Transport Layer Security

Created by Caroline Juszczak, last modified by Steve.Hawkins on Sep 14, 2016

The Transport Layer Security (TLS) option introduces an extra level of security for data transfers between a LEM database and the Reports application. By default, TLS is disabled on LEM 6.0.1 and later LEM appliances updated from previous versions. The enabling procedure differs depending on your LEM configuration (standalone or with a dedicated database appliance).

During the process, the LEM certificate for accessing the Web or AIR console needs to be rebuilt. Machines used to access the LEM Web or AIR console must re-import their certificates.

Enable TLS on a standalone LEM appliance

  1. Access the cmc prompt, either from the vSphere/Hyper-V Client console or via an SSH client.

    The following steps are required for upgrading LEM appliances. If you have a version 6.0.1 or later appliance, go to step 7. The default hostname is swi-lem.

  1. At the cmc> prompt, enter appliance.
  2. At the cmc::acm# prompt, enter hostname.
  3. Enter the name of your manager at the prompt "Please enter the new hostname..."

    Enter the currently used hostname if you do not want the LEM manager name to change.

  4. At the cmc::acm# prompt, enter exit.
  5. At the cmc> prompt, enter manager.
  6. At the cmc::cmm# prompt, enter exportcert.
  7. Follow the prompts to export the LEM manager CA certificate.

    An accessible network share is required. Once the export is successful, you will see the following message: Exporting CA Cert to \\server\share\SWICAert-hostname.crt ... Success.

  8. At the cmc::cmm# prompt, enter enabletls.

  11. At the cmc::cmm# prompt, enter restart.

Next, see "Set up a dedicated LEM user for accessing reports" to set up a user for accessing Reports, and "Configure the Reports application" to configure the Reports application itself.

Set up a dedicated LEM user for accessing reports

LEM 6.0.1 requires authorization to access LEM from the Reports application. This means that a user with the Reports role has to be created in the LEM Console. If you already have a suitable user, proceed to "Configure the Reports application".

  1. Log in to the LEM Web or AIR Console as a user with administrator rights.
  2. Click Build > Users.
  3. Click + to create a new LEM user.
  4. Complete the fields as required.
  5. Select the Reports option from the LEM Role drop-down menu.

    Other roles that may query LEM via Reports are Administrator and Auditor.

  6. Save the new user.

    If you have an Active Directory Connector configured, you can use a directory service user as a Reports user instead of a built-in LEM user.

Configure the Reports application

  1. Start LEM Reports.
  2. Click the Configure drop-down menu and select Managers > Credentials and Certificates.
  3. Click the green button.
  4. Enter the manager IP or hostname.
  5. Fill in the credentials of the user created previously in the Web Console.
  6. Select the Use TLS connection box.

    You can also ping the address you specified by clicking Test Connection. Test Connection only pings the address: it does not validate the credentials or check whether TLS is available.

  7. Click the green button again to add a new Manager.
  8. Click the Certificates tab.
  9. Click Import Certificate.
  10. Browse to and open the LEM certificate (for example, in the network share folder specified during certificate export).
  11. If LEM is configured with a dedicated database appliance, use the certificate from the database appliance.
  12. Close the Manager Configuration window.

    If the LEM changed its hostname, there is no need to import the LEM CA certificate again.
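
Because Test Connection only pings the address, the TLS setup can be checked separately from the Reports workstation. The script below is an added example, not SolarWinds code: it prints the SHA-256 fingerprint of the exported CA file (so copies of the file can be compared) and attempts a TLS handshake that trusts only that CA and requires the certificate to match the hostname entered. The port and the CA file path are arguments you supply; this page does not state the port.

```python
import hashlib
import socket
import ssl
import sys

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def ca_fingerprint(path):
    """Return the SHA-256 hex digest of an exported certificate (PEM or DER)."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.lstrip().startswith(PEM_HEADER):
        # Hash the DER bytes so PEM and DER copies give the same fingerprint.
        data = ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
    return hashlib.sha256(data).hexdigest()


def check_tls(host, port, ca_file, timeout=5.0):
    """Handshake with host:port trusting only ca_file; return (status, detail)."""
    try:
        # With cafile given, the system trust store is not loaded.
        ctx = ssl.create_default_context(cafile=ca_file)
    except OSError as exc:  # missing file, or not a usable certificate
        return "ca-unreadable", str(exc)
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "unreachable", str(exc)
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return "ok", f"{tls.version()} notAfter={cert.get('notAfter')}"
        except ssl.SSLCertVerificationError as exc:
            # Wrong CA imported, or the certificate predates a hostname change.
            return "cert-rejected", exc.verify_message
        except OSError as exc:  # covers ssl.SSLError, resets and timeouts
            return "no-tls", str(exc)


if __name__ == "__main__":
    # Usage (all three values are yours): check.py <host> <port> <exported-ca.crt>
    host, port, ca = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    print("CA SHA-256:", ca_fingerprint(ca))
    print(*check_tls(host, port, ca))
```

A result of cert-rejected after a hostname change usually means the workstation still holds the certificate exported before the rebuild, or that the name entered does not match the name in the certificate.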

Enable TLS on a LEM manager with a dedicated database appliance

  1. Access the cmc> prompt (either from the vSphere/Hyper-V Client console or via an SSH client).
  2. At the cmc> prompt, enter appliance.
  3. At the cmc::acm# prompt, enter hostname.
  4. At the prompt "Please enter the new hostname..." specify the desired name of your manager.

    To prevent your LEM manager name from changing, enter the current hostname.

  5. At the cmc::acm# prompt, enter exit.
  6. At the cmc> prompt, enter manager.
  7. At the cmc::cmm# prompt, enter exportcert.
  8. Follow the prompts to export the LEM CA certificate.

    An accessible network share is required. Once the export is successful, you will see the following message: Exporting CA Cert to \\server\share\SWICAert-hostname.crt ... Success.

  9. At the cmc::cmm# prompt, enter enabletls.

Enabling TLS on LEM Database

An accessible network share is required. Once the export is successful, you will see the following message:

Exporting CA Cert to \\server\share\SWICAert-hostname.crt ... Success.

To use a custom CA to sign the Database or Manager certificate, generate and sign the certificate after changing the hostname.

  1. Access the cmc prompt (either from the vSphere/Hyper-V Client console or via an SSH client).
  2. At the cmc> prompt, enter appliance.
  3. At the cmc::acm# prompt, enter hostname.
  4. At the prompt "Please enter the new hostname..." specify the desired name of your manager.

    If you do not want your LEM manager name to change, enter the currently used hostname.

  5. At the cmc::acm# prompt, enter exit.
  6. At the cmc> prompt, enter manager.
  7. At the cmc::cmm# prompt, enter exportcert.
  8. Follow the prompts to export the LEM CA certificate.
  9. At the cmc::cmm# prompt, enter enabletls.

Import certificates into the manager and database

Manager and Database nodes need to trust each other's certificates. This can be done by importing certificates from both sides.

The following procedure is not required if you upgraded from LEM 6.0.0 and earlier or version 6.0.1 was deployed and a CA was used to sign both LEM certificates.

  1. Access the cmc> prompt of LEM Manager.
  2. At the cmc> prompt, enter manager.
  3. At the cmc::cmm# prompt, enter importl4ca.
  4. Choose the network share location specified during the certificate export of the Database.
  5. When prompted for a file name, specify the name of the Database certificate.

    Enter the full filename including the file extension.

  6. Access the cmc> prompt of LEM Database.
  7. At the cmc> prompt, enter manager.
  8. At the cmc::cmm# prompt, enter importl4ca.
  9. Choose the network share location specified during the certificate export of the Manager.
  10. When prompted for a file name, specify the name of the Manager certificate.

Follow the instructions in "Set up a dedicated LEM user for accessing reports" to set up a user for accessing reports, and in "Configure the Reports application" to configure the Reports application.

Import a self-signed certificate into the manager

Use the importcert command in the CMC to import a certificate signed by any CA into the manager.

  1. Access a cmc> prompt in LEM Manager using vSphere or Hyper-V Client console or an SSH client (such as PuTTY) connected to port 32022.
  2. At the prompt, enter manager.
  3. At the cmc::cmm# prompt, type importcert.
  4. Choose the network share path.
  5. When prompted, confirm the share name.
  6. When prompted for a file name, enter the full name of the certificate, including the .cer extension.
  7. When completed, the following message appears:

    Certificate successfully imported.

Last modified
07:09, 14 Sep 2016
