
Foglight Experience Monitor 5.8.1 - User Guide


Global user account options

The User Accounts page > User Account Options section provides several global settings that affect all web console users:

Section User account management presents the three main categories of appliance users (Administrative, General, and Guest) and their corresponding system types. Guest accounts are typically created for users whose only interest is viewing report sets that have been created by others.

By default, the Restrict guest account navigation option on the User Accounts page is disabled. This means the user’s menu options expand to include the viewing of metrics, resource lists, and the alarm log.

When Guest type users are not restricted, they can also view resources, metrics, and the alarm log.

If the Restrict guest account navigation option is enabled, any user whose profile is of type Guest is only able to view report sets. Other commands normally accessed via the menus are not available.

As is the case with General type users, Guest users cannot create report sets; however, while General users are able to create alarm profiles, Guest users still do not have this feature available to them.

You can enforce the use of strong passwords for all user accounts. On the User Accounts page, the Enforce strong passwords option allows you to require strong passwords whenever new accounts are created or existing users modify their passwords. If you modify this option after some user accounts have been created with passwords that are not considered strong, those users are still able to log in to the system.

The default password policy only requires that passwords consist of five characters.

The strong password policy requires that passwords do not contain the user account name, and must contain characters from at least three of the four following character types:

The password expiration policy causes user passwords to expire after a defined period of time. An administrator can configure the password expiration length (number of days).

If a user attempts to log in to the web console using an expired password, a warning message appears; the user is authenticated and prompted to change the password immediately.

If a user attempts to log in through the attached terminal using an expired password, the following message appears:

If a user attempts to log in through SSH using an expired password, he is not authenticated and, therefore, cannot change the password that way. The system displays the following message:

In either situation, users must log in through the web console to change an expired password or have an administrator change the password for them.

By default, the Expire passwords after X days option on the User Accounts page is disabled.

A session expiration policy can be configured for the web console, SSH, and terminal sessions in order to force sessions to terminate after a defined period of time. An administrator can configure this expiration period.

In the web console, when a session expires, users are redirected to the login page, where they must re-enter their login name and password. Terminal sessions terminate and the user is presented with a login prompt. SSH and database sessions are dropped.

By default, the Expire web console, terminal, database and SSH session after X minutes of inactivity option on the User Accounts page is disabled.

Administrators can define a policy to enforce a minimum length for passwords for all user accounts.

By default, the Minimum password length option is set to 5.

Increasing security for user account management and access privileges

Some organizations require enhanced security for user account management. In these environments, you can activate the appliance’s security profile, called lockdown mode. This optional mode separates user account management and access privileges between users of the web console and network or system administrators.

Lockdown mode implements the following changes to the appliance software and the web console.

Splits user account management. The user accounts setup and support are now special administrative accounts that cannot be managed through the web console.
Restricts SSH access to the support account only.
Adds Change Setup Account Password and Change Support Account Password options to the account management page for the setup account.
Removes the ability to access the shell by hiding the Remove Shell Access From Console and Access Shell options.
Modifies the Enable/Disable SSH option so that it is only available for the support account.

You activate lockdown mode by running a script from the command line.

The setup user account exists. The account must have console program access enabled and web console access disabled.
The support user account exists. The account must have SSH access enabled.
3. Select Advanced Options, then More Advanced Options.
4. Select Access Shell.
5. On the command line, run: /usr/local/ecrit/lockdown.sh

After activating lockdown mode, the setup account no longer has SSH enabled, and the support account no longer has access to the console program. Therefore, the process for remotely accessing the appliance and its console program changes. Now when using SSH, you must log in as the support user, and then at the command line, switch to the setup account to launch the console program.

A command prompt appears. When logged in as support, there is no access to directories and an extremely limited ability to run commands.
4. Log in as the setup user.

Security settings on the appliance

You can manage security settings for the appliance on the Security page accessed by clicking Configure > Appliance > Security in the menu.

Figure 20. Security page

From this page you can configure the appliance web server to use Secure Sockets Layer (SSL).

For more information, see these topics:

Configuring the web server to use SSL

This section outlines how to configure the appliance’s web server to use Secure HTTP. To configure the appliance to monitor secure HTTP traffic with the web servers it is monitoring, see Configuring SSL keys.

1. In the SSL Certificate Key File box, click Browse and locate the key file.
2. In the SSL Certificate File box, click Browse and locate the certificate file.
3. Once both files have been located, click Enable SSL to switch the appliance’s web server to use Secure Sockets Layer.

Use the Disable SSL button in the “Configure Web Server or SSL” section to reset the appliance’s web server to HTTP.
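
Before uploading, it is worth confirming that the key file and certificate file from steps 1 and 2 belong together and that the certificate has not expired. The following check is an added example, not part of the product or its documentation; it assumes PEM-encoded files and the openssl command-line tool on the administrator's workstation, and the function name check_cert_key_pair is hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the product documentation): sanity-check the key file
# and certificate file before selecting them on the Security page.
# Assumptions: both files are PEM-encoded and the openssl CLI is installed.

# check_cert_key_pair CERT KEY   (hypothetical helper name)
# Prints a one-word verdict and returns:
#   0 match     key and certificate carry the same public key, cert not expired
#   1 mismatch  the certificate was issued for a different key
#   2 bad-cert  certificate file cannot be parsed
#   3 bad-key   key file cannot be parsed without a passphrase
#   4 expired   pair matches but the certificate's notAfter date has passed
check_cert_key_pair() {
    cert_file=$1
    key_file=$2

    # Public key embedded in the certificate, as PEM SubjectPublicKeyInfo.
    cert_pub=$(openssl x509 -in "$cert_file" -noout -pubkey 2>/dev/null) \
        || { echo "bad-cert"; return 2; }

    # Public key derived from the private key. The empty -passin value makes
    # openssl fail instead of prompting when the key is passphrase-protected.
    key_pub=$(openssl pkey -in "$key_file" -pubout -passin pass: 2>/dev/null) \
        || { echo "bad-key"; return 3; }

    # Compare the derived public keys, not the raw file contents.
    [ "$cert_pub" = "$key_pub" ] || { echo "mismatch"; return 1; }

    # -checkend 0 exits non-zero if the certificate has already expired.
    openssl x509 -in "$cert_file" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "expired"; return 4; }

    echo "match"
}

# Run against real files only when two paths are given on the command line.
if [ "$#" -eq 2 ]; then
    check_cert_key_pair "$1" "$2"
fi
```

Run it on the workstation that holds the files, passing the certificate path first and the key path second; only the verdict is printed, never key material.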
