
Enable TLS in the LEM reports application

Updated: September 15, 2017

The Transport Layer Security (TLS) option introduces an extra level of security for data transfers between the LEM reports application and the LEM database.

  • By default, TLS is disabled on versions of LEM that have been upgraded from LEM version 6.0.1 or earlier.

  • The procedure to enable TLS differs depending on your LEM configuration (standalone or with a dedicated database appliance).

  • When you enable TLS, the LEM certificate for accessing the web or AIR console needs to be rebuilt. Machines used to access the LEM web or AIR console must re-import their certificates.

Enable TLS on a standalone LEM VM or appliance

Use these steps if the LEM database is located on the same VM or appliance as the LEM Manager. This is the most common arrangement.

  1. Open the CMC command line. See Log in to the LEM CMC command line interface for steps.

    Steps 2 – 6 below are required to upgrade older versions of LEM. If you have LEM version 6.0.1 or later, go to step 7. The default hostname is swi-lem.

  2. At the cmc> prompt, type appliance.

  3. At the cmc::appliance> prompt, type hostname.

  4. Enter the name of the LEM Manager at the prompt “Please enter the new hostname…”

    Enter the currently-used hostname if you do not want the LEM Manager name to change.

  5. At the cmc::appliance> prompt, type exit.

  6. At the cmc> prompt, type manager.

  7. At the cmc::manager> prompt, type exportcert.

  8. Follow the prompts to export the LEM Manager CA certificate.

    An accessible network share is required. Once the export is successful, you will see the following message: Exporting CA Cert to \\server\share\SWICAer -hostname.crt ... Success.

  9. At the cmc::manager> prompt, enter enabletls.
  10. At the cmc::manager> prompt, enter restart.

Set up a dedicated LEM user for accessing reports

Starting with LEM 6.0.1, a user account with the Reports role is required to access LEM from the LEM reports application.

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  2. Click Build > Users.

  3. Click + to create a new LEM user.

  4. Complete the fields as required.

  5. Select the Reports option from the LEM Role drop-down menu.

    The Administrator and Auditor roles can also query LEM using the LEM reports application.

  6. Save the new user.

Configure the Reports application to use TLS

  1. Start the LEM reports application. See Open the LEM reports application for steps.

  2. Click the Configure drop-down menu and select Managers > Credentials and Certificates.

  3. Click the green button.

  4. Enter the Manager IP or hostname.

  5. Fill in the credentials of the user created previously in the LEM web console.

  6. Select the Use TLS connection option.

    You can also ping the address you specified by clicking Test Connection. This option does not validate credentials or check whether TLS is available.

  7. Click the green button again to add a new Manager.

  8. Click the Certificates tab.

  9. Click Import Certificate.

  10. Browse to and open the LEM certificate (in the network share folder specified during the certificate export).

  11. If you have LEM configured with a dedicated database, use the certificate from the Database Appliance.

  12. Close the Manager Configuration window.

    If LEM changed its host name, importing the LEM CA certificate again is not required.

Enable TLS on a LEM Manager with a separate database appliance

Typically the LEM database is located on the same VM or appliance as the LEM Manager. If your LEM deployment has a separate LEM database, follow these steps.

To use the custom CA to sign a database or LEM Manager certificate, generate and sign the certificate after you change the hostname.

  1. Open the CMC command line. See Log in to the LEM CMC command line interface for steps.

  2. At the cmc> prompt, type appliance.

  3. At the cmc::appliance> prompt, type hostname.

  4. At the prompt Please enter the new hostname, enter a name for the LEM Manager.

    If you do not want your LEM Manager name to change, enter the currently-used hostname.

  5. At the cmc::appliance> prompt, type exit.

  6. At the cmc> prompt, type manager.

  7. At the cmc::manager> prompt, type exportcert.

  8. Follow the prompts to export the LEM CA certificate.

    An accessible network share is required. Once the export is successful, the following message displays:

    Exporting CA Cert to \\server\share\SWICAert-hostname.crt ... Success.

  9. At the cmc::manager> prompt, type enabletls.

Import certificates into the LEM Manager and database

LEM Manager and database nodes need to trust each other’s certificates. This can be done by importing certificates from both sides.

This procedure is not required if you upgraded from LEM 6.0.0 or earlier, or if version 6.0.1 or later was deployed and the CA was used to sign both LEM certificates.

  1. Open the CMC command line. See Log in to the LEM CMC command line interface for steps.

  2. At the cmc> prompt, type manager.

  3. At the cmc::manager> prompt, type importl4ca.

  4. Choose the network share location specified during the database certificate export.

  5. When prompted for a file name, specify the name of the database certificate.

    Enter the full file name, including the file extension.

  6. Open the cmc prompt on the LEM database machine.

  7. At the cmc> prompt, type manager.

  8. At the cmc::manager> prompt, enter importl4ca.

  9. Choose the network share location specified during the LEM Manager certificate export.

  10. When prompted for a file name, specify the name of the LEM Manager certificate.
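
The two requirements above (sign the certificate only after the hostname change, and import the CA that actually signed the peer's certificate) can be checked offline with the openssl CLI. This is an added example, not SolarWinds code or a CMC feature, and it does not describe how LEM itself validates certificates. The CA names lem-ca and other-ca, the hostname lem-prod, and every generated file are constructed for the demonstration; swi-lem is the default hostname mentioned earlier on this page.

```shell
#!/bin/sh
# Added example (not SolarWinds code): offline X.509 checks with the openssl CLI.
# All certificates, names and paths below are constructed in a temp directory.

# check_ca FILE: succeeds if FILE is an unexpired certificate marked CA:TRUE.
check_ca() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || return 1
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# check_node CA CERT HOST: succeeds if CERT chains to CA and names HOST.
check_node() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# make_ca DIR NAME: create a constructed self-signed CA (NAME.crt / NAME.key).
make_ca() {
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3' \
        'prompt=no' '[dn]' "CN=$2" '[v3]' \
        'basicConstraints=critical,CA:TRUE' > "$1/$2.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/$2.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# make_node DIR CA HOST: issue a certificate for HOST signed by CA.
make_node() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/$2.cnf" \
        -subj "/CN=$3" -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 2 -out "$1/$3.crt" 2>/dev/null
}

demo=$(mktemp -d)
make_ca "$demo" lem-ca            # stands in for the exported LEM CA
make_ca "$demo" other-ca          # an unrelated CA that was never imported
make_node "$demo" lem-ca swi-lem  # signed while the hostname was swi-lem

check_ca "$demo/lem-ca.crt" && echo "exported file is a valid CA certificate"
check_node "$demo/lem-ca.crt" "$demo/swi-lem.crt" swi-lem && echo "trusted, name matches"
check_node "$demo/lem-ca.crt" "$demo/swi-lem.crt" lem-prod || echo "renamed host: re-sign needed"
check_node "$demo/other-ca.crt" "$demo/swi-lem.crt" swi-lem || echo "CA not imported: untrusted"
```
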

Next steps:

Import a self-signed certificate into the LEM Manager

Use the importcert command in the CMC to import a certificate signed by any CA into the Manager.

  1. Open the CMC command line. See Log in to the LEM CMC command line interface for steps.

  2. At the cmc> prompt, enter manager.

  3. At the cmc::manager> prompt, type importcert.

  4. Choose the network share path.

  5. When prompted, confirm the share name.

  6. When prompted for a file name, enter the full name of the certificate, including the CER extension.

  7. When completed, the following message appears:

    Certificate successfully imported.
