Zabbix Documentation 5.0


3 Secure connections to database

Overview

It is possible to configure secure TLS connections to MySQL and PostgreSQL databases from:

  • Zabbix frontend
  • Zabbix server or proxy

Frontend configuration

Options for configuring secure connections to the database become available when the TLS encryption checkbox is marked in the Configure DB connection step of installing Zabbix frontend.

Parameter: TLS encryption
Description: Mark this checkbox to activate encryption for connections to the Zabbix database. Even if no other parameters are filled, connections will be TLS-encrypted if this checkbox is marked.

TLS parameters (shown once TLS encryption is marked):

Parameter: TLS key file
Description: Specify the full path to a valid TLS key file.

Parameter: TLS certificate file
Description: Specify the full path to a valid TLS certificate file.

Parameter: TLS certificate authority file
Description: Specify the full path to a valid TLS certificate authority file.

Parameter: With host verification
Description: Mark this checkbox to activate host verification.

Parameter: TLS cipher list
Description: Specify a custom list of valid ciphers. The format of the cipher list must conform to the OpenSSL standard. This field is available for MySQL only.

TLS parameters must point to valid files. If they point to non-existent or invalid files, a connection error will be displayed. If TLS parameters point to files that are open for writing, the frontend generates a warning in the System information report that "TLS certificate files must be read-only."
Use cases

Configuration: None (leave TLS encryption unmarked)
Result: Connection to the database without encryption.

Configuration:
  1. Mark TLS encryption only
Result: Secure TLS connection to the database.

Configuration:
  1. Mark TLS encryption
  2. Specify TLS certificate authority file
Result: Secure TLS connection to the database; the database server certificate is verified and confirmed to be signed by a trusted certificate authority.

Configuration:
  1. Mark TLS encryption
  2. Specify TLS certificate authority file
  3. Mark With host verification
  4. Specify TLS cipher list (optional)
Result: Secure TLS connection to the database; the database server certificate is checked by comparing the host name in the certificate with the name of the host being connected to, and it is confirmed that the certificate is signed by a trusted certificate authority.

Configuration:
  1. Mark TLS encryption
  2. Specify TLS key file
  3. Specify TLS certificate file
  4. Specify TLS certificate authority file
  5. Mark With host verification
  6. Specify TLS cipher list (optional)
Result: Secure TLS connections to the database are established with maximum security. Whether the client is required to present its certificate is configured on the database server side.

Zabbix server/proxy configuration

Secure connections to the database can be configured with the respective parameters in the Zabbix server and/or proxy configuration file.

Configuration: None
Result: Connection to the database without encryption.

Configuration:
  1. Set DBTLSConnect=required
Result: Server/proxy makes a TLS connection to the database; an unencrypted connection is not allowed.

Configuration:
  1. Set DBTLSConnect=verify_ca
  2. Set DBTLSCAFile - specify the TLS certificate authority file
Result: Server/proxy makes a TLS connection to the database after verifying the database certificate.

Configuration:
  1. Set DBTLSConnect=verify_full
  2. Set DBTLSCAFile - specify the TLS certificate authority file
Result: Server/proxy makes a TLS connection to the database after verifying the database certificate and the database host identity.

Configuration:
  1. Set DBTLSCAFile - specify the TLS certificate authority file
  2. Set DBTLSCertFile - specify the client public key certificate file
  3. Set DBTLSKeyFile - specify the client private key file
Result: Server/proxy presents a client certificate while connecting to the database.

Configuration:
  1. Set DBTLSCipher - the list of encryption ciphers that the client permits for connections using TLS protocols up to TLS 1.2, or DBTLSCipher13 - the list of encryption ciphers that the client permits for connections using the TLS 1.3 protocol
Result: (MySQL) The TLS connection is made using a cipher from the provided list. (PostgreSQL) Setting this option is treated as an error.
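The following script is an added example and is not part of the Zabbix documentation or the Zabbix code base. It reads the DBTLS* parameters listed in the server/proxy table above out of a zabbix_server.conf-style file and reports what level of protection they give (unencrypted, encrypted only, CA-verified, or CA- and host-verified), flags combinations the table describes as errors (a verify_* mode without DBTLSCAFile, a client certificate without its key, cipher options on PostgreSQL), and checks that the referenced files exist and are not writable, mirroring the "TLS certificate files must be read-only" warning the frontend gives. The parameter names are the ones on this page; the two sample configuration texts, the file paths and the cipher name in them, and the decision to apply the read-only check to server/proxy files are constructed for this example.

```python
import os
import stat

# Parameters from the server/proxy table; the three file parameters are checked on disk.
TLS_FILE_KEYS = ("DBTLSCAFile", "DBTLSCertFile", "DBTLSKeyFile")
CONNECT_LEVELS = ("required", "verify_ca", "verify_full")

# Constructed sample: encryption is on, but the database server's certificate is never verified.
WEAK_CONF = """\
DBHost=db.example.internal
DBTLSConnect=required
"""

# Constructed sample: the verify_full row of the table plus a client certificate and a cipher list.
HARDENED_CONF = """\
DBHost=db.example.internal
DBTLSConnect=verify_full
DBTLSCAFile=/etc/zabbix/ssl/ca.crt
DBTLSCertFile=/etc/zabbix/ssl/zabbix-server.crt
DBTLSKeyFile=/etc/zabbix/ssl/zabbix-server.key
DBTLSCipher=ECDHE-RSA-AES256-GCM-SHA384
"""


def parse_config(text):
    """Parse 'Key=Value' lines of a Zabbix server/proxy config; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def assess_db_tls(params, db_type="mysql"):
    """Grade the connection the way the table above does.

    Returns (level, problems): level is 'unencrypted', 'required', 'verify_ca'
    or 'verify_full'; problems lists combinations the table treats as errors.
    """
    problems = []
    connect = params.get("DBTLSConnect")
    if connect is None:
        level = "unencrypted"          # table: no DBTLSConnect -> no encryption
    elif connect in CONNECT_LEVELS:
        level = connect
    else:
        level = "unencrypted"
        problems.append("DBTLSConnect=%s is not a recognised value" % connect)

    # Both verify_* modes need a CA file to check the server certificate against.
    if level in ("verify_ca", "verify_full") and not params.get("DBTLSCAFile"):
        problems.append("%s requires DBTLSCAFile" % level)

    # A client certificate is only usable when the certificate and its private key are both set.
    if bool(params.get("DBTLSCertFile")) != bool(params.get("DBTLSKeyFile")):
        problems.append("DBTLSCertFile and DBTLSKeyFile must be set together")

    # The table: cipher options are a MySQL-only feature and an error on PostgreSQL.
    if db_type == "postgresql":
        for key in ("DBTLSCipher", "DBTLSCipher13"):
            if key in params:
                problems.append("%s is not supported for PostgreSQL" % key)
    return level, problems


def check_tls_files(params):
    """Report referenced TLS files that are missing or carry any write permission bit.

    Applying the frontend's read-only expectation to server/proxy files is this
    example's own choice; the mode-bit test is used because it is deterministic.
    """
    issues = []
    for key in TLS_FILE_KEYS:
        path = params.get(key)
        if not path:
            continue
        try:
            mode = os.stat(path).st_mode
        except FileNotFoundError:
            issues.append("%s: %s does not exist" % (key, path))
            continue
        if mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH):
            issues.append("%s: %s is writable" % (key, path))
    return issues


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        params = parse_config(text)
        for db_type in ("mysql", "postgresql"):
            level, problems = assess_db_tls(params, db_type)
            print("%s/%s: level=%s problems=%s" % (name, db_type, level, problems))
        print("%s: file issues=%s" % (name, check_tls_files(params)))
```

Run it against a real configuration by replacing the sample text with the contents of /etc/zabbix/zabbix_server.conf; a result of "required" with no problems is still worth acting on, since without DBTLSCAFile nothing ties the encrypted session to the intended database server.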