Difference between revisions of "Pandora: QuickGuides EN: Secure comunication with tentacle"

From Pandora FMS Wiki
(Tentacle secure configuration guide)
 
(Tentacle secure configuration guide)
 
Line 1: Line 1:
 
__TOC__
 
__TOC__
= Tentacle secure configuration guide =
+
= Tentacle safe configuration guide =
  
 
We will explain step by step how to configure the agents and the Tentacle server for a secure connection, using Tentacle proxy as well.
 
We will explain step by step how to configure the agents and the Tentacle server for a secure connection, using Tentacle proxy as well.
  
At first, we really recommend to make the previous testing manually from the shell terminal to make sure that the configuration, parameters and certificates are correct.
+
At first, we really recommend completing the previous testing manually from the shell terminal to make sure that the configuration, parameters, and certificates are correct.
  
 
== Manual testing ==
 
== Manual testing ==
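Review bot: The heading rename from "secure" to "safe" in the first changed line makes the section title disagree with the page title ("Secure comunication with tentacle") and with the intro sentence right below it, which still says "secure connection"; keep "Tentacle secure configuration guide". In the second changed line, "the previous testing" still reads as if the tests had already been described, and "the following manual tests" would match the Manual testing section that comes next.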
Line 11: Line 11:
 
   sudo -u ''user'' tentacle_server -x password -e tentaclecert.pem -k tentaclekey.pem -f cacert.pem -s /tmp -v
 
   sudo -u ''user'' tentacle_server -x password -e tentaclecert.pem -k tentaclekey.pem -f cacert.pem -s /tmp -v
  
2. Start proxy manually (only if you will use a Tentacle proxy, if not, skip this step):
+
2. Start up a proxy manually (only if you'll use a Tentacle proxy, if not, skip this step):
 
   sudo -u ''user'' tentacle_server -b ''ip_server'' -g 41124
 
   sudo -u ''user'' tentacle_server -b ''ip_server'' -g 41124
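Review bot: The reworded step 2 still sits above an example that forwards to port 41124 (-g 41124), while the permanent configuration later on this page uses -g 41121 for the same proxy setup. Since this edit touches the step, align the two port numbers or say why the manual test uses a different one.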
  
Line 18: Line 18:
  
  
{{Warning|It is necessary to '''ALWAYS''' specify the absolute path where the certificates are stored, for example ''/home/tentaclecert.pem''}}
+
{{Warning|It is necessary to '''ALWAYS''' specify the absolute path where certificates are stored, for example ''/home/tentaclecert.pem''}}
  
 
Once we have checked that the sending of the file has been successful, we can proceed to permanently configure tentacle_server and the clients.
 
Once we have checked that the sending of the file has been successful, we can proceed to permanently configure tentacle_server and the clients.
  
To configure tentacle_server with the secure certificate options, we have to edit the starting script of the '''tentacle_serverd''' service, commonly on ''/etc/init.d/tentacle_serverd'', the same for the intermediate proxy.  
+
To configure tentacle_server with the secure certificate options, we have to edit the starting script of the '''tentacle_serverd''' service, commonly found in ''/etc/init.d/tentacle_serverd'', the same applies to the intermediate proxy.  
To configure the agents to use the secure tentacle comunication, we have to edit the configuration files of the agent '''pandora_agent.conf''', commonly on ''/etc/pandora/pandora_agent.conf''.
+
To configure the agents to use the secure tentacle communication protocol, we have to edit the configuration files on the '''pandora_agent.conf''' agent, commonly on ''/etc/pandora/pandora_agent.conf''.
  
 
== Permanent configuration ==
 
== Permanent configuration ==
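Review bot: In the last changed line, "the configuration files on the '''pandora_agent.conf''' agent" turns a file name into the name of an agent. Suggest "the agent configuration file '''pandora_agent.conf''', commonly found in ''/etc/pandora/pandora_agent.conf''", which also matches the "commonly found in" wording this edit introduces for tentacle_serverd.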
Line 30: Line 30:
 
   TENTACLE_EXT_OPTS="-i.*\.conf:conf;.*\.md5:md5;.*\.zip:collections -x password -e /home/tentaclecert.pem -k /home/tentaclekey.pem -f /home/cacert.pem"
 
   TENTACLE_EXT_OPTS="-i.*\.conf:conf;.*\.md5:md5;.*\.zip:collections -x password -e /home/tentaclecert.pem -k /home/tentaclekey.pem -f /home/cacert.pem"
  
2. Start the proxy. Modify the script ''/etc/init.d/tentacle_serverd'' on the system that will act as a proxy. Same as in the previous step, search for the line TENTACLE_EXT_OPTS, and add "-b ''ip_server'' -g 41121". Like this:
+
2. Boot the proxy address. Modify the script ''/etc/init.d/tentacle_serverd'' on the system that will act as a proxy. Same as in the previous step, search for the TENTACLE_EXT_OPTS line, and add "-b ''ip_server'' -g 41121". Like this:
 
   TENTACLE_EXT_OPTS="-i.*\.conf:conf;.*\.md5:md5;.*\.zip:collections -b 192.168.70.208 -g 41121"
 
   TENTACLE_EXT_OPTS="-i.*\.conf:conf;.*\.md5:md5;.*\.zip:collections -b 192.168.70.208 -g 41121"
  
3. Launch the agent with the related options. Modify the pandora_agent.conf file, search the token server_opts and add "-x password -e /home/tentaclecert.pem -k /home/tentaclekey.pem". Don't forget to set the token ''server_ip'' with the ip of the proxy instead of the main server if you will use it. It should look like this:
+
3. Launch the agent with the related options. Modify the pandora_agent.conf file, search the token server_opts and add "-x password -e /home/tentaclecert.pem -k /home/tentaclekey.pem". Don't forget to set the token ''server_ip'' with the proxy IP instead of the real main server one, if you will use it. It should look like this:
 
   server_opts -x password -e /home/tentaclecert.pem -k /home/tentaclekey.pem
 
   server_opts -x password -e /home/tentaclecert.pem -k /home/tentaclekey.pem
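Review bot: "Boot the proxy address" in step 2 is harder to follow than the "Start the proxy" it replaces, since an address is not something that gets started; keep the old opening. In step 3, "the proxy IP instead of the real main server one, if you will use it" leaves "it" ambiguous; "if you use a proxy, set ''server_ip'' to the proxy's IP instead of the main server's" says the same thing without the ambiguity.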
  

Latest revision as of 14:54, 22 February 2016

1 Tentacle safe configuration guide

We will explain step by step how to configure the agents and the Tentacle server for a secure connection, using Tentacle proxy as well.

Before that, we strongly recommend running a preliminary test manually from a shell terminal to make sure that the configuration, parameters, and certificates are correct.

1.1 Manual testing

1. Start tentacle_server manually:

 sudo -u user tentacle_server -x password -e tentaclecert.pem -k tentaclekey.pem -f cacert.pem -s /tmp -v

2. Start up a proxy manually (only if you'll use a Tentacle proxy, if not, skip this step):

 sudo -u user tentacle_server -b ip_server -g 41124

3. Launch tentacle_client manually, pointing it at the proxy if you started one or at the server otherwise, and sending /bin/ls (or any other file):

 sudo -u user tentacle_client -a ip_proxy/ip_server -x password -e tentaclecert.pem -k tentaclekey.pem -v /bin/ls


Warning: It is necessary to ALWAYS specify the absolute path where certificates are stored, for example /home/tentaclecert.pem

 


Once we have checked that the file was sent successfully, we can proceed to permanently configure tentacle_server and the clients.

To configure tentacle_server with the secure certificate options, we have to edit the start-up script of the tentacle_serverd service, commonly found in /etc/init.d/tentacle_serverd; the same applies to the intermediate proxy. To configure the agents to use secure Tentacle communication, we have to edit the agent configuration file pandora_agent.conf, commonly found in /etc/pandora/pandora_agent.conf.

1.2 Permanent configuration

1. Start the server with SSL. Modify the script /etc/init.d/tentacle_serverd. Search for the TENTACLE_EXT_OPTS line and add "-x password -e tentaclecert.pem -k tentaclekey.pem -f cacert.pem". It should look like this:

 TENTACLE_EXT_OPTS="-i.*\.conf:conf;.*\.md5:md5;.*\.zip:collections -x password -e /home/tentaclecert.pem -k /home/tentaclekey.pem -f /home/cacert.pem"

2. Start the proxy. Modify the script /etc/init.d/tentacle_serverd on the system that will act as a proxy. As in the previous step, search for the TENTACLE_EXT_OPTS line and add "-b ip_server -g 41121". Like this:

 TENTACLE_EXT_OPTS="-i.*\.conf:conf;.*\.md5:md5;.*\.zip:collections -b 192.168.70.208 -g 41121"

3. Launch the agent with the related options. Modify the pandora_agent.conf file, search for the server_opts token and add "-x password -e /home/tentaclecert.pem -k /home/tentaclekey.pem". If you use a proxy, don't forget to set the server_ip token to the proxy IP instead of the main server's. It should look like this:

 server_opts -x password -e /home/tentaclecert.pem -k /home/tentaclekey.pem


Note: If you don't want to use one of the options, for example the password, simply leave it out of the configuration.
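
A pre-deployment check for the option strings configured above, given as an added example that is not part of the original guide or of Pandora FMS: the hypothetical function lint_tentacle_opts flags -e, -k and -f values that are not absolute paths or not readable, and a certificate given without its key (or the reverse). The demo input is constructed from the relative-path form quoted in step 1.

```shell
#!/bin/sh
# Added example (not Pandora FMS code).
# lint_tentacle_opts "<option string>" checks the value meant for
# TENTACLE_EXT_OPTS or server_opts before it is deployed.
# Prints one finding per line and returns 1 if there is any finding.
lint_tentacle_opts() {
    rc=0 cert="" key=""
    set -f              # the -i filter contains '*': split without globbing
    set -- $1
    set +f
    while [ $# -gt 0 ]; do
        case $1 in
            -e|-k|-f)
                flag=$1
                path=${2:-}
                case $path in
                    /*) if [ ! -r "$path" ]; then
                            echo "$flag $path: file is missing or unreadable"; rc=1
                        fi ;;
                    *)  echo "$flag ${path:-<none>}: not an absolute path"; rc=1 ;;
                esac
                if [ "$flag" = -e ]; then cert=$path; fi
                if [ "$flag" = -k ]; then key=$path; fi
                if [ $# -gt 1 ]; then shift; fi ;;   # skip the option value
        esac
        shift
    done
    # The guide always passes -e (certificate) and -k (key) together.
    if [ -n "$cert" ] && [ -z "$key" ]; then
        echo "-e given without -k"; rc=1
    fi
    if [ -n "$key" ] && [ -z "$cert" ]; then
        echo "-k given without -e"; rc=1
    fi
    return $rc
}

# Demo on constructed input: the relative-path form quoted in step 1.
lint_tentacle_opts "-x password -e tentaclecert.pem -k tentaclekey.pem -f cacert.pem" || true
```

Run it as the user the service runs under, since readability is checked with that user's permissions.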