Configuring Tentacle with security options
Tentacle configuration guide with security options
This guide explains step by step how to configure both the Software Agents and the Tentacle server to ensure safe communication.
First, it is recommended to carry out manual tests from the devices to make sure the configuration, parameters and certificates are correct.
Then make the settings permanent in the corresponding configuration files:
Tentacle servers
/etc/tentacle/tentacle_server.conf
Unix/Linux software agents
/etc/pandora/pandora_agent.conf
MS Windows® software agents
%ProgramFiles%\pandora_agent\pandora_agent.conf
Satellite servers
/etc/pandora/satellite_server.conf
Tentacle Proxy servers
/etc/tentacle/tentacle_server.conf
Remember to restart the corresponding services after any modification. On Unix/Linux you may also use the TENTACLE_EXT_OPTS option located in /etc/init.d/tentacle_serverd (see the linked documentation for the rest of the options for this daemon).
Communication encryption
Both the Tentacle server and the Software Agents can communicate securely using certificates and a password, either directly with each other or through a Tentacle Proxy server.
It is ALWAYS necessary to indicate in the parameters the absolute paths where the certificates are located, e.g. /etc/ssl/tentaclecert.pem
To use Tentacle's secure options, please verify that the package perl(IO::Socket::SSL) is installed on your system.
In the previous sections the various combinations are explained in detail; this section adds the password options, the Tentacle Proxy server and the use of TENTACLE_EXT_OPTS to set configurations. Also review in this earlier section the certificate names and keys on each side. A simplified syntax is used for didactic purposes only:
Simple transfer with password-based authentication:
Extra parameter in the server for password:
-x password
Extra parameter in the client for password (TENTACLE_EXT_OPTS):
-x password
Secure transfer, without client certificate:
Extra parameters on the server:
-e tentacle_cert -k tentacle_key
Secure transfer with client certificate:
Extra parameters on the server:
-e tentacle_cert -k tentacle_key -f ca_cert
Extra parameters in the client (TENTACLE_EXT_OPTS):
-e tentacle_client_cert -k tentacle_client_key
Secure transfer with client certificate and additional password authentication:
Extra parameters on the server:
-x password -e tentacle_cert -k tentacle_key -f ca_cert
Extra parameters in the client (TENTACLE_EXT_OPTS):
-x password -e tentacle_client_cert -k tentacle_client_key
Certificate configuration in Tentacle server accepting any certificate in client
For this configuration, just enter the certificate and key used for encryption in the Tentacle server configuration.
When launching the server manually, include the -e and -k parameters:
$ su - pandora -s /bin/bash
# tentacle_server -v -e tentacle_cert -k tentacle_key -s /tmp
When launching the client manually, include the -c parameter:
$ echo test> file.txt
$ tentacle_client -v -c -a 192.168.70.125 file.txt
If this manual execution works properly, you may continue with the permanent configuration in the appropriate file:
- For Tentacle servers:
ssl_cert tentacle_cert
ssl_key tentacle_key
- For Software Agents:
server_opts -c
- For Satellite servers:
server_opts -c
Tentacle server and client certificate configuration verifying the certificate with a specific CA in client
For this configuration, indicate the certificate and key used for encryption in the Tentacle server configuration and the client encryption certificates.
When launching the server manually, include the -e and -k parameters:
# su - pandora -s /bin/bash
# tentacle_server -v -e tentacle_cert -k tentacle_key -s /tmp
When launching the client manually, include the -e and -f parameters:
# echo test> file.txt
# tentacle_client -v -e tentacle_client_cert -f ca_cert -a 192.168.70.125 file.txt
If this manual execution works properly, permanent configuration will be possible in the appropriate file.
- For Tentacle servers:
ssl_cert tentacle_cert
ssl_key tentacle_key
- For Pandora FMS Software Agents:
server_opts -e tentacle_client_cert -f ca_cert
- For Pandora FMS Satellite servers:
server_opts -e tentacle_client_cert -f ca_cert
Tentacle server and client certificate configuration verifying the certificate with a specific CA in server
For this configuration, indicate the certificates and keys used for encryption in Tentacle server and client configuration.
When launching the server manually, include the -e, -k and -f parameters:
# su - pandora -s /bin/bash
# tentacle_server -v -e tentacle_cert -k tentacle_key -f ca_cert -s /tmp
When launching the client manually, include the -e and -k parameters (notice the use of the line connector \):
# echo test> file.txt
# tentacle_client -v \
    -e tentacle_client_cert \
    -k tentacle_client_key \
    -a 192.168.70.125 file.txt
If this manual execution works properly, permanent configuration will be possible in the appropriate file.
- For Tentacle servers:
ssl_cert tentacle_cert
ssl_ca ca_cert
ssl_key tentacle_key
- For Pandora FMS Software Agents:
server_opts -e tentacle_client_cert -k tentacle_client_key
- For Pandora FMS Satellite servers:
server_opts -e tentacle_client_cert -k tentacle_client_key
Tentacle server and client certificate configuration verifying the certificate with a specific CA in both of them
For this configuration, indicate the certificates and keys used for encryption in Tentacle server and client configuration.
When launching the server manually, include the -e, -k and -f parameters:
# su - pandora -s /bin/bash
# tentacle_server -v -e tentacle_cert -k tentacle_key -f ca_cert -s /tmp
When launching the client manually, include the -e, -k and -f parameters:
# echo test> file.txt
# tentacle_client -v -e tentacle_client_cert -k tentacle_client_key -f ca_cert -a 192.168.70.125 file.txt
If this manual execution works properly, permanent configuration will be possible.
- For Tentacle servers:
ssl_cert tentacle_cert
ssl_ca ca_cert
ssl_key tentacle_key
- For Pandora FMS Software Agents:
server_opts -e tentacle_client_cert -k tentacle_client_key -f ca_cert
- For Pandora FMS Satellite servers:
server_opts -e tentacle_client_cert -k tentacle_client_key -f ca_cert
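The four client-side combinations above differ only in which of -c, -e, -k and -f appear in server_opts. The following added example (not part of the Pandora FMS documentation or code) reads a server_opts value and reports what it enables; the function name classify_server_opts and the sample values are hypothetical.

```shell
#!/bin/sh
# Added example: report what a server_opts value enables, using only the
# tentacle_client flags shown in this guide (-c -e -k -f -x).
# classify_server_opts is a hypothetical helper, not a Pandora FMS tool.
classify_server_opts() {
    tls=no; ca=no; cert=no; key=no; pw=no; abs=yes
    set -f; set -- $1; set +f          # split into words without globbing
    while [ $# -gt 0 ]; do
        opt=$1; shift
        case $opt in
            -c) tls=yes; continue ;;   # TLS without a client certificate
            -e) tls=yes; cert=yes ;;
            -k) key=yes ;;
            -f) ca=yes ;;              # CA used to verify the server
            -x) pw=yes; if [ $# -gt 0 ]; then shift; fi; continue ;;
            *)  continue ;;            # other options are ignored here
        esac
        # -e, -k and -f take a file: the guide requires an absolute path.
        case ${1-} in /*) ;; *) abs=no ;; esac
        if [ $# -gt 0 ]; then shift; fi
    done
    if [ "$tls" = no ]; then verify=none
    elif [ "$ca" = yes ]; then verify=ca
    else verify=off; fi
    client=no
    if [ "$cert" = yes ] && [ "$key" = yes ]; then client=yes; fi
    echo "tls=$tls server_verify=$verify client_cert=$client password=$pw abs_paths=$abs"
}

# Constructed sample values, one per configuration described in the guide.
for opts in \
    "-c" \
    "-e /etc/ssl/client.pem -f /etc/ssl/ca.pem" \
    "-e /etc/ssl/client.pem -k /etc/ssl/client.key" \
    "-x password -e tentacle_client_cert -k tentacle_client_key -f ca_cert"
do
    printf '%-72s => %s\n' "$opts" "$(classify_server_opts "$opts")"
done
```

A result of server_verify=off means the agent encrypts the transfer but does not check the server certificate against a CA; abs_paths=no flags the simplified placeholder names used in this guide, which must be replaced with absolute paths.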
Safe Tentacle configuration
Both the Tentacle server and the Software Agents can use safe communication through certificates and a password, either directly between them or through a Tentacle Proxy.
ALWAYS indicate in the parameters the absolute paths where the certificates are found, for example /etc/ssl/tentaclecert.pem
To use Tentacle safe options, please verify that the package perl(IO::Socket::SSL) is installed on your system.
In previous sections, the different combinations are explained in detail; in this section we add options such as password, Tentacle Proxy server and the use of TENTACLE_EXT_OPTS. Check in the previous section the names of the certificates and the keys on each side. A simplified syntax is used just for learning purposes:
Simple transfer with password-based authentication:
Extra parameter in the server for password:
-x password
Extra parameter in the client for password (TENTACLE_EXT_OPTS):
-x password
Safe transfer, with no client certificate:
Extra server parameters:
-e tentacle_cert -k tentacle_key
Safe transfer with client certificate
Extra server parameters:
-e tentacle_cert -k tentacle_key -f ca_cert
Extra client parameters (TENTACLE_EXT_OPTS):
-e tentacle_client_cert -k tentacle_client_key
Safe transfer with client certificate and additional authentication with password:
Extra server parameters:
-x password -e tentacle_cert -k tentacle_key -f ca_cert
Extra client parameters (TENTACLE_EXT_OPTS):
-x password -e tentacle_client_cert -k tentacle_client_key
Tentacle proxy safe configuration use case
This section explains step by step how to configure both the Software Agents and the Tentacle server for safe communication, also using the Tentacle Proxy server. Check the names of the certificates and the keys on each side in the previous section, and the available parameters in this section.
Manual tests:
1. Start tentacle_server manually:
sudo -u user tentacle_server \
    -x password \
    -e tentacle_cert \
    -k tentacle_key \
    -f ca_cert -s /tmp -v
2. Start the proxy manually:
sudo -u user tentacle_server -b ip_server -g 41124
3. Start tentacle_client manually:
sudo -u user tentacle_client \
    -a ip_proxy/ip_server \
    -x password \
    -e tentaclecert.pem \
    -k tentaclekey.pem \
    -v file
Once you have checked that the file was sent successfully, proceed to configure tentacle_server permanently as well as the clients.
To configure tentacle_server with the certificate options, edit the start script of the tentacle_serverd service, usually located at /etc/init.d/tentacle_serverd. An intermediate point should be configured similarly to work as a proxy. To configure Software Agents to use Tentacle safe communication, edit the configuration file pandora_agent.conf, usually located at /etc/pandora/pandora_agent.conf.
Permanent configuration:
1. Start the server with SSL. Modify the configuration file /etc/tentacle/tentacle_server.conf and uncomment and complete the lines password, ssl_cert, ssl_key, ssl_ca with the valid values or paths for your certificate.
Remember that each time you make changes to the tentacle configuration file, it is necessary to restart the service for the changes to take effect: /etc/init.d/tentacle_serverd start.
2. Start the proxy. As in point 1 above, modify the configuration file /etc/tentacle/tentacle_server.conf of the machine that is going to act as proxy. Also, uncomment and complete the lines proxy_ip and proxy_port with the configuration valid in your environment.
Remember that each time you make changes to the tentacle configuration file, it is necessary to restart the service for the changes to take effect: /etc/init.d/tentacle_serverd start.
3. Start the Software Agent with the corresponding options. Modify the file pandora_agent.conf, find the line server_opts and add:
-x password -e tentacle_client_cert -k tentacle_client_key
Remember that the token server_ip must be configured to point to the Proxy's IP address instead of the main server's IP address:
server_opts -x password -e tentacle_client_cert -k tentacle_client_key
If you do not want to use any of the options, such as the password, simply do not use the corresponding parameter.
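Before restarting the service in step 1, the completed tentacle_server.conf can be checked against what this guide asks for: password, ssl_cert, ssl_key and ssl_ca uncommented, with absolute, readable certificate paths. The following is an added example, not part of Pandora FMS; audit_tentacle_conf is a hypothetical helper, and the owner-only permission check on the private key is an assumption of this example rather than a requirement stated in the guide.

```shell
#!/bin/sh
# Added example: pre-restart check of tentacle_server.conf for the
# password + certificate setup. Token names are the ones this guide uses.
# audit_tentacle_conf FILE prints one finding per line; returns 1 if any.
audit_tentacle_conf() {
    conf=$1
    findings=0
    for tok in password ssl_cert ssl_key ssl_ca; do
        # Value of the first uncommented line whose first word is the token.
        val=$(awk -v t="$tok" '$1 == t { print $2; exit }' "$conf")
        if [ -z "$val" ]; then
            echo "$tok: missing or still commented out"
            findings=1; continue
        fi
        if [ "$tok" = password ]; then continue; fi
        case $val in
            /*) ;;
            *)  echo "$tok: '$val' is not an absolute path"
                findings=1; continue ;;
        esac
        if [ ! -r "$val" ]; then
            echo "$tok: cannot read $val"
            findings=1; continue
        fi
        # Assumption of this example: the private key is owner-only.
        if [ "$tok" = ssl_key ]; then
            mode=$(ls -ld "$val" | cut -c5-10)   # group and other bits
            if [ "$mode" != "------" ]; then
                echo "ssl_key: $val is accessible to group or others"
                findings=1
            fi
        fi
    done
    return $findings
}

# Constructed sample: relative certificate path, ssl_ca still commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
password placeholder-password
ssl_cert tentaclecert.pem
ssl_key /nonexistent/tentaclekey.pem
# ssl_ca /etc/ssl/ca.pem
EOF
audit_tentacle_conf "$sample" || echo "resolve the findings before restarting tentacle_serverd"
rm -f "$sample"
```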
Tentacle data compression
Version NG 725 or later.
Tentacle allows enabling data compression with the command-line option -z, reducing the size of the transferred data at the expense of CPU load.
Pandora FMS Agent
Edit the file /etc/pandora/pandora_agent.conf and add -z to server_opts:
server_opts -z
Satellite server
Edit the file /etc/pandora/satellite_server.conf and add -z to server_opts:
server_opts -z