8 Replies Latest reply on Jun 26, 2014 9:30 AM by richard mcleod

    SSO error while executing NSH commands using BAO

      Hello Friends,

       

      I am trying to execute NSH commands like agentinfo using BAO. I am getting the following error:

       

      SSO Error: Could not load credential cache file "C:\Windows\system32\config\systemprofile\AppData\Roaming\BladeLogic\bl_sesscc"

      Error in Initializing RBAC User and Role (SSO Proxy)

      Network Shell can be used for local access

      session-delimiter

       

       

      Could you please assist me in resolving the above error?

       

      Thanks,

      Rahul

        • 1. Re: SSO error while executing NSH commands using BAO
          Bill Robinson

          I believe if you review the BAO install docs, they mention that you need to run the BAO service as a real user account, not Local System.

          • 2. Re: SSO error while executing NSH commands using BAO
            Aryan Anantwar

            Hi Rahul,

             

            Please check and confirm the things below:

             

            • BAOCDP service is running with a user account (not with Local System Account)
            • The user configured to run BAOCDP service has access to C:\Windows\system32\config\systemprofile\AppData\Roaming\BladeLogic\bl_sesscc
            • Login to BSA console on BAOCDP system is successful or not?
            • Have you configured NSH Proxy server?

             

            Regards,

            Aryan Anantwar

            • 3. Re: SSO error while executing NSH commands using BAO
              Bill Robinson

              If the service is running as a real user, then it won’t be writing to local system’s home directory so your 2nd point is moot.

              • 4. Re: SSO error while executing NSH commands using BAO
                Aryan Anantwar

                Yes, Bill.

                 

                I was just pointing to the bl_sesscc file, to check the access permissions.

                 

                Regards,

                Aryan Anantwar

                • 5. Re: Re: SSO error while executing NSH commands using BAO
                  Yanick Girouard

                  Some of those checks are not exactly true or needed...

                   

                  • The user configured to run BAOCDP service has access to C:\Windows\system32\config\systemprofile\AppData\Roaming\BladeLogic\bl_sesscc
                    --> That is wrong. If the service is not using a system account, the bl_sesscc file will be at this location: C:\Users\<CDP_USER_ACCOUNT>\AppData\Roaming\BladeLogic, and not in the Windows folder.
                  • Login to BSA console on BAOCDP system is successful or not?
                    --> You technically don't need to test console access; a simple blcred test is sufficient, since this is all the CDP service will be using.
                  • Have you configured NSH Proxy server?
                    --> Unless you want the CDP service to run commands that need to access remote agents, you don't need the NSH Proxy, and by default, it's not even suggested in the BAO documentation.
                  • 6. Re: SSO error while executing NSH commands using BAO
                    richard mcleod

                    We're seeing something similar on our Linux system (except it shows that creds are expired...)

                     

                    25 Jun 2014 16:22:10,809 DEBUG SessionInputStreamHandler : [Thread=InputStream][Adapter=InputStream] Checking for the installCertPrompt

                    25 Jun 2014 16:22:10,809 DEBUG SessionInputStreamHandler : [Thread=InputStream][Adapter=InputStream] Inside installCertPrompt check

                    25 Jun 2014 16:22:10,809 DEBUG SessionInputStreamHandler : [Thread=InputStream][Adapter=InputStream] installCertPrompt : ?[yes|no]:

                    25 Jun 2014 16:22:10,810 DEBUG SessionInputStreamHandler : [Thread=InputStream][Adapter=InputStream] installCert yes

                    25 Jun 2014 16:22:10,810 DEBUG SessionInputStreamHandler : [Thread=InputStream][Adapter=InputStream] Not Entered in InstallcertPrompt check block

                    25 Jun 2014 16:22:10,810 DEBUG SessionInputStreamHandler : [Thread=InputStream][Adapter=InputStream] Prompt is not found in the response, continue reading the stream.

                    25 Jun 2014 16:22:10,810 DEBUG SessionInputStreamHandler : [Thread=InputStream][Adapter=InputStream] Found ending string 'session-delimiter' in line: ' SSO Error: Received SSO session reject message "CREDENTIAL_EXPIRED"

                    Error in Initializing RBAC User and Role (SSO Proxy)

                    Network Shell can be used for local access

                    session-delimiter

                    '

                    25 Jun 2014 16:22:10,810 DEBUG SessionInputStreamHandler : [Thread=InputStream][Adapter=InputStream] InputStream Completed reading

                     

                    Note: Not sure if this is possible and/or adding to the problem but I am trying to use user@domain inside of the <srp-user-name> tag

                    • 7. Re: SSO error while executing NSH commands using BAO
                      Yanick Girouard

                      BAO relies on cached credentials to work, so you need to have a process that constantly refreshes the credentials before they expire (blcred cred -acquire ...).

                       

                      I believe the BSA adapter supports a credential timeout setting, after which it automatically recreates the cached credential by running blcred again. Make sure yours is set to something smaller than the MaximumSessionCredentialLifetime and SessionCredentialLifetime blasadmin settings on your app server, or it could time out before it is refreshed.

                       

                      If you're running it on Linux, you could alternatively use a cron job to periodically run a blcred command using a user_info.dat file generated with the bl_gen_blcli_user_info utility that is located in the NSH/bin directory. Then you can use blcred like this to generate a cached credential without prompting for a password:

                       

                      blcred cred -acquire -profile $AUTH_PROFILE -i $PATH_TO_user_info.dat


                      Just make sure you create it for the right user if the CDP is not running as root. If running the cron job as root, it's best that you run blcred through /bin/su - CDP_USER -c "blcred..." if you want it to be properly created in the right location, or just use the crontab of that user.
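
The cron-based refresh described in reply 7, sketched as an added example that is not part of the original thread or of BMC's tooling. The account name, profile name, file path and script name are placeholders (assumptions). Only the `blcred cred -acquire -profile ... -i ...` invocation comes from the post. The wrapper refuses to run as the wrong user, so the cache is created in the CDP user's profile, and refuses a `user_info.dat` that other accounts can read.

```shell
#!/bin/sh
# Added example: cron wrapper that re-acquires the blcred cached credential.
# All default values below are placeholders (assumptions), not product defaults.
CDP_USER="${CDP_USER:-CDP_USER}"                     # account the CDP service runs as
AUTH_PROFILE="${AUTH_PROFILE:-AUTH_PROFILE}"         # BSA authentication profile name
USER_INFO="${USER_INFO:-/path/to/user_info.dat}"     # made by bl_gen_blcli_user_info
BLCRED="${BLCRED:-blcred}"                           # overridable for testing

# True only if the file exists, is owned by the caller and gives
# no permission bits at all to group or other.
is_private_file() {
    [ -f "$1" ] || return 1
    [ -O "$1" ] || return 1
    # ls -ld prints e.g. "-rw-------"; characters 5-10 are the group/other bits.
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Re-acquire the cached credential without prompting for a password.
refresh_cred() {
    # The cache is written under the invoking user's profile, so running
    # this as root would refresh root's cache, not the CDP user's.
    if [ "$(id -un)" != "$CDP_USER" ]; then
        echo "refusing: run as $CDP_USER (e.g. from that user's crontab)" >&2
        return 2
    fi
    # user_info.dat stands in for a typed password; keep it owner-only.
    if ! is_private_file "$USER_INFO"; then
        echo "refusing: $USER_INFO is missing, not ours, or group/world accessible" >&2
        return 3
    fi
    "$BLCRED" cred -acquire -profile "$AUTH_PROFILE" -i "$USER_INFO"
}

# Example entry in the CDP user's crontab (script path is a placeholder;
# pick an interval shorter than the credential lifetime on the app server):
#   */30 * * * * /path/to/refresh_blcred.sh --run
if [ "${1:-}" = "--run" ]; then
    refresh_cred || exit $?
fi
```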

                      • 8. Re: SSO error while executing NSH commands using BAO
                        richard mcleod

                        Thanks, will give this a shot.