We are currently evaluating Zabbix to replace our current monitoring system. As most of our VM deployment is automated, we'd like to automate adding VMs to Zabbix. Most of our VMs are IPv6 only, so we intend to use active agent auto registration. Our VMs already receive X509 certificates via Puppet, so we might also use these certificates for auto registration.
I can implement this feature myself, but of course we'd prefer this to be integrated into the official version of Zabbix instead of patching it ourselves at each new version. Therefore, I'd like to know your opinion on the changes proposed below, and on integrating them into the official version, before actually implementing them.
Changes to database:
- table autoreg_host: add columns "tls_subject" and "tls_issuer" containing the client cert's subject/issuer
- table config_autoreg_tls: add column "tls_issuer" containing a valid cert issuer
Changes to zabbix_server code:
- add arguments for tls_subject and tls_issuer, passed through to DBregister_host
- check if TLS_CERT is used in if (SUCCEED == zbx_autoreg_check_permissions(host, ip, port, sock))
  - if so, fill tls_subject and tls_issuer
- if TLS_CERT is used:
  - check if the cert is signed by the CA, fail otherwise.
  - check if the issuer matches any issuer from table config_autoreg_tls, fail otherwise.
  - either check if the certificate's subject (capture from /^CN=([^\.]+)/) matches host, or extend config_autoreg_tls to also contain valid domains for each issuer and check if host+domain matches the subject.
- add arguments for tls_subject and tls_issuer, pass through to DBregister_host_prepare
- add arguments for tls_subject and tls_issuer, insert into DB
- copy tls_subject and tls_issuer from autoreg_host to hosts
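As an illustration of the permission check sketched above (added example, not Zabbix code and not part of the proposal): a stand-alone C function that reads the CN out of the client certificate's subject DN, requires the issuer to be on an allow-list standing in for the proposed config_autoreg_tls rows, and then either compares the CN's first label against the host (the /^CN=([^\.]+)/ variant) or, when a domain is configured for that issuer, compares host+domain against the whole CN. The allow-list, the function names and the sample DNs are constructed for this example; the CA signature check is assumed to have already happened in the TLS handshake.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Constructed allow-list standing in for the proposed config_autoreg_tls rows.
   A NULL domain means only the CN's first label is compared with the host. */
static const struct { const char *issuer; const char *domain; } allowed[] = {
    { "CN=Puppet CA: puppet.example.com", "example.com" },
    { "CN=Lab CA", NULL },
};

/* Copy the CN value out of a subject DN written as "CN=...,O=...".
   Returns 0 on success, -1 if there is no leading CN= or it does not fit. */
static int subject_cn(const char *subject, char *cn, size_t cn_size)
{
    regex_t re; regmatch_t m[2]; int rc = -1;

    if (0 != regcomp(&re, "^CN=([^,]+)", REG_EXTENDED))
        return -1;
    if (0 == regexec(&re, subject, 2, m, 0)) {
        size_t len = (size_t)(m[1].rm_eo - m[1].rm_so);
        if (len < cn_size) {
            memcpy(cn, subject + m[1].rm_so, len);
            cn[len] = '\0';
            rc = 0;
        }
    }
    regfree(&re);
    return rc;
}

/* Return 1 if the issuer is allow-listed and the certificate CN matches the
   host asking to autoregister, 0 otherwise (unknown issuer, bad DN, mismatch). */
int autoreg_cert_permits(const char *host, const char *tls_issuer, const char *tls_subject)
{
    char cn[256], expected[512];
    size_t i, label;

    if (0 != subject_cn(tls_subject, cn, sizeof(cn)))
        return 0;
    for (i = 0; i < sizeof(allowed) / sizeof(allowed[0]); i++) {
        if (0 != strcmp(allowed[i].issuer, tls_issuer))
            continue;
        if (NULL != allowed[i].domain) {   /* host + domain must equal the full CN */
            snprintf(expected, sizeof(expected), "%s.%s", host, allowed[i].domain);
            return 0 == strcmp(cn, expected);
        }
        label = strcspn(cn, ".");          /* first CN label must equal the host */
        return label == strlen(host) && 0 == strncmp(cn, host, label);
    }
    return 0;
}
```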
Changes to web interface (which would have to be implemented by someone else):
Administration -> General -> Autoregistration:
- add Encryption level "TLS Certificate"
- if selected, add "Change TLS Certificate" similar to "Change PSK"
- there, allow specifying tls_issuer(s) and domain(s) if this is implemented in zbx_autoreg_check_permissions.
- For our use case, accepting anything signed with the CA cert is OK, so I suggest that these fields should be optional and, if they are unspecified, only validation against the CA cert is done.