16 Replies Latest reply on Nov 8, 2016 6:30 AM by Santhosh Kurimilla

    Extended objects on Targets behind a SOCKS proxy

      Error          Oct 31, 2011 12:22:34 PM          com.bladelogic.om.infra.app.collector.AssetCollectionException: SSL_connect2

      SSL_connect

      SSL_connect2

      SSL_connect

      SSL_connect2

      SSL_connect

      nsh:1: device not ready: //APPSERVER/d/storage/extended_objects/disawin-audit.nsh

      (component=CIS - Windows Server 2008 (Target), selector=Extended Object:Audit-Policy-1.3.19)

      I am able to browse the target, browse the file system and such things.

      There is an agent installed on the SOCKS proxy machine and an NSH proxy is also installed. How do you tell the target not to look at the appserver but at the repeater?

      version 8.1

        • 1. Re: Extended objects on Targets behind a SOCKS proxy
          Bill Robinson

          Is the file server available during the job run?  The error looks like it can’t talk to the file server.

          Does the role running the job have a valid mapping on the file server?

          The actual script that the EO is running is stored on the file server.  Repeaters are not used during compliance.  Repeaters are only used for deploy.
          • 2. Extended objects on Targets behind a SOCKS proxy

            Hi Bill, thanks for the reply,

            But if we are connecting to the server via a SOCKS proxy, this traffic should also be handled by the proxy, shouldn't it? The main reason we are having a SOCKS proxy is that there is limited connectivity to the targets. I am running it as BLADMIN and the file server is the same as the app server.

            Considering no repeaters are involved, the EO script must be fetched via the SOCKS proxy? Do I need to put any special setting on the proxy?

            • 3. Re: Extended objects on Targets behind a SOCKS proxy
              Bill Robinson

              The EO script resides on the file server.  We have to copy it or access it from the file server before we can do anything against the target server.

              What version of BladeLogic is this?

              Also – how are the SOCKS rules set up?  Accessing the file server should not go through the SOCKS proxy.

              • 4. Re: Extended objects on Targets behind a SOCKS proxy

                It's BL 8.1.02

                ENV A >1080 > Proxy >4750 > target

                If we need to run EO scripts, do we need to have another file server at the target environment?

                If we need to copy it, where do we copy it to and how do we tell the agent to go look at the new location?

                • 5. Re: Extended objects on Targets behind a SOCKS proxy
                  Bill Robinson

                  What is the path from the appserver to the file server agent?

                  What does your network routing rule say?

                  Does d/storage/extended_objects/disawin-audit.nsh actually exist?

                  What version of BladeLogic is this?

                  You do not need another file server – this actually is not possible.

                  • 6. Re: Extended objects on Targets behind a SOCKS proxy

                    what is the path from the appserver to the file server agent?

                              The file server is the same as the appserver.

                    what does your network routing rule say?

                              If t custom property = XXXXX then proxy =

                    Does d/storage/extended_objects/disawin-audit.nsh actually exist?

                              Yes it does, but it's on the appserver, which has no direct access to the target; only 1080 > proxy > 4750 > target.

                    What version of bladelogic is this ?

                              8.1.2

                    • 7. Re: Extended objects on Targets behind a SOCKS proxy
                      Bill Robinson

                      Is the file server agent registered in the GUI? If so, does it have this property set?

                      Also, can the proxy talk back to the file server on 4750?

                      • 8. Re: Extended objects on Targets behind a SOCKS proxy

                        is the file server agent registered in the gui?

                        Yes

                        if so, does it have this property set?

                        No

                        application server >1080 > proxy

                        Do you know how to configure the Dante proxy?

                        Here is the proxy conf file:

                        >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

                        #logoutput: syslog stdout /var/log/sockd.log
                        debug: 1
                        logoutput: /var/log/sockd.log

                        # The server will bind to the address 10.1.1.1, port 1080 and will only
                        # accept connections going to that address.
                        internal: eth0 port = 1080

                        # all outgoing connections from the server will use the IP address
                        external: eth0

                        # list over acceptable methods, order of preference.
                        # A method not set here will never be selected.
                        #
                        # If the method field is not set in a rule, the global
                        # method is filled in for that rule.

                        # methods for socks-rules.
                        method: none

                        # methods for client-rules.
                        clientmethod: none

                        # when doing something that can require privilege, it will use the
                        # userid "sockd".
                        user.privileged: sockd

                        # when running as usual, it will use the unprivileged userid of "sockd".
                        #user.unprivileged: sockd

                        #
                        # The rules prefixed with "client" are checked first and say who is allowed
                        # and who is not allowed to speak/connect to the server.  I.e the
                        # ip range containing possibly valid clients.
                        # It is especially important that these only use IP addresses, not hostnames,
                        # for security reasons.
                        #
                        # The rules that do not have a "client" prefix are checked later, when the
                        # client has sent its request and are used to evaluate the actual
                        # request.
                        #
                        # The "to:" in the "client" context gives the address the connection
                        # is accepted on, i.e the address the socks server is listening on, or
                        # just "0.0.0.0/0" for any address the server is listening on.
                        #
                        # The "to:" in the non-"client" context gives the destination of the clients
                        # socks request.
                        #
                        # "from:" is the source address in both contexts.
                        #

                        client pass {
                                from: 192.168.11.37/32 port 1-65535 to: 0.0.0.0/0
                        }

                        client pass {
                                from: 203.166.141.32/27 port 1-65535 to: 192.168.11.37/32
                        }

                        # Drop everyone else as soon as we can and log the connect, they are not
                        # on our net and have no business connecting to us.  This is the default
                        # but if you give the rule yourself, you can specify details.
                        client block {
                                from: 0.0.0.0/0 to: 0.0.0.0/0
                                log: connect error
                        }

                        # the rules controlling what clients are allowed what requests
                        #

                        # or you might want to allow it, for instance "active" ftp uses it.
                        # Note that a "bindreply" command must also be allowed, it
                        # should usually by from "0.0.0.0/0", i.e if a client of yours
                        # has permission to bind, it will also have permission to accept
                        # the reply from anywhere.
                        #pass {
                        #        from: 10.0.0.0/8 to: 0.0.0.0/0
                        #        command: bind
                        #        log: connect error
                        #}

                        # some connections expect some sort of "reply", this might be
                        # the reply to a bind request or it may be the reply to a
                        # udppacket, since udp is packet based.
                        # The below will allow all "replies" in to your clients at the 10.0.0.0/8 net.
                        pass {
                                from: 0.0.0.0/0 to: 10.0.0.0/8
                                command: bindreply udpreply
                                log: connect error
                        }

                        # SGPDD057 is allowed to use tcp and udp to anywhere.
                        pass {
                                from: 192.168.11.37/32 to: 0.0.0.0/0
                                protocol: tcp udp
                        }

                        # 203.166.141.x is allowed to use tcp and udp to SGPDD057.
                        pass {
                                from: 203.166.141.32/27 to: 192.168.11.37/32
                                protocol: tcp udp
                        }

                        # last line, block everyone else.
                        # (the "block {" below had been run onto the comment line in the posted file,
                        # which would leave the final rule malformed; it is split out here)
                        block {
                                from: 0.0.0.0/0 to: 0.0.0.0/0
                                log: connect error
                        }
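Added example, not from the thread and not Dante's own code: a first-match evaluator for the client rules and socks rules in the sockd.conf posted above, so you can check which flows the proxy would admit (for instance whether a host in 203.166.141.32/27 can reach the file server at 192.168.11.37, as asked earlier, or whether the appserver can reach a target). The listener address 192.168.11.1, the target 10.20.30.40 and the stray host 172.16.0.5 are constructed placeholders; ports are ignored because the posted rules allow all of them.

```python
import ipaddress

# Rules copied from the posted sockd.conf, in file order (Dante takes the first match).
# Client rules: (action, from, to); "to" is the address the proxy listens on.
CLIENT_RULES = [
    ("pass", "192.168.11.37/32", "0.0.0.0/0"),
    ("pass", "203.166.141.32/27", "192.168.11.37/32"),
    ("block", "0.0.0.0/0", "0.0.0.0/0"),
]
# Socks rules: (action, from, to, allowed commands or None for any command).
# The bindreply/udpreply rule never matches an ordinary "connect" request.
SOCKS_RULES = [
    ("pass", "0.0.0.0/0", "10.0.0.0/8", {"bindreply", "udpreply"}),
    ("pass", "192.168.11.37/32", "0.0.0.0/0", None),
    ("pass", "203.166.141.32/27", "192.168.11.37/32", None),
    ("block", "0.0.0.0/0", "0.0.0.0/0", None),
]


def _in(net, addr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def first_match(rules, src, dst, command=None):
    """Action of the first rule whose from/to (and command, if restricted) match."""
    for rule in rules:
        action, frm, to = rule[:3]
        commands = rule[3] if len(rule) > 3 else None
        if _in(frm, src) and _in(to, dst) and (commands is None or command in commands):
            return action
    return "block"  # Dante blocks anything no rule matches


def evaluate(client_ip, listener_ip, dest_ip, command="connect"):
    """Two-stage check as Dante performs it: client rule first, then socks rule."""
    if first_match(CLIENT_RULES, client_ip, listener_ip) != "pass":
        return "blocked at client rule"
    if first_match(SOCKS_RULES, client_ip, dest_ip, command) != "pass":
        return "blocked at socks rule"
    return "pass"


if __name__ == "__main__":
    # Constructed sample flows: 192.168.11.37 is the app/file server from the thread,
    # 10.20.30.40 stands in for a target behind the proxy, 172.16.0.5 for a stray host.
    for flow in [("192.168.11.37", "192.168.11.1", "10.20.30.40"),
                 ("203.166.141.40", "192.168.11.37", "192.168.11.37"),
                 ("203.166.141.40", "192.168.11.37", "10.20.30.40"),
                 ("172.16.0.5", "192.168.11.1", "10.20.30.40")]:
        print(flow, "->", evaluate(*flow))
```

The third flow shows why a host in 203.166.141.32/27 can reach only SGPDD057 through this proxy: the socks rules pass it to 192.168.11.37 and nothing else.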

                        • 9. Extended objects on Targets behind a SOCKS proxy

                          Can anyone share a working Dante config file?

                          • 10. Re: Extended objects on Targets behind a SOCKS proxy
                            Pedro Jose Barbero Iglesias

                            Hi there,

                            I've been reading this post carefully and it looks like this has never been solved, at least apparently.

                            Well, I am facing the same problem when running EOs on remote targets which are behind a SOCKS proxy. In our case, we have a BladeLogic infrastructure in version 8.7 P2 and our file server is an NFS export mounted on our application servers, so the scripts referenced by the EOs point to an application server's location, a location like "//localhost/bladelogic/NSH/storage/extended_objects/script_name".

                            All the other functionalities through the SOCKS proxy work well; the only problem we face is with the EO invocations, whose references are not being resolved by the SOCKS proxy. So, is there any way to either solve or bypass this problem?

                            Regards.

                            • 11. Re: Extended objects on Targets behind a SOCKS proxy
                              Bill Robinson

                              There should be two choices:

                              - the socks proxy can communicate w/ the file server rscd (and you will need to change the file server name to 'blfs' and the socks proxy will need to be able to resolve that to one of the file server agents)

                              - the nsh client on the appserver needs to be configured to use an nsh proxy
                              • 12. Re: Extended objects on Targets behind a SOCKS proxy
                                Pedro Jose Barbero Iglesias

                                Hi there Bill,

                                The first option didn't work: the SOCKS proxy is now capable of resolving both application servers and the EO was modified to point to one of them in its path, but we got the same error as a result.

                                And the second option works perfectly, so this is enough for our purpose.

                                Thank you very much for your early answer, it's very appreciated.

                                • 13. Re: Extended objects on Targets behind a SOCKS proxy
                                  Pedro Jose Barbero Iglesias

                                  Hi again Bill,

                                  Sorry for my so fast reply. EOs are being executed well from the BladeLogic Console but not when they are executed from any of our Compliance Jobs; the errors we get are like this:

                                  As it looks, do I have to cache credentials on all of our app servers any time I want these to work? Just in case, will there be any way to cache them automatically?

                                  Or is my diagnosis incorrect and this is due to some other matter?

                                  Regards.

                                  • 14. Re: Extended objects on Targets behind a SOCKS proxy
                                    Santhosh Kurimilla

                                    This specific error message states that you have cached credentials on the client, but with a different authentication profile defined in the secure file.

                                    Try this: blcred cred -list and check against your secure file definition.
