Support for SSL / TLS protocol


(Rckosai) #1

Hi, There.

We have an internal security requirement to deploy encrypted TLS 1.2 (or higher) between the check_mk node agents and the check_mk management servers.

Is that possible?

If yes, could you point us to any documentation on how to enable it and set it up?

Otherwise, what is the highest security level we can enable?

Check_mk: Appliance
Version: Latest version


(Philipp Näther) #2

To secure web access to your appliance over https use this doc https://mathias-kettner.com/cms_cma_ssl.html.


(Rckosai) #3

Hi, Philipp

How about data communication between the agent and the cmk servers? I found the chapter talking about data encryption
[https://mathias-kettner.com/cms_agent_linux.html] section 6.4. Inbuilt encryption, but it isn't clear what type of protocol is used.


(Philipp Näther) #4

The inbuilt encryption as stated in the doc you linked is done by a “simple” AES 256 encryption via passphrase.

exec > >(openssl enc -aes-256-cbc -md md5 -k "$PASSPHRASE" -nosalt)

The agent - server communication over TCP is not encrypted the way TLS would do it. But I guess you have to deal with this since you can’t rewrite how cmk works. (Well of course you could implement it since the raw version is open source. :smiley: )

To secure the master > slave TCP connections you want to use a tunneling mechanism that supports SSL/TLS (e.g. stunnel).
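
Added example, not part of the thread or of Check_MK's code: what the flags in the `openssl enc` line from post #4 mean for key handling. Without `-pbkdf2`, `openssl enc -md md5 -k` derives the key and IV with OpenSSL's legacy EVP_BytesToKey (one MD5 round per block), and `-nosalt` makes that derivation a pure function of the passphrase. The passphrase below is a constructed sample.

```python
import hashlib
import os


def evp_bytes_to_key(passphrase: bytes, salt: bytes = b"",
                     key_len: int = 32, iv_len: int = 16):
    """Legacy OpenSSL KDF (EVP_BytesToKey, MD5, count=1).

    D1 = MD5(pass || salt), Dn = MD5(Dn-1 || pass || salt);
    key || iv is the first key_len + iv_len bytes of D1 || D2 || ...
    """
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.md5(block + passphrase + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def compare_derivations(passphrase: bytes):
    """Derive AES-256-CBC key/IV twice without salt and twice with salt."""
    nosalt_1 = evp_bytes_to_key(passphrase)            # as with -nosalt
    nosalt_2 = evp_bytes_to_key(passphrase)
    salted_1 = evp_bytes_to_key(passphrase, os.urandom(8))  # 8-byte salt,
    salted_2 = evp_bytes_to_key(passphrase, os.urandom(8))  # as without -nosalt
    return {
        "nosalt_identical": nosalt_1 == nosalt_2,
        "salted_identical": salted_1 == salted_2,
        "key": nosalt_1[0],
        "iv": nosalt_1[1],
    }


if __name__ == "__main__":
    result = compare_derivations(b"password")  # constructed sample passphrase
    print("key:", result["key"].hex())
    print("iv: ", result["iv"].hex())
    # Same key AND same IV on every connection: identical agent output
    # encrypts to identical ciphertext, and CBC alone carries no integrity
    # check or peer authentication, which TLS 1.2 would provide.
    print("no salt -> identical key/IV each run:", result["nosalt_identical"])
    print("salted  -> identical key/IV each run:", result["salted_identical"])
```

The first 16 bytes of the derived key are simply MD5(passphrase), so the strength of the scheme rests entirely on the passphrase; a TLS tunnel such as the stunnel setup mentioned in post #4 adds per-session keys, integrity and authentication on top.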