2 PostgreSQL encryption configuration

Overview

This section provides several encryption configuration examples for CentOS 8.2 and PostgreSQL 13.

The connection between the Zabbix frontend and PostgreSQL cannot be encrypted (the TLS parameters in the GUI are disabled) if the value of the Database host field begins with a slash (a Unix socket path) or the field is empty.

Pre-requisites

Install the PostgreSQL database using the official repository.

PostgreSQL is not configured to accept TLS connections out of the box. Please follow the instructions in the PostgreSQL documentation for certificate preparation in postgresql.conf and for user access control in pg_hba.conf.

By default, the PostgreSQL socket is bound to localhost; for remote network connections, configure the server to listen on the real network interface.

PostgreSQL settings for all modes can look like this:

/var/lib/pgsql/13/data/postgresql.conf:

  ...
  ssl = on
  ssl_ca_file = 'root.crt'
  ssl_cert_file = 'server.crt'
  ssl_key_file = 'server.key'
  ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
  ssl_prefer_server_ciphers = on
  ssl_min_protocol_version = 'TLSv1.3'
  ...

For access control, adjust /var/lib/pgsql/13/data/pg_hba.conf:

  ...
  ### require
  hostssl all all 0.0.0.0/0 md5
  ### verify CA
  hostssl all all 0.0.0.0/0 md5 clientcert=verify-ca
  ### verify full
  hostssl all all 0.0.0.0/0 md5 clientcert=verify-full
  ...
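As an added check that is not part of the Zabbix documentation, the following script parses the two files above and flags settings that still admit unencrypted sessions: ssl not enabled, a TLS floor below 1.2, or pg_hba.conf rules of type host or hostnossl, which (unlike hostssl) do not force TLS. The file contents embedded in it are constructed samples modelled on the snippets on this page.

```python
import re

# Constructed sample inputs modelled on the snippets above (not real files).
POSTGRESQL_CONF = """
ssl = on
ssl_ca_file = 'root.crt'
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
ssl_min_protocol_version = 'TLSv1.3'
"""

PG_HBA_CONF = """
# TYPE   DATABASE  USER     ADDRESS          METHOD
local    all       all                       peer
host     zabbix    zbx_srv  10.211.55.0/24   md5
hostssl  all       all      0.0.0.0/0        md5 clientcert=verify-full
"""

def parse_conf(text):
    """Return key -> value for 'key = value' lines, comments and quotes stripped."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^(\w+)\s*=\s*'?([^']*)'?$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def audit_postgresql_conf(text):
    """Findings for server-side settings that weaken or disable TLS."""
    findings = []
    s = parse_conf(text)
    if s.get("ssl") != "on":
        findings.append("ssl is not on")
    # PostgreSQL 12+ defaults to TLSv1.2 when the setting is absent.
    if s.get("ssl_min_protocol_version", "TLSv1.2") not in ("TLSv1.2", "TLSv1.3"):
        findings.append("ssl_min_protocol_version permits TLS older than 1.2")
    return findings

def audit_pg_hba(text):
    """Findings for rules that let network clients connect without TLS.

    'host' matches both TLS and plaintext sessions; 'hostnossl' is plaintext
    only. Only 'hostssl' guarantees the transport is encrypted.
    """
    findings = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] in ("host", "hostnossl"):
            findings.append("plaintext permitted: " + " ".join(fields))
    return findings
```

Run it against the real files by reading them in place of the embedded samples; an empty result from both functions means every network rule forces TLS at the server side.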

Required mode

Frontend

To enable transport-only encryption for connections between Zabbix frontend and the database:

  • Check Database TLS encryption

  • Leave Verify database certificate unchecked

[Figure 1]

Server

To enable transport-only encryption for connections between server and the database, configure /etc/zabbix/zabbix_server.conf:

  ...
  DBHost=10.211.55.9
  DBName=zabbix
  DBUser=zbx_srv
  DBPassword=<strong_password>
  DBTLSConnect=required
  ...

Verify CA mode

Frontend

To enable encryption with certificate authority verification for connections between Zabbix frontend and the database:

  • Check Database TLS encryption and Verify database certificate

  • Specify path to Database TLS key file

  • Specify path to Database TLS CA file

  • Specify path to Database TLS certificate file

[Figure 2]

Alternatively, this can be set in /etc/zabbix/web/zabbix.conf.php:

  ...
  $DB['ENCRYPTION'] = true;
  $DB['KEY_FILE'] = '';
  $DB['CERT_FILE'] = '';
  $DB['CA_FILE'] = '/etc/ssl/pgsql/root.crt';
  $DB['VERIFY_HOST'] = false;
  $DB['CIPHER_LIST'] = '';
  ...

Server

To enable encryption with certificate verification for connections between Zabbix server and the database, configure /etc/zabbix/zabbix_server.conf:

  ...
  DBHost=10.211.55.9
  DBName=zabbix
  DBUser=zbx_srv
  DBPassword=<strong_password>
  DBTLSConnect=verify_ca
  DBTLSCAFile=/etc/ssl/pgsql/root.crt
  ...

Verify full mode

Frontend

To enable encryption with certificate and database host identity verification for connections between Zabbix frontend and the database:

  • Check Database TLS encryption and Verify database certificate

  • Specify path to Database TLS key file

  • Specify path to Database TLS CA file

  • Specify path to Database TLS certificate file

  • Check Database host verification

[Figure 3]

Alternatively, this can be set in /etc/zabbix/web/zabbix.conf.php:

  $DB['ENCRYPTION'] = true;
  $DB['KEY_FILE'] = '';
  $DB['CERT_FILE'] = '';
  $DB['CA_FILE'] = '/etc/ssl/pgsql/root.crt';
  $DB['VERIFY_HOST'] = true;
  $DB['CIPHER_LIST'] = '';
  ...

Server

To enable encryption with certificate and database host identity verification for connections between Zabbix server and the database, configure /etc/zabbix/zabbix_server.conf:

  ...
  DBHost=10.211.55.9
  DBName=zabbix
  DBUser=zbx_srv
  DBPassword=<strong_password>
  DBTLSConnect=verify_full
  DBTLSCAFile=/etc/ssl/pgsql/root.crt
  DBTLSCertFile=/etc/ssl/pgsql/client.crt
  DBTLSKeyFile=/etc/ssl/pgsql/client.key
  ...