TLS PSK Identity between Server - Proxy - Agent

  • fittim
    Junior Member
    • Apr 2016
    • 15

    #1

    TLS PSK Identity between Server - Proxy - Agent

    I'm facing a problem with the "PSK Identity key" when trying to configure TLS PSK encryption between Agent -> Proxy -> Server.

    ----------------------------------------------------------------------------------
    Proxy: configured with another "PSK Identity key A" and PSK file fA.
    Agent: configured with "PSK Identity key B" and PSK file fB.


    ----------------------------------------------------------------------------------
    In zabbix_agentd.conf, Server and ServerActive are the Proxy IP. I don't want the agent to send data directly to the Zabbix server.

    ----------------------------------------------------------------------------------
    Administration -> Proxies: It's ok with the "PSK Identity key A" and fA. This is a PASSIVE PROXY
    Configuration -> Hosts: Add the agent host with "PSK Identity key B" and fB. Proxy through the Proxy server.

    ----------------------------------------------------------------------------------
    ERROR:
    Server
    Code:
    cannot connect to proxy "proxy": TCP successful, cannot establish TLS to [[1.2.3.4]:1111]: SSL_connect() I/O error: [104] Connection reset by peer
    Agent
    Code:
    failed to accept an incoming connection: from 1.2.3.4: TLS handshake returned error code 1: file s3_srvr.c line 2768: error:1408B0DF:SSL routines:ssl3_get_client_key_exchange:psk identity not found: TLS write fatal alert "unknown PSK identity"

    When I use an "unencrypted" connection for the PROXY and keep "PSK" for the Agent, all is fine.
    What am I misunderstanding?
  • vesper1978
    Member
    • Nov 2016
    • 59

    #2
    Sounds like a misconfiguration on either the Zabbix frontend or in the zabbix_proxy.conf on the Zabbix Proxy.


    • fittim
      Junior Member
      • Apr 2016
      • 15

      #3
      I'm confused about the PSK identity of the Proxy and Agent: are they the same or not (because the agent connects to the proxy)?
      Are there any docs that show how the encryption works between server-proxy-agent?


      • vesper1978
        Member
        • Nov 2016
        • 59

        #4
        There are 2 encrypted connections.

        1) Zabbix Server <--> Zabbix Proxy
        Here you need to be sure that you have the Zabbix Proxy configured for PSK in the Zabbix Front End, and in the zabbix_proxy.conf on the Zabbix Proxy. On the Zabbix Front End go to Administration -> Proxies -> Your Proxy > Encryption. This information needs to be the same as what's in the zabbix_proxy.conf on your Zabbix Proxy.

        2) Zabbix Proxy <--> Zabbix Agent
        Here's the confusing part. You don't configure this at all on the Zabbix Proxy. You configure it in the Zabbix Front End, and in the zabbix_agent.conf. The Zabbix Server will send the PSK config to the Zabbix Proxy. On the Zabbix Front End find the host the agent is installed on and click on Encryption. This information needs to be the same as what's in your zabbix_agent.conf on that host.


        • fittim
          Junior Member
          • Apr 2016
          • 15

          #5
          Originally posted by vesper1978
          There are 2 encrypted connections.

          1) Zabbix Server <--> Zabbix Proxy
          Here you need to be sure that you have the Zabbix Proxy configured for PSK in the Zabbix Front End, and in the zabbix_proxy.conf on the Zabbix Proxy. On the Zabbix Front End go to Administration -> Proxies -> Your Proxy > Encryption. This information needs to be the same as what's in the zabbix_proxy.conf on your Zabbix Proxy.

          2) Zabbix Proxy <--> Zabbix Agent
          Here's the confusing part. You don't configure this at all on the Zabbix Proxy. You configure it in the Zabbix Front End, and in the zabbix_agent.conf. The Zabbix Server will send the PSK config to the Zabbix Proxy. On the Zabbix Front End find the host the agent is installed on and click on Encryption. This information needs to be the same as what's in your zabbix_agent.conf on that host.
          Thank you vesper1978, it's working fine. But the change I made is ProxyMode, from PASSIVE to ACTIVE (default). Maybe with the Passive mode, the encryption flow works the other way. I cannot find any deeper docs on Zabbix for encryption.


          • vesper1978
            Member
            • Nov 2016
            • 59

            #6
            Doesn't matter if the ProxyMode is ACTIVE or PASSIVE, it still works the way I described above. The only difference between an ACTIVE or PASSIVE Proxy is this:

            Active - the proxy will connect to the Zabbix server and request configuration data
            Passive - Zabbix server connects to the proxy

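The two links described in post #4, as an added example that is not part of any post in this thread and is not Zabbix project code: a small checker that compares each daemon's PSK settings with the frontend entry for the same link and reports the kind of mismatch that produces "unknown PSK identity". The identities, IP address, file path and key values are constructed samples, and `parse_conf`, `check_link` and `audit` are hypothetical helper names; the check assumes Zabbix's documented PSK format of 32 to 512 hexadecimal digits.

```python
import re

HEX_PSK = re.compile(r"[0-9a-fA-F]{32,512}")  # assumed Zabbix PSK format: 32-512 hex digits

def parse_conf(text):
    """Parse Zabbix 'Key=Value' lines, skipping comments and blank lines."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def check_link(link, conf_text, psk_file_text, frontend):
    """Return mismatches between a daemon's PSK settings and the frontend entry."""
    conf, psk, problems = parse_conf(conf_text), psk_file_text.strip(), []
    modes = conf.get("TLSAccept", "") + "," + conf.get("TLSConnect", "")
    if "psk" not in modes.split(","):
        problems.append(f"{link}: PSK not enabled in TLSAccept/TLSConnect")
    if conf.get("TLSPSKIdentity") != frontend["identity"]:
        problems.append(f"{link}: identity {conf.get('TLSPSKIdentity')!r} != "
                        f"frontend {frontend['identity']!r}")
    if not HEX_PSK.fullmatch(psk):
        problems.append(f"{link}: PSK file is not 32-512 hex digits")
    elif psk.lower() != frontend["psk"].lower():
        problems.append(f"{link}: PSK value differs from frontend")
    return problems

# Constructed sample input: config file contents, PSK file contents, frontend fields.
PROXY_CONF = ("ProxyMode=1\nTLSAccept=psk\nTLSPSKIdentity=PSK-proxy-A\n"
              "TLSPSKFile=/etc/zabbix/proxy.psk\n")
AGENT_CONF = ("# zabbix_agentd.conf\nServer=192.0.2.10\nServerActive=192.0.2.10\n"
              "TLSConnect=psk\nTLSAccept=psk\nTLSPSKIdentity=PSK-agent-B\n")
KEY_A, KEY_B = "1f" * 16, "2e" * 16  # constructed 128-bit keys, never use as real PSKs
FRONTEND = {
    # Administration -> Proxies -> proxy -> Encryption
    "server<->proxy": {"identity": "PSK-proxy-A", "psk": KEY_A},
    # Host -> Encryption; deliberately wrong: the proxy's identity entered for the agent
    "proxy<->agent": {"identity": "PSK-proxy-A", "psk": KEY_B},
}

def audit():
    """Check both links; the proxy itself holds no settings for the agent link."""
    return (check_link("server<->proxy", PROXY_CONF, KEY_A, FRONTEND["server<->proxy"])
            + check_link("proxy<->agent", AGENT_CONF, KEY_B, FRONTEND["proxy<->agent"]))

if __name__ == "__main__":
    print("\n".join(audit()) or "all links consistent")
```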