Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Foglight 5.9.5 - Security and Compliance Guide

Table of Contents

Security overview

Foglight security measures Customer security measures Security features in Foglight

Service accounts

Agent credentials

Foglight users and groups Role-based access control Password policies

Setting password complexity levels

Required privileges

Installing Foglight Management Server Running Foglight Management Server Installing agent Components Manual database configuration

Controlling remote system access with credentials Protection of data collection infrastructure

Installation of data collection clients Agents requiring privilege escalation

Protection of stored data

Credentials for Foglight users LDAP credentials Management Server repository database credentials Foglight agent credentials Database repository

Protection of communicated data

Web application security Communication between Management Server and agents Communication between Management Server and clients Communication between Management Server and Java EE technology agents Communication between Management Server and XML over HTTP(S) agents Communication between Management Server and repository database

Enabling FIPS 140-2 mode for HTTPS traffic Network ports

Default port assignments Agent adapter ports Client communication

Configuration parameters Audit log Log files Masking sensitive input data Uninstalling Foglight IPv6 Monitoring patches for the embedded database Daylight savings time extension QuestClick scripts Understanding the Foglight platform's relationship to Java "Clickjacking" vulnerability

Security features for APM appliances

Overview of APM appliances Trust model Multiple layers of defense

Layer 1: Firewall Layer 2: Port scan detection and blocking tool Layer 3: Customized operating system distribution Layer 4: Apache Tomcat server configuration

Restricted access to appliances

No root access User authentication on appliances Secure remote access Restricted network ports for appliances Defense against Denial-of-Service attacks

Logs for appliances Data entry validation for APM dashboards Installation of upgrades and patches Customer data protection on appliances

Restricted access to sensitive captured data Secure data storage in the Archiver database Secure data transfer between software components Secure use of customers' private keys

Usage feedback Appendix: FISMA compliance

NIST 800-53 categories

Enabling FIPS 140-2 mode for HTTPS traffic

Some customers require that all network traffic be protected with FIPS 140-2 compliant ciphers. The following procedure can be used to configure the Foglight® Management Server to permit the use of specific TLS cipher suites only for communications with its Web server (all traffic over HTTPS).


	NOTE: Enabling this configuration causes Foglight to accept only the cipher suites listed explicitly below.

To enable FIPS 140-2 mode for HTTPS traffic:

1

On the Management Server, open the <foglight_home>/server/tomcat/server.xml file for editing.

2

In the server.xml file, locate the following Connector element:

<Connector executor="tomcatThreadPool" maxHttpHeaderSize="8192"

URIEncoding="UTF-8" scheme="https" secure="true" SSLEnabled="true"

clientAuth="false" keystoreFile="../../config/tomcat.keystore"

keystorePass="password" sslProtocol="TLS"

sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" bindOnInit="false" />

3

Add the following ciphers attribute to the Connector element:

ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,

TLS_DHE_DSS_WITH_AES_128_CBC_SHA,

TLS_RSA_WITH_AES_256_CBC_SHA,

TLS_DHE_RSA_WITH_AES_256_CBC_SHA,

TLS_DHE_DSS_WITH_AES_256_CBC_SHA,

TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,

TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,

TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,

TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,

TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,

TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,

TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,

TLS_RSA_WITH_3DES_EDE_CBC_SHA,

TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"

4

Restart the Management Server.

Network ports

The Foglight® installation process allows you to configure port assignments. The default ports are displayed during installation.

Default port assignments

Table 2. Foglight® Management Server default port assignments
Port Name	Port Number	Outgoing/Incoming
Embedded DB	TCP 15432	Incoming/Outgoing
HTTP	TCP 8080	Incoming
HTTPS	TCP 8443	Incoming
High Availability	UDP 45566 TCP 7800	Incoming/Outgoing
Federation RMI	TCP 1099	Incoming/Outgoing
Federation RMI Service	TCP 4444	Incoming/Outgoing NOTE: Note: If your Federation Master Server is installed behind the firewall, you must configure this port on the Federation Child Server to set up the connection with the server.
QP5	TCP 8448	Incoming/Outgoing

High Availability (HA) refers to running a secondary instance of Foglight as a failover backup server (redundant mode). Foglight listens to the multicast port (45566) only when configured for HA mode.

Table 3. Ports used when Foglight is installed with an external database
Port Name	Port Number	Outgoing/Incoming
External PostgreSQL®	5432	Outgoing
Microsoft® SQL Server®	1433	Outgoing
Oracle®	1521	Outgoing
MySQLTM	3306	Outgoing

Agent adapter ports

Table 4. Agent adapter ports used when configuring the Foglight Administration Console
Port Name	Port Number	Outgoing/Incoming
Agent Manager	8080	Incoming
Agent Manager over SSL	8443	Incoming
Java EE Technology Agent	41705	Incoming

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center