8 Replies Latest reply on Oct 1, 2012 2:48 PM by Bill Robinson

    Setting up multiple secure files?

    S Crawford

      Is there a way to have multiple secure files set up in the 7.5 client so the user doesn't have to manually change it every time they switch app servers?


      We have multiple BladeLogic environments running, and each one is set up with a different authentication profile and NSH Proxy Server. Every time a user wants to log on to a different environment, they need to go into their secure file and change the 'auth_profile' value to the correct profile name. Is there a way we can list all authentication profiles in the secure file, or have multiple secure files that are automatically read? The users don't know they need to change this file so they are constantly reporting SSO errors to us.

        • 1. Re: Setting up multiple secure files?

          In your secure file, you can limit the entries to apply for communication bound for certain addresses or subnets. Use the secadmin utility to configure this option. It should also be in the install or users guide. Just do a search for secadmin. I did this for work at a customer that had three separate BladeLogic environments and when I would nsh to one environment the secure file would auto direct me to that NSH proxy based upon the destination subnet I was trying to reach.


          Message was edited by:

          Adam Bowen

          • 2. Re: Setting up multiple secure files?
            S Crawford

            Hmm, I tried setting this up in the client secure file (using secadmin) but it doesn't seem to work. See the attached secure file to see how it looks now. There is 1 test environment, 2 prod environments, and 2 DR environments.


            When I try to log in to a different environment (by choosing the different authentication profile at the login screen) and then try to go onto NSH, I get the error that usually comes up when the wrong profile is in the secure file:


            SSO Error: Could not find a credential in cache file "C:\Users\User_1\AppData\Roaming/BladeLogic/bl_sesscc" that matches the current authentication profile

            Error in Initializing RBAC User and Role (SSO Proxy)

            Network Shell can be used for local access


            I think it is still only reading the default entry in the secure file. Is there something else that needs to be done?

            • 3. Re: Setting up multiple secure files?
              Bill Robinson

              you need to use the subnets and not the names of the appservers. nsh is going to resolve the target server and then look in secure and say ...'for i need to use a proxy' or 'for i go direct on port 5750', etc.



              also, get rid of the ~/ - you can put in /C/Program Files/BladeLogic/OM/br/authenticationProfiles.xml w/o escaping the space and it's ok.

              • 4. Re: Setting up multiple secure files?
                S Crawford

                Hmm, I'm not sure if this will help in my case. The error msg I'm receiving is saying that the authentication profile in the saved credentials (bl_sesscc) does not match the current profile, which I am assuming is being determined by the secure file because if I correct the secure file on the fly to the correct profile, NSH will work when I close it and bring it back up.


                I guess defining subnets would be good if I wanted to always use the same proxy for certain servers, but what I really need is to always connect to correct proxy based on which profile I'm using. Is this possible?

                • 5. Re: Setting up multiple secure files?
                  Bill Robinson

                  if you have more than 1 CM GUI up at the same time the creds will likely get confused. I think you can only be connected to 1 env at a time and have the cached creds work properly.


                  I don't think the proxy setup works that way. nsh is kinda dumb - it resolves the target system, then looks in the secure file for how to connect to it.


                  what's happening in your example I think is that nsh is resolving a target system like server1.foo.com, and it's using the 'default' entry from the secure file because 'server1.foo.com' doesn't match the name/ip of any of the hosts you put in there (which are all your appservers afaict). so that's why it doesn't like the profile - the profile specified in the default line doesn't match what you have loaded.


                  so if all your dev systems are on put in an entry in the secure file for that and reference your 'dev' profile, test is on reference the test profile.


                  so then if you login to bladelogic to the test profile, and you open up nsh and are connecting to a test system, it's going to say, oh, i'm hitting this subnet, i should use this profile info.
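
A simplified model of the lookup described in replies 3 and 5, added here as an illustration and not BladeLogic code. The entry layout, profile names, addresses and the DNS table are constructed and are not real secure-file syntax; only `server1.foo.com` comes from the thread.

```python
import ipaddress

# Constructed name -> IP table standing in for DNS so the example runs offline.
DNS = {
    "appserver-test.example.com": "10.1.0.10",
    "server1.foo.com": "10.20.5.17",   # managed target in the test environment
    "server2.foo.com": "10.30.8.4",    # managed target in a prod environment
}

def select_profile(target, entries):
    """Return the auth profile of the first entry that applies to `target`.

    `entries` is a list of (key, profile) pairs; key is a host name, an IP,
    a CIDR subnet, or "default". This models the behaviour described in the
    thread; it is not the real secure-file parser.
    """
    ip = ipaddress.ip_address(DNS[target])   # nsh resolves the target first
    default = None
    for key, profile in entries:
        if key == "default":
            default = profile
        elif "/" in key:
            if ip in ipaddress.ip_network(key):
                return profile
        elif key == target or key == str(ip):
            return profile
    return default                            # nothing matched: fall back

def nsh_connect(target, entries, logged_in_profile):
    """The cached credential must match the profile the lookup selected."""
    chosen = select_profile(target, entries)
    return "ok" if chosen == logged_in_profile else "SSO Error"

# Layout from reply 2: entries keyed by app server names, plus a default.
BY_APPSERVER = [("appserver-test.example.com", "test"), ("default", "prod1")]
# Layout from replies 3 and 5: entries keyed by the subnets of the targets.
BY_SUBNET = [("10.20.0.0/16", "test"), ("10.30.0.0/16", "prod1"),
             ("default", "prod1")]

if __name__ == "__main__":
    for layout in (BY_APPSERVER, BY_SUBNET):
        print(nsh_connect("server1.foo.com", layout, "test"))
```

With entries keyed by app server, a user logged in with the test profile falls through to the default entry and gets the SSO error; with entries keyed by target subnet, the same connection selects the test profile.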

                  • 6. Re: Setting up multiple secure files?
                    S Crawford

                    Yep it sounds like what you explained is exactly what is happening in my case. Unfortunately our server IP addresses are not split up by environment, so I can't map the subnets to the BL profiles.


                    Is it common practice for a lot of customers to have to manually change their secure file whenever they switch profiles, or is there another method available for the secure file that isn't documented?


                    Are there any plans to allow multiple profiles to be listed in the secure file?

                    • 7. Re: Setting up multiple secure files?
                      Bill Robinson

                      I've asked for that enhancement (multiple profiles in secure) and I know it's an issue, you can raise it too.


                      Another option that I haven't tried yet (tonight maybe) is to use hostnames or matches - so something like *.dev.com as the host entry if your hosts are split up by dns names, or some other kind of match. though I have no idea if that will actually work.


                      if not there will have to be some manual switching afaik.

                      • 8. Re: Setting up multiple secure files?
                        Bill Robinson

                        as of 8.1.02 or 03 and 8.0 SP10 as long as you have the 'appserver_protocol=ssoproxy' in the secure file on the client, the 'NSH Here' will pass down the profile name and connect, meaning you can have multiple GUIs running concurrently, w/ multiple nsh windows open connecting to different nsh proxies.