Foglight 6.1.0 - Installing Foglight on Windows with an External MySQL Database

<foglight_home>\jre\bin\keytool -import -file <path_to_cert_file> -alias <alias_of_cert> -keystore <foglight_home>\jre\lib\security\cacerts -storepass <store_pwd>

Option 2: Prepare and import the certificate into Foglight TrustStore with the following steps:

Prepare TrustStore: copy <foglight_home>\config\security\trust.keystore.sample to <foglight_home>\config\security\trust.keystore

Import the certificate into the Foglight TrustStore, <foglight_home>\ config\security\trust.keystore (default password: nitrogen), with the following command:

<foglight_home>\jre\bin\keytool -import -file <path_to_cert_file> -alias <alias_of_cert> -keystore <foglight_home>\config\security\trust.keystore -storepass <store_pwd>

FIPS-compliant mode

In FIPS-compliant mode, it is required to use FIPS-validated KeyStore type BCFKS.

Import the certificate into the Foglight default TrustStore in FIPS-compliant mode, <foglight_home>\config\security\trust.fips.keystore (default password: nitrogen) with the following command:

<foglight_home>\jre\bin\keytool -import -trustcacerts -alias <alias_of_cert> - file <path_to_cert_file> -keystore <foglight_home>\config\security\trust.fips.keystore -deststoretype BCFKS - provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath <foglight_home>\server\core\bc-fips.jar -storepass <store_pwd>

Setting up an encrypted database connection with SSL

The following procedure outlines how to set up a secure external MySQL® database connection and verify that the MySQL® Server supports SSL encryption.


	NOTE: This procedure must be performed after installation but before you start the Management Server.

To set up an encrypted external MySQL database connection with SSL:

Import a CA certificate into the Management Server keystore (cacerts) as outlined in Importing a network security certificate.

Update the MySQL configuration file (my.ini) with the new security certificate and key information by adding the following properties:

•

ssl-ca=<cacert.pem>

•

ssl-cert=<server-cert.pem>

•

ssl-key=<server-key.pem>

Uncomment and set the server.database.secureconn attribute in the server.config file to true, as shown below.

server.database.secureconn = "true";


	NOTE: Do not enable this option until the database server’s CA certificate is properly imported into <foglight_home>\jre\lib\security\cacerts.

Start the database.

Start the Management Server.

To verify whether the MySQL Server (mysqld) supports SSL connections:

Ensure that the MySQL Server (mysqld program) for your Foglight database is running.

mysql --host <hostname> –port=<mysql_db_port_number> –user=<mysql_user> --password=<mysql_user_passwword>

At the mysql prompt, run the following query:

show variables like 'have_ssl'

The output shows the variable have_ssl with a value of either YES or DISABLED.

If the value is YES, the MySQL® Server supports SSL connections. If the value is DISABLED, the MySQL Server supports SSL connections but was not started with the appropriate SSL command options (-ssl-<option_name>=<value>). See the MySQL documentation for more information about these options.

Setting up an encrypted LDAP connection with SSL

Use the following instructions if you need to encrypt communication between the Management Server and the LDAP server.

To encrypt communication between Management Server and LDAP:

Acquire the LDAP server certificate in .pem format from the administrator.

Import the certificate into the Management Server keystore, see Importing self-signed certificates to Foglight TrustStore .


	NOTE: In addition to the Root CA certificate, there may be one or more intermediate CA certificates. If so, make sure to import the Root CA certificate and all intermediate CA certificates in sequence.