-
제목
Can the FMS connect to LDAP using secure encrypted communications (secure LDAP port 636)? -
설명
Can the Foglight Management Server (FMS) use LDAPS (secure LDAP on port 636) instead of basic LDAP (port 389) to integrate with Active Directory?
How to encrypt the communication between the Foglight Management Server and the LDAP server?
-
해결 방안
Yes, Foglight supports the use of secure LDAP (LDAPS). It is necessary to configure the TrustStore properly for an encrypted LDAP connection.
Use the following instructions if you need to encrypt communication between the Management Server and the LDAP server.
To encrypt communication between Management Server and LDAP:
- In environments where an in-house certificate granting authority (CA) is in use, the CA’s certificate may need to be added as trusted certificates; acquire the LDAP server's certificate authority or server certificate in .pem format from the security team.
- Import the certificate into the embedded JRE TrustStore,
[foglight_home]/jre/lib/security/cacerts(default password: changeit), with the following command:[foglight_home]/jre/bin/keytool -import -trustcacerts -alias [alias_of_cert] -keystore [path_to_cacerts] -storepass changeit -file [path_to_cert_file]Note: In non-FIPS mode, to be compatible with former Foglight versions, Foglight uses JRE TrustStore as the default TrustStore. The default TrustStore will NOT be preserved during Foglight upgrade. Foglight also support a separate TrustStore, which will be preserved during upgrade. For more information refer to the Importing self-signed certificates to Foglight TrustStore section in any of the Foglight Installation Guides.
- Restart the Foglight Management Server.
- On the navigation panel, under Dashboards, click Administration > Users & Security > Directory Services Settings.
- Under "LDAP Locations", click "Edit" and specify the LDAP server URL in the following format: ldaps://ldap_server.yourdomain.com:636
Note: The port number for LDAP over SSL is usually 636. Confirm the correct port number with your LDAP server administrator.