1 Reply Latest reply on May 2, 2013 3:33 AM by Scott Dunbar

    About RSCD end points and RLM


      I wanted to create a post that just shares some detail on using RSCD agent endpoints with RLM.  RLM comprises BRPM and VLQ, both of which have automation functionality.  While RPM cannot communicate directly with end points that lack an API (or a command line local to the RPM host), VLQ can via the legacy VLQ bridge (pre 4.3) and the BSA RSCD agent (4.3+).


      Integration with existing BSA environments

      In this scenario, it is expected that BSA has an existing RBAC design and those ACLs are being distributed to managed servers (RSCD end points).  As is the norm, exports and users.local will be configured as per design, with the target being locked down via the ACL push to the users file.  To deploy VLQ into this environment, it is considered best practice to make use of a BSA NSH Proxy and route all VLQ connections via the BSA environment.  NSH, RSCD and the BSA console should be installed onto the VLQ host.  The secure file should be updated as follows:

      rscd:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls:

      default:port=4750:protocol=5:tls_mode=encryption_only:appserver_protocol=ssoproxy:encryption=tls:auth_profile=<auth profile name>


      The authenticationProfiles.xml file from the BSA appservers (or wherever you have a functional console installation) should be copied to /NSH/br, with content similar to the following:

      <?xml version="1.0" encoding="UTF-8"?>
      <ServiceProfiles>
        <ServiceProfile>
          <Name>profileName</Name>
          <ServiceURL>service:authsvc.bladelogic:blauth://serverName.com:9840</ServiceURL>
          <AuthenticationType>SRP</AuthenticationType>
        </ServiceProfile>
      </ServiceProfiles>
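      The secure file entries above and the authenticationProfiles.xml they reference have to agree: the auth_profile named in the default entry must exist in the XML, and the entry must actually force TLS and route via the NSH proxy. The following script is an added example (not BMC's code or part of the original post) that parses both files and reports any mismatch. The sample inputs are constructed from the snippets above, with profileName substituted for the <auth profile name> placeholder; the check on the authentication port assumes the 9840/9841 listener described in the firewall section.

```python
"""Cross-check an RSCD 'secure' file against authenticationProfiles.xml.

Added example, not BMC's code.  Parses the colon-delimited 'secure' entries
and the ServiceProfiles XML, then verifies that the 'default' entry used by
VLQ enforces TLS, routes through the NSH proxy and names an auth_profile
that really exists.  All sample input below is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed: the two 'secure' lines from the post, placeholder profile filled in
SECURE_TEXT = """\
rscd:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls:
default:port=4750:protocol=5:tls_mode=encryption_only:appserver_protocol=ssoproxy:encryption=tls:auth_profile=profileName
"""

# Constructed: the authenticationProfiles.xml from the post
PROFILES_XML = """<?xml version="1.0" encoding="UTF-8"?>
<ServiceProfiles>
  <ServiceProfile>
    <Name>profileName</Name>
    <ServiceURL>service:authsvc.bladelogic:blauth://serverName.com:9840</ServiceURL>
    <AuthenticationType>SRP</AuthenticationType>
  </ServiceProfile>
</ServiceProfiles>
"""

AUTH_PORTS = (9840, 9841)  # assumption: authentication ports from the firewall section


def parse_secure(text):
    """Return {entry_name: {key: value}} for each 'name:k=v:k=v:' line."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        opts = {}
        for field in rest.split(":"):
            if not field:          # a trailing colon leaves an empty field
                continue
            key, _, value = field.partition("=")
            opts[key] = value
        entries[name] = opts
    return entries


def parse_profiles(xml_text):
    """Return {profile name: (host, port, auth type)} from ServiceProfiles XML."""
    root = ET.fromstring(xml_text)
    profiles = {}
    for prof in root.findall("ServiceProfile"):
        url = prof.findtext("ServiceURL") or ""
        # ServiceURL has the shape service:authsvc.bladelogic:blauth://host:port
        hostport = url.rsplit("://", 1)[-1]
        host, _, port = hostport.partition(":")
        profiles[prof.findtext("Name")] = (
            host, int(port) if port.isdigit() else None, prof.findtext("AuthenticationType"))
    return profiles


def check_vlq_secure(entries, profiles):
    """Return a list of findings; an empty list means the default entry is consistent."""
    findings = []
    default = entries.get("default")
    if default is None:
        return ["no 'default' entry in secure file"]
    if default.get("encryption") != "tls":
        findings.append("default entry does not set encryption=tls")
    if default.get("appserver_protocol") != "ssoproxy":
        findings.append("default entry does not route via the NSH proxy (appserver_protocol=ssoproxy)")
    prof = default.get("auth_profile")
    if not prof:
        findings.append("default entry has no auth_profile")
    elif prof not in profiles:
        findings.append(f"auth_profile '{prof}' not found in authenticationProfiles.xml")
    else:
        host, port, _ = profiles[prof]
        if port not in AUTH_PORTS:
            findings.append(f"profile '{prof}' points at {host}:{port}, expected an auth port {AUTH_PORTS}")
    return findings


if __name__ == "__main__":
    for f in check_vlq_secure(parse_secure(SECURE_TEXT), parse_profiles(PROFILES_XML)) or ["OK"]:
        print(f)
```

      Point the parsers at the real files on the VLQ host rather than the embedded strings to use it as a pre-flight check before the first VLQ connection.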


      All endpoint rsc files remain the same and continue to be managed via the ACL push.  A BSA user and role should be designated as the "VLQ Service Account" and must have permissions on all end points that you wish to manage.  Multiple user accounts can be used but this is not recommended.  Within VLQ, the BSA user credentials should be stored as properties on all environments and all packages where content is retrieved from a remote host.

      • BLCRED_PROFILE: Profile that points to the BMC Server Automation (BSA) application server
      • BLUSER: User name to use for authentication
      • BLPASSWORD: Password to use for authentication
      • (Optional) BLROLE: Nondefault role for the user


      NOTE:  Failure to use the NSH proxy will likely prove challenging.  By default, an ACL push includes the 'nouser' line, which means any content in exports or users.local becomes obsolete.  Trying to connect directly from VLQ to end points that are also managed by BSA will not work until your incoming user:role is part of the users.local file.


      Standalone RLM installations (no BSA)

      This configuration is simpler than where BSA is in use.  You can update the exports file to map the source address of the VLQ server to the user that you wish to map to on the target, for example:

      10.0.0.1 rw,user=root

      This secures the end point to only accept connections from the BSA appserver.
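      Because the exports file is the only thing restricting which source address may reach the agent in the standalone case, it is worth linting it. The following is an added example (not BMC's code or part of the original post) that builds the exports line shown above from a VLQ address and mapped user, and parses an existing exports file to flag any entry that widens access beyond that single address (a wildcard host, or a host other than the VLQ server). The VLQ address and the sample exports content are constructed.

```python
"""Build and lint RSCD 'exports' entries for a standalone RLM install.

Added example, not BMC's code.  The exports format used here is the one
shown in the post: '<source host> <perm>,user=<local user>'.  The '*'
wildcard row in the sample is constructed to show what gets flagged.
"""
import ipaddress

VLQ_HOST = "10.0.0.1"  # constructed: source address of the VLQ server

# Constructed sample exports file: the post's line plus two entries a reviewer would flag
EXPORTS_TEXT = """\
# RSCD exports - standalone RLM
10.0.0.1   rw,user=root
*          rw,user=root
10.0.0.7   ro,user=bladmin
"""


def format_export(source_host, local_user, perm="rw"):
    """Return the exports line mapping one source address to a local user."""
    ipaddress.ip_address(source_host)  # raises ValueError on a malformed address
    if perm not in ("rw", "ro"):
        raise ValueError(f"unknown permission {perm!r}")
    return f"{source_host} {perm},user={local_user}"


def parse_exports(text):
    """Return a list of {'host', 'perm', 'user'} dicts, one per non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        host = parts[0]
        options = parts[1].split(",") if len(parts) > 1 else []
        entry = {"host": host, "perm": None, "user": None}
        for opt in options:
            key, _, value = opt.partition("=")
            if key == "user":
                entry["user"] = value
            elif key in ("rw", "ro"):
                entry["perm"] = key
        entries.append(entry)
    return entries


def lint_exports(entries, vlq_host):
    """Flag entries that allow connections from anywhere other than the VLQ host."""
    findings = []
    for e in entries:
        if e["host"] == "*":
            findings.append(f"wildcard host '*' maps any source to user={e['user']}")
        elif e["host"] != vlq_host:
            findings.append(f"host {e['host']} is not the VLQ server {vlq_host}")
    return findings


if __name__ == "__main__":
    print(format_export(VLQ_HOST, "root"))
    for f in lint_exports(parse_exports(EXPORTS_TEXT), VLQ_HOST) or ["OK"]:
        print(f)
```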


      Firewall requirements

      VLQ will use the standard port for RSCD communication, that being 4750.  When the NSH proxy is required, 9840/9841 are used for authentication and 9842 is used for the NSH proxy traffic between VLQ and the BSA NSH Proxy server(s).