Broker configuration

An additional broker output for Centreon central (centreon-broker-master) has been created during the installation. You can check it in your central Centreon web interface Centreon > Configuration > Pollers > Broker Configuration in the Main menu > Centreon-broker-master.

The output configuration should look like this:

../_images/output_broker1.png

Setup TLS connection between broker and map server

The socket connection between broker and map server can be secured by using TLS protocol.

Broker side configuration :

You could enable TLS output and set up broker’s private key and public certificate as described in broker TLS output

../_images/output_broker_tls.png

Note

“Trusted CA’s certificate” field is optional. If you activate broker’s client authentication by setting this “ca_certificate.crt”, then you must setup a keystore for map server

Note

You MUST push the new broker configuration and restart the broker after configuration.

Map server side configuration :

First of all, set the following parameter in map server configuration at “/etc/centreon-studio/studio-config.properties“ to enable TLS socket connection with broker :

broker.tls=true

1. Auto signed broker certificate

If the broker public certificate is auto signed, you must create a trust store containing given certificate or its CA certificate with the following command line:

# keytool -import -alias centreon-broker -file broker_public.crt -keystore truststore.jks

  • “broker_public.crt” is broker public certificate or its CA certificate in PEM format.

  • “truststore.jks” is the generated trust store in JKS format.

  • a store password is required during generation

Then, put the generated output file “truststore.jks” into “/etc/centreon-studio“ of map server host.

and add JVM options to tomcat’s configuration file - “/etc/tomcat/tomcat.conf“ :

JAVA_OPTS="-Djavax.net.ssl.trustStore=/etc/centreon-studio/truststore.jks -Djavax.net.ssl.trustStorePassword=xxx"

Note

Replace the trustStorePassword value “xxx” with the password you used when generate the trust store

Finally, restart Tomcat :

# sudo systemctl restart tomcat

2. Recognized CA signed broker certificate

If the broker public certificate is signed with a recognized CA, the JVM default trust store “cacerts (/etc/pki/java/cacerts)” will be used. Nothing to configure for Tomcat