Foglight Experience Monitor 5.8.1 - Installation and Administration Guide

Global user account options

The User Accounts page > User Account Options section provides several global settings that affect all web console users:

Section User account management presents the three main categories of appliance users (Administrative, General, and Guest) and their corresponding system types. Guest accounts are typically created for users whose only interest is viewing report sets that have been created by others.

By default, the Restrict guest account navigation option on the User Accounts page is disabled. This means the user’s menu options expand to include the viewing of metrics, resource lists, and the alarm log.

When Guest type users are not restricted, they can also view resources, metrics, and the alarm log.

If the Restrict guest account navigation option is enabled, any user whose profile is of type Guest is only able to view report sets. Other commands normally accessed via the menus are not available.

As is the case with General type users, Guest users cannot create report sets; however, while General users are able to create alarm profiles, Guest users still do not have this feature available to them.

You can enforce the use of strong passwords for all user accounts. On the User Accounts page, the Enforce strong passwords option allows you to require strong passwords whenever new accounts are created or existing users modify their passwords. If you modify this option after some user accounts have been created with passwords that are not considered strong, those users are still be able to log in to the system.

The default password only requires that passwords consist of five characters.

The strong password policy requires that passwords do not contain the user account name, and must contain characters from at least three of the four following character types:

The password expiration policy causes user passwords to expire after a defined period of time. An administrator can configure the password expiration length (number of days).

If a user attempts to log in to the web console using an expired password, a warning message appears; the user is authenticated and prompted to change the password immediately.

If a user attempts to log in through the attached terminal using an expired password, the following message appears:

If a user attempts to log in through SSH using an expired password, he is not authenticated and, therefore, cannot change the password that way. The system displays the following message:

In either situation, users must log in through the web console to change an expired password or have an administrator change the password for them.

NOTE: Administrators can always change the password of a user whose password has expired.

By default, the Expire passwords after X days option on the User Accounts page is disabled.

A session expiration policy can be configured for the web console, SSH, and terminal sessions in order to force sessions to terminate after a defined period of time. An administrator can configure this expiration period.

In the web console, when a session expires, users are redirected to the login page, where they must re-enter their login name and password. Terminal sessions will terminate and the user will be presented with a login prompt. SSH sessions and database are dropped.

By default, the Expire web console, terminal, database and SSH session after X minutes of inactivity option on the User Accounts page is disabled.

Administrators can define a policy to enforce a minimum length for passwords for all user accounts.

By default, the Minimum password length option is set to 5.

Increasing security for user account management and access privileges

Some organizations require enhanced security for user account management. In these environments, you can activate the appliance’s security profile, called lockdown mode. This optional mode separates user account management and access privileges between users of the web console and network or system administrators.

Lockdown mode implements the following changes to the appliance software and the web console.

You activate lockdown mode by running a script from the command line.

IMPORTANT: Once activated, this mode cannot be deactivated.

NOTE: If you attempt to restore a backup created before lockdown mode was enabled, it causes issues. To avoid confusion, you may want to discard the pre-lockdown backups.

After activating lockdown mode, the setup account no longer has SSH enabled, and the support account no longer has access to the console program. Therefore, the process for remotely accessing the appliance and its console program changes. Now when using SSH, you must log in as the support user, and then at the command line, switch to the setup account to launch the console program.

Security settings on the appliance

You can manage security settings for the appliance on the Security page accessed by clicking Configure > Appliance > Security in the menu.

From this page you can configure the appliance web server to use Secure Sockets Layer (SSL).

NOTE: If your organization requires enhanced security for user account management, see Increasing security for user account management and access privileges.

For more information, see these topics:

Configuring the web server to use SSL

This section outlines how to configure the appliance’s web server to use Secure HTTP. To configure the appliance to monitor secure HTTP traffic with the web servers it is monitoring, see Configuring SSL keys.

IMPORTANT: From this point on, in order to access the web console, you must use HTTPS in your web browser address box instead of HTTP.

Use the Disable SSL button in the “Configure Web Server or SSL” section to reset the appliance’s web server to HTTP.