Foglight Agent Manager 5.9.1 - Foglight Agent Manager Guide

Configuring credentials

The Management Server includes a credential management system that enables you to create, store, and manage credentials through the Foglight™ browser interface.

Different cartridges support different types of credentials. Some cartridges, for example, support the use of Windows® and UNIX® credentials, while others can only authenticate local users. The credential type determines which parts of the monitored system are used to connect to a resource, such as host names or IP addresses. For complete information about cartridge-specific credential types, see your cartridge documentation.

Credentials are encrypted and stored in lockboxes. Lockboxes are released to credential clients, such as the Agent Manager. Agents, in turn, request credentials from the Agent Manager.

For detailed information about managing credentials in Foglight, see “Controlling System Access with Credentials” in the Administration and Configuration Guide.

Foglight agents need access to credentials when monitoring systems that require credential verification. Credential information consists of a name, type, policies, and resource mappings. You can create and manage credentials through the Management Server browser interface.

Foglight supports the following commonly used credential types:

IMPORTANT: When specifying a domain name in this credential type, a fully qualified domain name is required. Failing to use a fully qualified domain name may prevent the Agent Manager from establishing a connection to a remote monitored resource. For example, if the full domain name is prod.example.com, use prod.example.com as the domain name instead of just prod, when configuring the credential.

Each credential can have one or more authentication policies, based on the desired usage count, failure rate, the time range during which the credential can be used, and the amount of time during which the credential information is cached locally. Credentials can apply to specific parts of the monitored environment, such as hosts and ports. Resource mappings identify secured resources. The mappings typically contain a combination of literal expressions, regular expressions, or an IP address range.

For more information about creating and managing credentials, including detailed examples of configuring a credential, see “Exploring the Manage Credentials Dashboard” in the Foglight Administration and Configuration Guide.

Managing lockboxes

A lockbox can be password-protected, and contains a collection of credential keys used for encryption and decryption. A lockbox can encrypt one or more credentials. All lockboxes, except the System lockbox, are password-protected.

You can create, edit, and manage lockboxes, change their passwords, and release them to credential clients (such as the Agent Manager) using the Manage Lockboxes dashboard in the Management Server browser interface.

Releasing lockboxes to the Agent Manager

Each lockbox in the Management Server contains a set of credentials and keys for their encryption and decryption. Credentials are released to the Agent Manager unencrypted. When a lockbox is released to the Agent Manager, the Agent Manager passes the credential information to its agents. The agents use this information to establish connection with target resources.

When you start the Agent Manager without having first released a lockbox to it from the Management Server, the following message appears in the startup log:

INFO The Credential Manager has not been assigned any lockboxes. Lockboxes are used to decrypt credentials received as a result of an Agent Credential Query. Without any lockbox assignments, credentials received within a credential query result-set will be discarded. You can grant lockboxes to this Agent Manager through the Credential Administrator on the Server.

The lockbox you release to the Agent Manager must contain the credentials necessary for the agents to access the monitored resources.

CAUTION: Any agents that have access to an Agent Manager with a released lockbox can potentially query and obtain credential information stored within that lockbox.

3	On the Manage Lockboxes dashboard, in the row containing the lockbox that you want to release, click the Release to Credential Clients icon.

IMPORTANT: The System lockbox that is included by default with the Management Server is not password-protected. Its contents are accessible to all clients in your system.

NOTE: This functionality consumes server resources. It can be significant depending on the size of your client list.

When the lockbox is released to the Agent Manager, any credentials that are later added to the same lockbox are also accessible to the Agent Manager and its monitored agents.

Troubleshooting

This section provides information about problems that you may encounter while running the Agent Manager and describes the solutions available for these problems.