Zabbix's psk encryption combined with zabbix_get value

Since Zabbix version 3.0, it has supported encrypted communication between Zabbix server, Zabbix proxy, Zabbix agent, zabbix_sender and zabbix_get. The encryption methods include pre-shared key (PSK) and certificate encryption. Encryption configuration is optional. Some proxies and agents can use certificate authentication to encrypt communication, others can use PSK encryption, and the rest can communicate without encryption. It should be noted that if you want to use encrypted communication, you must add the –with-openssl parameter when compiling.

1. Generate and add PSK shared key

Use the command openssl rand -hex 32 to generate a string of keys. The configuration steps are as follows:

[root@zabbix scripts]# openssl rand -hex 32
ef52cbe2d1a35e6bb3c43b22bd4f1a1d7bf24d1ccb7c47f6a602425970da5432
# Write the generated key to the file vim /data/zabbix/etc/psk/zabbix.psk
vim /data/zabbix/etc/zabbix_agentd.conf
#Add TLSConnect=psk
TLSAccept=psk
TLSPSKFile=/data/zabbix/etc/psk/zabbix.psk
TLSPSKIdentity=PSK ID 
#Restart the zabbix_agent process after the configuration is completed

2. Add in Zabbix Web GUI

3. Test Command

zabbix_get -s 127.0.0.1 -k "system.cpu.load[all,avg1]" --tls-connect=psk --tls-psk-identity="PSK ID" --tls-psk-file=/data/zabbix/etc/psk/zabbix.psk
[[email protected] ~]$/data/zabbix/bin/zabbix_get -s 10.81.47.129 -p 9528 -k "tps" --tls-connect psk --tls-psk-identity="LianYu" --tls-psk-file /data/zabbix/etc/psk/zabbix.psk 
452.05

4..zabbix_get usage

# This command can only be used on the zabbix server: zabbix_get -s host-name-or-IP [ -p port-number ] [ -I IP-address ] -k item-key 
    zabbix_get -s host-name-or-IP [ -p port-number ] [ -I IP -address ] --tls-connect cert --tls-ca-file CA-file [ --tls-crl-file CRL-file ] [ --tls-agent-cert-issuer cert-issuer ] [ --tls-agent-cert-subject cert-subject ] --tls-cert-file cert-file --tls-key-file key-file -k item-key 
    zabbix_get -s host-name-or-IP [ -p port-number ] [ -I IP-address ] --tls-connect psk --tls-psk-identity PSK-identity --tls-psk-file PSK-file -k item-key 
    zabbix_get -h 
    zabbix_get -V 
 
  OPTIONS

    -s, --host host-name-or-IP
      Specifies the host name or IP address of the host.
    -p, --port port-number
      Specifies the port number of the agent running on the host. The default value is 10050.
    -I, --source-address IP-address
      Specifies the source IP address.
    -k, --key item-key Specifies the key of the item whose value you want to retrieve.
    --tls-connect value how to connect to the proxy. Values:
          Encryption method No encrypted connection (default)

          PSK
          Connect using TLS and pre-shared keyscert
          Connect using TLS and certificates --tls-ca-file CA-file The full pathname of a file containing the certificates of the top-level CA(s) to use for peer certificate verification.
    --tls-crl-file CRL file Full pathname of a file containing revoked certificates.
    --tls-agent-cert-issuer Issuer certificate Allowed agent certificate issuers.
    --tls-agent-cert-subject cert-subject
    Allowed proxy certificate subjects.
    --tls-cert-file cert-file Full pathname of a file containing a certificate or certificate chain.
    --tls-key-file keyfile The full pathname of the file containing the private key.
    --tls-psk-identity PSK-identity
    PSK identity string.
    --tls-psk-file PSK file Full pathname of a file containing the pre-shared keys.
    -h, --help
    Display this help and exit.
    -V, --version
    Print version information and exit.

Example:

1 zabbix_get -s 127.0.0.1 -p 10050 -k "system.cpu.load [all,avg1]" 
2 zabbix_get -s 127.0.0.1 -p 10050 -k "system.cpu.load[all,avg1]" --tls-connect cert --tls-ca-file /home/zabbix/zabbix_ca_file --tls-agent-cert-issuer "CN=Signing CA,OU=IT Operations,O=Example Corp,DC=example,DC=com" --tls-agent-cert-subject "CN=server1,OU=IT operations,O=Example Corp,DC=example,DC=com" --tls-cert-file /home/zabbix/zabbix_get.crt --tls-key-file /home/zabbix/zabbix_get.key 
3 zabbix_get -s 127.0.0.1 -p 10050 -k "system.cpu.load [all,avg1]" --tls-connect psk --tls-psk-identity "PSK ID Zabbix agentd" --tls-psk-file /home/zabbix/zabbix_agentd.psk

Summarize

The above is the editor's introduction to Zabbix's psk encryption combined with zabbix_get value. I hope it will be helpful to everyone. If you have any questions, please leave me a message and I will reply to you in time!

You may also be interested in: