If you are using a Kemp 360 Central instance with version 1.6 or higher, and you add a LoadMaster with version 7.1.35 or higher, certificate-based authentication is used to authenticate the communications between Kemp 360 Central and the LoadMaster. To enable certificate-based authentication, Kemp 360 Central automatically configures some settings when a LoadMaster is added to it:

  • The Application Program Interface (API) is enabled on the LoadMaster. This is to ensure that Kemp 360 Central can communicate with the LoadMaster.
  • Session Management is enabled on the LoadMaster.
  • A local user is created on the LoadMaster which is used by Kemp 360 Central to authenticate to the LoadMaster. This user is provided with All Permissions on the LoadMaster.
  • A local certificate is generated for the local user created in the previous step. This certificate is then stored in Kemp 360 Central to authenticate to the LoadMaster.
  • The Admin Login Method on the LoadMaster is changed to Password or Client certificate. This is to enable certificate-based authentication on the LoadMaster.
Note: When a LoadMaster is removed from Kemp 360 Central, none of the above settings change. For example, when you remove a LoadMaster from Kemp 360 Central, certificate-based authentication is not removed from the LoadMaster. It remains in effect and must be removed manually using the LoadMaster UI, if that is required.
Note: If either the LoadMaster user account or certificate used by Kemp 360 Central is removed from the LoadMaster, or if any of the LoadMaster settings required for certificate authentication listed above are modified, then certificate authentication breaks. This means that Kemp 360 Central will not be able to gather statistics and configuration data from the LoadMaster. To fix this issue, edit the device definition on Kemp 360 Central, change from Certificate Authentication to Basic Authentication, and re-enter the LoadMaster credentials. This re-establishes contact with the device. After contact is re-established, you can switch back to Certificate Authentication if you want.

For more information on user and session management on the LoadMaster, refer to the User Management, Feature Description in the LoadMaster documentation.

The workflow is as follows:

  1. Add a LoadMaster to Kemp 360 Central using an administrative LoadMaster username and password.
  2. Kemp 360 Central attempts to contact the LoadMaster using the credentials supplied. If it is successful, Kemp 360 Central then attempts to set up certificate authentication with the LoadMaster. If certificate authentication fails, you get an error message and see the icon on the device either remain as the 'never contacted' icon (for unmanaged devices) or change to the 'unauthorized' icon. If SMTP is set up correctly, you also receive an email message that certificate authentication has failed.
  3. Kemp 360 Central continues to try and contact the device. If negotiating certificate authentication fails and/or contact is never established, you can edit the LoadMaster configuration on Kemp 360 Central so that Kemp 360 Central and LoadMaster will use only basic authentication (username and password) and will not attempt to negotiate certificate authentication. To do this:
    1. Click the device in the network tree.
    2. Click the Edit icon at the bottom left of the UI.
    3. Under Authentication, click Basic.
    4. Click Apply.

Since version 1.16 of Kemp 360 Central you can now choose to opt out of certificate authentication by editing the Authentication setting so that the unit uses basic authentication and does not attempt to establish certificate authentication. To change from Certificate to Basic authentication, re-enter your username and password for the device, select Basic and click Apply.