TrueSight Server Automation (TSSA): Information about the TSSA Windows local user account - BladeLogicRSCD

Version 1

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    TrueSight Server Automation Suite


    COMPONENT:

    TrueSight Server Agent and NSH


    APPLIES TO:

    BMC BladeLogic Server Automation Suite



    PROBLEM:

     

    Questions:
    1. How is the 'BladeLogicRSCD' Windows user account password created?
    2. What encryption method/algorithm is used for BladeLogicRSCD account password?
    3. Where is the 'BladeLogicRSCD' or 'BladeLogicRSCDDC' account password stored?
    4. Will there be any process running on the target server with the BladeLogicRSCD/BladeLogicRSCDDC credentials?
    5. How often does the 'BladeLogicRSCD' or 'BladeLogicRSCDDC' account password get changed/updated?
    6. What is the minimum number of characters that the password supports?
    7. Can "AES encryption" (such as "AES 256") be enforced for the password?
    8. Does the BladeLogicRSCD user get installed on Linux systems as well?
    9. Does the BladeLogicRSCD user send any requests to the application server?
    10. What are the privileges granted to BladeLogicRSCD user in the local policy?
    11. Can the BladeLogicRSCD user password be reset?
    12. Is this a local user?

     


    SOLUTION:

     

    Answers:
    1. The "BladeLogicRSCD" user is created as part of the Windows RSCD Agent install. At install time a random password is generated for this user account.
    The default password of the BladeLogicRSCD user has been random since 8.1.00 (16 alphanumeric and special characters).

    For more details on the TSSA user accounts, refer to:
    User and accounts

    2. The BladeLogicRSCD account password is encrypted using the CryptProtectData function.

    3. The password is stored in the registry under "\HKEY_LOCAL_MACHINE\SAM\SAM\BladeLogic\Operations Manager\RSCD". The password is encrypted and stored in the S and E values.
    Refer to: BladeLogicRSCDDC Password update

    4. Yes. On a domain controller, the RSCD agent process runs as the 'BladeLogicRSCDDC' account.
    On a non-domain controller, the RSCD agent process uses the 'BladeLogicRSCD' account.

    5. The password is randomly generated when the RSCD agent is installed and remains unchanged unless it is updated manually.

    6. No minimum number of characters is required for the password, but it can be at most 60 characters long.
    By default the password contains 16 alphanumeric and special characters.

    7. No. The password is stored in the registry using the CryptProtectData function.

    8. No. The BladeLogicRSCD user is created on Windows servers only. It is created on Windows so that the agent can obtain local privileges on the target server. Whenever a connection is made to a target agent, the connection is first mapped to this user before reading exports, users, and users.local. The agent uses a technique called user privilege mapping, which allows the agent to temporarily grant the local user's group privileges to an unprivileged user account called BladeLogicRSCD. This privilege mapping mechanism allows the agent to acquire the mapped local user's group privileges without having to access that user's Windows credentials (user name and password).

    9. BladeLogic RSCD agents only perform actions when instructed to by an application server. There is no periodic polling, and agents do not initiate connections back to the application server.

    10. When the BladeLogicRSCD user is created, the following privileges are granted to it in the local policy:

    SeBatchLogonRight
    SeDenyInteractiveLogonRight

    When BSA tries to impersonate a user, the following privilege is also added to the policy:
    SeSecurityPrivilege

    11. The password of BladeLogicRSCD can be reset. Use the 'chapw -p' command to change the password.
    Type 'chapw' and press Enter for the complete usage.

    For a password change on a domain controller, refer to:
    BladeLogicRSCDDC Password update

    12. The RSCD agent runs under the "Local System" account. For the impersonation to occur, the RSCD agent will "logon" as the BladeLogicRSCD user. Windows API calls are then made which apply the appropriate permissions associated with the user it is mapped to. This allows commands to be executed in the context of the 'mapped to' user. However, the underlying running user is still the "Local System" account, which doesn't have access to network resources. That "Local System" user cannot connect to remote Windows shares.
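
An added example (not BMC's code) that checks a non-domain-controller agent host against answers 5 and 10: it reports which user rights the BladeLogicRSCD account actually holds and how old its password is. The `Get-RightsHeldBy` helper and the `$MaxAgeDays` threshold are assumptions of this example; `secedit` and `Get-LocalUser` are standard Windows tools.

```powershell
# Added example: audit BladeLogicRSCD against the defaults this article states.
# Run from an elevated Windows PowerShell 5.1+ session on a non-DC agent host.
$Account    = 'BladeLogicRSCD'
$Expected   = @('SeBatchLogonRight', 'SeDenyInteractiveLogonRight')  # granted at creation
$Optional   = @('SeSecurityPrivilege')                               # added on impersonation
$MaxAgeDays = 365  # assumption: site rotation policy, not a BMC value

function Get-RightsHeldBy {
    # Hypothetical helper: returns each right in a secedit export held by the principal.
    param([string[]]$Lines, [string]$Sid, [string]$Name)
    foreach ($line in $Lines) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $right   = $Matches[1]
            # Holders are comma-separated; SIDs carry a leading '*', names do not.
            $holders = $Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
            if ($holders -contains $Sid -or $holders -contains $Name) { $right }
        }
    }
}

# Resolve the local account to its SID, the form secedit normally writes.
$nt  = New-Object System.Security.Principal.NTAccount("${env:COMPUTERNAME}\$Account")
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the user rights assignment area of the local security policy.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$held = @(Get-RightsHeldBy -Lines (Get-Content $cfg) -Sid $sid -Name $Account)
Remove-Item $cfg

$missing    = @($Expected | Where-Object { $held -notcontains $_ })
$unexpected = @($held | Where-Object { ($Expected + $Optional) -notcontains $_ })

# The password never changes on its own, so its age shows whether it was ever rotated.
$ageDays = [int]((Get-Date) - (Get-LocalUser -Name $Account).PasswordLastSet).TotalDays

[pscustomobject]@{
    Account          = $Account
    RightsHeld       = $held -join ', '
    MissingRights    = $missing -join ', '
    UnexpectedRights = $unexpected -join ', '
    PasswordAgeDays  = $ageDays
    PasswordStale    = $ageDays -gt $MaxAgeDays
}
```

A non-empty `UnexpectedRights` value means the account holds rights beyond the three this article lists and is worth reviewing.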

     


    Article Number:

    000090421


    Article Type:

    Solutions to a Product Problem


