Pandora: QuickGuides EN: Secure communication with tentacle

From Pandora FMS Wiki

1 Tentacle configuration guide with security options

This guide will explain step by step how to configure both agents and Tentacle server to ensure safe communication.

First, it is recommended to carry out manual tests from the devices to make sure configuration, parameters and certificates are correct.

1.1 Communication encryption

To encrypt communication between clients and Tentacle server, SSL certificates and keys are needed. This guide shows all possible configuration options, so certificates may be either self-signed or signed by a valid CA.

Check out our OpenSSL certificate quick guide if you are not sure about how to configure them.

Although it is not specified in the aforementioned guide, the indicated certificates can be required in DER format instead of PEM for some operating systems (such as Ubuntu or Windows). If that is the case, you may obtain the certificate in said format from the generated PEM:

openssl x509 -outform der -in tentaclecert.pem -out tentaclecert.der

Finally, to avoid misunderstandings, hereon we will refer to certificates and each party's keys as follows:

  • ca_cert: The certificate of the CA employed to sign certificates.
  • tentacle_key: The key generated for Tentacle server.
  • tentacle_cert: The certificate generated for Tentacle server.
  • tentacle_client_key: The key generated for Tentacle client.
  • tentacle_client_cert: The certificate generated for Tentacle client.

ALWAYS indicate within parameters the absolute paths where certificates are located, for example '/etc/ssl/tentaclecert.pem'

To use Tentacle safe options, make sure the perl(IO::Socket::SSL) package is installed in your system.


1.2 Certificate configuration in Tentacle server accepting any certificate in client

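For this configuration, just enter the certificate and key used for encryption in the Tentacle server configuration. The client accepts whatever certificate the server presents, so the connection is encrypted but the client does not verify the server certificate.

When launching the server manually, include the -e and -k parameters: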

# su - pandora -s /bin/bash
# tentacle_server -v -e tentacle_cert -k tentacle_key -s /tmp

When launching the client manually, include the -c parameter:

# echo test > file.txt
# tentacle_client -v -c -a 192.168.70.125 file.txt

If this manual execution works properly, you may continue with the permanent configuration.

  • For Tentacle server, modify the /etc/tentacle/tentacle_server.conf file:
ssl_cert tentacle_cert
ssl_key tentacle_key
  • For Pandora FMS agents, modify the /etc/pandora/pandora_agent.conf file or C:\Program Files\pandora_agent\pandora_agent.conf (depending on your OS):
server_opts -c
  • For Pandora FMS satellite servers, modify the /etc/pandora/satellite_server.conf file:
server_opts -c

1.3 Tentacle server and client certificate configuration verifying the certificate with a specific CA in client

For this configuration, indicate the certificate and key used for encryption in the Tentacle server configuration, and the encryption certificates in the client configuration.

When launching the server manually, include the -e and -k parameters:

# su - pandora -s /bin/bash
# tentacle_server -v -e tentacle_cert -k tentacle_key -s /tmp

When launching the client manually, include the -e and -f parameters:

# echo test > file.txt
# tentacle_client -v -e tentacle_client_cert -f ca_cert -a 192.168.70.125 file.txt

If this manual execution works properly, you may continue with the permanent configuration.

  • For Tentacle server, modify the /etc/tentacle/tentacle_server.conf file:
ssl_cert tentacle_cert
ssl_key tentacle_key
  • For Pandora FMS agents, modify the /etc/pandora/pandora_agent.conf file or C:\Program Files\pandora_agent\pandora_agent.conf (depending on the OS):
server_opts -e tentacle_client_cert -f ca_cert
  • For Pandora FMS satellite servers, modify the /etc/pandora/satellite_server.conf file:
server_opts -e tentacle_client_cert -f ca_cert

1.4 Tentacle server and client certificate configuration verifying the certificate with a specific CA in server

For this configuration, indicate the certificates and keys used for encryption in Tentacle server and client configuration.

When launching the server manually, include the -e, -k and -f parameters:

# su - pandora -s /bin/bash
# tentacle_server -v -e tentacle_cert -k tentacle_key -f ca_cert -s /tmp

When launching the client manually, include the -e and -k parameters:

# echo test > file.txt
# tentacle_client -v -e tentacle_client_cert -k tentacle_client_key -a 192.168.70.125 file.txt

If this manual execution works properly, you may continue with the permanent configuration.

  • For Tentacle server, modify the /etc/tentacle/tentacle_server.conf file:
ssl_cert tentacle_cert
ssl_ca ca_cert
ssl_key tentacle_key
  • For Pandora FMS agents, modify the /etc/pandora/pandora_agent.conf file or C:\Program Files\pandora_agent\pandora_agent.conf (depending on the OS):
server_opts -e tentacle_client_cert -k tentacle_client_key
  • For Pandora FMS satellite servers, modify the /etc/pandora/satellite_server.conf file:
server_opts -e tentacle_client_cert -k tentacle_client_key

1.5 Tentacle server and client certificate configuration verifying the certificate with a specific CA in both of them

For this configuration, indicate the certificates and keys used for encryption in Tentacle server and client configuration.

When launching the server manually, include the -e, -k and -f parameters:

# su - pandora -s /bin/bash
# tentacle_server -v -e tentacle_cert -k tentacle_key -f ca_cert -s /tmp

When launching the client manually, include the -e, -k and -f parameters:

# echo test > file.txt
# tentacle_client -v -e tentacle_client_cert -k tentacle_client_key -f ca_cert -a 192.168.70.125 file.txt

If this manual execution works properly, you may continue with the permanent configuration.

  • For Tentacle server, modify the /etc/tentacle/tentacle_server.conf file:
ssl_cert tentacle_cert
ssl_ca ca_cert
ssl_key tentacle_key
  • For Pandora FMS agents, modify the /etc/pandora/pandora_agent.conf file or C:\Program Files\pandora_agent\pandora_agent.conf (depending on the OS):
server_opts -e tentacle_client_cert -k tentacle_client_key -f ca_cert
  • For Pandora FMS satellite servers, modify the /etc/pandora/satellite_server.conf file:
server_opts -e tentacle_client_cert -k tentacle_client_key -f ca_cert
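
The four configurations in sections 1.2 to 1.5 differ only in which side verifies the other's certificate. The following check is an added example, not part of the original guide or of Pandora FMS: it reads the server and client configuration files and reports that posture, flagging -c and any certificate path that is not absolute. The function names, output format and sample file contents are assumptions; the option meanings are taken from this guide.

```shell
# Added example (not Pandora FMS code). Rules are taken from sections 1.2-1.5 only:
#   client -c         -> encrypted, but any server certificate is accepted
#   client -f CA      -> client verifies the server certificate
#   server ssl_ca CA  -> server verifies the client certificate (client needs -e, -k)

conf_get() {   # conf_get FILE KEY -> value of the first "KEY value" line
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

opt_arg() {    # opt_arg "OPTS" FLAG -> word following FLAG, empty if absent
    flag=$2
    set -- $1  # deliberate word splitting; paths containing spaces are not handled
    while [ $# -gt 0 ]; do
        if [ "$1" = "$flag" ]; then printf '%s\n' "${2:-}"; return 0; fi
        shift
    done
}

tentacle_tls_audit() {   # tentacle_tls_audit SERVER_CONF CLIENT_CONF
    opts=$(awk '$1 == "server_opts" { $1 = ""; print; exit }' "$2")
    s_cert=$(conf_get "$1" ssl_cert); s_key=$(conf_get "$1" ssl_key)
    s_ca=$(conf_get "$1" ssl_ca);     c_ca=$(opt_arg "$opts" -f)
    c_cert=$(opt_arg "$opts" -e);     c_key=$(opt_arg "$opts" -k)
    cvs=no; if [ -n "$c_ca" ]; then cvs=yes; fi
    svc=no; if [ -n "$s_ca" ]; then svc=yes; fi
    echo "client_verifies_server=$cvs server_verifies_client=$svc"
    if [ -z "$s_cert" ] || [ -z "$s_key" ]; then
        echo "WARN server: ssl_cert and ssl_key are not both set"
    fi
    case " $opts " in *" -c "*)
        echo "WARN client: -c accepts any server certificate (section 1.2)" ;;
    esac
    if [ "$svc" = yes ] && { [ -z "$c_cert" ] || [ -z "$c_key" ]; }; then
        echo "WARN client: server sets ssl_ca but server_opts lacks -e or -k"
    fi
    for p in $s_cert $s_key $s_ca $c_cert $c_key $c_ca; do
        case $p in
            /*|[A-Za-z]:*) ;;   # absolute Unix path or Windows drive path
            *) echo "WARN relative path: $p" ;;
        esac
    done
}

# Constructed sample: section 1.3 layout with a relative CA path left in by mistake.
d=$(mktemp -d)
printf 'ssl_cert /etc/ssl/tentaclecert.pem\nssl_key /etc/ssl/tentaclekey.pem\n' > "$d/server.conf"
printf 'server_opts -e /etc/ssl/clientcert.pem -f cacert.pem\n' > "$d/agent.conf"
tentacle_tls_audit "$d/server.conf" "$d/agent.conf"
rm -rf "$d"
```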