Password store

The password store in Checkmk enables passwords that are required for accessing a wide variety of systems in the monitoring system to be stored in a central location. The password store differentiates between who is allowed to store a password and who is allowed to use it. This allows you to map an organizational separation in your company between the storage and use of access data in Checkmk. For this purpose, Checkmk provides the contact groups.

A further advantage is that a password saved in the password store can be changed without having to touch the actual configuration that uses this password. The password itself is not displayed during use, only its title.

The password store not only stores the passwords assigned to a user, but also, for example, secrets (for apps in Microsoft Azure), tokens (for service accounts in a Kubernetes cluster) or URLs (for notifications to Microsoft Teams, Slack or Cisco Webex Teams, for example).

The use of the password store is always offered in Checkmk for when it is necessary to enter access data in order to have access to another system’s monitoring data, for example, when configuring active checks, special agents, rules for the Agent Bakery or notification methods in notification rules.

In this article, we will explain how to use the password store using the example of accessing an MQTT server — or broker, as it is called in the MQTT architecture. Such a broker collects sensor data in the 'Internet of Things' (IoT). In Checkmk, this broker can be monitored, for example to determine how many messages are in the queue.

You can access the Checkmk password store via Setup > General > Passwords. To create a new password, click on Add password.

As usual in Checkmk, the creation of a password in the password store also requires an internal Unique ID and a Title. Choose a meaningful title so that later not only you know what it is about, but also those Checkmk users who will use the password — because only this title will be displayed when selecting a password.

First enter the password in the Password properties box. With the following two options, Editable by and Share with, you control who has access to this password.

With Editable by you select a group of Checkmk users who have full access to the password — to use, change or delete it. The default selection here is Administrators and restricts access to Checkmk administrators, as only the admin role has the Write access to all passwords permission by default. However, you can also grant full access to a contact group that has already been assigned to you. With the Share with option, you can add contact groups to which the password should be made available in addition to use.

Once you have completed the password creation with Save, you will see the overview page for the password store, which lists all passwords with the most important parameters:

You can select a password from the password store within many Checkmk pages. For example, you can find the active checks in Setup > Services > HTTP, TCP, Email, …​ and the special agents in Setup > Agents > VM, cloud, container or Setup > Agents > Other integrations.

The rule set for the MQTT special agent is called MQTT broker statistics. Create a new rule:

Activate Username and enter the MQTT broker’s user name. Then activate Password of the user. By default, Explicit is selected to enter the password directly in the corresponding field. Whenever you are offered a list when entering access data, you can also use the password store instead of explicit entry. To do this, select From password store in the list. A list containing all the passwords you can use will then be displayed on the right.