In the first versions, one of the things that was missing most was encryption in the communications between the various elements of the architecture.
This caused the need, in order to guarantee the
security of our installations, to be solved by means of VPNs, SSH tunnels and other common solutions to protect non-secure services. This meant an overload of the systems and complicated their administration and maintenance.
Fortunately, the people at
Zabbix have solved it and there is now support,
since version 3.0, for encrypting communications
based on TLS v.1.2. As a first technical point, and we think it is an excellent idea, is the support they have given to
3 different libraries: OpenSSL, GnuTLS and mbedTLS. This, besides giving a great flexibility when using some specific feature that may interest us from any of these libraries, may be vital in case a vulnerability is discovered in one of them (the infamous Heartbleed for example), allowing to change to another more secure one in a more or less simple way.
Having said that, let's see what 2 encryption methods are proposed:
- Pre-Shared Key: this is the easiest method to configure, but probably the most difficult to manage on a large scale.
Essentially it involves generating a key - between 32 and 512 characters - that has both - and ideally only both - ends of the communication complex enough to be difficult to guess. It is configured in the field we see in the image called "PSK". The field "PSK identity" is a basic identifier that is not secret and is not encrypted; we could put "muutech", for example, or a domain.
- Based on certificates: it is the most complex method to configure (if you are not used to work with certificates) but it is also the option that best scales and can be better managed because there are several methods and software for secure management of certificates.
As almost always when working with certificates, it is necessary a certification authority (CA or Certificate Authority) to sign the certificates we generate. Zabbix does not accept "self-signed" certificates. This certification authority can be ourselves (it is a matter of trust) or use an external agent (such as FNMT, GlobalSign, etc.). On the Internet you can find 1001 tutorials that will explain how these certificates can be generated and signed. The idea is to generate and sign a certificate for the server, for each agent, proxy, etc whose communication we want to encrypt. These certificates are put in the right directory for each element, we configure in the host/proxy what we need as you can see in the image... et voilà!