In your secure file, you can limit the entries to apply for communication bound for certain addresses or subnets. Use the secadmin utility to configure this option. It should also be in the install or users guide. Just do a search for secadmin. I did this for work at a customer that had three separate BladeLogic environments, and when I would nsh to one environment the secure file would auto direct me to that NSH proxy based upon the destination subnet I was trying to reach.
Hmm, I tried setting this up in the client secure file (using secadmin) but it doesn't seem to work. See the attached secure file to see how it looks now. There is 1 test environment, 2 prod environments, and 2 DR environments.
When I try to log in to a different environment (by choosing the different authentication profile at the login screen) and then try to go onto NSH, I get the error that usually comes up when the wrong profile is in the secure file:
SSO Error: Could not find a credential in cache file "C:\Users\User_1\AppData\Roaming/BladeLogic/bl_sesscc" that matches the
current authentication profile
Error in Initializing RBAC User and Role (SSO Proxy)
Network Shell can be used for local access
I think it is still only reading the default entry in the secure file. Is there something else that needs to be done?
you need to use the subnets and not the names of the appservers. nsh is going to resolve the target server and then look in secure and say ...'for 192.168.1.0/24 i need to use a proxy' or 'for 192.168.2.0/2 i go direct on port 5750', etc.
also, get rid of the ~/ - you can put in /C/Program Files/BladeLogic/OM/br/authenticationProfiles.xml w/o escaping the space and it's ok.
Hmm, I'm not sure if this will help in my case. The error msg I'm receiving is saying that the authentication profile in the saved credentials (bl_sesscc) does not match the current profile, which I am assuming is being determined by the secure file because if I correct the secure file on the fly to the correct profile, NSH will work when I close it and bring it back up.
I guess defining subnets would be good if I wanted to always use the same proxy for certain servers, but what I really need is to always connect to the correct proxy based on which profile I'm using. Is this possible?
if you have more than 1 CM GUI up at the same time the creds will likely get confused. I think you can only be connected to 1 env at a time and have the cached creds work properly.
I don't think the proxy setup works that way. nsh is kinda dumb - it resolves the target system, then looks in the secure file for how to connect to it.
what's happening in your example I think is that nsh is resolving a target system like server1.foo.com, and it's using the 'default' entry from the secure file because 'server1.foo.com' doesn't match the name/ip of any of the hosts you put in there (which are all your appservers afaict). so that's why it doesn't like the profile - the profile specified in the default line doesn't match what you have loaded.
so if all your dev systems are on 192.168.1.0/24 put in an entry in the secure file for that and reference your 'dev' profile, test is on 192.168.2.0/24 reference the test profile.
so then if you login to bladelogic to the test profile, and you open up nsh and are connecting to a test system, it's going to say, oh, i'm hitting this subnet, i should use this profile info.
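A small model of the lookup described in the reply above, added here as an example; it is not part of the original thread and not BladeLogic code. The entry tuples are a constructed stand-in for secure-file entries (not real secure-file syntax), the appserver host names and target IP are made up, and first-match-wins ordering is an assumption.

```python
import ipaddress

# Constructed stand-ins for secure-file entries: (host key, auth profile).
# A key is a subnet/IP, a literal host name, or "default".
ENTRIES_BY_APPSERVER = [            # what the asker had: appserver names only
    ("appserver-test.example.com", "test"),
    ("appserver-prod1.example.com", "prod1"),
    ("default", "prod1"),
]
ENTRIES_BY_SUBNET = [               # what the reply suggests: target subnets
    ("192.168.1.0/24", "dev"),
    ("192.168.2.0/24", "test"),
    ("default", "prod1"),
]

def select_entry(entries, target_name, target_ip):
    """Pick the entry for an already-resolved target; fall back to 'default'."""
    addr = ipaddress.ip_address(target_ip)
    default = None
    for key, profile in entries:
        if key == "default":
            default = (key, profile)
            continue
        try:
            net = ipaddress.ip_network(key, strict=False)
        except ValueError:
            # Not an IP or subnet: compare as a literal host name.
            if key.lower() == target_name.lower():
                return key, profile
            continue
        if addr in net:
            return key, profile
    if default is None:
        raise LookupError("no matching entry and no default entry")
    return default

def check(entries, target_name, target_ip, loaded_profile):
    """Return (matched key, entry profile, True if it equals the logged-in profile)."""
    key, profile = select_entry(entries, target_name, target_ip)
    return key, profile, profile == loaded_profile

if __name__ == "__main__":
    for name, entries in (("appserver", ENTRIES_BY_APPSERVER),
                          ("subnet", ENTRIES_BY_SUBNET)):
        print(name, check(entries, "server1.foo.com", "192.168.2.17", "test"))
```

With appserver names as keys, the target falls through to the default entry and its profile disagrees with the one loaded at login, which is the situation the SSO error reports.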
Yep it sounds like what you explained is exactly what is happening in my case. Unfortunately our server IP addresses are not split up by environment, so I can't map the subnets to the BL profiles.
Is it common practice for a lot of customers to have to manually change their secure file whenever they switch profiles, or is there another method available in the secure file that isn't documented?
Are there any plans to allow multiple profiles to be listed in the secure file?
I've asked for that enhancement (multiple profiles in secure) and I know it's an issue, you can raise it too.
Another option that I haven't tried yet (tonite maybe) is to use hostnames or matches - so something like *.dev.com as the host entry if your hosts are split up by dns names, or some other kind of match. though I have no idea if that will actually work.
if not there will have to be some manual switching afaik.
as of 8.1.02 or 03 and 8.0 SP10 as long as you have the 'appserver_protocol=ssoproxy' in the secure file on the client, the 'NSH Here' will pass down the profile name and connect, meaning you can have multiple GUIs running concurrently, w/ multiple nsh windows open connecting to different nsh proxies.