication encryption
To encrypt communication between clients and the Tentacle server, SSL certificates and keys are required. This guide shows all possible configuration options, so certificates can be either self-signed or signed by a valid CA.
Check out our OpenSSL certificate quick guide if you are not sure about how to configure them.
Although it is not specified in the aforementioned guide, the indicated certificates can be required in DER format instead of PEM for some operating systems (such as Ubuntu or Windows). If that is the case, you may obtain the certificate in said format from the generated PEM:
openssl x509 -outform der -in tentaclecert.pem -out tentaclecert.der
Finally, to avoid misunderstandings, hereon we will refer to certificates and each party's keys as follows:
- ca_cert: The certificate of the CA employed to sign certificates.
- tentacle_key: The key generated for Tentacle server.
- tentacle_cert: The certificate generated for Tentacle server.
- tentacle_client_key: The key generated for Tentacle client.
- tentacle_client_cert: The certificate generated for Tentacle client.
ALWAYS indicate within parameters the absolute paths where certificates are located, for example '/etc/ssl/tentaclecert.pem'.
To use Tentacle safe options, make sure the perl(IO::Socket::SSL) package is installed in your system.
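A pre-flight check for the material listed above, added here as an example (it is not part of the original guide or of Tentacle): before the files are passed to tentacle_server or tentacle_client, it confirms that a key belongs to its certificate and that the certificate verifies against ca_cert. The function names and the throwaway sample files are assumptions made for the example, and PEM input is assumed.

```sh
#!/bin/sh
# Added example: pre-flight checks for the PEM files named in section 2.1.
# Function names and the generated sample files are constructed here.

# key_matches_cert CERT KEY: true if KEY is the private key of CERT.
key_matches_cert() {
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# signed_by_ca CA CERT: true if CERT verifies against CA and is in date.
signed_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_samples DIR: throwaway one-day CA, a server pair signed by it, and
# an unrelated self-signed pair that must fail both checks.
make_samples() {
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
          -subj "/CN=Constructed CA" -keyout ca_key.pem -out ca_cert.pem &&
      openssl req -newkey rsa:2048 -nodes -subj "/CN=tentacle.example" \
          -keyout tentacle_key.pem -out tentacle.csr &&
      openssl x509 -req -in tentacle.csr -days 1 -CA ca_cert.pem \
          -CAkey ca_key.pem -CAcreateserial -out tentacle_cert.pem &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
          -subj "/CN=Unrelated" -keyout other_key.pem -out other_cert.pem
    ) >/dev/null 2>&1
}

# report LABEL CMD...: run a check and print its outcome.
report() {
    label=$1; shift
    if "$@"; then echo "OK    $label"; else echo "FAIL  $label"; fi
}

if command -v openssl >/dev/null 2>&1; then
    d=$(mktemp -d) && make_samples "$d" && {
        report "tentacle_key matches tentacle_cert" \
            key_matches_cert "$d/tentacle_cert.pem" "$d/tentacle_key.pem"
        report "tentacle_cert signed by ca_cert" \
            signed_by_ca "$d/ca_cert.pem" "$d/tentacle_cert.pem"
        report "unrelated cert signed by ca_cert (expected FAIL)" \
            signed_by_ca "$d/ca_cert.pem" "$d/other_cert.pem"
    }
    rm -rf "$d"
fi
```

Run the same two functions against the real tentacle_cert, tentacle_key, tentacle_client_cert, tentacle_client_key and ca_cert; files converted to DER must be checked in their PEM form.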
2.2 Certificate configuration in Tentacle server accepting any certificate in client
For this configuration, just enter the certificate and key used for encryption in the Tentacle server configuration. The client accepts any certificate the server presents, so the traffic is encrypted but the server's identity is not verified.
When launching the server manually, include the -e and -k parameters:
# su - pandora -s /bin/bash
# tentacle_server -v -e tentacle_cert -k tentacle_key -s /tmp
When launching the client manually, include the -c parameter:
# echo test > file.txt
# tentacle_client -v -c -a 192.168.70.125 file.txt
If this manual execution works properly, you may continue with the permanent configuration.
- For Tentacle server, modify the /etc/tentacle/tentacle_server.conf file:
ssl_cert tentacle_cert
ssl_key tentacle_key
- For Pandora FMS agents, modify the /etc/pandora/pandora_agent.conf file or C:\Program Files\pandora_agent\pandora_agent.conf (depending on your OS):
server_opts -c
- For Pandora FMS satellite servers, modify the /etc/pandora/satellite_server.conf file:
server_opts -c
2.3 Tentacle server and client certificate configuration verifying the certificate with a specific CA in client
For this configuration, indicate the certificate and key used for encryption in the Tentacle server configuration, and the encryption certificates in the client. The client verifies the server's certificate against ca_cert.
When launching the server manually, include the -e and -k parameters:
# su - pandora -s /bin/bash
# tentacle_server -v -e tentacle_cert -k tentacle_key -s /tmp
When launching the client manually, include the -e and -f parameters:
# echo test > file.txt
# tentacle_client -v -e tentacle_client_cert -f ca_cert -a 192.168.70.125 file.txt
If this manual execution works properly, permanent configuration will be possible.
- For Tentacle server, modify the /etc/tentacle/tentacle_server.conf file:
ssl_cert tentacle_cert
ssl_key tentacle_key
- For Pandora FMS agents, modify the /etc/pandora/pandora_agent.conf file or C:\Program Files\pandora_agent\pandora_agent.conf (depending on the OS):
server_opts -e tentacle_client_cert -f ca_cert
- For Pandora FMS satellite servers, modify the /etc/pandora/satellite_server.conf file:
server_opts -e tentacle_client_cert -f ca_cert
2.4 Tentacle server and client certificate configuration verifying the certificate with a specific CA in server
For this configuration, indicate the certificates and keys used for encryption in the Tentacle server and client configuration. The server verifies the client's certificate against ca_cert.
When launching the server manually, include the -e, -k and -f parameters:
# su - pandora -s /bin/bash
# tentacle_server -v -e tentacle_cert -k tentacle_key -f ca_cert -s /tmp
When launching the client manually, include the -e and -k parameters:
# echo test > file.txt
# tentacle_client -v -e tentacle_client_cert -k tentacle_client_key -a 192.168.70.125 file.txt
If this manual execution works properly, permanent configuration will be possible.
- For Tentacle server, modify the /etc/tentacle/tentacle_server.conf file:
ssl_cert tentacle_cert
ssl_ca ca_cert
ssl_key tentacle_key
- For Pandora FMS agents, modify the /etc/pandora/pandora_agent.conf file or C:\Program Files\pandora_agent\pandora_agent.conf (depending on the OS):
server_opts -e tentacle_client_cert -k tentacle_client_key
- For Pandora FMS satellite servers, modify the /etc/pandora/satellite_server.conf file:
server_opts -e tentacle_client_cert -k tentacle_client_key
2.5 Tentacle server and client certificate configuration verifying the certificate with a specific CA in both of them
For this configuration, indicate the certificates and keys used for encryption in the Tentacle server and client configuration. Both the server and the client verify the other party's certificate against ca_cert.
When launching the server manually, include the -e, -k and -f parameters:
# su - pandora -s /bin/bash
# tentacle_server -v -e tentacle_cert -k tentacle_key -f ca_cert -s /tmp
When launching the client manually, include the -e, -k and -f parameters:
# echo test > file.txt
# tentacle_client -v -e tentacle_client_cert -k tentacle_client_key -f ca_cert -a 192.168.70.125 file.txt
If this manual execution works properly, permanent configuration will be possible.
- For Tentacle server, modify the /etc/tentacle/tentacle_server.conf file:
ssl_cert tentacle_cert
ssl_ca ca_cert
ssl_key tentacle_key
- For Pandora FMS agents, modify the /etc/pandora/pandora_agent.conf file or C:\Program Files\pandora_agent\pandora_agent.conf (depending on the OS):
server_opts -e tentacle_client_cert -k tentacle_client_key -f ca_cert
- For Pandora FMS satellite scripts, modify the /etc/pandora/satellite_server.conf file:
server_opts -e tentacle_client_cert -k tentacle_client_key -f ca_cert
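The four client configurations in sections 2.2 to 2.5 differ only in which of -c, -e, -k and -f appear in server_opts. The following added example (not part of the original guide or of Pandora FMS) classifies a server_opts value accordingly and flags relative paths; the function name, labels and sample values are constructed, and absolute paths are assumed to be Unix-style.

```sh
#!/bin/sh
# Added example: name the mode a client-side server_opts value selects,
# using only the tentacle_client flags shown in this guide (-c -e -k -f).
# Labels are constructed; "absolute" is taken to mean a Unix path (/...).

# classify_opts "<flags>" prints one label:
#   plain          none of the guide's TLS flags present
#   encrypt-only   -c (2.2): encrypted, server certificate not verified
#   verify-server  -e -f (2.3): client checks the server against ca_cert
#   client-cert    -e -k (2.4): client presents its cert to the server
#   mutual         -e -k -f (2.5): both; the server also needs ssl_ca set
#   relative-path, missing-value, other: fix before deploying
classify_opts() {
    c=0; e=0; k=0; f=0
    set -f; set -- $1; set +f      # split into words, no globbing
    while [ $# -gt 0 ]; do
        case "$1" in
            -c) c=1 ;;
            -e|-k|-f)
                [ $# -ge 2 ] || { echo missing-value; return 0; }
                case "$2" in /*) ;; *) echo relative-path; return 0 ;; esac
                case "$1" in -e) e=1 ;; -k) k=1 ;; -f) f=1 ;; esac
                shift ;;
        esac
        shift
    done
    case "$c$e$k$f" in
        0000) echo plain ;;
        1000) echo encrypt-only ;;
        0101) echo verify-server ;;
        0110) echo client-cert ;;
        0111) echo mutual ;;
        *)    echo other ;;
    esac
}

# Constructed server_opts values, as they would follow the keyword.
audit_samples() {
    while IFS= read -r opts; do
        printf '%-14s %s\n' "$(classify_opts "$opts")" "$opts"
    done <<'EOF'
-c
-e /etc/ssl/client_cert.pem -f /etc/ssl/ca_cert.pem
-e /etc/ssl/client_cert.pem -k /etc/ssl/client_key.pem
-e /etc/ssl/client_cert.pem -k /etc/ssl/client_key.pem -f /etc/ssl/ca_cert.pem
-e client_cert.pem -f ca_cert.pem
EOF
}
audit_samples
```

An agent reported as encrypt-only or client-cert does not check which server it is talking to; only the configurations with -f ca_cert do.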