Introduction and environment

In this tutorial, we are going to harden platform security by enabling authentication and encryption of the real-time data flows (also known as BBDO flows or monitoring flows).
To understand what this is about, let's quickly sum up how a Poller connects to the central server within a Centreon infrastructure:

  •  The central server connects to the Poller using the ZMQ protocol (tcp/5556). This connection is used for management: it allows the central server to export the configuration, execute commands and get the status of the Pollers.

This protocol comes with authentication and encryption enabled by design, so its security level is already optimal. If you wish to know more about the Centreon-Gorgone mechanisms, have a look at the official documentation.

  • The cbmod modules on the Pollers connect to Centreon-Broker (cbd) on the central server using the BBDO protocol (tcp/5669). This protocol carries the monitoring results and data collected by the Pollers to the central server.

These are the flows we are going to secure in this tutorial!

For this configuration we will use 3 servers:

  • a Centreon 21.10 central server
  • a Centreon 21.10 Poller
  • an internal PKI server that we will use to manage the CA certificate and to process the CSRs (Certificate Signing Requests)


Create the keys and certificates


For authentication and encryption, Centreon-Broker uses a certificate and key pair for each peer. The first step will therefore be to create two certificates: one for the central server and one for the Poller.
Both certificates have to be signed by a Certificate Authority (CA) that is trusted by both peers.

 

Step 1: generating RSA key pairs and CSRs

  • On the central server, let's generate a private/public key pair as well as a CSR; we will store them in the Centreon-Broker configuration folder (/etc/centreon-broker) so that cbd can use them:
[root@centreon-central ~]# cd /etc/centreon-broker
[root@centreon-central centreon-broker]# openssl req -new -newkey rsa:2048 -nodes -keyout /etc/centreon-broker/centreon-cert-central.key -out /etc/centreon-broker/centreon-cert-central.csr
Generating a RSA private key
....+++++
.............+++++
writing new private key to '/etc/centreon-broker/centreon-cert-central.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:FR
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:Paris
Organization Name (eg, company) [Default Company Ltd]:Centreon
Organizational Unit Name (eg, section) []:ProServices
Common Name (eg, your name or your server's hostname) []:centreon-cert-central.mycompany.lan
Email Address []:admin@mycompany.lan

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:tcagkiqlxrfrrjmccyyt
An optional company name []:
[root@centreon-central centreon-broker]# ll /etc/centreon-broker/centreon-cert-central.*
-rw-r--r--. 1 root root 1123 Mar 15 14:30 /etc/centreon-broker/centreon-cert-central.csr
-rw-------. 1 root root 1704 Mar 15 14:29 /etc/centreon-broker/centreon-cert-central.key


 

  • Let's do the same thing on the Poller. There is one small difference here though: the certificate and key have to be created in /etc/centreon-engine, as the cbmod module that will use these files is managed by Centreon-Engine:
[root@centreon-poller centreon-engine]# openssl req -new -newkey rsa:2048 -nodes -keyout /etc/centreon-engine/centreon-cert-poller.key -out /etc/centreon-engine/centreon-cert-poller.csr
Generating a 2048 bit RSA private key
..................+++
....................+++
writing new private key to '/etc/centreon-engine/centreon-cert-poller.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:FR
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:Paris
Organization Name (eg, company) [Default Company Ltd]:MyCompany
Organizational Unit Name (eg, section) []:ProServices
Common Name (eg, your name or your server's hostname) []:centreon-cert-poller.mycompany.lan
Email Address []:admin@mycompany.lan

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:guimhcuugzjkehoebvih
An optional company name []:
[root@centreon-poller centreon-engine]# ll /etc/centreon-engine/centreon-cert-poller.*
-rw-r--r--. 1 root root 1123 Mar 15 15:14 /etc/centreon-engine/centreon-cert-poller.csr
-rw-------. 1 root root 1708 Mar 15 15:14 /etc/centreon-engine/centreon-cert-poller.key
[root@centreon-poller centreon-engine]#


 

Step 2: Generate CA key pair & certificate and sign the CSRs

  • On the PKI server, let's generate a self-signed CA certificate (and the related key pair) that will be trusted by the Centreon servers:
root@pki-server:~# openssl req -x509 -newkey rsa:2048 -nodes -keyout /etc/ssl/private/mycompanyCA.key -out /etc/ssl/certs/mycompanyCA.crt -days 720
Generating a RSA private key
...+++++
.............................................+++++
writing new private key to '/etc/ssl/private/mycompanyCA.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:France
Locality Name (eg, city) []:Paris
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:mycompany-pki
Email Address []:admin@mycompany.lan
root@pki-server:~# ll /etc/ssl/certs/mycompanyCA.crt
-rw-r--r-- 1 root root 1399 Mar 15 14:42 /etc/ssl/certs/mycompanyCA.crt
root@pki-server:~# ll /etc/ssl/private/mycompanyCA.key
-rw------- 1 root root 1704 Mar 15 14:41 /etc/ssl/private/mycompanyCA.key


 

Once the CA certificate and the CSRs of the Centreon servers have been generated, fetch the CSR files from both Centreon servers and copy them to the PKI server so that they can be signed.

  • Now that we have the CSR files, let's sign them to generate the related certificates:
root@pki-server:/tmp# openssl x509 -req -in /tmp/csr_tobesigned/centreon-cert-central.csr -CA /etc/ssl/certs/mycompanyCA.crt -CAkey /etc/ssl/private/mycompanyCA.key -CAcreateserial -out /tmp/crt_ready/centreon-cert-central.crt -days 720 -sha256
Signature ok
subject=C = FR, L = Paris, O = MyCompany, OU = ProServices, CN = centreon-cert-central.mycompany.lan, emailAddress = admin@mycompany.lan
Getting CA Private Key
root@pki-server:/tmp# openssl x509 -req -in /tmp/csr_tobesigned/centreon-cert-poller.csr -CA /etc/ssl/certs/mycompanyCA.crt -CAkey /etc/ssl/private/mycompanyCA.key -CAcreateserial -out /tmp/crt_ready/centreon-cert-poller.crt -days 720 -sha256
Signature ok
subject=C = FR, L = Paris, O = MyCompany, OU = ProServices, CN = centreon-cert-poller.mycompany.lan, emailAddress = admin@mycompany.lan
Getting CA Private Key
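Before handing the signed certificates over to the Centreon servers, it is worth checking on the PKI server that each one actually chains to our CA and belongs to the private key it will be used with; a certificate that fails either check is rejected by the peer during the TLS handshake, and the only symptom is a broker log error. The script below is an added example, not part of the original tutorial: it builds a throwaway CA and peer certificate in a temporary directory (with constructed subject names) and runs three checks with standard openssl commands, chain validation against the CA file, equality of the public key found in the certificate and in the key file, and 0600 permissions on the key file. The helper names and file names are assumptions for the demonstration; on a real deployment, point verify_peer_cert at the CA certificate, the .crt and the .key produced in the steps above.

```shell
#!/bin/sh
# Added example (not from the tutorial): sanity-check a CA-signed peer
# certificate before copying it to a Centreon server.
# Requires the openssl command-line tool; helper and file names are assumed.

# verify_peer_cert CA_CERT PEER_CERT PEER_KEY
# Prints "OK" and returns 0 when every check passes; otherwise prints the
# failing check and returns a non-zero code (1 chain, 2 key mismatch, 3 perms).
verify_peer_cert() {
    vp_ca="$1"; vp_cert="$2"; vp_key="$3"
    # 1. The certificate must chain to the CA that was used for signing.
    openssl verify -CAfile "$vp_ca" "$vp_cert" >/dev/null 2>&1 \
        || { echo "chain check failed: $vp_cert is not signed by $vp_ca"; return 1; }
    # 2. The public key inside the certificate must equal the one derived from
    #    the private key (compare SHA-256 of the DER-encoded SubjectPublicKeyInfo).
    vp_cert_spki=$(openssl x509 -in "$vp_cert" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}')
    vp_key_spki=$(openssl pkey -in "$vp_key" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}')
    [ "$vp_cert_spki" = "$vp_key_spki" ] \
        || { echo "key mismatch: $vp_key does not belong to $vp_cert"; return 2; }
    # 3. The private key must stay readable by its owner only, as the
    #    tutorial's 'll' output shows (-rw-------).
    vp_mode=$(stat -c %a "$vp_key" 2>/dev/null || stat -f %Lp "$vp_key")
    [ "$vp_mode" = "600" ] \
        || { echo "permission check failed: $vp_key is mode $vp_mode, expected 600"; return 3; }
    echo "OK"
}

# make_demo_pki: constructed throwaway CA + CA-signed peer certificate in a
# temp dir, mirroring Steps 1 and 2 above. Also creates an unrelated key
# (other.key) and a second, unrelated CA (other-ca.crt) so that the mismatch
# and wrong-CA detections can be shown. Prints the directory path.
make_demo_pki() {
    mp_dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$mp_dir/ca.key" -out "$mp_dir/ca.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=other-ca" \
        -keyout "$mp_dir/other-ca.key" -out "$mp_dir/other-ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-peer" \
        -keyout "$mp_dir/peer.key" -out "$mp_dir/peer.csr" 2>/dev/null
    openssl x509 -req -in "$mp_dir/peer.csr" -CA "$mp_dir/ca.crt" -CAkey "$mp_dir/ca.key" \
        -CAcreateserial -days 1 -sha256 -out "$mp_dir/peer.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$mp_dir/other.key" 2>/dev/null
    chmod 600 "$mp_dir/peer.key" "$mp_dir/other.key"
    echo "$mp_dir"
}

demo=$(make_demo_pki)
echo "peer.crt + peer.key, our CA   : $(verify_peer_cert "$demo/ca.crt" "$demo/peer.crt" "$demo/peer.key")"
echo "peer.crt + other.key, our CA  : $(verify_peer_cert "$demo/ca.crt" "$demo/peer.crt" "$demo/other.key")"
echo "peer.crt + peer.key, other CA : $(verify_peer_cert "$demo/other-ca.crt" "$demo/peer.crt" "$demo/peer.key")"
rm -rf "$demo"
```

The public-key comparison is done on the DER-encoded SubjectPublicKeyInfo rather than on the RSA modulus so that the same function also works for non-RSA keys. The permission check is there because the key file is copied around by hand in this procedure, and a key that ends up world-readable undoes the authentication the whole tutorial sets up.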

 

  • Finally, let's copy the generated certificates as well as the CA certificate to our Centreon servers.

Note the different destination folders depending on the target server (/etc/centreon-broker/ for the central server, /etc/centreon-engine/ for the Poller):

root@pki-server:/tmp# scp /tmp/crt_ready/centreon-cert-central.crt root@centreon-central:/etc/centreon-broker/
root@centreon-central's password:
centreon-cert-central.crt 100% 1318 973.4KB/s 00:00
root@pki-server:/tmp# scp /tmp/crt_ready/centreon-cert-poller.crt root@centreon-poller:/etc/centreon-engine/
root@centreon-poller's password:
centreon-cert-poller.crt 100% 1318 606.8KB/s 00:00
root@pki-server:/tmp# scp /etc/ssl/certs/mycompanyCA.crt root@centreon-central:/etc/centreon-broker/
root@centreon-central's password:
mycompanyCA.crt 100% 1399 567.4KB/s 00:00
root@pki-server:/tmp# scp /etc/ssl/certs/mycompanyCA.crt root@centreon-poller:/etc/centreon-engine/
root@centreon-poller's password:
mycompanyCA.crt

 

Now that we have all the certificates and keys needed to authenticate and secure the BBDO flows, let's jump into the Centreon configuration itself!

 

Configure Broker outputs in Centreon

 

Certificates have to be declared in the configuration of Centreon Broker on both sides:

  • on the central server input
  • on the Poller output

The configuration page related to Centreon Broker settings can be found in Configuration > Pollers > Broker configuration:

 

Central input

Open the central-broker-master configuration form and go to the Input tab; set Enable TLS encryption to Auto and fill in the three fields ('Private key file', 'Public certificate' and 'Trusted CA's certificate') with the paths of the files created previously:

Setting 'Auto' rather than 'Yes' is very important for this configuration: it allows Pollers not yet configured (as well as the Engine of the central server itself) to keep using the default, unsecured protocol, while the ones already configured negotiate the TLS layer.


When done, click on Save to save the new configuration.
 

Poller output

Let's now take care of the Poller side. Open the poller-module configuration page (the name may differ slightly depending on the name of the Poller) and go to the Output tab. As we did for the central server, set the paths of the required files here.
Note a few differences though:

  • Enable TLS encryption should be set to Yes
  • As seen previously, the target folders for a Poller will be /etc/centreon-engine

When done, click on Save to save the new configuration.


Export and apply the new configuration

 

Now that the configuration is done, let's finally generate and export the new configuration on both servers. Jump to the export page, select both central and Poller servers as instances, and select the Restart method:

Last but not least, log into the central server command line with sudo rights and restart Centreon Broker:


root@central-server:~# systemctl restart cbd
 

Et voilà! Flows between the central server and the Poller are now fully secured (authenticated and encrypted) in both directions. If you run into any trouble, check the related Centreon-Broker logs:

  • For the central server:

root@central-server:~# tail -f -n 100 /var/log/centreon-broker/central-broker-master.log

 

  • For the Poller:

root@poller-server:~# tail -f -n 100 /var/log/centreon-broker/poller-module.log
 

Hello,

I have an error when I activate TLS on the Poller:

[2023-05-10T09:23:36.331+02:00] [core] [trace] engine::publish one event to queue_
[2023-05-10T09:23:36.532+02:00] [tcp] [error] Error while reading on socket: End of file
[2023-05-10T09:23:36.532+02:00] [tls] [error] TLS: could not load certificate (/etc/centreon-engine/centreon-cert-poller.cer, /etc/centreon-engine/centreon-cert-poller.key): Error while reading file.
[2023-05-10T09:23:36.533+02:00] [core] [error] failover: global error: TLS: could not load certificate: Error while reading file.
[2023-05-10T09:23:36.533+02:00] [core] [debug] multiplexing: reprocessing unacknowledged events from central-module-master-output event queue
[2023-05-10T09:23:37.332+02:00] [core] [trace] engine::publish one event to queue_
[2023-05-10T09:23:38.333+02:00] [core] [trace] engine::publish one event to queue_
[2023-05-10T09:23:38.533+02:00] [tcp] [error] Error while reading on socket: End of file
 

Has anyone already got this message, and how can I resolve it?

thx


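Related to the log check at the end of the tutorial: the broker's "[tls] [error] TLS: could not load certificate (…, …)" line names the exact certificate and key paths it tried to open, which makes it a good starting point for a scripted check. The helper below is an added example, not part of the tutorial or of the comment above: it extracts every path listed in such lines (in the log format shown above) and checks each one for existence, readability and whether openssl can parse it as a PEM certificate or private key. The log lines and files it runs on are constructed in a temporary directory, and the helper names are assumptions. Keep in mind that the -r test always succeeds for root; to see what the daemon sees, run the check as the service account the daemon runs under.

```shell
#!/bin/sh
# Added example (not from the tutorial or the comment): list the certificate
# and key paths Centreon-Broker reported it could not load, and check each one.
# Requires the openssl command-line tool; helper names are assumed.

# tls_cert_paths LOGFILE
# Prints, one per line and de-duplicated, every path listed inside the
# parentheses of a "[tls] [error] ... could not load certificate (A, B)" line.
tls_cert_paths() {
    grep -F '[tls] [error]' "$1" \
        | sed -n 's/.*could not load certificate (\([^)]*\)).*/\1/p' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | sort -u
}

# check_pem_file PATH
# Returns 0 when the file exists, is readable and parses as a PEM certificate
# or private key; 1 when missing, 2 when unreadable, 3 when not PEM material.
check_pem_file() {
    cp_f="$1"
    [ -e "$cp_f" ] || { echo "$cp_f: missing"; return 1; }
    # note: as root, -r is always true; run as the service user for a real answer
    [ -r "$cp_f" ] || { echo "$cp_f: not readable"; return 2; }
    if openssl x509 -in "$cp_f" -noout >/dev/null 2>&1; then
        echo "$cp_f: certificate OK"; return 0
    fi
    if openssl pkey -in "$cp_f" -noout >/dev/null 2>&1; then
        echo "$cp_f: private key OK"; return 0
    fi
    echo "$cp_f: not a PEM certificate or key"; return 3
}

# check_log LOGFILE
# Runs check_pem_file on every path the log complains about. Per-file results
# go to stderr; the number of paths that failed a check is printed on stdout.
check_log() {
    cl_failed=0
    while IFS= read -r cl_p; do
        [ -n "$cl_p" ] || continue
        check_pem_file "$cl_p" >&2 || cl_failed=$((cl_failed + 1))
    done <<EOF
$(tls_cert_paths "$1")
EOF
    echo "$cl_failed"
}

# make_demo_log: constructed sample. A temp dir holds a valid key and a valid
# certificate, while the log names a ".cer" path that does not exist, so one
# of the two referenced files fails the check. Prints the directory path.
make_demo_log() {
    ml_dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-peer" \
        -keyout "$ml_dir/centreon-cert-poller.key" \
        -out "$ml_dir/centreon-cert-poller.crt" 2>/dev/null
    cat > "$ml_dir/poller-module.log" <<EOF
[2023-05-10T09:23:36.331+02:00] [core] [trace] engine::publish one event to queue_
[2023-05-10T09:23:36.532+02:00] [tcp] [error] Error while reading on socket: End of file
[2023-05-10T09:23:36.532+02:00] [tls] [error] TLS: could not load certificate ($ml_dir/centreon-cert-poller.cer, $ml_dir/centreon-cert-poller.key): Error while reading file.
[2023-05-10T09:23:36.533+02:00] [core] [error] failover: global error: TLS: could not load certificate: Error while reading file.
EOF
    echo "$ml_dir"
}

demo=$(make_demo_log)
echo "paths named in the log:"
tls_cert_paths "$demo/poller-module.log"
echo "paths failing a check: $(check_log "$demo/poller-module.log")"
rm -rf "$demo"
```

The same three checks apply to the central server's input configuration: run check_log against central-broker-master.log there, since a path typed into the Broker form that does not match the file actually copied is the first thing to rule out.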