An additional broker output for the Centreon central server (centreon-broker-master) has been created during the installation. You can check it in the web interface of your central Centreon server, in the main menu under Configuration > Pollers > Broker Configuration > Centreon-broker-master.
The output configuration should look like this:
Set up a TLS connection between broker and map server
The socket connection between the broker and the map server can be secured using the TLS protocol.
Broker side configuration:
You can enable TLS output and set up the broker’s private key and public certificate as described in broker TLS output.
The “Trusted CA’s certificate” field is optional. If you activate the broker’s client authentication by setting this “ca_certificate.crt”, then you must set up a keystore for the map server.
You MUST push the new broker configuration and restart the broker after configuration.
Map server side configuration:
First of all, set the following parameter in the map server configuration at “/etc/centreon-studio/studio-config.properties” to enable the TLS socket connection with the broker:
1. Self-signed broker certificate
If the broker public certificate is self-signed, you must create a trust store containing that certificate or its CA certificate with the following command line:
# keytool -import -alias centreon-broker -file broker_public.crt -keystore truststore.jks
- “broker_public.crt” is the broker’s public certificate or its CA certificate in PEM format.
- “truststore.jks” is the generated trust store in JKS format.
- A store password is required during generation.
Then put the generated output file “truststore.jks” into “/etc/centreon-studio” on the map server host,
and add JVM options to Tomcat’s configuration file, “/etc/tomcat/tomcat.conf”:
Replace the trustStorePassword value “xxx” with the password you used when generating the trust store.
Finally, restart Tomcat :
# sudo systemctl restart tomcat
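Before restarting Tomcat it is worth confirming that the trust store entry really is the broker certificate you intended to trust. The script below is an added example, not part of the Centreon documentation: it exports the “centreon-broker” entry from the trust store and compares its SHA-256 fingerprint with that of “broker_public.crt”. It assumes `openssl` and `keytool` are installed; the `STOREPASS` environment variable and the function names are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the Centreon documentation).
# Compares the SHA-256 fingerprint of the certificate stored in the trust
# store with the fingerprint of the PEM file it was imported from.

# Reduce an "openssl x509 -fingerprint" line to bare uppercase hex, so that
# "sha256 Fingerprint=ab:cd" and "SHA256 Fingerprint=AB:CD" compare equal.
normalize_fp() {
    printf '%s\n' "$1" | sed 's/^.*=//' | tr -d ': \r' | tr 'a-f' 'A-F'
}

# SHA-256 fingerprint of the PEM certificate read from stdin.
# Prints an empty string if the input is not a certificate.
pem_fp() {
    normalize_fp "$(openssl x509 -noout -fingerprint -sha256 2>/dev/null)"
}

# True only when both fingerprints are non-empty and identical, so a failed
# export or an unreadable file can never count as a match.
fp_match() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# check_truststore CERT_PEM TRUSTSTORE ENTRY_ALIAS
# The store password is taken from the STOREPASS environment variable
# (name chosen for this example) so it does not show up in the process list.
check_truststore() {
    cert=$1 store=$2 entry=$3
    want=$(pem_fp < "$cert")
    got=$(keytool -exportcert -rfc -alias "$entry" -keystore "$store" \
              -storepass:env STOREPASS 2>/dev/null | pem_fp)
    if fp_match "$want" "$got"; then
        echo "OK: $entry in $store matches $cert ($want)"
    else
        echo "MISMATCH: $entry in $store is not $cert" >&2
        return 1
    fi
}

# Run the check only when called with the three arguments, e.g.:
#   STOREPASS=... sh check_truststore.sh broker_public.crt \
#       /etc/centreon-studio/truststore.jks centreon-broker
if [ "$#" -eq 3 ]; then
    check_truststore "$1" "$2" "$3"
fi
```

A mismatch or a failed export returns a non-zero status, so the check can gate the Tomcat restart in a deployment script.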
2. Broker certificate signed by a recognized CA
If the broker public certificate is signed by a recognized CA, the JVM default trust store “cacerts (/etc/pki/java/cacerts)” will be used. There is nothing to configure for Tomcat.