What are the steps required to use an external signed certificate in the Foglight Management Server? (4254114)

What are the steps required to use an externally signed certificate in the Foglight Management Server (FMS) so users and Foglight Agent Manager (FglAM) clients can connect to the FMS via HTTPS?

ssl | https | certificate | csr | pfx | pkcs12 | ca | root | intermediate

This solution covers the steps to use an externally signed certificate in the Foglight Management Server (FMS) and for Foglight Agent Manager (FglAM) clients to connect via HTTPS.

Foglight Management Server (FMS) side

$FMS_HOME is where the FMS is installed.

• The default location for a Windows installation is C:\Quest\Foglight
• The default location for a Linux installation is /home/foglight/Quest/Foglight

There are multiple keystores used by Foglight.

• The built-in Tomcat keystores located at $FMS_HOME/config/tomcat.keystore (default password: nitrogen)
• The Foglight Management Server also use Java JRE keystores located at $FMS_HOME/jre/lib/security/cacerts (default password: changeit)

Review the following sections depending on the certificate management process in the environment:

• If a Certificate Signing Request (CSR) is required from Foglight for it to be signed by a Certificate Authority (CA), refer to Option 1 - Generate a new key, create a certificate request and import the signed certificate.
• If a certificate was generated and signed externally for Foglight to use (for example, a wildcard certificate), refer to Option 2 - Private key and signed certificate are available.

Option 1 - Generate a new key, create a certificate request and import the signed certificate

The following steps need to be completed to generate a new key pair in the Foglight keystore, create a certificate signing request for it to be signed by a Certificate Authority (CA) and then import the signed certificate.

1. Change directory to $FMS_HOME/config/
2. Backup the existing $FMS_HOME/config/tomcat.keystore and $FMS_HOME/jre/lib/security/cacerts files.
3. Delete the existing tomcat key from the tomcat.keystore keystore using the following command:

   $FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -delete -alias tomcat

4. Create a new key under the tomcat alias using the following command:

   $FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -alias tomcat -keyalg RSA -keysize 2048 -genkeypair -validity [number of days] -dname "CN=[your_fmsserver_dns_name],OU=[your_organizational_unit_name],O=[your_organization_name],L=[your_city_name],ST=[your_state_name],C=[your_two-letter_country_code]" -ext SAN=dns:[your_fmsserver_dns_name],ip:[your_fmsserver_ip]

5. Generate a Certificate Signing Request (CSR) using the following command:

   $FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -alias tomcat -certreq -validity [number of days] -ext SAN=dns:[your_fmsserver_dns_name],ip:[your_fmsserver_ip] -file foglight.csr

6. The CSR file must be signed by a Certificate Authority (CA).
7. Import the signed certificate back to the tomcat.keystore using the following command (CA certificates may need to be imported first; refer to section Import CA's root and intermediate certificates of this KB article).

   $FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -alias tomcat -validity [number of days] -trustcacerts -import -file [ca signed certificate]

   or

   $FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -alias tomcat -validity [number of days] -importcert -file [ca signed certificate chain in p7b format]

8. Restart the FMS.

Example:

--- Delete key after completing backups
$FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -delete -alias tomcat

--- Create new key
$FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -alias tomcat -keyalg RSA -keysize 2048 -genkeypair -validity 730 -dname "CN=servername.domain.com,OU=IT,O=Your Company,L=Your City,ST=Your State,C=US" -ext SAN=dns:servername.domain.com,dns:serveralias.domain.com

--- Generate CSR
$FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -alias tomcat -certreq -validity 730 -ext SAN=dns:servername.domain.com,dns:serveralias.domain.com -file foglight.csr

--- Import signed certificate
$FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -alias tomcat -validity 730 -trustcacerts -import -file foglight.cer

Option 2 - Private key and signed certificate are available

If you have an existing SSL certificate and you want to use this certificate in Tomcat, follow the steps below to import this SSL certificate.

Note: This certificate must be provided in the PKCS #12 (pfx) format. If the certificate and private key are saved in separate files, run the following command to merge them to the PKCS12 format:

openssl pkcs12 -export -in $certfile -inkey $keyfile -out $keystorefile -name tomcat -CAfile $cacertfile -caname root

To import a certificate in Tomcat:

1. Backup the existing Tomcat keystore file $FMS_HOME/config/tomcat.keystore
2. Delete the existing tomcat certificate from the tomcat.keystore keystore using the following command:

   $FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -alias tomcat -delete

3. Obtain the certificate's alias name from the certificate PFX file using the following command:

   $FMS_HOME/jre/bin/keytool -keystore $your_certificate_pfx_file -storepass $certificate_pfx_password -list -v

   The following is an example of command output. The value of Alias name is required in step 4.

   • Your keystore contains 1 entry
   • Alias name: tq-294043e3-fd9d-42ee-a596-0217c7d6d5f8
   • Creation date: May 8, 2020
   • Entry type: PrivateKeyEntry

4. Merge the Tomcat keystore and the PKCS12 keystore using the following command:

   $FMS_HOME/jre/bin/keytool -importkeystore -destkeystore $FMS_HOME/config/tomcat.keystore -deststorepass nitrogen -destalias tomcat -destkeypass nitrogen -srckeystore [your_certificate_pfx_file] -srcstorepass [certificate_pfx_password] -srcstoretype pkcs12 -srcalias [alias_name_in_step_3]

Import CA's root and intermediate certificates

In environments where an in-house certificate granting authority (CA) is in use, the CA’s certificate may need to be added as trusted certificates to the keystore; otherwise errors such as  keytool error: java.lang.Exception: Failed to establish chain from reply will prevent the import of the signed certificate.

1. Import the root certificate:

   $FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -import -trustcacerts -alias rootca -file [YourRootCA.cer]

2. Import the intermediate certificate(s) if necessary:

   $FMS_HOME/jre/bin/keytool -keystore $FMS_HOME/config/tomcat.keystore -storepass nitrogen -import -trustcacerts  -alias intermediateca -file [YourIntermediateCA.cer]

Foglight Agent Manager (FglAM) side

$FglAM_HOME is where FglAM is installed.

• The default location for a Windows installation is C:\Program Files\Common Files\Quest\Foglight Agent Manager
• The default location for a Linux installation is /home/foglight/Quest/foglightagentmanager

Review the following sections to configure the FglAM for HTTPS connections to the FMS from the user interface or by manually editing the configuration file.

Switch FglAM to FMS from http to https via UI

1. Stop the Foglight Agent Manager
2. Start with $FglAM_HOME/bin/fglam --configure
3. Click Next to accept default Host Display Name
4. Click Next and make sure the Yes, reset this client's ID checkbox is not selected (Important: If the client ID is reset it can cause agents residing on the FglAM no to be activatable.)
5. Click on SSL Certificates then add root CA certificate and any intermediate CA certificate FMS server certificate may use
6. Click and edit the existing FMS entries
7. Change port from 8080 to 8443 or specify the port if using a non-default one, such as 443.
8. Uncheck Allow self-signed certificates
9. Uncheck Allow certificate with an unexpected common name
10. Click OK to save it
11. Click Test to validate connectivity between FglAM and FMS
12. Click Next (Downstream Connection Configuration)
13. Click Next (Widows Service)
14. Click Finish

Switch FglAM to FMS from http to https from the configuraton file

1. Stop Foglight Agent Manager
2. Open $FglAM_HOME\state\default\config\fglam.config.xml
3. Modify the http-upstream url entry as follows:

   From:

   <http-upstream url='https://foglight.yourdomain.com:8443' ssl-allow-self-signed='false' ssl-cert-common-name='quest.com'/>

   To:

   <http-upstream url='https://foglight.yourdomain.com:8443'/>

4. Import the root CA certificate and any other intermediate CA certificates the FMS server certificate may use; for example:

   $FglAM_HOME/bin/fglam --add-certificate CertificateAlias=/path/certificate_filename

   Note: The name used as CertificateAlias is not important; use something unique to represent the certificate being imported.

For additional information refer to section Configuring Foglight to use the HTTPS port in any of the Foglight installation setup guides available in the Support Portal (E.g.: Foglight - Installing Foglight on a UNIX System with an Embedded PostgreSQL Database).

Futher helpful links about merging keys and importing certificates:
How to import an existing SSL certificate for use in Tomcat
Import private key and certificate into java keystore