12 Replies Latest reply on Jul 21, 2011 8:37 AM by Gerardo Bartoccini

    nexec with different user than BladeLogicRSCD / NSH Proxy Problems

    Johannes Richter

      Dear Community,

       

      I have the following problem.

      I want to start a command line application using nexec in an NSH script under Windows. Problem is that BladeLogicRSCD User is used to start the application, but I need to execute it as a domain user.

       

      Is there any possibility to change the user who executes the commands inside nexec?

       

      Thanks in advance!

       

      Regards,

      Johannes

        • 1. Re: nexec with different user than BladeLogicRSCD
          Bill Robinson

          Use the ‘Automation Principal’ feature available in 8.x

           

          Btw, you are not actually running as the BladeLogicRSCD user, you are running as the user your role is mapped to…

          • 2. Re: nexec with different user than BladeLogicRSCD
            Johannes Richter

            Hi Bill,

             

            thanks for your answer!

             

            Now I created an "Automation Principal" with the domain user and assigned it to a role. But still executing with BladeLogicRSCD (I can check it in task manager).

             

            Do I have to do some Tasks after assigning the Principal to the role?

             

            Thanks

            Johannes

            • 3. Re: nexec with different user than BladeLogicRSCD
              Bill Robinson

              Did you configure the appserver to be and use a nsh proxy?

              • 4. nexec with different user than BladeLogicRSCD
                Johannes Richter

                Hey Bill,

                 

                no I didn't set up any NSH Proxy. Is it necessary?

                 

                Johannes

                • 5. Re: nexec with different user than BladeLogicRSCD
                  Bill Robinson

                  Yes, for nsh to pick up the AP.

                  • 6. Re: nexec with different user than BladeLogicRSCD
                    Johannes Richter

                    Hi Bill,

                     

                    I tried to set up nsh proxy server. I defined the port for the proxy (ProxySvcPort). And changed the secure file on the appserver to:

                     

                    default:port=4750:protocol=5:tls_mode=encryption_only:auth_profiles_file=/c/BMC/BladeLogic/8.1/NSH/br/authenticationProfiles.xml:auth_profile=local:appserver_protocol=ssoproxy:encryption=tls:

                    Also I provided the ProxyServiceURL in the appServer Properties:

                     

                    service:proxysvc.bladelogic:blsess://muc-vip-pocw070:9882

                     

                    Problem now: I can see the following lines in the appserver.log:

                     

                    [19 Jul 2011 12:50:38,201] [Nsh-Proxy-Thread-3] [INFO] [jrichter:BLAdmins:192.168.18.25] [BLSSOPROXY] NSH Proxy Connection closed

                    [19 Jul 2011 12:50:38,794] [Nsh-Proxy-Thread-4] [INFO] [jrichter:BLAdmins:192.168.18.25] [BLSSOPROXY] NSH Proxy Connection closed

                    [19 Jul 2011 12:50:39,076] [Nsh-Proxy-Thread-2] [INFO] [jrichter:BLAdmins:192.168.18.25] [BLSSOPROXY] Connecting to localhost

                    [19 Jul 2011 12:50:39,310] [Nsh-Proxy-Thread-0] [INFO] [jrichter:BLAdmins:192.168.18.25] [BLSSOPROXY] copy data stop: Connection closed

                    [19 Jul 2011 12:50:39,310] [Nsh-Proxy-Thread-0] [INFO] [jrichter:BLAdmins:192.168.18.25] [BLSSOPROXY] NSH Proxy Connection closed

                     

                    If I execute a command, I get this error:

                     

                    Error          19.07.2011 12:50:39          cd: no authorization to access host: //localhost/

                     

                    What did I miss?

                     

                    Thanks for your help!!!

                     

                    Johannes

                    • 7. Re: nexec with different user than BladeLogicRSCD
                      Johannes Richter

                      Maybe it helps, here is the Proxy Service Output:

                       

                       

                      Nsh-Proxy Manager

                      ==================

                       

                       

                      Nsh-Proxy listening on ports:

                      ==============================

                      SSO Proxy Port = 9882

                      Control Port = 9851

                       

                       

                      Maximum concurrent connections = 20

                      Open NSH proxies = 1

                      Idle NSH proxies = 1

                      Active NSH proxies = 0

                      Number of NSH proxy worker threads = 5

                      Available NSH proxy worker threads = 5

                       

                       

                      Hosts connected to application server:

                      =======================================

                      Host,User,Role,Type,Idle Time

                      --------------------------------------------------

                      192.168.18.25,BLAdmin,BLAdmins,NSH Proxy,0h:43m:16s407ms

                       

                       

                      Helper Threads Status:

                      =======================

                      Name,State,Time in state (ms),Additional Info

                      --------------------------------------------------

                      Accept-Nsh-Proxy-Thread,POLLING,0h:8m:35s250ms,Average polling time over the previous 19 requests is 184593(ms)

                      Select-Nsh-Proxy-Thread,POLLING,0h:43m:16s407ms,Average polling time over the previous 26 requests is 54853(ms)

                       

                       

                      Nsh-Proxy Worker Threads Status:

                      =================================

                      Name,State,Time in state (ms),Additional Info

                      --------------------------------------------------

                      Nsh-Proxy-Thread-0,WAITING_FOR_PROXY_REQUEST,0h:43m:20s672ms,

                      Nsh-Proxy-Thread-1,WAITING_FOR_PROXY_REQUEST,0h:43m:17s0ms,

                      Nsh-Proxy-Thread-2,WAITING_FOR_PROXY_REQUEST,0h:8m:28s922ms,

                      Nsh-Proxy-Thread-3,WAITING_FOR_PROXY_REQUEST,0h:43m:16s407ms,

                      Nsh-Proxy-Thread-4,WAITING_FOR_PROXY_REQUEST,0h:12m:31s547ms,

                       

                       

                      From NSH on appserver:

                       

                       

                      muc-vip-pocw070% blid

                      local: uid=400(Administrator) gid=401(mkpasswd)

                      muc-vip-pocw070% blcred cred -list

                      Username:         BLAdmin

                      Authentication:   SRP

                      Issuing Service:  service:authsvc.bladelogic:blauth://muc-vip-po

                      Expiration Time:  Tue Jul 19 22:44:26 CEST 2011

                      Maximum Lifetime: Tue Jul 19 22:44:26 CEST 2011

                      Client address:   192.168.18.25

                      Authorized Roles:

                          BLAdmins

                       

                       

                      Destination URLs:

                          service:appsvc.bladelogic:blsess://muc-vip-pocw070:9841

                          service:proxysvc.bladelogic:blsess://muc-vip-pocw070:9882

                       

                       

                      JR: added NSH blcred output

                      • 8. Re: nexec with different user than BladeLogicRSCD
                        Gerardo Bartoccini

                        How is your user/role mapped on the target server?

                         

                        Try

                         

                        agentinfo <target server>

                        • 9. Re: nexec with different user than BladeLogicRSCD
                          Bill Robinson

                          on localhost, what's in the rsc files?

                           

                          also, on the appserver, you don't need to specify the profile or profiles_file settings in the secure file.  the job will handle that.

                          • 10. Re: nexec with different user than BladeLogicRSCD
                            Johannes Richter

                            agentinfo localhost:

                            muc-vip-pocw070% agentinfo localhost

                            SSO Error: Received SSO session reject message "CREDENTIAL_EXPIRED"

                            Can't access host "localhost": Error in TLS protocol

                             

                            secure file on localhost:

                            rscd:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls:

                            default:port=4750:protocol=5:tls_mode=encryption_only:auth_profiles_file=/c/BMC/BladeLogic/8.1/NSH/br/authenticationProfiles.xml:auth_profile=local:appserver_protocol=ssoproxy:encryption=tls:

                             

                            export file:

                            #

                            #  Copyright (c) 2001-2010 BladeLogic, Inc.

                            #       -- All Rights Reserved --

                            #

                            #  This file is read by the "rscd" to determine permissions for the given host.

                            #

                            # Please read the BMCBladeLogicAdministration.pdf or "exports" man page for details

                            # on how to use this file.

                            #

                            *   rw, user=Administrator

                             

                            users file:

                            #

                            #  Copyright (c) 2001-2010 BladeLogic, Inc.

                            #       -- All Rights Reserved --

                            #

                            # This file contains a list of user permission overrides. The permissions

                            # defined in this file will override any associated permissions defined in the

                            # "exports" file.

                            #

                            # Please read the BMCBladeLogicAdministration.pdf or "users" man page for details

                            # on how to use this file.

                            #

                             

                             

                            users.local file:

                            #

                            #  Copyright (c) 2001-2010 BladeLogic, Inc.

                            #       -- All Rights Reserved --

                            #

                            # This file contains a list of user permission overrides. The permissions

                            # defined in this file will override any associated permissions defined in the

                            # "exports" or "users" file.

                            #

                            # Please read the BMCBladeLogicAdministration.pdf for details on how to use this

                            # file.

                            #

                             

                             

                            Thanks for your help!!!

                             

                            Johannes

                            • 11. Re: nexec with different user than BladeLogicRSCD
                              Johannes Richter

                              Can somebody help? Would be great!!!

                               

                              Thanks!

                              Johannes

                              • 12. Re: nexec with different user than BladeLogicRSCD
                                Gerardo Bartoccini

                                You need agentinfo to make sure that you are mapped properly.

                                 

                                Apparently your credentials are expired, that's why the agentinfo fails.

                                 

                                Have you restarted the appserver after configuring the NSH proxy?

                                 

                                Have you edited the secure file on your console? This file has to be edited in order to point to the NSH proxy.

                                 

                                Is your console the same host as the target server and the application server?

                                Personally, I had issues when using console and NSH proxy on the same host, although apparently it is supported on BL 8.x

                                 

                                Once you get agentinfo to work properly, you will be able to run your script.
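
The secure-file points raised in replies 9 and 12, as an added example that is not part of the thread and not BMC tooling: it parses the entries posted in reply 10 and reports whether `default` sets `appserver_protocol=ssoproxy`, whether it carries the `auth_profile` / `auth_profiles_file` settings on an appserver, and whether each entry sets `encryption=tls` as the posted ones do. The one-entry-per-line, `:`-separated layout is an assumption read off the posted lines; `parse_secure`, `audit` and `on_appserver` are hypothetical names.

```python
# Added example: checks BladeLogic "secure" file entries against points from the thread.
# Assumption: one entry per line, "<name>:key=value:...:" with ':' as the separator.

# Entries exactly as posted in reply 10 (secure file on the appserver host).
SAMPLE_SECURE = """\
rscd:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls:
default:port=4750:protocol=5:tls_mode=encryption_only:auth_profiles_file=/c/BMC/BladeLogic/8.1/NSH/br/authenticationProfiles.xml:auth_profile=local:appserver_protocol=ssoproxy:encryption=tls:
"""

PROFILE_KEYS = ("auth_profile", "auth_profiles_file")


def parse_secure(text):
    """Return {entry_name: {key: value}}, skipping blank and '#' lines."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *fields = line.split(":")
        opts = {}
        for field in fields:
            if field:  # the trailing ':' leaves one empty field
                key, _, value = field.partition("=")
                opts[key] = value
        entries[name] = opts
    return entries


def audit(entries, on_appserver):
    """Return findings for the 'default' entry plus a per-entry encryption check."""
    findings = []
    default = entries.get("default", {})
    if default.get("appserver_protocol") != "ssoproxy":
        findings.append("default: appserver_protocol=ssoproxy is not set")
    extra = [k for k in PROFILE_KEYS if k in default]
    if on_appserver and extra:
        findings.append("default: " + ", ".join(extra) + " set on the appserver")
    for name, opts in entries.items():
        if opts.get("encryption") != "tls":
            findings.append(name + ": encryption=tls is not set")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_secure(SAMPLE_SECURE), on_appserver=True):
        print(finding)
```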