19. 10. 2021 Alessandro Valentini NetEye

TLS Certificate Authorities on Satellites

Since the introduction of Satellites in NetEye 4.19 one of the most frequently asked questions has been how CAs and Certificates work on Satellites. In this short blog post I’ll try to answer this question.


First of all a bit of introduction about Satellites. A Satellite is a NetEye machine connected to a Master, which performs several tasks related to distributed monitoring. At the moment of this blog post (NetEye 4.20) the two most relevant features of Satellites are the NATS instance configured as a NATS leaf, and an Icinga 2 instance configured as an Icinga 2 satellite. The former allows data to be sent from the Satellite zone to the Master (for example, metrics collected via Telegraf agents) from hosts which are unable to directly contact the Master, while the latter allows the Master to delegate check execution to the Satellite for specific hosts.


All communications between Master and Satellites are secured via TLS and therefore certificates are required. On a satellite we have three different CAs installed by default:

  • usr/share/pki/ca-trust-source/anchors/master-root-ca.crt which is the certificate authority of the Master
  • neteye/local/icinga2/data/lib/icinga2/certs/ca.crt which is the Icinga 2 CA of the master
  • /usr/share/pki/ca-trust-source/anchors/root-ca.crt which is the certificate generated directly on the Satellites. This CA can also be found under /root/security/ca/root-ca.crt

Let’s see how they are used!

NATS communications between Master and Satellites are secured using certificates generated on the Master, where the related certificate authority is master-root-ca.crt. The master’s CA key is not present on Satellites for security reasons: if a Satellite were to be compromised, an attacker could not then generate valid certificates for the Master.

Unlike other services in NetEye, Icinga 2 uses its own CA. Since the certificates to authenticate icinga2-satellite to icinga2-master are generated on the Master side, we need to also copy this CA to the Satellite.

root-ca.crt is the CA used to validate all certificates generated on the Satellites’ side: for example the Telegraf local instance authenticates to the Satellite’s NATS using a certificate related to this CA. If you check the Satellite NATS configuration, you will find server and client certificates valid for this CA used to secure Host-to-Satellite communications.

As a general rule of thumb, the Satellite user should not care about master-root-ca.crt, ca.crt and the related certificates, since they are generated on the Master side and are automatically handled by the neteye satellite setup command. Instead, if you need to connect an external agent to NATS for example, you should generate certificates using root-ca.crt and the related key.

Alessandro Valentini

Alessandro Valentini

DevOps Engineer at Wuerth Phoenix
DevOps Engineer at Würth Phoenix

Author

Alessandro Valentini

DevOps Engineer at Würth Phoenix

Latest posts by Alessandro Valentini

01. 12. 2023 Development, DevOps
How to Install Matomo on OpenShift
28. 11. 2023 DevOps
My OpenShift Journey #7: Enabling Persistent Monitoring
10. 08. 2023 Bug Fixes, NetEye
Bug Fixes for NetEye 4.31 and 4.30
18. 07. 2023 DevOps
My OpenShift Journey #6: Pipelining Part II
17. 07. 2023 DevOps
My OpenShift Journey #6: Pipelining Part I
See All

Related Content

Tags: , , ,

16. 01. 2024 NetEye, Unified Monitoring

Icinga 2 DSL for Defining the Monitoring Status of Objects with Director

Today I want to present an Icinga 2-based monitoring use case where concepts of the powerful Icinga 2 DSL functional language come into play. The use case is based on mapping the status of a Host/Service Object via passive check Read More
12. 09. 2023 DevOps

How to Convert and Add a .pfx cert to Pulp 3 Operator

On our OpenShift cluster we use pulp3 as the repository manager. One recent task we had to do was to add a certificate before we could expose the repository over TLS. Our IT department provided us with the certificate in Read More
28. 12. 2022 NetEye

Monitoring Automation in Director

Director is one of the most important modules in NetEye 4 because it's used for managing, automating and deploying the configurations of all monitored objects. In all our projects we use automation in Director: through the Import and Synchronization rules Read More
21. 10. 2022 Icinga Web 2, ITOA, NetEye

A Custom Dashboard for Windows and Linux Servers

The performance graphs present in NetEye are very useful for getting an immediate idea of the trend related to a service check, but they're still limited to the metric being viewed. Also, the "Show all graphs" option available from the Read More
22. 03. 2022 ITOA, NetEye, Unified Monitoring

Monitoring Fortigate Firewall SLA Trackers

Recently a customer told me he would like to monitor and graph the values that his Fortigate Firewall was generating for his configured SLA Trackers. What are these SLA Trackers? I informed myself and found the following in a Fortigate Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

Search by technology

Contact

Contact us
Serviceportal

Archive