Last Updated on December 30, 2022 by Thiago Crepaldi
If you have deployed Zabbix Server on your Proxmox infrastructure, you might be interested in hardening the Zabbix installation with SSL certificates for the web frontend. You might also be interested in encrypting the communication between Zabbix Server and the other Zabbix components, such as Agents and Proxies. After all, although it is just monitoring data, it is your infrastructure's DNA crossing your network, so why not hide it from curious eyes?
In this post we are going to discuss how to encrypt that communication with TLS Pre-Shared Keys, aka TLS PSK. That means we will create a strong “password” (accompanied by a friendly name) and configure both ends of the connection with them, so they can use this shared secret to encrypt and decrypt the data.
Creating a strong PSK
As pointed out by the Zabbix documentation, the keys are hexadecimal digits with a minimum size of 16 bytes (32 hex digits) and a maximum size of 256 bytes (512 hex digits). The friendly identity name is plain text with a maximum length of 127 bytes. In this post I will use a 32-digit PSK, but feel free to change it to your preference.
Although you could type any 32- to 512-digit hex string by hand, using a Linux command is always easier. I will use openssl, as it is widely available on most Linux and FreeBSD distributions, including Debian, Ubuntu, Proxmox and pfSense.
$ openssl rand -hex 32
af8ced32dfe8714e548694e2d29e1a14ba6fa13f216cb35c19d0feb1084b0429
Configuring Server – Agent communication
You can refer to the Zabbix PSK documentation for a deeper discussion, but in short you have to configure the Zabbix Server side through the Web UI and the Agent through its configuration file. Here we go…
Agent configuration
On the agent host, write the PSK value into a file, for example /etc/zabbix/zabbix_agent2.psk. The file must contain the PSK as its first line, as shown in the previous section, for example:
af8ced32dfe8714e548694e2d29e1a14ba6fa13f216cb35c19d0feb1084b0429
Set access rights on the PSK file – it must be readable only by the Zabbix user.
# chmod 700 /etc/zabbix/zabbix_agent2.psk
# chown zabbix:zabbix /etc/zabbix/zabbix_agent2.psk
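The two steps above (the size bounds from “Creating a strong PSK” and writing the key file so that only its owner can read it) combined in an added shell example that is not from the original post. It assumes openssl is on PATH; the chown to the zabbix user is left to the operator because it needs root.

```shell
#!/bin/sh
# Added example (not from the original post): generate a Zabbix TLS PSK within
# the documented bounds and install it so only its owner can read it.
# Assumes openssl on PATH; chown to the zabbix user is left to the operator
# because it needs root.
PSK_MIN_BYTES=16    # 32 hex digits
PSK_MAX_BYTES=256   # 512 hex digits

# gen_psk BYTES -> prints 2*BYTES lowercase hex digits, or fails when BYTES is
# not an integer in the range Zabbix accepts
gen_psk() {
  bytes=$1
  case "$bytes" in
    '' | *[!0-9]*) echo "gen_psk: '$bytes' is not a number" >&2; return 1 ;;
  esac
  if [ "$bytes" -lt "$PSK_MIN_BYTES" ] || [ "$bytes" -gt "$PSK_MAX_BYTES" ]; then
    echo "gen_psk: $bytes bytes is outside $PSK_MIN_BYTES..$PSK_MAX_BYTES" >&2
    return 1
  fi
  openssl rand -hex "$bytes"
}

# install_psk PSK PATH -> writes PSK as the first (and only) line of PATH.
# The umask in the subshell makes the file 0600 from creation, so it is never
# world-readable even briefly; the chmod handles a pre-existing file.
install_psk() {
  ( umask 077 && printf '%s\n' "$1" > "$2" ) && chmod 600 "$2"
}

# Constructed demo: a 32-byte key into a temporary directory, then show its mode.
demo=$(mktemp -d)
key=$(gen_psk 32) && install_psk "$key" "$demo/zabbix_agent2.psk"
ls -l "$demo/zabbix_agent2.psk"
rm -rf "$demo"
```

Passing 32 to gen_psk yields 32 random bytes, which openssl prints as 64 hex digits, matching the sample key shown above.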
Edit the TLS parameters in the agent configuration file zabbix_agent2.conf, for example, set:
# vim /etc/zabbix/zabbix_agent2.conf
# Outgoing (active checks) and incoming (passive checks) connections both use PSK
TLSConnect=psk
TLSAccept=psk
# The file written above; the identity must match the one entered in the frontend
TLSPSKFile=/etc/zabbix/zabbix_agent2.psk
TLSPSKIdentity=MyHostnamePSK
The snippet above assumes you are using Zabbix Agent 2 instead of the legacy Zabbix Agent. This is the best route, but if you are stuck with the legacy Agent, the file name is actually /etc/zabbix/zabbix_agentd.conf.
Let’s restart the agent to apply the changes:
# systemctl restart zabbix-agent2
Server configuration
Visit your Zabbix Web frontend and, after logging in, go to Monitoring >> Hosts and click on your agent's host name. When the configuration dialog is displayed, head to the Encryption tab and set:
- Connections to host: PSK
- Connections from host: PSK
- PSK identity: MyHostnamePSK (any string with NO sensitive data; it must match TLSPSKIdentity in the agent configuration)
- PSK: af8ced32dfe8714e548694e2d29e1a14ba6fa13f216cb35c19d0feb1084b0429
Click on Update to complete. The last step is restarting the Zabbix server to apply the changes:
# systemctl restart zabbix-server
When you go to Zabbix Frontend >> Configuration >> Hosts, you should see your agent's encryption shown as PSK in the host table.
Configuring Server – Proxy communication
Proxy configuration
On the proxy host, write the PSK value into a file, for example /etc/zabbix/zabbix_proxy.psk. The file must contain the PSK as its first line, as shown in the previous section, for example:
af8ced32dfe8714e548694e2d29e1a14ba6fa13f216cb35c19d0feb1084b0429
Set access rights on the PSK file – it must be readable only by the Zabbix user.
# chmod 700 /etc/zabbix/zabbix_proxy.psk
# chown zabbix:zabbix /etc/zabbix/zabbix_proxy.psk
Edit the TLS parameters in the proxy configuration file zabbix_proxy.conf, for example, set:
# vim /etc/zabbix/zabbix_proxy.conf
# Passive proxy (the server connects to the proxy)
TLSAccept=psk
# Active proxy (the proxy connects to the server)
TLSConnect=psk
# The file written above; the identity must match the one entered in the frontend
TLSPSKFile=/etc/zabbix/zabbix_proxy.psk
TLSPSKIdentity=MyHostnamePSK
DO NOT set both TLSAccept and TLSConnect; pick one depending on whether your proxy is passive or active. Let’s restart the proxy to apply the changes:
# systemctl restart zabbix-proxy
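Before restarting either daemon it pays to check that the files and settings agree. This added shell script (not from the post or from Zabbix) audits the PSK-related settings of a zabbix_agent2.conf or zabbix_proxy.conf against the rules quoted in this post: PSK length and hex content, key-file permissions, identity length, and the TLSAccept/TLSConnect exclusivity for a proxy. It assumes POSIX sh with GNU stat (-c); the config and key file it builds in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the post or Zabbix): pre-flight audit of the TLS PSK
# settings in zabbix_agent2.conf / zabbix_proxy.conf. Assumes GNU stat -c.
# Checks: PSK file holds 32..512 hex digits on its first line and is not
# readable by group/other; TLSPSKIdentity <= 127 bytes; a proxy sets only one
# of TLSAccept / TLSConnect (an agent may set both).

# conf_get FILE KEY -> value of the last uncommented "KEY=value" line, trimmed
conf_get() {
  sed -n "/^[[:space:]]*$2=/{s///;s/[[:space:]]*\$//;p;}" "$1" | tail -n 1
}

# fail MSG -> print the finding and count it
fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

# audit_psk_conf FILE [agent|proxy] -> one FAIL line per problem; the return
# code is the number of problems (0 means the PSK setup is consistent)
audit_psk_conf() {
  conf=$1; role=${2:-agent}; fails=0
  accept=$(conf_get "$conf" TLSAccept); connect=$(conf_get "$conf" TLSConnect)
  pskfile=$(conf_get "$conf" TLSPSKFile); ident=$(conf_get "$conf" TLSPSKIdentity)
  if [ "$role" = proxy ] && [ -n "$accept" ] && [ -n "$connect" ]; then
    fail "proxy sets both TLSAccept and TLSConnect"
  fi
  if [ -z "$pskfile" ]; then fail "TLSPSKFile is not set"
  elif [ ! -r "$pskfile" ]; then fail "$pskfile is missing or unreadable"
  else
    mode=$(stat -c '%a' "$pskfile")
    case "$mode" in *00) ;; *) fail "$pskfile mode $mode is readable by group/other" ;; esac
    psk=$(head -n 1 "$pskfile"); len=${#psk}
    case "$psk" in
      '' | *[!0-9a-fA-F]*) fail "first line of $pskfile is not hexadecimal" ;;
      *) [ "$len" -ge 32 ] && [ "$len" -le 512 ] && [ $((len % 2)) -eq 0 ] ||
           fail "PSK is $len hex digits, need an even count in 32..512" ;;
    esac
  fi
  if [ -z "$ident" ]; then fail "TLSPSKIdentity is not set"
  elif [ "$(printf '%s' "$ident" | wc -c | tr -d ' ')" -gt 127 ]; then fail "TLSPSKIdentity exceeds 127 bytes"
  fi
  return "$fails"
}

# Constructed demo: a passive-proxy layout mirroring the post's snippet.
d=$(mktemp -d)
printf '%s\n' af8ced32dfe8714e548694e2d29e1a14ba6fa13f216cb35c19d0feb1084b0429 > "$d/zabbix_proxy.psk"
chmod 600 "$d/zabbix_proxy.psk"
printf 'TLSAccept=psk\nTLSPSKFile=%s\nTLSPSKIdentity=MyHostnamePSK\n' "$d/zabbix_proxy.psk" > "$d/zabbix_proxy.conf"
audit_psk_conf "$d/zabbix_proxy.conf" proxy && echo "OK: no findings"
rm -rf "$d"
```

Run it as `audit_psk_conf /etc/zabbix/zabbix_proxy.conf proxy` (or with `agent` for the agent file) and fix every FAIL line before the systemctl restart.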
Server configuration
Visit your Zabbix Web frontend and, after logging in, go to Administration >> Proxies and click on your proxy name. When the configuration dialog is displayed, head to the Encryption tab and set:
- Connections from proxy: PSK (if your proxy is active)
- Connections to proxy: PSK (if your proxy is passive)
- PSK identity: MyHostnamePSK (any string with NO sensitive data; it must match TLSPSKIdentity in the proxy configuration)
- PSK: af8ced32dfe8714e548694e2d29e1a14ba6fa13f216cb35c19d0feb1084b0429
DO NOT set both Connections from proxy and Connections to proxy; pick one depending on whether your proxy is active or passive. Click on Update to complete. The last step is restarting the Zabbix server to apply the changes:
# systemctl restart zabbix-server
When you go to Zabbix Frontend >> Administration >> Proxies, you should see your proxy's encryption shown as PSK in the proxy table.
That is it, have fun!