Checkmk

1. Introduction

The password store in Checkmk keeps, in a central location, the passwords that the monitoring system needs in order to access a wide variety of other systems. The password store differentiates between who is allowed to store a password and who is allowed to use it. This allows you to map an organizational separation in your company between the storage and the use of access data in Checkmk. Checkmk uses contact groups for this purpose.

A further advantage is that a password saved in the password store can be changed without having to touch the actual configuration that uses this password. The password itself is not displayed during use, only its title.

The password store not only stores the passwords assigned to a user, but also, for example, secrets (for apps in Microsoft Azure), tokens (for service accounts in a Kubernetes cluster) or URLs (for notifications to Microsoft Teams, Slack or Cisco Webex Teams, for example).

Tip

The password store is used to collect sensitive information in a central location instead of keeping it distributed in different places in the Checkmk site. The password store is not a password safe. Checkmk requires the access data, passwords included, in plain text in order to be able to continuously contact the remote systems and retrieve the monitoring data. So that the passwords are not stored in plain text in the file system, the password file is encrypted, using a key that is itself stored in the site directory. Because anyone who can read the site directory can read both the password file and its key, this does not provide what is generally understood as encryption; to make that clear, the procedure is called obfuscation.

Checkmk offers the password store wherever access data must be entered in order to reach another system's monitoring data, for example when configuring active checks, special agents, rules for the Agent Bakery or notification methods in notification rules.

In this article, we will explain how to use the password store using the example of accessing an MQTT server — or broker, as it is called in the MQTT architecture. Such a broker collects sensor data in the 'Internet of Things' (IoT). In Checkmk, this broker can be monitored, for example to determine how many messages are in the queue.

2. Creating a password

You can access the Checkmk password store via Setup > General > Passwords. To create a new password, click on Add password.

Figure: Dialog for creating a password in the password store. A password for an MQTT broker is created here.

As usual in Checkmk, creating a password in the password store requires an internal Unique ID and a Title. Choose a meaningful title, because only this title is displayed when a password is selected later: not only you, but also the Checkmk users who will use the password, must be able to tell from the title what it is for.

First enter the password in the Password properties box. With the following two options, Editable by and Share with, you control who has access to this password.

With Editable by you select a group of Checkmk users who have full access to the password, that is, who may use, change or delete it. The default selection here is Administrators, which restricts access to Checkmk administrators, as only the admin role has the Write access to all passwords permission by default. Alternatively, you can grant full access to one of the contact groups you are yourself assigned to. With the Share with option you can name additional contact groups to which the password is made available for use (but which, unlike the group chosen under Editable by, cannot change or delete it).

Once you have completed the password creation with Save, you will see the overview page for the password store, which lists all passwords with the most important parameters:

Figure: The password store overview page. The password list is preceded by a summary of what the password store can, and cannot, do.

Tip

By default, access to the password store is open not only to administrators but also to normal monitoring users, as both roles, admin and user, have the Password management permission. However, normal monitoring users only see the passwords for which they have full access, and they can only assign a password to contact groups (not to Checkmk administrators).

3. Selecting a password

You can select a password from the password store within many Checkmk pages. For example, you can find the active checks in Setup > Services > HTTP, TCP, Email, …​ and the special agents in Setup > Agents > VM, cloud, container or Setup > Agents > Other integrations.

The rule set for the MQTT special agent is called MQTT broker statistics. Create a new rule:

Figure: Rule with which a password can be selected from the password store. The password for the MQTT broker is used here.

Activate Username and enter the MQTT broker's user name. Then activate Password of the user. By default, Explicit is selected, which lets you enter the password directly in the corresponding field. Wherever a selection list is offered when entering access data, you can use the password store instead of an explicit entry: select From password store in the list, and a second list containing all the passwords you are allowed to use is displayed on the right.

4. Files and directories

File path: ~/var/check_mk/stored_passwords
Function: The password store file containing the obfuscated passwords.

File path: ~/etc/password_store.secret
Function: The file with the key used to obfuscate the password file.

File path: ~/lib/python3/cmk/utils/password_store/__init__.py
Function: The Checkmk Python module for the password store. The comment lines at the beginning of this file explain how to use the password store in self-written active checks or special agents.
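As an added illustration (not code from Checkmk or from this article), the following Python script builds a miniature password store that has the three properties described in this article: rules carry only a password ID rather than the password itself, the store file is obfuscated with a key kept right next to it (the Tip in section 1), and a self-written check resolves the ID at start-up instead of receiving the plain password. The file names, the `store:<id>` argument syntax and the HMAC-based stream cipher are assumptions chosen for the example; Checkmk's real file format and the argument convention its module expects are described in the module comments mentioned above, not here.

```python
"""Added example, not Checkmk's own code: a miniature password store that
reproduces the properties the article describes and makes the obfuscation
caveat concrete. File names, the 'store:<id>' argument syntax and the cipher
are illustrative stand-ins, not Checkmk's real format or API."""
import base64
import hashlib
import hmac
import json
import os
import secrets
import tempfile

KEY_FILE = "password_store.secret"   # stand-in for ~/etc/password_store.secret
STORE_FILE = "stored_passwords"      # stand-in for ~/var/check_mk/stored_passwords


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a keystream derived from key and nonce."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def ensure_key(site_dir: str) -> bytes:
    """Create the key file on first use. Note that it lives next to the store."""
    path = os.path.join(site_dir, KEY_FILE)
    if not os.path.exists(path):
        with open(path, "wb") as f:
            f.write(secrets.token_bytes(32))
        os.chmod(path, 0o600)
    with open(path, "rb") as f:
        return f.read()


def save_store(site_dir: str, entries: dict) -> None:
    """Write {id: password} to the store file, obfuscated with the site key."""
    key = ensure_key(site_dir)
    nonce = secrets.token_bytes(16)
    plain = json.dumps(entries).encode()
    cipher = _xor(plain, _keystream(key, nonce, len(plain)))
    blob = {"nonce": base64.b64encode(nonce).decode(),
            "data": base64.b64encode(cipher).decode()}
    with open(os.path.join(site_dir, STORE_FILE), "w") as f:
        json.dump(blob, f)


def load_store(site_dir: str) -> dict:
    """Read the store back. Anyone who can read both files can do this too."""
    key = ensure_key(site_dir)
    with open(os.path.join(site_dir, STORE_FILE)) as f:
        blob = json.load(f)
    nonce = base64.b64decode(blob["nonce"])
    cipher = base64.b64decode(blob["data"])
    return json.loads(_xor(cipher, _keystream(key, nonce, len(cipher))))


def resolve_argv(site_dir: str, argv: list) -> list:
    """What a self-written check does at start-up: turn a password reference
    ('--password=store:<id>') into the real password, so the rule only ever
    carries the ID. Illustrative syntax, not Checkmk's."""
    store = load_store(site_dir)
    resolved = []
    for arg in argv:
        if arg.startswith("--password=store:"):
            pw_id = arg.split(":", 1)[1]
            if pw_id not in store:
                raise KeyError("unknown password id: " + pw_id)
            arg = "--password=" + store[pw_id]
        resolved.append(arg)
    return resolved


def demo() -> dict:
    """Store an MQTT password, resolve it from a rule, rotate it without
    touching the rule, then show what plain filesystem access yields."""
    site = tempfile.mkdtemp()
    rule = ["agent_mqtt", "--username=monitoring",
            "--password=store:mqtt_broker", "broker01.example"]   # constructed
    save_store(site, {"mqtt_broker": "s3cr3t"})
    first = resolve_argv(site, rule)
    save_store(site, {"mqtt_broker": "n3w-s3cr3t"})      # rotation: same rule
    rotated = resolve_argv(site, rule)
    with open(os.path.join(site, STORE_FILE), "rb") as f:
        on_disk = f.read()
    return {
        "first": first,
        "rotated": rotated,
        "plaintext_on_disk": b"n3w-s3cr3t" in on_disk,   # False: obfuscated
        "recovered_with_both_files": load_store(site),    # trivially recovered
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the two points that matter in practice: the rule is identical before and after the password change, and the store file does not contain the password in plain text, yet `load_store()` needs nothing beyond read access to the two files to recover every entry. That is exactly why the article calls the mechanism obfuscation rather than a password safe, and why file permissions on the site directory remain the real protection.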
