Related Documentation | Version of up.time Affected | Affected Platforms |
Setting the agent port or permissions | All | Linux |
You can secure communication between the up.time monitoring station and the up.time Linux agent by enabling SSL encryption. Enabling SSL is a two-step process:
Enabling SSL on the Linux Agent System
To enable SSL encryption, complete the following steps on each agent system:
NOTE: Do not perform these steps on the monitoring station.
    service uptmagnt
    {
        disable = no
        flags = REUSE
        socket_type = stream
        wait = no
        user = nobody
        server = /usr/sbin/stunnel
        server_args = /etc/stunnel/uptmagnt.conf
    }
    openssl req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem

The following is a sample stunnel.cnf for the openssl program:
    # create RSA certs - Server

    RANDFILE = stunnel.rnd

    [ req ]
    # 2048-bit RSA; 1024-bit keys are no longer considered adequate
    default_bits = 2048
    encrypt_key = yes
    distinguished_name = req_dn
    x509_extensions = cert_type

    [ req_dn ]
    countryName = Country Name (2 letter code)
    countryName_default = PL
    countryName_min = 2
    countryName_max = 2

    stateOrProvinceName = State or Province Name (full name)
    stateOrProvinceName_default = Some-State

    localityName = Locality Name (eg, city)

    0.organizationName = Organization Name (eg, company)
    0.organizationName_default = Stunnel Developers Ltd

    organizationalUnitName = Organizational Unit Name (eg, section)
    #organizationalUnitName_default =

    0.commonName = Common Name (FQDN of your server)
    0.commonName_default = localhost

    # To create a certificate for more than one name uncomment:
    # 1.commonName = DNS alias of your server
    # 2.commonName = DNS alias of your server
    # ...
    # See http://home.netscape.com/eng/security/ssl_2.0_certificate.html
    # to see how Netscape understands commonName.

    [ cert_type ]
    nsCertType = server
    cert=/etc/stunnel/uptmagnt.pem
    exec=/opt/uptime-agent/bin/uptmagnt
You can verify that your agent is communicating securely by running the following command on your monitoring station:
    agentcmd +s -p 9998 <hostname> df-k
NOTE: You can change the port on which to enable SSL to any value. To change the default agent port to something other than 9998, edit the /etc/services file, and restart xinetd. You can also use the agent-configure.sh script (see Setting the agent port or permissions for more information).
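The openssl command above uses -nodes, so the private key in the PEM file is stored unencrypted, and xinetd starts stunnel as nobody; file mode and ownership are therefore the only protection the key has. The following check is an added example, not part of the up.time documentation: the function names are hypothetical, it assumes GNU stat, and it assumes the certificate and key share one PEM file as in that command.

```shell
#!/bin/sh
# Added example (not up.time code): audit the PEM file named by cert= in a
# stunnel config. Function names are hypothetical; requires GNU stat.

# Print the value of the first cert= line in a stunnel config file.
stunnel_cert_path() {
    sed -n 's/^[[:space:]]*cert[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Return 0 if the PEM passes every check, 1 otherwise; findings go to stdout.
# $1 = stunnel config, $2 = account xinetd runs stunnel as (default: nobody)
# The body is a subshell ( ... ) so its variables stay local in plain sh.
audit_stunnel_pem() (
    conf=$1
    run_as=${2:-nobody}
    rc=0
    pem=$(stunnel_cert_path "$conf")
    [ -n "$pem" ] || { echo "FAIL: no cert= line in $conf"; return 1; }
    [ -f "$pem" ] || { echo "FAIL: $pem does not exist"; return 1; }

    # openssl req -out X -keyout X writes both blocks into the same file.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "FAIL: $pem has no certificate block"; rc=1; }
    grep -Eq -- '-----BEGIN (RSA )?PRIVATE KEY-----' "$pem" ||
        { echo "FAIL: $pem has no unencrypted private key block"; rc=1; }

    mode=$(stat -c '%a' "$pem")     # octal permissions, for example 600
    owner=$(stat -c '%U' "$pem")
    # Any group or other permission bit exposes the unencrypted key.
    [ $(( 0$mode & 077 )) -eq 0 ] ||
        { echo "FAIL: $pem is mode $mode, group/other can access the key"; rc=1; }
    # Not a failure by itself, but stunnel cannot read a 600 file it does not own.
    [ "$owner" = "$run_as" ] ||
        echo "WARN: $pem is owned by $owner but stunnel runs as $run_as"

    [ "$rc" -eq 0 ] && echo "OK: $pem"
    return "$rc"
)

# Usage: sh audit_stunnel_pem.sh /etc/stunnel/uptmagnt.conf [run-as-user]
if [ "$#" -gt 0 ]; then audit_stunnel_pem "$@"; fi
```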
Enabling SSL in the up.time UI
If the Linux agent has already been added to up.time, complete the following steps in the up.time Web interface for each agent system that you want to configure to use SSL.
If you have not yet added the agent system to up.time, follow the steps that are detailed in the up.time User Guide. When adding the agent system, ensure that the Agent Port Number option is set to 9998, and that the Use SSL (HTTPS) option is enabled.