Cada clave precompartida (PSK) en Zabbix en realidad es una pareja de:
La cadena de identidad PSK es una cadena UTF-8 no vacía. Por ejemplo, "ID de PSK 001 Zabbix agentd". Es un nombre único con el que se identifica este PSK específico. al que se refieren los componentes de Zabbix. No ponga información sensible en la cadena de identidad PSK: se transmite a través de la red sin cifrar.
El valor PSK es una cadena de dígitos hexadecimales difícil de adivinar, por ejemplo, "e560cb0d918d26d31b4f642181f5f570ad89a390931102e5391d08327ba434e9".
There are size limits for PSK identity and value in Zabbix, in some cases a crypto library can have lower limit:
Component | PSK identity max size | PSK value min size | PSK value max size |
---|---|---|---|
Zabbix | 128 UTF-8 characters | 128-bit (16-byte PSK, entered as 32 hexadecimal digits) | 2048-bit (256-byte PSK, entered as 512 hexadecimal digits) |
GnuTLS | 128 bytes (may include UTF-8 characters) | - | 2048-bit (256-byte PSK, entered as 512 hexadecimal digits) |
OpenSSL 1.0.x, 1.1.0 | 127 bytes (may include UTF-8 characters) | - | 2048-bit (256-byte PSK, entered as 512 hexadecimal digits) |
OpenSSL 1.1.1 | 127 bytes (may include UTF-8 characters) | - | 512-bit (64-byte PSK, entered as 128 hexadecimal digits) |
OpenSSL 1.1.1a and later | 127 bytes (may include UTF-8 characters) | - | 2048-bit (256-byte PSK, entered as 512 hexadecimal digits) |
Zabbix frontend allows configuring up to 128-character long PSK identity string and 2048-bit long PSK regardless of crypto libraries used.
If some Zabbix components support lower limits, it is the user's responsibility to configure PSK identity and value with allowed length for these components.
Exceeding length limits results in communication failures between Zabbix components.
Before Zabbix server connects to agent using PSK, the server looks up the PSK identity and PSK value configured for that agent in database (actually in configuration cache). Upon receiving a connection the agent uses PSK identity and PSK value from its configuration file. If both parties have the same PSK identity string and PSK value the connection may succeed.
Each PSK identity must be paired with only one value. It is the user's responsibility to ensure that there are no two PSKs with the same identity string but different values. Failing to do so may lead to unpredictable disruptions of communication between Zabbix components using PSKs with this PSK identity string.
Por ejemplo, se puede generar una PSK de 256 bits (32 bytes) utilizando los siguientes comandos:
$ psktool -u psk_identity -p database.psk -s 32
Generating a random key for user 'psk_identity'
Key stored to database.psk
$ cat database.psk
psk_identity:9b8eafedfaae00cece62e85d5f4792c7d9c9bcc851b23216a1d300311cc4f7cb
Tenga en cuenta que el comando "psktool" anterior genera un archivo de base de datos con una identidad PSK y su PSK asociado. Zabbix espera sólo un PSK en el archivo PSK, por lo que la cadena de identidad y los dos puntos (':') deben eliminarse del archivo.
On the agent host, write the PSK value into a file, for example, /home/zabbix/zabbix_agentd.psk
. The file must contain PSK in the first text string, for example:
Set access rights to PSK file - it must be readable only by Zabbix user.
Edit TLS parameters in agent configuration file zabbix_agentd.conf
, for example, set:
The agent will connect to server (active checks) and accept from server and zabbix_get
only connections using PSK. PSK identity will be "PSK 001".
Restart the agent. Now you can test the connection using zabbix_get
, for example:
$ zabbix_get -s 127.0.0.1 -k "system.cpu.load[all,avg1]" --tls-connect=psk \
--tls-psk-identity="PSK 001" --tls-psk-file=/home/zabbix/zabbix_agentd.psk
(To minimize downtime see how to change connection type in Connection encryption management).
Configure PSK encryption for this agent in Zabbix frontend:
Example:
All mandatory input fields are marked with a red asterisk.
When configuration cache is synchronized with database the new connections will use PSK. Check server and agent logfiles for error messages.
On the proxy, write the PSK value into a file, for example, /home/zabbix/zabbix_proxy.psk
. The file must contain PSK in the first text string, for example:
Set access rights to PSK file - it must be readable only by Zabbix user.
Edit TLS parameters in proxy configuration file zabbix_proxy.conf
, for example, set:
The proxy will connect to server using PSK. PSK identity will be "PSK 002".
(To minimize downtime see how to change connection type in Connection encryption management).
Configure PSK for this proxy in Zabbix frontend. Go to Administration→Proxies, select the proxy, go to "Encryption" tab. In "Connections from proxy" mark PSK
. Paste into "PSK identity" field "PSK 002" and "e560cb0d918d26d31b4f642181f5f570ad89a390931102e5391d08327ba434e9" into "PSK" field. Click "Update".
Restart proxy. It will start using PSK-based encrypted connections to server. Check server and proxy logfiles for error messages.
For a passive proxy the procedure is very similar. The only difference - set TLSAccept=psk
in proxy configuration file and set "Connections to proxy" in Zabbix frontend to PSK
.