2025-02-03 Update From: SLTechnology News&Howtos (shulou), Network Security
Shulou(Shulou.com)06/01 Report--
I. Introduction to encryption
1. Overview
Starting with version 3.0, Zabbix supports encryption of the communication between Zabbix server, Zabbix proxy, Zabbix agent, zabbix_sender and zabbix_get. Two methods are available: pre-shared key (PSK) and certificate-based encryption.
Encryption configuration is optional: some proxies and agents can use certificate authentication to encrypt their communication, others can use a PSK, and the rest can communicate unencrypted.
The configuration of proxy devices is not covered here; see the official documentation for that.
Not all communication is encrypted, however. The following points are not covered by the built-in encryption:
Private keys are stored in plain text in files that Zabbix components read during startup.
Pre-shared keys are entered in the Zabbix frontend and stored in the Zabbix database in plain text.
Built-in encryption does not protect communications:
Between web server running Zabbix frontend and user web browser
Between Zabbix frontend and Zabbix server
Between Zabbix server (proxy) and Zabbix database.
Currently each encrypted connection opens with a full TLS handshake; no session caching or session tickets are implemented.
Adding encryption increases time of checks and actions, depending on network latency.
For example, if packet delay is 100ms then opening a TCP connection and sending unencrypted request takes around 200ms.
With encryption about 1000 ms are added for establishing TLS connection.
Timeouts may need to be increased; otherwise some items and actions that run remote scripts on agents may work over unencrypted connections but time out over encrypted ones.
Encryption is not supported by network discovery. Zabbix agent checks performed by network discovery will be unencrypted and if Zabbix agent is configured to reject unencrypted connections such checks will not succeed.
2. Compiling with encryption support
To support encryption, the encryption library must be compiled into Zabbix at build time.
Add --with-openssl when running configure:
./configure \
    --prefix=/usr/local/zabbix \
    --sysconfdir=/etc/zabbix \
    --enable-server \
    --enable-agent \
    --with-mysql \
    --with-net-snmp \
    --with-libcurl \
    --with-openssl
II. Using a pre-shared key (PSK)
1. Generate a PSK
# openssl rand -hex 32
af8ced32dfe8714e548694e2d29e1a14ba6fa13f216cb35c19d0feb1084b0429
2. Configure the agent
Create the file /etc/zabbix/zabbix_agentd.conf.d/zabbix_agentd.psk and store the PSK you just generated in it.
Edit /etc/zabbix/zabbix_agentd.conf and add the following:
TLSConnect=psk
TLSAccept=psk
TLSPSKFile=/etc/zabbix/zabbix_agentd.conf.d/zabbix_agentd.psk
TLSPSKIdentity=PSK 001
Then restart the agent and test the encrypted connection from the server:
zabbix_get -s 127.0.0.1 -k "system.cpu.load[all,avg1]" --tls-connect=psk --tls-psk-identity="PSK 001" --tls-psk-file=/etc/zabbix/zabbix_agentd.conf.d/zabbix_agentd.psk
The test succeeds, so next configure the encryption settings for the host in the web frontend.
Wait a while and the setting takes effect.
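The steps above are usually typed by hand. The script below is an added example, not part of the original article, that does the same PSK generation and agent configuration in a repeatable way and adds the check a practitioner wants given the caveat from section I (the PSK is stored in plain text, so file permissions are its only protection): it writes the PSK file with mode 0600, then verifies that the file is owner-only, contains a single hex string and meets Zabbix's documented 128-bit (32 hex digit) minimum before the config fragment is emitted. The /etc/zabbix paths and the identity "PSK 001" come from the article; PSK_DIR defaulting to a temporary directory is an assumption so the demo runs without root, and the od fallback is used only when openssl is not installed.

```shell
#!/bin/sh
# Added example (not from the original article): generate a Zabbix PSK,
# store it with owner-only permissions and validate it before use.
# Assumption: PSK_DIR defaults to a temp dir so the demo runs unprivileged;
# on a real agent point it at /etc/zabbix/zabbix_agentd.conf.d.

# Print N random bytes as a lowercase hex string (Zabbix expects hex).
gen_psk_hex() {
    n="${1:-32}"
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex "$n"
    else
        # fallback for hosts without openssl
        head -c "$n" /dev/urandom | od -An -v -tx1 | tr -d ' \n'
    fi
}

# Write the PSK to FILE with mode 0600. The article notes the key is kept
# in plain text, so the filesystem mode is the only thing protecting it.
write_psk_file() {
    file="$1"; psk="$2"
    ( umask 077 && printf '%s\n' "$psk" > "$file" ) || return 1
    chmod 600 "$file"
}

# Validate a PSK file: it must exist, carry no group/other permission bits,
# and hold one hex string of at least 32 hex digits (128 bits, the Zabbix
# minimum). Returns 0 when OK, 1 with a reason on stdout otherwise.
check_psk_file() {
    file="$1"
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    perms=$(ls -ld "$file" | cut -c5-10)      # group+other bits of "-rw-------"
    [ "$perms" = "------" ] || { echo "group/other can access $file (want 0600)"; return 1; }
    psk=$(head -n 1 "$file" | tr -d '\r\n')
    case "$psk" in
        *[!0-9a-fA-F]*|"") echo "PSK in $file is not a hex string"; return 1 ;;
    esac
    [ "${#psk}" -ge 32 ] || { echo "PSK too short: ${#psk} hex digits (min 32)"; return 1; }
    return 0
}

# Print the four agent settings from the article for FILE and IDENTITY.
# The identity is sent in clear during the TLS handshake, so keep it non-secret.
agent_psk_config() {
    printf 'TLSConnect=psk\nTLSAccept=psk\nTLSPSKFile=%s\nTLSPSKIdentity=%s\n' "$1" "$2"
}

# Demo: generate, store, verify, then show the lines to add to zabbix_agentd.conf.
PSK_DIR="${PSK_DIR:-$(mktemp -d)}"
PSK_FILE="$PSK_DIR/zabbix_agentd.psk"
write_psk_file "$PSK_FILE" "$(gen_psk_hex 32)"
if check_psk_file "$PSK_FILE"; then
    echo "PSK file OK: $PSK_FILE"
    agent_psk_config "$PSK_FILE" "PSK 001"
fi
```

Run it as `PSK_DIR=/etc/zabbix/zabbix_agentd.conf.d sh gen_psk.sh` on the agent host (as root) to place the file where the article's TLSPSKFile points; the same check_psk_file function can be reused on the server side for the file handed to zabbix_get with --tls-psk-file.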
III. Using certificates to encrypt communication
To be finished...
Reference document: https://www.zabbix.com/documentation/3.2/manual/encryption/using_pre_shared_keys
© 2024 shulou.com SLNews company. All rights reserved.