Chat now with support
Chat with Support

Foglight Agent Manager 5.9.1 - Foglight Agent Manager Guide

Configuring the embedded Agent Manager Installing external Agent Managers
Understanding how the Agent Manager communicates with the Management Server Deploying the Agent Manager cartridge Downloading the Agent Manager installer Installing the Agent Manager Starting or stopping the Agent Manager process Frequently asked questions
Configuring the Agent Manager Advanced system configuration and troubleshooting
Configuring Windows Management Instrumentation (WMI) Configuring Windows Remote Management (WinRM) UNIX- and Linux-specific configuration
Monitoring the Agent Manager performance Deploying the Agent Manager to large-scale environments

Configuring credentials

The Management Server includes a credential management system that enables you to create, store, and manage credentials through the Foglight browser interface.

Different cartridges support different types of credentials. Some cartridges, for example, support the use of Windows® and UNIX® credentials, while others can only authenticate local users. The credential type determines which parts of the monitored system are used to connect to a resource, such as host names or IP addresses. For complete information about cartridge-specific credential types, see your cartridge documentation.

Credentials are encrypted and stored in lockboxes. Lockboxes are released to credential clients, such as the Agent Manager. Agents, in turn, request credentials from the Agent Manager.

For detailed information about managing credentials in Foglight, see “Controlling System Access with Credentials” in the Administration and Configuration Guide.

Foglight agents need access to credentials when monitoring systems that require credential verification. Credential information consists of a name, type, policies, and resource mappings. You can create and manage credentials through the Management Server browser interface.

Foglight supports the following commonly used credential types:
Challenge Response: Uses one or more challenge and response pairs to grant access without requiring any interaction in the browser interface. The answers are sent by the agent as part of the agent configuration.
Domain, User Name, and Password (Windows): Requires a user name and password to access a monitored resource. The domain name is optional.
 
* 
IMPORTANT: When specifying a domain name in this credential type, a fully qualified domain name is required. Failing to use a fully qualified domain name may prevent the Agent Manager from establishing a connection to a remote monitored resource. For example, if the full domain name is prod.example.com, use prod.example.com as the domain name instead of just prod, when configuring the credential.
DSA Key: Uses the Digital Signature Algorithm (DSA) Key for authentication.
RSA Key: Uses the RSA (Rivest, Shamir, and Adleman) Key for authentication.
Use Client’s Login At Connection Time: Uses the currently logged in user’s account to access secured resources. This is not the user currently logged into the Management Server, but the user under which the credential client is running. For example, a credential provided to an Agent Manager instance launched by a user on a remote machine, causes the connection to the secured resource to be made using this user’s identity.
User Name: Requires a user name to access a monitored resource.
User Name and Password: Requires a user name and password to access a monitored resource.

Each credential can have one or more authentication policies, based on the desired usage count, failure rate, the time range during which the credential can be used, and the amount of time during which the credential information is cached locally. Credentials can apply to specific parts of the monitored environment, such as hosts and ports. Resource mappings identify secured resources. The mappings typically contain a combination of literal expressions, regular expressions, or an IP address range.

For more information about creating and managing credentials, including detailed examples of configuring a credential, see “Exploring the Manage Credentials Dashboard” in the Foglight Administration and Configuration Guide.

Managing lockboxes

A lockbox can be password-protected, and contains a collection of credential keys used for encryption and decryption. A lockbox can encrypt one or more credentials. All lockboxes, except the System lockbox, are password-protected.

You can create, edit, and manage lockboxes, change their passwords, and release them to credential clients (such as the Agent Manager) using the Manage Lockboxes dashboard in the Management Server browser interface.

Releasing lockboxes to the Agent Manager

Each lockbox in the Management Server contains a set of credentials and keys for their encryption and decryption. Credentials are released to the Agent Manager unencrypted. When a lockbox is released to the Agent Manager, the Agent Manager passes the credential information to its agents. The agents use this information to establish connection with target resources.

When you start the Agent Manager without having first released a lockbox to it from the Management Server, the following message appears in the startup log:

INFO The Credential Manager has not been assigned any lockboxes. Lockboxes are used to decrypt credentials received as a result of an Agent Credential Query. Without any lockbox assignments, credentials received within a credential query result-set will be discarded. You can grant lockboxes to this Agent Manager through the Credential Administrator on the Server.

The lockbox you release to the Agent Manager must contain the credentials necessary for the agents to access the monitored resources.

 
* 
CAUTION: Any agents that have access to an Agent Manager with a released lockbox can potentially query and obtain credential information stored within that lockbox.
To release a lockbox to the Agent Manager:
1
Log in to the Foglight browser interface.
2
On the navigation panel, click Dashboards > Administration > Credentials > Manage Lockboxes.
3
On the Manage Lockboxes dashboard, in the row containing the lockbox that you want to release, click the Release to Credential Clients icon.
4
In the Release Lockbox to Credential Clients dialog box, type the lockbox password (if one exists) and select one or more credential clients (that is, Agent Managers) for lockbox release.
Figure 2. Release Lockbox to Credential Clients dialog box
 
* 
IMPORTANT: The System lockbox that is included by default with the Management Server is not password-protected. Its contents are accessible to all clients in your system.
5
Click Release.
The Release Lockbox to Credential Clients dialog box closes, indicating success.
6
Optional—ensure the Credential Clients column is populated.
a
Using the breadcrumb trail, return to the main Credentials dashboard, and navigate to the View Clients dashboard.
b
On the View Clients dashboard, ensure that the Show lockboxes currently assigned to each client check box is selected.
 
* 
NOTE: This functionality consumes server resources. It can be significant depending on the size of your client list.
The view refreshes, with the Assigned Lockboxes column populated.
c
Return to the main Credentials dashboard.
d
Navigate to the Manage Lockboxes dashboard.
e
On the Manage Lockboxes dashboard, observe the Credential Clients column of the newly released lockbox entry. The column lists the credential clients to which the lockbox is assigned.

When the lockbox is released to the Agent Manager, any credentials that are later added to the same lockbox are also accessible to the Agent Manager and its monitored agents.

Troubleshooting

This section provides information about problems that you may encounter while running the Agent Manager and describes the solutions available for these problems.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating