What are the steps required to use an external signed certificate in the Foglight Management Server? (4254114)

Here are all required steps to use an external signed certificate in the FMS and connect FGLAM clients to FMS via HTTPS:

The commands used here are based on Linux, Windows command will be similar

Foglight Management Server (FMS) Side

$FMS_HOME is where FMS is installed.

• The default location for a Windows installation is C:\Quest_Software\Foglight
• The default location for a Linux installation is /home/foglight/Quest/Foglight

If you already have an wildcard certificate and want reuse it in Foglight, please refer to KB227620

There are multiple keystores used by Foglight.

• The built-in Tomcat keystores located at: $FMS_HOME/config/tomcat.keystore (default password: nitrogen)
• The Foglight Management Server also use Java JRE keystores located at: $FMS_HOME/jre/lib/security/cacerts (default password: changeit)

Option 1 - Importing an externally signed certificate

1. Change directories to the following path: $FMS_HOME/config/

2. Backup the existing $FMS_HOME/config/tomcat.keystore and $FMS_HOME/jre/lib/security/cacerts files.

3. Delete the existing tomcat key from the tomcat.keystore directory using the following command:

$FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -delete -alias tomcat

4. Create a new key under the tomcat alias using the following command:

 $FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -alias tomcat -keyalg RSA -keysize 2048 -genkeypair -validity [number of days] -dname "CN=[your_fmsserver_dns_name],OU=[your_organizational_unit_name],O=[your_organization_name],L=[your_city_name],ST=[your_state_name],C=[your_two-letter_country_code]" -ext SAN=dns:[your_fmsserver_dns_name],ip:[your_fmsserver_ip]

5. Generate a Certificate Signing Request (CSR) using the following command:

$FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -alias tomcat -certreq -validity [number of days] -ext SAN=dns:[your_fmsserver_dns_name],ip:[your_fmsserver_ip] -file foglight.csr

6. The CSR file must be signed by a Certification Authority (CA).

7. Import the signed certificate back to the tomcat.keystore using the following command (may need to import the root certificates first; refer to section 'Import CA's root and intermediate certificates' of this KB article.)

$FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -alias tomcat -validity [number of days] -trustcacerts -import  -file [ca signed certificate]

or

$FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -alias tomcat -validity [number of days] -importcert -file [ca signed certificate chain in p7b format]

8. Restart the FMS.

Example:

--- Delete key after completing backups
$FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -delete -alias tomcat

--- Create new key
$FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -alias tomcat -keyalg RSA -keysize 2048 -genkeypair -validity 730 -dname "CN=servername.domain.com,OU=IT,O=Your Company,L=Your City,ST=Your State,C=US" -ext SAN=dns:servername.domain.com,dns:serveralias.domain.com

--- Generate CSR
$FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -alias tomcat -certreq -validity 730 -ext SAN=dns:servername.domain.com,dns:serveralias.domain.com -file foglight.csr

--- Import signed certificate
$FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -alias tomcat -validity 730 -trustcacerts -import -file foglight.cer

Option 2 - Private key and signed certificate are available

If the private key and the signed certificate is available already they only need to be imported into the keystore. The private key and the signed certificate need to be merged otherwise they cannot be imported. Often you need to import a root and/or intermediate certificate too.

cat [YourPublicKey.cer] [YourPrivateKey.pem] > [YourKeyPair.pem]

Note: If the certificate is available in PFX format, please review import steps in section Importing a PKCS #12 (pfx) format certificate from any of the Foglight Installation and Setup Guide for supported platforms.

Import CA's root and intermediate certificates

In environments where an in-house certificate granting authority (CA) is in use, the CA’s certificate may need to be added as trusted certificates to the keystore; otherwise errors such as  keytool error: java.lang.Exception: Failed to establish chain from reply will prevent the import of the signed certificate.

1. Import the root certificate:

$FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -import -trustcacerts -alias rootca -file [YourRootCA.cer]

2. Import the intermediate certificate(s) if necessary:

$FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -import -trustcacerts  -alias intermediateca -file [YourIntermediateCA.cer]

Foglight Agent Manager (FglAM) side

$FglAM_HOME is where FglAM is installed.

• The default location for a Windows installation is C:\Program Files\Common Files\Quest\Foglight Agent Manager
• The default location for a Linux installation is /home/foglight/Quest/foglightagentmanager

A. Switch FglAM to FMS from http to https via UI

1. Stop Foglight Agent Manager
2. Start with $FglAM_HOME/bin/fglam --configure
3. Click Next
4. Click Next to accept default host display name
5. Click next and do not update client ID
6. Click SSL certificates then add root CA certificate and any intermediate CA certificate FMS server certificate may use
7. Click and edit existing FMS entry
8. Change port from 8080 to 8443. If you are using non-standard port, replace 8443 to your
9. Uncheck allow self-singed certificates
10. Uncheck allow certificate with an unexpected common name
11. Click OK to save it
12. Click Test to test connectivity between FglAM and FMS
13. Click Next (downstream connection configuration)
14. Click Next (widows services)
15. Click Finish

B. Manual switch FglAM to FMS from http to https via

1. Stop Foglight Agent Manager
2. Open $FglAM_HOME\state\default\config\fglam.config.xml

Modify the "http-upstream url" entry as follows:

From:
config:http-upstream ssl-allow-self-signed="true" ssl-cert-common-name="quest.com" url="https://yourFMS_FQDN:8443"

To:
config:http-upstream url="https://yourFMS_FQDN:8443"

3. Import root CA certificate and any other intermediate CA certificate FMS server certificate may use

$FglAM_HOME/bin/fglam --add-certificate YourCertAlias=/path/certificate_filename

YourCertAlias is not important. Just use something unique.