Did you follow the steps in the BladeLogic Administration PDF about setting up the client system for use w/ the NSH Proxy? There are modifications required to the 'secure' file on the client system to work w/ an NSH Proxy. Also, you may need to check the 'cache session credential' option on the CM GUI login box (click 'options>>'), or use the blcred command to establish credentials if you're not using the GUI.
Yup. I am planning on using the blcred cred -acquire -profile <profile name> -password <password>. Which is better management? The proxy or doing blcred on each user?
Once NSH is configured on your client system, to use the NSH Proxy from the client system you need to have established credentials before you launch NSH on the client. You can either use blcred from the command line to do this or you can check the 'cache session credential' when you log in to the CM GUI.
Where is this cache credential file saved?
In the user's home dir App Data\BladeLogic I think.
Thanks for pointing me in the correct direction. Here is what I did so far and I am a bit lost:
Within the CM:
From the Tools Menu | Administrator | Infrastructure Management | Right Click on Proxy Server. I typed in the required fields and the port setting that I set for the NSH Proxy in blasadmin. Restarted the application server, then configured the secure file on the client.
Is this right? The part I was a little nervous about was the part where it asked me for User Name and Password for the NSH PROXY server. Is it always going to use that credential to authenticate the user? Is there a way to log
If you set up the NSH Proxy in blasadmin you shouldn't have to do it in the 'Tools | Infrastructure Management | ...' menu - those are essentially managing the same thing. Do you have multiple instances of the appserver running? If so, did you create a new instance for the NSH Proxy or did you modify an existing instance?
Anyway, if you don't have your credentials cached from the GUI login, the NSH client is going to prompt you to authenticate because it can't find any credentials. So check the 'cache session credentials' box on the GUI login, or you need to establish creds from the command line w/ blcred before you run nsh.
Do you have to do blcred even with nsh proxy enabled? If yes, what is the point of nsh proxy? Is it supposed to assume a credential? Is nsh proxy allowing the use of cached credentials?
To use the NSH proxy you must have credentials established. This could be from a GUI login, or from blcred.
The purpose of the NSH proxy is to allow connections to remote servers from only the appserver(s), so you do not have to manage firewall rules for client systems, which may not have static addresses. Network admins do not always want to open up 4750 (agent port) from all client systems to all target servers, or manage hundreds of firewall rules for this. The proxy lets you connect to the appserver (which the clients already would have access to) and then go from the appserver to each target.
But to do this, you need to be authenticated to BladeLogic first. Which is another reason to enable it.
Also, the user mappings on the target systems typically take the form of "ROLE:USER -> local user" so you need some way to establish that you are in fact ROLE:USER. Otherwise you will not be able to talk to the target system. You could manually manipulate the mappings to match w/ the client OS username, but that becomes a complicated maintenance task.
What did you envision the purpose of the NSH proxy to be?
I envisioned single sign-on and the ability to remote into a machine with nsh (i.e. cd //hostname) without logging in to each machine with blcred. The way you've explained, via cached credential and adding all the appsrv hostnames in the secure file, is the best way. Right?
On Jun 28, 2009, at 3:17 PM, Bill Robinson <firstname.lastname@example.org
That is how it works - you don't need to authenticate to each machine, you only need to authenticate once to the BladeLogic Authentication Service, which provides SSO via the cached credential. You can do that w/ either blcred or the GUI w/ the cached credential.
You have the NSH Proxy configured on the appserver w/ the ProxySvcPort (which is the NSH Proxy that uses the Auth Service/SSO) setting, right? And you're not using the 'SRPProxy' settings? Depending on the config, if you are using the SRPProxy you may run into behaviour like you describe.
In the secure file you want to add:
not just the appserver hostname, since you want all connections to any server to be routed through the NSH Proxy. Adding only the appserver hostname to the secure file will mean you'd only use the NSH Proxy for an nsh connection (cd //appserver) to the appserver itself, instead of all connections (cd //serverN).