Áú»¢¶Ä²©

Documentation

This is the documentation page for an unsupported version of Áú»¢¶Ä²©.
Is this not what you were looking for? Switch to the current version or choose one from the drop-down menu.
1 Manual structure
2 What is Áú»¢¶Ä²©
3 Áú»¢¶Ä²© features
4 Áú»¢¶Ä²© overview
5 What's new in Áú»¢¶Ä²© 6.2.0
6 What's new in Áú»¢¶Ä²© 6.2.1
7 What's new in Áú»¢¶Ä²© 6.2.2
8 What's new in Áú»¢¶Ä²© 6.2.3
9 What's new in Áú»¢¶Ä²© 6.2.4
10 What's new in Áú»¢¶Ä²© 6.2.5
11 What's new in Áú»¢¶Ä²© 6.2.6
12 What's new in Áú»¢¶Ä²© 6.2.7
13 What's new in Áú»¢¶Ä²© 6.2.8
14 What's new in Áú»¢¶Ä²© 6.2.9
2. Definitions
1 High availability
2 Agent
3 Agent 2
4 Proxy
1 Setup from sources
2 Setup from RHEL/CentOS packages
3 Setup from Debian/Ubuntu packages
6 Sender
7 Get
8 JS
9 Web service
1 Getting Áú»¢¶Ä²©
1 PostgreSQL plugin dependencies
2 MongoDB plugin dependencies
Best practices for secure Áú»¢¶Ä²© setup
Building Áú»¢¶Ä²© agent 2 on Windows
Building Áú»¢¶Ä²© agent on macOS
Building Áú»¢¶Ä²© agent on Windows
1 Red Hat Enterprise Linux/CentOS
2 Debian/Ubuntu/Raspbian
3 SUSE Linux Enterprise Server
4 Windows agent installation from MSI
5 Mac OS agent installation from PKG
6 Unstable releases
5 Installation from containers
6 Web interface installation
1 Red Hat Enterprise Linux/CentOS
2 Debian/Ubuntu
Upgrade from sources
8 Known issues
9 Template changes
10 Upgrade notes for 6.2.0
11 Upgrade notes for 6.2.1
12 Upgrade notes for 6.2.2
13 Upgrade notes for 6.2.3
14 Upgrade notes for 6.2.4
15 Upgrade notes for 6.2.5
16 Upgrade notes for 6.2.6
17 Upgrade notes for 6.2.7
18 Upgrade notes for 6.2.8
19 Upgrade notes for 6.2.9
1 Login and configuring user
2 New host
3 New item
4 New trigger
5 Receiving problem notification
6 New template
6. Áú»¢¶Ä²© appliance
1 Configuring a host
2 Inventory
3 Mass update
1 Item key format
2 Custom intervals
1 Usage examples
2 Preprocessing details
Escaping special characters from LLD macro values in JSONPath
Additional JavaScript objects
5 CSV to JSON preprocessing
Windows Áú»¢¶Ä²© agent
Áú»¢¶Ä²© agent 2
1 Dynamic indexes
2 Special OIDs
3 MIB files
3 SNMP traps
4 IPMI checks
VMware monitoring item keys
6 Log file monitoring
Aggregate calculations
8 Internal checks
9 SSH checks
10 Telnet checks
11 External checks
12 Trapper items
13 JMX monitoring
1 Recommended UnixODBC settings for MySQL
2 Recommended UnixODBC settings for PostgreSQL
3 Recommended UnixODBC settings for Oracle
4 Recommended UnixODBC settings for MSSQL
15 Dependent items
16 HTTP agent
17 Prometheus checks
18 Script items
4 History and trends
1 Extending Áú»¢¶Ä²© agents
6 Loadable modules
7 Windows performance counters
8 Mass update
9 Value mapping
10 Queue
11 Value cache
12 Execute now
13 Restricting agent checks
1 Building loadable plugins
1 Configuring a trigger
2 Trigger expression
3 Trigger dependencies
4 Trigger severity
5 Customizing trigger severities
6 Mass update
7 Predictive trigger functions
1 Trigger event generation
2 Other event sources
3 Manual closing of problems
1 Trigger-based event correlation
2 Global event correlation
6 Tagging
1 Simple graphs
2 Custom graphs
3 Ad-hoc graphs
4 Aggregation in graphs
1 Configuring a network map
2 Host group elements
3 Link indicators
3 Dashboards
4 Host dashboards
1 Configuring a template
2 Linking/unlinking
3 Nesting
4 Mass update
HTTP template operation
IPMI template operation
JMX template operation
ODBC template operation
Standardized templates for network devices
Áú»¢¶Ä²© agent 2 template operation
Áú»¢¶Ä²© agent template operation
1 E-mail
2 SMS
3 Custom alertscripts
Webhook script examples
1 Conditions
1 Sending message
2 Remote commands
3 Additional operations
4 Using macros in messages
3 Recovery operations
4 Update operations
5 Escalations
3 Receiving notification on unsupported items
1 Macro functions
2 User macros
3 User macros with context
4 Secret user macros
5 Low-level discovery macros
6 Expression macros
1 Configuring a user
2 Permissions
3 User groups
CyberArk configuration
HashiCorp configuration
14 Scheduled reports
1 Service tree
2 Service actions
3 SLA
4 Setup example
1 Web monitoring items
2 Real-life scenario
VMware monitoring item keys
Virtual machine discovery key fields
JSON examples for VMware items
11. Maintenance
12. Regular expressions
1. Problem suppression
1 Template groups
2 Host groups
3 Templates
4 Hosts
5 Network maps
6 Media types
1 Configuring a network discovery rule
2 Active agent autoregistration
1 Item prototypes
2 Trigger prototypes
3 Graph prototypes
4 Host prototypes
5 Notes on low-level discovery
1 Discovery of mounted filesystems
2 Discovery of network interfaces
3 Discovery of CPUs and CPU cores
4 Discovery of SNMP OIDs
5 Discovery of JMX objects
6 Discovery of IPMI sensors
7 Discovery of systemd services
8 Discovery of Windows services
9 Discovery of Windows performance counter instances
10 Discovery using WMI queries
11 Discovery using ODBC SQL queries
12 Discovery using Prometheus data
13 Discovery of block devices
14 Discovery of host interfaces in Áú»¢¶Ä²©
1 Proxies
1 Using certificates
2 Using pre-shared keys
1 Connection type or permission problems
2 Certificate problems
3 PSK problems
1 Menu
1 Action log
2 Clock
3 Data overview
4 Discovery status
5 Favorite graphs
6 Favorite maps
7 Geomap
8 Graph
9 Graph (classic)
10 Graph prototype
11 Host availability
12 Item value
13 Map
14 Map navigation tree
15 Plain text
16 Problem hosts
17 Problems
18 Problems by severity
19 SLA report
20 System information
21 Top hosts
22 Trigger overview
23 URL
24 Web monitoring
2 Problems
1 Graphs
2 Web scenarios
4 Latest data
5 Maps
6 Discovery
1 Services
2 Service actions
3 SLA
4 SLA report
1 Overview
2 Hosts
1 System information
2 Scheduled reports
3 Availability report
4 Triggers top 100
5 Audit
6 Action log
7 Notifications
1 Template groups
2 Host groups
1 Items
2 Triggers
3 Graphs
1 Item prototypes
2 Trigger prototypes
3 Graph prototypes
4 Host prototypes
5 Web scenarios
1 Items
2 Triggers
3 Graphs
1 Item prototypes
2 Trigger prototypes
3 Graph prototypes
4 Host prototypes
5 Web scenarios
5 Maintenance
6 Actions
7 Event correlation
8 Discovery
1 General
2 Proxies
3 Authentication
4 User groups
5 User roles
6 Users
7 Media types
8 Scripts
9 Queue
1 Global notifications
2 Sound in browsers
4 Global search
5 Frontend maintenance mode
6 Page parameters
7 Definitions
8 Creating your own theme
9 Debug mode
10 Cookies used by Áú»¢¶Ä²©
11 Time zones
> Action object
action.create
action.delete
action.get
action.update
> Alert object
alert.get
apiinfo.version
> Audit log object
auditlog.get
> Authentication object
authentication.get
authentication.update
> Autoregistration object
autoregistration.get
autoregistration.update
configuration.export
configuration.import
configuration.importcompare
> Correlation object
correlation.create
correlation.delete
correlation.get
correlation.update
> Dashboard object
1 Action log
2 Clock
3 Data overview
4 Discovery status
5 Favorite graphs
6 Favorite maps
7 Geomap
8 Graph
9 Graph (classic)
10 Graph prototype
11 Host availability
12 Item value
13 Map
14 Map navigation tree
15 Plain text
16 Problem hosts
17 Problems
18 Problems by severity
19 SLA report
20 System information
21 Top hosts
22 Trigger overview
23 URL
24 Web monitoring
dashboard.create
dashboard.delete
dashboard.get
dashboard.update
> Discovered host object
dhost.get
> Discovered service object
dservice.get
> Discovery check object
dcheck.get
> Discovery rule object
drule.create
drule.delete
drule.get
drule.update
> Event object
event.acknowledge
event.get
> Graph object
graph.create
graph.delete
graph.get
graph.update
> Graph item object
graphitem.get
> Graph prototype object
graphprototype.create
graphprototype.delete
graphprototype.get
graphprototype.update
> High availability node object
hanode.get
> History object
history.clear
history.get
> Host object
host.create
host.delete
host.get
host.massadd
host.massremove
host.massupdate
host.update
> Host group object
hostgroup.create
hostgroup.delete
hostgroup.get
hostgroup.massadd
hostgroup.massremove
hostgroup.massupdate
hostgroup.propagate
hostgroup.update
> Host interface object
hostinterface.create
hostinterface.delete
hostinterface.get
hostinterface.massadd
hostinterface.massremove
hostinterface.replacehostinterfaces
hostinterface.update
> Host prototype object
hostprototype.create
hostprototype.delete
hostprototype.get
hostprototype.update
> Housekeeping object
housekeeping.get
housekeeping.update
> Icon map object
iconmap.create
iconmap.delete
iconmap.get
iconmap.update
> Image object
image.create
image.delete
image.get
image.update
> Item object
item.create
item.delete
item.get
item.update
> Item prototype object
itemprototype.create
itemprototype.delete
itemprototype.get
itemprototype.update
> LLD rule object
discoveryrule.copy
discoveryrule.create
discoveryrule.delete
discoveryrule.get
discoveryrule.update
> Maintenance object
maintenance.create
maintenance.delete
maintenance.get
maintenance.update
> Map object
map.create
map.delete
map.get
map.update
> Media type object
mediatype.create
mediatype.delete
mediatype.get
mediatype.update
> Problem object
problem.get
> Proxy object
proxy.create
proxy.delete
proxy.get
proxy.update
> Regular expression object
regexp.create
regexp.delete
regexp.get
regexp.update
> Report object
report.create
report.delete
report.get
report.update
> Role object
role.create
role.delete
role.get
role.update
> Script object
script.create
script.delete
script.execute
script.get
script.getscriptsbyhosts
script.update
> Service object
service.create
service.delete
service.get
service.update
> Settings object
settings.get
settings.update
> SLA object
sla.create
sla.delete
sla.get
sla.getsli
sla.update
> Task object
task.create
task.get
> Template object
template.create
template.delete
template.get
template.massadd
template.massremove
template.massupdate
template.update
> Template dashboard object
templatedashboard.create
templatedashboard.delete
templatedashboard.get
templatedashboard.update
> Template group object
templategroup.create
templategroup.delete
templategroup.get
templategroup.massadd
templategroup.massremove
templategroup.massupdate
templategroup.propagate
templategroup.update
> Token object
token.create
token.delete
token.generate
token.get
token.update
> Trend object
trend.get
> Trigger object
trigger.create
trigger.delete
trigger.get
trigger.update
> Trigger prototype object
triggerprototype.create
triggerprototype.delete
triggerprototype.get
triggerprototype.update
> User object
user.checkAuthentication
user.create
user.delete
user.get
user.login
user.logout
user.unblock
user.update
> User directory object
userdirectory.create
userdirectory.delete
userdirectory.get
userdirectory.test
userdirectory.update
> User group object
usergroup.create
usergroup.delete
usergroup.get
usergroup.update
> User macro object
usermacro.create
usermacro.createglobal
usermacro.delete
usermacro.deleteglobal
usermacro.get
usermacro.update
usermacro.updateglobal
> Value map object
valuemap.create
valuemap.delete
valuemap.get
valuemap.update
> Web scenario object
httptest.create
httptest.delete
httptest.get
httptest.update
Appendix 1. Reference commentary
Appendix 2. Changes from 6.0 to 6.2
Áú»¢¶Ä²© API changes in 6.2
20. Modules
1 Frequently asked questions / Troubleshooting
1 Database creation
2 Repairing Áú»¢¶Ä²© database character set and collation
3 Database upgrade to primary keys
1 MySQL encryption configuration
2 PostgreSQL encryption configuration
5 TimescaleDB setup
6 Elasticsearch setup
7 Real-time export of events, item values, trends
8 Distribution-specific notes on setting up Nginx for Áú»¢¶Ä²©
9 Running agent as root
10 Áú»¢¶Ä²© agent on Microsoft Windows
11 SAML setup with Okta
12 Oracle database setup
13 Setting up scheduled reports
14 Additional frontend languages
1 Áú»¢¶Ä²© server
2 Áú»¢¶Ä²© proxy
3 Áú»¢¶Ä²© agent (UNIX)
4 Áú»¢¶Ä²© agent 2 (UNIX)
5 Áú»¢¶Ä²© agent (Windows)
6 Áú»¢¶Ä²© agent 2 (Windows)
1 Ceph plugin
2 Docker plugin
3 Memcached plugin
4 Modbus plugin
5 MongoDB plugin
6 MQTT plugin
7 MySQL plugin
8 Oracle plugin
10 Redis plugin
11 Smart plugin
8 Áú»¢¶Ä²© Java gateway
9 Áú»¢¶Ä²© web service
10 Inclusion
1 Server-proxy data exchange protocol
2 Áú»¢¶Ä²© agent protocol
3 Áú»¢¶Ä²© agent 2 protocol
4 Áú»¢¶Ä²© agent 2 plugin protocol
5 Áú»¢¶Ä²© sender protocol
6 Header
7 Real-time export protocol
1 vm.memory.size parameters
2 Passive and active agent checks
3 Trapper items
4 Minimum permission level for Windows agent items
5 Encoding of returned values
6 Large file support
7 Sensor
8 Notes on memtype parameter in proc.mem items
9 Notes on selecting processes in proc.mem and proc.num items
10 Implementation details of net.tcp.service and net.udp.service checks
11 proc.get parameters
12 Unreachable/unavailable host interface settings
13 Remote monitoring of Áú»¢¶Ä²© stats
14 Configuring Kerberos with Áú»¢¶Ä²©
15 modbus.get parameters
16 Creating custom performance counter names for VMware
1 Foreach functions
2 Bitwise functions
3 Date and time functions
4 History functions
5 Trend functions
6 Mathematical functions
7 Operator functions
8 Prediction functions
9 String functions
1 Supported macros
2 User macros supported by location
8 Unit symbols
9 Time period syntax
10 Command execution
11 Version compatibility
12 Database error handling
13 Áú»¢¶Ä²© sender dynamic link library for Windows
14 Service monitoring upgrade
15 Other issues
16 Agent vs agent 2 comparison
zabbix_agent2
zabbix_agentd
zabbix_get
zabbix_js
zabbix_proxy
zabbix_sender
zabbix_server
zabbix_web_service

1 Using certificates

Overview

Áú»¢¶Ä²© can use RSA certificates in PEM format, signed by a public or in-house certificate authority (CA). Certificate verification is done against a pre-configured CA certificate. Optionally certificate revocation lists (CRL) can be used. Each Áú»¢¶Ä²© component can have only one certificate configured.

For more information how to set up and operate internal CA, how to generate certificate requests and sign them, how to revoke certificates you can find numerous online how-tos, for example, .

Carefully consider and test your certificate extensions - see Limitations on using X.509 v3 certificate extensions.

Certificate configuration parameters

Parameter Mandatory Description
TLSCAFile yes Full pathname of a file containing the top-level CA(s) certificates for peer certificate verification.
In case of certificate chain with several members they must be ordered: lower level CA certificates first followed by certificates of higher level CA(s).
Certificates from multiple CA(s) can be included in a single file.
TLSCRLFile no Full pathname of a file containing Certificate Revocation Lists. See notes in Certificate Revocation Lists (CRL).
TLSCertFile yes Full pathname of a file containing certificate (certificate chain).
In case of certificate chain with several members they must be ordered: server, proxy, or agent certificate first, followed by lower level CA certificates then certificates of higher level CA(s).
TLSKeyFile yes Full pathname of a file containing private key. Set access rights to this file - it must be readable only by Áú»¢¶Ä²© user.
TLSServerCertIssuer no Allowed server certificate issuer.
TLSServerCertSubject no Allowed server certificate subject.

Configuring certificate on Áú»¢¶Ä²© server

1. In order to verify peer certificates, Áú»¢¶Ä²© server must have access to file with their top-level self-signed root CA certificates. For example, if we expect certificates from two independent root CAs, we can put their certificates into file /home/zabbix/zabbix_ca_file like this:

Certificate:
           Data:
               Version: 3 (0x2)
               Serial Number: 1 (0x1)
           Signature Algorithm: sha1WithRSAEncryption
               Issuer: DC=com, DC=zabbix, O=Áú»¢¶Ä²© SIA, OU=Development group, CN=Root1 CA
                   ...
               Subject: DC=com, DC=zabbix, O=Áú»¢¶Ä²© SIA, OU=Development group, CN=Root1 CA
               Subject Public Key Info:
                   Public Key Algorithm: rsaEncryption
                       Public-Key: (2048 bit)
                   ...
               X509v3 extensions:
                   X509v3 Key Usage: critical
                       Certificate Sign, CRL Sign
                   X509v3 Basic Constraints: critical
                       CA:TRUE
                   ...
       -----BEGIN CERTIFICATE-----
       MIID2jCCAsKgAwIBAgIBATANBgkqhkiG9w0BAQUFADB+MRMwEQYKCZImiZPyLGQB
       ....
       9wEzdN8uTrqoyU78gi12npLj08LegRKjb5hFTVmO
       -----END CERTIFICATE-----
       Certificate:
           Data:
               Version: 3 (0x2)
               Serial Number: 1 (0x1)
           Signature Algorithm: sha1WithRSAEncryption
               Issuer: DC=com, DC=zabbix, O=Áú»¢¶Ä²© SIA, OU=Development group, CN=Root2 CA
                   ...
               Subject: DC=com, DC=zabbix, O=Áú»¢¶Ä²© SIA, OU=Development group, CN=Root2 CA
               Subject Public Key Info:
                   Public Key Algorithm: rsaEncryption
                       Public-Key: (2048 bit)
                   ....
               X509v3 extensions:
                   X509v3 Key Usage: critical
                       Certificate Sign, CRL Sign
                   X509v3 Basic Constraints: critical
                       CA:TRUE
                   ....       
       -----BEGIN CERTIFICATE-----
       MIID3DCCAsSgAwIBAgIBATANBgkqhkiG9w0BAQUFADB/MRMwEQYKCZImiZPyLGQB
       ...
       vdGNYoSfvu41GQAR5Vj5FnRJRzv5XQOZ3B6894GY1zY=
       -----END CERTIFICATE-----

2. Put Áú»¢¶Ä²© server certificate chain into file, for example, /home/zabbix/zabbix_server.crt:

Certificate:
           Data:
               Version: 3 (0x2)
               Serial Number: 1 (0x1)
           Signature Algorithm: sha1WithRSAEncryption
               Issuer: DC=com, DC=zabbix, O=Áú»¢¶Ä²© SIA, OU=Development group, CN=Signing CA
               ...
               Subject: DC=com, DC=zabbix, O=Áú»¢¶Ä²© SIA, OU=Development group, CN=Áú»¢¶Ä²© server
               Subject Public Key Info:
                   Public Key Algorithm: rsaEncryption
                       Public-Key: (2048 bit)
                       ...
               X509v3 extensions:
                   X509v3 Key Usage: critical
                       Digital Signature, Key Encipherment
                   X509v3 Basic Constraints: 
                       CA:FALSE
                   ...
       -----BEGIN CERTIFICATE-----
       MIIECDCCAvCgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBgTETMBEGCgmSJomT8ixk
       ...
       h02u1GHiy46GI+xfR3LsPwFKlkTaaLaL/6aaoQ==
       -----END CERTIFICATE-----
       Certificate:
           Data:
               Version: 3 (0x2)
               Serial Number: 2 (0x2)
           Signature Algorithm: sha1WithRSAEncryption
               Issuer: DC=com, DC=zabbix, O=Áú»¢¶Ä²© SIA, OU=Development group, CN=Root1 CA
               ...
               Subject: DC=com, DC=zabbix, O=Áú»¢¶Ä²© SIA, OU=Development group, CN=Signing CA
               Subject Public Key Info:
                   Public Key Algorithm: rsaEncryption
                       Public-Key: (2048 bit)
                   ...
               X509v3 extensions:
                   X509v3 Key Usage: critical
                       Certificate Sign, CRL Sign
                   X509v3 Basic Constraints: critical
                       CA:TRUE, pathlen:0
               ...
       -----BEGIN CERTIFICATE-----
       MIID4TCCAsmgAwIBAgIBAjANBgkqhkiG9w0BAQUFADB+MRMwEQYKCZImiZPyLGQB
       ...
       dyCeWnvL7u5sd6ffo8iRny0QzbHKmQt/wUtcVIvWXdMIFJM0Hw==
       -----END CERTIFICATE-----

Here the first is Áú»¢¶Ä²© server certificate, followed by intermediate CA certificate.

Use of any attributes except of the ones mentioned above is discouraged for both client and server certificates, because it may affect certificate verification process. For example, OpenSSL might fail to establish encrypted connection if X509v3 Extended Key Usage or Netscape Cert Type are set. See also: Limitations on using X.509 v3 certificate extensions.

3. Put Áú»¢¶Ä²© server private key into file, for example, /home/zabbix/zabbix_server.key:

-----BEGIN PRIVATE KEY-----
       MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQC9tIXIJoVnNXDl
       ...
       IJLkhbybBYEf47MLhffWa7XvZTY=
       -----END PRIVATE KEY-----

4. Edit TLS parameters in Áú»¢¶Ä²© server configuration file like this:

TLSCAFile=/home/zabbix/zabbix_ca_file
       TLSCertFile=/home/zabbix/zabbix_server.crt
       TLSKeyFile=/home/zabbix/zabbix_server.key

Configuring certificate-based encryption for Áú»¢¶Ä²© proxy

1. Prepare files with top-level CA certificates, proxy certificate (chain) and private key as described in Configuring certificate on Áú»¢¶Ä²© server. Edit parameters TLSCAFile, TLSCertFile, TLSKeyFile in proxy configuration accordingly.

2. For active proxy edit TLSConnect parameter:

TLSConnect=cert

For passive proxy edit TLSAccept parameter:

TLSAccept=cert

3. Now you have a minimal certificate-based proxy configuration. You may prefer to improve proxy security by setting TLSServerCertIssuer and TLSServerCertSubject parameters (see Restricting allowed certificate Issuer and Subject).

4. In final proxy configuration file TLS parameters may look like:

TLSConnect=cert
       TLSAccept=cert
       TLSCAFile=/home/zabbix/zabbix_ca_file
       TLSServerCertIssuer=CN=Signing CA,OU=Development group,O=Áú»¢¶Ä²© SIA,DC=zabbix,DC=com
       TLSServerCertSubject=CN=Áú»¢¶Ä²© server,OU=Development group,O=Áú»¢¶Ä²© SIA,DC=zabbix,DC=com
       TLSCertFile=/home/zabbix/zabbix_proxy.crt
       TLSKeyFile=/home/zabbix/zabbix_proxy.key

5. Configure encryption for this proxy in Áú»¢¶Ä²© frontend:

  • Go to: Administration → Proxies
  • Select proxy and click on Encryption tab

In examples below Issuer and Subject fields are filled in - see Restricting allowed certificate Issuer and Subject why and how to use these fields.

For active proxy

proxy_active_cert.png

For passive proxy

proxy_passive_cert.png

Configuring certificate-based encryption for Áú»¢¶Ä²© agent

1. Prepare files with top-level CA certificates, agent certificate (chain) and private key as described in Configuring certificate on Áú»¢¶Ä²© server. Edit parameters TLSCAFile, TLSCertFile, TLSKeyFile in agent configuration accordingly.

2. For active checks edit TLSConnect parameter:

TLSConnect=cert

For passive checks edit TLSAccept parameter:

TLSAccept=cert

3. Now you have a minimal certificate-based agent configuration. You may prefer to improve agent security by setting TLSServerCertIssuer and TLSServerCertSubject parameters. (see Restricting allowed certificate Issuer and Subject).

4. In final agent configuration file TLS parameters may look like:

TLSConnect=cert
       TLSAccept=cert
       TLSCAFile=/home/zabbix/zabbix_ca_file
       TLSServerCertIssuer=CN=Signing CA,OU=Development group,O=Áú»¢¶Ä²© SIA,DC=zabbix,DC=com
       TLSServerCertSubject=CN=Áú»¢¶Ä²© proxy,OU=Development group,O=Áú»¢¶Ä²© SIA,DC=zabbix,DC=com
       TLSCertFile=/home/zabbix/zabbix_agentd.crt
       TLSKeyFile=/home/zabbix/zabbix_agentd.key

(Example assumes that host is monitored via proxy, hence proxy certificate Subject.)

5. Configure encryption for this agent in Áú»¢¶Ä²© frontend:

  • Go to: Configuration → Hosts
  • Select host and click on Encryption tab

In example below Issuer and Subject fields are filled in - see Restricting allowed certificate Issuer and Subject why and how to use these fields.

agent_config.png

Restricting allowed certificate Issuer and Subject

When two Áú»¢¶Ä²© components (e.g. server and agent) establish a TLS connection they both check each others certificates. If a peer certificate is signed by a trusted CA (with pre-configured top-level certificate in TLSCAFile), is valid, has not expired and passes some other checks then communication can proceed. Certificate issuer and subject are not checked in this simplest case.

Here is a risk - anybody with a valid certificate can impersonate anybody else (e.g. a host certificate can be used to impersonate server). This may be acceptable in small environments where certificates are signed by a dedicated in-house CA and risk of impersonating is low.

If your top-level CA is used for issuing other certificates which should not be accepted by Áú»¢¶Ä²© or you want to reduce risk of impersonating you can restrict allowed certificates by specifying their Issuer and Subject strings.

For example, you can write in Áú»¢¶Ä²© proxy configuration file:

TLSServerCertIssuer=CN=Signing CA,OU=Development group,O=Áú»¢¶Ä²© SIA,DC=zabbix,DC=com
       TLSServerCertSubject=CN=Áú»¢¶Ä²© server,OU=Development group,O=Áú»¢¶Ä²© SIA,DC=zabbix,DC=com

With these settings, an active proxy will not talk to Áú»¢¶Ä²© server with different Issuer or Subject string in certificate, a passive proxy will not accept requests from such server.

A few notes about Issuer or Subject string matching:

  1. Issuer and Subject strings are checked independently. Both are optional.
  2. UTF-8 characters are allowed.
  3. Unspecified string means any string is accepted.
  4. Strings are compared "as-is", they must be exactly the same to match.
  5. Wildcards and regexp's are not supported in matching.
  6. Only some requirements from are implemented:
    1. escape characters '"' (U+0022), '+' U+002B, ',' U+002C, ';' U+003B, '<' U+003C, '>' U+003E, '\' U+005C anywhere in string.
    2. escape characters space (' ' U+0020) or number sign ('#' U+0023) at the beginning of string.
    3. escape character space (' ' U+0020) at the end of string.
  7. Match fails if a null character (U+0000) is encountered ( allows it).
  8. Requirements of and are not supported due to amount of work required.

Order of fields in Issuer and Subject strings and formatting are important! Áú»¢¶Ä²© follows recommendation and uses "reverse" order of fields.

The reverse order can be illustrated by example:

TLSServerCertIssuer=CN=Signing CA,OU=Development group,O=Áú»¢¶Ä²© SIA,DC=zabbix,DC=com
       TLSServerCertSubject=CN=Áú»¢¶Ä²© proxy,OU=Development group,O=Áú»¢¶Ä²© SIA,DC=zabbix,DC=com

Note that it starts with low level (CN), proceeds to mid-level (OU, O) and ends with top-level (DC) fields.

OpenSSL by default shows certificate Issuer and Subject fields in "normal" order, depending on additional options used:

$ openssl x509 -noout -in /home/zabbix/zabbix_proxy.crt -issuer -subject
       issuer= /DC=com/DC=zabbix/O=Áú»¢¶Ä²© SIA/OU=Development group/CN=Signing CA
       subject= /DC=com/DC=zabbix/O=Áú»¢¶Ä²© SIA/OU=Development group/CN=Áú»¢¶Ä²© proxy
       
       $ openssl x509 -noout -text -in /home/zabbix/zabbix_proxy.crt
       Certificate:
               ...
               Issuer: DC=com, DC=zabbix, O=Áú»¢¶Ä²© SIA, OU=Development group, CN=Signing CA
           ...
               Subject: DC=com, DC=zabbix, O=Áú»¢¶Ä²© SIA, OU=Development group, CN=Áú»¢¶Ä²© proxy

Here Issuer and Subject strings start with top-level (DC) and end with low-level (CN) field, spaces and field separators depend on options used. None of these values will match in Áú»¢¶Ä²© Issuer and Subject fields!

To get proper Issuer and Subject strings usable in Áú»¢¶Ä²© invoke OpenSSL with special options
-nameopt esc_2253,esc_ctrl,utf8,dump_nostr,dump_unknown,dump_der,sep_comma_plus,dn_rev,sname:

$ openssl x509 -noout -issuer -subject \
               -nameopt esc_2253,esc_ctrl,utf8,dump_nostr,dump_unknown,dump_der,sep_comma_plus,dn_rev,sname \
               -in /home/zabbix/zabbix_proxy.crt
       issuer= CN=Signing CA,OU=Development group,O=Áú»¢¶Ä²© SIA,DC=zabbix,DC=com
       subject= CN=Áú»¢¶Ä²© proxy,OU=Development group,O=Áú»¢¶Ä²© SIA,DC=zabbix,DC=com

Now string fields are in reverse order, fields are comma-separated, can be used in Áú»¢¶Ä²© configuration files and frontend.

Limitations on using X.509 v3 certificate extensions

  • Subject Alternative Name (subjectAltName) extension.
    Alternative subject names from subjectAltName extension (like IP address, e-mail address) are not supported by Áú»¢¶Ä²©. Only value of "Subject" field can be checked in Áú»¢¶Ä²© (see Restricting allowed certificate Issuer and Subject).
    If certificate uses the subjectAltName extension then result depends on particular combination of crypto toolkits Áú»¢¶Ä²© components are compiled with (it may or may not work, Áú»¢¶Ä²© may refuse to accept such certificates from peers).
  • Extended Key Usage extension.
    If used then generally both clientAuth (TLS WWW client authentication) and serverAuth (TLS WWW server authentication) are necessary.
    For example, in passive checks Áú»¢¶Ä²© agent acts in a TLS server role, so serverAuth must be set in agent certificate. For active checks agent certificate needs clientAuth to be set.
    GnuTLS issues a warning in case of key usage violation but allows communication to proceed.
  • Name Constraints extension.
    Not all crypto toolkits support it. This extension may prevent Áú»¢¶Ä²© from loading CA certificates where this section is marked as critical (depends on particular crypto toolkit).

Certificate Revocation Lists (CRL)

If a certificate is compromised CA can revoke it by including in CRL. CRLs can be configured in server, proxy and agent configuration file using parameter TLSCRLFile. For example:

TLSCRLFile=/home/zabbix/zabbix_crl_file

where zabbix_crl_file may contain CRLs from several CAs and look like:

-----BEGIN X509 CRL-----
       MIIB/DCB5QIBATANBgkqhkiG9w0BAQUFADCBgTETMBEGCgmSJomT8ixkARkWA2Nv
       ...
       treZeUPjb7LSmZ3K2hpbZN7SoOZcAoHQ3GWd9npuctg=
       -----END X509 CRL-----
       -----BEGIN X509 CRL-----
       MIIB+TCB4gIBATANBgkqhkiG9w0BAQUFADB/MRMwEQYKCZImiZPyLGQBGRYDY29t
       ...
       CAEebS2CND3ShBedZ8YSil59O6JvaDP61lR5lNs=
       -----END X509 CRL-----

CRL file is loaded only on Áú»¢¶Ä²© start. CRL update requires restart.

If Áú»¢¶Ä²© component is compiled with OpenSSL and CRLs are used then each top and intermediate level CA in certificate chains must have a corresponding CRL (it can be empty) in TLSCRLFile.

© 2001-2025 by Áú»¢¶Ä²© SIA. All rights reserved.
Except where otherwise noted, Áú»¢¶Ä²© Documentation is licensed under the following license
Trademark Policy