Pandora: QuickGuides EN: Secure communication with tentacle

From Pandora FMS Wiki
Jump to: navigation, search

1 Configure Tentacle to include security options

How to configure both agents and Tentacle server for secure communication, using a Tentacle proxy.

First, we recommend carrying out manual tests from the terminals to to ensure that the configuration, parameters and certificates are correct.

1.1 Manual testing

1. Manually boot the tentacle_server:

sudo -u user tentacle_server -x password -e tentaclecert.pem -k tentaclekey.pem -f cacert.pem -s /tmp -v

2. Manually boot the proxy (only follow this step if you are using a Tentacle proxy): sudo -u user tentacle_server -b ip_server -g 41124

3. Manually launch tentacle_client:

sudo -u user tentacle_client -a ip_proxy/ip_server -x password -e tentaclecert.pem -k tentaclekey.pem -v /bin/ls (or any file)

Template warning.png

ALWAYS indicate in the parameters the absolute paths where the certificates are, for example,/home/tentaclecert.pem


Once you've checked that the file send has been successful, you can permanently configure the tentacle_server and the clients.

To configure the tentacle_server to include certification options, edit the service start-up script tentacle_serverd, usually found in /etc/init.d/tentacle_serverd, as you would when configuring an intermediate point to function as a proxy.

To configure agents to use Tentacle's secure communications, edit the configuration files pandora_agent.conf, usually found in /etc/pandora/pandora_agent.conf.

1.2 Permanent configuration

Template warning.png

To use tentacle secure improvements, please, verify package perl(IO::Socket::SSL) is available in your system.


1. Launch the Tentacle server with SSL. Modify the launch script /etc/init.d/tentacle_serverd. Find the TENTACLE_EXT_OPTS line and add "-x password -e tentaclecert.pem -k tentaclekey.pem -f cacert.pem". To get:

 TENTACLE_EXT_OPTS="-i.*\.conf:conf;.*\.md5:md5;.*\.zip:collections -x password -e /home/tentaclecert.pem -k /home/tentaclekey.pem -f /home/cacert.pem"

2. Boot up the Tentacle proxy. Modify the launch script /etc/init.d/tentacle_serverd of the machine you're going to use as a proxy. As in the previous step, find the TENTACLE_EXT_OPTS line and add

"-b ip_server -g 41121", to get  TENTACLE_EXT_OPTS="-i.*\.conf:conf;.*\.md5:md5;.*\.zip:collections -b -g 41121"

3. Start the Pandora agent with the corresponding options. Modify the pandora_agent.conf file, find the server_opts line and add "-x password -e /home/tentaclecert.pem -k /home/tentaclekey.pem". Remember: the server_ip token must be configured to connect to the proxy, not the main server if it's going to be used. It should end up like this:

server_opts -x password -e /home/tentaclecert.pem -k /home/tentaclekey.pem


If you don't want to use any of these options, the password, for example, omit the corresponding parameter.