Pandora: QuickGuides EN: Secure comunication with tentacle

From Pandora FMS Wiki
Jump to: navigation, search

1 Tentacle safe configuration guide

We will explain step by step how to configure the agents and the Tentacle server for a secure connection, using Tentacle proxy as well.

At first, we really recommend completing the previous testing manually from the shell terminal to make sure that the configuration, parameters, and certificates are correct.

1.1 Manual testing

1. Start tentacle_server manually:

 sudo -u user tentacle_server -x password -e tentaclecert.pem -k tentaclekey.pem -f cacert.pem -s /tmp -v

2. Start up a proxy manually (only if you'll use a Tentacle proxy, if not, skip this step):

 sudo -u user tentacle_server -b ip_server -g 41124

3. Launch tentacle_client manually:

 sudo -u user tentacle_client -a ip_proxy/ip_server -x password -e tentaclecert.pem -k tentaclekey.pem -v /bin/ls (or any file)

Template warning.png

It is necessary to ALWAYS specify the absolute path where certificates are stored, for example /home/tentaclecert.pem


Once we have checked that the sending of the file has been successful, we can proceed to permanently configure tentacle_server and the clients.

To configure tentacle_server with the secure certificate options, we have to edit the starting script of the tentacle_serverd service, commonly found in /etc/init.d/tentacle_serverd, the same applies to the intermediate proxy. To configure the agents to use the secure tentacle communication protocol, we have to edit the configuration files on the pandora_agent.conf agent, commonly on /etc/pandora/pandora_agent.conf.

1.2 Permanent configuration

1. Start the server with SSL. Modify the script /etc/init.d/tentacle_serverd. Search the line TENTACLE_EXT_OPTS, and add "-x password -e tentaclecert.pem -k tentaclekey.pem -f cacert.pem". It should look like this:

 TENTACLE_EXT_OPTS="-i.*\.conf:conf;.*\.md5:md5;.*\.zip:collections -x password -e /home/tentaclecert.pem -k /home/tentaclekey.pem -f /home/cacert.pem"

2. Boot the proxy address. Modify the script /etc/init.d/tentacle_serverd on the system that will act as a proxy. Same as in the previous step, search for the TENTACLE_EXT_OPTS line, and add "-b ip_server -g 41121". Like this:

 TENTACLE_EXT_OPTS="-i.*\.conf:conf;.*\.md5:md5;.*\.zip:collections -b -g 41121"

3. Launch the agent with the related options. Modify the pandora_agent.conf file, search the token server_opts and add "-x password -e /home/tentaclecert.pem -k /home/tentaclekey.pem". Don't forget to set the token server_ip with the proxy IP instead of the real main server one, if you will use it. It should look like this:

 server_opts -x password -e /home/tentaclecert.pem -k /home/tentaclekey.pem


If you don't want to use any of the options, like for example the password, just don't set it on the configuration.