11 Replies Latest reply on Jun 28, 2009 8:19 PM by Bill Robinson

    NSH Proxy Question

    young so

      I have the console connecting to the application correctly, but when I try to execute NSH from the console to the server I am managing, it doesn't open the shell.  I have NSH installed on my machine.  It looks like an authentication issue.  So, the question: if I am already authenticated within the console, when I execute NSH at the console, where is it going to get the authentication request?  Is it at XML at the application server?

        • 1. Re: NSH Proxy Question
          Bill Robinson

          Did you follow the steps in the BladeLogic Administration pdf about setting up the client system for use w/ the NSH Proxy?  There are modifications required to the 'secure' file on the client system to work w/ a NSH Proxy.  Also, you may need to check the 'cache session credential' option on the CM GUI login box (click 'options>>'), or use the blcred command to establish credentials if you're not using the GUI.

          • 2. Re: NSH Proxy Question
            young so

            Yup.  I am planning on using the blcred cred -acquire -profile <profile name> -password <password>.  Which is better management?  The proxy or doing blcred on each user?

            • 3. Re: NSH Proxy Question
              Bill Robinson

              Once NSH is configured on your client system, to use the NSH Proxy from the client system you need to have established credentials before you launch NSH on the client.  You can either use blcred from the command line to do this or you can check the 'cache session credential' when you log in to the CM GUI.

              • 4. Re: NSH Proxy Question
                young so

                Where is this cache credential file saved?

                • 5. Re: NSH Proxy Question
                  Bill Robinson

                  In the user's home dir App Data\BladeLogic I think.

                  • 6. Re: NSH Proxy Question
                    young so



                    Thanks for pointing me in the correct direction.  Here is what I did so far, and I am a bit lost:


                    Within the CM:

                    From the Tools Menu | Administrator | Infrastructure Management | Right Click on Proxy Server.  I typed in the required fields and the port setting that I set for the NSH Proxy in blasadmin.  Restarted the application server, then configured the secure file on the client.


                    Is this right?  The part I was a little nervous about was the part where it asked me for User Name and Password for the NSH PROXY server.  Is it always going to use that credential to authenticate the user?  Is there a way to log

                    • 7. Re: NSH Proxy Question
                      Bill Robinson

                      If you set up the NSH Proxy in blasadmin you shouldn't have to do it in the 'Tools | Infrastructure Management | ...' menu - those are essentially managing the same thing.  Do you have multiple instances of the appserver running?  If so, did you create a new instance for the NSH Proxy or did you modify an existing instance?


                      Anyway, if you don't have your credentials cached from the GUI login, the NSH client is going to prompt you to authenticate because it can't find any credentials.  So check the 'cache session credentials' box on the GUI login, or you need to establish creds from the commandline w/ blcred before you run nsh.

                      • 8. Re: NSH Proxy Question
                        young so
                        Do you have to do blcred even with nsh proxy enabled?  If yes, what is the point of nsh proxy?  Is it supposed to assume a credential?  Is nsh proxy allowing to use cache credentials?
                        • 9. Re: NSH Proxy Question
                          Bill Robinson

                          To use the NSH proxy you must have credentials established.  This could be from a GUI login, or from blcred.


                          The purpose of the NSH proxy is to allow connections to remote servers from only the appserver(s), so you do not have to manage firewall rules for client systems, which may not have static addresses.  Network admins do not always want to open up 4750 (agent port) from all client systems to all target servers, or manage hundreds of firewall rules for this.  The proxy lets you connect to the appserver (which the clients already would have access to) and then go from the appserver to each target.


                          But to do this, you need to be authenticated to BladeLogic first.  Which is another reason to enable it.


                          Also, the user mappings on the target systems typically take the form of "ROLE:USER -> local user" so you need some way to establish that you are in fact ROLE:USER.  Otherwise you will not be able to talk to the target system.  You could manually manipulate the mappings to match w/ the client OS username, but that becomes a complicated maintenance task.


                          What did you envision the purpose of the NSH proxy was for?

                          • 10. Re: NSH Proxy Question
                            young so

                            I envisioned single sign-on and the ability to remote into a machine with nsh (i.e. cd //hostname) without logging in to each machine with blcred.  The way you've explained via cache credential and adding all the appsrv hostnames in the secure file is the best way.  Right?


                            Young So


                            • 11. Re: NSH Proxy Question
                              Bill Robinson

                              That is how it works - you don't need to authenticate to each machine, you only need to authenticate once to the BladeLogic Authentication Service, which provides SSO via the cached credential.  You can do that w/ either blcred or the GUI w/ the cached credential.



                              You have the NSH Proxy configured on the appserver w/ the ProxySvcPort (which is the NSH Proxy that uses the Auth Service/SSO) setting, right?  And you're not using the 'SRPProxy' settings?  Depending on the config, if you are using the SRPProxy you may run into behaviour like you describe.



                              In the secure file you want to add:




                              not just the appserver hostname, since you want all connections to any server to be routed through the NSH Proxy.  Adding only the appserver hostname to the secure file will mean you'd only use the NSH Proxy for an nsh connection (cd //appserver) to the appserver itself, instead of all connections (cd //serverN).