Configuring the Agent Manager

This section describes how to configure the Agent Manager after installation.

This section covers the following key areas:

Configuring credentials

The Management Server includes a credential management system that enables you to create, store, and manage credentials through the Foglight browser interface. Different cartridges support different types of credentials. Some cartridges, for example, support the use of Windows and UNIX credentials, while others can only authenticate local users. The credential type determines which parts of the monitored system are used to connect to a resource, such as host names or IP addresses. Credentials are encrypted and stored in lockboxes. Lockboxes are released to credential clients, such as the Agent Manager. Agents, in turn, request credentials from the Agent Manager.

Foglight agents need access to credentials when monitoring systems that require credential verification. Credential information consists of a name, type, policies, and resource mappings. You can create and manage credentials through the Management Server browser interface. Foglight supports the following commonly used credential types:

  • Challenge Response: Uses one or more challenge and response pairs to grant access without requiring any interaction in the browser interface. The answers are sent by the agent as part of the agent configuration.
  • Domain, User Name, and Password (Windows): Requires a user name and password to access a monitored resource. The domain name is optional.

    When specifying a domain name in this credential type, a fully qualified domain name is required. Failing to use a fully qualified domain name may prevent the Agent Manager from establishing a connection to a remote monitored resource. For example, if the full domain name is prod.example.com, use prod.example.com as the domain name instead of just prod, when configuring the credential.

  • DSA Key: Uses the Digital Signature Algorithm (DSA) Key for authentication.
  • RSA Key: Uses the RSA (Rivest, Shamir, and Adleman) Key for authentication.
  • Use Client’s Login At Connection Time: Uses the currently logged in user’s account to access secured resources. This is not the user currently logged into the Management Server, but the user under which the credential client is running. For example, a credential provided to an Agent Manager instance launched by a user on a remote machine causes the connection to the secured resource to be made using this user’s identity.
  • User Name: Requires a user name to access a monitored resource.
  • User Name and Password: Requires a user name and password to access a monitored resource.

Each credential can have one or more authentication policies, based on the desired usage count, failure rate, the time range during which the credential can be used, and the amount of time during which the credential information is cached locally. Credentials can apply to specific parts of the monitored environment, such as hosts and ports. Resource mappings identify secured resources. The mappings typically contain a combination of literal expressions, regular expressions, or an IP address range.

Managing lockboxes

A lockbox can be password-protected, and contains a collection of credential keys used for encryption and decryption. A lockbox can encrypt one or more credentials. All lockboxes, except the System lockbox, are password-protected. You can create, edit, and manage lockboxes, change their passwords, and release them to credential clients (such as the Agent Manager) using the Manage Lockboxes dashboard in the Management Server browser interface.

Releasing lockboxes to the Agent Manager

Each lockbox in the Management Server contains a set of credentials and keys for their encryption and decryption. Credentials are released to the Agent Manager unencrypted. When a lockbox is released to the Agent Manager, the Agent Manager passes the credential information to its agents. The agents use this information to establish connections with target resources.

When you start the Agent Manager without having first released a lockbox to it from the Management Server, the following message appears in the startup log:

INFO The Credential Manager has not been assigned any lockboxes. Lockboxes are used to decrypt credentials received as a result of an Agent Credential Query. Without any lockbox assignments, credentials received within a credential query result-set will be discarded. You can grant lockboxes to this Agent Manager through the Credential Administrator on the Server.

The lockbox you release to the Agent Manager must contain the credentials necessary for the agents to access the monitored resources.

Any agents that have access to an Agent Manager with a released lockbox can potentially query and obtain credential information stored within that lockbox.

To release a lockbox to the Agent Manager:

  1. Log in to the Foglight browser interface.
  2. On the navigation panel, click Dashboards > Administration > Credentials > Manage Lockboxes.
  3. On the Manage Lockboxes dashboard, in the row containing the lockbox that you want to release, click the Release to Credential Clients icon.
  4. In the Release Lockbox to Credential Clients dialog box, type the lockbox password (if one exists) and select one or more credential clients (that is, Agent Managers) for lockbox release.

    The System lockbox that is included by default with the Management Server is not password-protected. Its contents are accessible to all clients in your system.

  5. Click Release. The Release Lockbox to Credential Clients dialog box closes, indicating success.
  6. Optional: Ensure the Credential Clients column is populated.
    a. Using the breadcrumb trail, return to the main Credentials dashboard, and navigate to the View Clients dashboard.
    b. On the View Clients dashboard, ensure that the Show lockboxes currently assigned to each client check box is selected. The view refreshes, with the Assigned Lockboxes column populated.

    This functionality consumes server resources. The cost can be significant, depending on the size of your client list.

    c. Return to the main Credentials dashboard.
    d. Navigate to the Manage Lockboxes dashboard.
    e. On the Manage Lockboxes dashboard, observe the Credential Clients column of the newly released lockbox entry. The column lists the credential clients to which the lockbox is assigned.
    When the lockbox is released to the Agent Manager, any credentials that are later added to the same lockbox are also accessible to the Agent Manager and its monitored agents.

Configuring anti-virus exclusion settings

Anti-virus software may negatively impact the CPU and system performance of machines running Foglight. To reduce resource consumption, it is highly recommended to exclude the relevant directory, processes, and executables from being scanned by the anti-virus software.

  • The common installation directory is as follows: %fglam_home%
  • FglAM related processes and executables are as follows:
    • For Windows:
      • <FglAM Base Folder>\bin\fglam.exe
      • <FglAM Base Folder>\client<version>\bin\bindDA.exe
      • <FglAM Base Folder>\client<version>\bin\dcmlist.exe
      • <FglAM Base Folder>\client<version>\bin\fog4_launcher.exe
      • <FglAM Base Folder>\client<version>\bin\installer.exe
      • <FglAM Base Folder>\client<version>\bin\qcn_relauncher.exe
      • <FglAM Base Folder>\client<version>\bin\qcn_runner.exe
      • <FglAM Base Folder>\client<version>\bin\qcn_watchdog.exe
      • <FglAM Base Folder>\client<version>\bin\setDA.exe
      • <FglAM Base Folder>\client<version>\bin\udp2icmp.exe
      • Non-embedded FglAM: \jre<jre_version>\bin\java.exe
    • For other operating systems:
      • <FglAM Base Folder>/bin/fglam
      • <FglAM Base Folder>/bin/setuid_launcher
      • <FglAM Base Folder>/client//bin/bindDA
      • <FglAM Base Folder>/client//bin/dcmlist
      • <FglAM Base Folder>/client//bin/fog4_launcher
      • <FglAM Base Folder>/client//bin/installer
      • <FglAM Base Folder>/client//bin/qcn_relauncher
      • <FglAM Base Folder>/client//bin/qcn_runner
      • <FglAM Base Folder>/client//bin/qcn_watchdog
      • <FglAM Base Folder>/client//bin/setDA
      • <FglAM Base Folder>/client//bin/udp2icmp
      • Non-embedded FglAM: /jre/<jre_version>/bin/java
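Files under an excluded path are no longer inspected by the scanner, so the excluded executables and the directories above them should be writable only by the account that owns the installation. The check below is an added example, not part of the product or its documentation; it covers the non-Windows list only, and the base folder argument and the client/<version>/bin layout are assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path

# Non-Windows executables from the exclusion list above.
TOP_LEVEL = ["bin/fglam", "bin/setuid_launcher"]
CLIENT_BINS = ["bindDA", "dcmlist", "fog4_launcher", "installer", "qcn_relauncher",
               "qcn_runner", "qcn_watchdog", "setDA", "udp2icmp"]


def loose_mode(path):
    """Return why path is too permissive for a scan exclusion, or None."""
    mode = path.stat().st_mode
    if mode & stat.S_IWOTH:
        return "world-writable"
    return "group-writable" if mode & stat.S_IWGRP else None


def audit_exclusions(base):
    """Check each excluded executable and every directory from it up to base."""
    base = Path(base)
    targets = [base / rel for rel in TOP_LEVEL]
    for name in CLIENT_BINS:  # assumption: <base>/client/<version>/bin/<name>
        targets += sorted(base.glob(f"client/*/bin/{name}"))
    findings = {}
    for target in targets:
        if not target.exists():
            findings[str(target.relative_to(base))] = "missing"
            continue
        for p in (target, *target.parents):  # a writable parent allows replacement
            if p == base or base in p.parents:
                reason = loose_mode(p)
                if reason:
                    findings[str(p.relative_to(base))] = reason
    return findings


def build_demo_tree():
    """Constructed sample: group-writable client bin directory, world-writable qcn_runner."""
    base = Path(tempfile.mkdtemp())
    modes = {"bin/": 0o755, "client/": 0o755, "client/1.0/": 0o755, "client/1.0/bin/": 0o775,
             "bin/fglam": 0o755, "client/1.0/bin/qcn_runner": 0o757}
    for rel, mode in modes.items():
        make = Path.mkdir if rel.endswith("/") else Path.touch
        make(base / rel)
        os.chmod(base / rel, mode)
    return base
```

Calling `audit_exclusions(build_demo_tree())` returns a mapping from relative path to finding; an empty mapping means every checked path is present and writable by its owner only.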

Configuring the Agent Manager memory usage limits

The amount of memory an Agent Manager needs to operate properly is determined by the number and type of the agents it will be used to monitor. For more information about hardware requirements, refer to Typical Resource Requirements.

To set the Agent Manager memory usage limits:

  1. Locate the Agent Manager configuration file:
    For Linux:
    /state/default/config/baseline.jvmargs.config
    For Windows:
    \state\default\config\baseline.jvmargs.config

  2. Edit the file to configure sizing parameters by uncommenting the lines vmparameter.0 and vmparameter.1, and entering the desired memory requirements as shown in the example below:
    vmparameter.0 = "-Xms128m";
    vmparameter.1 = "-Xmx128m";

  3. Restart the Agent Manager to apply the new settings.
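
A check to run on the file from step 2 before restarting, given here as an added example that is not part of the product. It assumes one vmparameter.N = "..."; entry per line and # as the comment marker, and it flags typographic quotes, a repeated or missing heap option, and an initial heap larger than the maximum.

```python
import re

# Assumptions: one entry per line in the form  vmparameter.N = "-Xflag";
# and '#' starts a comment (the page only says the lines are commented out).
ENTRY = re.compile(r'^\s*vmparameter\.(\d+)\s*=\s*(\S)(.*?)(\S)\s*;\s*$')
HEAP = re.compile(r'^-Xm([sx])(\d+)([kKmMgG]?)$')
UNITS = {"": 1, "k": 1024, "m": 1024**2, "g": 1024**3}

# Constructed samples, not taken from a real installation.
GOOD = 'vmparameter.0 = "-Xms256m";\nvmparameter.1 = "-Xmx1g";\n'
BAD = '# sizing\nvmparameter.0 = “-Xms512m”;\nvmparameter.1 = "-Xms128m";\n'


def check_jvmargs(text):
    """Return (heap, problems): heap maps 's'/'x' to a size in bytes."""
    heap, problems, indexes = {}, [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        entry = ENTRY.match(raw)
        if not entry:
            problems.append(f'line {lineno}: expected vmparameter.N = "...";')
            continue
        index, open_q, value, close_q = entry.groups()
        if (open_q, close_q) != ('"', '"'):
            problems.append(f"line {lineno}: value must use straight double quotes")
        if index in indexes:
            problems.append(f"line {lineno}: vmparameter.{index} is defined twice")
        indexes.add(index)
        size = HEAP.match(value)
        if not size:
            continue  # other JVM options are outside this check
        kind, number, unit = size.groups()
        if kind in heap:
            problems.append(f"line {lineno}: -Xm{kind} set more than once")
        heap[kind] = int(number) * UNITS[unit.lower()]
    if "x" not in heap:
        problems.append("no -Xmx entry: no maximum heap size is set by this file")
    if heap.get("s", 0) > heap.get("x", float("inf")):
        problems.append("-Xms is larger than -Xmx: the JVM will refuse to start")
    return heap, problems


if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_jvmargs(sample)[1])
```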