Livestatus has been a plain text protocol since it's invention. This is
normally OK for system local connections via unix socket or TCP connections
in secure networks.
Users always had the choice to secure the communication using TLS (e.g.
via stunnel), SSH, VPN or some other solution that encrypts the
communication in their local setup.
To improve the security for all users of Check_MK, we have now changed
the Livestatus TCP communication to be encrypted by default using TLS.
This is realized using an internal CA and internally generated
certificates by default.
Existing sites that already have Livestatus via TCP enabled before
updating to 1.6 still use the unencrypted communication for
compatibility. An analyze configuration" test will create a CRITICAL
message about the unencrypted Livestatus TCP configuration in this
If you want to encrypt the Livestatus communication between two sites,
you first have to update both sites to use Check_MK 1.6. Then you will
have to enable the 'omd config' option LIVESTATUS_TCP_TLS. After that
go to the 'Distributed Monitoring' configuration page on the central
site and enable "Encryption" for the remote site connection. If you use
the internal site certificate, you will now have open the
"Livestatus encryption" detail page of the site which should show you
that the certificate of the remote site is not trusted by the central
site. Klick on the "Add to trusted CAs" icon button in the certificate
chain list to establish the tust with the remote site. Once this is
done your livestatus connection should be encrypted and working fine.
- For new sites Livestatus via TCP is encrypted by default. Existing sites
which already have Livestatus via TCP enabled during the update keep the
communication unencrypted for compatibility reasons. This is managed using
the new 'omd config' option LIVESTATUS_TCP_TLS. This setting can also
be managed through the "Global Settings > Site Management".
- During update or site creation a site local CA certificate is created
to manage the sites local certificates.
- The site local certificate is created automatically during update or
- The CA certificate is always located at 'etc/ssl/ca.pem'.
- The site certificate is located at 'etc/ssl/sites/[site].pem'
- Both files are in PEM format and need to have the private key and
certificate stored in a single file.
- The keys are 2048 bit RSA keys and the certificates are signed using
- These certificates are valid for 999 years.
- The site PEM file should contain the certificates of the whole
- In case you want to use other site certificates, you are free to
replace the site PEM file with your own. Please note that you will
have to restart the stunnel process of the site to apply the change.
- stunnel is introduced as site internal daemon that serves the TLS
wrapped socket once it has been enabled through 'omd config'.
- The livestatus_status check is now checking for the livestatus
certificate expiration time.
To the list of all Werks