
Enable TLS in the LEM reports application

Updated: October 5, 2018

The Transport Layer Security (TLS) option introduces an extra level of security for data transfers between the LEM reports application and the LEM database.

  • By default, TLS is disabled on versions of LEM that have been upgraded from LEM version 6.0.1 or earlier.

  • The procedure to enable TLS differs depending on your LEM configuration (standalone or with a dedicated database appliance).

  • When enabling TLS, the LEM certificate for accessing the web or AIR console needs to be rebuilt. Machines used to access LEM web or AIR console must re-import their certificates.

Enable TLS on a standalone LEM VM or appliance

Use these steps if the LEM database is located on the same VM or appliance as the LEM Manager. This is the most common arrangement.

  1. Open the CMC command line. See Log in to the LEM CMC command line interface for steps.

    Steps 2 – 6 below are required to upgrade older versions of LEM. If you have LEM version 6.0.1 or later, go to step 7. The default hostname is swi-lem.

  2. At the cmc> prompt, type appliance.

  3. At the cmc::appliance> prompt, type hostname.

  4. Enter the name of the LEM Manager at the Please enter the new hostname prompt.

    Enter the currently-used hostname if you do not want the LEM Manager name to change.

  5. At the cmc::appliance> prompt, type exit.

  6. At the cmc> prompt, type manager.

  7. At the cmc::manager> prompt, type exportcert.

  8. Follow the prompts to export the LEM Manager CA certificate.

    An accessible network share is required. Once the export is successful, you will see the following message: Exporting CA Cert to \\server\share\SWICAer -hostname.crt ... Success.

  9. At the cmc::manager> prompt, enter enabletls.

  10. At the cmc::manager> prompt, enter restart.

Set up a dedicated LEM user for accessing reports

Starting with LEM 6.0.1, a user account with the Reports role is required to access LEM from the LEM reports application.

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  2. On the LEM toolbar, navigate to Build > Users.

  3. To create a new LEM user, click the plus (+) button.

  4. Complete the fields as required.

  5. From the LEM Role drop-down list, select Reports.

    The Administrator and Auditor roles can also query LEM using the LEM reports application.

  6. Save the new user.

Configure the Reports application to use TLS

  1. Start the LEM reports application. See Open the LEM reports application for steps.

  2. Click the Configure drop-down menu and select Managers > Credentials and Certificates.

  3. Click the green button.

  4. Enter the Manager IP or hostname.

  5. Fill in the credentials of the user created previously in the LEM web console.

  6. Select the Use TLS connection option.

    You can also ping the address you specified by clicking Test Connection. This option does not validate credentials or check TLS availability.

  7. To add a new Manager, click the green button again.

  8. Click the Certificates tab.

  9. Click Import Certificate.

  10. Browse to the LEM certificate (in the network share folder specified during the certificate export) and open it.

  11. If LEM is configured with a dedicated database, use the certificate from the database appliance.

  12. Close the Manager Configuration window.

    If LEM changed its host name, importing the LEM CA certificate again is not required.
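
Because Test Connection only pings the address, the sketch below separates "host reachable" from "TLS served" and "certificate trusted under the exported CA and matching the hostname". It is an added example, not SolarWinds code; the host, port and CA file path are operator-supplied (the page does not state the port), and it assumes the service speaks TLS from the first byte and that the exported .crt is PEM-encoded.

```python
import socket
import ssl
import sys


def make_context(ca_file=None):
    """Client context that trusts only the exported LEM CA certificate."""
    # PROTOCOL_TLS_CLIENT turns on CERT_REQUIRED and hostname checking.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if ca_file:
        # Assumption: the exported .crt is PEM-encoded.
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def check_tls(host, port, ca_file=None, timeout=5.0):
    """Return (status, detail) with status one of:
    'unreachable', 'no_tls', 'untrusted', 'ok'."""
    ctx = make_context(ca_file)
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # Nothing is listening or the host cannot be reached at all.
        return ("unreachable", str(exc))
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ("ok", tls.version())
    except ssl.SSLCertVerificationError as exc:
        # Chain does not lead to the imported CA, or the hostname differs.
        return ("untrusted", exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        # The port answers, but not with a TLS handshake.
        return ("no_tls", str(exc))
    finally:
        sock.close()


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: check_lem_tls.py HOST PORT EXPORTED_CA.crt")
    status, detail = check_tls(sys.argv[1], int(sys.argv[2]), sys.argv[3])
    print(f"{status}: {detail}")
    sys.exit(0 if status == "ok" else 1)
```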

Enable TLS on a LEM Manager with a separate database appliance

Typically the LEM database is located on the same VM or appliance as the LEM Manager. If your LEM deployment has a separate LEM database, follow these steps.

To use the custom CA to sign a database or LEM Manager certificate, generate and sign the certificate after you change the hostname.

  1. Open the CMC command line. See Log in to the LEM CMC command line interface for steps.

  2. At the cmc> prompt, type appliance.

  3. At the cmc::appliance> prompt, type hostname.

  4. At the Please enter the new hostname prompt, enter a name for the LEM Manager.

    If you do not want your LEM Manager name to change, enter the currently-used hostname.

  5. At the cmc::appliance> prompt, type exit.

  6. At the cmc> prompt, type manager.

  7. At the cmc::manager> prompt, type exportcert.

  8. Follow the prompts to export the LEM CA certificate.

    An accessible network share is required. Once the export is successful, the following message displays:

    Exporting CA Cert to \\server\share\SWICAert-hostname.crt ... Success.

  9. At the cmc::manager> prompt, type enabletls.

Import certificates into the LEM Manager and database

LEM Manager and database nodes need to trust each other’s certificates. This can be done by importing certificates from both sides.

This procedure is not required if you upgraded from LEM 6.0.0 or earlier, or if version 6.0.1 or later was deployed and the CA was used to sign both LEM certificates.

  1. Open the CMC command line. See Log in to the LEM CMC command line interface for steps.

  2. At the cmc> prompt, type manager.

  3. At the cmc::manager> prompt, type importl4ca.

  4. Choose the network share location specified during the database certificate export.

  5. When prompted for a file name, specify the name of the database certificate.

    Enter the full file name, including the file extension.

  6. Open the cmc prompt on the LEM database machine.

  7. At the cmc> prompt, type manager.

  8. At the cmc::manager> prompt, enter importl4ca.

  9. Choose the network share location specified during the LEM Manager certificate export.

  10. When prompted for a file name, specify the name of the LEM Manager certificate.

Next steps:

Import a self-signed certificate into the LEM Manager

Use the importcert command in the CMC to import a certificate signed by any CA into the LEM Manager.

  1. Open the CMC command line. See Log in to the LEM CMC command line interface for steps.

  2. At the prompt, enter manager.

  3. At the cmc::manager> prompt, type importcert.

  4. Choose the network share path.

  5. When prompted, confirm the share name.

  6. When prompted for a file name, enter the full name of the certificate, including the CER extension.

  7. When completed, the following message appears:

    Certificate successfully imported.
