Foglight 6.1.0 - Administration and Configuration Guide


	NOTE: Foglight displays dynamic data that is regularly updated. Therefore, using your browser’s Back and Forward buttons may cause cached views to appear or result in an error message.

Start the browser interface.

You can start the browser interface by opening a web browser instance and navigating to the URL that uses the following syntax:

http://localhost:8080/console

Where localhost is the name of the machine that has a running instance of the Management Server.


	NOTE: The preceding URL uses the default HTTP port number, 8080. For more information about default port assignments, see Default port assignments.

The Foglight login page opens in the web browser.

Type the user name and password you obtained in Step 2.

In the Foglight login page, in the User box, type your Foglight user name.

In the Password box, type your Foglight password.

Click Login.

Depending on the availability of a valid Foglight license and your user permissions, one of the following pages appears in the display area:

•

If your Management Server has a valid license, the Welcome to Foglight or the Environment Overview page appears in the browser interface.

The Welcome to Foglight page, with both the Navigation panel and Action panel open.

The Environment Overview page in Foglight Evolve.

The Foglight browser interface contains the following elements:

Navigation panel shows the dashboards that you have access to, based on the roles associated with your user account.

Display area contains the current dashboard. When you log in to Foglight, the Welcome page appears in the display area.

Action panel includes any actions that you can perform in the selected dashboard.

•

If your Management Server does not have a valid license, do one of the following, depending on your user permissions.

•

If your user account includes the Administration role, in the Unlicensed Server View, click Install a License. In the Manage Licenses dashboard that appears, install the license for the Management Server. For more information, see Install licenses.

•

If your user account does not include the Administration role, contact your Foglight administrator, as indicated in the Server Licensing Error view.

From here, after a successful login, you can explore the Administration dashboards in the browser interface.

Configure Windows Single Sign-on

The Management Server supports integration with external LDAP directories. In a Kerberos-based environment, such as Microsoft® Active Directory®, most web browsers can authenticate users against the web server using their current credentials.

When this feature is configured, if you log in to a machine running a Windows® OS and then log in to the browser interface, the Management Server uses your Windows account credentials to authenticate you as a Management Server user.

You can also import all of the related groups from Active Directory and map the groups to Management Server roles, to control user permissions in the browser interface.

Complete the following configuration steps to enable the Windows single sign-on (SSO) feature:

•

Configure Active Directory to support Windows Single Sign-on

•

Configure Foglight to support Windows Single Sign-on

•

Configure your web browser to support Windows Single Sign-on

If you were using the VSJ SSO that was provided in earlier versions of Foglight, you must also migrate your settings to the Windows OS-based SSO. For more information, see Migrate to Windows SSO from VSJ SSO.

Configure Active Directory to support Windows Single Sign-on

Microsoft® Active Directory® provides a directory service supporting the Lightweight Directory Access Protocol (LDAP), and a Kerberos KDC (key distribution center) to authenticate users. It allows organizations to share and manage information about users and network resources. When properly configured, Active Directory® provides an SSO environment that can be integrated with the standard Windows® OS desktop login.


	TIP: When setting up the Kerberos Service Principal Name (SPN), use the following instructions to create mappings between the user account and SPNs, and to create a keytab file to configure in krb5‑auth.config. For example: ktpass -princ HTTP/<fmshost.example.com>@REALM -mapuser "<domain>\<user>" -pass <password> -out <keytabFilePath> And: Use setspn to set up the mapping for just the host name. For example: setspn -A HTTP/<fmshost> <user>


	NOTE: Duplicate SPNs cause Kerberos authentication to return an NTLM token and fallback to Form authentication. To search for duplicate SPNs: setspn -X -F If you locate duplicate SPNs for “HTTP/<fmshost>”, you can remove them with the following command: setspn -d HTTP/<fmshost> <user>

Configure Foglight to support Windows Single Sign-on

Foglight provides SSO for the Management Server using Active Directory® as its identity store. It includes an enterprise-wide method of identification and authorization that can be administered in a consistent and transparent manner. This method allows users to access only those Management Server components for which they are authorized.

Enabling the Windows® SSO feature in Foglight requires the configuration of the following components:

•

krb5-auth.config

Table 1. Properties requiring configuration for SSO in Foglight.
Property Name	Comment
Krb5ConfigFilePath	Location of the Kerberos configuration file.
Principal	The Active Directory® service principal.
QualifyUserPrincipal	Include the Active Directory® Domain name in the user principal name.
Keytab	The keytab file of the service principal specified above.
LDAPURLOverrides	If there is a connection issue with the default LDAP URL, use the LDAPURLOverrides property to override the default setting. This property specifies the LDAP URL to be used by the server for retrieving group membership information for SSO users. By default, the server gets the LDAP URL from krb5.config (see the Krb5ConfigFilePath property). This property can be used to override that value. The domain name must be set as lowercase ASCII. For example: LDAPURLOverrides = { "domain1" : "ldap://ldap1.example.com", /regex./ : "ldap://ldap2.example.com", /./ : "ldap://ldap3.example.com", };
QualifyGroupName	Specifies whether the server should append the domain to the group name when importing SSO user-associated groups. The default value is true.
AdditionalContextParameters	Specifies additional context parameters when the Management Server initializes the LDAP context and connects to the LDAP server for retrieving group membership information for SSO users. For example: AdditionalContextParameters = { "java.naming.referral" : "follow", }; NOTE: This property is commented out by default.
UserQueryFilter	Specifies the LDAP filter used to search for LDAP User objects. The filter argument is the SSO user name. For example: UserQueryFilter = "(&(objectClass=user)(sAMAccountName={0}))"; NOTE: If this property is not set, the default setting is: UserQueryFilter ="(&(objectClass=user)(sAMAccountName={0}))"
GroupQueryFilter	Specifies the LDAP filter used to search for LDAP User groups. The filter argument is the LDAP User DN. For example, to import direct groups: GroupQueryFilter = "(&(objectclass=group)(member={0}))"; For example, to import all nested groups: GroupQueryFilter = "(&(objectclass=group)(member:1.2.840.113556.1.4.1941:={0}))"; If this property is not set, then the default value is GroupQueryFilter = "(&(objectclass=group)(member={0}))"

Set these properties to enable Windows® SSO. Foglight Windows® SSO retrieves LDAP User group information from the LDAP server. The LDAP URL is generated from the krb5.conf kdc setting.

•

krb5.config

The krb5.config file contains standard Kerberos configuration information. Foglight supports the configuration of multiple domains.See the following URL for detailed information about the settings:

http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html


	NOTE: The first KDC in krb5.conf will be used as the LDAP server for the related domain by default. If that is not appropriate you should configure LDAP URLs for each of their domains relevant to Foglight SSO in the LDAPURLOverides element in krb5-auth.config.

Configure your web browser to support Windows Single Sign-on

Most web browsers include extensions that allow Foglight users to participate in a Kerberos-based single sign-on (SSO) environment. This environment relies on the SPNEGO (Simple and Protected GSS-API Negotiation Mechanism) authentication mechanism. To enable this feature, configure your web browser to support SPNEGO authentication.


	IMPORTANT: Only Microsoft® Internet Explorer®, Google Chrome™, and Mozilla® Firefox® browsers can be configured to support SPNEGO authentication currently.

To configure Internet Explorer to enable SPNEGO authentication:

Start Internet Explorer.

From the Tools menu, navigate to Internet Options > Advanced > Security.

Scroll down to the Security section. Select the option: Enable Integrated Windows Authentication (requires restart).

From the Tools menu, select Internet Options > Security > Local Intranet > Sites > Advanced.

Add one of the following:

•

An entry for the application server.

•

A list entry that globally includes the domain of the application server. For example: http://*.example.com

Select Local Intranet > Custom Level.

Select the Security Settings > User Authentication option for Automatic logon only in Internet Zone option.

Restart Internet Explorer.

To configure Chrome to enable SPNEGO authentication on a machine running a Windows OS:

For complete details, see the Chrome documentation at: http://www.chromium.org/developers/design-documents/http-authentication.

From the Start menu, open the Control Panel.

Select Internet Options.

Select the Security tab.

Click Local Intranet > Sites > Advanced.

Type the domain of the application server in the box (for example: “*.example.com”), and click Add.

Click OK to close all the dialog boxes.

To configure Chrome to enable SPNEGO authentication on a machine running Linux or Chromium:

For complete details, see the Chrome documentation at: http://www.chromium.org/developers/design-documents/http-authentication.

•

Customize the launcher for your desktop.

Add the following parameter to the command-line:

--auth-server-whitelist=“.example.com”

where “.example.com” is the domain of the application server.

To configure Firefox to enable SPNEGO authentication:

For complete details, see the Firefox documentation at https://developer.mozilla.org/en-US/docs/Integrated_Authentication.

Start Firefox.

In the address bar of a blank tab, type about:config.

If prompted, click “I’ll be careful, I promise!”.

A list of entries appears in the Firefox window.

In the Filter field, type: negotiate. Locate the entry network.negotiate‑auth.trusted‑uris. This entry is used to configure the sites that are permitted to engage in SPNEGO authentication with Firefox.

Double click network.negotiate‑auth.trusted‑uris.

In the dialog box that opens, type the URL that you use to access the Foglight browser interface.

Click OK to close the dialog box, and restart Firefox to enable the new configuration.

Migrate to Windows SSO from VSJ SSO

If you were using the VSJ SSO implementation in earlier versions of Foglight, you must migrate to the new Windows OS-based SSO.

To migrate to Windows OS-based SSO from VSJ SSO:

Make a backup of the vsj.properties file before you upgrade Foglight. You can find this file in the following location:
<foglight_home>/server/default/deploy-foglight/console.war/WEB-INF/vsj.properties

Upgrade Foglight to the latest version.

If there is no keytab file configured in the VSJ SSO, create the keytab file first using the ktpass command, as described in Configure Active Directory to support Windows Single Sign-on.

Edit the krb5-auth.config file to set the properties described in the following table.

Table 2. VSJ properties and the corresponding krb5-auth.config properties
vsj.properties	krb5-auth.config
idm.princ	Principal
idm.keytab	Keytab
idm.ad.qualifyUserPrincipal	QualifyUserPrincipal

Edit the krb5.config file. Set the realm name to the vsj.properties idm.realm value.

After you configure Windows® SSO, log in to your Active Directory® domain, start your web browser, and navigate to the Foglight browser interface. You are no longer required to provide your user name and password on the login page. The Management Server now uses your Kerberos credentials to log you in to the Foglight browser interface and grant you permissions associated with your Active Directory® account. This configuration allows you to bypass the common login page.

If you want to log in to the browser interface using an internal Foglight user account instead of your Windows account (for example, foglight/foglight), you have two options.

•

If you are already in the browser interface, click Sign Out to navigate to the login page. Now you can enter the desired user name and password.

•

Start your web browser and navigate to: http://<host>:<port>/console/?nowinsso
where host and port are the name of the machine on which the Management Server is running and the browser interface port number.

Manage Licenses

Install licenses

Installing a license enables you to access any features that are defined in the license file for a specific length of time.

To install a license, do either of the following:

•

To install with a license file:

On the navigation panel, under Dashboards, click Administration > Setup > Manage Licenses.

Click Install.

In the Install License dialog box, click Browse.

In the file browser, specify the location of the license file.

In the Install License dialog box, click Install License.

After a few moments, the Install License dialog box closes, and the Manage Licenses dashboard refreshes, showing the newly installed license in the list.

When the Management Server reads the license file, it stores it in the database and no longer requires the actual file.

•

To install a Subscription License:

On the navigation panel, under Dashboards, click Administration > Setup > Manage Licenses.

Click Install Subscription License.

In the Install Subscription License dialog box, input the Subscription License Number and click Install License.

After a few moments, the Install License dialog box closes, and the Manage Licenses dashboard refreshes, showing the newly installed license in the list.

View license contents

The top part of the Manage Licenses dashboard provides an overview of the licensed capabilities currently enabled on the server. Installing a Foglight license enables the capabilities that are defined in the license file.

To view license contents:

On the navigation panel, under Dashboards, click Administration > Setup > Manage Licenses.

Observe the top part of the Manage Licenses dashboard.

This area lists the capabilities covered by the installed licenses.

An icon appears to the right of each capability, indicating if the capability is enabled or disabled, while Cartridge License Name lists those cartridges that are currently licensed.

Observe the state of your license. Each license in the list includes an icon in the second column from the left that indicates if the license is expired

, is active

, or is expiring in the next 30 days

. Use this indicator to quickly identify any licenses that you need to renew, to prevent Foglight from disabling access to the capabilities provided by your license agreement.

Find out which capabilities each individual license provides. In the list of installed licenses, observe the Capabilities column. This column shows a set of icons, each representing a licensed capability.

Hovering over an icon shows a tool tip with the name of the capability the icon represents.

If a license file covers one or more agents, it shows the agent icon

in the Capabilities column. Hovering over that icon displays a tool tip that contains the agent name along with the number of licensed agents.

Export License Usage

Users can export a license usage report by clicking the Export License Usage button.

To export a license usage report:

On the navigation panel, under Dashboards, click Administration > Setup > Manage Licenses.

Click Export License Usage and click Export.

A license usage report will be generated, including both subscription licenses and Evolve licenses. The default time range is one year.

Delete licenses

Deleting a license disables the features defined in the license.

To delete a license:

On the navigation panel, under Dashboards, click Administration > Setup > Manage Licenses.

On the Manage Licenses dashboard, in the area that lists installed licenses, select a row containing the license that you want to delete.

Click Delete.

In the License Confirmation dialog box, click OK.

The License Confirmation dialog box closes. The top part of the Manage Licenses dashboard refreshes, indicating the change of licensed components. For example, deleting a server master license file results in one or more components being disabled.

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

Foglight 6.1.0 - Administration and Configuration Guide

Retrieving Data with Scripts and Queries

Online-Only Topics

Logging in

Manage Licenses