Pre-shared key encryption

Let's start with a simple situation: a single new host for which the Zabbix server will accept PSK-encrypted incoming connections only, and to which we will send some values using zabbix_sender. For that to work, both the Zabbix server and zabbix_sender must be compiled with TLS support. The PSK configuration consists of a PSK identity and a key. The identity is a string that is not considered secret; it is transmitted in plain text during the TLS handshake, so do not put sensitive information in the identity string. The key is a string of hexadecimal digits and must be kept secret, because anyone who knows it can authenticate as this host.

Tip

Zabbix requires the key to be at least 32 hexadecimal digits (128 bits) long. The maximum in Zabbix is 512 hexadecimal digits, but the effective maximum might be lower depending on the TLS backend library (OpenSSL, GnuTLS, or mbed TLS) and its version.

We could type a key in manually, but it is easier, and much safer, to let the openssl command generate one from its cryptographic random number generator:

$ openssl rand -hex 64

This prints 64 random bytes as 128 hexadecimal digits, that is, a 512-bit key, which we will use in a moment. Navigate to Configuration | Hosts, click on Create host, and fill in these values:

  • Hostname: Encrypted host
  • Groups: Have only Linux servers in the In groups block

Switch to the Encryption tab, and in the Connections from host section, leave only PSK marked. In the PSK identity field, enter secret and paste the key we generated earlier in the PSK field:

[Figure: Pre-shared key encryption]

When done, click on the Add button at the bottom. Take a look at the AGENT ENCRYPTION column for this host:

[Figure: Pre-shared key encryption]

The first block has only one field and currently says NONE. Only one connection type can be selected for connections to the agent, so this block shows the type the server will use for outgoing connections to this host. The second block has three fields. Any combination of accepted incoming connection types can be chosen, so this block shows which types of connections the server accepts from this host. Notice that we changed only the incoming side; connections from the server to an agent on this host would still be unencrypted.

Now, click on Items next to Encrypted host, and click on Create item. Fill in these values:

  • Name: Beers in the fridge
  • Type: Zabbix trapper
  • Key: fridge.beers

Click on the Add button at the bottom. Let's try to send a value now, like we did in Chapter 11, Advanced Item Monitoring:

$ zabbix_sender -z 127.0.0.1 -s "Encrypted host" -k fridge.beers -o 1

That should fail:

info from server: "processed: 0; failed: 1; total: 1; seconds spent: 0.000193"

Notice how the processed count is 0 and the failed count is 1. Let's check the Zabbix server log file:

12254:20160122:231030.702 connection of type "unencrypted" is not allowed for host "Encrypted host" item "fridge.beers" (not every rejected item might be reported)

Now that's actually quite a helpful message: we did not specify any encryption for zabbix_sender, but we did require an encrypted connection for our host. Notice the text in parentheses. If multiple items on the same host fail for this reason, only some of them might be logged, so searching the log file by item key alone might not reveal the reason.

Now is the time to get the PSK working for zabbix_sender. Run it with the --help parameter, and look at the TLS connection options section. Oh yes, there are quite a lot of those. Luckily, for PSK encryption, we only need three of them: --tls-connect, --tls-psk-identity, and --tls-psk-file. Before running the command, create a file in the current directory called zabbix_encrypted_host_psk.txt, and paste the hex key we generated earlier in it.

Tip

It is more secure to create an empty file first, change its permissions to owner-only (0400 or 0600), and paste the key into the file afterwards; that way, another user never has a chance to snatch the key from the file, not even in the moment between creating it and restricting it. If a specific user is supposed to invoke zabbix_sender, make sure that user owns the file. Also avoid typing the key on a command line, as that would leave it in the shell history.

Run zabbix_sender again, but with the three additional encryption parameters:

$ zabbix_sender -z 127.0.0.1 -s "Encrypted host" -k fridge.beers -o 1 --tls-connect psk --tls-psk-identity secret --tls-psk-file zabbix_encrypted_host_psk.txt

We set the connection type to psk with the --tls-connect flag and specified the PSK identity and key file now.

Note

Zabbix deliberately does not accept the PSK itself on the command line; it must be read from a file. The command line of a running process is visible to every local user (for example, in ps output) and would also end up in the shell history.

This time, the value should be sent successfully:

info from server: "processed: 1; failed: 0; total: 1; seconds spent: 0.000070"

To be sure, verify that this item now has data in the frontend.
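The whole procedure above (generating the key as in the openssl step earlier, storing it in a file that only its owner can read, and passing it to zabbix_sender with the three TLS parameters) as one POSIX shell script. This is an added example, not code from the book or from Zabbix itself. It assumes the host name Encrypted host, the PSK identity secret and the item key fridge.beers from the text, a Zabbix server listening on 127.0.0.1, and zabbix_sender on the PATH; the function names (validate_psk, gen_psk, write_psk_file, check_psk_file, send_encrypted) and the script name psk_setup.sh are my own.

```shell
#!/bin/sh
# Added example (not from the book): generate, validate and store a Zabbix PSK
# with owner-only file permissions, then send a value with zabbix_sender.
# Assumed names: host "Encrypted host", identity "secret", item key
# fridge.beers, server 127.0.0.1 (all from the text above).

# Zabbix accepts a PSK of 32..512 hexadecimal digits. The count must be even,
# since each pair of hex digits encodes one key byte.
validate_psk() {
    key=$1
    len=${#key}
    case $key in
        *[!0-9a-fA-F]*|'') return 1 ;;
    esac
    [ "$len" -ge 32 ] && [ "$len" -le 512 ] && [ $((len % 2)) -eq 0 ]
}

# Print NBYTES random bytes as lowercase hex: the same thing as
# "openssl rand -hex NBYTES" in the text, with /dev/urandom as a fallback.
gen_psk() {
    nbytes=${1:-64}
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex "$nbytes"
    else
        od -An -tx1 -N"$nbytes" /dev/urandom | tr -d ' \n'
    fi
}

# Create the key file with mode 0600 *before* any key material is written:
# umask 077 makes it owner-only from the moment it exists, so there is no
# window in which another user could read the key (the tip in the text).
write_psk_file() {
    path=$1 key=$2
    validate_psk "$key" || { echo "invalid PSK: need 32..512 hex digits" >&2; return 1; }
    ( umask 077 && : > "$path" ) || return 1
    chmod 600 "$path" || return 1
    printf '%s\n' "$key" > "$path"
}

# Refuse a key file that group or others can read. Columns 5-10 of "ls -l"
# are the group and other permission bits; all six must be "-".
check_psk_file() {
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# The zabbix_sender invocation from the text, guarded by the file check.
send_encrypted() {
    psk_file=$1 value=$2
    check_psk_file "$psk_file" || { echo "refusing: $psk_file is readable by others" >&2; return 1; }
    zabbix_sender -z 127.0.0.1 -s "Encrypted host" -k fridge.beers -o "$value" \
        --tls-connect psk --tls-psk-identity secret --tls-psk-file "$psk_file"
}

# Usage: sh psk_setup.sh zabbix_encrypted_host_psk.txt
# Creates the key file and sends the value 1. Paste the printed key into the
# PSK field of the host in the frontend before running it.
if [ -n "${1:-}" ]; then
    psk=$(gen_psk 64)
    write_psk_file "$1" "$psk" && printf 'PSK for the frontend: %s\n' "$psk" \
        && send_encrypted "$1" 1
fi
```

The script keeps the key out of the shell history and out of ps output: the only place it is ever typed is the frontend PSK field, and zabbix_sender reads it from the file. check_psk_file is the runtime counterpart of the tip about file permissions; if someone later loosens the mode, the value is not sent and the reason is printed.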
