Security

Overview

XIMP security encompasses agent authentication via per-node tokens, dashboard access control through Xloud identity roles, and TLS certificate lifecycle management for all platform communications.

Administrator Access Required — This operation requires the admin role. Contact your Xloud administrator if you do not have sufficient permissions.

Agent Authentication

Each XIMP agent authenticates to the collector using a unique per-node token. Rotate tokens periodically and immediately when a node is decommissioned or suspected compromised.

Token Lifecycle
Token Rotation Procedure

Generate a new agent token

ximp agent token create --node compute-node-04 --expires 365d

List all agent tokens with expiry

ximp agent token list

Revoke an agent token

ximp agent token revoke <TOKEN_ID>

Revoking a token immediately disconnects the associated agent. Ensure the replacement token is deployed to the agent configuration before revoking the old one, or the node will stop reporting metrics.

Generate new token

Create replacement token

ximp agent token create --node <HOSTNAME> --expires 365d

Update agent configuration

Update /etc/ximp/agent.yaml on the node with the new token value:

/etc/ximp/agent.yaml

server:
  auth_token: <NEW_TOKEN>

Restart agent and verify

Restart agent

systemctl restart ximp-agent

Verify agent reconnected

ximp agent list --node <HOSTNAME>

Agent shows ACTIVE with a recent last-seen timestamp.

Revoke old token

ximp agent token revoke <OLD_TOKEN_ID>

Dashboard Access Control

XIMP dashboard access is controlled through Xloud identity roles. Assign roles based on job function to enforce least-privilege access.

Role	Access Level	Typical Assignees
`monitoring-viewer`	Read-only — dashboards and alert history	Developers, stakeholders
`monitoring-editor`	Create and edit dashboards, rules, and channels	Operations engineers
`monitoring-admin`	Full access — agents, retention, security settings	Platform administrators

Assign roles through XDeploy → Identity → Role Assignments.

Use the monitoring-viewer role for application teams who need to observe their service metrics without the ability to modify alert rules that affect other teams.

TLS Configuration

All XIMP communication uses TLS:

Agent-to-collector: TLS 1.3 minimum
Dashboard and API: TLS 1.3 minimum, HSTS enabled
Internal service communication: mTLS for collector-to-store traffic

Certificates are managed by XDeploy and renewed automatically 30 days before expiry.

Certificate Status
Manual Renewal

Check all certificate expiry dates

ximp tls status

Expected output shows certificate subjects, expiry dates, and days remaining. Certificates within 30 days of expiry trigger an automatic renewal.

If automatic renewal fails (e.g., due to DNS misconfiguration):

Manually renew all certificates

ximp tls renew --all

Renew a specific certificate

ximp tls renew --component collector

After renewal, verify the new certificate is in effect:

Verify renewed certificate

ximp tls status --component collector

Certificate expiry date is at least 90 days in the future.

Next Steps

Agent Configuration

Deploy and configure agents whose tokens are managed here

Alert Channels

Secure notification channel credentials and SMTP authentication

Troubleshooting

Diagnose TLS and authentication errors

Xloud Identity

Manage the Xloud identity roles used for XIMP access control

Core Services

Other Services

Overview

Agent Authentication

Generate new token

Update agent configuration

Restart agent and verify

Revoke old token

Dashboard Access Control

TLS Configuration

Next Steps

Agent Configuration

Alert Channels

Troubleshooting

Xloud Identity

Core Services

Other Services

Documentation Index

​Overview

​Agent Authentication

Generate new token

Update agent configuration

Restart agent and verify

Revoke old token

​Dashboard Access Control

​TLS Configuration

​Next Steps

Agent Configuration

Alert Channels

Troubleshooting

Xloud Identity

Overview

Agent Authentication

Dashboard Access Control

TLS Configuration

Next Steps