Can the FMS connect to LDAP using secure encrypted communications (secure LDAP port 636)? (4254139)

Can the Foglight Management Server (FMS) use LDAPS (secure LDAP on port 636) instead of basic LDAP (port 389) to integrate with Active Directory?

How to encrypt the communication between the Foglight Management Server and the LDAP server?

Yes, Foglight supports the use of secure LDAP (LDAPS). It is necessary to configure the TrustStore properly for an encrypted LDAP connection.

Use the following instructions if you need to encrypt communication between the Management Server and the LDAP server:

1. In environments where an in-house certificate granting authority (CA) is in use, the CA’s certificates may need to be added as trusted certificates; acquire the LDAP server's certificate authority or server certificate in .pem format from the security team.
2. Import the certificates into the embedded JRE TrustStore or the Foglight TrustStore.

   Option 1: Import the certificate into the embedded JRE TrustStore

   Foglight uses JRE TrustStore as the default TrustStore. The default TrustStore will NOT be preserved during Foglight upgrade.

   Import the certificate into the embedded JRE TrustStore, [foglight_home]/jre/lib/security/cacerts (default password: changeit), with the following command:

   [foglight_home]/jre/bin/keytool -import -trustcacerts -alias [alias_of_cert] -keystore [path_to_cacerts] -storepass changeit -file [path_to_cert_file]

   Option 2: Import the certificate into the Foglight TrustStore

   Foglight also supports a separate TrustStore, which will be preserved during upgrade.

   Prepare and import the certificate into Foglight TrustStore with the following steps:

   1. Prepare TrustStore: copy [foglight_home]/config/security/trust.keystore.sample to [foglight_home]/config/security/trust.keystore
   2. Import the certificate into the Foglight TrustStore, [foglight_home]/config/security/trust.keystore (default password: nitrogen), with the following command:

      [foglight_home]/jre/bin/keytool -import -file [path_to_cert_file] -alias [alias_of_cert] -keystore [foglight_home]/config/security/trust.keystore -storepass nitrogen

   Notes:

   • If a root CA or other intermediate certificates are required, please import them into the selected TrustStore one at a time using the above commands.
   • The name used as the certificate alias is not important; use a unique name to represent each certificate being imported (E.g.: internalrootcacert, internalintermediatecacert).
   • For more information and steps for FIPS-compliant mode refer to the Importing self-signed certificates to Foglight TrustStore section in any of the Foglight Installation Guides.
3. Restart the Foglight Management Server.
4. On the navigation panel, under Dashboards, click Administration > Users & Security > Directory Services Settings.
5. Under LDAP Locations, click Edit and specify the LDAP server URL in the following format: ldaps://ldap_server.yourdomain.com:636

   Note: The port number for LDAP over SSL is usually 636. Confirm the correct port number with your LDAP server administrator.

To list the certificates in the cacerts TrustStore the following command can be used:

[foglight_home]/jre/bin/keytool -keystore [foglight_home]/jre/lib/security/cacerts -storepass changeit -list -v

The certificate chain presented by the LDAP server can be verified with:

[foglight_home]/jre/bin/keytool -printcert -sslserver ldap_server.yourdomain.com:636

To retrieve the certificate chain in PEM format add the -rfc option:

[foglight_home]/jre/bin/keytool -printcert -sslserver ldap_server.yourdomain.com:636 -rfc

Note: The output in PEM format can be used to export the certificates and import to the TrustStore; copy each certificate in the output to separate files (E.g.: cert1.cer, cert2.cer and cert3.cer).