Foglight 5.7.5.7 Security and Auth Token

In Foglight 5.7.5.7 release, we introduced two new authentication features: support for multiple LDAP/AD domains, and Auth-Token support.

Support for multiple LDAP/AD domains

In addition to single domain LDAP/AD authentication, we have added support for multiple-domain authentication. Though one domain covers most use cases, it sometimes becomes necessary for large enterprises to use multiple domains in their production environments. For example, merger and acquisition activity often introduces multiple domains that need to be incorporated within one organization. With this in mind, we have added support for multiple-domains authentication in Foglight 5.7.5.7.

Configuring multiple LDAP domains

• Navigate to the Configuration Directory Services dashboard (Administration > Users & Security Management > Configure Directory Services). From there, you can:
  • create or delete the LDAP/AD domain configuration. 
  • activate or deactivate the LDAP/AD domain configuration.

The domains authentication will be done sequentially. User login will be success when any of domains' authentication passed. On the contrary, the user login will be failed if all login attempts fail.

Authentication through digital token (Auth Token)

Token-based authentication, aka Auth Token, is another feature added in this release. An Auth Token could be used in several cases, such as:

• filing a Foglight REST API call
• sending a Foglight Command Line 
• sending a HTTP request to Foglight for a dashboard view. 

One digital token can only be associated with one Foglight user, and vice versa. There is role-level access control for the Auth Token generation and removal. The Foglight Administrator role can generate and remove the Auth Token for Foglight users. Non-administrative users can only manage their own user accounts through Foglight Command Line.

The Foglight administrators and the token-associated user account can reset or delete the Auth Token.

In the Details of <user> dashboard (Administration > Users & Security Management > User Management), the Foglight administrators can generate new digital tokens, update or delete existing tokens.

Alternatively, the Auth Token can also be managed through Foglight Command Line.

The Auth Token can be used for below integrations. Please refer to the Foglight help document and REST API document for more details.

• Foglight Command Line authentication.

./fglcmd.sh -srv <FMS IP> -port <FMS port> -authtoken < authToken > -cmd command

• No login view authentication.

https://<server>:<port>/console/foglight_ext?authToken=<authToken>&viewId=system:core_alarms.231&mode=portlet

• Foglight REST API authentication which uses the Auth Token in http header for authentication.

It is important to secure the Auth Token usage. Foglight administrators can take advantage of the relevant user roles to better manage the user access. The following two user roles are newly introduced in the Foglight 5.7.5.7 release for better security management:

• "API Access" role: restricts the access to the REST API
• "Command Line Access" role: restricts the access to Foglight Command Line.

Meanwhile, to protect the Auth Token, SSL connection for Foglight REST API and URL dashboard view is recommended.