Werk #7017: Livestatus via TCP can now be encrypted
| Component | Livestatus |
| Title | Livestatus via TCP can now be encrypted |
| Date | Dec 29, 2018 |
| Checkmk Edition | Checkmk Raw (CRE) |
| Checkmk Version | 1.6.0b1 |
| Level | Prominent Change |
| Class | New Feature |
| Compatibility | Compatible - no manual interaction needed |
Livestatus has been a plain text protocol since it's invention. This is normally OK for system local connections via unix socket or TCP connections in secure networks.
Users always had the choice to secure the communication using TLS (e.g. via stunnel), SSH, VPN or some other solution that encrypts the communication in their local setup.
To improve the security for all users of Check_MK, we have now changed the Livestatus TCP communication to be encrypted by default using TLS. This is realized using an internal CA and internally generated certificates by default.
Existing sites that already have Livestatus via TCP enabled before updating to 1.6 still use the unencrypted communication for compatibility. An analyze configuration" test will create a CRITICAL message about the unencrypted Livestatus TCP configuration in this situation.
If you want to encrypt the Livestatus communication between two sites, you first have to update both sites to use Check_MK 1.6. Then you will have to enable the 'omd config' option LIVESTATUS_TCP_TLS. After that go to the 'Distributed Monitoring' configuration page on the central site and enable "Encryption" for the remote site connection. If you use the internal site certificate, you will now have open the "Livestatus encryption" detail page of the site which should show you that the certificate of the remote site is not trusted by the central site. Klick on the "Add to trusted CAs" icon button in the certificate chain list to establish the tust with the remote site. Once this is done your livestatus connection should be encrypted and working fine.
Technical details:
- For new sites Livestatus via TCP is encrypted by default. Existing sites which already have Livestatus via TCP enabled during the update keep the communication unencrypted for compatibility reasons. This is managed using the new 'omd config' option LIVESTATUS_TCP_TLS. This setting can also be managed through the "Global Settings > Site Management".
- During update or site creation a site local CA certificate is created to manage the sites local certificates.
- The site local certificate is created automatically during update or site creation.
- The CA certificate is always located at 'etc/ssl/ca.pem'.
- The site certificate is located at 'etc/ssl/sites/[site].pem'
- Both files are in PEM format and need to have the private key and certificate stored in a single file.
- The keys are 2048 bit RSA keys and the certificates are signed using SHA512.
- These certificates are valid for 999 years.
- The site PEM file should contain the certificates of the whole certificate chain.
- In case you want to use other site certificates, you are free to replace the site PEM file with your own. Please note that you will have to restart the stunnel process of the site to apply the change.
- stunnel is introduced as site internal daemon that serves the TLS wrapped socket once it has been enabled through 'omd config'.
- The livestatus_status check is now checking for the livestatus certificate expiration time.
