BMC Server Automation Glossary (BladeLogic)

Version 5

    Here's a (draft) list of different terms used in BMC Server Automation (BladeLogic) and a bit about what each of them means, starting with security terms and some basics.


    Deployment Architecture


    App Server (Application Server)

    The central component of BSA, where jobs run, agent contact is initiated, and where the BSA GUI connects.  Also, any server running an instance of the BSA appserver.


    RSCD Agent

    A small software component that runs on managed servers, providing connectivity and security mapping for the app server and Network Shell.


    Managed Target/Server

    Any server managed by BSA, running an RSCD Agent.


    Agentless Managed Object

    Some components BSA manages without having an installed agent, cf. virtualization management on AIX.


    Jobs and Scheduling



    Most activities in BSA run as a Job.  Jobs are scheduled activities (including those where "Execute Job Now" creates an immediate schedule), using a Depot Object like a software package, patch or NSH Script or a Policy (Compliance, Change Tracking) and one or more Servers.  Most Jobs have one or more Job Parts.



    JOB_TIMEOUT is a Job property that is used to define how long a given Job should be allowed to run.  If a given Job runs longer than its JOB_TIMEOUT, it should be canceled.


    Job Part

    Jobs that have run against at least one server have at least one part: a unit of work that is targeted at that server and accomplishes some specific task.  Some Jobs will have one job part per server (running a script, for example), others may have multiple parts per server (simulate/stage/commit of a deploy job).



    JOB_PART_TIMEOUT is a property that is used to define how long a given Job Part should be allowed to run.  This is usually tripped by a server that's having issues like a hung NFS mount or another system call that's either not responding or taking a very long time (30 min+) to respond.


    Live Browse


    Configuration Object

    Something that exists on a managed server. It is under the local control of the OS and it is the most familiar form of an object. It can be a directory, a file, a Windows or UNIX Service, or a configuration file.  Config Objects are composed of metadata and their actual contents.


    Extended Object

    A script or command, with machine-parseable output, whose output is read as configuration items.  Examples include the "eeprom" command on Solaris, "netstat", and customer scripts.


    Change Tracking


    Golden Image

    A snapshot taken of some configurations on a server in a known good state.



    One or more configuration items captured at a point in time (such as after a QA cycle, or on a regular schedule).


    Change Detection

    Comparing the results of a golden image to an existing live server, or a snapshot, to identify configurations that are different.




    A set of rules describing how something should be configured.  Usually instantiated in BSA as a Component Template, and used by a (rules-based) Compliance Job.



    Sometimes there are good reasons why something can't be set according to the policy, like a specific application that's not compatible with the general policy in a particular way.  An exception lets us log that information (and how long it's allowed to be "out of compliance") and allows us to pass that server, for that policy's rule, when evaluating the server.



    Query Studio

    A quick report creation tool in BMC Decision Support (for) Server Automation (BDSSA).


    Report Studio

    An advanced report creation tool in BDSSA.


    Security related terms (stolen shamelessly from a BL whitepaper):


    certificate authority (CA)

    The trusted party issuing digital certificates (especially X.509 public-key certificates) to an identified end entity and vouching for the binding between the data items in a certificate. A certificate authority can be managed by an external certification service provider or the CA can belong to the same organization as the end entities in a PKI. CAs can also issue certificates to other sub-CAs. This leads to a tree-like certification hierarchy. The highest trusted CA in the tree is called a root CA.



    Digital documents used for secure authentication of communicating parties. A certificate binds identity information about an entity to the entity's public key for a certain validity period. A certificate is digitally signed by a trusted third party who has verified that the key pair actually belongs to the entity. Certificates can be thought of as analogous to passports that guarantee the identity of their bearers.


    certificate management protocol (CMP)

    A definition of the online interactions between end entities, registration authorities, and the certification authority in a PKI. CMP was developed by the PKIX Working Group of the IETF and specified in RFC 2510. An advanced version of CMP, known as CMPv2, is currently in draft form.


    certificate revocation list (CRL)

    A signed list containing the serial numbers of the certificates that have been revoked or suspended by the certificate issuer (the CA) before their expiration date. The CA usually issues new CRLs at frequent intervals. The current PKIX implementation of CRLs is the X.509 version 2 CRL. See RFC 2459 for more information.


    certification request

    A request for a certificate, generated by end entities or RAs and sent to the CA. A certification request contains at least the public key and some identity information about the entity making the request. A certificate is signed with the private key of the entity. If allowed by the certificate policy of the CA, a certificate can be issued based on the



    certification service provider (CSP)

    An organization that acts as a trusted third party or a CA host providing PKI services to other organizations and individuals.


    Internet Protocol Security (IPSec)

    A protocol suite, defined by the Internet Engineering Task Force (IETF), for protecting IP traffic at the packet level. IPSec can be used for protecting the data transmitted by any service or application that is based on IP. The IPSec protocols are defined in RFC 2401.

    Copyright © 2005, BladeLogic, Inc. All rights reserved. February 2005 19



    A solution to network security, created by MIT, that encompasses authentication and encryption. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communication to assure privacy and data integrity.

    See - whatis or for an FAQ on Kerberos

    Kerberos Tickets

    Kerberos Tickets uniquely identify a user. Kerberos Tickets are granted by a Ticket Granting Server, the Kerberos Domain Controller (KDC), and authenticated by an Authentication Server (AS). Microsoft's Active Directory Server functions as a KDC for Windows 2000 clients, while UNIX and Linux clients use the MIT KDC.

    As long as the number of requests is small, one TGS/AS is adequate. But as a network grows, the number of requests grows with it. The AS/TGS can then become a bottleneck in the authentication process. It is often advantageous to divide a network into realms. These divisions are often made on organizational boundaries, although they need not be. Each realm has its own AS and its own TGS.


    Lightweight Directory Access Protocol (LDAP)

    A directory access protocol defined by RFC 2251 and RFC 1777 for accessing directories supporting the X.500 models. Many companies are using LDAP-based solutions as directories and user management systems.


    managed service provider (MSP)

    An organization that provides delivery and management of network-based services, applications, and equipment to other organizations or individuals. A CA hosting service is an example of an MSP activity.


    Microsoft Crypto API (MSCAPI)

    A standard cryptographic interface in Microsoft Windows-based systems.


    port forwarding (X11 tunneling)

    The ability to have X11 client output directed to the port on which the BladeLogic Agent is listening, effectively tunneling the X11 client output stream from the Agent to the BladeLogic management console.


    public and private keys

    The keys used for encrypting and decrypting messages sent over a network. Private keys are secret and known only to their owners. They are used for signing and decrypting messages. Public keys are, as the name implies, public and can be published. For