Using SSL Communication with Linux-Based Agents

Related Documentation: Setting the agent port or permissions

Version of up.time Affected: All

Affected Platforms: Linux

You can secure communication between the up.time monitoring station and the up.time Linux agent by enabling SSL encryption. Enabling SSL is a two-step process: first enable SSL on the Linux agent system, then enable SSL in the up.time UI.

Enabling SSL on the Linux Agent System

To enable SSL encryption, complete the following steps on each agent system:

NOTE: Do not perform these steps on the monitoring station.

  1. Ensure Stunnel is installed on the agent server. If you do not have access to a distribution, you can download it from Stunnel.org.
  2. Edit the /etc/xinetd.d/uptimeagent file so that it includes the following configuration information:
    service uptimeagent
    {
            disable         = no
            flags           = REUSE
            socket_type     = stream
            wait            = no
            user            = nobody
            server          = /usr/sbin/stunnel
            server_args     = /etc/stunnel/uptimeagent.conf
    }
    
  3. Create the certificate that will be used by Stunnel. For example:
    openssl req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem
    
    The following is a sample stunnel.cnf for the openssl program:
    
    # create RSA certs - Server
    
    RANDFILE = stunnel.rnd
    
    [ req ]
    default_bits = 1024
    encrypt_key = yes
    distinguished_name = req_dn
    x509_extensions = cert_type
    
    [ req_dn ]
    countryName = Country Name (2 letter code)
    countryName_default             = PL
    countryName_min                 = 2
    countryName_max                 = 2
    
    stateOrProvinceName             = State or Province Name (full name)
    stateOrProvinceName_default     = Some-State
    
    localityName                    = Locality Name (eg, city)
    
    0.organizationName              = Organization Name (eg, company)
    0.organizationName_default      = Stunnel Developers Ltd
    
    organizationalUnitName          = Organizational Unit Name (eg, section)
    #organizationalUnitName_default =
    
    0.commonName                    = Common Name (FQDN of your server)
    0.commonName_default            = localhost
    
    # To create a certificate for more than one name uncomment:
    # 1.commonName                  = DNS alias of your server
    # 2.commonName                  = DNS alias of your server
    # ...
    # See http://home.netscape.com/eng/security/ssl_2.0_certificate.html
    # to see how Netscape understands commonName.
    
    [ cert_type ]
    nsCertType = server
    
  4. Copy stunnel.pem to /etc/stunnel/uptimeagent.pem.

    NOTE: Permissions on uptimeagent.pem should be set to 600, with the uptimeagent as the owner; otherwise, a permissions issue may be encountered when the agent is called.

  5. Create the /etc/stunnel/uptimeagent.conf file and add the following lines:
    cert=/etc/stunnel/uptimeagent.pem
    exec=/opt/uptime-agent/bin/uptimeagent
    
  6. Restart the xinetd service. After doing this, your agent should now be in SSL mode.

    You can verify that your agent is communicating securely by running the following command on your monitoring station:

    agentcmd +s -p 9998 <hostname> df-k
     

    NOTE: You can change the port on which to enable SSL to any value. To change the default agent port to something other than 9998, edit the /etc/services file, and restart xinetd. You can also use the agent-configure.sh script (see Setting the agent port or permissions for more information).
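
A check for the agent-side files described above, as an added example that is not part of the original article: it follows the chain from the xinetd service file to the Stunnel configuration to the PEM file and confirms the mode 600 and owner requirement from the note. The function names, the script name and the owner argument are assumptions of this example; cert_key_bits needs the openssl command-line tool.

```sh
#!/bin/sh
# Added example: audit the files created by the agent-side steps.
# Paths are arguments so the checks can also be run against test copies.

# conf_value FILE KEY: print the value of "KEY = value" (xinetd style) or
# "KEY=value" (stunnel style) from FILE. First match wins.
conf_value() {
    awk -F= -v k="$2" '
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }
    ' "$1"
}

# cert_key_bits PEM: print the certificate's public-key size (needs the
# openssl CLI). The sample stunnel.cnf sets default_bits = 1024.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# audit_agent_ssl XINETD_FILE OWNER: follow xinetd -> stunnel conf -> PEM.
# OWNER is the account expected to own the PEM (an argument of this example).
# Prints the first failure and returns 1, or prints OK and returns 0.
audit_agent_ssl() {
    if [ "$(conf_value "$1" server)" != /usr/sbin/stunnel ]; then
        echo "FAIL: $1 does not start /usr/sbin/stunnel"; return 1
    fi
    a_conf=$(conf_value "$1" server_args)
    if [ -z "$a_conf" ] || [ ! -f "$a_conf" ]; then
        echo "FAIL: stunnel config named in server_args not found"; return 1
    fi
    a_pem=$(conf_value "$a_conf" cert)
    if [ -z "$a_pem" ] || [ ! -f "$a_pem" ]; then
        echo "FAIL: cert= file not found"; return 1
    fi
    a_ls=$(ls -ld "$a_pem")
    # The PEM holds the unencrypted key (-nodes), so require -rw------- (600).
    if [ "$(printf '%s\n' "$a_ls" | cut -c1-10)" != "-rw-------" ]; then
        echo "FAIL: $a_pem is not mode 600"; return 1
    fi
    if [ "$(printf '%s\n' "$a_ls" | awk '{print $3}')" != "$2" ]; then
        echo "FAIL: $a_pem is not owned by $2"; return 1
    fi
    echo OK
}

# Run as (audit.sh is a hypothetical name): sh audit.sh /etc/xinetd.d/uptimeagent OWNER
if [ "$#" -eq 2 ]; then audit_agent_ssl "$1" "$2"; fi
```

A key size below 2048 bits reported by cert_key_bits is worth regenerating with a larger default_bits value, since current TLS libraries may refuse smaller RSA keys.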

Enabling SSL in the up.time UI

If the Linux agent has already been added to up.time, complete the following steps in the up.time Web interface for each agent system that you want to configure to use SSL.

  1. Click My Enterprise.
  2. Click the name of the agent system for which you want to enable SSL.
  3. On the system information page, click the Edit Performance Monitor link in the System Profile section.
  4. In the new Edit Service Monitor window that appears, select the Use SSL (HTTPS) option.
  5. Click Save.

    Once saved, your monitoring station and agent system will be communicating via SSL.

If you have not yet added the agent system to up.time, follow the steps that are detailed in the up.time User Guide. When adding the agent system, ensure that the Agent Port Number option is set to 9998, and that the Use SSL (HTTPS) option is enabled.


Copyright © 2021 IDERA, Inc.