Feature/agent auth cert key (#98)

wazuh · Jan 14, 2019 · ed8313b · ed8313b
1 parent bcdca0f
commit ed8313b
Showing 1 changed file with 27 additions and 3 deletions.
diff --git a/manifests/client.pp b/manifests/client.pp
@@ -37,6 +37,8 @@
   $manage_client_keys              = 'authd',
   $agent_auth_password             = undef,
   $wazuh_manager_root_ca_pem       = undef,
+  $wazuh_agent_cert                = undef,
+  $wazuh_agent_key                 = undef,
   $agent_seed                      = undef,
   $max_clients                     = 3000,
   $ar_repeated_offenders           = '',
@@ -178,11 +180,33 @@
           content => $wazuh_manager_root_ca_pem,
           require => Package[$agent_package_name],
         }
+       $agent_auth_option_manager = "-v /var/ossec/etc/rootCA.pem"
+      }
 
-        $agent_auth_command = "${agent_auth_base_command} -v /var/ossec/etc/rootCA.pem"
-      } else {
-        $agent_auth_command = $agent_auth_base_command
+    # https://documentation.wazuh.com/current/user-manual/registering/use-registration-service.html#verify-agents-via-ssl
+    if ($wazuh_agent_cert != undef) and ($wazuh_agent_key != undef) {
+      validate_string($wazuh_agent_cert)
+      validate_string($wazuh_agent_key)
+      file { '/var/ossec/etc/sslagent.cert':
+        owner   => $wazuh::params::keys_owner,
+        group   => $wazuh::params::keys_group,
+        mode    => $wazuh::params::keys_mode,
+        content => $wazuh_agent_cert,
+        require => Package[$agent_package_name],
       }
+      file { '/var/ossec/etc/sslagent.key':
+        owner   => $wazuh::params::keys_owner,
+        group   => $wazuh::params::keys_group,
+        mode    => $wazuh::params::keys_mode,
+        content => $wazuh_agent_key,
+        require => Package[$agent_package_name],
+      }
+
+      $agent_auth_option_agent = "-x /var/ossec/etc/sslagent.cert -k /var/ossec/etc/sslagent.key"
+    }
+
+    $agent_auth_command = "$agent_auth_base_command $agent_auth_option_manager $agent_auth_option_agent"
+
 
       if $agent_auth_password {
         exec { 'agent-auth-with-pwd':