diff --git a/pandora_server/conf/pandora_server.conf.new b/pandora_server/conf/pandora_server.conf.new
index 0a80181b2f..865204a6c7 100644
--- a/pandora_server/conf/pandora_server.conf.new
+++ b/pandora_server/conf/pandora_server.conf.new
@@ -67,6 +67,18 @@ dbhost 127.0.0.1
 
 # Default value depends on the dbengine (mysql: 3306)
 #dbport 3306
 
+# dbssl: Enable (1) or disable (0) SSL for the database connection.
+
+dbssl 0
+
+# dbsslcafile: Path to a file in PEM format that contains a list of trusted SSL certificate authorities.
+
+# dbsslcafile
+
+# dbsslcapath: Path to a directory that contains trusted SSL certificate authority certificates in PEM format.
+
+# dbsslcapath
+
 # By default, parent agent will not be updated
 #update_parent 0
diff --git a/pandora_server/lib/PandoraFMS/Config.pm b/pandora_server/lib/PandoraFMS/Config.pm
index 8f48a7f401..6184a74feb 100644
--- a/pandora_server/lib/PandoraFMS/Config.pm
+++ b/pandora_server/lib/PandoraFMS/Config.pm
@@ -233,6 +233,9 @@ sub pandora_load_config {
 	$pa_config->{"dbhost"} = "localhost";
 	$pa_config->{'dbport'} = undef; # set to standard port of "dbengine" later
 	$pa_config->{"dbname"} = "pandora";
+	$pa_config->{"dbssl"} = 0;
+	$pa_config->{"dbsslcapath"} = "";
+	$pa_config->{"dbsslcafile"} = "";
 	$pa_config->{"basepath"} = $pa_config->{'pandora_path'}; # Compatibility with Pandora 1.1
 	$pa_config->{"incomingdir"} = "/var/spool/pandora/data_in";
 	$pa_config->{"user"} = "pandora"; # environment settings default user owner for files generated 
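Review bot: The dbssl comment does not tell the operator that a trust anchor is required once SSL is on, although set_ssl_opts later in this diff enables mysql_ssl_verify_server_cert=1, whose server-certificate check needs mysql_ssl_ca_file or mysql_ssl_ca_path to succeed (confirm against the DBD::mysql version shipped with the server). A `dbssl 1` with both path entries left commented out will therefore most likely fail to connect rather than run unverified, which is the right outcome but a confusing one without a hint in the template. Suggest extending the first comment: `# dbssl: Enable (1) or disable (0) SSL for the database connection. When enabled the server certificate is verified, so set dbsslcafile or dbsslcapath to the CA that signed it.`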
@@ -704,6 +707,15 @@ sub pandora_load_config {
 	elsif ($parametro =~ m/^dbname\s(.*)/i) {
 		$pa_config->{'dbname'}= clean_blank($1);
 	}
+	elsif ($parametro =~ m/^dbssl\s+([0-1])/i) {
+		$pa_config->{'dbssl'}= clean_blank($1);
+	}
+	elsif ($parametro =~ m/^dbsslcapath\s(.*)/i) {
+		$pa_config->{'dbsslcapath'}= clean_blank($1);
+	}
+	elsif ($parametro =~ m/^dbsslcafile\s(.*)/i) {
+		$pa_config->{'dbsslcafile'}= clean_blank($1);
+	}
 	elsif ($parametro =~ m/^dbuser\s(.*)/i) {
 		$pa_config->{'dbuser'}= clean_blank($1);
 	}
@@ -1282,6 +1294,9 @@ sub pandora_load_config {
 		}
 	}
 
+	# Configure SSL.
+	set_ssl_opts($pa_config);
+
 	if (($pa_config->{"verbosity"} > 4) && ($pa_config->{"quiet"} == 0)){
 		if ($pa_config->{"PID"} ne ""){
 			print " [*] PID File is written at ".$pa_config->{'PID'}."\n";
diff --git a/pandora_server/lib/PandoraFMS/DB.pm b/pandora_server/lib/PandoraFMS/DB.pm
index ffe7eee54f..2c950c54b0 100644
--- a/pandora_server/lib/PandoraFMS/DB.pm
+++ b/pandora_server/lib/PandoraFMS/DB.pm
@@ -109,6 +109,7 @@ our @EXPORT = qw(
 	get_agentmodule_status
 	get_agentmodule_status_str
 	get_agentmodule_data
+	set_ssl_opts
 	$RDBMS
 	$RDBMS_QUOTE
 	$RDBMS_QUOTE_STRING
@@ -123,6 +124,9 @@ our $RDBMS_QUOTE = '';
 # For strings, Character used to quote in the current RDBMS
 our $RDBMS_QUOTE_STRING = '';
 
+# SSL options.
+my $SSL_OPTS = '';
+
 ##########################################################################
 ## Connect to the DB.
 ##########################################################################
@@ -135,7 +139,7 @@ sub db_connect ($$$$$$) {
 		$RDBMS_QUOTE_STRING = '"';
 
 		# Connect to MySQL
-		my $dbh = DBI->connect("DBI:mysql:$db_name:$db_host:$db_port", $db_user, $db_pass, { RaiseError => 1, AutoCommit => 1 });
+		my $dbh = DBI->connect("DBI:mysql:$db_name:$db_host:$db_port;$SSL_OPTS", $db_user, $db_pass, { RaiseError => 1, AutoCommit => 1 });
 		return undef unless defined ($dbh);
 
 		# Enable auto reconnect 
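Review bot: `m/^dbssl\s+([0-1])/i` is not anchored at the end, so a value such as `dbssl 10` or `dbssl 1x` is silently accepted as 1 instead of being rejected the way a typo'd key would be; `m/^dbssl\s+([01])\s*$/i` would refuse the trailing garbage. The dbsslcapath and dbsslcafile branches follow the neighbouring `\s(.*)` pattern, which is consistent, but clean_blank on a single captured digit does nothing and could be dropped from the dbssl branch. pandora_load_config continues outside the hunk.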
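Review bot: set_ssl_opts is called here as a bareword sub, which only resolves if Config.pm imports it from PandoraFMS::DB; the diff adds it to DB.pm's @EXPORT, but the `use PandoraFMS::DB` line of Config.pm is not in view, so please confirm it is imported there, otherwise the call dies at run time when the configuration is loaded. The placement is sound as far as the hunk shows: it runs inside pandora_load_config before any connection would be opened, which is what the file-scoped $SSL_OPTS in DB.pm requires. pandora_load_config continues outside the hunk.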
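Review bot: $SSL_OPTS is only consulted in the MySQL branch of db_connect, so with any other dbengine a `dbssl 1` setting is silently ignored; if the other branches cannot honour it, a warning in set_ssl_opts or a note in the conf template would stop an operator believing the link is encrypted when it is not. Because $SSL_OPTS is a file lexical that starts empty, any caller of db_connect that never ran set_ssl_opts also connects without SSL, which deserves a comment on the connect line, e.g. `# $SSL_OPTS stays empty unless set_ssl_opts() ran first; empty means a plaintext connection.` The bare trailing `;` left when $SSL_OPTS is empty is harmless with DBD::mysql's DSN parser, which splits on both `:` and `;`, but `($SSL_OPTS ne '' ? ";$SSL_OPTS" : '')` would keep the DSN tidy. db_connect continues outside the hunk.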
@@ -1542,6 +1546,29 @@ sub db_release_lock($$) {
 	my ($lock) = $sth->fetchrow;
 }
 
+########################################################################
+## Set SSL options globally for the module.
+########################################################################
+sub set_ssl_opts($) {
+	my ($pa_config) = @_;
+
+	# SSL is disabled for the DB.
+	if (!defined($pa_config->{'dbssl'}) || $pa_config->{'dbssl'} == 0) {
+		return;
+	}
+
+	# Enable SSL.
+	$SSL_OPTS = "mysql_ssl=1;mysql_ssl_optional=1;mysql_ssl_verify_server_cert=1";
+
+	# Set additional SSL options.
+	if (defined($pa_config->{'dbsslcapath'}) && $pa_config->{'dbsslcapath'} ne "") {
+		$SSL_OPTS .= ";mysql_ssl_ca_path=" . $pa_config->{'dbsslcapath'};
+	}
+	if (defined($pa_config->{'dbsslcafile'}) && $pa_config->{'dbsslcafile'} ne "") {
+		$SSL_OPTS .= ";mysql_ssl_ca_file=" . $pa_config->{'dbsslcafile'};
+	}
+}
+
 # End of function declaration
 # End of defined Code
 
diff --git a/pandora_server/util/pandora_db.pl b/pandora_server/util/pandora_db.pl
index ffaf0084ff..633ee7454b 100755
--- a/pandora_server/util/pandora_db.pl
+++ b/pandora_server/util/pandora_db.pl
@@ -629,6 +629,9 @@ sub pandora_load_config_pdb ($) {
 	$conf->{'claim_back_snmp_modules'} = '1' unless defined ($conf->{'claim_back_snmp_modules'});
 	$conf->{'verbosity'} = '3' unless defined ($conf->{'verbosity'});
 
+	# Configure SSL.
+	set_ssl_opts($conf);
+
 	# Dynamic interval configuration.
 	$conf->{"dynamic_constant"} = 0.10 unless defined($conf->{"dynamic_constant"});
 	$conf->{"dynamic_warning"} = 0.10 unless defined($conf->{"dynamic_warning"});
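Review bot: `mysql_ssl_optional=1` in the $SSL_OPTS string undoes the enforcement that `mysql_ssl=1` provides: DBD::mysql documents this attribute as making SSL optional and warns that it exposes the connection to a man-in-the-middle downgrade, so if the server does not offer TLS (or something between the two strips it) the client quietly falls back to plaintext while the operator who set `dbssl 1` believes the link is encrypted. Since dbssl is an explicit opt-in, the line should read `$SSL_OPTS = "mysql_ssl=1;mysql_ssl_verify_server_cert=1";`, with a comment stating that a missing CA (dbsslcapath and dbsslcafile both empty) is expected to make the verified connection fail rather than degrade. The two path values are concatenated into the DSN unescaped, so a path containing `;` or `=` would be mis-parsed; the file is administrator-controlled, so a comment on that restriction next to the concatenation is sufficient. The `($)` prototype matches the file's existing style but, as elsewhere in this module, only affects parsing rather than validating the argument.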
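Review bot: set_ssl_opts reads `dbssl`, `dbsslcapath` and `dbsslcafile` from $conf, but nothing in this hunk shows pandora_load_config_pdb populating those keys or defaulting `dbssl`; if its parser only recognises a fixed key list, SSL stays off for pandora_db.pl even on a host configured with `dbssl 1`, and a database that enforces TLS would then refuse the tool's connection. Please confirm the keys reach $conf, or add `$conf->{'dbssl'} = '0' unless defined ($conf->{'dbssl'});` beside the other defaults for symmetry with Config.pm. pandora_load_config_pdb continues outside the hunk.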