Module: check_mk
Branch: master
Commit: 2f88e97a1ea7ea46668c901d4ba561a8c2f90699
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=2f88e97a1ea7ea…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Feb 5 21:10:14 2019 +0100
Updated werk 7017 text
Change-Id: I30dceaf11f6583b6813dfae2ee6d6b99765c950f
---
.werks/7017 | 34 ++++++++++++++++++++++++++--------
1 file changed, 26 insertions(+), 8 deletions(-)
diff --git a/.werks/7017 b/.werks/7017
index 4896060..346b2db 100644
--- a/.werks/7017
+++ b/.werks/7017
@@ -18,7 +18,7 @@ communication in their local setup.
To improve the security for all users of Check_MK, we have now changed
the Livestatus TCP communication to be encrypted by default using TLS.
This is realized using an internal CA and internally generated
-certificates.
+certificates by default.
Existing sites that already have Livestatus via TCP enabled before
updating to 1.6 still use the unencrypted communication for
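Review bot: the added "by default" at the end of `+certificates by default.` duplicates the "encrypted by default" in the sentence directly before it ("changed the Livestatus TCP communication to be encrypted by default using TLS"); keep one of the two, e.g. leave this sentence as `certificates.` and let the previous sentence carry the "by default", or reword it to say what the default alternative is (internal CA versus user-supplied certificates).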
@@ -26,6 +26,18 @@ compatibility. An analyze configuration" test will create a CRITICAL
message about the unencrypted Livestatus TCP configuration in this
situation.
+If you want to encrypt the Livestatus communication between two sites,
+you first have to update both sites to use Check_MK 1.6. Then you will
+have to enable the 'omd config' option LIVESTATUS_TCP_TLS. After that
+go to the 'Distributed Monitoring' configuration page on the central
+site and enable "Encryption" for the remote site connection. If you use
+the internal site certificate, you will now have open the
+"Livestatus encryption" detail page of the site which should show you
+that the certificate of the remote site is not trusted by the central
+site. Klick on the "Add to trusted CAs" icon button in the certificate
+chain list to establish the tust with the remote site. Once this is
+done your livestatus connection should be encrypted and working fine.
+
Technical details:
<ul>
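Review bot: the new paragraph has three typos in user-facing werk text: "Klick on" should be "Click on", "establish the tust" should be "establish the trust", and "you will now have open the" is missing "to" ("you will now have to open the"). The step "enable the 'omd config' option LIVESTATUS_TCP_TLS" also does not say on which site it is needed; since the list below describes stunnel serving the TLS-wrapped socket once that option is enabled, it is presumably the remote (Livestatus server) site, and the text should say so. The unchanged context line `An analyze configuration" test` in this hunk has an unbalanced quote as well.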
@@ -38,14 +50,20 @@ Technical details:
to manage the sites local certificates.</li>
<li>The site local certificate is created automatically during update or
site creation.</li>
-<li>The sites local CA and certificates are stored in 'etc/ssl'. The CA
-certificate is always located at 'etc/ssl/ca.pem'.</li>
+<li>The CA certificate is always located at 'etc/ssl/ca.pem'.</li>
+<li>The site certificate is located at 'etc/ssl/sites/[site].pem'</li>
+<li>Both files are in PEM format and need to have the private key and
+ certificate stored in a single file.</li>
<li>The keys are 2048 bit RSA keys and the certificates are signed using
SHA512.</li>
-<li>The CA certificate is valid for 10 years, the site certificates are
- valid for 3 years.</li>
-<li>Check_MK / OMD code may use 'omdlib.certs.SiteLocalCA(site_id)' to
- use the local CA</li>
+<li>These certificates are valid for 999 years.</li>
+<li>The site PEM file should contain the certificates of the whole
+ certificate chain.</li>
+<li>In case you want to use other site certificates, you are free to
+ replace the site PEM file with your own. Please note that you will
+ have to restart the stunnel process of the site to apply the change.</li>
<li>stunnel is introduced as site internal daemon that serves the TLS
- wrapped socket once it has been enabled through 'omd config'.
+ wrapped socket once it has been enabled through 'omd config'.</li>
+<li>The livestatus_status check is now checking for the livestatus
+ certificate expiration time.</li>
</ul>
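Review bot: `+<li>These certificates are valid for 999 years.</li>` replaces the previous 10-year CA / 3-year site certificate lifetimes with an effectively unlimited one, which makes the `livestatus_status` expiration check added two items further down nearly meaningless for the built-in certificates and leaves no natural point for key rotation; if the goal is to avoid surprise expiry of automatically created certificates, state that reasoning and document how to re-create the internal CA and site certificates (the text only covers replacing the site PEM with your own and restarting stunnel). Two smaller points: `the sites local certificates` in the context line should be `the site's local certificates`, and the items `Both files are in PEM format and need to have the private key and certificate stored in a single file` and `The site PEM file should contain the certificates of the whole certificate chain` would read better merged into one statement that the site PEM holds the private key, the site certificate and the rest of the chain.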
Module: check_mk
Branch: master
Commit: 130a3d0e4c55ef3ce58797ed4b8a70c1ef57664d
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=130a3d0e4c55ef…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Wed Feb 6 08:25:48 2019 +0100
Enable liveproxy by default when available
CMK-1535
Change-Id: I9beb591bc88ef668dec23232ee8b1dcf4da4e3ff
---
cmk/gui/wato/pages/sites.py | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/cmk/gui/wato/pages/sites.py b/cmk/gui/wato/pages/sites.py
index c68f65b..e9b2f42 100644
--- a/cmk/gui/wato/pages/sites.py
+++ b/cmk/gui/wato/pages/sites.py
@@ -148,6 +148,12 @@ class ModeEditSite(WatoMode):
"replication": None,
}
+ if watolib.ConfigDomainLiveproxy.enabled():
+ self._site.update({
+ "proxy": {},
+ "timeout": 2,
+ })
+
else:
try:
self._site = configured_sites[self._site_id]
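Review bot: the literal `"timeout": 2` here and the "2 seconds" mentioned in the help text of the later hunk are the same value written in two places; a module-level constant (e.g. a named default proxy timeout) would keep them from drifting apart. It would also help to add a short comment that this block only affects newly created sites, since the `else:` branch loading `configured_sites[self._site_id]` leaves existing site configurations untouched, which is what "when available" in the commit title seems to intend.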
@@ -289,11 +295,13 @@ class ModeEditSite(WatoMode):
size=2,
unit=_("Seconds"),
minvalue=0,
- help=_("This sets the time that Multisite waits for a connection "
+ help=_("This sets the time that the GUI waits for a connection "
"to the site to be established before the site is "
- "considered to be unreachable. If not set, the operating system "
- "defaults are begin used and just one login attempt is being. "
- "performed."),
+ "considered to be unreachable. It is highly recommended to set a value "
+ "as low as possible here because this setting directly affects the GUI "
+ "response time when the destionation is not reachable. When using the "
+ "Livestatus Proxy Daemon the GUI connects to the local proxy, in this "
+ "situation a lower value, like 2 seconds is recommended."),
)),
("persist",
Checkbox(
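Review bot: the new help string contains the typo "destionation" (should be "destination") and "a lower value, like 2 seconds is recommended" needs a comma after "seconds"; since the text sits inside `_()` and will be picked up for translation, fixing it in this change avoids shipping a msgid that has to be corrected (and re-translated) later.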
Module: check_mk
Branch: master
Commit: 69009d27e17df21fd3f04bc26884a547c234f4e9
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=69009d27e17df2…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Feb 5 16:31:41 2019 +0100
Write certificate chain to site CA file
This makes the site CA certificate available to the SSL clients
through stunnel. This way the user will be able to add the CA
certificate to the list of trusted CAs using the GUI.
CMK-1535
Change-Id: If6ace1ded887055ea6104c8cf31e9f3980782bd9
---
omd/packages/omd/omdlib/certs.py | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/omd/packages/omd/omdlib/certs.py b/omd/packages/omd/omdlib/certs.py
index e321f2b..5d7c2b1 100644
--- a/omd/packages/omd/omdlib/certs.py
+++ b/omd/packages/omd/omdlib/certs.py
@@ -61,7 +61,8 @@ class CertificateAuthority(object):
"""Initialize the root CA key / certficate in case it does not exist yet"""
if self.is_initialized:
return
- self._write_pem(self._root_cert_path, *self._create_root_certificate())
+ root_cert, root_key = self._create_root_certificate()
+ self._write_pem(self._root_cert_path, [root_cert], root_key)
def _create_root_certificate(self):
# type: () -> Tuple[str, str]
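Review bot: the call now passes `[root_cert]` as a list to `_write_pem`, but `_create_root_certificate` is still annotated `# type: () -> Tuple[str, str]` while the returned values end up in `crypto.dump_certificate` and `crypto.dump_privatekey`, which take pyOpenSSL `X509` and `PKey` objects rather than strings; update this annotation (and the `List[str]` in the `_write_pem` hunk) to the actual object types so a type checker can catch mismatches between the tuple and the new list argument.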
@@ -93,10 +94,7 @@ class CertificateAuthority(object):
def create_site_certificate(self, site_id):
# type: (str) -> str
- """Creates the key / certificate for the given Check_MK site
-
- It lazily initializes the CA in case it has not been initialized yet.
- """
+ """Creates the key / certificate for the given Check_MK site"""
if not self.is_initialized:
raise Exception("Certificate authority is not initialized yet")
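Review bot: the shortened docstring now matches the behaviour (the method raises instead of lazily initializing the CA), which is good; consider raising a more specific type than bare `Exception`, for example `RuntimeError` or a small module-level error class, so callers can distinguish "CA not initialized" from other failures without matching on the message text.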
@@ -120,7 +118,8 @@ class CertificateAuthority(object):
def write_site_certificate(self, site_id, cert, key):
# type: (str, str, str) -> None
- self._write_pem(self.site_certificate_path(site_id), cert, key)
+ certificate_chain = [cert, self._get_root_certificate()[0]]
+ self._write_pem(self.site_certificate_path(site_id), certificate_chain, key)
def site_certificate_path(self, site_id):
# type: (str) -> Path
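Review bot: `self._get_root_certificate()[0]` appears to load the root CA private key together with its certificate (the `[0]` indexes a cert/key pair) only to append the certificate to the chain; reading the CA key on every site certificate write widens where that key is handled, so a helper that returns just the root certificate would be cleaner. Also worth a comment: appending the self-signed root to the served chain is what lets the GUI offer "Add to trusted CAs", but a root presented by the peer must not be trusted merely because it was sent, so the trust decision has to stay an explicit action on the central site.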
@@ -145,12 +144,13 @@ class CertificateAuthority(object):
key.generate_key(crypto.TYPE_RSA, 2048)
return key
- def _write_pem(self, path, cert, key):
- # type: (Path, str, str) -> None
+ def _write_pem(self, path, certificate_chain, key):
+ # type: (Path, List[str], str) -> None
path.parent.mkdir(mode=0o770, parents=True, exist_ok=True)
with path.open(mode="wb") as f:
f.write(crypto.dump_privatekey(FILETYPE_PEM, key))
- f.write(crypto.dump_certificate(FILETYPE_PEM, cert))
+ for cert in certificate_chain:
+ f.write(crypto.dump_certificate(FILETYPE_PEM, cert))
path.chmod(mode=0o660)
def _read_pem(self, path):
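Review bot: `path.open(mode="wb")` creates the file with whatever the process umask allows and the private key is written into it before `path.chmod(mode=0o660)` runs, so with a permissive umask the key is briefly readable by others; create the file with a restrictive mode up front, e.g. `os.fdopen(os.open(str(path), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o660), "wb")`, instead of tightening permissions after the write. The new `# type: (Path, List[str], str) -> None` annotation is also inaccurate, since `crypto.dump_certificate` and `crypto.dump_privatekey` take `X509` and `PKey` objects, not `str`.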
Module: check_mk
Branch: master
Commit: a9a20c0d5f81a007ad928b8110ea48d33ef0305d
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=a9a20c0d5f81a0…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon Feb 4 12:07:31 2019 +0100
Add Livestatus TLS detail page
* This page can be used to view information about the server certificate
that is used by Livestatus of the chosen site.
* In case a certificate can not be verified by the central site, a trust
can be established to the current certificate on this site.
CMK-1535
Change-Id: Ia04d6cd98206b7866c7f0fd6365b9769f1ea88cd
---
cmk/gui/wato/pages/sites.py | 293 ++++++++++++++++++++-
cmk/gui/watolib/config_domains.py | 3 +
livestatus/api/python/livestatus.py | 92 ++++---
web/htdocs/images/icon_encrypted.png | Bin 0 -> 3170 bytes
web/htdocs/images/icon_trust.png | Bin 0 -> 5167 bytes
.../themes/facelift/images/icon_encrypted.png | Bin 0 -> 1419 bytes
web/htdocs/themes/facelift/images/icon_trust.png | Bin 0 -> 831 bytes
7 files changed, 344 insertions(+), 44 deletions(-)
Diff: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=a9a20c0d5f…