Percona Monitoring and Management
    Secure

    By default, PMM ships with a self-signed certificate so that it works out of the box. While this does give you encrypted connections between clients (database clients and web/API clients) and the PMM Server, it should not be considered a properly secured connection, because clients have no way to verify the server's identity. Taking the following precautions will ensure that you are truly secure:

    • SSL encryption with trusted certificates to secure traffic between clients and server;

    • Grafana HTTPS secure cookies

    SSL encryption

    Valid and trusted SSL certificates are needed to encrypt traffic between the client and server. Certificates can be purchased online from various sources, or some organizations generate their own trusted certificates. Regardless of which path you choose for enabling maximum security, the process to secure PMM consists of the following components:

    1. Staging the files in the proper locations:

      • You can directly mount to a local directory containing the required certificates or
      • You can copy the files to the appropriate directory in your Container|AMI|OVF
    2. Restarting PMM

    3. Ensuring the client(s) trust the certificate issuer (the Ubuntu or RedHat instructions can get you started, but this is somewhat OS specific)

    With our Docker, OVF and AMI images, certificates are stored in /srv/nginx and our self-signed certificates are staged there by default.

    Mounting certificates

    For container-based installation, if your certificates are in a directory called /etc/pmm-certs on the container host, run the following to mount that directory in the proper location so that PMM can find it when the container starts:

    docker run -d -p 443:443 --volumes-from pmm-data \
      --name pmm-server -v /etc/pmm-certs:/srv/nginx \
      --restart always percona/pmm-server:2
    
    • All certificates must be owned by root. You can do this with: chown 0:0 /etc/pmm-certs/*
    • The mounted certificate directory (/etc/pmm-certs in this example) must contain the files named certificate.crt, certificate.key, ca-certs.pem, and dhparam.pem.
    • For SSL encryption, the container should publish on port 443 instead of 80.
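
    Before mounting the directory, it is worth checking that it meets the requirements just listed (the four file names, root ownership, and a certificate that actually belongs to the key), because nginx inside the container will refuse to start on a missing or mismatched key, and the failure only shows up in the container log. The following POSIX shell script is an added example; it is not part of the PMM documentation or the pmm-server image. The function names and the script name are this example's own, and the key pair check runs only when openssl is installed on the host.

```shell
#!/bin/sh
# Pre-flight checks for a PMM certificate directory before mounting it at /srv/nginx.
# Added example; not part of the PMM documentation or the pmm-server image.

# The four file names PMM expects to find in /srv/nginx.
PMM_CERT_FILES="certificate.crt certificate.key ca-certs.pem dhparam.pem"

# Return 0 when every required file exists and is non-empty in directory $1;
# otherwise name each missing or empty file on stderr and return 1.
check_pmm_cert_files() {
    dir=$1
    missing=0
    for f in $PMM_CERT_FILES; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f" >&2
            missing=1
        fi
    done
    return $missing
}

# Return 0 when every required file in $1 is owned by root (what the docs
# achieve with `chown 0:0`); otherwise list the offenders and return 1.
# `find -user root` is used because `stat` flags differ between GNU and BSD.
check_pmm_cert_owner() {
    dir=$1
    bad=0
    for f in $PMM_CERT_FILES; do
        if [ -z "$(find "$dir/$f" -maxdepth 0 -user root 2>/dev/null)" ]; then
            echo "not owned by root: $dir/$f" >&2
            bad=1
        fi
    done
    return $bad
}

# Return 0 when certificate.crt carries the public key that belongs to
# certificate.key; a mismatched pair makes nginx fail at startup.
# Skipped (status 0, with a notice) when openssl is not installed.
check_pmm_cert_keypair() {
    dir=$1
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found; skipping key pair check" >&2
        return 0
    fi
    cert_pub=$(openssl x509 -in "$dir/certificate.crt" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$dir/certificate.key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run all checks; return 0 only when the directory is ready to mount.
check_pmm_cert_dir() {
    dir=$1
    rc=0
    check_pmm_cert_files "$dir" || rc=1
    check_pmm_cert_owner "$dir" || rc=1
    check_pmm_cert_keypair "$dir" || rc=1
    return $rc
}

# Usage (hypothetical script name): sh check-pmm-certs.sh /etc/pmm-certs
if [ $# -gt 0 ]; then
    check_pmm_cert_dir "$1" && echo "$1 is ready to mount at /srv/nginx"
fi
```

    Run it as root on the container host against the directory you intend to pass to -v; a non-zero exit means at least one of the three requirements is not met, and the reason is printed on stderr. The ownership check is separate from the existence check so that it can be rerun after chown 0:0 without touching the files again.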

    Copying certificates

    If PMM Server is running as a Docker image, use docker cp to copy certificates. This example copies certificate files from the current working directory to a running PMM Server docker container.

    docker cp certificate.crt pmm-server:/srv/nginx/certificate.crt
    docker cp certificate.key pmm-server:/srv/nginx/certificate.key
    docker cp ca-certs.pem pmm-server:/srv/nginx/ca-certs.pem
    docker cp dhparam.pem pmm-server:/srv/nginx/dhparam.pem
    docker exec -it pmm-server chown root:root /srv/nginx/*
    

    Use trusted SSL when connecting PMM Client to PMM Server

    For the new trusted certificates to take effect, you’ll just need to restart the PMM server (or advanced users can restart just nginx from a shell: supervisorctl restart nginx).

    You can now register clients to the PMM Server using the following:

    pmm-admin config --server-url=https://<user>:<password>@<server IP>
    

    Remember

    Your client machine(s) must trust the issuer of the certificate; otherwise you will still see “untrusted connection” messages when accessing the web interface, and pmm-admin config will need the --server-insecure-tls parameter, which skips certificate verification. Follow the instructions for your operating system to install the issuer certificate (ca-certs.pem).

    If pmm-client runs in a container, mount the certificates to /etc/pki/tls/certs:

    PMM_SERVER=X.X.X.X:443
    docker run \
    --rm \
    --name pmm-client \
    -e PMM_AGENT_SERVER_ADDRESS=${PMM_SERVER} \
    -e PMM_AGENT_SERVER_USERNAME=admin \
    -e PMM_AGENT_SERVER_PASSWORD=admin \
    -e PMM_AGENT_SETUP=1 \
    -e PMM_AGENT_CONFIG_FILE=config/pmm-agent.yaml \
    -v /your_directory_with/certs:/etc/pki/tls/certs \
    --volumes-from pmm-client-data \
    percona/pmm-client:2
    

    Grafana HTTPS secure cookies

    To enable secure cookies:

    1. Start a shell within the Docker container.

      docker exec -it pmm-server bash
      
    2. Edit /etc/grafana/grafana.ini.

    3. Enable cookie_secure and set the value to true.

    4. Restart Grafana.

      supervisorctl restart grafana
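
    Steps 2 and 3 are a one-line change, but editing the file by hand inside the container is easy to get wrong: in a stock grafana.ini the key is present as a commented-out ;cookie_secure = false line under [security], and a cookie_secure line added under any other section is silently ignored. The following POSIX shell script is an added example, not part of the PMM documentation or the pmm-server image. It sets cookie_secure = true in the [security] section idempotently and reads the value back so the edit can be verified before Grafana is restarted. The function names are this example's own; that cookie_secure belongs under [security] is taken from Grafana's stock grafana.ini.

```shell
#!/bin/sh
# Idempotently enable Grafana's secure session cookie in grafana.ini.
# Added example; not part of the PMM documentation or the pmm-server image.

# Print the active value of KEY inside [SECTION] of FILE (last match wins).
# Commented-out ";key = value" lines are ignored, so an untouched stock file
# yields an empty string for cookie_secure.
ini_get() {
    file=$1
    section=$2
    key=$3
    awk -v s="[$section]" -v k="$key" '
        /^\[/ { line = $0; sub(/[ \t]+$/, "", line); insec = (line == s) }
        insec && match($0, "^[ \t]*" k "[ \t]*=") {
            val = substr($0, RLENGTH + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
        }
        END { print val }
    ' "$file"
}

# Set KEY = VALUE inside [SECTION] of FILE. An existing line for the key
# (active or commented out) is replaced in place; otherwise the line is
# appended at the end of the section; a missing section is created.
ini_set() {
    file=$1
    section=$2
    key=$3
    value=$4
    tmp="$file.tmp.$$"
    awk -v s="[$section]" -v k="$key" -v v="$value" '
        # Emit the setting exactly once.
        function emit() { if (!done) { print k " = " v; done = 1 } }
        /^\[/ {
            if (insec) emit()        # leaving the target section without a match
            line = $0; sub(/[ \t]+$/, "", line)
            insec = (line == s); if (insec) seen = 1
        }
        insec && match($0, "^[ \t]*;?[ \t]*" k "[ \t]*=") { emit(); next }
        { print }
        END {
            if (insec) emit()        # target section was the last one in the file
            if (!seen) { print ""; print s; emit() }
        }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Return 0 when FILE has cookie_secure = true active under [security].
grafana_secure_cookies_enabled() {
    [ "$(ini_get "$1" security cookie_secure)" = "true" ]
}

# Usage inside the pmm-server container (hypothetical script name):
#   sh enable-secure-cookies.sh /etc/grafana/grafana.ini
if [ $# -gt 0 ]; then
    ini_set "$1" security cookie_secure true
    grafana_secure_cookies_enabled "$1" && echo "cookie_secure enabled in $1; now run: supervisorctl restart grafana"
fi
```

    Run it from the shell opened in step 1, then restart Grafana as in step 4. The section-aware awk avoids the common mistake of sed -i 's/;cookie_secure = false/cookie_secure = true/', which does nothing when the line is already uncommented or spelled differently. Note that with cookie_secure on, browsers only return the Grafana session cookie over HTTPS, so users must reach PMM through the published port 443 rather than plain HTTP.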
      

    Contact us

    For free technical help, visit the Percona Community Forum.

    To report bugs or submit feature requests, open a JIRA ticket.

    For paid support and managed or consulting services, contact Percona Sales.


    Last update: 2023-09-27
    Percona LLC, © 2023
