Configuring Tentacle with security options

Tentacle configuration guide with security options

This guide explains step by step how to configure both the software agents and the Tentacle server so that they communicate securely.

First, it is recommended to run manual tests from the devices involved to make sure that the configuration, parameters and certificates are correct.

Then make the configuration permanent in the corresponding configuration files:

Tentacle servers

/etc/tentacle/tentacle_server.conf

Unix/Linux software agents

/etc/pandora/pandora_agent.conf

MS Windows® software agents

%ProgramFiles%\pandora_agent\pandora_agent.conf

Satellite servers

/etc/pandora/satellite_server.conf

Tentacle Proxy servers

/etc/tentacle/tentacle_server.conf

Remember to restart the corresponding services after any modification. On Unix/Linux you may also use the TENTACLE_EXT_OPTS option in /etc/init.d/tentacle_serverd (the remaining options of that daemon are described in the Tentacle documentation).

Communication encryption

To encrypt communication between the clients and the Tentacle server, SSL certificates and keys are required. This guide covers all the possible configuration options; the certificates may be self-signed or signed by a valid CA.

To avoid misunderstandings, from here on the certificates and each party's keys are referred to as follows:

  • ca_cert: The certificate of the CA employed to sign certificates.
  • tentacle_key: The key generated for Tentacle server.
  • tentacle_cert: The certificate generated for Tentacle server.
  • tentacle_client_key: The key generated for Tentacle client.
  • tentacle_client_cert: The certificate generated for Tentacle client.

ALWAYS indicate within parameters the absolute paths where certificates are located, for example /etc/ssl/tentaclecert.pem

To use Tentacle safe options, make sure the perl(IO::Socket::SSL) package is installed in your system.
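The certificates and keys listed above have to exist before any of the configurations that follow can be tested. As an added example (not part of the Pandora FMS documentation), the script below uses the openssl command line to create a throwaway test CA, a server pair and a client pair with those names, and then checks the two things that most often go wrong when the files are later referenced from tentacle_server.conf or pandora_agent.conf: that each certificate really chains to ca_cert, and that each key belongs to its certificate. The function names, subject names and output directory are assumptions of this example; for production use the certificates would come from your own CA instead.

```shell
#!/bin/sh
# Added example (not from the Pandora FMS docs): build a test PKI with the
# names used in this guide and verify the pairs before deploying them.
# Assumed: the openssl CLI is installed; function and subject names are ours.

# make_test_pki DIR: create ca_cert.pem, tentacle_cert.pem/tentacle_key.pem and
# tentacle_client_cert.pem/tentacle_client_key.pem under DIR, signed by the CA.
make_test_pki() {
    dir=$1
    mkdir -p "$dir" || return 1
    # Self-signed test CA (in a real deployment the CA key stays offline)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Tentacle test CA" \
        -keyout "$dir/ca_key.pem" -out "$dir/ca_cert.pem" >/dev/null 2>&1 || return 1
    for name in tentacle tentacle_client; do
        # Key + CSR for the server ("tentacle") and the client ("tentacle_client")
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$dir/${name}_key.pem" -out "$dir/$name.csr" >/dev/null 2>&1 || return 1
        # Sign the CSR with the test CA
        openssl x509 -req -days 365 -in "$dir/$name.csr" \
            -CA "$dir/ca_cert.pem" -CAkey "$dir/ca_key.pem" -CAcreateserial \
            -out "$dir/${name}_cert.pem" >/dev/null 2>&1 || return 1
        rm -f "$dir/$name.csr"
    done
    # Private keys must not be world-readable
    chmod 600 "$dir"/*_key.pem
}

# check_pair CA CERT KEY: return 0 only if CERT is issued by CA and KEY is the
# private key matching CERT (compared through their public keys).
check_pair() {
    ca=$1; cert=$2; key=$3
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert is not signed by $ca"
        return 1
    fi
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert"
        return 1
    fi
    echo "OK: $cert / $key"
}

# Demo: build the test PKI in a temporary directory and check both pairs
pki_dir=${PKI_DIR:-$(mktemp -d)}
make_test_pki "$pki_dir" \
    && check_pair "$pki_dir/ca_cert.pem" "$pki_dir/tentacle_cert.pem" "$pki_dir/tentacle_key.pem" \
    && check_pair "$pki_dir/ca_cert.pem" "$pki_dir/tentacle_client_cert.pem" "$pki_dir/tentacle_client_key.pem" \
    && echo "Test PKI written to $pki_dir"
```

Run it once, copy the files to the absolute paths you will reference (for example under /etc/ssl), and keep check_pair at hand: running it against the paths taken from the final configuration catches a swapped key or a certificate from the wrong CA before the service is restarted.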

Certificate configuration in Tentacle server accepting any certificate in client

For this configuration, just enter the certificate and key used for encryption in Tentacle server configuration.

When launching the server manually, include the -e and -k parameters:

 # su - pandora -s /bin/bash
 # tentacle_server -v -e tentacle_cert -k tentacle_key -s /tmp

When launching the client manually, include the -c parameter:

 # echo test > file.txt
 # tentacle_client -v -c -a 192.168.70.125 file.txt

If this manual execution works properly, you may continue with the permanent configuration in the appropriate file:

 Tentacle server (tentacle_server.conf):
 ssl_cert tentacle_cert
 ssl_key tentacle_key

 Software agent (pandora_agent.conf):
 server_opts -c

 Satellite server (satellite_server.conf):
 server_opts -c

Tentacle server and client certificate configuration verifying the certificate with a specific CA in client

For this configuration, indicate the certificate and key used for encryption in the Tentacle server configuration, and the CA certificate in the client configuration.

When launching the server manually, include the -e and -k parameters:

 # su - pandora -s /bin/bash
 # tentacle_server -v -e tentacle_cert -k tentacle_key -s /tmp

When launching the client manually, include the -e and -f parameters:

 # echo test > file.txt
 # tentacle_client -v -e tentacle_client_cert -f ca_cert -a 192.168.70.125 file.txt

If this manual execution works properly, permanent configuration will be possible in the appropriate file.

 Tentacle server (tentacle_server.conf):
 ssl_cert tentacle_cert
 ssl_key tentacle_key

 Software agent (pandora_agent.conf):
 server_opts -e tentacle_client_cert -f ca_cert

 Satellite server (satellite_server.conf):
 server_opts -e tentacle_client_cert -f ca_cert

Tentacle server and client certificate configuration verifying the certificate with a specific CA in server

For this configuration, indicate the certificates and keys used for encryption in Tentacle server and client configuration.

When launching the server manually, include the -e, -k and -f parameters:

 # su - pandora -s /bin/bash
 # tentacle_server -v -e tentacle_cert -k tentacle_key -f ca_cert -s /tmp

When launching the client manually, include the -e and -k parameters (note the use of the line continuation character \):

 # echo test > file.txt
 # tentacle_client -v \
            -e tentacle_client_cert \
            -k tentacle_client_key \
            -a 192.168.70.125 file.txt

If this manual execution works properly, permanent configuration will be possible in the appropriate file.

 Tentacle server (tentacle_server.conf):
 ssl_cert tentacle_cert
 ssl_ca ca_cert
 ssl_key tentacle_key

 Software agent (pandora_agent.conf):
 server_opts -e tentacle_client_cert -k tentacle_client_key

 Satellite server (satellite_server.conf):
 server_opts -e tentacle_client_cert -k tentacle_client_key

Tentacle server and client certificate configuration verifying the certificate with a specific CA in both of them

For this configuration, indicate the certificates and keys used for encryption in Tentacle server and client configuration.

When launching the server manually, include the -e, -k and -f parameters:

 # su - pandora -s /bin/bash
 # tentacle_server -v -e tentacle_cert -k tentacle_key -f ca_cert -s /tmp

When launching the client manually, include the -e, -k and -f parameters:

 # echo test > file.txt
 # tentacle_client -v -e tentacle_client_cert -k tentacle_client_key -f ca_cert -a 192.168.70.125 file.txt

If this manual execution works properly, permanent configuration will be possible.

 Tentacle server (tentacle_server.conf):
 ssl_cert tentacle_cert
 ssl_ca ca_cert
 ssl_key tentacle_key

 Software agent (pandora_agent.conf):
 server_opts -e tentacle_client_cert -k tentacle_client_key -f ca_cert

 Satellite server (satellite_server.conf):
 server_opts -e tentacle_client_cert -k tentacle_client_key -f ca_cert
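Whichever of the four combinations above is chosen, the guide insists on absolute certificate paths, and a typo in one of them only shows up after the service has been restarted. The following script is an added example (not part of the Pandora FMS documentation) that reads a pandora_agent.conf, satellite_server.conf or tentacle_server.conf, collects every path named by ssl_cert, ssl_key, ssl_ca and by the -e/-k/-f switches of server_opts, and rejects the file if any of them is relative or unreadable. It also flags a client still running with -c, because in that mode the client accepts any server certificate. The function names and the two sample configuration files built at the end are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Pandora FMS docs): validate the certificate paths
# a Tentacle client or server configuration refers to before restarting it.
# Assumed (ours): function names and the sample configuration files below.

# tentacle_cert_paths CONF: print each path given to ssl_cert, ssl_key, ssl_ca
# or to -e/-k/-f inside server_opts, one per line.
tentacle_cert_paths() {
    awk '
        $1 == "ssl_cert" || $1 == "ssl_key" || $1 == "ssl_ca" { print $2 }
        $1 == "server_opts" {
            for (i = 2; i <= NF; i++)
                if ($i == "-e" || $i == "-k" || $i == "-f") print $(i + 1)
        }' "$1"
}

# check_tentacle_conf CONF: return 0 only when every referenced path is absolute
# and readable. Additionally warn when server_opts contains -c, since the client
# then does not verify the certificate presented by the server.
check_tentacle_conf() {
    conf=$1
    rc=0
    for p in $(tentacle_cert_paths "$conf"); do
        case $p in
            /*) [ -r "$p" ] || { echo "ERROR: $conf: $p is not readable"; rc=1; } ;;
            *)  echo "ERROR: $conf: $p is not an absolute path"; rc=1 ;;
        esac
    done
    if awk '$1 == "server_opts" { for (i = 2; i <= NF; i++) if ($i == "-c") f = 1 }
            END { exit !f }' "$conf"; then
        echo "WARN: $conf: server_opts uses -c, any server certificate is accepted"
    fi
    return $rc
}

# Constructed sample files: a correct client configuration and a faulty one
demo_dir=$(mktemp -d)
touch "$demo_dir/tentacle_client_cert.pem" "$demo_dir/tentacle_client_key.pem" "$demo_dir/ca_cert.pem"
cat > "$demo_dir/good.conf" <<EOF
server_ip 192.168.70.125
server_opts -e $demo_dir/tentacle_client_cert.pem -k $demo_dir/tentacle_client_key.pem -f $demo_dir/ca_cert.pem
EOF
cat > "$demo_dir/bad.conf" <<EOF
server_ip 192.168.70.125
server_opts -c -e tentacle_client_cert.pem -k $demo_dir/missing_key.pem
EOF

check_tentacle_conf "$demo_dir/good.conf" && echo "good.conf: OK"
check_tentacle_conf "$demo_dir/bad.conf" || echo "bad.conf: rejected"
```

Run check_tentacle_conf as the user the agent or server runs under (the pandora user in the manual tests above); a key readable by root but not by that user fails in exactly the same way as a missing file.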

Safe Tentacle configuration

Both the Tentacle server and the software agents can use safe communication through certificates and password, either directly between them or through a Tentacle Proxy.

ALWAYS indicate in the parameters the absolute paths where the certificates are found, for example /etc/ssl/tentaclecert.pem

To use Tentacle safe options, please verify the package perl(IO::Socket::SSL) is installed on your system.

The previous sections explain the different combinations in detail; this section adds further options, such as the password, the Tentacle Proxy server and the use of TENTACLE_EXT_OPTS to make the settings permanent. See the previous section for the names of the certificates and keys on each side. A simplified syntax is used here for learning purposes:

Simple transfer with password-based authentication:

Extra parameter in the server for password:

  -x password

Extra parameter in the client for password (TENTACLE_EXT_OPTS):

  -x password

Safe transfer, with no client certificate:

Extra server parameters:

  -e tentacle_cert -k tentacle_key

Safe transfer with client certificate

Extra server parameters:

  -e tentacle_cert -k tentacle_key -f ca_cert

Extra client parameters (TENTACLE_EXT_OPTS):

  -e tentacle_client_cert -k tentacle_client_key

Safe transfer with client certificate and additional authentication with password:

Extra server parameters:

  -x password -e tentacle_cert -k tentacle_key -f ca_cert

Extra client parameters (TENTACLE_EXT_OPTS):

  -x password -e tentacle_client_cert -k tentacle_client_key

Tentacle proxy safe configuration use case

This section explains step by step how to configure both the software agents and the Tentacle server for secure communication, this time through a Tentacle Proxy server as well. See the previous section for the names of the certificates and keys on each side and for the available parameters.

Manual tests:

1. Start tentacle_server manually:

  sudo -u user tentacle_server \
            -x password \
            -e tentacle_cert \
            -k tentacle_key \
            -f ca_cert -s /tmp -v

2. Start the proxy manually:

sudo -u user tentacle_server -b ip_server -g 41124

3. Start tentacle_client manually:

  sudo -u user tentacle_client \
             -a ip_proxy/ip_server \
             -x password \
             -e tentaclecert.pem \
             -k tentaclekey.pem \
             -v file

Once you have checked that the file was sent successfully, proceed to configure tentacle_server permanently as well as the clients.

To configure tentacle_server with the certificate options, edit the start script of the tentacle_serverd service, usually located at /etc/init.d/tentacle_serverd. An intermediate machine acting as proxy is configured in the same way. To configure the software agents to use secure Tentacle communication, edit the pandora_agent.conf configuration file, usually located at /etc/pandora/pandora_agent.conf.

Permanent configuration:

1. Start the server with SSL. Modify the booting script /etc/init.d/tentacle_serverd. Look for the line TENTACLE_EXT_OPTS, and add:

  -x password -e tentacle_cert -k tentacle_key -f ca_cert

The whole line should look like this:

TENTACLE_EXT_OPTS="-i.*\.conf:conf;.*\.md5:md5;.*\.zip:collections -x password -e tentacle_cert -k tentacle_key -f ca_cert"

2. Start the proxy. As in step 1, modify the start script /etc/init.d/tentacle_serverd on the machine that will act as proxy. Again look for the TENTACLE_EXT_OPTS line and add:

  -b ip_server -g 41121

Full line:

TENTACLE_EXT_OPTS="-i.*\.conf:conf;.*\.md5:md5;.*\.zip:collections -b 192.168.70.208 -g 41121"

3. Start the software agent with the corresponding options. Modify the file pandora_agent.conf, look for the line server_opts and add:

  -x password -e tentacle_client_cert -k tentacle_client_key

Remember that the server_ip token must point to the proxy's IP instead of that of the main server. The server_opts line should look like this:

server_opts -x password -e tentacle_client_cert -k tentacle_client_key

If you do not want to use one of the options, for instance the password, simply leave out the corresponding parameter.
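The TENTACLE_EXT_OPTS lines above are edited by hand, and two mistakes are easy to make: a space before the "=" (which turns the assignment into a command the shell tries to run) and losing the existing -i filter while pasting the new switches. The script below is an added example (not part of the Pandora FMS documentation) that appends the security options to the assignment in a copy of the start script, keeps the existing value, refuses the malformed form, and runs sh -n on the result so the edited script is at least still valid shell. Function names and the sample start script are constructed for this example; "password" is a placeholder as in the guide.

```shell
#!/bin/sh
# Added example (not from the Pandora FMS docs): append options to the
# TENTACLE_EXT_OPTS assignment of a tentacle_serverd start script safely.
# Assumed (ours): function names and the constructed sample script below.

# get_tentacle_ext_opts SCRIPT: print the value of TENTACLE_EXT_OPTS="..." (no quotes)
get_tentacle_ext_opts() {
    sed -n 's/^TENTACLE_EXT_OPTS="\(.*\)"[[:space:]]*$/\1/p' "$1"
}

# set_tentacle_ext_opts SCRIPT OPTS: append OPTS to the current value in place.
# Fails if the assignment is malformed or missing, or if the edited script
# no longer parses.
set_tentacle_ext_opts() {
    script=$1
    extra=$2
    # Whitespace before '=' makes the shell run TENTACLE_EXT_OPTS as a command
    if grep -q '^TENTACLE_EXT_OPTS[[:space:]]' "$script"; then
        echo "ERROR: $script: whitespace before '=' in TENTACLE_EXT_OPTS (not an assignment)" >&2
        return 1
    fi
    current=$(get_tentacle_ext_opts "$script")
    if [ -z "$current" ]; then
        echo "ERROR: $script: no TENTACLE_EXT_OPTS=\"...\" line found" >&2
        return 1
    fi
    # The new value is passed through the environment: awk -v would process the
    # backslashes of the -i filter as escape sequences
    NEW_OPTS="$current $extra" awk '
        index($0, "TENTACLE_EXT_OPTS=\"") == 1 {
            print "TENTACLE_EXT_OPTS=\"" ENVIRON["NEW_OPTS"] "\""
            next
        }
        { print }' "$script" > "$script.tmp" || return 1
    # Overwrite in place so the script keeps its mode (executable bit) and owner
    cat "$script.tmp" > "$script" && rm -f "$script.tmp"
    # Syntax check only; the init script is never executed here
    sh -n "$script"
}

# Constructed demo: a minimal start script with the -i filter from the guide
demo_dir=$(mktemp -d)
cat > "$demo_dir/tentacle_serverd" <<'EOF'
#!/bin/sh
TENTACLE_EXT_OPTS="-i.*\.conf:conf;.*\.md5:md5;.*\.zip:collections"
EOF
# The malformed variant from which the shell would try to run a command
cat > "$demo_dir/broken" <<'EOF'
#!/bin/sh
TENTACLE_EXT_OPTS ="-i.*\.conf:conf"
EOF

set_tentacle_ext_opts "$demo_dir/tentacle_serverd" \
    "-x password -e /etc/ssl/tentacle_cert.pem -k /etc/ssl/tentacle_key.pem -f /etc/ssl/ca_cert.pem" \
    && get_tentacle_ext_opts "$demo_dir/tentacle_serverd"
set_tentacle_ext_opts "$demo_dir/broken" "-x password" || echo "broken: rejected"
```

For the proxy host the same call is used with "-b ip_server -g 41121" as the second argument. Work on a copy of /etc/init.d/tentacle_serverd, compare it with the original, and only then replace the real file and restart the service.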

Tentacle data compression

Version NG 725 or later.

Tentacle allows data compression to be enabled with the -z command line option, which reduces the size of the transferred data at the expense of CPU load.

Pandora FMS Agent

Edit the file /etc/pandora/pandora_agent.conf and add -z to server_opts:

server_opts -z

Satellite server

Edit the file /etc/pandora/satellite_server.conf and add -z to server_opts:

server_opts -z
