Áú»¢¶Ä²©

Documentation

1 Manual structure
2 What is Áú»¢¶Ä²©
3 Áú»¢¶Ä²© features
4 Áú»¢¶Ä²© overview
5 What's new in Áú»¢¶Ä²© 7.2.0
6 What's new in Áú»¢¶Ä²© 7.2.1
7 What's new in Áú»¢¶Ä²© 7.2.2
8 What's new in Áú»¢¶Ä²© 7.2.3
9 What's new in Áú»¢¶Ä²© 7.2.4
10 What's new in Áú»¢¶Ä²© 7.2.5
17 What's new in Áú»¢¶Ä²© 7.2.6
2 Definitions
1 High availability
2 Agent
3 Agent 2
4 Proxy
1 Setup from sources
2 Setup from RHEL packages
3 Setup from Debian/Ubuntu packages
6 Sender
7 Get
8 JS
9 Web service
1 Getting Áú»¢¶Ä²©
1 PostgreSQL plugin dependencies
2 MongoDB plugin dependencies
1 Building Áú»¢¶Ä²© agent on Windows
2 Building Áú»¢¶Ä²© agent 2 on Windows
3 Building Áú»¢¶Ä²© agent on macOS
1 Red Hat Enterprise Linux and derivatives
2 Debian/Ubuntu/Raspbian
3 SUSE Linux Enterprise Server
4 Windows agent installation from MSI
5 Mac OS agent installation from PKG
6 Unstable releases
5 Installation from containers
6 Web interface installation
1 Upgrade from sources
1 Red Hat Enterprise Linux
2 Debian/Ubuntu
3 Upgrade from containers
1 Compilation issues
2 Escaping-related upgrade issues
9 Template changes
10 Upgrade notes for 7.2.0
11 Upgrade notes for 7.2.1
12 Upgrade notes for 7.2.2
13 Upgrade notes for 7.2.3
14 Upgrade notes for 7.2.4
15 Upgrade notes for 7.2.5
16 Upgrade notes for 7.2.6
1 Login and configuring user
2 New host
3 New item
4 New trigger
5 Receiving problem notification
6 New template
6 Áú»¢¶Ä²© appliance
1 Configuring a host
2 Configuring a host group
3 Inventory
4 Mass update
1 Item key format
2 Custom intervals
1 Preprocessing testing
2 Preprocessing details
3 Preprocessing examples
1 Escaping special characters from LLD macro values in JSONPath
1 Additional JavaScript objects
2 Browser item JavaScript objects
6 CSV to JSON preprocessing
1 Áú»¢¶Ä²© agent 2
2 Windows Áú»¢¶Ä²© agent
1 Dynamic indexes
2 Special OIDs
3 MIB files
3 SNMP traps
4 IPMI checks
1 VMware monitoring item keys
6 Log file monitoring
1 Aggregate calculations
8 Internal checks
9 SSH checks
10 Telnet checks
11 External checks
12 Trapper items
13 JMX monitoring
14 ODBC monitoring
15 Dependent items
16 HTTP agent
17 Prometheus checks
18 Script items
19 Browser items
4 History and trends
1 Extending Áú»¢¶Ä²© agents
6 Windows performance counters
7 Mass update
8 Value mapping
9 Queue
10 Value cache
11 Execute now
12 Restricting agent checks
1 Configuring a trigger
2 Trigger expression
3 Trigger dependencies
4 Trigger severity
5 Customizing trigger severities
6 Mass update
7 Predictive trigger functions
1 Trigger event generation
2 Other event sources
3 Manual closing of problems
1 Trigger-based event correlation
2 Global event correlation
6 Tagging
1 Simple graphs
2 Custom graphs
3 Ad-hoc graphs
4 Aggregation in graphs
1 Configuring a network map
2 Host group elements
3 Link indicators
3 Dashboards
1 Configuring a template
2 Configuring a template group
3 Linking/unlinking
4 Nesting
5 Mass update
1 Áú»¢¶Ä²© agent template operation
2 Áú»¢¶Ä²© agent 2 template operation
3 HTTP template operation
4 IPMI template operation
5 JMX template operation
6 ODBC template operation
7 Standardized templates for network devices
8 VMware template operation
1 Email
2 SMS
3 Custom alert scripts
1 Webhook script examples
1 Conditions
1 Sending message
2 Remote commands
3 Additional operations
4 Using macros in messages
3 Recovery operations
4 Update operations
5 Escalations
3 Receiving notification on unsupported items
1 Macro functions
2 User macros
3 User macros with context
4 Secret user macros
5 Low-level discovery macros
6 Expression macros
1 Configuring a user
2 Permissions
3 User groups
1 CyberArk configuration
2 HashiCorp configuration
14 Scheduled reports
1 Export to files
2 Streaming to external systems
3 SNMP gateway
1 Service tree
2 SLA
3 Setup example
1 Web monitoring items
2 Real-life scenario
1 VMware monitoring item keys
2 Virtual machine discovery key fields
3 JSON examples for VMware items
4 VMware monitoring setup example
11 Maintenance
12 Regular expressions
1 Problem suppression
1 Template groups
2 Host groups
3 Templates
4 Hosts
5 Network maps
6 Media types
1 Configuring a network discovery rule
2 Active agent autoregistration
1 Item prototypes
2 Trigger prototypes
3 Graph prototypes
4 Host prototypes
5 Notes on low-level discovery
1 Discovery of mounted filesystems
2 Discovery of network interfaces
3 Discovery of CPUs and CPU cores
4 Discovery of SNMP OIDs
5 Discovery of SNMP OIDs (legacy)
6 Discovery of JMX objects
7 Discovery of IPMI sensors
8 Discovery of systemd services
9 Discovery of Windows services
10 Discovery of Windows performance counter instances
11 Discovery using WMI queries
12 Discovery using ODBC SQL queries
13 Discovery using Prometheus data
14 Discovery of block devices
15 Discovery of host interfaces in Áú»¢¶Ä²©
7 Custom LLD rules
1 Synchronization of monitoring configuration
2 Proxy load balancing and high availability
1 Using certificates
2 Using pre-shared keys
1 Connection type or permission problems
2 Certificate problems
3 PSK problems
1 Event menu
2 Host menu
3 Item menu
1 Action log
2 Clock
3 Discovery status
4 Favorite graphs
5 Favorite maps
6 Gauge
7 Geomap
8 Graph
9 Graph (classic)
10 Graph prototype
11 Honeycomb
12 Host availability
13 Host card
14 Host navigator
15 Item history
16 Item navigator
17 Item value
18 Map
19 Map navigation tree
20 Pie chart
21 Problem hosts
22 Problems
23 Problems by severity
24 SLA report
25 System information
26 Top hosts
27 Top items
28 Top triggers
29 Trigger overview
30 URL
31 Web monitoring
1 Cause and symptom problems
1 Graphs
2 Host dashboards
3 Web scenarios
3 Latest data
4 Maps
5 Discovery
1 Services
2 SLA
3 SLA report
1 Overview
2 Hosts
1 System information
2 Scheduled reports
3 Availability report
4 Top 100 triggers
5 Audit log
6 Action log
7 Notifications
1 Template groups
2 Host groups
1 Items
2 Triggers
3 Graphs
1 Item prototypes
2 Trigger prototypes
3 Graph prototypes
4 Host prototypes
5 Web scenarios
1 Items
2 Triggers
3 Graphs
1 Item prototypes
2 Trigger prototypes
3 Graph prototypes
4 Host prototypes
5 Web scenarios
5 Maintenance
6 Event correlation
7 Discovery
1 Actions
2 Media types
3 Scripts
1 User groups
2 User roles
3 Users
4 API tokens
1 HTTP
2 LDAP
3 SAML
4 MFA
1 General
2 Audit log
3 Housekeeping
4 Proxies
5 Proxy groups
6 Macros
7 Queue
1 Global notifications
2 Sound in browsers
4 Global search
5 Frontend maintenance mode
6 Page parameters
7 Definitions
8 Creating your own theme
9 Debug mode
10 Cookies used by Áú»¢¶Ä²©
11 Time zones
12 Resetting password
13 Time period selector
1 Securing MySQL/MariaDB
2 Securing PostgreSQL/TimescaleDB
2 Cryptography
3 Web server
2 Configuration best practices
Action object
action.create
action.delete
action.get
action.update
Alert object
alert.get
apiinfo.version
Audit log object
auditlog.get
Authentication object
authentication.get
authentication.update
Autoregistration object
autoregistration.get
autoregistration.update
configuration.export
configuration.import
configuration.importcompare
Connector object
connector.create
connector.delete
connector.get
connector.update
Correlation object
correlation.create
correlation.delete
correlation.get
correlation.update
Dashboard object
dashboard.create
dashboard.delete
dashboard.get
dashboard.update
1 Action log
2 Clock
3 Discovery status
4 Favorite graphs
5 Favorite maps
6 Gauge
7 Geomap
8 Graph
9 Graph (classic)
10 Graph prototype
11 Honeycomb
12 Host availability
13 Host card
14 Host navigator
15 Item history
16 Item navigator
17 Item value
18 Map
19 Map navigation tree
20 Pie chart
21 Problem hosts
22 Problems
23 Problems by severity
24 SLA report
25 System information
26 Top hosts
27 Top items
28 Top triggers
29 Trigger overview
30 URL
31 Web monitoring
Discovered host object
dhost.get
Discovered service object
dservice.get
Discovery check object
dcheck.get
Discovery rule object
drule.create
drule.delete
drule.get
drule.update
Event object
event.acknowledge
event.get
Graph object
graph.create
graph.delete
graph.get
graph.update
Graph item object
graphitem.get
Graph prototype object
graphprototype.create
graphprototype.delete
graphprototype.get
graphprototype.update
High availability node object
hanode.get
History object
history.clear
history.get
history.push
Host object
host.create
host.delete
host.get
host.massadd
host.massremove
host.massupdate
host.update
Host group object
hostgroup.create
hostgroup.delete
hostgroup.get
hostgroup.massadd
hostgroup.massremove
hostgroup.massupdate
hostgroup.propagate
hostgroup.update
Host interface object
hostinterface.create
hostinterface.delete
hostinterface.get
hostinterface.massadd
hostinterface.massremove
hostinterface.replacehostinterfaces
hostinterface.update
Host prototype object
hostprototype.create
hostprototype.delete
hostprototype.get
hostprototype.update
Housekeeping object
housekeeping.get
housekeeping.update
Icon map object
iconmap.create
iconmap.delete
iconmap.get
iconmap.update
Image object
image.create
image.delete
image.get
image.update
Item object
item.create
item.delete
item.get
item.update
Item prototype object
itemprototype.create
itemprototype.delete
itemprototype.get
itemprototype.update
LLD rule object
discoveryrule.create
discoveryrule.delete
discoveryrule.get
discoveryrule.update
Maintenance object
maintenance.create
maintenance.delete
maintenance.get
maintenance.update
Map object
map.create
map.delete
map.get
map.update
Media type object
mediatype.create
mediatype.delete
mediatype.get
mediatype.update
MFA object
mfa.create
mfa.delete
mfa.get
mfa.update
Module object
module.create
module.delete
module.get
module.update
Problem object
problem.get
Proxy object
proxy.create
proxy.delete
proxy.get
proxy.update
Proxy group object
proxygroup.create
proxygroup.delete
proxygroup.get
proxygroup.update
Regular expression object
regexp.create
regexp.delete
regexp.get
regexp.update
Report object
report.create
report.delete
report.get
report.update
Role object
role.create
role.delete
role.get
role.update
Script object
script.create
script.delete
script.execute
script.get
script.getscriptsbyevents
script.getscriptsbyhosts
script.update
Service object
service.create
service.delete
service.get
service.update
Settings object
settings.get
settings.update
SLA object
sla.create
sla.delete
sla.get
sla.getsli
sla.update
Task object
task.create
task.get
Template object
template.create
template.delete
template.get
template.massadd
template.massremove
template.massupdate
template.update
Template dashboard object
templatedashboard.create
templatedashboard.delete
templatedashboard.get
templatedashboard.update
Template group object
templategroup.create
templategroup.delete
templategroup.get
templategroup.massadd
templategroup.massremove
templategroup.massupdate
templategroup.propagate
templategroup.update
Token object
token.create
token.delete
token.generate
token.get
token.update
Trend object
trend.get
Trigger object
trigger.create
trigger.delete
trigger.get
trigger.update
Trigger prototype object
triggerprototype.create
triggerprototype.delete
triggerprototype.get
triggerprototype.update
User object
user.checkAuthentication
user.create
user.delete
user.get
user.login
user.logout
user.provision
user.resettotp
user.unblock
user.update
User directory object
userdirectory.create
userdirectory.delete
userdirectory.get
userdirectory.test
userdirectory.update
User group object
usergroup.create
usergroup.delete
usergroup.get
usergroup.update
User macro object
usermacro.create
usermacro.createglobal
usermacro.delete
usermacro.deleteglobal
usermacro.get
usermacro.update
usermacro.updateglobal
Value map object
valuemap.create
valuemap.delete
valuemap.get
valuemap.update
Web scenario object
httptest.create
httptest.delete
httptest.get
httptest.update
Appendix 1. Reference commentary
Appendix 2. Changes from 7.0 to 7.2
Appendix 3. Changes in 7.2
1 Loadable modules
1 Building loadable plugins
3 Frontend modules
1 Database creation
2 Repairing Áú»¢¶Ä²© database character set and collation
3 Database upgrade to primary keys
4 Preparing auditlog table for partitioning
1 MySQL encryption configuration
2 PostgreSQL encryption configuration
6 TimescaleDB setup
7 Elasticsearch setup
8 Distribution-specific notes on setting up Nginx for Áú»¢¶Ä²©
9 Running agent as root
10 Áú»¢¶Ä²© agent on Microsoft Windows
11 SAML setup with Microsoft Entra ID
12 SAML setup with Okta
13 SAML setup with OneLogin
14 Setting up scheduled reports
15 Additional frontend languages
1 Áú»¢¶Ä²© server
2 Áú»¢¶Ä²© proxy
3 Áú»¢¶Ä²© agent (UNIX)
4 Áú»¢¶Ä²© agent 2 (UNIX)
5 Áú»¢¶Ä²© agent (Windows)
6 Áú»¢¶Ä²© agent 2 (Windows)
1 Ceph plugin
2 Docker plugin
3 Ember+ plugin
4 Memcached plugin
5 Modbus plugin
6 MongoDB plugin
7 MQTT plugin
8 MSSQL plugin
9 MySQL plugin
10 NVIDIA GPU plugin
11 Oracle plugin
12 PostgreSQL plugin
13 Redis plugin
14 SMART plugin
8 Áú»¢¶Ä²© Java gateway
9 Áú»¢¶Ä²© web service
10 Environment variables
11 Inclusion
1 Server-proxy data exchange protocol
2 Áú»¢¶Ä²© agent/agent2 protocol
4 Áú»¢¶Ä²© agent 2 plugin protocol
5 Áú»¢¶Ä²© sender protocol
6 Header
7 Newline-delimited JSON export protocol
1 vm.memory.size parameters
2 Passive and active agent checks
3 Minimum permission level for Windows agent items
4 Encoding of returned values
5 Large file support
6 Sensor
7 Notes on memtype parameter in proc.mem items
8 Notes on selecting processes in proc.mem and proc.num items
9 Implementation details of net.tcp.service and net.udp.service checks
10 proc.get parameters
11 Unreachable/unavailable host interface settings
12 Remote monitoring of Áú»¢¶Ä²© stats
13 Configuring Kerberos with Áú»¢¶Ä²©
14 modbus.get parameters
15 Creating custom performance counter names for VMware
16 Return values for system.sw.packages.get
17 Return values for net.dns.get
18 Notes on system.cpu.util items on Windows
1 Foreach functions
2 Bitwise functions
3 Date and time functions
4 History functions
5 Trend functions
6 Mathematical functions
7 Operator functions
8 Predictive functions
9 String functions
1 Supported macros
2 User macros supported by location
7 Unit symbols
8 Time period syntax
9 Command execution
10 Version compatibility
12 Áú»¢¶Ä²© sender dynamic link library for Windows
13 Python library for Áú»¢¶Ä²© API
14 Service monitoring upgrade
15 Other issues
16 Agent vs agent 2 comparison
17 Escaping examples
1 Monitor Linux with Áú»¢¶Ä²© agent
2 Monitor Windows with Áú»¢¶Ä²© agent
3 Monitor Apache via HTTP
4 Monitor MySQL with Áú»¢¶Ä²© agent 2
5 Monitor VMware with Áú»¢¶Ä²©
6 Monitor network traffic with Áú»¢¶Ä²©
7 Monitor network traffic using active checks
8 Monitor websites with Browser items
9 Monitor website certificates with Áú»¢¶Ä²© agent 2 (passive)
10 Monitor a network switch or router with Áú»¢¶Ä²©
manifest.json
Actions
Views
Assets
Register a new module
Configuration
Presentation
Create a module (tutorial)
Create a widget (tutorial)
Examples
Examples
Create a plugin (tutorial)
Plugin interfaces
Changes to extension development
zabbix_agent2
zabbix_agentd
zabbix_get
zabbix_js
zabbix_proxy
zabbix_sender
zabbix_server
zabbix_web_service

1 Using certificates

Overview

Áú»¢¶Ä²© can use RSA certificates in PEM format, signed by a public or an in-house certificate authority (CA).

Certificate verification is performed against a pre-configured CA certificate. Optionally, Certificate Revocation Lists (CRL) can be used.

Each Áú»¢¶Ä²© component can have only one certificate configured.

For more information on setting up and operating an internal CA, generating and signing certificate requests, and revoking certificates, refer to tutorials such as the .

Carefully consider and test your certificate extensions. For more details, see Limitations on using X.509 v3 certificate extensions.

Certificate configuration parameters

The following configuration parameters are supported for setting up certificates on Áú»¢¶Ä²© components.

Parameter Mandatory Description
TLSCAFile yes Full pathname of a file containing the top-level CA(s) certificates for peer certificate verification.
If using a certificate chain with multiple members, order the certificates with lower level CA(s) certificates first, followed by higher level CA(s) certificates.
Certificates from multiple CAs can be included in a single file.
TLSCRLFile no Full pathname of a file containing Certificate Revocation Lists (CRL).
TLSCertFile yes Full pathname of a file containing the certificate.
If using a certificate chain with multiple members, order the certificates with the server, proxy, or agent certificate first, followed by lower level CA(s) certificates, and concluded by higher level CA(s) certificates.
TLSKeyFile yes Full pathname of a file containing the private key.
Ensure that this file is readable only by the Áú»¢¶Ä²© user by setting appropriate access rights.
TLSServerCertIssuer no Allowed server certificate issuer.
TLSServerCertSubject no Allowed server certificate subject.

Configuration examples

After setting up the necessary certificates, configure Áú»¢¶Ä²© components to use certificate-based encryption.

Below are detailed steps for configuring:

Áú»¢¶Ä²© server

1. Prepare the CA certificate file.

In order to verify peer certificates, Áú»¢¶Ä²© server must have access to the file containing the top-level, self-signed root CA certificates. For example, if certificates from two independent root CAs are needed, place them into a file at /home/zabbix/zabbix_ca_file.crt:

Certificate:
           Data:
               Version: 3 (0x2)
               Serial Number: 1 (0x1)
           Signature Algorithm: sha1WithRSAEncryption
               Issuer: DC=com, DC=zabbix, O=Áú»¢¶Ä²© SIA, OU=Development group, CN=Root1 CA
                   ...
               Subject: DC=com, DC=zabbix, O=Áú»¢¶Ä²© SIA, OU=Development group, CN=Root1 CA
               Subject Public Key Info:
                   Public Key Algorithm: rsaEncryption
                       Public-Key: (2048 bit)
                   ...
               X509v3 extensions:
                   X509v3 Key Usage: critical
                       Certificate Sign, CRL Sign
                   X509v3 Basic Constraints: critical
                       CA:TRUE
                   ...
       -----BEGIN CERTIFICATE-----
       MIID2jCCAsKgAwIBAgIBATANBgkqhkiG9w0BAQUFADB+MRMwEQYKCZImiZPyLGQB
       ....
       9wEzdN8uTrqoyU78gi12npLj08LegRKjb5hFTVmO
       -----END CERTIFICATE-----
       Certificate:
           Data:
               Version: 3 (0x2)
               Serial Number: 1 (0x1)
           Signature Algorithm: sha1WithRSAEncryption
               Issuer: DC=com, DC=zabbix, O=Áú»¢¶Ä²© SIA, OU=Development group, CN=Root2 CA
                   ...
               Subject: DC=com, DC=zabbix, O=Áú»¢¶Ä²© SIA, OU=Development group, CN=Root2 CA
               Subject Public Key Info:
                   Public Key Algorithm: rsaEncryption
                       Public-Key: (2048 bit)
                   ....
               X509v3 extensions:
                   X509v3 Key Usage: critical
                       Certificate Sign, CRL Sign
                   X509v3 Basic Constraints: critical
                       CA:TRUE
                   ....       
       -----BEGIN CERTIFICATE-----
       MIID3DCCAsSgAwIBAgIBATANBgkqhkiG9w0BAQUFADB/MRMwEQYKCZImiZPyLGQB
       ...
       vdGNYoSfvu41GQAR5Vj5FnRJRzv5XQOZ3B6894GY1zY=
       -----END CERTIFICATE-----

2. Place the Áú»¢¶Ä²© server certificate/certificate chain into a file, for example, at /home/zabbix/zabbix_server.crt. The first certificate is the Áú»¢¶Ä²© server certificate, followed by the intermediate CA certificate:

Certificate:
           Data:
               Version: 3 (0x2)
               Serial Number: 1 (0x1)
           Signature Algorithm: sha1WithRSAEncryption
               Issuer: DC=com, DC=zabbix, O=Áú»¢¶Ä²© SIA, OU=Development group, CN=Signing CA
               ...
               Subject: DC=com, DC=zabbix, O=Áú»¢¶Ä²© SIA, OU=Development group, CN=Áú»¢¶Ä²© server
               Subject Public Key Info:
                   Public Key Algorithm: rsaEncryption
                       Public-Key: (2048 bit)
                       ...
               X509v3 extensions:
                   X509v3 Key Usage: critical
                       Digital Signature, Key Encipherment
                   X509v3 Basic Constraints: 
                       CA:FALSE
                   ...
       -----BEGIN CERTIFICATE-----
       MIIECDCCAvCgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBgTETMBEGCgmSJomT8ixk
       ...
       h02u1GHiy46GI+xfR3LsPwFKlkTaaLaL/6aaoQ==
       -----END CERTIFICATE-----
       Certificate:
           Data:
               Version: 3 (0x2)
               Serial Number: 2 (0x2)
           Signature Algorithm: sha1WithRSAEncryption
               Issuer: DC=com, DC=zabbix, O=Áú»¢¶Ä²© SIA, OU=Development group, CN=Root1 CA
               ...
               Subject: DC=com, DC=zabbix, O=Áú»¢¶Ä²© SIA, OU=Development group, CN=Signing CA
               Subject Public Key Info:
                   Public Key Algorithm: rsaEncryption
                       Public-Key: (2048 bit)
                   ...
               X509v3 extensions:
                   X509v3 Key Usage: critical
                       Certificate Sign, CRL Sign
                   X509v3 Basic Constraints: critical
                       CA:TRUE, pathlen:0
               ...
       -----BEGIN CERTIFICATE-----
       MIID4TCCAsmgAwIBAgIBAjANBgkqhkiG9w0BAQUFADB+MRMwEQYKCZImiZPyLGQB
       ...
       dyCeWnvL7u5sd6ffo8iRny0QzbHKmQt/wUtcVIvWXdMIFJM0Hw==
       -----END CERTIFICATE-----

Use only the attributes mentioned above for both client and server certificates to avoid affecting the certificate verification process. For example, OpenSSL might fail to establish an encrypted connection if X509v3 Subject Alternative Name or Netscape Cert Type extensions are used. For more information, see Limitations on using X.509 v3 certificate extensions.

3. Place the Áú»¢¶Ä²© server private key into a file, for example, at /home/zabbix/zabbix_server.key:

-----BEGIN PRIVATE KEY-----
       MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQC9tIXIJoVnNXDl
       ...
       IJLkhbybBYEf47MLhffWa7XvZTY=
       -----END PRIVATE KEY-----

4. Edit the TLS configuration parameters in the Áú»¢¶Ä²© server configuration file:

TLSCAFile=/home/zabbix/zabbix_ca_file
       TLSCertFile=/home/zabbix/zabbix_server.crt
       TLSKeyFile=/home/zabbix/zabbix_server.key
Áú»¢¶Ä²© proxy

1. Prepare files with the top-level CA certificates, the Áú»¢¶Ä²© proxy certificate/certificate chain, and the private key as described in the Áú»¢¶Ä²© server section. Then, edit the TLSCAFile, TLSCertFile, and TLSKeyFile parameters in the Áú»¢¶Ä²© proxy configuration file accordingly.

2. Edit additional TLS parameters in the Áú»¢¶Ä²© proxy configuration file:

  • For active proxy: TLSConnect=cert
  • For passive proxy: TLSAccept=cert

To improve proxy security, you can also set the TLSServerCertIssuer and TLSServerCertSubject parameters. For more information, see Restricting allowed certificate issuer and subject.

TLS parameters in the final proxy configuration file may look as follows:

TLSConnect=cert
       TLSAccept=cert
       TLSCAFile=/home/zabbix/zabbix_ca_file
       TLSServerCertIssuer=CN=Signing CA,OU=Development group,O=Áú»¢¶Ä²© SIA,DC=zabbix,DC=com
       TLSServerCertSubject=CN=Áú»¢¶Ä²© server,OU=Development group,O=Áú»¢¶Ä²© SIA,DC=zabbix,DC=com
       TLSCertFile=/home/zabbix/zabbix_proxy.crt
       TLSKeyFile=/home/zabbix/zabbix_proxy.key

3. Configure encryption for this proxy in Áú»¢¶Ä²© frontend:

  • Go to: Administration ¡ú Proxies.
  • Select the proxy and click the Encryption tab.

In the examples below, the Issuer and Subject fields are filled in. For more information on why and how to use these fields, see Restricting allowed certificate issuer and subject.

For active proxy:

For passive proxy:

Áú»¢¶Ä²© agent

1. Prepare files with the top-level CA certificates, the Áú»¢¶Ä²© agent certificate/certificate chain, and the private key as described in the Áú»¢¶Ä²© server section. Then, edit the TLSCAFile, TLSCertFile, and TLSKeyFile parameters in the Áú»¢¶Ä²© agent configuration file accordingly.

2. Edit additional TLS parameters in the Áú»¢¶Ä²© agent configuration file:

  • For active agent: TLSConnect=cert
  • For passive agent: TLSAccept=cert

To improve agent security, you can set the TLSServerCertIssuer and TLSServerCertSubject parameters. For more information, see Restricting allowed certificate issuer and subject.

The TLS parameters in the final agent configuration file may look as follows. Note that the example assumes that the host is monitored by a proxy, hence it is specified as the certificate Subject:

TLSConnect=cert
       TLSAccept=cert
       TLSCAFile=/home/zabbix/zabbix_ca_file
       TLSServerCertIssuer=CN=Signing CA,OU=Development group,O=Áú»¢¶Ä²© SIA,DC=zabbix,DC=com
       TLSServerCertSubject=CN=Áú»¢¶Ä²© proxy,OU=Development group,O=Áú»¢¶Ä²© SIA,DC=zabbix,DC=com
       TLSCertFile=/home/zabbix/zabbix_agentd.crt
       TLSKeyFile=/home/zabbix/zabbix_agentd.key

3. Configure encryption in Áú»¢¶Ä²© frontend for the host monitored by this agent.

  • Go to: Data collection ¡ú Hosts.
  • Select the host and click the Encryption tab.

In the example below, the Issuer and Subject fields are filled in. For more information on why and how to use these fields, see Restricting allowed certificate issuer and subject.

Áú»¢¶Ä²© web service

1. Prepare files with the top-level CA certificates, the Áú»¢¶Ä²© web service certificate/certificate chain, and the private key as described in the Áú»¢¶Ä²© server section. Then, edit the TLSCAFile, TLSCertFile, and TLSKeyFile parameters in the Áú»¢¶Ä²© web service configuration file accordingly.

2. Edit an additional TLS parameter in the Áú»¢¶Ä²© web service configuration file: TLSAccept=cert

TLS parameters in the final web service configuration file may look as follows:

TLSAccept=cert
       TLSCAFile=/home/zabbix/zabbix_ca_file
       TLSCertFile=/home/zabbix/zabbix_web_service.crt
       TLSKeyFile=/home/zabbix/zabbix_web_service.key

3. Configure Áú»¢¶Ä²© server to connect to the TLS-configured Áú»¢¶Ä²© web service by editing the WebServiceURL parameter in the Áú»¢¶Ä²© server configuration file:

WebServiceURL=https://example.com

Restricting allowed certificate issuer and subject

When two Áú»¢¶Ä²© components (for example, server and agent) establish a TLS connection, they validate each other's certificates. If a peer certificate is signed by a trusted CA (with a pre-configured top-level certificate in TLSCAFile), is valid, has not expired, and passes other checks, then the communication between components can proceed. In this simplest case, the certificate issuer and subject are not verified.

However, this presents a risk: anyone with a valid certificate can impersonate anyone else (for example, a host certificate could be used to impersonate a server). While this may be acceptable in small environments where certificates are signed by a dedicated in-house CA and the risk of impersonation is low, it may not be sufficient in larger or more security-sensitive environments.

If your top-level CA issues certificates that should not be accepted by Áú»¢¶Ä²© or if you want to reduce the risk of impersonation, you can restrict allowed certificates by specifying their issuer and subject.

For example, in the Áú»¢¶Ä²© proxy configuration file, you could specify:

TLSServerCertIssuer=CN=Signing CA,OU=Development group,O=Áú»¢¶Ä²© SIA,DC=zabbix,DC=com
       TLSServerCertSubject=CN=Áú»¢¶Ä²© server,OU=Development group,O=Áú»¢¶Ä²© SIA,DC=zabbix,DC=com

With these settings, an active proxy will not communicate with a Áú»¢¶Ä²© server whose certificate has a different issuer or subject. Similarly, a passive proxy will not accept requests from such a server.

Rules for matching Issuer and Subject strings

The rules for matching Issuer and Subject strings are as follows:

  • Issuer and Subject strings are checked independently. Both are optional.
  • An unspecified string means that any string is accepted.
  • Strings are compared as is and must match exactly.
  • UTF-8 characters are supported. However, wildcards (*) or regular expressions are not supported.
  • The following requirements are implemented - characters that require escaping (with a '\' backslash, U+005C):
    • anywhere in the string: '"' (U+0022), '+' (U+002B), ',' (U+002C), ';' (U+003B), '<' (U+003C), '>' (U+003E), '\\' (U+005C);
    • at the beginning of the string: space (' ', U+0020) or number sign ('#', U+0023);
    • at the end of the string: space (' ', U+0020).
  • Null characters (U+0000) are not supported. If a null character is encountered, the matching will fail.
  • and standards are not supported.

For example, if Issuer and Subject organization (O) strings contain trailing spaces and the Subject organizational unit (OU) string contains double quotes, these characters must be escaped:

TLSServerCertIssuer=CN=Signing CA,OU=Development head,O=\ Example SIA\ ,DC=example,DC=com
       TLSServerCertSubject=CN=Áú»¢¶Ä²© server,OU=Development group \"5\",O=\ Example SIA\ ,DC=example,DC=com
Field order and formatting

Áú»¢¶Ä²© follows the recommendations of , which specifies a "reverse" order for these fields, starting with the lowest-level fields (CN), proceeding to the mid-level fields (OU, O), and concluding with the highest-level fields (DC).

TLSServerCertIssuer=CN=Signing CA,OU=Development group,O=Áú»¢¶Ä²© SIA,DC=zabbix,DC=com
       TLSServerCertSubject=CN=Áú»¢¶Ä²© proxy,OU=Development group,O=Áú»¢¶Ä²© SIA,DC=zabbix,DC=com

In contrast, OpenSSL by default displays the Issuer and Subject strings in top-level to low-level order. In the following example, Issuer and Subject fields start with the top-level (DC) and end with the low-level (CN) field. The formatting with spaces and field separators also varies based on the options used, and thus will not match the format required by Áú»¢¶Ä²©.

$ openssl x509 -noout -in /home/zabbix/zabbix_proxy.crt -issuer -subject
       issuer= /DC=com/DC=zabbix/O=Áú»¢¶Ä²© SIA/OU=Development group/CN=Signing CA
       subject= /DC=com/DC=zabbix/O=Áú»¢¶Ä²© SIA/OU=Development group/CN=Áú»¢¶Ä²© proxy
       
       $ openssl x509 -noout -text -in /home/zabbix/zabbix_proxy.crt
       Certificate:
           ...
               Issuer: DC=com, DC=zabbix, O=Áú»¢¶Ä²© SIA, OU=Development group, CN=Signing CA
               ...
               Subject: DC=com, DC=zabbix, O=Áú»¢¶Ä²© SIA, OU=Development group, CN=Áú»¢¶Ä²© proxy

To format Issuer and Subject strings correctly for Áú»¢¶Ä²©, invoke OpenSSL with the following options:

$ openssl x509 -noout -issuer -subject \
           -nameopt esc_2253,esc_ctrl,utf8,dump_nostr,dump_unknown,dump_der,sep_comma_plus,dn_rev,sname\
           -in /home/zabbix/zabbix_proxy.crt

The output will then be in reverse order, comma-separated, and usable in Áú»¢¶Ä²© configuration files and frontend:

issuer= CN=Signing CA,OU=Development group,O=Áú»¢¶Ä²© SIA,DC=zabbix,DC=com
       subject= CN=Áú»¢¶Ä²© proxy,OU=Development group,O=Áú»¢¶Ä²© SIA,DC=zabbix,DC=com

Limitations on using X.509 v3 certificate extensions

When implementing X.509 v3 certificates within Áú»¢¶Ä²©, certain extensions may not be fully supported or could result in inconsistent behavior.

Subject Alternative Name extension

Áú»¢¶Ä²© does not support the Subject Alternative Name extension, which is used to specify alternative DNS names such as IP addresses or email addresses. Áú»¢¶Ä²© can only validate the value in the Subject field of the certificate (see Restricting Allowed Certificate Issuer and Subject). If certificates include the subjectAltName field, the outcome of certificate validation may vary depending on the specific crypto toolkits used to compile Áú»¢¶Ä²© components. As a result, Áú»¢¶Ä²© may either accept or reject certificates based on these combinations.

Extended Key Usage extension

Áú»¢¶Ä²© supports the Extended Key Usage extension. However, if used, it is generally required that both clientAuth (for TLS WWW client authentication) and serverAuth (for TLS WWW server authentication) attributes are specified. For example:

  • In passive checks, where Áú»¢¶Ä²© agent operates as a TLS server, the serverAuth attribute must be included in the agent's certificate.
  • For active checks, where the agent operates as a TLS client, the clientAuth attribute must be included in the agent's certificate.

While GnuTLS may issue a warning for key usage violations, it typically allows communication to proceed despite these warnings.

Name Constraints extension

Support for the Name Constraints extension varies among crypto toolkits. Ensure that your chosen toolkit supports this extension. This extension may restrict Áú»¢¶Ä²© from loading CA certificates if this section is marked as critical, depending on the specific toolkit in use.

Certificate Revocation Lists (CRL)

If a certificate is compromised, the Certificate Authority (CA) can revoke it by including the certificate in a Certificate Revocation List (CRL). CRLs are managed through configuration files and can be specified using the TLSCRLFile parameter in server, proxy, and agent configuration files. For example:

TLSCRLFile=/home/zabbix/zabbix_crl_file.crt

In this case, zabbix_crl_file.crt may contain CRLs from multiple CAs, and could look like this:

-----BEGIN X509 CRL-----
       MIIB/DCB5QIBATANBgkqhkiG9w0BAQUFADCBgTETMBEGCgmSJomT8ixkARkWA2Nv
       ...
       treZeUPjb7LSmZ3K2hpbZN7SoOZcAoHQ3GWd9npuctg=
       -----END X509 CRL-----
       -----BEGIN X509 CRL-----
       MIIB+TCB4gIBATANBgkqhkiG9w0BAQUFADB/MRMwEQYKCZImiZPyLGQBGRYDY29t
       ...
       CAEebS2CND3ShBedZ8YSil59O6JvaDP61lR5lNs=
       -----END X509 CRL-----

The CRL file is loaded only when Áú»¢¶Ä²© starts. To update the CRL, restart Áú»¢¶Ä²©.

If Áú»¢¶Ä²© components are compiled with OpenSSL and CRLs are used, ensure that each top-level and intermediate CA in the certificate chains has a corresponding CRL (even if it is empty) included in the TLSCRLFile.

? 2001-2025 by Áú»¢¶Ä²© SIA. All rights reserved.
Except where otherwise noted, Áú»¢¶Ä²© Documentation is licensed under the following license
Trademark Policy