5 Replies Latest reply on May 3, 2012 6:02 AM by Bill Robinson

    NSH Scripts are failing in BBSA

    Shankar Masekar

      Hi All

       

      We are facing issue while executing Type 2 NSH script within BBSA(Vr 8.1) against remote host behind SOCKS proxy with NSH proxy configured.

       

      We are able to execute NEXEC commannd against the same remote host via NSH client but when we run simple create user nsh cript within BBSA ,it fails with below error..

       

      ________________________________________________________________________________________________

      Info        Apr 30, 2012 7:53:39 AM                Exit Code 1

      Error      Apr 30, 2012 7:53:39 AM                SSO Error: Cannot find proxy service URL because no service URLs in the cached credential matched the current authentication profile

      Error      Apr 30, 2012 7:53:39 AM                Error in Initializing RBAC User and Role (SSO Proxy)

      Error      Apr 30, 2012 7:53:39 AM                Network Shell can be used for local access

      Error      Apr 30, 2012 7:53:39 AM                SSO Error: Cannot find proxy service URL because no service URLs in the cached credential matched the current authentication profile

      Error      Apr 30, 2012 7:53:39 AM                Error in Initializing RBAC User and Role (SSO Proxy)

      Error      Apr 30, 2012 7:53:39 AM                Network Shell can be used for local access

      Error      Apr 30, 2012 7:53:39 AM                SSO Error: Cannot find proxy service URL because no service URLs in the cached credential matched the current authentication profile

      Error      Apr 30, 2012 7:53:39 AM                cd: no such file or directory: //avodca82x/getting fail when BBSA calls NSH cripts to be run againt the remote host.

      ________________________________________________________________________________________________

       

      Here is the error that we get in ‘nsh_proxy_deployment_host.log’

      ________________________________________________________________________________________________

      [30 Apr 2012 08:47:39,304] [Nsh-Proxy-Thread-1] [WARN] [Anonymous:Anonymous:195.233.58.180] [BLSSOPROXY] received an expired credential from BLAdmin

      [30 Apr 2012 08:47:39,309] [Nsh-Proxy-Thread-1] [WARN] [Anonymous:Anonymous:195.233.58.180] [BLSSOPROXY] Client's session credential was rejected

      com.bladelogic.om.infra.mfw.util.BlException: Client's session credential was rejected

              at com.bladelogic.om.infra.mfw.net.BlSessionServerConnection.authenticate(BlSessionServerConnection.java:193)

              at com.bladelogic.om.infra.mfw.net.BlSessionServerConnection.doHandshake(BlSessionServerConnection.java:99)

              at com.bladelogic.om.infra.mfw.net.BlSessionNshServerConnection.doHandshake(BlSessionNshServerConnection.java:48)

              at com.bladelogic.om.infra.mfw.fw.BlSessionNshProxyPair.setupClient(BlSessionNshProxyPair.java:104)

              at com.bladelogic.om.infra.mfw.fw.BlSessionNshProxyPair.init(BlSessionNshProxyPair.java:75)

              at com.bladelogic.om.infra.mfw.fw.NshProxyWorkerThread.execute(NshProxyWorkerThread.java:106)

              at com.bladelogic.om.infra.mfw.fw.NshProxyWorkerThread.execute(NshProxyWorkerThread.java:17)

              at com.bladelogic.om.infra.app.service.thread.BlBlockingThread.run(BlBlockingThread.java:95)

      [30 Apr 2012 08:47:39,310] [Nsh-Proxy-Thread-1] [INFO] [Anonymous:Anonymous:195.233.58.180] [BLSSOPROXY] failure establishing session with proxy service

      [30 Apr 2012 08:47:39,310] [Nsh-Proxy-Thread-1] [INFO] [Anonymous:Anonymous:195.233.58.180] [BLSSOPROXY] NSH Proxy Connection closed

      ________________________________________________________________________________________________

       

      I also have copied authenticationprofiles.xml to all the console machines and made an entry in console machine secure file but still the NSH job is failing…

      We are wondering why  NSH script job fails when we are able to succesfuly acquire credential & run nexec commands against the same host.

       

      Here is the details of cached credential & Nexec command output..

      ________________________________________________________________________________________________

      vodcahzr:root:$PWD # blcred cred -acquire -profile defaultProfile

      username: BLAdmin

      password:

      Authentication succeeded: acquired session credential

      vodcahzr:root:$PWD # blcred cred -list

      Username:         BLAdmin

      Authentication:   SRP

      Issuing Service:  service:authsvc.bladelogic:blauth://vodcahzr:10840

      Expiration Time:  Mon Apr 30 18:49:08 CEST 2012

      Maximum Lifetime: Mon Apr 30 18:49:08 CEST 2012

      Client address:   195.233.58.180

      Authorized Roles:

          BLAdmins

       

      Destination URLs:

          service:appsvc.bladelogic:blsess://vodcahzr.dc-ratingen.de:10841

          service:proxysvc.bladelogic:blsess://vodcahzr.dc-ratingen.de:11842

      vodcahzr:root:$PWD # nexec avodca82x ls

      BladeLogic: set BL_SRP_INFO to 0x18558014 to reuse user credential and role selection.

      app  bin  boot  dev  etc  home  lib  lib64  lost+found  media  misc  mnt  NOVAHOME  nsr  nul  opt  path_perl  proc  root  sbin  selinux  srv  sys  tftpboot  tmp  usr  var

      ________________________________________________________________________________________________

       

       

      Can someone help me understand why the NSH script job fails , are we missing somethinng ?

       

        • 1. NSH Scripts are failing in BBSA

          This is because you have setup the secure file on the appserver to use the SSO proxy

          Do you want the appserver process also to connect through the NSH Proxy ?

          If yes, what are the exact contents of the secure file on  the appserver ?

          • 2. Re: NSH Scripts are failing in BBSA
            Shankar Masekar

            Hi Rohit,

             

            Here are the exact contents of the secure file on the appserver

            -----------------------------------------------------------------------------------------------------------

            #default:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls:

            default:port=4750:protocol=5:auth_profiles_file=/opt/SP/app/bmc/bladelogic/8.1/operationsManager/NSH/br/authenticationProfiles.xml:auth_profile=defaultProfile:appserver_protocol=ssoproxy:tls_mode=encryption_only:encryption=tls:

            ------------------------------------------------------------------------------------------------------------

             

            Basically, Our customer wants to execute type 2 NSH scripts within BBSA provisioning calls on many target hosts & in case the target is remote host ,they want it to go through SOCKS proxy & execute on the remote target host.

            Hence we have configured NSH proxy in the app server instance & also setup SOCKS proxy so all remote NSH communication can go through NSH proxy > SOCKS proxy > target host.

             

            A per our test, we are able to execute NSH nexec commands on the target hosts via NSH client on app server which is configured to use NSH proxy (see secure file contents above), but when we run simple NSH script jobs within BSA it fails with below error..

             

            ----------------------------------------------------------------------------------------------------------

            Info        Apr 30, 2012 7:53:39 AM                Exit Code 1

            Error      Apr 30, 2012 7:53:39 AM                SSO Error: Cannot find proxy service URL because no service URLs in the cached credential matched the current authentication profile

            Error      Apr 30, 2012 7:53:39 AM                Error in Initializing RBAC User and Role (SSO Proxy)

            Error      Apr 30, 2012 7:53:39 AM                Network Shell can be used for local access

            Error      Apr 30, 2012 7:53:39 AM                SSO Error: Cannot find proxy service URL because no service URLs in the cached credential matched the current authentication profile

            Error      Apr 30, 2012 7:53:39 AM                Error in Initializing RBAC User and Role (SSO Proxy)

            Error      Apr 30, 2012 7:53:39 AM                Network Shell can be used for local access

            Error      Apr 30, 2012 7:53:39 AM                SSO Error: Cannot find proxy service URL because no service URLs in the cached credential matched the current authentication profile

            Error      Apr 30, 2012 7:53:39 AM                cd: no such file or directory: //avodca82x/getting fail when BBSA calls NSH cripts to be run againt the remote host.

             

            -----------------------------------------------------------------------------------------------------------

            • 3. Re: NSH Scripts are failing in BBSA
              Bill Robinson

              The secure file on the appserver should have only this for the ‘default’ line:

               

              default:protocol=5:appserver_protocol=ssoproxy:tls_mode=encryption_only:encryption=tls:

               

              from another system w/ the client installed can you run:

              blcred cred –acquire –profile YOURPROFILE

              then

              blcred cred –list

              and paste the result ?

              • 4. Re: NSH Scripts are failing in BBSA
                Shankar Masekar

                Hi Bill,

                 

                Thanks for your reply.

                 

                I had tried removing 'port=4750' from the secure file ,but that dint help .

                 

                 

                Anyway we could resolve this issue. The problem was, we haven’t updated proxysvc URL in the job_deployment app server instance,which was causing to run the NSH script jobs.

                After adding  the URL & restarting job deployment app server instance ,we could ran NSH script jobs against remote host via NSH proxy.

                 

                Regards ,

                Shankar

                • 5. Re: NSH Scripts are failing in BBSA
                  Bill Robinson

                  The syntax for the secure file I put below is the correct syntax for the secure file on an appserver to configure it to use the nsh proxy btw.