docs(broker): explain how to authenticate Broker connections.

Centreon Broker connections can be authenticated using X.509 certificates. This commit adds new paragraphs in the documentation to explain how to generate certificates correctly and configure Centreon Broker properly.

docs(broker): explain how to authenticate Broker connections.
66795f49 · Matthieu Kermagoret · Lionel Assepo · 9b781c5a · 66795f49 · 66795f49
Commit 66795f49 authored Aug 30, 2017 by Matthieu Kermagoret Committed by Lionel Assepo Sep 6, 2017
--- a/doc/en/_static/images/configuration/broker_certificates.png
+++ b/doc/en/_static/images/configuration/broker_certificates.png
--- a/doc/en/configuration_guide/poller/02configuration.rst
+++ b/doc/en/configuration_guide/poller/02configuration.rst
@@ -39,6 +39,61 @@ It is necessary to generate a configuration file for Centreon Broker:
   :align: center
+Optional authentication with Centreon Broker
+============================================
+If you wish to authenticate pollers that are sending data to your
+monitoring system then you can optionaly use Centreon Broker
+authentication mechanism, which is based on X.509 certificates.
+First generate a Certificate Authority certificate with OpenSSL. *ca.key*
+will be the private key (to store securely), while *ca.crt* will be the
+public certificate with which we will authenticate incoming connections.
+::
+	$> openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 365
+Now we can generate certificates using the CA key.
+::
+	$> openssl req -new -newkey rsa:2048 -nodes -keyout central.key -out central.csr -days 365
+	$> openssl req -new -newkey rsa:2048 -nodes -keyout poller.key -out poller.csr -days 365
+	$> openssl x509 -req -in central.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out central.crt -days 365 -sha256
+	$> openssl x509 -req -in poller.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out poller.crt -days 365 -sha256
+Place *central.key*, *central.crt* and *ca.crt* on the Centreon central server
+(in **/etc/centreon-broker** for example) and *poller.key*, *poller.crt* and
+*ca.crt* on your poller.
+Now we need to configure Centreon Broker to use these files. Go to
+**Configuration ==> Pollers ==> Broker configuration**. For
+*central-broker-master*, in the *Input* tab, you need to set the following
+parameters for *central-broker-master-input*.
+- Enable TLS encryption = Yes
+- Private key file = /etc/centreon-broker/central.key
+- Public certificate = /etc/centreon-broker/central.crt
+- Trusted CA's certificate = /etc/centreon-broker/ca.crt
+.. image:: /_static/images/configuration/broker_certificates.png
+   :align: center
+Similarly for your poller, you will need to modify it's TCP output in the Output
+tab with the following parameters.
+- Enable TLS encryption = Yes
+- Private key file = /etc/centreon-broker/poller.key
+- Public certificate = /etc/centreon-broker/poller.crt
+- Trusted CA's certificate = /etc/centreon-broker/ca.crt
+Regenerate the configuration of the affected pollers
+(**Configuration ==> Pollers**) and you're good.
 Centreontrapd Configuration
 ===========================

--- a/doc/fr/_static/images/configuration/broker_certificates.png
+++ b/doc/fr/_static/images/configuration/broker_certificates.png
--- a/doc/fr/configuration_guide/poller/02configuration.rst
+++ b/doc/fr/configuration_guide/poller/02configuration.rst
@@ -38,6 +38,64 @@ Il est nécessaire de générer un fichier de configuration pour le broker Centr
   :align: center
+Authentification avec Centreon Broker (optionnel)
+=================================================
+Si vous souhaitez authentifier les pollers envoyant des données dans
+votre système de monitoring vous pouvez utiliser le mécanisme
+d'authentification intégré à Centreon Broker. Celui-ci est basé sur
+l'utilisation de certificats X.509.
+La première étape est de générer un certificat pour l'autorité de
+certification (Certificate Authority, CA) avec OpenSSL. *ca.key* sera la
+clé privée (à stocker de manière sécurisée), tandis que *ca.crt* sera la
+clé publique servant à authentifier les connexions entrantes.
+::
+	$> openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 365
+Nous pouvons maintenant générer les certificats en utilisant la clé de la CA.
+::
+	$> openssl req -new -newkey rsa:2048 -nodes -keyout central.key -out central.csr -days 365
+	$> openssl req -new -newkey rsa:2048 -nodes -keyout poller.key -out poller.csr -days 365
+	$> openssl x509 -req -in central.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out central.crt -days 365 -sha256
+	$> openssl x509 -req -in poller.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out poller.crt -days 365 -sha256
+Placez *central.key*, *central.crt* et *ca.crt* sur le serveur Centreon
+central (dans **/etc/centreon-broker** par exemple) et *poller.key*,
+*poller.crt* et *ca.crt* sur votre poller.
+Nous devons maintenant configurer Centreon Broker pour utiliser ces
+fichiers. Allez dans **Configuration ==> Pollers ==> Broker configuration**.
+Pour *central-broker-master*, dans l'onglet *Input*, vous devez remplir les
+paramètres suivants pour *central-broker-master-input*.
+- Enable TLS encryption = Yes
+- Private key file = /etc/centreon-broker/central.key
+- Public certificate = /etc/centreon-broker/central.crt
+- Trusted CA's certificate = /etc/centreon-broker/ca.crt
+.. image:: /_static/images/configuration/broker_certificates.png
+   :align: center
+De manière similaire pour le poller, vous devez modifier les paramètres
+de la connexion TCP dans l'onglet Output.
+- Enable TLS encryption = Yes
+- Private key file = /etc/centreon-broker/poller.key
+- Public certificate = /etc/centreon-broker/poller.crt
+- Trusted CA's certificate = /etc/centreon-broker/ca.crt
+Regénérez la configuration des pollers affectés par ces changements
+(**Configuration ==> Pollers**) et la mise en place de
+l'authentification est terminée.
 Configuration de Centreontrapd
 ==============================