
Allow autoregistration with TLS Certificate


      Hi,

      we are currently evaluating Zabbix for replacing our current monitoring system. As most of our VM deployment is automated, we'd like to automate adding VMs to Zabbix. Most of our VMs are IPv6 only, so we intend to use active agent auto registration. Our VMs already receive X509 certificates via Puppet, so we might also use these certificates for auto registration.
      I can implement this feature myself, but of course we'd prefer this to be integrated into the official version of Zabbix instead of patching ourselves at each new version. Therefore, I'd like to know your opinion on the changes proposed below and on integrating this into the official version before actually implementing it.

      Changes to database:

      table autoreg_host: add columns "tls_subject" and "tls_issuer" containing the client cert's subject/issuer
      table config_autoreg_tls: add column "tls_issuer" containing a valid cert issuer

      Changes to zabbix_server code:

      zabbix_server/trapper/active.c:
      db_register_host:

      • add arguments for tls_subject and tls_issuer, passed through to DBregister_host

      get_hostid_by_host:

      • check if TLS_CERT is used in if (SUCCEED == zbx_autoreg_check_permissions(host, ip, port, sock))
      • if so, fill tls_subject and tls_issuer

      zbx_autoreg_check_permissions:

      • If TLS_CERT is used
        • check if cert is signed by CA, fail otherwise.
        • check if issuer matches any issuer from table config_autoreg_tls, fail otherwise.
      • Either check if certificate's subject (capture from /^CN=([^\.]+)/) matches host or extend config_autoreg_tls to also contain valid domains for each issuer and check if host+domain matches the subject.

      libs/zbxdbhigh/db.c:
      DBregister_host:

      • Add arguments for tls_subject and tls_issuer, pass through to DBregister_host_prepare

      DBregister_host_prepare:

      • Add arguments for tls_subject and tls_issuer, insert into DB

      zabbix_server/operations.c:
      add_discovered_host:

      • copy tls_subject and tls_issuer from autoreg_host to hosts

      Changes to web interface (which would have to be implemented by someone else):
      Administration -> General -> Autoregistration:

      • add Encryption level "TLS Certificate"
      • if selected, add "Change TLS Certificate" similar to "Change PSK"
      • there, allow to specify tls_issuer(s) and domain(s) if this is implemented in zbx_autoreg_check_permissions.
      • For our use case, accepting anything which is with the CA cert is OK, so I suggest that these fields should be optional and if they are unspecified, only validation against the CA cert is done.

      best regards,
      Jan-Martin
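The TLS_CERT branch of zbx_autoreg_check_permissions as proposed above, as an added Python model that is not Zabbix code and not part of this issue or its attached patches. AutoregTlsPolicy (a stand-in for the proposed config_autoreg_tls rows), check_autoreg_cert and the DN strings are constructed assumptions; the subject is assumed to be in Zabbix's "CN=...,O=..." form so that the proposal's `^CN=` regex applies, and the CA signature result is passed in as a boolean.

```python
import re
from dataclasses import dataclass, field


@dataclass
class AutoregTlsPolicy:
    # Constructed stand-in for the proposed config_autoreg_tls rows:
    # allowed issuer DN -> domains a host may register under ([] = short-name match).
    issuers: dict = field(default_factory=dict)


def _full_cn(tls_subject):
    # Subject is assumed in Zabbix's "CN=...,O=..." form; take the leading CN value.
    m = re.match(r"^CN=([^,]+)", tls_subject)
    return m.group(1).lower() if m else None


def check_autoreg_cert(host, tls_issuer, tls_subject, policy, ca_verified):
    """Model of the proposed TLS_CERT branch of zbx_autoreg_check_permissions().
    Returns (accepted, reason). Order follows the proposal: CA signature first,
    then the issuer list, then subject-vs-host."""
    if not ca_verified:
        return False, "certificate not signed by the configured CA"
    if not policy.issuers:
        # Author's suggested default: no issuers configured -> CA validation only.
        return True, "CA-only validation (no issuers configured)"
    if tls_issuer not in policy.issuers:
        return False, "issuer not listed in config_autoreg_tls"
    cn = _full_cn(tls_subject)
    if cn is None:
        return False, "subject has no leading CN attribute"
    domains = policy.issuers[tls_issuer]
    host = host.lower()
    if not domains:
        # Option 1 from the proposal: /^CN=([^\.]+)/ -> label before the first dot.
        # Note this accepts the host under ANY domain, since the domain is never compared.
        short = re.match(r"^([^.]+)", cn).group(1)
        if short == host:
            return True, "short CN label matches host (domain not checked)"
        return False, "short CN label does not match host"
    # Option 2 from the proposal: host + a domain registered for this issuer
    # must equal the full CN, so a cert for another domain is rejected.
    for d in domains:
        if cn == f"{host}.{d.lower()}":
            return True, f"CN matches host under issuer domain {d}"
    return False, "CN does not match host under any issuer domain"
```

The two branches make the difference between the proposal's two subject-check options visible: the short-name match accepts "vm01.other.tld" for host "vm01", while the host+domain match only accepts a CN under a domain registered for that issuer.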

      Attachments:

      1. tls-cert-autoreg-5.2.3.diff (12 kB, Jan-Martin Rämer)
      2. zabbix-frontend.patch (4 kB, Jan-Martin Rämer)
      3. zabbix-tls-cert-autoreg.diff (12 kB, Jan-Martin Rämer)

      zabbix.dev Zabbix Development Team
      raemer Jan-Martin Rämer
      Votes: 4
      Watchers: 10