The Management Server includes a credential management system that enables you to create, store, and manage credentials through the Foglight™ browser interface.Different cartridges support different types of credentials. Some cartridges, for example, support the use of Windows® and UNIX® credentials, while others can only authenticate local users. The credential type determines which parts of the monitored system are used to connect to a resource, such as host names or IP addresses. For complete information about cartridge-specific credential types, see your cartridge documentation.Credentials are encrypted and stored in lockboxes. Lockboxes are released to credential clients, such as the Agent Manager. Agents, in turn, request credentials from the Agent Manager.For detailed information about managing credentials in Foglight, see “Controlling System Access with Credentials” in the Administration and Configuration Guide.Foglight agents need access to credentials when monitoring systems that require credential verification. Credential information consists of a name, type, policies, and resource mappings. You can create and manage credentials through the Management Server browser interface.
• Challenge Response: Uses one or more challenge and response pairs to grant access without requiring any interaction in the browser interface. The answers are sent by the agent as part of the agent configuration.
• Domain, User Name, and Password (Windows): Requires a user name and password to access a monitored resource. The domain name is optional.
IMPORTANT: When specifying a domain name in this credential type, a fully qualified domain name is required. Failing to use a fully qualified domain name may prevent the Agent Manager from establishing a connection to a remote monitored resource. For example, if the full domain name is prod.example.com, use prod.example.com as the domain name instead of just prod, when configuring the credential.
• DSA Key: Uses the Digital Signature Algorithm (DSA) Key for authentication.
• RSA Key: Uses the RSA (Rivest, Shamir, and Adleman) Key for authentication.
• Use Client’s Login At Connection Time: Uses the currently logged in user’s account to access secured resources. This is not the user currently logged into the Management Server, but the user under which the credential client is running. For example, a credential provided to an Agent Manager instance launched by a user on a remote machine, causes the connection to the secured resource to be made using this user’s identity.
• User Name: Requires a user name to access a monitored resource.
• User Name and Password: Requires a user name and password to access a monitored resource.Each credential can have one or more authentication policies, based on the desired usage count, failure rate, the time range during which the credential can be used, and the amount of time during which the credential information is cached locally. Credentials can apply to specific parts of the monitored environment, such as hosts and ports. Resource mappings identify secured resources. The mappings typically contain a combination of literal expressions, regular expressions, or an IP address range.For more information about creating and managing credentials, including detailed examples of configuring a credential, see “Exploring the Manage Credentials Dashboard” in the Foglight Administration and Configuration Guide.
A lockbox can be password-protected, and contains a collection of credential keys used for encryption and decryption. A lockbox can encrypt one or more credentials. All lockboxes, except the System lockbox, are password-protected.
Each lockbox in the Management Server contains a set of credentials and keys for their encryption and decryption. Credentials are released to the Agent Manager unencrypted. When a lockbox is released to the Agent Manager, the Agent Manager passes the credential information to its agents. The agents use this information to establish connection with target resources.When you start the Agent Manager without having first released a lockbox to it from the Management Server, the following message appears in the startup log:INFO The Credential Manager has not been assigned any lockboxes. Lockboxes are used to decrypt credentials received as a result of an Agent Credential Query. Without any lockbox assignments, credentials received within a credential query result-set will be discarded. You can grant lockboxes to this Agent Manager through the Credential Administrator on the Server.The lockbox you release to the Agent Manager must contain the credentials necessary for the agents to access the monitored resources.
2 On the navigation panel, click Dashboards > Administration > Credentials > Manage Lockboxes.
3 On the Manage Lockboxes dashboard, in the row containing the lockbox that you want to release, click the Release to Credential Clients icon.
4 In the Release Lockbox to Credential Clients dialog box, type the lockbox password (if one exists) and select one or more credential clients (that is, Agent Managers) for lockbox release.
5 Click Release.The Release Lockbox to Credential Clients dialog box closes, indicating success.
6 Optional—ensure the Credential Clients column is populated.
a Using the breadcrumb trail, return to the main Credentials dashboard, and navigate to the View Clients dashboard.
b On the View Clients dashboard, ensure that the Show lockboxes currently assigned to each client check box is selected.
The view refreshes, with the Assigned Lockboxes column populated.
c Return to the main Credentials dashboard.
d Navigate to the Manage Lockboxes dashboard.
e On the Manage Lockboxes dashboard, observe the Credential Clients column of the newly released lockbox entry. The column lists the credential clients to which the lockbox is assigned.