From d21de84141dfbcb461e4836d480510f1776d1a33 Mon Sep 17 00:00:00 2001 From: smau Date: Fri, 27 Mar 2026 15:57:42 +0100 Subject: [PATCH 1/8] Add Secure your MBI platform topic --- .../reporting/secure-your-mbi-platform.md | 561 ++++++++++++++++++ .../version-25.10-sidebars.json | 4 + 2 files changed, 565 insertions(+) create mode 100644 versioned_docs/version-25.10/reporting/secure-your-mbi-platform.md diff --git a/versioned_docs/version-25.10/reporting/secure-your-mbi-platform.md b/versioned_docs/version-25.10/reporting/secure-your-mbi-platform.md new file mode 100644 index 000000000000..ec37ee17a2ab --- /dev/null +++ b/versioned_docs/version-25.10/reporting/secure-your-mbi-platform.md 
@@ -0,0 +1,561 @@ +--- +id: secure-your-mbi-platform +title: Secure your MBI platform +--- +import Tabs from '@theme/Tabs'; +import TabItem from '@theme/TabItem'; + +This chapter describes advanced procedures to secure your Centreon MBI platform. + +> If you want to use MBI with a secured database connection, we recommend that you also secure your Centreon platform. Follow this [procedure](../administration/secure-platform.md#secure-the-web-server-with-https) if needed. + +> Mistakes when editing configuration files can lead to malfunctions of the software. We recommend that you make a backup of the file before editing it and that you only change the settings advised by Centreon. + +## Configure TLS on a MySQL or MariaDB database + +This section describes how to enable SSL between Centreon MBI and a MySQL or MariaDB server using certificate authority verification (VERIFY\_CA / verify-ca mode). + +> **Note:** This procedure covers the VERIFY\_CA mode only. In this mode, the server certificate is validated against a trusted Certificate Authority, but the hostname/IP address is not verified. For other SSL verification modes, see the [SSL Mode reference](#ssl-mode-reference) section. + +Select the tab corresponding to the database you want to use. + + + + +### Step 1 - Generate keys and certificates + +> If you have already generated certificates (e.g., when configuring Centreon MAP), you can skip this section and reuse the existing CA certificate. + +**1. Create a directory** (`/etc/mysql/newcerts` in this example) to store your certificate files: + +```shell +mkdir -p /etc/mysql/newcerts +cd /etc/mysql/newcerts +``` + +**2. Generate the Certificate Authority (CA).** The CA is used to sign both the server and client certificates, establishing a chain of trust. + +```shell +# Generate the CA private key +openssl genrsa 2048 > ca-key.pem +# Generate the CA self-signed certificate +openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem +``` + +**3. 
Generate the server certificate.** The server certificate is presented by MariaDB to clients during the SSL handshake. + +```shell +# Generate the server private key and CSR (Certificate Signing Request) +openssl req -newkey rsa:2048 -days 365000 -nodes -keyout server-key.pem -out server-req.pem + +# Convert the server key to RSA format (required by MariaDB) +openssl rsa -in server-key.pem -out server-key.pem + +# Sign the server certificate with the CA +openssl x509 -req -in server-req.pem -days 365000 \ + -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 \ + -out server-cert.pem +``` + +**4. Generate the client certificate (optional — mTLS only).** The client certificate is used by the application to authenticate itself to MariaDB. Skip this section if you only need `REQUIRE SSL`. + +```shell +# Generate the client private key and CSR +openssl req -newkey rsa:2048 -days 365000 -nodes -keyout client-key.pem -out client-req.pem + +# Convert the client key to RSA format +openssl rsa -in client-key.pem -out client-key.pem + +# Sign the client certificate with the CA +openssl x509 -req -in client-req.pem -days 365000 \ + -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 \ + -out client-cert.pem +``` + +**5. Verify the certificates.** Ensure both certificates are correctly signed by the CA before proceeding. + +```shell +openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem +# Expected output: +# server-cert.pem: OK +# client-cert.pem: OK +``` + +**6. Set the file ownership.** + +```shell +chown -Rv mysql:mysql /etc/mysql/newcerts/*.pem +chmod 600 /etc/mysql/newcerts/server-key.pem /etc/mysql/newcerts/client-key.pem +chmod 644 /etc/mysql/newcerts/ca-cert.pem /etc/mysql/newcerts/server-cert.pem /etc/mysql/newcerts/client-cert.pem +``` + +### Step 2 - Configure the MariaDB server + +**1. 
Add the following block** to your MariaDB server configuration file (typically `/etc/mysql/mariadb.conf.d/50-server.cnf`): + +```ini +[mariadb] +ssl-ca=/etc/mysql/newcerts/ca-cert.pem +ssl-cert=/etc/mysql/newcerts/server-cert.pem +ssl-key=/etc/mysql/newcerts/server-key.pem +# Restrict to secure TLS versions only +tls_version=TLSv1.2,TLSv1.3 +``` + +**2. Restart MariaDB.** + +```shell +systemctl restart mariadb +``` + +**3. Verify SSL is active.** + +```sql +SHOW VARIABLES LIKE '%ssl%'; +-- have_ssl should be YES +-- ssl_ca, ssl_cert, ssl_key should point to your certificate files +``` + +### Step 3 - Configure the MariaDB user + +Centreon MBI uses the `centreonbi` user. + +**1. Require SSL for the user.** + +```sql +-- SSL only (no client certificate required) +ALTER USER 'centreonbi'@'' REQUIRE SSL; + +-- Or mutual TLS (client certificate required) +-- ALTER USER 'centreonbi'@'' REQUIRE X509; + +-- Verify: ssl_type should now show ANY (for SSL) or X509 (for mTLS) +SELECT user, host, ssl_type FROM mysql.user WHERE user='centreonbi'; +``` + +**2. Grant privileges.** + +```sql +GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, + CREATE TEMPORARY TABLES, LOCK TABLES + ON `centreon`.* + TO `centreonbi`@``; + +GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, + CREATE TEMPORARY TABLES, LOCK TABLES + ON `centreon_storage`.* + TO `centreonbi`@``; + +GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, + CREATE TEMPORARY TABLES, LOCK TABLES + ON `centreon_mbi`.* + TO `centreonbi`@``; + +GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, + CREATE TEMPORARY TABLES, LOCK TABLES + ON `centreon_storage_mbi`.* + TO `centreonbi`@``; +``` + +### Step 4 - Configure JDBC (Centreon MBI / BIRT) + +Unlike MySQL Connector/J, **MariaDB Connector/J 3.x supports PEM files natively** via the `serverSslCert` parameter directly in the JDBC URL. No Java KeyStore conversion is needed for simple SSL mode. 
+ +A PKCS12 keystore is only needed for mTLS (client certificate authentication): + +| File | Contains | Purpose | Required | +|------|----------|---------|----------| +| `ca-cert.pem` | CA certificate | Lets the driver verify the MariaDB server's identity | ✓ Always | +| `keystore.p12` | Client cert + private key | Lets MariaDB verify the application's identity | Only if `REQUIRE X509` | + +> **Note: mTLS is optional.** It is only needed if the MariaDB user was created with `REQUIRE X509`. If the user was created with `REQUIRE SSL`, only `serverSslCert` pointing to the CA is needed. + +**Step 4.1 — (Optional) Create the PKCS12 KeyStore for mTLS.** + +Skip this step if `centreonbi` was created with `REQUIRE SSL`. + +```shell +openssl pkcs12 -export \ + -in /etc/mysql/newcerts/client-cert.pem \ + -inkey /etc/mysql/newcerts/client-key.pem \ + -out /etc/mysql/newcerts/keystore.p12 \ + -name mbiClient \ + -passout pass:changeit +``` + +**Step 4.2 — Set file permissions.** + +```shell +chown centreon-bi: /etc/mysql/newcerts/ca-cert.pem +chown centreon-bi: /etc/mysql/newcerts/keystore.p12 # only if mTLS +chmod 640 /etc/mysql/newcerts/ca-cert.pem +chmod 640 /etc/mysql/newcerts/keystore.p12 # only if mTLS +``` + +**Step 4.3 — Update the BIRT XML profile files.** + +> **Important — XML encoding:** In XML attribute values, the `&` separator between URL parameters must be written as `&`. Failing to do so will cause an XML parse error and prevent MBI from starting. + +Two files must be updated, each containing two profiles. 
+ +**/etc/cbis-conf/cbis-profile.xml** + +Profile **Centreon** (`centreon` database): + +```xml + + +``` + +Profile **Censtorage** (`centreon_storage` database): + +```xml + +``` + +**/etc/cbis-conf/reports-profile.xml** + +Profile **Centreon** (`centreon_mbi` database): + +```xml + +``` + +Profile **Censtorage** (`centreon_storage_mbi` database): + +```xml + +``` + +**Optional — mTLS (REQUIRE X509):** add KeyStore parameters to each URL: + +```xml + +``` + +Apply the same pattern to the three other profiles. + +### Step 5 - Restart Centreon MBI + +```shell +systemctl restart cbis +``` + +### Step 6 - Check Certificate Expiry + +**CA certificate:** + +```shell +openssl x509 -in /etc/mysql/newcerts/ca-cert.pem -noout -dates +# notBefore=... +# notAfter=... +``` + +**Server certificate:** + +```shell +openssl x509 -in /etc/mysql/newcerts/server-cert.pem -noout -dates +``` + +**PKCS12 KeyStore (mTLS only):** + +```shell +keytool -list -v -keystore /etc/mysql/newcerts/keystore.p12 -storepass changeit +# Look for: Valid from ... until ... +``` + + + + +### Step 1 - Generate keys and certificates + +> If you have already generated certificates (e.g., when configuring Centreon MAP), you can skip this section and reuse the existing CA certificate. + +**1. Create a directory** (`/etc/mysql/newcerts` in this example) to store your certificate files: + +```shell +mkdir -p /etc/mysql/newcerts +cd /etc/mysql/newcerts +``` + +**2. Generate the Certificate Authority (CA).** The CA is used to sign both the server and client certificates, establishing a chain of trust. + +```shell +# Generate the CA private key +openssl genrsa 2048 > ca-key.pem +# Generate the CA self-signed certificate +openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem +``` + +**3. Generate the server certificate.** The server certificate is presented by MySQL to clients during the SSL handshake. 
+ +```shell +# Generate the server private key and CSR (Certificate Signing Request) +openssl req -newkey rsa:2048 -days 365000 -nodes -keyout server-key.pem -out server-req.pem + +# Convert the server key to RSA format (required by MySQL) +openssl rsa -in server-key.pem -out server-key.pem + +# Sign the server certificate with the CA +openssl x509 -req -in server-req.pem -days 365000 \ + -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 \ + -out server-cert.pem +``` + +**4. Generate the client certificate (optional — mTLS only).** Skip this section if you only need `REQUIRE SSL`. + +```shell +# Generate the client private key and CSR +openssl req -newkey rsa:2048 -days 365000 -nodes -keyout client-key.pem -out client-req.pem + +# Convert the client key to RSA format +openssl rsa -in client-key.pem -out client-key.pem + +# Sign the client certificate with the CA +openssl x509 -req -in client-req.pem -days 365000 \ + -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 \ + -out client-cert.pem +``` + +**5. Verify the certificates.** + +```shell +openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem +# Expected output: +# server-cert.pem: OK +# client-cert.pem: OK +``` + +**6. Set the file ownership.** + +```shell +chown -Rv mysql:mysql /etc/mysql/newcerts/*.pem +chmod 600 /etc/mysql/newcerts/server-key.pem /etc/mysql/newcerts/client-key.pem +chmod 644 /etc/mysql/newcerts/ca-cert.pem /etc/mysql/newcerts/server-cert.pem /etc/mysql/newcerts/client-cert.pem +``` + +### Step 2 - Configure the MySQL server + +> If the server is already configured for SSL (e.g., for Centreon MAP), skip this section. + +**1. 
Edit the MySQL server configuration.** Add the following block to your MySQL server configuration file (typically `/etc/mysql/mysql.conf.d/mysqld.cnf`): + +```ini +[mysqld] +ssl-ca=/etc/mysql/newcerts/ca-cert.pem +ssl-cert=/etc/mysql/newcerts/server-cert.pem +ssl-key=/etc/mysql/newcerts/server-key.pem +# Restrict to secure TLS versions only +tls_version=TLSv1.2,TLSv1.3 +``` + +**2. Restart MySQL.** + +```shell +systemctl restart mysqld +``` + +**3. Verify SSL is active.** + +```sql +SHOW VARIABLES LIKE '%ssl%'; +-- have_ssl should be YES +-- ssl_ca, ssl_cert, ssl_key should point to your certificate files +``` + +### Step 3 - Configure the MySQL user + +Centreon MBI uses the `centreonbi` user. Apply SSL requirements to this user for each relevant host. + +**1. Require SSL for the user.** + +```sql +-- SSL only (no client certificate required) +ALTER USER 'centreonbi'@'' REQUIRE SSL; + +-- Or mutual TLS (client certificate required) +-- ALTER USER 'centreonbi'@'' REQUIRE X509; + +-- Verify: ssl_type should show ANY (for SSL) or X509 (for mTLS) +SELECT user, host, ssl_type FROM mysql.user WHERE user='centreonbi'; +``` + +**2. Grant privileges.** + +```sql +GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, + CREATE TEMPORARY TABLES, LOCK TABLES + ON `centreon`.* + TO `centreonbi`@``; + +GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, + CREATE TEMPORARY TABLES, LOCK TABLES + ON `centreon_storage`.* + TO `centreonbi`@``; + +GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, + CREATE TEMPORARY TABLES, LOCK TABLES + ON `centreon_mbi`.* + TO `centreonbi`@``; + +GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, + CREATE TEMPORARY TABLES, LOCK TABLES + ON `centreon_storage_mbi`.* + TO `centreonbi`@``; +``` + +### Step 4 - Configure JDBC (Centreon MBI / BIRT) + +Centreon MBI uses MySQL Connector/J (`com.mysql.cj.jdbc.Driver`), which does not support PEM files directly. 
Certificates must be stored in a Java KeyStore (JKS or PKCS12). + +| File | Contains | Purpose | Required | +|------|----------|---------|----------| +| `truststore.jks` | CA certificate | Lets Java verify the database server's identity | ✓ Always | +| `keystore.jks` | Client cert + private key | Lets the database verify the application's identity | Only if `REQUIRE X509` | + +> **Note: mTLS is optional.** It is only needed if the MySQL user was created with `REQUIRE X509`. If the user was created with `REQUIRE SSL`, only the TrustStore is required. + +**Step 4.1 — Create the TrustStore.** The TrustStore contains the CA certificate. Java uses it to validate that the MySQL server's certificate was signed by a trusted authority. + +```shell +keytool -importcert -alias mysqlServerCACert \ + -file /etc/mysql/newcerts/ca-cert.pem \ + -keystore /etc/mysql/newcerts/truststore.jks \ + -storepass changeit \ + -noprompt +``` + +**Step 4.2 — Create the KeyStore (optional — mTLS only).** Skip if the `centreonbi` user was created with `REQUIRE SSL`. + +Step 4.2a — Bundle the client cert and key into a PKCS12 file: + +```shell +openssl pkcs12 -export \ + -in /etc/mysql/newcerts/client-cert.pem \ + -inkey /etc/mysql/newcerts/client-key.pem \ + -out /etc/mysql/newcerts/client.p12 \ + -name mbiClient \ + -passout pass:changeit +``` + +Step 4.2b — Convert PKCS12 to JKS: + +```shell +keytool -importkeystore \ + -srckeystore /etc/mysql/newcerts/client.p12 -srcstoretype PKCS12 -srcstorepass changeit \ + -destkeystore /etc/mysql/newcerts/keystore.jks -deststoretype JKS -deststorepass changeit +``` + +**Step 4.3 — Set file permissions.** + +```shell +chown centreon-bi: /etc/mysql/newcerts/*.jks +chmod 640 /etc/mysql/newcerts/*.jks +``` + +**Step 4.4 — Update the BIRT XML profile files.** + +> **Important — XML encoding:** In XML attribute values, the `&` separator between URL parameters must be written as `&`. Failing to do so will cause an XML parse error and prevent MBI from starting. 
+ +Two files must be updated, each containing two profiles. + +**/etc/cbis-conf/cbis-profile.xml** + +Profile **Centreon** (`centreon` database): + +```xml + +``` + +Profile **Censtorage** (`centreon_storage` database): + +```xml + +``` + +**/etc/cbis-conf/reports-profile.xml** + +Profile **Centreon** (`centreon_mbi` database): + +```xml + +``` + +Profile **Censtorage** (`centreon_storage_mbi` database): + +```xml + +``` + +**Optional — mTLS (REQUIRE X509):** add KeyStore parameters to each URL: + +```xml + +``` + +Apply the same pattern to the three other profiles. + +### Step 5 - Restart Centreon MBI + +```shell +systemctl restart cbis +``` + +### Step 6 - Check Certificate Expiry + +**TrustStore (CA certificate):** + +```shell +keytool -list -v -keystore /etc/mysql/newcerts/truststore.jks -storepass changeit +# Look for: Valid from ... until ... +``` + +**KeyStore (client certificate, mTLS only):** + +```shell +keytool -list -v -keystore /etc/mysql/newcerts/keystore.jks -storepass changeit +# Look for: Valid from ... until ... +``` + +**CA certificate (PEM):** + +```shell +openssl x509 -in /etc/mysql/newcerts/ca-cert.pem -noout -dates +``` + + + + +### SSL Mode reference + + + + +The `verify-ca` mode is the recommended minimum for production. This table lists other available modes depending on your security requirements: + +| Mode | Server cert verified | Hostname/IP verified | Use case | +|------|---------------------|---------------------|----------| +| `disable` | No | No | Development only — no encryption | +| `trust` | No | No | Encrypts traffic but does not validate the server cert | +| `verify-ca` | Yes | No | Used in this procedure — validates the CA chain | +| `verify-full` | Yes | Yes | Strictest — also checks hostname/IP against the certificate SAN | + +> **Note:** If you want to use the `verify-full` mode, the server certificate must include a Subject Alternative Name (SAN) matching the exact IP or hostname used in the JDBC URL. 
The CN field alone is not sufficient for IP-based connections. + + + + +The `VERIFY_CA` mode is the recommended minimum for production. This table lists other available modes depending on your security requirements: + +| Mode | Server cert verified | Hostname/IP verified | Use case | +|------|---------------------|---------------------|----------| +| `DISABLED` | No | No | Development only — no encryption | +| `PREFERRED` | No | No | Uses SSL if available, fallback to plain | +| `REQUIRED` | No | No | Enforces SSL, but does not validate the server cert | +| `VERIFY_CA` | Yes | No | Used in this procedure — validates the CA chain | +| `VERIFY_IDENTITY` | Yes | Yes | Strictest — also checks hostname/IP against the certificate SAN | + +> **Note:** If you want to use the `VERIFY_IDENTITY` mode, the server certificate must include a Subject Alternative Name (SAN) matching the exact IP or hostname used in the JDBC URL. + + + diff --git a/versioned_sidebars/version-25.10-sidebars.json b/versioned_sidebars/version-25.10-sidebars.json index bb29b28b1e54..6856b8609013 100644 --- a/versioned_sidebars/version-25.10-sidebars.json +++ b/versioned_sidebars/version-25.10-sidebars.json @@ -225,6 +225,10 @@ { "type": "doc", "id": "graph-views/secure-your-map-platform" + }, + { + "type": "doc", + "id": "reporting/secure-your-mbi-platform" } ] }, From 5cb1868e9ab0230350e7291b746de6100a688deb Mon Sep 17 00:00:00 2001 From: smau Date: Tue, 31 Mar 2026 17:11:16 +0200 Subject: [PATCH 2/8] Document TLS on MBI (new topic Secure your MBI platform) --- .../graph-views/secure-your-map-platform.md | 2 +- .../reporting/secure-your-mbi-platform.md | 650 +++++++++--------- 2 files changed, 332 insertions(+), 320 deletions(-) diff --git a/versioned_docs/version-25.10/graph-views/secure-your-map-platform.md b/versioned_docs/version-25.10/graph-views/secure-your-map-platform.md index 704587fde7af..7a2e768a0bf2 100644 --- a/versioned_docs/version-25.10/graph-views/secure-your-map-platform.md 
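Review bot: Both `openssl x509 -req` signing commands in Step 1 (server and client, in both tabs) use `-set_serial 01`, so the two certificates issued by the same CA share a serial number; serials must be unique per issuer, and software that indexes certificates by issuer+serial (CRL handling, some trust stores) can reject or conflate them. Give the client certificate a distinct value, e.g. `-set_serial 02`, or let OpenSSL track serials with `-CAcreateserial`. The `-passout pass:changeit` / `-storepass changeit` examples also fix the keystore password to the well-known default, and the KeyStore parameters added to the JDBC URLs in the mTLS step presumably carry that same password; a sentence asking readers to choose their own value and to keep the profile files that embed it readable only by `centreon-bi` would help (the `chmod 640` in Step 4.2 covers the stores, not the XML profiles). Finally, the XML-encoding note reads "the `&` separator ... must be written as `&`" on this page, presumably an `&amp;` entity lost in rendering — worth confirming the source text shows `&amp;`.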
+++ b/versioned_docs/version-25.10/graph-views/secure-your-map-platform.md @@ -380,7 +380,7 @@ This section describes how to enable SSL on a MySQL/MariaDB server and configure chown -Rv mysql:root /etc/mysql/newcerts/* ``` -**2. Edit the MySQL server configuration.** Add the following block to your MySQL server configuration file (typically /etc/mysql/mysql.conf.d/mysqld.cnf): +**2. Edit the MySQL server configuration.** Add the following block to your MySQL server configuration file (typically `/etc/mysql/mysql.conf.d/mysqld.cnf`): ```shell [mysqld] diff --git a/versioned_docs/version-25.10/reporting/secure-your-mbi-platform.md b/versioned_docs/version-25.10/reporting/secure-your-mbi-platform.md index ec37ee17a2ab..a1a58e403013 100644 --- a/versioned_docs/version-25.10/reporting/secure-your-mbi-platform.md +++ b/versioned_docs/version-25.10/reporting/secure-your-mbi-platform.md @@ -9,7 +9,6 @@ This chapter describes advanced procedures to secure your Centreon MBI platform. > If you want to use MBI with a secured database connection, we recommend that you also secure your Centreon platform. Follow this [procedure](../administration/secure-platform.md#secure-the-web-server-with-https) if needed. -> Mistakes when editing configuration files can lead to malfunctions of the software. We recommend that you make a backup of the file before editing it and that you only change the settings advised by Centreon. ## Configure TLS on a MySQL or MariaDB database 
@@ -17,21 +16,87 @@ This section describes how to enable SSL between Centreon MBI and a MySQL or Mar > **Note:** This procedure covers the VERIFY\_CA mode only. In this mode, the server certificate is validated against a trusted Certificate Authority, but the hostname/IP address is not verified. For other SSL verification modes, see the [SSL Mode reference](#ssl-mode-reference) section. -Select the tab corresponding to the database you want to use. - - - +- Select the tab corresponding to the database you want to use. ### Step 1 - Generate keys and certificates > If you have already generated certificates (e.g., when configuring Centreon MAP), you can skip this section and reuse the existing CA certificate. + + + **1. Create a directory** (`/etc/mysql/newcerts` in this example) to store your certificate files: -```shell -mkdir -p /etc/mysql/newcerts -cd /etc/mysql/newcerts -``` + ```shell + mkdir -p /etc/mysql/newcerts + cd /etc/mysql/newcerts + ``` + +**2. Generate the Certificate Authority (CA).** The CA is used to sign both the server and client certificates, establishing a chain of trust. + + ```shell + # Generate the CA private key + openssl genrsa 2048 > ca-key.pem + # Generate the CA self-signed certificate + openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem + ``` + +**3. Generate the server certificate.** The server certificate is presented by MySQL to clients during the SSL handshake. + + ```shell + # Generate the server private key and CSR (Certificate Signing Request) + openssl req -newkey rsa:2048 -days 365000 -nodes -keyout server-key.pem -out server-req.pem + + # Convert the server key to RSA format (required by MariaDB) + openssl rsa -in server-key.pem -out server-key.pem + + # Sign the server certificate with the CA + openssl x509 -req -in server-req.pem -days 365000 \ + -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 \ + -out server-cert.pem + ``` + +**4. 
Generate the client certificate (optional — mTLS only).** The client certificate is used by the application to authenticate itself to MySQL. Skip this section if you only need `REQUIRE SSL`. + + ```shell + # Generate the client private key and CSR + openssl req -newkey rsa:2048 -days 365000 -nodes -keyout client-key.pem -out client-req.pem + + # Convert the client key to RSA format + openssl rsa -in client-key.pem -out client-key.pem + + # Sign the client certificate with the CA + openssl x509 -req -in client-req.pem -days 365000 \ + -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 \ + -out client-cert.pem + ``` + +**5. Verify the certificates.** Ensure both certificates are correctly signed by the CA before proceeding. + + ```shell + openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem + # Expected output: + # server-cert.pem: OK + # client-cert.pem: OK + ``` + +**6. Set the file ownership.** + + ```shell + chown -Rv mysql:mysql /etc/mysql/newcerts/*.pem + chmod 600 /etc/mysql/newcerts/server-key.pem /etc/mysql/newcerts/client-key.pem + chmod 644 /etc/mysql/newcerts/ca-cert.pem /etc/mysql/newcerts/server-cert.pem /etc/mysql/newcerts/client-cert.pem + ``` + + + + +**1. Create a directory** (`/etc/mariadb/newcerts` in this example) to store your certificate files: + + ```shell + mkdir -p /etc/mariadb/newcerts + cd /etc/mariadb/newcerts + ``` **2. Generate the Certificate Authority (CA).** The CA is used to sign both the server and client certificates, establishing a chain of trust. @@ -48,7 +113,7 @@ openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem # Generate the server private key and CSR (Certificate Signing Request) openssl req -newkey rsa:2048 -days 365000 -nodes -keyout server-key.pem -out server-req.pem -# Convert the server key to RSA format (required by MariaDB) +# Convert the server key to RSA format (required by MySQL) openssl rsa -in server-key.pem -out server-key.pem # Sign the server certificate with the CA 
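Review bot: The `# Convert the server key to RSA format` comments are swapped between the two tabs: the first tab (the one using `/etc/mysql/newcerts` and "presented by MySQL") now says `(required by MariaDB)`, while the next hunk (`@@ -48,7 +113,7 @@`) changes the `/etc/mariadb/newcerts` tab's copy to `(required by MySQL)`. Swap them back — `# Convert the server key to RSA format (required by MySQL)` in the first tab and `(required by MariaDB)` in the second — or drop the parenthetical in both, since the `openssl rsa` step is identical. The TabItem markup is stripped on this page, so the tab order is inferred from the directory names and the "presented by MySQL" sentence rather than from the labels.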
@@ -57,7 +122,7 @@ openssl x509 -req -in server-req.pem -days 365000 \ -out server-cert.pem ``` -**4. Generate the client certificate (optional — mTLS only).** The client certificate is used by the application to authenticate itself to MariaDB. Skip this section if you only need `REQUIRE SSL`. +**4. Generate the client certificate (optional — mTLS only).** Skip this section if you only need `REQUIRE SSL`. ```shell # Generate the client private key and CSR @@ -72,7 +137,7 @@ openssl x509 -req -in client-req.pem -days 365000 \ -out client-cert.pem ``` -**5. Verify the certificates.** Ensure both certificates are correctly signed by the CA before proceeding. +**5. Verify the certificates.** ```shell openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem 
@@ -84,376 +149,292 @@ openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem **6. Set the file ownership.** ```shell -chown -Rv mysql:mysql /etc/mysql/newcerts/*.pem -chmod 600 /etc/mysql/newcerts/server-key.pem /etc/mysql/newcerts/client-key.pem -chmod 644 /etc/mysql/newcerts/ca-cert.pem /etc/mysql/newcerts/server-cert.pem /etc/mysql/newcerts/client-cert.pem -``` - -### Step 2 - Configure the MariaDB server - -**1. Add the following block** to your MariaDB server configuration file (typically `/etc/mysql/mariadb.conf.d/50-server.cnf`): - -```ini -[mariadb] -ssl-ca=/etc/mysql/newcerts/ca-cert.pem -ssl-cert=/etc/mysql/newcerts/server-cert.pem -ssl-key=/etc/mysql/newcerts/server-key.pem -# Restrict to secure TLS versions only -tls_version=TLSv1.2,TLSv1.3 -``` - -**2. Restart MariaDB.** - -```shell -systemctl restart mariadb -``` - -**3. Verify SSL is active.** - -```sql -SHOW VARIABLES LIKE '%ssl%'; --- have_ssl should be YES --- ssl_ca, ssl_cert, ssl_key should point to your certificate files +chown -Rv mariadb:mariadb /etc/mariadb/newcerts/*.pem +chmod 600 /etc/mariadb/newcerts/server-key.pem /etc/mariadb/newcerts/client-key.pem +chmod 644 /etc/mariadb/newcerts/ca-cert.pem /etc/mariadb/newcerts/server-cert.pem /etc/mariadb/newcerts/client-cert.pem ``` -### Step 3 - Configure the MariaDB user + + -Centreon MBI uses the `centreonbi` user. +### Step 2 - Configure the MySQL/MariaDB server -**1. Require SSL for the user.** + + -```sql --- SSL only (no client certificate required) -ALTER USER 'centreonbi'@'' REQUIRE SSL; +> If the server is already configured for SSL (e.g., for Centreon MAP), skip this section. --- Or mutual TLS (client certificate required) --- ALTER USER 'centreonbi'@'' REQUIRE X509; +> Ensure you are using the directory you previously created (`/etc/mysql/newcerts` in this example). --- Verify: ssl_type should now show ANY (for SSL) or X509 (for mTLS) -SELECT user, host, ssl_type FROM mysql.user WHERE user='centreonbi'; -``` +**1. 
Edit the MySQL server configuration.** Add the following block to your MySQL server configuration file (typically `/etc/mysql/mysql.conf.d/mysqld.cnf`): -**2. Grant privileges.** + ```shell + [mysqld] + ssl-ca=/etc/mysql/newcerts/ca-cert.pem + ssl-cert=/etc/mysql/newcerts/server-cert.pem + ssl-key=/etc/mysql/newcerts/server-key.pem + # Restrict to secure TLS versions only + tls_version=TLSv1.2,TLSv1.3 + ``` -```sql -GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, - CREATE TEMPORARY TABLES, LOCK TABLES - ON `centreon`.* - TO `centreonbi`@``; - -GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, - CREATE TEMPORARY TABLES, LOCK TABLES - ON `centreon_storage`.* - TO `centreonbi`@``; - -GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, - CREATE TEMPORARY TABLES, LOCK TABLES - ON `centreon_mbi`.* - TO `centreonbi`@``; - -GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, - CREATE TEMPORARY TABLES, LOCK TABLES - ON `centreon_storage_mbi`.* - TO `centreonbi`@``; -``` +**3. Verify SSL is active.** -### Step 4 - Configure JDBC (Centreon MBI / BIRT) + ```sql + SHOW VARIABLES LIKE '%ssl%'; + -- have_ssl should be YES + -- ssl_ca, ssl_cert, ssl_key should point to your certificate files + ``` -Unlike MySQL Connector/J, **MariaDB Connector/J 3.x supports PEM files natively** via the `serverSslCert` parameter directly in the JDBC URL. No Java KeyStore conversion is needed for simple SSL mode. + + -A PKCS12 keystore is only needed for mTLS (client certificate authentication): +> If the server is already configured for SSL (e.g., for Centreon MAP), skip this section. 
-| File | Contains | Purpose | Required | -|------|----------|---------|----------| -| `ca-cert.pem` | CA certificate | Lets the driver verify the MariaDB server's identity | ✓ Always | -| `keystore.p12` | Client cert + private key | Lets MariaDB verify the application's identity | Only if `REQUIRE X509` | +> Ensure you are using the directory you previously created (`/etc/mariadb/newcerts` in this example). -> **Note: mTLS is optional.** It is only needed if the MariaDB user was created with `REQUIRE X509`. If the user was created with `REQUIRE SSL`, only `serverSslCert` pointing to the CA is needed. +**1. Edit the MariaDB server configuration.** Add the following block to your MariaDB server configuration file (typically `etc/mariadb/mariadb.conf.d/50-server.cnf`): -**Step 4.1 — (Optional) Create the PKCS12 KeyStore for mTLS.** + ```shell + [mariadb] + ssl-ca = /etc/mariadb/newcerts/ca-cert.pem + ssl-cert = /etc/mariadb/newcerts/server-cert.pem + ssl-key = /etc/mariadb/newcerts/server-key.pem + + # Restrict to secure TLS versions only + tls_version = TLSv1.2,TLSv1.3 -Skip this step if `centreonbi` was created with `REQUIRE SSL`. + # Restart MariaDB + systemctl restart mariadb + ``` -```shell -openssl pkcs12 -export \ - -in /etc/mysql/newcerts/client-cert.pem \ - -inkey /etc/mysql/newcerts/client-key.pem \ - -out /etc/mysql/newcerts/keystore.p12 \ - -name mbiClient \ - -passout pass:changeit -``` - -**Step 4.2 — Set file permissions.** +**3. 
Verify SSL is active.** ```shell -chown centreon-bi: /etc/mysql/newcerts/ca-cert.pem -chown centreon-bi: /etc/mysql/newcerts/keystore.p12 # only if mTLS -chmod 640 /etc/mysql/newcerts/ca-cert.pem -chmod 640 /etc/mysql/newcerts/keystore.p12 # only if mTLS +SHOW VARIABLES LIKE '%ssl%'; +-- have_ssl should be YES +-- ssl_ca, ssl_cert, ssl_key should point to your certificate files ``` -**Step 4.3 — Update the BIRT XML profile files.** - -> **Important — XML encoding:** In XML attribute values, the `&` separator between URL parameters must be written as `&`. Failing to do so will cause an XML parse error and prevent MBI from starting. - -Two files must be updated, each containing two profiles. - -**/etc/cbis-conf/cbis-profile.xml** - -Profile **Centreon** (`centreon` database): - -```xml - - -``` + + -Profile **Censtorage** (`centreon_storage` database): +### Step 3 - Configure the MySQL/MariaDB user -```xml - -``` + + -**/etc/cbis-conf/reports-profile.xml** +Centreon MBI uses the `centreonbi` user. Apply SSL requirements to this user for each relevant host. -Profile **Centreon** (`centreon_mbi` database): +**1. Require SSL for the user.** -```xml - -``` + ```sql + -- SSL only (no client certificate required) + ALTER USER 'centreonbi'@'' REQUIRE SSL; -Profile **Censtorage** (`centreon_storage_mbi` database): + -- Or mutual TLS (client certificate required) + -- ALTER USER 'centreonbi'@'' REQUIRE X509; -```xml - -``` + -- Verify: ssl_type should now show ANY (for SSL) or X509 (for mTLS) + SELECT user, host, ssl_type FROM mysql.user WHERE user='centreonbi'; + ``` -**Optional — mTLS (REQUIRE X509):** add KeyStore parameters to each URL: +**2. Grant privileges.** -```xml - -``` + ```sql + GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, + CREATE TEMPORARY TABLES, LOCK TABLES + ON `centreon`.* + TO `centreonbi`@``; -Apply the same pattern to the three other profiles. 
+ GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, + CREATE TEMPORARY TABLES, LOCK TABLES + ON `centreon_storage`.* + TO `centreonbi`@``; -### Step 5 - Restart Centreon MBI + GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, + CREATE TEMPORARY TABLES, LOCK TABLES + ON `centreon_mbi`.* + TO `centreonbi`@``; -```shell -systemctl restart cbis -``` - -### Step 6 - Check Certificate Expiry + GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, + CREATE TEMPORARY TABLES, LOCK TABLES + ON `centreon_storage_mbi`.* + TO `centreonbi`@``; + ``` -**CA certificate:** + + -```shell -openssl x509 -in /etc/mysql/newcerts/ca-cert.pem -noout -dates -# notBefore=... -# notAfter=... -``` +Centreon MBI uses the `centreonbi` user. Apply SSL requirements to this user for each relevant host. -**Server certificate:** +**1. Require SSL for the user.** -```shell -openssl x509 -in /etc/mysql/newcerts/server-cert.pem -noout -dates -``` + ```shell + -- SSL only (no client certificate required) + ALTER USER 'centreonbi'@'' REQUIRE SSL; + -- Or mutual TLS (client certificate required) + -- ALTER USER 'centreonbi'@'' REQUIRE X509; + -- Verify: ssl_type should show ANY (for SSL) or X509 (for mTLS) + SELECT user, host, ssl_type FROM mysql.user WHERE user='centreonbi'; + ``` -**PKCS12 KeyStore (mTLS only):** +**2. Grant privileges.** -```shell -keytool -list -v -keystore /etc/mysql/newcerts/keystore.p12 -storepass changeit -# Look for: Valid from ... until ... 
-``` + ```shell + GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, + CREATE TEMPORARY TABLES, LOCK TABLES + ON `centreon`.* + TO `centreonbi`@``; + GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, + CREATE TEMPORARY TABLES, LOCK TABLES + ON `centreon_storage`.* + TO `centreonbi`@``; + GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, + CREATE TEMPORARY TABLES, LOCK TABLES + ON `centreon_mbi`.* + TO `centreonbi`@``; + GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, + CREATE TEMPORARY TABLES, LOCK TABLES + ON `centreon_storage_mbi`.* + TO `centreonbi`@``; + ``` - + -### Step 1 - Generate keys and certificates - -> If you have already generated certificates (e.g., when configuring Centreon MAP), you can skip this section and reuse the existing CA certificate. - -**1. Create a directory** (`/etc/mysql/newcerts` in this example) to store your certificate files: - -```shell -mkdir -p /etc/mysql/newcerts -cd /etc/mysql/newcerts -``` +### Step 4 - Configure JDBC (Centreon MBI / BIRT) -**2. Generate the Certificate Authority (CA).** The CA is used to sign both the server and client certificates, establishing a chain of trust. + + -```shell -# Generate the CA private key -openssl genrsa 2048 > ca-key.pem -# Generate the CA self-signed certificate -openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem -``` +Centreon MBI uses MySQL Connector/J (`com.mysql.cj.jdbc.Driver`), which does not support PEM files directly. Certificates must be stored in a Java KeyStore (JKS or PKCS12). -**3. Generate the server certificate.** The server certificate is presented by MySQL to clients during the SSL handshake. 
+| File | Contains | Purpose | Required | +|------|----------|---------|----------| +| `truststore.jks` | CA certificate | Lets Java verify the database server's identity | ✓ Always | +| `keystore.jks` | Client cert + private key | Lets the database verify the application's identity | Only if `REQUIRE X509` | -```shell -# Generate the server private key and CSR (Certificate Signing Request) -openssl req -newkey rsa:2048 -days 365000 -nodes -keyout server-key.pem -out server-req.pem +> **Note: mTLS is optional.** It is only needed if the MySQL user was created with `REQUIRE X509`. If the user was created with `REQUIRE SSL`, only the TrustStore is required. -# Convert the server key to RSA format (required by MySQL) -openssl rsa -in server-key.pem -out server-key.pem +**1. Create the TrustStore.** The TrustStore contains the CA certificate. Java uses it to validate that the MySQL server's certificate was signed by a trusted authority. -# Sign the server certificate with the CA -openssl x509 -req -in server-req.pem -days 365000 \ - -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 \ - -out server-cert.pem -``` + ```shell + keytool -importcert -alias mysqlServerCACert \ + -file /etc/mysql/newcerts/ca-cert.pem \ + -keystore /etc/mysql/newcerts/truststore.jks \ + -storepass changeit \ + -noprompt + ``` -**4. Generate the client certificate (optional — mTLS only).** Skip this section if you only need `REQUIRE SSL`. +**2. Create the KeyStore (optional — mTLS only).** Skip if the `centreonbi` user was created with `REQUIRE SSL`. 
-```shell -# Generate the client private key and CSR -openssl req -newkey rsa:2048 -days 365000 -nodes -keyout client-key.pem -out client-req.pem + 2.1 Bundle the client cert and key into a PKCS12 file: -# Convert the client key to RSA format -openssl rsa -in client-key.pem -out client-key.pem + ```shell + openssl pkcs12 -export \ + -in /etc/mysql/newcerts/client-cert.pem \ + -inkey /etc/mysql/newcerts/client-key.pem \ + -out /etc/mysql/newcerts/client.p12 \ + -name mbiClient \ + -passout pass:changeit + ``` + + 2.2 Convert PKCS12 to JKS: -# Sign the client certificate with the CA -openssl x509 -req -in client-req.pem -days 365000 \ - -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 \ - -out client-cert.pem -``` + ```shell + keytool -importkeystore \ + -srckeystore /etc/mysql/newcerts/client.p12 -srcstoretype PKCS12 -srcstorepass changeit \ + -destkeystore /etc/mysql/newcerts/keystore.jks -deststoretype JKS -deststorepass changeit + ``` -**5. Verify the certificates.** +**3. Set file permissions.** ```shell -openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem -# Expected output: -# server-cert.pem: OK -# client-cert.pem: OK +chown centreon-bi: /etc/mysql/newcerts/*.jks +chmod 640 /etc/mysql/newcerts/*.jks ``` -**6. Set the file ownership.** - -```shell -chown -Rv mysql:mysql /etc/mysql/newcerts/*.pem -chmod 600 /etc/mysql/newcerts/server-key.pem /etc/mysql/newcerts/client-key.pem -chmod 644 /etc/mysql/newcerts/ca-cert.pem /etc/mysql/newcerts/server-cert.pem /etc/mysql/newcerts/client-cert.pem -``` +**4. Update the BIRT XML profile files.** -### Step 2 - Configure the MySQL server +> **Important — XML encoding:** In XML attribute values, the `&` separator between URL parameters must be written as `&`. Failing to do so will cause an XML parse error and prevent MBI from starting. -> If the server is already configured for SSL (e.g., for Centreon MAP), skip this section. +Two files must be updated, each containing two profiles. -**1. 
Edit the MySQL server configuration.** Add the following block to your MySQL server configuration file (typically `/etc/mysql/mysql.conf.d/mysqld.cnf`): +**/etc/cbis-conf/cbis-profile.xml** -```ini -[mysqld] -ssl-ca=/etc/mysql/newcerts/ca-cert.pem -ssl-cert=/etc/mysql/newcerts/server-cert.pem -ssl-key=/etc/mysql/newcerts/server-key.pem -# Restrict to secure TLS versions only -tls_version=TLSv1.2,TLSv1.3 -``` + Profile **Centreon** (`centreon` database): -**2. Restart MySQL.** + ```xml + + ``` -```shell -systemctl restart mysqld -``` + Profile **Censtorage** (`centreon_storage` database): -**3. Verify SSL is active.** + ```xml + + ``` -```sql -SHOW VARIABLES LIKE '%ssl%'; --- have_ssl should be YES --- ssl_ca, ssl_cert, ssl_key should point to your certificate files -``` +**/etc/cbis-conf/reports-profile.xml** -### Step 3 - Configure the MySQL user + Profile **Centreon** (`centreon_mbi` database): -Centreon MBI uses the `centreonbi` user. Apply SSL requirements to this user for each relevant host. + ```xml + + ``` -**1. Require SSL for the user.** + Profile **Censtorage** (`centreon_storage_mbi` database): -```sql --- SSL only (no client certificate required) -ALTER USER 'centreonbi'@'' REQUIRE SSL; + ```xml + + ``` --- Or mutual TLS (client certificate required) --- ALTER USER 'centreonbi'@'' REQUIRE X509; +**Optional — mTLS (REQUIRE X509):** add KeyStore parameters to each URL: --- Verify: ssl_type should show ANY (for SSL) or X509 (for mTLS) -SELECT user, host, ssl_type FROM mysql.user WHERE user='centreonbi'; -``` + ```xml + + ``` -**2. Grant privileges.** + Apply the same pattern to the three other profiles. 
-```sql -GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, - CREATE TEMPORARY TABLES, LOCK TABLES - ON `centreon`.* - TO `centreonbi`@``; - -GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, - CREATE TEMPORARY TABLES, LOCK TABLES - ON `centreon_storage`.* - TO `centreonbi`@``; - -GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, - CREATE TEMPORARY TABLES, LOCK TABLES - ON `centreon_mbi`.* - TO `centreonbi`@``; - -GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, - CREATE TEMPORARY TABLES, LOCK TABLES - ON `centreon_storage_mbi`.* - TO `centreonbi`@``; -``` + + -### Step 4 - Configure JDBC (Centreon MBI / BIRT) +Unlike MySQL Connector/J, **MariaDB Connector/J 3.x supports PEM files natively** via the `serverSslCert` parameter directly in the JDBC URL. No Java KeyStore conversion is needed for simple SSL mode. -Centreon MBI uses MySQL Connector/J (`com.mysql.cj.jdbc.Driver`), which does not support PEM files directly. Certificates must be stored in a Java KeyStore (JKS or PKCS12). +A PKCS12 keystore is only needed for mTLS (client certificate authentication): | File | Contains | Purpose | Required | |------|----------|---------|----------| -| `truststore.jks` | CA certificate | Lets Java verify the database server's identity | ✓ Always | -| `keystore.jks` | Client cert + private key | Lets the database verify the application's identity | Only if `REQUIRE X509` | - -> **Note: mTLS is optional.** It is only needed if the MySQL user was created with `REQUIRE X509`. If the user was created with `REQUIRE SSL`, only the TrustStore is required. - -**Step 4.1 — Create the TrustStore.** The TrustStore contains the CA certificate. Java uses it to validate that the MySQL server's certificate was signed by a trusted authority. 
+| `ca-cert.pem` | CA certificate | Lets the driver verify the MariaDB server's identity | ✓ Always | +| `keystore.p12` | Client cert + private key | Lets MariaDB verify the application's identity | Only if `REQUIRE X509` | -```shell -keytool -importcert -alias mysqlServerCACert \ - -file /etc/mysql/newcerts/ca-cert.pem \ - -keystore /etc/mysql/newcerts/truststore.jks \ - -storepass changeit \ - -noprompt -``` +> **Note: mTLS is optional.** It is only needed if the MariaDB user was created with `REQUIRE X509`. If the user was created with `REQUIRE SSL`, only `serverSslCert` pointing to the CA is needed. -**Step 4.2 — Create the KeyStore (optional — mTLS only).** Skip if the `centreonbi` user was created with `REQUIRE SSL`. +**1. (Optional) Create the PKCS12 KeyStore for mTLS.** -Step 4.2a — Bundle the client cert and key into a PKCS12 file: +Skip this step if `centreonbi` was created with `REQUIRE SSL`. ```shell openssl pkcs12 -export \ -in /etc/mysql/newcerts/client-cert.pem \ -inkey /etc/mysql/newcerts/client-key.pem \ - -out /etc/mysql/newcerts/client.p12 \ + -out /etc/mysql/newcerts/keystore.p12 \ -name mbiClient \ -passout pass:changeit ``` -Step 4.2b — Convert PKCS12 to JKS: +**2. Set file permissions.** ```shell -keytool -importkeystore \ - -srckeystore /etc/mysql/newcerts/client.p12 -srcstoretype PKCS12 -srcstorepass changeit \ - -destkeystore /etc/mysql/newcerts/keystore.jks -deststoretype JKS -deststorepass changeit +chown centreon-bi: /etc/mysql/newcerts/ca-cert.pem +chown centreon-bi: /etc/mysql/newcerts/keystore.p12 # only if mTLS +chmod 640 /etc/mysql/newcerts/ca-cert.pem +chmod 640 /etc/mysql/newcerts/keystore.p12 # only if mTLS ``` -**Step 4.3 — Set file permissions.** +**3. Update XML profile files.** -```shell -chown centreon-bi: /etc/mysql/newcerts/*.jks -chmod 640 /etc/mysql/newcerts/*.jks -``` - -**Step 4.4 — Update the BIRT XML profile files.** +The `odaURL` must use the `jdbc:mariadb://` scheme and include SSL parameters. 
> **Important — XML encoding:** In XML attribute values, the `&` separator between URL parameters must be written as `&`. Failing to do so will cause an XML parse error and prevent MBI from starting. @@ -461,39 +442,43 @@ Two files must be updated, each containing two profiles. **/etc/cbis-conf/cbis-profile.xml** -Profile **Centreon** (`centreon` database): + Profile **Centreon** (`centreon` database): -```xml - -``` + ```xml + + + ``` -Profile **Censtorage** (`centreon_storage` database): + Profile **Censtorage** (`centreon_storage` database): -```xml - -``` + ```xml + + ``` **/etc/cbis-conf/reports-profile.xml** -Profile **Centreon** (`centreon_mbi` database): + Profile **Centreon** (`centreon_mbi` database): -```xml - -``` + ```xml + + ``` -Profile **Censtorage** (`centreon_storage_mbi` database): + Profile **Censtorage** (`centreon_storage_mbi` database): -```xml - -``` + ```xml + + ``` **Optional — mTLS (REQUIRE X509):** add KeyStore parameters to each URL: -```xml - -``` + ```xml + + ``` -Apply the same pattern to the three other profiles. + Apply the same pattern to the three other profiles. + + + ### Step 5 - Restart Centreon MBI @@ -503,6 +488,9 @@ systemctl restart cbis ### Step 6 - Check Certificate Expiry + + + **TrustStore (CA certificate):** ```shell 
@@ -524,25 +512,35 @@ openssl x509 -in /etc/mysql/newcerts/ca-cert.pem -noout -dates ``` - + -### SSL Mode reference +**CA certificate:** - - + ```shell + openssl x509 -in /etc/mysql/newcerts/ca-cert.pem -noout -dates + # notBefore=... + # notAfter=... + ``` -The `verify-ca` mode is the recommended minimum for production. This table lists other available modes depending on your security requirements: +**Server certificate:** -| Mode | Server cert verified | Hostname/IP verified | Use case | -|------|---------------------|---------------------|----------| -| `disable` | No | No | Development only — no encryption | -| `trust` | No | No | Encrypts traffic but does not validate the server cert | -| `verify-ca` | Yes | No | Used in this procedure — validates the CA chain | -| `verify-full` | Yes | Yes | Strictest — also checks hostname/IP against the certificate SAN | + ```shell + openssl x509 -in /etc/mysql/newcerts/server-cert.pem -noout -dates + ``` -> **Note:** If you want to use the `verify-full` mode, the server certificate must include a Subject Alternative Name (SAN) matching the exact IP or hostname used in the JDBC URL. The CN field alone is not sufficient for IP-based connections. +**PKCS12 KeyStore (mTLS only):** + + ```shell + keytool -list -v -keystore /etc/mysql/newcerts/keystore.p12 -storepass changeit + # Look for: Valid from ... until ... + ``` + + +### SSL Mode reference + + The `VERIFY_CA` mode is the recommended minimum for production. This table lists other available modes depending on your security requirements: 
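Review bot: The expiry checks added for the MariaDB tab read `/etc/mysql/newcerts/ca-cert.pem`, `/etc/mysql/newcerts/server-cert.pem` and `/etc/mysql/newcerts/keystore.p12`, but the MariaDB tab's server step in this same patch tells the reader to use the directory created earlier, `/etc/mariadb/newcerts`, and its `ssl-ca`/`ssl-cert`/`ssl-key` entries point there. Someone following the MariaDB tab will either get a "No such file" error from `openssl x509`, or, on a host that also has a MySQL tree, check the wrong certificates and miss an expired one. Change the three paths to `/etc/mariadb/newcerts/ca-cert.pem`, `/etc/mariadb/newcerts/server-cert.pem` and `/etc/mariadb/newcerts/keystore.p12`; the MariaDB JDBC step earlier in this patch (the `openssl pkcs12 -export` command and the `chown`/`chmod` lines) appears to have the same `/etc/mysql/newcerts` mismatch and should be aligned in the same pass.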
@@ -557,5 +555,19 @@ The `VERIFY_CA` mode is the recommended minimum for production. This table lists
 > **Note:** If you want to use the `VERIFY_IDENTITY` mode, the server certificate must include a Subject Alternative Name (SAN) matching the exact IP or hostname used in the JDBC URL.
+
+
+
+The `verify-ca` mode is the recommended minimum for production. This table lists other available modes depending on your security requirements:
+
+| Mode | Server cert verified | Hostname/IP verified | Use case |
+|------|---------------------|---------------------|----------|
+| `disable` | No | No | Development only — no encryption |
+| `trust` | No | No | Encrypts traffic but does not validate the server cert |
+| `verify-ca` | Yes | No | Used in this procedure — validates the CA chain |
+| `verify-full` | Yes | Yes | Strictest — also checks hostname/IP against the certificate SAN |
+
+> **Note:** If you want to use the `verify-full` mode, the server certificate must include a Subject Alternative Name (SAN) matching the exact IP or hostname used in the JDBC URL. The CN field alone is not sufficient for IP-based connections.
+
From 5c52a44490eaacdb2d4090774a394120160afbc0 Mon Sep 17 00:00:00 2001
From: smau
Date: Wed, 1 Apr 2026 11:23:08 +0200
Subject: [PATCH 3/8] Fix broken link
---
 .../version-25.10/reporting/secure-your-mbi-platform.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/versioned_docs/version-25.10/reporting/secure-your-mbi-platform.md b/versioned_docs/version-25.10/reporting/secure-your-mbi-platform.md
index a1a58e403013..af60ac67335c 100644
--- a/versioned_docs/version-25.10/reporting/secure-your-mbi-platform.md
+++ b/versioned_docs/version-25.10/reporting/secure-your-mbi-platform.md
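Review bot: The `trust` row of the new MariaDB mode table says "Encrypts traffic but does not validate the server cert" but does not spell out the consequence for the reader: in this mode any host answering on the port is accepted, so the connection protects against passive observation only and gives no assurance that MBI is talking to the real database. Suggest stating that in the use-case cell, in the same way the `disable` row is labelled "Development only", e.g. `| `trust` | No | No | Encrypts traffic but does not validate the server cert — not for production, server identity is unchecked |`. It may also help to add a sentence under the table tying `verify-ca`/`verify-full` to the `serverSslCert` parameter the JDBC step relies on, since the table names modes but not the parameter that supplies the CA.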
@@ -7,7 +7,7 @@ import TabItem from '@theme/TabItem';
 This chapter describes advanced procedures to secure your Centreon MBI platform.
-> If you want to use MBI with a secured database connection, we recommend that you also secure your Centreon platform. Follow this [procedure](../administration/secure-platform.md#secure-the-web-server-with-https) if needed.
+> If you want to use MBI with a secured database connection, we recommend that you also secure your Centreon platform. Follow this [procedure](..//administration/secure-platform.md#secure-the-web-server-with-https) if needed.
 ## Configure TLS on a MySQL or MariaDB database
From f95026552f3cdcf456c82285962b05157e51ddcd Mon Sep 17 00:00:00 2001
From: smau
Date: Wed, 1 Apr 2026 15:20:56 +0200
Subject: [PATCH 4/8] Fix link
---
 .../version-25.10/reporting/secure-your-mbi-platform.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/versioned_docs/version-25.10/reporting/secure-your-mbi-platform.md b/versioned_docs/version-25.10/reporting/secure-your-mbi-platform.md
index af60ac67335c..48ed563fe6fc 100644
--- a/versioned_docs/version-25.10/reporting/secure-your-mbi-platform.md
+++ b/versioned_docs/version-25.10/reporting/secure-your-mbi-platform.md
@@ -7,8 +7,7 @@ import TabItem from '@theme/TabItem';
 This chapter describes advanced procedures to secure your Centreon MBI platform.
-> If you want to use MBI with a secured database connection, we recommend that you also secure your Centreon platform. Follow this [procedure](..//administration/secure-platform.md#secure-the-web-server-with-https) if needed.
-
+> If you want to use MBI with a secured database connection, we recommend that you also secure your Centreon platform. Follow this [procedure](../administration/secure-platform.md#secure-the-web-server-with-https) if needed.
 ## Configure TLS on a MySQL or MariaDB database
From 6937351d6a099794197d5c233e07fd06f4ed68a7 Mon Sep 17 00:00:00 2001
From: smau
Date: Wed, 1 Apr 2026 15:38:06 +0200
Subject: [PATCH 5/8] New try
---
 .../version-25.10/reporting/secure-your-mbi-platform.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/versioned_docs/version-25.10/reporting/secure-your-mbi-platform.md b/versioned_docs/version-25.10/reporting/secure-your-mbi-platform.md
index 48ed563fe6fc..13a35a661f88 100644
--- a/versioned_docs/version-25.10/reporting/secure-your-mbi-platform.md
+++ b/versioned_docs/version-25.10/reporting/secure-your-mbi-platform.md
@@ -7,7 +7,7 @@ import TabItem from '@theme/TabItem';
 This chapter describes advanced procedures to secure your Centreon MBI platform.
-> If you want to use MBI with a secured database connection, we recommend that you also secure your Centreon platform. Follow this [procedure](../administration/secure-platform.md#secure-the-web-server-with-https) if needed.
+> If you want to use MBI with a secured database connection, we recommend that you also secure your Centreon platform. Follow this [procedure](https://docs.centreon.com/docs/administration/secure-platform/#secure-the-web-server-with-https) if needed.
 ## Configure TLS on a MySQL or MariaDB database
From aa367f9b964274ec75d4bba020b3cf652e25de6e Mon Sep 17 00:00:00 2001
From: smau
Date: Wed, 1 Apr 2026 17:56:21 +0200
Subject: [PATCH 6/8] Add 26.10 and FR versions
---
 .../reporting/secure-your-mbi-platform.md | 572 ++++++++++++++++++
 .../reporting/secure-your-mbi-platform.md | 572 ++++++++++++++++++
 .../reporting/secure-your-mbi-platform.md | 572 ++++++++++++++++++
 .../version-26.10-sidebars.json | 4 +
 4 files changed, 1720 insertions(+)
 create mode 100644 i18n/fr/docusaurus-plugin-content-docs/version-25.10/reporting/secure-your-mbi-platform.md
 create mode 100644 i18n/fr/docusaurus-plugin-content-docs/version-26.10/reporting/secure-your-mbi-platform.md
 create mode 100644 versioned_docs/version-26.10/reporting/secure-your-mbi-platform.md
diff --git a/i18n/fr/docusaurus-plugin-content-docs/version-25.10/reporting/secure-your-mbi-platform.md b/i18n/fr/docusaurus-plugin-content-docs/version-25.10/reporting/secure-your-mbi-platform.md
new file mode 100644
index 000000000000..a2c9b5b5bc9e
--- /dev/null
+++ b/i18n/fr/docusaurus-plugin-content-docs/version-25.10/reporting/secure-your-mbi-platform.md
@@ -0,0 +1,572 @@ +--- +id: secure-your-mbi-platform +title: Sécuriser votre plateforme MBI +--- +import Tabs from '@theme/Tabs'; +import TabItem from '@theme/TabItem'; + +Ce chapitre décrit les procédures avancées pour sécuriser votre plateforme Centreon MBI. + +> Si vous souhaitez utiliser MBI avec une connexion à la base de données sécurisée, nous vous recommandons également de sécuriser votre plateforme Centreon. Suivez cette [procédure](https://docs.centreon.com/fr/docs/administration/secure-platform/#secure-the-web-server-with-https) si nécessaire. + +## Configurer TLS sur une base de données MySQL ou MariaDB + +Cette section décrit comment activer SSL entre Centreon MBI et un serveur MySQL ou MariaDB en utilisant la vérification par autorité de certification (mode VERIFY\_CA / verify-ca). + +> **Remarque :** Cette procédure couvre uniquement le mode VERIFY\_CA. Dans ce mode, le certificat du serveur est validé par rapport à une autorité de certification de confiance, mais le nom d'hôte/l'adresse IP n'est pas vérifié. Pour les autres modes de vérification SSL, consultez la section [Référence des modes SSL](#référence-des-modes-ssl). + +- Sélectionnez l'onglet correspondant à la base de données que vous souhaitez utiliser. + +### Étape 1 - Générer les clés et les certificats + +> Si vous avez déjà généré des certificats (par exemple lors de la configuration de Centreon MAP), vous pouvez ignorer cette section et réutiliser le certificat CA existant. + + + + +**1. Créez un répertoire** (`/etc/mysql/newcerts` dans cet exemple) pour stocker vos fichiers de certificats : + + ```shell + mkdir -p /etc/mysql/newcerts + cd /etc/mysql/newcerts + ``` + +**2. Générez l'autorité de certification (CA).** La CA est utilisée pour signer les certificats du serveur et du client, établissant ainsi une chaîne de confiance. 
+ + ```shell + # Générer la clé privée de la CA + openssl genrsa 2048 > ca-key.pem + # Générer le certificat auto-signé de la CA + openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem + ``` + +**3. Générez le certificat du serveur.** Le certificat du serveur est présenté par MySQL aux clients lors de la négociation SSL. + + ```shell + # Générer la clé privée du serveur et la CSR (Certificate Signing Request) + openssl req -newkey rsa:2048 -days 365000 -nodes -keyout server-key.pem -out server-req.pem + + # Convertir la clé du serveur au format RSA (requis par MariaDB) + openssl rsa -in server-key.pem -out server-key.pem + + # Signer le certificat du serveur avec la CA + openssl x509 -req -in server-req.pem -days 365000 \ + -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 \ + -out server-cert.pem + ``` + +**4. Générez le certificat client (optionnel — mTLS uniquement).** Le certificat client est utilisé par l'application pour s'authentifier auprès de MySQL. Ignorez cette section si vous n'avez besoin que de `REQUIRE SSL`. + + ```shell + # Générer la clé privée du client et la CSR + openssl req -newkey rsa:2048 -days 365000 -nodes -keyout client-key.pem -out client-req.pem + + # Convertir la clé du client au format RSA + openssl rsa -in client-key.pem -out client-key.pem + + # Signer le certificat client avec la CA + openssl x509 -req -in client-req.pem -days 365000 \ + -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 \ + -out client-cert.pem + ``` + +**5. Vérifiez les certificats.** Assurez-vous que les deux certificats sont correctement signés par la CA avant de continuer. + + ```shell + openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem + # Résultat attendu : + # server-cert.pem: OK + # client-cert.pem: OK + ``` + +**6. 
Définissez les droits sur les fichiers.** + + ```shell + chown -Rv mysql:mysql /etc/mysql/newcerts/*.pem + chmod 600 /etc/mysql/newcerts/server-key.pem /etc/mysql/newcerts/client-key.pem + chmod 644 /etc/mysql/newcerts/ca-cert.pem /etc/mysql/newcerts/server-cert.pem /etc/mysql/newcerts/client-cert.pem + ``` + + + + +**1. Créez un répertoire** (`/etc/mariadb/newcerts` dans cet exemple) pour stocker vos fichiers de certificats : + + ```shell + mkdir -p /etc/mariadb/newcerts + cd /etc/mariadb/newcerts + ``` + +**2. Générez l'autorité de certification (CA).** La CA est utilisée pour signer les certificats du serveur et du client, établissant ainsi une chaîne de confiance. + +```shell +# Générer la clé privée de la CA +openssl genrsa 2048 > ca-key.pem +# Générer le certificat auto-signé de la CA +openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem +``` + +**3. Générez le certificat du serveur.** Le certificat du serveur est présenté par MariaDB aux clients lors de la négociation SSL. + +```shell +# Générer la clé privée du serveur et la CSR (Certificate Signing Request) +openssl req -newkey rsa:2048 -days 365000 -nodes -keyout server-key.pem -out server-req.pem + +# Convertir la clé du serveur au format RSA (requis par MySQL) +openssl rsa -in server-key.pem -out server-key.pem + +# Signer le certificat du serveur avec la CA +openssl x509 -req -in server-req.pem -days 365000 \ + -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 \ + -out server-cert.pem +``` + +**4. Générez le certificat client (optionnel — mTLS uniquement).** Ignorez cette section si vous n'avez besoin que de `REQUIRE SSL`. 
+ +```shell +# Générer la clé privée du client et la CSR +openssl req -newkey rsa:2048 -days 365000 -nodes -keyout client-key.pem -out client-req.pem + +# Convertir la clé du client au format RSA +openssl rsa -in client-key.pem -out client-key.pem + +# Signer le certificat client avec la CA +openssl x509 -req -in client-req.pem -days 365000 \ + -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 \ + -out client-cert.pem +``` + +**5. Vérifiez les certificats.** + +```shell +openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem +# Résultat attendu : +# server-cert.pem: OK +# client-cert.pem: OK +``` + +**6. Définissez les droits sur les fichiers.** + +```shell +chown -Rv mariadb:mariadb /etc/mariadb/newcerts/*.pem +chmod 600 /etc/mariadb/newcerts/server-key.pem /etc/mariadb/newcerts/client-key.pem +chmod 644 /etc/mariadb/newcerts/ca-cert.pem /etc/mariadb/newcerts/server-cert.pem /etc/mariadb/newcerts/client-cert.pem +``` + + + + +### Étape 2 - Configurer le serveur MySQL/MariaDB + + + + +> Si le serveur est déjà configuré pour SSL (par exemple pour Centreon MAP), ignorez cette section. + +> Assurez-vous d'utiliser le répertoire que vous avez précédemment créé (`/etc/mysql/newcerts` dans cet exemple). + +**1. Modifiez la configuration du serveur MySQL.** Ajoutez le bloc suivant à votre fichier de configuration du serveur MySQL (généralement `/etc/mysql/mysql.conf.d/mysqld.cnf`) : + + ```shell + [mysqld] + ssl-ca=/etc/mysql/newcerts/ca-cert.pem + ssl-cert=/etc/mysql/newcerts/server-cert.pem + ssl-key=/etc/mysql/newcerts/server-key.pem + # Restreindre aux versions TLS sécurisées uniquement + tls_version=TLSv1.2,TLSv1.3 + ``` + +**3. Vérifiez que SSL est actif.** + + ```sql + SHOW VARIABLES LIKE '%ssl%'; + -- have_ssl doit être YES + -- ssl_ca, ssl_cert, ssl_key doivent pointer vers vos fichiers de certificats + ``` + + + + +> Si le serveur est déjà configuré pour SSL (par exemple pour Centreon MAP), ignorez cette section. 
+ +> Assurez-vous d'utiliser le répertoire que vous avez précédemment créé (`/etc/mariadb/newcerts` dans cet exemple). + +**1. Modifiez la configuration du serveur MariaDB.** Ajoutez le bloc suivant à votre fichier de configuration du serveur MariaDB (généralement `etc/mariadb/mariadb.conf.d/50-server.cnf`) : + + ```shell + [mariadb] + ssl-ca = /etc/mariadb/newcerts/ca-cert.pem + ssl-cert = /etc/mariadb/newcerts/server-cert.pem + ssl-key = /etc/mariadb/newcerts/server-key.pem + + # Restreindre aux versions TLS sécurisées uniquement + tls_version = TLSv1.2,TLSv1.3 + + # Redémarrer MariaDB + systemctl restart mariadb + ``` + +**3. Vérifiez que SSL est actif.** + +```shell +SHOW VARIABLES LIKE '%ssl%'; +-- have_ssl doit être YES +-- ssl_ca, ssl_cert, ssl_key doivent pointer vers vos fichiers de certificats +``` + + + + +### Étape 3 - Configurer l'utilisateur MySQL/MariaDB + + + + +Centreon MBI utilise l'utilisateur `centreonbi`. Appliquez les exigences SSL à cet utilisateur pour chaque hôte concerné. + +**1. Exiger SSL pour l'utilisateur.** + + ```sql + -- SSL uniquement (aucun certificat client requis) + ALTER USER 'centreonbi'@'' REQUIRE SSL; + + -- Ou TLS mutuel (certificat client requis) + -- ALTER USER 'centreonbi'@'' REQUIRE X509; + + -- Vérification : ssl_type doit maintenant afficher ANY (pour SSL) ou X509 (pour mTLS) + SELECT user, host, ssl_type FROM mysql.user WHERE user='centreonbi'; + ``` + +**2. 
Accorder les privilèges.** + + ```sql + GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, + CREATE TEMPORARY TABLES, LOCK TABLES + ON `centreon`.* + TO `centreonbi`@``; + + GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, + CREATE TEMPORARY TABLES, LOCK TABLES + ON `centreon_storage`.* + TO `centreonbi`@``; + + GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, + CREATE TEMPORARY TABLES, LOCK TABLES + ON `centreon_mbi`.* + TO `centreonbi`@``; + + GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, + CREATE TEMPORARY TABLES, LOCK TABLES + ON `centreon_storage_mbi`.* + TO `centreonbi`@``; + ``` + + + + +Centreon MBI utilise l'utilisateur `centreonbi`. Appliquez les exigences SSL à cet utilisateur pour chaque hôte concerné. + +**1. Exiger SSL pour l'utilisateur.** + + ```shell + -- SSL uniquement (aucun certificat client requis) + ALTER USER 'centreonbi'@'' REQUIRE SSL; + -- Ou TLS mutuel (certificat client requis) + -- ALTER USER 'centreonbi'@'' REQUIRE X509; + -- Vérification : ssl_type doit afficher ANY (pour SSL) ou X509 (pour mTLS) + SELECT user, host, ssl_type FROM mysql.user WHERE user='centreonbi'; + ``` + +**2. 
Accorder les privilèges.** + + ```shell + GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, + CREATE TEMPORARY TABLES, LOCK TABLES + ON `centreon`.* + TO `centreonbi`@``; + GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, + CREATE TEMPORARY TABLES, LOCK TABLES + ON `centreon_storage`.* + TO `centreonbi`@``; + GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, + CREATE TEMPORARY TABLES, LOCK TABLES + ON `centreon_mbi`.* + TO `centreonbi`@``; + GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, + CREATE TEMPORARY TABLES, LOCK TABLES + ON `centreon_storage_mbi`.* + TO `centreonbi`@``; + ``` + + + + +### Étape 4 - Configurer JDBC (Centreon MBI / BIRT) + + + + +Centreon MBI utilise MySQL Connector/J (`com.mysql.cj.jdbc.Driver`), qui ne prend pas en charge les fichiers PEM directement. Les certificats doivent être stockés dans un Java KeyStore (JKS ou PKCS12). + +| Fichier | Contenu | Rôle | Requis | +|---------|---------|------|--------| +| `truststore.jks` | Certificat CA | Permet à Java de vérifier l'identité du serveur de base de données | ✓ Toujours | +| `keystore.jks` | Certificat client + clé privée | Permet à la base de données de vérifier l'identité de l'application | Seulement si `REQUIRE X509` | + +> **Remarque : le mTLS est optionnel.** Il n'est nécessaire que si l'utilisateur MySQL a été créé avec `REQUIRE X509`. Si l'utilisateur a été créé avec `REQUIRE SSL`, seul le TrustStore est requis. + +**1. Créez le TrustStore.** Le TrustStore contient le certificat CA. Java l'utilise pour valider que le certificat du serveur MySQL a été signé par une autorité de confiance. + + ```shell + keytool -importcert -alias mysqlServerCACert \ + -file /etc/mysql/newcerts/ca-cert.pem \ + -keystore /etc/mysql/newcerts/truststore.jks \ + -storepass changeit \ + -noprompt + ``` + +**2. Créez le KeyStore (optionnel — mTLS uniquement).** Ignorez cette étape si l'utilisateur `centreonbi` a été créé avec `REQUIRE SSL`. 
+
+ 2.1 Regroupez le certificat et la clé client dans un fichier PKCS12 :
+
+ ```shell
+ openssl pkcs12 -export \
+ -in /etc/mysql/newcerts/client-cert.pem \
+ -inkey /etc/mysql/newcerts/client-key.pem \
+ -out /etc/mysql/newcerts/client.p12 \
+ -name mbiClient \
+ -passout pass:changeit
+ ```
+
+ 2.2 Convertissez le PKCS12 en JKS :
+
+ ```shell
+ keytool -importkeystore \
+ -srckeystore /etc/mysql/newcerts/client.p12 -srcstoretype PKCS12 -srcstorepass changeit \
+ -destkeystore /etc/mysql/newcerts/keystore.jks -deststoretype JKS -deststorepass changeit
+ ```
+
+**3. Définissez les permissions sur les fichiers.**
+
+```shell
+chown centreon-bi: /etc/mysql/newcerts/*.jks
+chmod 640 /etc/mysql/newcerts/*.jks
+```
+
+**4. Mettez à jour les fichiers de profil XML BIRT.**
+
+> **Important — encodage XML :** Dans les valeurs d'attributs XML, le séparateur `&` entre les paramètres d'URL doit être écrit sous la forme `&`. Ne pas le faire provoquera une erreur d'analyse XML et empêchera MBI de démarrer.
+
+Deux fichiers doivent être mis à jour, chacun contenant deux profils.
+
+**/etc/cbis-conf/cbis-profile.xml**
+
+ Profil **Centreon** (base de données `centreon`) :
+
+ ```xml
+
+ ```
+
+ Profil **Censtorage** (base de données `centreon_storage`) :
+
+ ```xml
+
+ ```
+
+**/etc/cbis-conf/reports-profile.xml**
+
+ Profil **Centreon** (base de données `centreon_mbi`) :
+
+ ```xml
+
+ ```
+
+ Profil **Censtorage** (base de données `centreon_storage_mbi`) :
+
+ ```xml
+
+ ```
+
+**Optionnel — mTLS (REQUIRE X509) :** ajoutez les paramètres KeyStore à chaque URL :
+
+ ```xml
+
+ ```
+
+ Appliquez le même modèle aux trois autres profils.
+
+
+
+
+Contrairement à MySQL Connector/J, **MariaDB Connector/J 3.x prend en charge les fichiers PEM nativement** via le paramètre `serverSslCert` directement dans l'URL JDBC. Aucune conversion en Java KeyStore n'est nécessaire pour le mode SSL simple. 
+
+Un keystore PKCS12 n'est nécessaire que pour le mTLS (authentification par certificat client) :
+
+| Fichier | Contenu | Rôle | Requis |
+|---------|---------|------|--------|
+| `ca-cert.pem` | Certificat CA | Permet au pilote de vérifier l'identité du serveur MariaDB | ✓ Toujours |
+| `keystore.p12` | Certificat client + clé privée | Permet à MariaDB de vérifier l'identité de l'application | Seulement si `REQUIRE X509` |
+
+> **Remarque : le mTLS est optionnel.** Il n'est nécessaire que si l'utilisateur MariaDB a été créé avec `REQUIRE X509`. Si l'utilisateur a été créé avec `REQUIRE SSL`, seul `serverSslCert` pointant vers la CA est nécessaire.
+
+**1. (Optionnel) Créez le KeyStore PKCS12 pour le mTLS.**
+
+Ignorez cette étape si `centreonbi` a été créé avec `REQUIRE SSL`.
+
+```shell
+openssl pkcs12 -export \
+ -in /etc/mysql/newcerts/client-cert.pem \
+ -inkey /etc/mysql/newcerts/client-key.pem \
+ -out /etc/mysql/newcerts/keystore.p12 \
+ -name mbiClient \
+ -passout pass:changeit
+```
+
+**2. Définissez les permissions sur les fichiers.**
+
+```shell
+chown centreon-bi: /etc/mysql/newcerts/ca-cert.pem
+chown centreon-bi: /etc/mysql/newcerts/keystore.p12 # uniquement si mTLS
+chmod 640 /etc/mysql/newcerts/ca-cert.pem
+chmod 640 /etc/mysql/newcerts/keystore.p12 # uniquement si mTLS
+```
+
+**3. Mettez à jour les fichiers de profil XML.**
+
+L'`odaURL` doit utiliser le schéma `jdbc:mariadb://` et inclure les paramètres SSL.
+
+> **Important — encodage XML :** Dans les valeurs d'attributs XML, le séparateur `&` entre les paramètres d'URL doit être écrit sous la forme `&`. Ne pas le faire provoquera une erreur d'analyse XML et empêchera MBI de démarrer.
+
+Deux fichiers doivent être mis à jour, chacun contenant deux profils. 
+
+**/etc/cbis-conf/cbis-profile.xml**
+
+ Profil **Centreon** (base de données `centreon`) :
+
+ ```xml
+
+
+ ```
+
+ Profil **Censtorage** (base de données `centreon_storage`) :
+
+ ```xml
+
+ ```
+
+**/etc/cbis-conf/reports-profile.xml**
+
+ Profil **Centreon** (base de données `centreon_mbi`) :
+
+ ```xml
+
+ ```
+
+ Profil **Censtorage** (base de données `centreon_storage_mbi`) :
+
+ ```xml
+
+ ```
+
+**Optionnel — mTLS (REQUIRE X509) :** ajoutez les paramètres KeyStore à chaque URL :
+
+ ```xml
+
+ ```
+
+ Appliquez le même modèle aux trois autres profils.
+
+
+
+
+### Étape 5 - Redémarrer Centreon MBI
+
+```shell
+systemctl restart cbis
+```
+
+### Étape 6 - Vérifier l'expiration des certificats
+
+
+
+
+**TrustStore (certificat CA) :**
+
+```shell
+keytool -list -v -keystore /etc/mysql/newcerts/truststore.jks -storepass changeit
+# Recherchez : Valid from ... until ...
+```
+
+**KeyStore (certificat client, mTLS uniquement) :**
+
+```shell
+keytool -list -v -keystore /etc/mysql/newcerts/keystore.jks -storepass changeit
+# Recherchez : Valid from ... until ...
+```
+
+**Certificat CA (PEM) :**
+
+```shell
+openssl x509 -in /etc/mysql/newcerts/ca-cert.pem -noout -dates
+```
+
+
+
+
+**Certificat CA :**
+
+ ```shell
+ openssl x509 -in /etc/mysql/newcerts/ca-cert.pem -noout -dates
+ # notBefore=...
+ # notAfter=...
+ ```
+
+**Certificat du serveur :**
+
+ ```shell
+ openssl x509 -in /etc/mysql/newcerts/server-cert.pem -noout -dates
+ ```
+
+**KeyStore PKCS12 (mTLS uniquement) :**
+
+ ```shell
+ keytool -list -v -keystore /etc/mysql/newcerts/keystore.p12 -storepass changeit
+ # Recherchez : Valid from ... until ...
+ ```
+
+
+
+
+### Référence des modes SSL
+
+
+
+
+Le mode `VERIFY_CA` est le minimum recommandé pour la production. 
Ce tableau répertorie les autres modes disponibles selon vos exigences de sécurité :
+
+| Mode | Certificat serveur vérifié | Nom d'hôte/IP vérifié | Cas d'usage |
+|------|--------------------------|----------------------|-------------|
+| `DISABLED` | Non | Non | Développement uniquement — pas de chiffrement |
+| `PREFERRED` | Non | Non | Utilise SSL si disponible, repli sur connexion non chiffrée |
+| `REQUIRED` | Non | Non | Impose SSL, mais ne valide pas le certificat du serveur |
+| `VERIFY_CA` | Oui | Non | Utilisé dans cette procédure — valide la chaîne CA |
+| `VERIFY_IDENTITY` | Oui | Oui | Le plus strict — vérifie également le nom d'hôte/IP par rapport au SAN du certificat |
+
+> **Remarque :** Si vous souhaitez utiliser le mode `VERIFY_IDENTITY`, le certificat du serveur doit inclure un Subject Alternative Name (SAN) correspondant exactement à l'IP ou au nom d'hôte utilisé dans l'URL JDBC.
+
+
+
+
+Le mode `verify-ca` est le minimum recommandé pour la production. Ce tableau répertorie les autres modes disponibles selon vos exigences de sécurité :
+
+| Mode | Certificat serveur vérifié | Nom d'hôte/IP vérifié | Cas d'usage |
+|------|--------------------------|----------------------|-------------|
+| `disable` | Non | Non | Développement uniquement — pas de chiffrement |
+| `trust` | Non | Non | Chiffre le trafic mais ne valide pas le certificat du serveur |
+| `verify-ca` | Oui | Non | Utilisé dans cette procédure — valide la chaîne CA |
+| `verify-full` | Oui | Oui | Le plus strict — vérifie également le nom d'hôte/IP par rapport au SAN du certificat |
+
+> **Remarque :** Si vous souhaitez utiliser le mode `verify-full`, le certificat du serveur doit inclure un Subject Alternative Name (SAN) correspondant exactement à l'IP ou au nom d'hôte utilisé dans l'URL JDBC. Le champ CN seul n'est pas suffisant pour les connexions basées sur une adresse IP.
+
+
+
diff --git a/i18n/fr/docusaurus-plugin-content-docs/version-26.10/reporting/secure-your-mbi-platform.md b/i18n/fr/docusaurus-plugin-content-docs/version-26.10/reporting/secure-your-mbi-platform.md
new file mode 100644
index 000000000000..a2c9b5b5bc9e
--- /dev/null
+++ b/i18n/fr/docusaurus-plugin-content-docs/version-26.10/reporting/secure-your-mbi-platform.md
@@ -0,0 +1,572 @@
+---
+id: secure-your-mbi-platform
+title: Sécuriser votre plateforme MBI
+---
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+Ce chapitre décrit les procédures avancées pour sécuriser votre plateforme Centreon MBI.
+
+> Si vous souhaitez utiliser MBI avec une connexion à la base de données sécurisée, nous vous recommandons également de sécuriser votre plateforme Centreon. Suivez cette [procédure](https://docs.centreon.com/fr/docs/administration/secure-platform/#secure-the-web-server-with-https) si nécessaire.
+
+## Configurer TLS sur une base de données MySQL ou MariaDB
+
+Cette section décrit comment activer SSL entre Centreon MBI et un serveur MySQL ou MariaDB en utilisant la vérification par autorité de certification (mode VERIFY\_CA / verify-ca).
+
+> **Remarque :** Cette procédure couvre uniquement le mode VERIFY\_CA. Dans ce mode, le certificat du serveur est validé par rapport à une autorité de certification de confiance, mais le nom d'hôte/l'adresse IP n'est pas vérifié. Pour les autres modes de vérification SSL, consultez la section [Référence des modes SSL](#référence-des-modes-ssl).
+
+- Sélectionnez l'onglet correspondant à la base de données que vous souhaitez utiliser.
+
+### Étape 1 - Générer les clés et les certificats
+
+> Si vous avez déjà généré des certificats (par exemple lors de la configuration de Centreon MAP), vous pouvez ignorer cette section et réutiliser le certificat CA existant.
+
+
+
+
+**1. Créez un répertoire** (`/etc/mysql/newcerts` dans cet exemple) pour stocker vos fichiers de certificats :
+
+ ```shell
+ mkdir -p /etc/mysql/newcerts
+ cd /etc/mysql/newcerts
+ ```
+
+**2. Générez l'autorité de certification (CA).** La CA est utilisée pour signer les certificats du serveur et du client, établissant ainsi une chaîne de confiance. 
+
+ ```shell
+ # Générer la clé privée de la CA
+ openssl genrsa 2048 > ca-key.pem
+ # Générer le certificat auto-signé de la CA
+ openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem
+ ```
+
+**3. Générez le certificat du serveur.** Le certificat du serveur est présenté par MySQL aux clients lors de la négociation SSL.
+
+ ```shell
+ # Générer la clé privée du serveur et la CSR (Certificate Signing Request)
+ openssl req -newkey rsa:2048 -days 365000 -nodes -keyout server-key.pem -out server-req.pem
+
+ # Convertir la clé du serveur au format RSA (requis par MariaDB)
+ openssl rsa -in server-key.pem -out server-key.pem
+
+ # Signer le certificat du serveur avec la CA
+ openssl x509 -req -in server-req.pem -days 365000 \
+ -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 \
+ -out server-cert.pem
+ ```
+
+**4. Générez le certificat client (optionnel — mTLS uniquement).** Le certificat client est utilisé par l'application pour s'authentifier auprès de MySQL. Ignorez cette section si vous n'avez besoin que de `REQUIRE SSL`.
+
+ ```shell
+ # Générer la clé privée du client et la CSR
+ openssl req -newkey rsa:2048 -days 365000 -nodes -keyout client-key.pem -out client-req.pem
+
+ # Convertir la clé du client au format RSA
+ openssl rsa -in client-key.pem -out client-key.pem
+
+ # Signer le certificat client avec la CA
+ openssl x509 -req -in client-req.pem -days 365000 \
+ -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 \
+ -out client-cert.pem
+ ```
+
+**5. Vérifiez les certificats.** Assurez-vous que les deux certificats sont correctement signés par la CA avant de continuer.
+
+ ```shell
+ openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
+ # Résultat attendu :
+ # server-cert.pem: OK
+ # client-cert.pem: OK
+ ```
+
+**6. 
Définissez les droits sur les fichiers.**
+
+ ```shell
+ chown -Rv mysql:mysql /etc/mysql/newcerts/*.pem
+ chmod 600 /etc/mysql/newcerts/server-key.pem /etc/mysql/newcerts/client-key.pem
+ chmod 644 /etc/mysql/newcerts/ca-cert.pem /etc/mysql/newcerts/server-cert.pem /etc/mysql/newcerts/client-cert.pem
+ ```
+
+
+
+
+**1. Créez un répertoire** (`/etc/mariadb/newcerts` dans cet exemple) pour stocker vos fichiers de certificats :
+
+ ```shell
+ mkdir -p /etc/mariadb/newcerts
+ cd /etc/mariadb/newcerts
+ ```
+
+**2. Générez l'autorité de certification (CA).** La CA est utilisée pour signer les certificats du serveur et du client, établissant ainsi une chaîne de confiance.
+
+```shell
+# Générer la clé privée de la CA
+openssl genrsa 2048 > ca-key.pem
+# Générer le certificat auto-signé de la CA
+openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem
+```
+
+**3. Générez le certificat du serveur.** Le certificat du serveur est présenté par MariaDB aux clients lors de la négociation SSL.
+
+```shell
+# Générer la clé privée du serveur et la CSR (Certificate Signing Request)
+openssl req -newkey rsa:2048 -days 365000 -nodes -keyout server-key.pem -out server-req.pem
+
+# Convertir la clé du serveur au format RSA (requis par MySQL)
+openssl rsa -in server-key.pem -out server-key.pem
+
+# Signer le certificat du serveur avec la CA
+openssl x509 -req -in server-req.pem -days 365000 \
+ -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 \
+ -out server-cert.pem
+```
+
+**4. Générez le certificat client (optionnel — mTLS uniquement).** Ignorez cette section si vous n'avez besoin que de `REQUIRE SSL`. 
+
+```shell
+# Générer la clé privée du client et la CSR
+openssl req -newkey rsa:2048 -days 365000 -nodes -keyout client-key.pem -out client-req.pem
+
+# Convertir la clé du client au format RSA
+openssl rsa -in client-key.pem -out client-key.pem
+
+# Signer le certificat client avec la CA
+openssl x509 -req -in client-req.pem -days 365000 \
+ -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 \
+ -out client-cert.pem
+```
+
+**5. Vérifiez les certificats.**
+
+```shell
+openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
+# Résultat attendu :
+# server-cert.pem: OK
+# client-cert.pem: OK
+```
+
+**6. Définissez les droits sur les fichiers.**
+
+```shell
+chown -Rv mariadb:mariadb /etc/mariadb/newcerts/*.pem
+chmod 600 /etc/mariadb/newcerts/server-key.pem /etc/mariadb/newcerts/client-key.pem
+chmod 644 /etc/mariadb/newcerts/ca-cert.pem /etc/mariadb/newcerts/server-cert.pem /etc/mariadb/newcerts/client-cert.pem
+```
+
+
+
+
+### Étape 2 - Configurer le serveur MySQL/MariaDB
+
+
+
+
+> Si le serveur est déjà configuré pour SSL (par exemple pour Centreon MAP), ignorez cette section.
+
+> Assurez-vous d'utiliser le répertoire que vous avez précédemment créé (`/etc/mysql/newcerts` dans cet exemple).
+
+**1. Modifiez la configuration du serveur MySQL.** Ajoutez le bloc suivant à votre fichier de configuration du serveur MySQL (généralement `/etc/mysql/mysql.conf.d/mysqld.cnf`) :
+
+ ```shell
+ [mysqld]
+ ssl-ca=/etc/mysql/newcerts/ca-cert.pem
+ ssl-cert=/etc/mysql/newcerts/server-cert.pem
+ ssl-key=/etc/mysql/newcerts/server-key.pem
+ # Restreindre aux versions TLS sécurisées uniquement
+ tls_version=TLSv1.2,TLSv1.3
+ ```
+
+**3. Vérifiez que SSL est actif.**
+
+ ```sql
+ SHOW VARIABLES LIKE '%ssl%';
+ -- have_ssl doit être YES
+ -- ssl_ca, ssl_cert, ssl_key doivent pointer vers vos fichiers de certificats
+ ```
+
+
+
+
+> Si le serveur est déjà configuré pour SSL (par exemple pour Centreon MAP), ignorez cette section. 
+
+> Assurez-vous d'utiliser le répertoire que vous avez précédemment créé (`/etc/mariadb/newcerts` dans cet exemple).
+
+**1. Modifiez la configuration du serveur MariaDB.** Ajoutez le bloc suivant à votre fichier de configuration du serveur MariaDB (généralement `etc/mariadb/mariadb.conf.d/50-server.cnf`) :
+
+ ```shell
+ [mariadb]
+ ssl-ca = /etc/mariadb/newcerts/ca-cert.pem
+ ssl-cert = /etc/mariadb/newcerts/server-cert.pem
+ ssl-key = /etc/mariadb/newcerts/server-key.pem
+
+ # Restreindre aux versions TLS sécurisées uniquement
+ tls_version = TLSv1.2,TLSv1.3
+
+ # Redémarrer MariaDB
+ systemctl restart mariadb
+ ```
+
+**3. Vérifiez que SSL est actif.**
+
+```shell
+SHOW VARIABLES LIKE '%ssl%';
+-- have_ssl doit être YES
+-- ssl_ca, ssl_cert, ssl_key doivent pointer vers vos fichiers de certificats
+```
+
+
+
+
+### Étape 3 - Configurer l'utilisateur MySQL/MariaDB
+
+
+
+
+Centreon MBI utilise l'utilisateur `centreonbi`. Appliquez les exigences SSL à cet utilisateur pour chaque hôte concerné.
+
+**1. Exiger SSL pour l'utilisateur.**
+
+ ```sql
+ -- SSL uniquement (aucun certificat client requis)
+ ALTER USER 'centreonbi'@'' REQUIRE SSL;
+
+ -- Ou TLS mutuel (certificat client requis)
+ -- ALTER USER 'centreonbi'@'' REQUIRE X509;
+
+ -- Vérification : ssl_type doit maintenant afficher ANY (pour SSL) ou X509 (pour mTLS)
+ SELECT user, host, ssl_type FROM mysql.user WHERE user='centreonbi';
+ ```
+
+**2. 
Accorder les privilèges.**
+
+ ```sql
+ GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER,
+ CREATE TEMPORARY TABLES, LOCK TABLES
+ ON `centreon`.*
+ TO `centreonbi`@``;
+
+ GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER,
+ CREATE TEMPORARY TABLES, LOCK TABLES
+ ON `centreon_storage`.*
+ TO `centreonbi`@``;
+
+ GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER,
+ CREATE TEMPORARY TABLES, LOCK TABLES
+ ON `centreon_mbi`.*
+ TO `centreonbi`@``;
+
+ GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER,
+ CREATE TEMPORARY TABLES, LOCK TABLES
+ ON `centreon_storage_mbi`.*
+ TO `centreonbi`@``;
+ ```
+
+
+
+
+Centreon MBI utilise l'utilisateur `centreonbi`. Appliquez les exigences SSL à cet utilisateur pour chaque hôte concerné.
+
+**1. Exiger SSL pour l'utilisateur.**
+
+ ```shell
+ -- SSL uniquement (aucun certificat client requis)
+ ALTER USER 'centreonbi'@'' REQUIRE SSL;
+ -- Ou TLS mutuel (certificat client requis)
+ -- ALTER USER 'centreonbi'@'' REQUIRE X509;
+ -- Vérification : ssl_type doit afficher ANY (pour SSL) ou X509 (pour mTLS)
+ SELECT user, host, ssl_type FROM mysql.user WHERE user='centreonbi';
+ ```
+
+**2. 
Accorder les privilèges.**
+
+ ```shell
+ GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER,
+ CREATE TEMPORARY TABLES, LOCK TABLES
+ ON `centreon`.*
+ TO `centreonbi`@``;
+ GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER,
+ CREATE TEMPORARY TABLES, LOCK TABLES
+ ON `centreon_storage`.*
+ TO `centreonbi`@``;
+ GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER,
+ CREATE TEMPORARY TABLES, LOCK TABLES
+ ON `centreon_mbi`.*
+ TO `centreonbi`@``;
+ GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER,
+ CREATE TEMPORARY TABLES, LOCK TABLES
+ ON `centreon_storage_mbi`.*
+ TO `centreonbi`@``;
+ ```
+
+
+
+
+### Étape 4 - Configurer JDBC (Centreon MBI / BIRT)
+
+
+
+
+Centreon MBI utilise MySQL Connector/J (`com.mysql.cj.jdbc.Driver`), qui ne prend pas en charge les fichiers PEM directement. Les certificats doivent être stockés dans un Java KeyStore (JKS ou PKCS12).
+
+| Fichier | Contenu | Rôle | Requis |
+|---------|---------|------|--------|
+| `truststore.jks` | Certificat CA | Permet à Java de vérifier l'identité du serveur de base de données | ✓ Toujours |
+| `keystore.jks` | Certificat client + clé privée | Permet à la base de données de vérifier l'identité de l'application | Seulement si `REQUIRE X509` |
+
+> **Remarque : le mTLS est optionnel.** Il n'est nécessaire que si l'utilisateur MySQL a été créé avec `REQUIRE X509`. Si l'utilisateur a été créé avec `REQUIRE SSL`, seul le TrustStore est requis.
+
+**1. Créez le TrustStore.** Le TrustStore contient le certificat CA. Java l'utilise pour valider que le certificat du serveur MySQL a été signé par une autorité de confiance.
+
+ ```shell
+ keytool -importcert -alias mysqlServerCACert \
+ -file /etc/mysql/newcerts/ca-cert.pem \
+ -keystore /etc/mysql/newcerts/truststore.jks \
+ -storepass changeit \
+ -noprompt
+ ```
+
+**2. Créez le KeyStore (optionnel — mTLS uniquement).** Ignorez cette étape si l'utilisateur `centreonbi` a été créé avec `REQUIRE SSL`. 
+
+ 2.1 Regroupez le certificat et la clé client dans un fichier PKCS12 :
+
+ ```shell
+ openssl pkcs12 -export \
+ -in /etc/mysql/newcerts/client-cert.pem \
+ -inkey /etc/mysql/newcerts/client-key.pem \
+ -out /etc/mysql/newcerts/client.p12 \
+ -name mbiClient \
+ -passout pass:changeit
+ ```
+
+ 2.2 Convertissez le PKCS12 en JKS :
+
+ ```shell
+ keytool -importkeystore \
+ -srckeystore /etc/mysql/newcerts/client.p12 -srcstoretype PKCS12 -srcstorepass changeit \
+ -destkeystore /etc/mysql/newcerts/keystore.jks -deststoretype JKS -deststorepass changeit
+ ```
+
+**3. Définissez les permissions sur les fichiers.**
+
+```shell
+chown centreon-bi: /etc/mysql/newcerts/*.jks
+chmod 640 /etc/mysql/newcerts/*.jks
+```
+
+**4. Mettez à jour les fichiers de profil XML BIRT.**
+
+> **Important — encodage XML :** Dans les valeurs d'attributs XML, le séparateur `&` entre les paramètres d'URL doit être écrit sous la forme `&`. Ne pas le faire provoquera une erreur d'analyse XML et empêchera MBI de démarrer.
+
+Deux fichiers doivent être mis à jour, chacun contenant deux profils.
+
+**/etc/cbis-conf/cbis-profile.xml**
+
+ Profil **Centreon** (base de données `centreon`) :
+
+ ```xml
+
+ ```
+
+ Profil **Censtorage** (base de données `centreon_storage`) :
+
+ ```xml
+
+ ```
+
+**/etc/cbis-conf/reports-profile.xml**
+
+ Profil **Centreon** (base de données `centreon_mbi`) :
+
+ ```xml
+
+ ```
+
+ Profil **Censtorage** (base de données `centreon_storage_mbi`) :
+
+ ```xml
+
+ ```
+
+**Optionnel — mTLS (REQUIRE X509) :** ajoutez les paramètres KeyStore à chaque URL :
+
+ ```xml
+
+ ```
+
+ Appliquez le même modèle aux trois autres profils.
+
+
+
+
+Contrairement à MySQL Connector/J, **MariaDB Connector/J 3.x prend en charge les fichiers PEM nativement** via le paramètre `serverSslCert` directement dans l'URL JDBC. Aucune conversion en Java KeyStore n'est nécessaire pour le mode SSL simple. 
+
+Un keystore PKCS12 n'est nécessaire que pour le mTLS (authentification par certificat client) :
+
+| Fichier | Contenu | Rôle | Requis |
+|---------|---------|------|--------|
+| `ca-cert.pem` | Certificat CA | Permet au pilote de vérifier l'identité du serveur MariaDB | ✓ Toujours |
+| `keystore.p12` | Certificat client + clé privée | Permet à MariaDB de vérifier l'identité de l'application | Seulement si `REQUIRE X509` |
+
+> **Remarque : le mTLS est optionnel.** Il n'est nécessaire que si l'utilisateur MariaDB a été créé avec `REQUIRE X509`. Si l'utilisateur a été créé avec `REQUIRE SSL`, seul `serverSslCert` pointant vers la CA est nécessaire.
+
+**1. (Optionnel) Créez le KeyStore PKCS12 pour le mTLS.**
+
+Ignorez cette étape si `centreonbi` a été créé avec `REQUIRE SSL`.
+
+```shell
+openssl pkcs12 -export \
+ -in /etc/mysql/newcerts/client-cert.pem \
+ -inkey /etc/mysql/newcerts/client-key.pem \
+ -out /etc/mysql/newcerts/keystore.p12 \
+ -name mbiClient \
+ -passout pass:changeit
+```
+
+**2. Définissez les permissions sur les fichiers.**
+
+```shell
+chown centreon-bi: /etc/mysql/newcerts/ca-cert.pem
+chown centreon-bi: /etc/mysql/newcerts/keystore.p12 # uniquement si mTLS
+chmod 640 /etc/mysql/newcerts/ca-cert.pem
+chmod 640 /etc/mysql/newcerts/keystore.p12 # uniquement si mTLS
+```
+
+**3. Mettez à jour les fichiers de profil XML.**
+
+L'`odaURL` doit utiliser le schéma `jdbc:mariadb://` et inclure les paramètres SSL.
+
+> **Important — encodage XML :** Dans les valeurs d'attributs XML, le séparateur `&` entre les paramètres d'URL doit être écrit sous la forme `&`. Ne pas le faire provoquera une erreur d'analyse XML et empêchera MBI de démarrer.
+
+Deux fichiers doivent être mis à jour, chacun contenant deux profils. 
+
+**/etc/cbis-conf/cbis-profile.xml**
+
+ Profil **Centreon** (base de données `centreon`) :
+
+ ```xml
+
+
+ ```
+
+ Profil **Censtorage** (base de données `centreon_storage`) :
+
+ ```xml
+
+ ```
+
+**/etc/cbis-conf/reports-profile.xml**
+
+ Profil **Centreon** (base de données `centreon_mbi`) :
+
+ ```xml
+
+ ```
+
+ Profil **Censtorage** (base de données `centreon_storage_mbi`) :
+
+ ```xml
+
+ ```
+
+**Optionnel — mTLS (REQUIRE X509) :** ajoutez les paramètres KeyStore à chaque URL :
+
+ ```xml
+
+ ```
+
+ Appliquez le même modèle aux trois autres profils.
+
+
+
+
+### Étape 5 - Redémarrer Centreon MBI
+
+```shell
+systemctl restart cbis
+```
+
+### Étape 6 - Vérifier l'expiration des certificats
+
+
+
+
+**TrustStore (certificat CA) :**
+
+```shell
+keytool -list -v -keystore /etc/mysql/newcerts/truststore.jks -storepass changeit
+# Recherchez : Valid from ... until ...
+```
+
+**KeyStore (certificat client, mTLS uniquement) :**
+
+```shell
+keytool -list -v -keystore /etc/mysql/newcerts/keystore.jks -storepass changeit
+# Recherchez : Valid from ... until ...
+```
+
+**Certificat CA (PEM) :**
+
+```shell
+openssl x509 -in /etc/mysql/newcerts/ca-cert.pem -noout -dates
+```
+
+
+
+
+**Certificat CA :**
+
+ ```shell
+ openssl x509 -in /etc/mysql/newcerts/ca-cert.pem -noout -dates
+ # notBefore=...
+ # notAfter=...
+ ```
+
+**Certificat du serveur :**
+
+ ```shell
+ openssl x509 -in /etc/mysql/newcerts/server-cert.pem -noout -dates
+ ```
+
+**KeyStore PKCS12 (mTLS uniquement) :**
+
+ ```shell
+ keytool -list -v -keystore /etc/mysql/newcerts/keystore.p12 -storepass changeit
+ # Recherchez : Valid from ... until ...
+ ```
+
+
+
+
+### Référence des modes SSL
+
+
+
+
+Le mode `VERIFY_CA` est le minimum recommandé pour la production. 
Ce tableau répertorie les autres modes disponibles selon vos exigences de sécurité :
+
+| Mode | Certificat serveur vérifié | Nom d'hôte/IP vérifié | Cas d'usage |
+|------|--------------------------|----------------------|-------------|
+| `DISABLED` | Non | Non | Développement uniquement — pas de chiffrement |
+| `PREFERRED` | Non | Non | Utilise SSL si disponible, repli sur connexion non chiffrée |
+| `REQUIRED` | Non | Non | Impose SSL, mais ne valide pas le certificat du serveur |
+| `VERIFY_CA` | Oui | Non | Utilisé dans cette procédure — valide la chaîne CA |
+| `VERIFY_IDENTITY` | Oui | Oui | Le plus strict — vérifie également le nom d'hôte/IP par rapport au SAN du certificat |
+
+> **Remarque :** Si vous souhaitez utiliser le mode `VERIFY_IDENTITY`, le certificat du serveur doit inclure un Subject Alternative Name (SAN) correspondant exactement à l'IP ou au nom d'hôte utilisé dans l'URL JDBC.
+
+
+
+
+Le mode `verify-ca` est le minimum recommandé pour la production. Ce tableau répertorie les autres modes disponibles selon vos exigences de sécurité :
+
+| Mode | Certificat serveur vérifié | Nom d'hôte/IP vérifié | Cas d'usage |
+|------|--------------------------|----------------------|-------------|
+| `disable` | Non | Non | Développement uniquement — pas de chiffrement |
+| `trust` | Non | Non | Chiffre le trafic mais ne valide pas le certificat du serveur |
+| `verify-ca` | Oui | Non | Utilisé dans cette procédure — valide la chaîne CA |
+| `verify-full` | Oui | Oui | Le plus strict — vérifie également le nom d'hôte/IP par rapport au SAN du certificat |
+
+> **Remarque :** Si vous souhaitez utiliser le mode `verify-full`, le certificat du serveur doit inclure un Subject Alternative Name (SAN) correspondant exactement à l'IP ou au nom d'hôte utilisé dans l'URL JDBC. Le champ CN seul n'est pas suffisant pour les connexions basées sur une adresse IP.
+
+
+
diff --git a/versioned_docs/version-26.10/reporting/secure-your-mbi-platform.md b/versioned_docs/version-26.10/reporting/secure-your-mbi-platform.md
new file mode 100644
index 000000000000..13a35a661f88
--- /dev/null
+++ b/versioned_docs/version-26.10/reporting/secure-your-mbi-platform.md
@@ -0,0 +1,572 @@ +--- +id: secure-your-mbi-platform +title: Secure your MBI platform +--- +import Tabs from '@theme/Tabs'; +import TabItem from '@theme/TabItem'; + +This chapter describes advanced procedures to secure your Centreon MBI platform. + +> If you want to use MBI with a secured database connection, we recommend that you also secure your Centreon platform. Follow this [procedure](https://docs.centreon.com/docs/administration/secure-platform/#secure-the-web-server-with-https) if needed. + +## Configure TLS on a MySQL or MariaDB database + +This section describes how to enable SSL between Centreon MBI and a MySQL or MariaDB server using certificate authority verification (VERIFY\_CA / verify-ca mode). + +> **Note:** This procedure covers the VERIFY\_CA mode only. In this mode, the server certificate is validated against a trusted Certificate Authority, but the hostname/IP address is not verified. For other SSL verification modes, see the [SSL Mode reference](#ssl-mode-reference) section. + +- Select the tab corresponding to the database you want to use. + +### Step 1 - Generate keys and certificates + +> If you have already generated certificates (e.g., when configuring Centreon MAP), you can skip this section and reuse the existing CA certificate. + + + + +**1. Create a directory** (`/etc/mysql/newcerts` in this example) to store your certificate files: + + ```shell + mkdir -p /etc/mysql/newcerts + cd /etc/mysql/newcerts + ``` + +**2. Generate the Certificate Authority (CA).** The CA is used to sign both the server and client certificates, establishing a chain of trust. + + ```shell + # Generate the CA private key + openssl genrsa 2048 > ca-key.pem + # Generate the CA self-signed certificate + openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem + ``` + +**3. Generate the server certificate.** The server certificate is presented by MySQL to clients during the SSL handshake. 
+ + ```shell + # Generate the server private key and CSR (Certificate Signing Request) + openssl req -newkey rsa:2048 -days 365000 -nodes -keyout server-key.pem -out server-req.pem + + # Convert the server key to RSA format (required by MariaDB) + openssl rsa -in server-key.pem -out server-key.pem + + # Sign the server certificate with the CA + openssl x509 -req -in server-req.pem -days 365000 \ + -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 \ + -out server-cert.pem + ``` + +**4. Generate the client certificate (optional — mTLS only).** The client certificate is used by the application to authenticate itself to MySQL. Skip this section if you only need `REQUIRE SSL`. + + ```shell + # Generate the client private key and CSR + openssl req -newkey rsa:2048 -days 365000 -nodes -keyout client-key.pem -out client-req.pem + + # Convert the client key to RSA format + openssl rsa -in client-key.pem -out client-key.pem + + # Sign the client certificate with the CA + openssl x509 -req -in client-req.pem -days 365000 \ + -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 \ + -out client-cert.pem + ``` + +**5. Verify the certificates.** Ensure both certificates are correctly signed by the CA before proceeding. + + ```shell + openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem + # Expected output: + # server-cert.pem: OK + # client-cert.pem: OK + ``` + +**6. Set the file ownership.** + + ```shell + chown -Rv mysql:mysql /etc/mysql/newcerts/*.pem + chmod 600 /etc/mysql/newcerts/server-key.pem /etc/mysql/newcerts/client-key.pem + chmod 644 /etc/mysql/newcerts/ca-cert.pem /etc/mysql/newcerts/server-cert.pem /etc/mysql/newcerts/client-cert.pem + ``` + + + + +**1. Create a directory** (`/etc/mariadb/newcerts` in this example) to store your certificate files: + + ```shell + mkdir -p /etc/mariadb/newcerts + cd /etc/mariadb/newcerts + ``` + +**2. 
Generate the Certificate Authority (CA).** The CA is used to sign both the server and client certificates, establishing a chain of trust. + +```shell +# Generate the CA private key +openssl genrsa 2048 > ca-key.pem +# Generate the CA self-signed certificate +openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem +``` + +**3. Generate the server certificate.** The server certificate is presented by MariaDB to clients during the SSL handshake. + +```shell +# Generate the server private key and CSR (Certificate Signing Request) +openssl req -newkey rsa:2048 -days 365000 -nodes -keyout server-key.pem -out server-req.pem + +# Convert the server key to RSA format (required by MySQL) +openssl rsa -in server-key.pem -out server-key.pem + +# Sign the server certificate with the CA +openssl x509 -req -in server-req.pem -days 365000 \ + -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 \ + -out server-cert.pem +``` + +**4. Generate the client certificate (optional — mTLS only).** Skip this section if you only need `REQUIRE SSL`. + +```shell +# Generate the client private key and CSR +openssl req -newkey rsa:2048 -days 365000 -nodes -keyout client-key.pem -out client-req.pem + +# Convert the client key to RSA format +openssl rsa -in client-key.pem -out client-key.pem + +# Sign the client certificate with the CA +openssl x509 -req -in client-req.pem -days 365000 \ + -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 \ + -out client-cert.pem +``` + +**5. Verify the certificates.** + +```shell +openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem +# Expected output: +# server-cert.pem: OK +# client-cert.pem: OK +``` + +**6. 
Set the file ownership.** + +```shell +chown -Rv mariadb:mariadb /etc/mariadb/newcerts/*.pem +chmod 600 /etc/mariadb/newcerts/server-key.pem /etc/mariadb/newcerts/client-key.pem +chmod 644 /etc/mariadb/newcerts/ca-cert.pem /etc/mariadb/newcerts/server-cert.pem /etc/mariadb/newcerts/client-cert.pem +``` + + + + +### Step 2 - Configure the MySQL/MariaDB server + + + + +> If the server is already configured for SSL (e.g., for Centreon MAP), skip this section. + +> Ensure you are using the directory you previously created (`/etc/mysql/newcerts` in this example). + +**1. Edit the MySQL server configuration.** Add the following block to your MySQL server configuration file (typically `/etc/mysql/mysql.conf.d/mysqld.cnf`): + + ```shell + [mysqld] + ssl-ca=/etc/mysql/newcerts/ca-cert.pem + ssl-cert=/etc/mysql/newcerts/server-cert.pem + ssl-key=/etc/mysql/newcerts/server-key.pem + # Restrict to secure TLS versions only + tls_version=TLSv1.2,TLSv1.3 + ``` + +**3. Verify SSL is active.** + + ```sql + SHOW VARIABLES LIKE '%ssl%'; + -- have_ssl should be YES + -- ssl_ca, ssl_cert, ssl_key should point to your certificate files + ``` + + + + +> If the server is already configured for SSL (e.g., for Centreon MAP), skip this section. + +> Ensure you are using the directory you previously created (`/etc/mariadb/newcerts` in this example). + +**1. Edit the MariaDB server configuration.** Add the following block to your MariaDB server configuration file (typically `etc/mariadb/mariadb.conf.d/50-server.cnf`): + + ```shell + [mariadb] + ssl-ca = /etc/mariadb/newcerts/ca-cert.pem + ssl-cert = /etc/mariadb/newcerts/server-cert.pem + ssl-key = /etc/mariadb/newcerts/server-key.pem + + # Restrict to secure TLS versions only + tls_version = TLSv1.2,TLSv1.3 + + # Restart MariaDB + systemctl restart mariadb + ``` + +**3. 
Verify SSL is active.** + +```shell +SHOW VARIABLES LIKE '%ssl%'; +-- have_ssl should be YES +-- ssl_ca, ssl_cert, ssl_key should point to your certificate files +``` + + + + +### Step 3 - Configure the MySQL/MariaDB user + + + + +Centreon MBI uses the `centreonbi` user. Apply SSL requirements to this user for each relevant host. + +**1. Require SSL for the user.** + + ```sql + -- SSL only (no client certificate required) + ALTER USER 'centreonbi'@'' REQUIRE SSL; + + -- Or mutual TLS (client certificate required) + -- ALTER USER 'centreonbi'@'' REQUIRE X509; + + -- Verify: ssl_type should now show ANY (for SSL) or X509 (for mTLS) + SELECT user, host, ssl_type FROM mysql.user WHERE user='centreonbi'; + ``` + +**2. Grant privileges.** + + ```sql + GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, + CREATE TEMPORARY TABLES, LOCK TABLES + ON `centreon`.* + TO `centreonbi`@``; + + GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, + CREATE TEMPORARY TABLES, LOCK TABLES + ON `centreon_storage`.* + TO `centreonbi`@``; + + GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, + CREATE TEMPORARY TABLES, LOCK TABLES + ON `centreon_mbi`.* + TO `centreonbi`@``; + + GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, + CREATE TEMPORARY TABLES, LOCK TABLES + ON `centreon_storage_mbi`.* + TO `centreonbi`@``; + ``` + + + + +Centreon MBI uses the `centreonbi` user. Apply SSL requirements to this user for each relevant host. + +**1. Require SSL for the user.** + + ```shell + -- SSL only (no client certificate required) + ALTER USER 'centreonbi'@'' REQUIRE SSL; + -- Or mutual TLS (client certificate required) + -- ALTER USER 'centreonbi'@'' REQUIRE X509; + -- Verify: ssl_type should show ANY (for SSL) or X509 (for mTLS) + SELECT user, host, ssl_type FROM mysql.user WHERE user='centreonbi'; + ``` + +**2. 
Grant privileges.** + + ```shell + GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, + CREATE TEMPORARY TABLES, LOCK TABLES + ON `centreon`.* + TO `centreonbi`@``; + GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, + CREATE TEMPORARY TABLES, LOCK TABLES + ON `centreon_storage`.* + TO `centreonbi`@``; + GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, + CREATE TEMPORARY TABLES, LOCK TABLES + ON `centreon_mbi`.* + TO `centreonbi`@``; + GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, + CREATE TEMPORARY TABLES, LOCK TABLES + ON `centreon_storage_mbi`.* + TO `centreonbi`@``; + ``` + + + + +### Step 4 - Configure JDBC (Centreon MBI / BIRT) + + + + +Centreon MBI uses MySQL Connector/J (`com.mysql.cj.jdbc.Driver`), which does not support PEM files directly. Certificates must be stored in a Java KeyStore (JKS or PKCS12). + +| File | Contains | Purpose | Required | +|------|----------|---------|----------| +| `truststore.jks` | CA certificate | Lets Java verify the database server's identity | ✓ Always | +| `keystore.jks` | Client cert + private key | Lets the database verify the application's identity | Only if `REQUIRE X509` | + +> **Note: mTLS is optional.** It is only needed if the MySQL user was created with `REQUIRE X509`. If the user was created with `REQUIRE SSL`, only the TrustStore is required. + +**1. Create the TrustStore.** The TrustStore contains the CA certificate. Java uses it to validate that the MySQL server's certificate was signed by a trusted authority. + + ```shell + keytool -importcert -alias mysqlServerCACert \ + -file /etc/mysql/newcerts/ca-cert.pem \ + -keystore /etc/mysql/newcerts/truststore.jks \ + -storepass changeit \ + -noprompt + ``` + +**2. Create the KeyStore (optional — mTLS only).** Skip if the `centreonbi` user was created with `REQUIRE SSL`. 
+ + 2.1 Bundle the client cert and key into a PKCS12 file: + + ```shell + openssl pkcs12 -export \ + -in /etc/mysql/newcerts/client-cert.pem \ + -inkey /etc/mysql/newcerts/client-key.pem \ + -out /etc/mysql/newcerts/client.p12 \ + -name mbiClient \ + -passout pass:changeit + ``` + + 2.2 Convert PKCS12 to JKS: + + ```shell + keytool -importkeystore \ + -srckeystore /etc/mysql/newcerts/client.p12 -srcstoretype PKCS12 -srcstorepass changeit \ + -destkeystore /etc/mysql/newcerts/keystore.jks -deststoretype JKS -deststorepass changeit + ``` + +**3. Set file permissions.** + +```shell +chown centreon-bi: /etc/mysql/newcerts/*.jks +chmod 640 /etc/mysql/newcerts/*.jks +``` + +**4. Update the BIRT XML profile files.** + +> **Important — XML encoding:** In XML attribute values, the `&` separator between URL parameters must be written as `&`. Failing to do so will cause an XML parse error and prevent MBI from starting. + +Two files must be updated, each containing two profiles. + +**/etc/cbis-conf/cbis-profile.xml** + + Profile **Centreon** (`centreon` database): + + ```xml + + ``` + + Profile **Censtorage** (`centreon_storage` database): + + ```xml + + ``` + +**/etc/cbis-conf/reports-profile.xml** + + Profile **Centreon** (`centreon_mbi` database): + + ```xml + + ``` + + Profile **Censtorage** (`centreon_storage_mbi` database): + + ```xml + + ``` + +**Optional — mTLS (REQUIRE X509):** add KeyStore parameters to each URL: + + ```xml + + ``` + + Apply the same pattern to the three other profiles. + + + + +Unlike MySQL Connector/J, **MariaDB Connector/J 3.x supports PEM files natively** via the `serverSslCert` parameter directly in the JDBC URL. No Java KeyStore conversion is needed for simple SSL mode. 
+ +A PKCS12 keystore is only needed for mTLS (client certificate authentication): + +| File | Contains | Purpose | Required | +|------|----------|---------|----------| +| `ca-cert.pem` | CA certificate | Lets the driver verify the MariaDB server's identity | ✓ Always | +| `keystore.p12` | Client cert + private key | Lets MariaDB verify the application's identity | Only if `REQUIRE X509` | + +> **Note: mTLS is optional.** It is only needed if the MariaDB user was created with `REQUIRE X509`. If the user was created with `REQUIRE SSL`, only `serverSslCert` pointing to the CA is needed. + +**1. (Optional) Create the PKCS12 KeyStore for mTLS.** + +Skip this step if `centreonbi` was created with `REQUIRE SSL`. + +```shell +openssl pkcs12 -export \ + -in /etc/mysql/newcerts/client-cert.pem \ + -inkey /etc/mysql/newcerts/client-key.pem \ + -out /etc/mysql/newcerts/keystore.p12 \ + -name mbiClient \ + -passout pass:changeit +``` + +**2. Set file permissions.** + +```shell +chown centreon-bi: /etc/mysql/newcerts/ca-cert.pem +chown centreon-bi: /etc/mysql/newcerts/keystore.p12 # only if mTLS +chmod 640 /etc/mysql/newcerts/ca-cert.pem +chmod 640 /etc/mysql/newcerts/keystore.p12 # only if mTLS +``` + +**3. Update XML profile files.** + +The `odaURL` must use the `jdbc:mariadb://` scheme and include SSL parameters. + +> **Important — XML encoding:** In XML attribute values, the `&` separator between URL parameters must be written as `&`. Failing to do so will cause an XML parse error and prevent MBI from starting. + +Two files must be updated, each containing two profiles. 
+ +**/etc/cbis-conf/cbis-profile.xml** + + Profile **Centreon** (`centreon` database): + + ```xml + + + ``` + + Profile **Censtorage** (`centreon_storage` database): + + ```xml + + ``` + +**/etc/cbis-conf/reports-profile.xml** + + Profile **Centreon** (`centreon_mbi` database): + + ```xml + + ``` + + Profile **Censtorage** (`centreon_storage_mbi` database): + + ```xml + + ``` + +**Optional — mTLS (REQUIRE X509):** add KeyStore parameters to each URL: + + ```xml + + ``` + + Apply the same pattern to the three other profiles. + + + + +### Step 5 - Restart Centreon MBI + +```shell +systemctl restart cbis +``` + +### Step 6 - Check Certificate Expiry + + + + +**TrustStore (CA certificate):** + +```shell +keytool -list -v -keystore /etc/mysql/newcerts/truststore.jks -storepass changeit +# Look for: Valid from ... until ... +``` + +**KeyStore (client certificate, mTLS only):** + +```shell +keytool -list -v -keystore /etc/mysql/newcerts/keystore.jks -storepass changeit +# Look for: Valid from ... until ... +``` + +**CA certificate (PEM):** + +```shell +openssl x509 -in /etc/mysql/newcerts/ca-cert.pem -noout -dates +``` + + + + +**CA certificate:** + + ```shell + openssl x509 -in /etc/mysql/newcerts/ca-cert.pem -noout -dates + # notBefore=... + # notAfter=... + ``` + +**Server certificate:** + + ```shell + openssl x509 -in /etc/mysql/newcerts/server-cert.pem -noout -dates + ``` + +**PKCS12 KeyStore (mTLS only):** + + ```shell + keytool -list -v -keystore /etc/mysql/newcerts/keystore.p12 -storepass changeit + # Look for: Valid from ... until ... + ``` + + + + +### SSL Mode reference + + + + +The `VERIFY_CA` mode is the recommended minimum for production. 
This table lists other available modes depending on your security requirements: + +| Mode | Server cert verified | Hostname/IP verified | Use case | +|------|---------------------|---------------------|----------| +| `DISABLED` | No | No | Development only — no encryption | +| `PREFERRED` | No | No | Uses SSL if available, fallback to plain | +| `REQUIRED` | No | No | Enforces SSL, but does not validate the server cert | +| `VERIFY_CA` | Yes | No | Used in this procedure — validates the CA chain | +| `VERIFY_IDENTITY` | Yes | Yes | Strictest — also checks hostname/IP against the certificate SAN | + +> **Note:** If you want to use the `VERIFY_IDENTITY` mode, the server certificate must include a Subject Alternative Name (SAN) matching the exact IP or hostname used in the JDBC URL. + + + + +The `verify-ca` mode is the recommended minimum for production. This table lists other available modes depending on your security requirements: + +| Mode | Server cert verified | Hostname/IP verified | Use case | +|------|---------------------|---------------------|----------| +| `disable` | No | No | Development only — no encryption | +| `trust` | No | No | Encrypts traffic but does not validate the server cert | +| `verify-ca` | Yes | No | Used in this procedure — validates the CA chain | +| `verify-full` | Yes | Yes | Strictest — also checks hostname/IP against the certificate SAN | + +> **Note:** If you want to use the `verify-full` mode, the server certificate must include a Subject Alternative Name (SAN) matching the exact IP or hostname used in the JDBC URL. The CN field alone is not sufficient for IP-based connections. + + + diff --git a/versioned_sidebars/version-26.10-sidebars.json b/versioned_sidebars/version-26.10-sidebars.json index c4f045858024..caaf1d4f5a29 100644 --- a/versioned_sidebars/version-26.10-sidebars.json +++ b/versioned_sidebars/version-26.10-sidebars.json 
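Review bot: In Step 1, step 6 of both tabs, `chown -Rv mysql:mysql /etc/mysql/newcerts/*.pem` (and the `mariadb:mariadb` variant) hands the database service account the CA signing key `ca-key.pem`, while the following `chmod 600` covers only `server-key.pem` and `client-key.pem`, so the CA key keeps whatever mode the shell redirect `openssl genrsa 2048 > ca-key.pem` in step 2 gave it, which under a default umask is world-readable. Add `chmod 600 /etc/mysql/newcerts/ca-key.pem` (respectively `/etc/mariadb/newcerts/ca-key.pem`) and state that the CA key is not read by the server at runtime and should be kept off the database host once signing is finished. Separately, step 3 and step 4 both sign with `-set_serial 01`, so the server and client certificates share the same issuer and serial number, which X.509 requires to be unique per CA and which some TLS stacks may treat as a verification error; use `-set_serial 02` for the client certificate or `-CAcreateserial` instead. In Step 2 the MariaDB tab places `# Restart MariaDB` / `systemctl restart mariadb` inside the configuration-file listing and both tabs jump from step 1 to step 3, so the restart should become its own step 2 shell block in each tab.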
@@ -225,6 +225,10 @@ { "type": "doc", "id": "graph-views/secure-your-map-platform" + }, + { + "type": "doc", + "id": "reporting/secure-your-mbi-platform" } ] }, From 6e82fa6a005f5545dec9ac7d0c1d204a139b285d Mon Sep 17 00:00:00 2001 From: smau Date: Thu, 2 Apr 2026 09:06:25 +0200 Subject: [PATCH 7/8] Typo --- .../version-25.10/reporting/secure-your-mbi-platform.md | 8 ++++---- .../version-26.10/reporting/secure-your-mbi-platform.md | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/i18n/fr/docusaurus-plugin-content-docs/version-25.10/reporting/secure-your-mbi-platform.md b/i18n/fr/docusaurus-plugin-content-docs/version-25.10/reporting/secure-your-mbi-platform.md index a2c9b5b5bc9e..22d8e2e30072 100644 --- a/i18n/fr/docusaurus-plugin-content-docs/version-25.10/reporting/secure-your-mbi-platform.md +++ b/i18n/fr/docusaurus-plugin-content-docs/version-25.10/reporting/secure-your-mbi-platform.md @@ -224,7 +224,7 @@ SHOW VARIABLES LIKE '%ssl%'; Centreon MBI utilise l'utilisateur `centreonbi`. Appliquez les exigences SSL à cet utilisateur pour chaque hôte concerné. -**1. Exiger SSL pour l'utilisateur.** +**1. Exigez SSL pour l'utilisateur.** ```sql -- SSL uniquement (aucun certificat client requis) @@ -237,7 +237,7 @@ Centreon MBI utilise l'utilisateur `centreonbi`. Appliquez les exigences SSL à SELECT user, host, ssl_type FROM mysql.user WHERE user='centreonbi'; ``` -**2. Accorder les privilèges.** +**2. Accordez les privilèges.** ```sql GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, @@ -266,7 +266,7 @@ Centreon MBI utilise l'utilisateur `centreonbi`. Appliquez les exigences SSL à Centreon MBI utilise l'utilisateur `centreonbi`. Appliquez les exigences SSL à cet utilisateur pour chaque hôte concerné. -**1. Exiger SSL pour l'utilisateur.** +**1. Exigez SSL pour l'utilisateur.** ```shell -- SSL uniquement (aucun certificat client requis) 
@@ -277,7 +277,7 @@ Centreon MBI utilise l'utilisateur `centreonbi`. Appliquez les exigences SSL à SELECT user, host, ssl_type FROM mysql.user WHERE user='centreonbi'; ``` -**2. Accorder les privilèges.** +**2. Accordez les privilèges.** ```shell GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, diff --git a/i18n/fr/docusaurus-plugin-content-docs/version-26.10/reporting/secure-your-mbi-platform.md b/i18n/fr/docusaurus-plugin-content-docs/version-26.10/reporting/secure-your-mbi-platform.md index a2c9b5b5bc9e..22d8e2e30072 100644 --- a/i18n/fr/docusaurus-plugin-content-docs/version-26.10/reporting/secure-your-mbi-platform.md +++ b/i18n/fr/docusaurus-plugin-content-docs/version-26.10/reporting/secure-your-mbi-platform.md @@ -224,7 +224,7 @@ SHOW VARIABLES LIKE '%ssl%'; Centreon MBI utilise l'utilisateur `centreonbi`. Appliquez les exigences SSL à cet utilisateur pour chaque hôte concerné. -**1. Exiger SSL pour l'utilisateur.** +**1. Exigez SSL pour l'utilisateur.** ```sql -- SSL uniquement (aucun certificat client requis) @@ -237,7 +237,7 @@ Centreon MBI utilise l'utilisateur `centreonbi`. Appliquez les exigences SSL à SELECT user, host, ssl_type FROM mysql.user WHERE user='centreonbi'; ``` -**2. Accorder les privilèges.** +**2. Accordez les privilèges.** ```sql GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, @@ -266,7 +266,7 @@ Centreon MBI utilise l'utilisateur `centreonbi`. Appliquez les exigences SSL à Centreon MBI utilise l'utilisateur `centreonbi`. Appliquez les exigences SSL à cet utilisateur pour chaque hôte concerné. -**1. Exiger SSL pour l'utilisateur.** +**1. Exigez SSL pour l'utilisateur.** ```shell -- SSL uniquement (aucun certificat client requis) 
@@ -277,7 +277,7 @@ Centreon MBI utilise l'utilisateur `centreonbi`. Appliquez les exigences SSL à SELECT user, host, ssl_type FROM mysql.user WHERE user='centreonbi'; ``` -**2. Accorder les privilèges.** +**2. Accordez les privilèges.** ```shell GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, From 5493577d56f9d86b63f815d1f66df3ebc0bcee9a Mon Sep 17 00:00:00 2001 From: smau Date: Thu, 9 Apr 2026 09:41:14 +0200 Subject: [PATCH 8/8] Add link from install topic to Secure your MBI platform topic. --- .../version-25.10/reporting/installation.md | 2 ++ .../version-26.10/reporting/installation.md | 2 ++ versioned_docs/version-25.10/reporting/installation.md | 2 ++ versioned_docs/version-26.10/reporting/installation.md | 2 ++ 4 files changed, 8 insertions(+) diff --git a/i18n/fr/docusaurus-plugin-content-docs/version-25.10/reporting/installation.md b/i18n/fr/docusaurus-plugin-content-docs/version-25.10/reporting/installation.md index 7d21d1dd1376..1c3a9535f091 100644 --- a/i18n/fr/docusaurus-plugin-content-docs/version-25.10/reporting/installation.md +++ b/i18n/fr/docusaurus-plugin-content-docs/version-25.10/reporting/installation.md @@ -1142,6 +1142,8 @@ mysql_secure_installation - Répondez **oui** à toutes les questions, sauf à "Disallow root login remotely?" - Il est obligatoire de définir un mot de passe pour l'utilisateur **root** de la base de données. Vous aurez besoin de ce mot de passe pendant l'[installation web](../installation/web-and-post-installation.md). +> Voir les procédures avancées pour [Sécuriser votre plateforme MBI](../reporting/secure-your-mbi-platform.md). + #### Commencer à configurer Vérifiez que la base de reporting est bien démarrée puis lancez les diff --git a/i18n/fr/docusaurus-plugin-content-docs/version-26.10/reporting/installation.md b/i18n/fr/docusaurus-plugin-content-docs/version-26.10/reporting/installation.md index 9f5cfa40eadd..630e6fad0cbd 100644 
--- a/i18n/fr/docusaurus-plugin-content-docs/version-26.10/reporting/installation.md +++ b/i18n/fr/docusaurus-plugin-content-docs/version-26.10/reporting/installation.md @@ -1142,6 +1142,8 @@ mysql_secure_installation - Répondez **oui** à toutes les questions, sauf à "Disallow root login remotely?" - Il est obligatoire de définir un mot de passe pour l'utilisateur **root** de la base de données. Vous aurez besoin de ce mot de passe pendant l'[installation web](../installation/web-and-post-installation.md). +> Voir les procédures avancées pour [sécuriser votre plateforme MBI](../reporting/secure-your-mbi-platform.md). + #### Commencer à configurer Vérifiez que la base de reporting est bien démarrée puis lancez les diff --git a/versioned_docs/version-25.10/reporting/installation.md b/versioned_docs/version-25.10/reporting/installation.md index 545ead68c1b0..2878b9ae687f 100644 --- a/versioned_docs/version-25.10/reporting/installation.md +++ b/versioned_docs/version-25.10/reporting/installation.md @@ -1167,6 +1167,8 @@ mysql_secure_installation - Answer **yes** to all questions except "Disallow root login remotely?" - It is mandatory to define a password for the **root** user of the database. You will need this password during the [web-installation](../installation/web-and-post-installation.md). +> See advanced procedures to [Secure your MBI platform](../reporting/secure-your-mbi-platform.md). + > For more information, please see the [official MariaDB documentation](https://mariadb.com/kb/en/mysql_secure_installation/). #### Start configuring diff --git a/versioned_docs/version-26.10/reporting/installation.md b/versioned_docs/version-26.10/reporting/installation.md index 468ffba0ce1a..d711fe584086 100644 --- a/versioned_docs/version-26.10/reporting/installation.md +++ b/versioned_docs/version-26.10/reporting/installation.md 
@@ -1167,6 +1167,8 @@ mysql_secure_installation - Answer **yes** to all questions except "Disallow root login remotely?" - It is mandatory to define a password for the **root** user of the database. You will need this password during the [web-installation](../installation/web-and-post-installation.md). +> See advanced procedures to [Secure your MBI platform](../reporting/secure-your-mbi-platform.md). + > For more information, please see the [official MariaDB documentation](https://mariadb.com/kb/en/mysql_secure_installation/). #### Start configuring