Secure your MBI platform

This chapter describes advanced procedures to secure your Centreon MBI platform.

If you want to use MBI with a secured database connection, we recommend that you also secure your Centreon platform. Follow this procedure if needed.

Configure TLS on a MySQL or MariaDB database

This section describes how to enable SSL between Centreon MBI and a MySQL or MariaDB server using certificate authority verification (VERIFY_CA / verify-ca mode).

Note: This procedure covers the VERIFY_CA mode only. In this mode, the server certificate is validated against a trusted Certificate Authority, but the hostname/IP address is not verified. For other SSL verification modes, see the SSL Mode reference section.

Step 1 - Generate keys and certificates

If you have already generated certificates (e.g., when configuring Centreon MAP), you can skip this section and reuse the existing CA certificate.

1. Create a directory (/etc/mysql/newcerts in this example) to store your certificate files:

mkdir -p /etc/mysql/newcerts
cd /etc/mysql/newcerts

2. Generate the Certificate Authority (CA). The CA is used to sign both the server and client certificates, establishing a chain of trust.

# Generate the CA private key
openssl genrsa 2048 > ca-key.pem
# Generate the CA self-signed certificate
openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem

3. Generate the server certificate. The server certificate is presented by MySQL to clients during the SSL handshake.

# Generate the server private key and CSR (Certificate Signing Request)
openssl req -newkey rsa:2048 -days 365000 -nodes -keyout server-key.pem -out server-req.pem

# Convert the server key to RSA format (required by MariaDB)
openssl rsa -in server-key.pem -out server-key.pem

# Sign the server certificate with the CA
openssl x509 -req -in server-req.pem -days 365000 \
-CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 \
-out server-cert.pem

4. Generate the client certificate (optional — mTLS only). The client certificate is used by the application to authenticate itself to MySQL. Skip this section if you only need REQUIRE SSL.

# Generate the client private key and CSR
openssl req -newkey rsa:2048 -days 365000 -nodes -keyout client-key.pem -out client-req.pem

# Convert the client key to RSA format
openssl rsa -in client-key.pem -out client-key.pem

# Sign the client certificate with the CA. Use a different serial number from the
# server certificate: two certificates issued by the same CA must not share a serial.
openssl x509 -req -in client-req.pem -days 365000 \
-CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 \
-out client-cert.pem

5. Verify the certificates. Ensure both certificates are correctly signed by the CA before proceeding.

openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
# Expected output:
# server-cert.pem: OK
# client-cert.pem: OK

6. Set the file ownership and permissions: private keys readable only by the database user, certificates readable by everyone.

chown -Rv mysql:mysql /etc/mysql/newcerts/*.pem
chmod 600 /etc/mysql/newcerts/server-key.pem /etc/mysql/newcerts/client-key.pem
chmod 644 /etc/mysql/newcerts/ca-cert.pem /etc/mysql/newcerts/server-cert.pem /etc/mysql/newcerts/client-cert.pem

Step 2 - Configure the MySQL/MariaDB server

If the server is already configured for SSL (e.g., for Centreon MAP), skip this section.

Ensure you are using the directory you previously created (/etc/mysql/newcerts in this example).

1. Edit the MySQL server configuration. Add the following block to your MySQL server configuration file (typically /etc/mysql/mysql.conf.d/mysqld.cnf):

[mysqld]
ssl-ca=/etc/mysql/newcerts/ca-cert.pem
ssl-cert=/etc/mysql/newcerts/server-cert.pem
ssl-key=/etc/mysql/newcerts/server-key.pem
# Restrict to secure TLS versions only
tls_version=TLSv1.2,TLSv1.3

2. Verify SSL is active. Run this once the database server has been restarted with the new configuration:

SHOW VARIABLES LIKE '%ssl%';
-- have_ssl should be YES
-- ssl_ca, ssl_cert, ssl_key should point to your certificate files

Step 3 - Configure the MySQL/MariaDB user

Centreon MBI uses the centreonbi user. Apply SSL requirements to this user for each relevant host.

1. Require SSL for the user.

-- SSL only (no client certificate required)
ALTER USER 'centreonbi'@'<ip_or_hostname>' REQUIRE SSL;

-- Or mutual TLS (client certificate required)
-- ALTER USER 'centreonbi'@'<ip_or_hostname>' REQUIRE X509;

-- Verify: ssl_type should now show ANY (for SSL) or X509 (for mTLS)
SELECT user, host, ssl_type FROM mysql.user WHERE user='centreonbi';

2. Grant privileges.

GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER,
CREATE TEMPORARY TABLES, LOCK TABLES
ON `centreon`.*
TO `centreonbi`@`<ip_or_hostname>`;

GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER,
CREATE TEMPORARY TABLES, LOCK TABLES
ON `centreon_storage`.*
TO `centreonbi`@`<ip_or_hostname>`;

GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER,
CREATE TEMPORARY TABLES, LOCK TABLES
ON `centreon_mbi`.*
TO `centreonbi`@`<ip_or_hostname>`;

GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER,
CREATE TEMPORARY TABLES, LOCK TABLES
ON `centreon_storage_mbi`.*
TO `centreonbi`@`<ip_or_hostname>`;

Step 4 - Configure JDBC (Centreon MBI / BIRT)

Centreon MBI uses MySQL Connector/J (com.mysql.cj.jdbc.Driver), which does not support PEM files directly. Certificates must be stored in a Java KeyStore (JKS or PKCS12).

File           | Contains                  | Purpose                                             | Required
---------------|---------------------------|-----------------------------------------------------|---------------------
truststore.jks | CA certificate            | Lets Java verify the database server's identity     | Always
keystore.jks   | Client cert + private key | Lets the database verify the application's identity | Only if REQUIRE X509

Note: mTLS is optional. It is only needed if the MySQL user was created with REQUIRE X509. If the user was created with REQUIRE SSL, only the TrustStore is required.

1. Create the TrustStore. The TrustStore contains the CA certificate. Java uses it to validate that the MySQL server's certificate was signed by a trusted authority.

keytool -importcert -alias mysqlServerCACert \
-file /etc/mysql/newcerts/ca-cert.pem \
-keystore /etc/mysql/newcerts/truststore.jks \
-storepass changeit \
-noprompt

2. Create the KeyStore (optional — mTLS only). Skip if the centreonbi user was created with REQUIRE SSL.

2.1 Bundle the client cert and key into a PKCS12 file:

openssl pkcs12 -export \
-in /etc/mysql/newcerts/client-cert.pem \
-inkey /etc/mysql/newcerts/client-key.pem \
-out /etc/mysql/newcerts/client.p12 \
-name mbiClient \
-passout pass:changeit

2.2 Convert PKCS12 to JKS:

keytool -importkeystore \
-srckeystore /etc/mysql/newcerts/client.p12 -srcstoretype PKCS12 -srcstorepass changeit \
-destkeystore /etc/mysql/newcerts/keystore.jks -deststoretype JKS -deststorepass changeit

3. Set file permissions.

chown centreon-bi: /etc/mysql/newcerts/*.jks
chmod 640 /etc/mysql/newcerts/*.jks

4. Update the BIRT XML profile files.

Important — XML encoding: In XML attribute values, the & separator between URL parameters must be written as &amp;. Failing to do so will cause an XML parse error and prevent MBI from starting.

Two files must be updated, each containing two profiles.

/etc/cbis-conf/cbis-profile.xml

Profile Centreon (centreon database):

<property name="odaURL" value="jdbc:mysql://<ip_or_hostname>:3306/centreon?autoReconnect=true&amp;sslMode=VERIFY_CA&amp;trustCertificateKeyStoreUrl=file:/etc/mysql/newcerts/truststore.jks&amp;trustCertificateKeyStorePassword=changeit"/>

Profile Censtorage (centreon_storage database):

<property name="odaURL" value="jdbc:mysql://<ip_or_hostname>:3306/centreon_storage?autoReconnect=true&amp;sslMode=VERIFY_CA&amp;trustCertificateKeyStoreUrl=file:/etc/mysql/newcerts/truststore.jks&amp;trustCertificateKeyStorePassword=changeit"/>

/etc/cbis-conf/reports-profile.xml

Profile Centreon (centreon_mbi database):

<property name="odaURL" value="jdbc:mysql://<ip_or_hostname>:3306/centreon_mbi?autoReconnect=true&amp;sslMode=VERIFY_CA&amp;trustCertificateKeyStoreUrl=file:/etc/mysql/newcerts/truststore.jks&amp;trustCertificateKeyStorePassword=changeit"/>

Profile Censtorage (centreon_storage_mbi database):

<property name="odaURL" value="jdbc:mysql://<ip_or_hostname>:3306/centreon_storage_mbi?autoReconnect=true&amp;sslMode=VERIFY_CA&amp;trustCertificateKeyStoreUrl=file:/etc/mysql/newcerts/truststore.jks&amp;trustCertificateKeyStorePassword=changeit"/>

Optional — mTLS (REQUIRE X509): add KeyStore parameters to each URL:

<property name="odaURL" value="jdbc:mysql://<ip_or_hostname>:3306/centreon?autoReconnect=true&amp;sslMode=VERIFY_CA&amp;trustCertificateKeyStoreUrl=file:/etc/mysql/newcerts/truststore.jks&amp;trustCertificateKeyStorePassword=changeit&amp;clientCertificateKeyStoreUrl=file:/etc/mysql/newcerts/keystore.jks&amp;clientCertificateKeyStorePassword=changeit"/>

Apply the same pattern to the three other profiles.
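The profile edits above are easy to get wrong in two ways this page warns about: a bare & that breaks the XML, and an sslMode weaker than VERIFY_CA. The script below is an added example, not part of Centreon's tooling: it parses a profile file, reports each odaURL whose sslMode does not validate the server certificate or lacks TrustStore parameters, flags a missing client KeyStore when the user was created with REQUIRE X509, and turns an unescaped & into a readable finding. The element layout of the sample XML and the host db.example.internal are constructed; only the property name="odaURL" attribute matters to the checker.

```python
"""Check the odaURL JDBC strings of a BIRT profile file (added example, not Centreon code)."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Connector/J sslMode values, weakest to strictest; only the last two verify the server cert
SSL_MODES = ("DISABLED", "PREFERRED", "REQUIRED", "VERIFY_CA", "VERIFY_IDENTITY")

def check_oda_url(url, require_x509=False):
    """Return findings for one jdbc:mysql URL; an empty list means it looks right."""
    findings = []
    if not url.startswith("jdbc:mysql://"):
        return ["not a jdbc:mysql URL"]
    params = {k: v[0] for k, v in parse_qs(url.partition("?")[2]).items()}
    mode = params.get("sslMode", "PREFERRED")  # Connector/J default when sslMode is unset
    if mode not in SSL_MODES:
        findings.append(f"unknown sslMode={mode}")
    elif SSL_MODES.index(mode) < SSL_MODES.index("VERIFY_CA"):
        findings.append(f"sslMode={mode} does not validate the server certificate")
    elif "trustCertificateKeyStoreUrl" not in params:
        findings.append("no trustCertificateKeyStoreUrl: the private CA will not be trusted")
    if require_x509 and "clientCertificateKeyStoreUrl" not in params:
        findings.append("user has REQUIRE X509 but no clientCertificateKeyStoreUrl is set")
    for key in ("trustCertificateKeyStoreUrl", "clientCertificateKeyStoreUrl"):
        pw_key = key.replace("Url", "Password")
        if key in params and not params[key].startswith("file:"):
            findings.append(f"{key} should be a file: URL")
        if key in params and pw_key not in params:
            findings.append(f"{key} is set but {pw_key} is missing")
    return findings

def check_profile_xml(xml_text, require_x509=False):
    """Map each database name to its findings; a bare '&' surfaces as a parse-error finding."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:
        return {"(xml)": [f"parse error ({err}); check that '&' is written as '&amp;'"]}
    report = {}
    for prop in root.iter("property"):
        if prop.get("name") == "odaURL":
            url = prop.get("value", "")
            report[url.partition("?")[0].rpartition("/")[2]] = check_oda_url(url, require_x509)
    return report

# Constructed profile: the first URL follows this page, the second only enforces encryption
SAMPLE_XML = """<profiles>
  <property name="odaURL" value="jdbc:mysql://db.example.internal:3306/centreon?autoReconnect=true&amp;sslMode=VERIFY_CA&amp;trustCertificateKeyStoreUrl=file:/etc/mysql/newcerts/truststore.jks&amp;trustCertificateKeyStorePassword=changeit"/>
  <property name="odaURL" value="jdbc:mysql://db.example.internal:3306/centreon_storage?autoReconnect=true&amp;sslMode=REQUIRED"/>
</profiles>"""
```

Run it against the real files with `check_profile_xml(open("/etc/cbis-conf/cbis-profile.xml").read())` and pass `require_x509=True` if the centreonbi user was created with REQUIRE X509.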

Step 5 - Restart Centreon MBI

systemctl restart cbis

Step 6 - Check certificate expiry

TrustStore (CA certificate):

keytool -list -v -keystore /etc/mysql/newcerts/truststore.jks -storepass changeit
# Look for: Valid from ... until ...

KeyStore (client certificate, mTLS only):

keytool -list -v -keystore /etc/mysql/newcerts/keystore.jks -storepass changeit
# Look for: Valid from ... until ...

CA certificate (PEM):

openssl x509 -in /etc/mysql/newcerts/ca-cert.pem -noout -dates

SSL Mode reference

The VERIFY_CA mode is the recommended minimum for production. This table lists other available modes depending on your security requirements:

Mode            | Server cert verified | Hostname/IP verified | Use case
----------------|----------------------|----------------------|----------------------------------------------------------------
DISABLED        | No                   | No                   | Development only — no encryption
PREFERRED       | No                   | No                   | Uses SSL if available, falls back to plain
REQUIRED        | No                   | No                   | Enforces SSL, but does not validate the server cert
VERIFY_CA       | Yes                  | No                   | Used in this procedure — validates the CA chain
VERIFY_IDENTITY | Yes                  | Yes                  | Strictest — also checks hostname/IP against the certificate SAN

Note: If you want to use the VERIFY_IDENTITY mode, the server certificate must include a Subject Alternative Name (SAN) matching the exact IP or hostname used in the JDBC URL.