Configuring the embedded Agent Manager
Installing external Agent Managers
Understanding how the Agent Manager communicates with the Management Server
Deploying the Agent Manager cartridge
Downloading the Agent Manager installer
Installing the Agent Manager
Configuring the Agent Manager
Installing the Agent Manager using the installer interface
Installing the Agent Manager from the command line
Using the Agent Manager silent installer
Installing the Agent Manager as a Windows service
Starting or stopping the Agent Manager process
Frequently asked questions
How do I upgrade the Agent Manager?
How do I uninstall the Agent Manager?
Where can I find the Agent Manager installation log files?
Are the passwords that are stored in the configuration file, fglam.config.xml, encrypted?
How can I see what parameters are available for the silent installers?
Why are two URLs displayed for localhost when I search for HA peers?
I tested the connection between the Agent Manager and a Management Server, but the Management Server URL failed the connectivity test. Why did this happen?
Operating system patches
Launching the Agent Manager installation interface
Configuring the Agent Manager to run in FIPS-compliant mode
Configuring the Agent Manager from the command line
Configuring the Agent Manager to use SSL certificates
Configuring an Agent Manager instance as a Concentrator
Advanced system configuration and troubleshooting
Configuring the concentrator
Configuring downstream Instances
Creating a secure connection with downstream instances
Excluding SSL ciphers from upstream or downstream Connections
Excluding Specific SSL Protocols from Downstream Connections
Configuring the Agent Manager to accept connections from the Management Server
Configuring the Agent Manager to execute commands on remote hosts
Configuring multiple Agent Manager instances
Controlling the polling rate
Configuring the Agent Manager to work in HA mode
Assigning Agent Managers to HA partitions
Adding cartridges to the HA deployment whitelist
About agent fail-over
About non-HA deployments
Negotiating Agent Manager resources at runtime
Configuring credentials
Configuring anti-virus exclusion settings
Troubleshooting
Configuring Windows Management Instrumentation (WMI)
Monitoring the Agent Manager performance
WMI IPv6 connection support
Windows Firewall interference
Minimum requirements for Windows Management Instrumentation
Configuring Windows Remote Management (WinRM)
Promoting remote users to administrators on local machines through the Domain Controller
Granting required permissions to individual remote users
WMI access violation and OS connectivity verification failure
WMI and Quota Violation error
Known WMI issues in Windows Server 2008
Tuning WMI connections
Modifying registry key ownership on Windows Server 2008 R2
Configuring registry settings for Windows Server 2008 R2 and Windows 7
Resolving Access Denied errors when connecting to Windows XP Professional
OS collection fails with a Local_Limit_Exceeded error
Access to DCOM objects and registry is denied
Configuring registry settings for WinShell access through DCOM
Permissions on registry keys to configure DCOM command shell connection
Enabling agents to connect from UNIX machines
Enabling agents to connect locally on Windows
Releasing a locked MySQL process
WinRM IPv6 connection support
About WinRM authentication and the Agent Manager
Configuring the target (monitored) system
Configuring the Agent Manager (monitoring) system
Generating a configuration file required for WinRM Negotiate authentication
Configuring command-shell connection settings
About WinRM connection ports
Troubleshooting
UNIX- and Linux-specific configuration
Agent Manager service can't start automatically when the operating system restarts
SSH IPv6 connection support
About supported remote monitoring protocols
Configuring the Agent Manager to run as a daemon
Configuring Agent Manager agent privileges
Using sudo to configure secure launcher permissions
Using setuid_launcher to configure secure launcher permissions
Preventing Agent Manager core dumps on Linux
Investigating Agent Manager diagnostics
Deploying the Agent Manager to large-scale environments
Using Agent Manager silent installer Parameters
Example: Deploying the Agent Manager to multiple UNIX hosts
Example: Deploying the Agent Manager to multiple Windows hosts
Next steps
Creating a secure connection with downstream instances
|
1 |
Launch a command shell on the Agent Manager machine, and navigate to the <fglam_home>/jre/<jre_version>/<jre>/bin/ directory. |
|
2 |
If you do not already have an SSL certificate for the concentrator host, you can create a self-signed certificate by executing the following command on the concentrator machine, where <password> is replaced with your desired password: |
|
3 |
Respond to the prompts from keytool. Only the “first and last name” are required, all other fields can be left blank. The “first and last name” form the common name (CN) for this key pair and this needs to be provided to the Management Server (for reverse polling) or downstream Agent Managers (as the ssl-cert-common-name). You can type anything you want into this field, but the host name is the most common choice. The default value, if left blank, is Unknown. |
|
5 |
Open the file <fglam_home>/state/<state name>/config/fglam.config.xml for editing. |
|
6 |
Between the existing <http-downstreams> and </http-downstreams> tags, add an <https-downstream/> child element: |
<https-downstream key-password=<password> keystore=<path_to_keystore> port=<port_number> [address=<network_address>]/>
|
• |
|
• |
|
• |
<port_number> is the port number on which you want the concentrator to listen for connections from downstream Agent Manager instances. |
|
• |
<network_address> is the network address, to which the concentrator is bound when receiving connections from the downstream instances. This argument is optional. It is useful when a machine has two or more network addresses and you want the connections to the Management Server to go out from one, and the connections from the downstream instances to come in to another. |
|
IMPORTANT: Other optional attributes are available for the <https-downstreams> element. See the file fglam.config.xml for details. |
|
7 |
If required, configure the concentrator to listen for connections on multiple different ports by adding additional <https-downstream/> elements and setting the arguments as described above. |
See Configuring Management Server URLs using the installer interface or Step 10: Change service credentials [Optional] for information about these parameters, which you can set through the Agent Manager installer or configuration interface.
|
NOTE: It is not recommended to enable the ssl-allow-self-signed configuration when the downstream Agent Manager is running in FIPS-compliant mode. If this configuration is disabled, you have to add the concentrator's certificate to the downstream Agent Manager's keystore in order to connect to the concentrator using HTTPS. To export certificate from concentrator: 1. Locate the element <config:http-downstream> in <fglam_home>/state/default/config/fglam.config.xml file on concentrator Agent Manager, and get the path of the keystore corresponding to the downstream Agent Manager. If it is a relative path, it is relative to the path of "<fglam_home>/state/default/". 2. Launch a command shell and navigate to the <fglam_home>/jre/<jre_version>/jre/bin directory. 3. Issue the following command to export concentrator's certificate: keytool -exportcert -noprompt -rfc -alias fglam-cert -file <exported-cert-filename> -keystore </path/to/keystore> -storepass <key-password> -storetype BCFKS -providerpath "<fglam_home>\client\<build-version>\lib\bc-fips.jar" -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider To import the exported certificate to downstream Agent Manager: 1. Launch a command shell and navigate to the <fglam_home>/bin on the downstream Agent Manager. 2. Issue the following command to import certificate: fglam --add-certificate <alias=/path/to/exported-cert-filename> |
Excluding SSL ciphers from upstream or downstream Connections
If you need to exclude one or more ciphers from the SSL encryption used for SSL connections, you can do so using one or more excluded-ssl-cipher elements in the fglam.config.xml file. For example, you may want to exclude lower encryption strength ciphers, or ciphers with security vulnerabilities.
|
1 |
Open the <fglam_home>/state/<state name>/config/fglam.config.xml file for editing. |
|
2 |
Between the existing <config:http-upstreams> and </config:http-upstreams> tags, add an <config:http-upstream/> child element: |
<config:http-upstream url="https://secure_server_URL:port_number">
|
1 |
Open the <fglam_home>/state/<state name>/config/fglam.config.xml file for editing. |
|
2 |
Between the existing <config:http-downstreams> and </config:http-downstreams> tags, add an <config:https-downstream/> child element: |
Excluding Specific SSL Protocols from Downstream Connections
|
1 |
Open the <fglam_home>/state/<state name>/config/fglam.config.xml file for editing. |
|
2 |
Between the existing <config:http-downstreams> and </config:http-downstreams> tags, add an <config:https-downstream/> child element: |
Configuring the Agent Manager to accept connections from the Management Server
You can configure the Foglight® Agent Manager to accept connections from the Management Server and enable reverse data polling. This is useful in situations when the Agent Manager cannot connect to the Management Server due to its location. For example, when the Agent Manager is located in the cloud and the Management Server runs on premises, the Agent Manager has no means to connect to the Management Server and pass on the collected data. Another example is when the Agent Manager resides in a demilitarized zone (DMZ), exposed to untrusted networks, and the Management Server is behind a firewall.
You do this by performing the following steps:
|
• |
Configure downstream non-SSL connections, or connections requiring user-provided certificates or keystores. For instructions, see To configure non-SSL connections or connections using user-provided certificates or keystores:.
|
• |
Using the fglam.config.xml file, disable upstream connections to the Management Server. For instructions, see To prevent the Agent Manager from connecting to the Management Server:. |
|
• |
|
1 |
Open the fglam.config.xml file for editing. This file is located in the <fglam_home>/state/default/config directory. |
|
2 |
In the fglam.config.xml file, locate the <config:http-upstreams> XML element, and within that element, declare a new <config:http-upstream> element using the following lines of code: |
The no-connection element prevents the Agent Manager from connecting to the upstream Management Server.
|
1 |
Open the fglam.config.xml file for editing. This file is located in the <fglam_home>/state/default/config directory. |
|
2 |
In the fglam.config.xml file, locate the <config:http-downstreams> XML element, and within that element, declare a new <config:http-downstream> sub-element for a non-SSL connection or <config:https-downstream> for an SSL connection. |
|
3 |
Non-SSL connections only. Within the newly created <config:http-downstream> element, provide a port number that the Agent Manager will use to listen for incoming connections, and optionally the IP address of the network interface. For example: |
|
4 |
User-provided certificates or keystores only. Within the newly created <config:https-downstream> element, provide the information about the certificate and keystore you want to use. There is a wide range of attributes that you can use. For complete instructions, review the <config:documentation> element under <config:http-downstreams>. |
|
1 |
Launch a command shell and navigate to the <fglam_home>/jre/<jre_version>/jre/bin directory on Agent Manager. And then issue the following command to generate the keypair and BCFKS keystore. keytool -genkeypair -noprompt -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "CN=<fglam_host_name>" -validity 365 -alias <keypair_alias_name> -keystore </path/to/fglam.kesytore> -storepass <password> -storetype BCFKS -providerpath <fglam_home>\client\<build-version>\lib\bc-fips.jar -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider |
|
2 |
Export the certificate from BCFKS keystore: keytool -exportcert -noprompt -rfc -alias <keypair_alias_name> -file </path/to/exported-cert-filename> -keystore </path/to/fglam.kesytore> -storepass <password> -storetype BCFKS -providerpath <fglam_home>\client\<build-version>\lib\bc-fips.jar -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider |
|
a |
Locate the property 'Trust Store' in Administration > Setup > Management Server Configuration dashboard, and get the path of current trust store used by Management Server. |
|
• |
The JRE cacerts is the default trust store if Management Server runs in non-FIPS mode. Issue the following command to import the certificate to Management Server: keytool -import -alias <alias_name> -file </path/to/exported-cert-filename> -keystore <fms_home>/jre/lib/security/cacerts -storepass changeit |
|
• |
The trust.fips.keystore is the default trust store if Management Server runs in FIPS-compliant mode. Issue the following command to import the certificate to Management Server: keytool -import -alias <alias_name> -file </path/to/exported-cert-filename> -keystore <fms_home>/config/security/trust.fips.keystore -deststoretype BCFKS -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath <fms_home>/server/core/bc-fips.jar -storepass nitrogen |
|
2 |
On the Agent Properties dashboard, under Agent Type, select FglAM Adapter, and in the pane on the right, click Edit. |
|
3 |
|
4 |
|
• |
Enabled: Select this check box if you want the Management Server to connect to this Agent Manager. |
|
• |
URL: Type the URL the Agent Manager uses to communicate with the Management Server. |
|
• |
Local Address: To specify a local network address for the Management Server connection to the Agent Manager, type the IP address of a NIC (network interface card) on the machine hosting the Agent Manager required to establish connections to the Management Server. |
|
• |
Proxy URL: If you want the Management Server to connect to the Agent Manager using a proxy, type the URL of the proxy server. |
|
• |
Proxy NTLM Domain: If you are using a proxy server for communication, and the proxy uses Windows authentication, type the Windows domain. |
|
• |
Proxy User Name: If you are using a proxy server for communication, type the user name needed to access the proxy server. |
|
• |
Proxy Password: If you are using a proxy server for communication, type the password associated with the user name. |
|
• |
Allow Self Signed SSL Certificates: Select this check box if you want to enable the Management server to accept self-signed-certificates from the Agent Manager. It is not recommended to enable this configuration in FIPS-compliant mode for security consideration. When Management Server is running in FIPS-compliant mode, you need to add the Agent Manager's public certificate to Management Server's jre keystore. For more information, see To configure non-SSL connections or connections using user-provided certificates or keystores: . |
|
• |
SSL Certificate Common Name: If you want to enable the Management Server to accept self-signed certificates from the Agent Manager, and the certificate has a different common (host) name than the one reported by the Agent Manager, type the certificate common name. |
|
• |
Compressed Connection: Select this check box if you want the Management Server to establish HTTP-compressed communication with the Agent Manager. |
|
• |
Chunked HTTP Connection: Select this check box if you want to use an HTTP connection with chunked transfer encoding enabled. |