
Foglight for Virtualization Enterprise Edition 8.7 - Administration and Configuration Guide


Retrieving Data with the REST API

The Foglight REST API is an application programming interface (API) that uses HTTP requests to GET, PUT, POST, and DELETE data. REST APIs are protected by authentication, which means you need to retrieve an access token before using them. For more information about the Foglight REST API, refer to the Foglight REST API Reference Guide.

Retrieving Data with Scripts and Queries

In some cases, you may be required to run scripts, at the request of Quest Support, or for other maintenance functions. You can use the Script Console dashboard to test sample scripts. This dashboard is accessible to users with the Administrator and Cartridge Developer roles only. To access this dashboard, from the navigation panel, click Dashboards > Administration > Tooling > Script Console.

 

Online-Only Topics

Learn more about:

Logging in

The browser interface supports most web browsers, such as Internet Explorer and Mozilla Firefox. Before you log in, ensure that your Management Server and any Foglight agent instances are up and running and adjust your browser settings.

For example, on Windows platforms, you can start the Management Server by clicking Start > Programs > Quest > Foglight #.#.# > Start Foglight.
To start the Foglight Agent Manager, you can start its process either by issuing the fglam command (Unix or Windows) or starting its Windows service (Windows only).
http://localhost:8080/console
Where localhost is the name of the machine that has a running instance of the Management Server.
a. In the Foglight login page, in the User box, type your Foglight user name.
b. In the Password box, type your Foglight password.
c. Click Login.
If your Management Server has a valid license, the Welcome to Foglight or the Environment Overview page appears in the browser interface.
Navigation panel shows the dashboards that you have access to, based on the roles associated with your user account.
Display area contains the current dashboard. When you log in to Foglight, the Welcome page appears in the display area. After clicking a dashboard entry in the navigation panel, the display area shows the selected dashboard.
Action panel includes any actions that you can perform in the selected dashboard.
If your user account includes the Administration role, in the Unlicensed Server View, click Install a License. In the Manage Licenses dashboard that appears, install the license for the Management Server. For more information, see Install licenses.

From here, after a successful login, you can explore the Administration dashboards in the browser interface.

The Management Server supports integration with external LDAP directories. In a Kerberos-based environment, such as Microsoft® Active Directory®, most web browsers can authenticate users against the web server using their current credentials.

When this feature is configured, if you log in to a machine running a Windows® OS and then log in to the browser interface, the Management Server uses your Windows account credentials to authenticate you as a Management Server user.

You can also import all of the related groups from Active Directory and map the groups to Management Server roles, to control user permissions in the browser interface.

Complete the following configuration steps to enable the Windows single sign-on (SSO) feature:

If you were using the VSJ SSO that was provided in earlier versions of Foglight, you must also migrate your settings to the Windows OS-based SSO. For more information, see Migrate to Windows SSO from VSJ SSO.

Microsoft® Active Directory® provides a directory service supporting the Lightweight Directory Access Protocol (LDAP), and a Kerberos KDC (key distribution center) to authenticate users. It allows organizations to share and manage information about users and network resources. When properly configured, Active Directory® provides an SSO environment that can be integrated with the standard Windows® OS desktop login.

TIP: When setting up the Kerberos Service Principal Name (SPN), use the following instructions to create mappings between the user account and SPNs, and to create a keytab file to configure in krb5-auth.config. For example:

ktpass -princ HTTP/<fmshost.example.com>@REALM -mapuser "<domain>\<user>" -pass <password> -out <keytabFilePath>

And:
Use setspn to set up the mapping for just the host name. For example:

setspn -A HTTP/<fmshost> <user>
NOTE: Duplicate SPNs cause Kerberos authentication to return an NTLM token and fall back to Form authentication. To search for duplicate SPNs:
setspn -X -F
If you locate duplicate SPNs for “HTTP/<fmshost>”, you can remove them with the following command:
setspn -d HTTP/<fmshost> <user>

Foglight provides SSO for the Management Server using Active Directory® as its identity store. It includes an enterprise-wide method of identification and authorization that can be administered in a consistent and transparent manner. This method allows users to access only those Management Server components for which they are authorized.

Enabling the Windows® SSO feature in Foglight requires the configuration of the following components:

Krb5ConfigFilePath

Location of the Kerberos configuration file.

Principal

The Active Directory® service principal.

QualifyUserPrincipal

Include the Active Directory® Domain name in the user principal name.

Keytab

The keytab file of the service principal specified above.

LDAPURLOverrides

If there is a connection issue with the default LDAP URL, use the LDAPURLOverrides property to override the default setting.

This property specifies the LDAP URL to be used by the server for retrieving group membership information for SSO users.

By default, the server gets the LDAP URL from krb5.config (see the Krb5ConfigFilePath property). This property can be used to override that value. The domain name must be set as lowercase ASCII.

For example:

LDAPURLOverrides = {
"domain1" : "ldap://ldap1.example.com",
/regex.*/ : "ldap://ldap2.example.com",
/.*/ : "ldap://ldap3.example.com",
};

QualifyGroupName

Specifies whether the server should append the domain to the group name when importing SSO user-associated groups. The default value is true.

AdditionalContextParameters

Specifies additional context parameters when the Management Server initializes the LDAP context and connects to the LDAP server for retrieving group membership information for SSO users.

For example:

AdditionalContextParameters = {
"java.naming.referral" : "follow",
};

UserQueryFilter

Specifies the LDAP filter used to search for LDAP User objects. The filter argument is the SSO user name.

For example:

UserQueryFilter = "(&(objectClass=user)(sAMAccountName={0}))";

NOTE: If this property is not set, the default setting is:
UserQueryFilter = "(&(objectClass=user)(sAMAccountName={0}))"

GroupQueryFilter

Specifies the LDAP filter used to search for LDAP User groups. The filter argument is the LDAP User DN.

For example, to import direct groups:

GroupQueryFilter = "(&(objectclass=group)(member={0}))";

For example, to import all nested groups:

GroupQueryFilter = "(&(objectclass=group)(member:1.2.840.113556.1.4.1941:={0}))";

If this property is not set, then the default value is:

GroupQueryFilter = "(&(objectclass=group)(member={0}))"
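When a customized UserQueryFilter or GroupQueryFilter is tested by hand against the directory, the value substituted for {0} must be escaped as RFC 4515 requires, otherwise a DN that contains parentheses or a backslash produces an invalid or different filter. The following is an added example, not Foglight code: the function names and the sample user and DN are constructed for illustration, and only the three filter templates come from this page.

```python
import re

# Query filter templates as given in the property descriptions above.
USER_FILTER = "(&(objectClass=user)(sAMAccountName={0}))"
GROUP_DIRECT = "(&(objectclass=group)(member={0}))"
# 1.2.840.113556.1.4.1941 is the Active Directory "matching rule in chain".
GROUP_NESTED = "(&(objectclass=group)(member:1.2.840.113556.1.4.1941:={0}))"

# RFC 4515: characters that must be written as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_SAFE_VALUE = re.compile(r"(?:[^\\*()\x00]|\\[0-9a-fA-F]{2})*")

def escape_filter_value(value):
    """Escape a user name or DN so the directory treats it as a literal."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def expand(template, argument, escape=True):
    """Replace {0} in a filter template; escape=False shows the naive form."""
    value = escape_filter_value(argument) if escape else argument
    return template.replace("{0}", value)

def value_is_literal(value):
    """True if value has no raw filter metacharacters or broken escapes."""
    return _SAFE_VALUE.fullmatch(value) is not None

# Constructed sample inputs (hypothetical): a DN with an escaped comma and
# parentheses, legal in a directory entry but not verbatim inside a filter.
SAMPLE_USER = "jdoe"
SAMPLE_DN = r"CN=Doe\, Jane (Contractor),OU=Staff,DC=corp,DC=example,DC=com"

if __name__ == "__main__":
    print(expand(USER_FILTER, SAMPLE_USER))
    print(expand(GROUP_DIRECT, SAMPLE_DN))
    print(expand(GROUP_NESTED, SAMPLE_DN))
    print("raw DN usable as filter value:", value_is_literal(SAMPLE_DN))
```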

Set these properties to enable Windows® SSO. Foglight Windows® SSO retrieves LDAP User group information from the LDAP server. The LDAP URL is generated from the krb5.conf kdc setting.
The krb5.config file contains standard Kerberos configuration information. Foglight supports the configuration of multiple domains. See the following URL for detailed information about the settings:
NOTE: The first KDC in krb5.conf will be used as the LDAP server for the related domain by default. If that is not appropriate, configure LDAP URLs for each of the domains relevant to Foglight SSO in the LDAPURLOverrides element in krb5-auth.config.
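To see which host each domain will use for LDAP group lookups by default, list the kdc entries per realm in file order. The following is an added example, not part of Foglight: it assumes standard MIT-style krb5.conf syntax, and the sample file, realm names, host names and function names are constructed for illustration.

```python
import re

# Constructed sample krb5.conf; realms and hosts are made up.
SAMPLE_KRB5 = """\
[libdefaults]
    default_realm = CORP.EXAMPLE.COM

[realms]
    CORP.EXAMPLE.COM = {
        kdc = dc1.corp.example.com:88
        kdc = dc2.corp.example.com
        admin_server = dc1.corp.example.com
    }
    LAB.EXAMPLE.COM = {
        kdc = kdc.lab.example.com
    }

[domain_realm]
    .corp.example.com = CORP.EXAMPLE.COM
"""

def kdcs_by_domain(krb5_text):
    """Map each realm (lowercased, as LDAPURLOverrides keys must be) to its
    kdc hosts in file order; the first host is the default LDAP server."""
    domains, section, realm = {}, None, None
    for raw in krb5_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section, realm = line.strip("[]").lower(), None
        elif section != "realms":
            continue
        elif line.endswith("{"):
            realm = line.split("=", 1)[0].strip().lower()
            domains[realm] = []
        elif line.startswith("}"):
            realm = None
        elif realm is not None:
            key, _, value = line.partition("=")
            if key.strip() == "kdc":
                # Drop an optional :port suffix (IPv6 literals not handled).
                domains[realm].append(re.sub(r":\d+$", "", value.strip()))
    return domains

def default_ldap_hosts(krb5_text):
    """Return {domain: first kdc host}, or None where a realm lists no kdc."""
    return {d: (h[0] if h else None) for d, h in kdcs_by_domain(krb5_text).items()}
```

A domain whose first kdc host is not the directory server you want queried is a candidate for an LDAPURLOverrides entry keyed by the lowercase domain name returned here.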

Most web browsers include extensions that allow Foglight users to participate in a Kerberos-based single sign-on (SSO) environment. This environment relies on the SPNEGO (Simple and Protected GSS-API Negotiation Mechanism) authentication mechanism. To enable this feature, configure your web browser to support SPNEGO authentication.

IMPORTANT: Only Microsoft® Internet Explorer®, Google Chrome, and Mozilla® Firefox® browsers can be configured to support SPNEGO authentication currently.
3. From the Tools menu, navigate to Internet Options > Advanced > Security.
4. Scroll down to the Security section. Select the option: Enable Integrated Windows Authentication (requires restart).
5. From the Tools menu, select Internet Options > Security > Local Intranet > Sites > Advanced.
7. Select Local Intranet > Custom Level.
8. Select the Security Settings > User Authentication option for Automatic logon only in Internet Zone option.
2. Select Internet Options.
3. Select the Security tab.
4. Click Local Intranet > Sites > Advanced.
6. Click OK to close all the dialog boxes.
where “.example.com” is the domain of the application server.
5. In the Filter field, type: negotiate. Locate the entry network.negotiate-auth.trusted-uris. This entry is used to configure the sites that are permitted to engage in SPNEGO authentication with Firefox.
6. Double click network.negotiate-auth.trusted-uris.
8. Click OK to close the dialog box, and restart Firefox to enable the new configuration.

If you were using the VSJ SSO implementation in earlier versions of Foglight, you must migrate to the new Windows OS-based SSO.

1. Make a backup of the vsj.properties file before you upgrade Foglight. You can find this file in the following location:
<foglight_home>/server/default/deploy-foglight/console.war/WEB-INF/vsj.properties
4. Edit the krb5-auth.config file to set the properties described in the following table.

Principal

Keytab

QualifyUserPrincipal

5. Edit the krb5.config file. Set the realm name to the vsj.properties idm.realm value.

After you configure Windows® SSO, log in to your Active Directory® domain, start your web browser, and navigate to the Foglight browser interface. You are no longer required to provide your user name and password on the login page. The Management Server now uses your Kerberos credentials to log you in to the Foglight browser interface and grant you permissions associated with your Active Directory® account. This configuration allows you to bypass the common login page.

If you want to log in to the browser interface using an internal Foglight user account instead of your Windows account (for example, foglight/foglight), you have two options.

If you are already in the browser interface, click Sign Out to navigate to the login page. Now you can enter the desired user name and password.
Start your web browser and navigate to: http://<host>:<port>/console/?nowinsso
where host and port are the name of the machine on which the Management Server is running and the browser interface port number.