Chat now with support
Chat mit Support

Foglight Agent Manager 5.9.8 - Foglight Agent Manager Guide

Configuring the embedded Agent Manager Installing external Agent Managers
Understanding how the Agent Manager communicates with the Management Server Deploying the Agent Manager cartridge Downloading the Agent Manager installer Installing the Agent Manager Starting or stopping the Agent Manager process Frequently asked questions
Configuring the Agent Manager Advanced system configuration and troubleshooting
Configuring Windows Management Instrumentation (WMI) Configuring Windows Remote Management (WinRM) UNIX- and Linux-specific configuration
Monitoring the Agent Manager performance Deploying the Agent Manager to large-scale environments

Excluding SSL ciphers from upstream or downstream Connections

You can exclude SSL cipher suites from both upstream Agent Manager connections (to the Management Server or an Agent Manager concentrator), or downstream connections (as a concentrator).

If you need to exclude one or more ciphers from the SSL encryption used for SSL connections, you can do so using one or more excluded-ssl-cipher elements in the fglam.config.xml file. For example, you may want to exclude lower encryption strength ciphers, or ciphers with security vulnerabilities.

1
Open the <fglam_home>/state/<state name>/config/fglam.config.xml file for editing.
2
Between the existing <config:http-upstreams> and </config:http-upstreams> tags, add an <config:http-upstream/> child element:
<config:http-upstream url="https://secure_server_URL:port_number">
1
Open the <fglam_home>/state/<state name>/config/fglam.config.xml file for editing.
2
Between the existing <config:http-downstreams> and </config:http-downstreams> tags, add an <config:https-downstream/> child element:

Excluding Specific SSL Protocols from Downstream Connections

If you need to exclude one or more protocols from the SSL protocol negotiation, you can do so using one or more excluded-ssl-protocol elements. Some common values are SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2.

If none are specified, then SSLv2Hello and SSLv3 are disabled by default. Otherwise only those protocols listed will be excluded.

1
Open the <fglam_home>/state/<state name>/config/fglam.config.xml file for editing.
2
Between the existing <config:http-downstreams> and </config:http-downstreams> tags, add an <config:https-downstream/> child element:

Configuring the Agent Manager to accept connections from the Management Server

You can configure the Foglight® Agent Manager to accept connections from the Management Server and enable reverse data polling. This is useful in situations when the Agent Manager cannot connect to the Management Server due to its location. For example, when the Agent Manager is located in the cloud and the Management Server runs on premises, the Agent Manager has no means to connect to the Management Server and pass on the collected data. Another example is when the Agent Manager resides in a demilitarized zone (DMZ), exposed to untrusted networks, and the Management Server is behind a firewall.

To enable this feature, you must instruct the Agent Manager to accept connections from the Management Server in order to facilitate normal message passing and data polling.

You do this by performing the following steps:

Using the fglam.config.xml file, disable upstream connections to the Management Server. For instructions, see To prevent the Agent Manager from connecting to the Management Server:.

1
Open the fglam.config.xml file for editing. This file is located in the <fglam_home>/state/default/config directory.
2
In the fglam.config.xml file, locate the <config:http-upstreams> XML element, and within that element, declare a new <config:http-upstream> element using the following lines of code:
The no-connection element prevents the Agent Manager from connecting to the upstream Management Server.
1
Open the fglam.config.xml file for editing. This file is located in the <fglam_home>/state/default/config directory.
2
In the fglam.config.xml file, locate the <config:http-downstreams> XML element, and within that element, declare a new <config:http-downstream> sub-element for a non-SSL connection or <config:https-downstream> for an SSL connection.
3
Non-SSL connections only. Within the newly created <config:http-downstream> element, provide a port number that the Agent Manager will use to listen for incoming connections, and optionally the IP address of the network interface. For example:
4
User-provided certificates or keystores only. Within the newly created <config:https-downstream> element, provide the information about the certificate and keystore you want to use. There is a wide range of attributes that you can use. For complete instructions, review the <config:documentation> element under <config:http-downstreams>.
1
Launch a command shell and navigate to the <fglam_home>/jre/<jre_version>/jre/bin directory on Agent Manager. And then issue the following command to generate the keypair and BCFKS keystore.
keytool -genkeypair -noprompt -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "CN=<fglam_host_name>" -validity 365 -alias <keypair_alias_name> -keystore </path/to/fglam.kesytore> -storepass <password> -storetype BCFKS -providerpath <fglam_home>\client\<build-version>\lib\bc-fips.jar -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
2
Export the certificate from BCFKS keystore:
keytool -exportcert -noprompt -rfc -alias <keypair_alias_name> -file </path/to/exported-cert-filename> -keystore </path/to/fglam.kesytore> -storepass <password> -storetype BCFKS -providerpath <fglam_home>\client\<build-version>\lib\bc-fips.jar -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
a
Locate the property 'Trust Store' in Administration > Setup > Management Server Configuration dashboard, and get the path of current trust store used by Management Server.
The JRE cacerts is the default trust store if Management Server runs in non-FIPS mode. Issue the following command to import the certificate to Management Server:
keytool -import -alias <alias_name> -file </path/to/exported-cert-filename> -keystore <fms_home>/jre/lib/security/cacerts -storepass changeit
The trust.fips.keystore is the default trust store if Management Server runs in FIPS-compliant mode. Issue the following command to import the certificate to Management Server:
keytool -import -alias <alias_name> -file </path/to/exported-cert-filename> -keystore <fms_home>/config/security/trust.fips.keystore -deststoretype BCFKS -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath <fms_home>/server/core/bc-fips.jar -storepass nitrogen
2
On the Agent Properties dashboard, under Agent Type, select FglAM Adapter, and in the pane on the right, click Edit.
3
In the Agent Type Properties dialog box that appears, under Hosts to Pull Data From, click Edit.
4
In the Edit List of Hosts to Pull Data From dialog box that appears, click Add.
Enabled: Select this check box if you want the Management Server to connect to this Agent Manager.
URL: Type the URL the Agent Manager uses to communicate with the Management Server.
Local Address: To specify a local network address for the Management Server connection to the Agent Manager, type the IP address of a NIC (network interface card) on the machine hosting the Agent Manager required to establish connections to the Management Server.
Proxy URL: If you want the Management Server to connect to the Agent Manager using a proxy, type the URL of the proxy server.
Proxy NTLM Domain: If you are using a proxy server for communication, and the proxy uses Windows authentication, type the Windows domain.
Proxy User Name: If you are using a proxy server for communication, type the user name needed to access the proxy server.
Proxy Password: If you are using a proxy server for communication, type the password associated with the user name.
Allow Self Signed SSL Certificates: Select this check box if you want to enable the Management server to accept self-signed-certificates from the Agent Manager. It is not recommended to enable this configuration in FIPS-compliant mode for security consideration. When Management Server is running in FIPS-compliant mode, you need to add the Agent Manager's public certificate to Management Server's jre keystore. For more information, see To configure non-SSL connections or connections using user-provided certificates or keystores: .
SSL Certificate Common Name: If you want to enable the Management Server to accept self-signed certificates from the Agent Manager, and the certificate has a different common (host) name than the one reported by the Agent Manager, type the certificate common name.
Compressed Connection: Select this check box if you want the Management Server to establish HTTP-compressed communication with the Agent Manager.
Chunked HTTP Connection: Select this check box if you want to use an HTTP connection with chunked transfer encoding enabled.

Configuring the Agent Manager to execute commands on remote hosts

ExecuteCommandOnRemoteHostsAction is an action that is used for the Agent Manager to execute a command on remote hosts.

1
Add the ExecuteCommandOnRemoteHostsAction action to your rule list. For more information about how to add or edit an action in a rule, refer to the Getting Started: create a new rule or Getting Started: view and edit rule definitions section in the Foglight Administration and Configuration Help.
AgentManagerName (Mandatory): The Agent Manager name that is delegated to invoke the command on remote hosts.
CommandLine (Mandatory): The command to be executed remotely.
RemoteHosts (Mandatory): Target host addresses and platforms map, for example, hostName=Windows!hostIP=Linux. The platform value can be either of the following: Windows, Linux, Solaris, AIX, and HP-UX.
AgentManagerNameUseRegExp (Optional): The flag indicating whether the AgentManagerName parameter should be treated as regular expressions. This value is either true or false.
MatchAll (Optional): The flag indicating whether to run the command on all Agent Managers that matches the selection criteria. If set to false, the command will be executed only on the first matching Agent Manager.
Port (Optional): SSH connection port, default is 22. Windows platform does not need to configure this value.
Timeout (Optional): Command executing timeout value. Default is 0, which will use the Agent Manager default timeout value.
3
Go to the Dashboards > Administration > Credentials > Manage Credentials dashboard, add credentials for those remote hosts. The credentials usage must set to either “Execute Command On Remote Hosts For Windows” or “Execute Command On Remote Hosts For Unix”.
Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen