32 Replies. Latest reply on Sep 4, 2014 9:35 AM by Karim Brown

    NSH Command from Appserver via SOCKS Proxy

    Karim Brown

      Hi,

      I added a ServerBeheidProxy via SOCKS Proxy. I opened nsh on the appserver and gave a simple command like:

       

      agentinfo ServerBeheidProxy

       

      the output is:

       

      Appserver# agentinfo ServerBeheidProxy

      Can't access host "ServerBeheidProxy": Connection timed out OR Operation not permitted

      Appserver#

       

      Do you know why? I use a user with the BLAdmins role, and the users file on the target is OK.

        • 1. Re: NSH Command from Appserver via SOCKS Proxy
          Bill Robinson

          Is your nsh client configured to use an NSH Proxy? If not, that is likely why this is failing.

          1 of 1 people found this helpful
          • 2. Re: NSH Command from Appserver via SOCKS Proxy

            Here's the procedure, make sure you did not miss anything. In your case the "client" is your appserver:

             

            1. Setup the appserver to accept NSH Proxy Requests
            blasadmin set AuthServer ProxyServiceURLs service:proxysvc.bladelogic:blsess://[appserver_fqdn]:9842
            blasadmin set appserver ProxySvcPort 9842
            Restart the appserver.

             

             

            2. Setup the secure file on the client system (windows\rsc\secure or /usr/rsc/secure).

            This is all one line:
            default:protocol=5:auth_profile=defaultProfile:auth_profiles_file=/c/Program Files/<path_to>/authenticationProfiles.xml:appserver_protocol=ssoproxy:tls_mode=encryption_only:encryption=tls

             

             

            3. Create authentication profile on the client system and acquire credentials
            # blcred authprofile -add
            new profile name: defaultProfile
            authentication server [host:port]: [appserver]:9840
            authentication type [srp|adk|domainauth|ldap|securid]: SRP

             

            # blcred cred -acquire
            profile name: defaultProfile
            username: BLAdmin
            password:
            Authentication succeeded: acquired session credential

             

             

            4. Test

            # nsh
            Pick Role:
            1. RBACAdmins
            2. BLAdmins
            2
            client%

            1 of 1 people found this helpful
            • 3. Re: NSH Command from Appserver via SOCKS Proxy
              Karim Brown

              Thank you!

              Our NSH Proxy is not configured. I will do the steps above and give you an update.

              • 4. Re: NSH Command from Appserver via SOCKS Proxy
                Karim Brown

                Hi lazar,

                • Step 1 is done
                • Step 2: I edited the secure file on the Appserver in "C/Windows/rsc/" with this content

                default:port=13719:protocol=5:tls_mode=encryption_only:encryption=tls
                rscd:port=13719:protocol=5:tls_mode=encryption_only:encryption=tls

                default:protocol=5:auth_profile=defaultProfile:auth_profiles_file=/c/Program Files/BMC Software/BladeLogic/8.1/NSH/br/authenticationProfiles.xml:appserver_protocol=ssoproxy:tls_mode=encryption_only:encryption=tls

                • STEP 3: can't do it I don't know why!!!

                Appserver# blcred authprofile -add

                new profile name: newprofile

                authentication server [host:port]: 9840

                authentication server [host:port]: 9840

                authentication server [host:port]: 9840

                authentication server [host:port]: 9840

                Invalid input

                Appserver#

                Is anything wrong?

                I retried the same with this content:

                rscd:port=13719:protocol=5:tls_mode=encryption_only:encryption=tls:

                default:port=13719:protocol=5:tls_mode=encryption_only:appserver_protocol=ssoproxy:encryption=tls:

                But the Problem is still there.

                Appserver# blcred authprofile -add

                new profile name: newprofile

                authentication server [host:port]: 9840

                authentication server [host:port]: 9840

                authentication server [host:port]: 9840

                authentication server [host:port]: 9840

                Invalid input

                Appserver#

                Thank you!

                • 5. Re: NSH Command from Appserver via SOCKS Proxy

                  You are just entering the port name, you need to enter: appserver_hostname:9840

                   

                  sample of the output is in the square brackets [host:port]

                  • 6. Re: NSH Command from Appserver via SOCKS Proxy
                    Karim Brown

                    yes, you're right.

                    I will test it tomorrow and give the new status

                    • 7. Re: NSH Command from Appserver via SOCKS Proxy
                      Karim Brown

                      Hi,

                      I did the Steps from 1 to 3.

                      But the Test gives this output:

                       

                      Appserver# blcred cred -acquire

                      profile name: BLAdmin

                      username: BLAdmin

                      password:

                      Authentication succeeded: acquired session credential

                      Appserver# agentinfo Target_IP

                      Can't access host "Target_IP": Connection timed out OR Operation not permitted

                      Appserver# cd //Target_IP

                      cd: connection timed out OR Operation not permitted: //Target_IP

                      Appserver#

                      • 8. Re: NSH Command from Appserver via SOCKS Proxy

                        After you acquire the credential, type nsh - what do you get?

                        Is the target pingable?

                        Is your target running on this port 13719? (Show the secure file from the target.)

                        Can you telnet to port 13719?

                        Do you see anything in the agent log on the target during this operation?

                        • 9. Re: NSH Command from Appserver via SOCKS Proxy
                          Karim Brown

                          - after typing nsh - => I get the Output:

                           

                          H:\>nsh -

                          Appserver#

                          - the Target is pingable from the SOCKSProxyServer (Dante). I can Add the server to BL via the Proxy

                          - The Content of the Target is:

                          rscd:port=13719:protocol=5:tls_mode=encryption_only:encryption=tls:

                          default:port=13719:protocol=5:tls_mode=encryption_only:encryption=tls:

                          - Telnet is OK from the Proxy

                          ProxyServer:/usr/lib # telnet Target_IP 13719

                          Trying Target_IP...

                          Connected to Target_IP.

                          Escape character is '^]'.

                           

                          - Yes I see in the Target log this content

                           

                          e490a854e46a3afd6626 0000000116 09/14/12 17:04:38.491 INFO1    rscd -  ProxyServerIP 24374 0/0 (Linux:User):

                           

                          CM: > [Client] Pushing of AgentACL to TargetIP succeeded

                           

                          a5cc88a2dbd78770dd3e 0000000117 09/19/12 17:10:02.481 WARN     rscd -  ProxyServerIP 8590 -1/-1 (Not_available):

                           

                          (Not_available): TLS setup failed for agent: Protocol mismatch. Check that client and server "secure" files match. Exiting and terminating connection.

                          [root@Targetname log]#

                          • 10. Re: NSH Command from Appserver via SOCKS Proxy

                            OK, after you typed "nsh", type "blid" - what is the output?

                            Can you paste the contents of the secure file from the appserver again (assuming that you run these tests from the appserver, correct?)

                            • 11. Re: NSH Command from Appserver via SOCKS Proxy
                              Karim Brown

                              - the output of blid on the Appserver is:

                               

                              Appserver# blid

                              local: uid=0(MyBLUser) gid=0(mkgroup)

                              Appserver#

                              - yes, I'm running the tests from the appserver.

                              - secure file from the appserver

                               

                              default:port=13719:protocol=5:tls_mode=encryption_only:encryption=tls

                              rscd:port=13719:protocol=5:tls_mode=encryption_only:encryption=tls

                               

                              default:protocol=5:auth_profile=defaultProfile:auth_profiles_file=/c/Program Files/BMC/Software/BladeLogic/8.1/NSH/br/authenticationProfiles.xml:appserver_protocol=ssoproxy:tls_mode=encryption_only:encryption=tls

                              • 12. Re: NSH Command from Appserver via SOCKS Proxy

                                you should have only one 'default' line.

                                 

                                Comment the first 'default' line and test with only this 'default' line:

                                 

                                default:protocol=5:auth_profile=defaultProfile:auth_profiles_file=/c/Program Files/<path_to>/authenticationProfiles.xml:appserver_protocol=ssoproxy:tls_mode=encryption_only:encryption=tls

                                 

                                if it does not work, then modify that default line to add the port, and test again:

                                 

                                default:port=13719:protocol=5:auth_profile=defaultProfile:auth_profiles_file=/c/Program Files/<path_to>/authenticationProfiles.xml:appserver_protocol=ssoproxy:tls_mode=encryption_only:encryption=tls

                                 

                                leave rscd line as is.
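
Added example, not part of any reply in this thread and not BMC code: a Python check for the two things reply 12 and the agent log in reply 9 point at, namely duplicate `default` entries in the client secure file and settings that differ between the client `default` entry and the target `rscd` entry. It assumes entries are `name:key=value:...` lines, that `#` starts a comment, and that comparing `default` against `rscd` on these four keys is the relevant check; the function names are hypothetical.

```python
# Added example (not BMC code). Assumes secure-file entries are
# "name:key=value:key=value" lines and that "#" starts a comment.
COMPARE_KEYS = ("port", "protocol", "tls_mode", "encryption")

# Constructed from the entries quoted in this thread (path left elided).
APPSERVER_SECURE = """\
default:port=13719:protocol=5:tls_mode=encryption_only:encryption=tls
rscd:port=13719:protocol=5:tls_mode=encryption_only:encryption=tls
default:protocol=5:auth_profile=defaultProfile:auth_profiles_file=/c/Program Files/<path_to>/authenticationProfiles.xml:appserver_protocol=ssoproxy:tls_mode=encryption_only:encryption=tls
"""
TARGET_SECURE = """\
rscd:port=13719:protocol=5:tls_mode=encryption_only:encryption=tls:
default:port=13719:protocol=5:tls_mode=encryption_only:encryption=tls:
"""

def parse_secure(text):
    """Return [(entry_name, {key: value})] for each non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *fields = line.split(":")  # paths use /c/..., so no stray colons
        opts = dict(f.split("=", 1) for f in fields if "=" in f)
        entries.append((name, opts))
    return entries

def duplicate_names(entries):
    """Entry names that occur more than once, in first-seen order."""
    names = [name for name, _ in entries]
    return [n for n in dict.fromkeys(names) if names.count(n) > 1]

def mismatches(client_entries, target_entries):
    """Compare each client 'default' entry with the target's 'rscd' entry."""
    rscd = next(opts for name, opts in target_entries if name == "rscd")
    defaults = [opts for name, opts in client_entries if name == "default"]
    found = []
    for idx, opts in enumerate(defaults, start=1):
        for key in COMPARE_KEYS:
            if opts.get(key) != rscd.get(key):
                found.append((idx, key, opts.get(key), rscd.get(key)))
    return found

if __name__ == "__main__":
    client = parse_secure(APPSERVER_SECURE)
    target = parse_secure(TARGET_SECURE)
    print("duplicate entries:", duplicate_names(client))
    for idx, key, ours, theirs in mismatches(client, target):
        print(f"default #{idx}: {key}={ours!r} but target rscd has {theirs!r}")
```

On the sample above it reports the doubled `default` entry and that the second `default` line sets no port while the target's `rscd` entry uses 13719.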

                                • 13. Re: NSH Command from Appserver via SOCKS Proxy
                                  Karim Brown

                                  both contents don't work.

                                  with the same error

                                   

                                  Appserver# agentinfo TargetIP

                                  Can't access host "TargetIP": Connection timed out OR Operation not permitted

                                  Appserver2#

                                  • 14. Re: NSH Command from Appserver via SOCKS Proxy
                                    Bill Robinson

                                    What does your job routing rule look like?
