9 Replies Latest reply on Apr 4, 2012 8:02 PM by Bill Robinson

    HOWTO configure "NSH here" to use NSH Proxy

    Steven Wyns

      Hi,

       

      We have set up multiple BladeLogic instances:

      - 1 development, 1 acceptance (testing purposes)

      - 1 production instance that serves all pillars in datacenter 1

      - 1 production instance that serves all pillars in datacenter 2

      remark: these are real separate environments, no multi appserver environment

       

      Each instance has an NSH proxy configured.

       

      I've configured my client to use the NSH proxy like this:

      secadmin -m default -p 5 -appserver_protocol ssoproxy -T encryption_and_auth -e tls

       

      This way I'm not obliged to give an authentication profile that will be used, NSH will read out the environment variable BL_AUTH_PROFILE_NAME. This works fine if you start nsh out of a CMD window and set your environment in the beginning. When clicking the custom command "NSH here" I always receive the notice that the authentication profile is unknown.

       

      Is there a way to use "NSH here" via an NSH proxy while connecting to multiple environments with different authentication profiles?

       

      Kind Regards,

        • 1. Re: HOWTO configure "NSH here" to use NSH Proxy
          Paul Seager-Smith

          If you cache your credentials when you log on to the application server through the console, then it will take the same credentials and authentication profile that you use when you log on. The SSO means that the NSH as a custom command should work directly then.

           

          Regards,

           

          Paul

          • 2. Re: HOWTO configure "NSH here" to use NSH Proxy
            Steven Wyns

            Hi Paul,

             

            I think I know what you mean, and this works correctly if you connect with 1 authentication profile. Then you can specify this authentication profile during the secadmin command. But how will I do this when having multiple environments / authentication profiles?

             

            Kind Regards,

            • 3. Re: HOWTO configure "NSH here" to use NSH Proxy
              Paul Seager-Smith

              OK, I see what you mean. I haven't tried this, but assuming that the authentication profiles are pointing to different servers, you should be able to create multiple entries in the secure file, e.g.

               

              server1:port=4750:protocol=5:tls_mode=encryption_only:auth_profile=Auth1:appserver_protocol=ssoproxy:encryption=tls:

              server2:port=4750:protocol=5:tls_mode=encryption_only:auth_profile=Auth2:appserver_protocol=ssoproxy:encryption=tls:

               

              The multiple entries are normally used for communication with the RSCD agent, but might also work in this case.

               

              Regards,

               

              Paul

              • 4. Re: HOWTO configure "NSH here" to use NSH Proxy
                Bill Robinson

                That won't work because it will only direct traffic destined for the server1 or server2 to the proxy, and you need to direct all traffic to the proxy.

                 

                I think the environment variable would be the best way to go, if you can get that to work somehow.
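
Added example, not part of any post in this thread: a Python sketch of the point made in replies 3 and 4, showing which destinations a set of secure-file entries would send through the NSH proxy and which authentication profile each one pins. The function names, the host name server3, the `default` line (constructed from the secadmin options in the first post) and the lookup order (exact host name first, then `default`) are assumptions of this sketch.

```python
# Added example: which secure-file entry handles a given destination host.
# Assumption (this sketch's, not taken from BladeLogic code): an entry whose
# first field equals the host name wins; otherwise "default" applies.

# Host-specific entries as proposed in reply 3.
HOST_ENTRIES = (
    "server1:port=4750:protocol=5:tls_mode=encryption_only:"
    "auth_profile=Auth1:appserver_protocol=ssoproxy:encryption=tls:\n"
    "server2:port=4750:protocol=5:tls_mode=encryption_only:"
    "auth_profile=Auth2:appserver_protocol=ssoproxy:encryption=tls:\n"
)
# Constructed line mirroring the secadmin options in the first post.
DEFAULT_ENTRY = (
    "default:protocol=5:tls_mode=encryption_and_auth:"
    "appserver_protocol=ssoproxy:encryption=tls:\n"
)

def parse_secure(text):
    """Return {entry_name: {option: value}} for each non-empty line."""
    entries = {}
    for line in text.splitlines():
        name, *fields = line.strip().split(":")
        if not name:
            continue
        entries[name] = dict(f.split("=", 1) for f in fields if "=" in f)
    return entries

def route(entries, host):
    """Report which entry matches host, proxy use, and pinned auth profile."""
    matched = host if host in entries else ("default" if "default" in entries else None)
    opts = entries.get(matched, {})
    return {
        "matched": matched,
        "via_proxy": opts.get("appserver_protocol") == "ssoproxy",
        # None means nsh must take the profile from BL_AUTH_PROFILE_NAME.
        "auth_profile": opts.get("auth_profile"),
    }

def unproxied(entries, hosts):
    """Hosts whose traffic would not be sent through the NSH proxy."""
    return [h for h in hosts if not route(entries, h)["via_proxy"]]

if __name__ == "__main__":
    targets = ["server1", "server2", "server3"]  # server3 is a constructed name
    print(unproxied(parse_secure(HOST_ENTRIES), targets))
    print(route(parse_secure(HOST_ENTRIES + DEFAULT_ENTRY), "server3"))
```
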

                • 5. Re: HOWTO configure "NSH here" to use NSH Proxy
                  Steven Wyns

                  Hi Bill,

                   

                  Did some work on this today and came to this result:

                  A custom command with the command:

                  For /F "delims=" %%%%I in ('C:\\TEMP\\Lcm_GetAuthProf\\Lcm_GetAuthProf.exe') Do Set BL_AUTH_PROFILE_NAME=%%%%I&& nsh -D //%H"%p"

                   

                  where 'C:\\TEMP\\Lcm_GetAuthProf\\Lcm_GetAuthProf.exe' is an executable that returns nothing more than the authentication profile used at the moment: merging info out of the "bl_sesscc" file and "authenticationprofiles.xml"

                   

                  the output of getAuthProf is then put into the environment variable BL_AUTH_PROFILE_NAME

                   

                  nsh reads this environment variable during start

                   

                  secadmin needs to be configured without using -auth_profile

                   

                  when running the NSH here command you will see an error first, but in the end the nsh shell will be started:

                  SSO Error: No authentication profile has been successfully loaded. Single Sign-On connections require a valid authentication profile.
                  Error in Initializing RBAC User and Role (SSO Proxy)
                  Network Shell can be used for local access
                  Access is denied.
                  server1% blid
                  local: uid=400(username) gid=401(mkpasswd)
                  remote: role=BLAdmins

                   

                  user=username@DOMAIN.COM timeout=1439(minutes) 45(seconds)

                   

                  I find this rather complex for something that should be supported out of the box. Does someone have an idea if version 8.x fixes this?

                   

                  Kind regards,

                  • 6. Re: HOWTO configure "NSH here" to use NSH Proxy
                    Wenchi Liao

                    How about changing the "NSH Here" command to run something like 'nsh-cred.bat PROFILE1 "%H" "%p"' for each instance. PROFILE1 would be replaced with PROFILE2 in the second instance, etc.

                     

                    nsh-cred.bat (or the shell script equivalent) would be a wrapper like

                     

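                    @echo off
                    rem %1 = authentication profile name for this instance
                    set BL_AUTH_PROFILE_NAME=%1
                    rem %~2 and %~3 strip the quotes added around "%H" and "%p"
                    set newhost=%~2
                    set newpath=%~3

                    rem Reuse cached session credentials if valid, otherwise acquire new ones.
                    rem cmd.exe groups commands with parentheses, not braces.
                    blcred cred -test || (
                      blcred cred -acquire || (
                        echo Cannot obtain session credentials
                        pause
                        exit
                      )
                    )

                    nsh -D //%newhost%"%newpath%"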

                     

                    This assumes a consistent auth profile for all users. It may also blow the credentials away, so mixing different environments may be a bit of a pain.

                    • 7. Re: HOWTO configure "NSH here" to use NSH Proxy
                      Steven Wyns

                      Hi,

                       

                      Well in our environment we're not sure which authentication profile is being used. The users are able to create new profiles themselves, therefore we've created the LCM_GetAuthProf script. Embedding it all into a bat file is maybe a good idea. It makes everything a bit more readable.

                       

                      Kind regards

                      • 8. Re: HOWTO configure "NSH here" to use NSH Proxy
                        Steffen Kreis

                        Hello,

                         

                        we are facing the same challenge at the moment.

                        Is there any update resolution on this topic ?

                         

                        Regards

                        Steffen

                        • 9. Re: HOWTO configure "NSH here" to use NSH Proxy
                          Bill Robinson

                          btw, as of 8.0 sp10 and 8.1.? when you do 'nsh here' the profile is picked up from the gui and overrides whatever is in the secure file, so you can connect to multiple nsh proxies w/o modifying the secure file.
