16 Replies Latest reply on Oct 3, 2013 8:10 AM by Pedro José Barbero Iglesias

    SSO Error: Role Selection Error

    Pedro José Barbero Iglesias

      Hi there,

       

       

      After a lot of browsing around and seeing several posts related to issues similar to mine, none of them has helped me solve the issue we are experiencing.

       

      This is the matter: during a workday, one of our co-workers suddenly realized that running the NSH console (through "NSH Here") on any server in our console returns the following error:

       

      ------------------------------------------------------------------------------------

      SSO Error: Role Selection Error

       

      Error in Initializing RBAC User and Role (SSO Proxy)

      Network Shell can be used for local access

      SSO Error: Role Selection Error

       

      //AppServer01: Error in TLS protocol

      Press any key to continue . . .

      -------------------------------------------------------------------------------------

       

      We also found the following trace in our NSH Proxy Server:

       

      ------------------------------------------------------------------------------------

       

      [02 Oct 2013 12:14:42,467] [Scheduled-System-Tasks-Thread-5] [INFO] [System:System:] [Memory Monitor] Total JVM (B): 271056896,Free JVM (B): 97673408,Used JVM (B): 173383488,VSize (B): 1701171200,RSS (B): 413089792,Used File Descriptors: 239

      [02 Oct 2013 12:15:34,738] [Nsh-Proxy-Thread-0] [INFO] [x099707:Anonymous:180.5.63.141] [BLSSOPROXY] NSH Proxy Connection Created and Verified

      [02 Oct 2013 12:15:34,766] [Nsh-Proxy-Thread-0] [INFO] [x099707:Anonymous:180.5.63.141] [BLSSOPROXY] Nsh RoleFail in NSH_PICKROLE state

      [02 Oct 2013 12:15:35,051] [Nsh-Proxy-Thread-2] [INFO] [x099707:Anonymous:180.5.63.141] [BLSSOPROXY] NSH Proxy Connection Created and Verified

      [02 Oct 2013 12:15:35,080] [Nsh-Proxy-Thread-2] [INFO] [x099707:Anonymous:180.5.63.141] [BLSSOPROXY] Nsh RoleFail in NSH_PICKROLE state

      [02 Oct 2013 12:15:42,467] [Scheduled-System-Tasks-Thread-5] [INFO] [System:System:] [Memory Monitor] Total JVM (B): 271712256,Free JVM (B): 91065992,Used JVM (B): 180646264,VSize (B): 1701171200,RSS (B): 413089792,Used File Descriptors: 241

       

      ------------------------------------------------------------------------------------

       

      And this is what usually appeared when everything went all right.

       

      ------------------------------------------------------------------------------------

      [30 Aug 2013 02:02:07,939] [Scheduled-System-Tasks-Thread-9] [INFO] [System:System:] [Memory Monitor] Total JVM (B): 603979776,Free JVM (B): 221856048,Used JVM (B): 382123728,VSize (B): 1781305344,RSS (B): 766193664,Used File Descriptors: 243

      [30 Aug 2013 02:02:19,041] [Nsh-Proxy-Thread-2] [INFO] [x094379:Anonymous:180.132.32.13] [BLSSOPROXY] NSH Proxy Connection Created and Verified

      [30 Aug 2013 02:02:19,193] [Nsh-Proxy-Thread-2] [INFO] [x094379:BLAdmins:180.132.32.13] [BLSSOPROXY] Connecting to bvsalblfsp01.wt.dces02.corp

      [30 Aug 2013 02:02:20,712] [Nsh-Proxy-Thread-1] [INFO] [x094379:Anonymous:180.132.32.13] [BLSSOPROXY] NSH Proxy Connection Created and Verified

      [30 Aug 2013 02:02:20,842] [Nsh-Proxy-Thread-2] [INFO] [x094379:Anonymous:180.132.32.13] [BLSSOPROXY] NSH Proxy Connection Created and Verified

      [30 Aug 2013 02:02:20,972] [Nsh-Proxy-Thread-1] [INFO] [x094379:BLAdmins:180.132.32.13] [BLSSOPROXY] Connecting to bvsalblfsp01.wt.dces02.corp

      [30 Aug 2013 02:02:20,983] [Nsh-Proxy-Thread-2] [INFO] [x094379:BLAdmins:180.132.32.13] [BLSSOPROXY] Connecting to bvsalblfsp01.wt.dces02.corp

      [30 Aug 2013 02:03:02,662] [Nsh-Proxy-Thread-0] [INFO] [x094379:BLAdmins:180.132.32.13] [BLSSOPROXY] copy data stop: Connection closed

      [30 Aug 2013 02:03:03,402] [Nsh-Proxy-Thread-1] [INFO] [x094379:BLAdmins:180.132.32.13] [BLSSOPROXY] copy data stop: Connection closed

      [30 Aug 2013 02:03:03,402] [Nsh-Proxy-Thread-2] [INFO] [x094379:BLAdmins:180.132.32.13] [BLSSOPROXY] copy data stop: Connection closed

      ------------------------------------------------------------------------------------

       

      This is the only problem we have detected for now; everything looks to be going fine. So for now we are discarding a problem with certificate expiration because we are able to authenticate through the console without any problem. We also discard any problem with the NSH Proxy configuration because nothing has changed in it. And finally, the most curious thing: the same problem has started to happen simultaneously in our TEST and PRO environments.

       

      I feel quite a bit lost in all this, so any kind of help will be very appreciated.

       

      I am also going to describe our environment:

       

      6 Bladelogic App Servers:

       

      - AppServer01 (CM and NSH Proxy)

      - AppServer01 (CM and NSH Proxy)

      - AppServer03 (Job Deployment -  In use and running)

      - AppServer04 (Job Deployment - In use and running)

      - AppServer05 (Job Deployment - Not in use yet although installed and configured)

      - AppServer06 (Job Deployment - Not in use yet although installed and configured)

       

      1 Bladelogic Fileserver.

       

      If you consider you need more information to deal with this issue just let me know.

       

      Thanks in advance.
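
The failing and working traces in the post above differ in what follows each "Connection Created and Verified" line on the same proxy thread: a RoleFail while the role is still Anonymous, or a "Connecting to" line carrying a real role. The following is an added example, not code from the thread or from BMC; the regex layout and the function names are assumptions inferred from the quoted log lines.

```python
import re
from collections import defaultdict

# Layout inferred from the log lines quoted in this thread (an assumption):
# [timestamp] [thread] [level] [user:role:client_ip] [component] message
LINE_RE = re.compile(
    r"^\[[^\]]+\] \[(?P<thread>[^\]]+)\] \[[^\]]+\] "
    r"\[(?P<user>[^:\]]*):(?P<role>[^:\]]*):[^\]]*\] "
    r"\[(?P<component>[^\]]+)\] (?P<msg>.*)$"
)

# Lines copied from the two logs quoted above; the Memory Monitor text is shortened.
SAMPLE = [
    "[02 Oct 2013 12:14:42,467] [Scheduled-System-Tasks-Thread-5] [INFO] [System:System:] [Memory Monitor] Total JVM (B): 271056896",
    "[02 Oct 2013 12:15:34,738] [Nsh-Proxy-Thread-0] [INFO] [x099707:Anonymous:180.5.63.141] [BLSSOPROXY] NSH Proxy Connection Created and Verified",
    "[02 Oct 2013 12:15:34,766] [Nsh-Proxy-Thread-0] [INFO] [x099707:Anonymous:180.5.63.141] [BLSSOPROXY] Nsh RoleFail in NSH_PICKROLE state",
    "[02 Oct 2013 12:15:35,051] [Nsh-Proxy-Thread-2] [INFO] [x099707:Anonymous:180.5.63.141] [BLSSOPROXY] NSH Proxy Connection Created and Verified",
    "[02 Oct 2013 12:15:35,080] [Nsh-Proxy-Thread-2] [INFO] [x099707:Anonymous:180.5.63.141] [BLSSOPROXY] Nsh RoleFail in NSH_PICKROLE state",
    "[30 Aug 2013 02:02:19,041] [Nsh-Proxy-Thread-2] [INFO] [x094379:Anonymous:180.132.32.13] [BLSSOPROXY] NSH Proxy Connection Created and Verified",
    "[30 Aug 2013 02:02:19,193] [Nsh-Proxy-Thread-2] [INFO] [x094379:BLAdmins:180.132.32.13] [BLSSOPROXY] Connecting to bvsalblfsp01.wt.dces02.corp",
]

def summarize_proxy_sessions(lines):
    """Pair each verified proxy connection with the next event on the same thread."""
    pending = {}  # thread -> user whose role selection is still outstanding
    summary = defaultdict(lambda: {"verified": 0, "role_fail": 0, "roles": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["component"] != "BLSSOPROXY":
            continue  # skips Memory Monitor and malformed lines
        user, thread, msg = m["user"], m["thread"], m["msg"]
        if msg.startswith("NSH Proxy Connection Created and Verified"):
            summary[user]["verified"] += 1
            pending[thread] = user
        elif "RoleFail" in msg and pending.pop(thread, None) == user:
            summary[user]["role_fail"] += 1
        elif msg.startswith("Connecting to") and pending.pop(thread, None) == user:
            summary[user]["roles"].add(m["role"])  # role the session was granted
    return dict(summary)

def users_without_role(summary):
    """Users whose every verified connection ended in a role selection failure."""
    return sorted(u for u, s in summary.items()
                  if s["verified"] and s["role_fail"] == s["verified"] and not s["roles"])
```

Run over a full proxy log, this shows whether the failure is confined to particular users or affects every account that connects.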

        • 1. Re: SSO Error: Role Selection Error
          Mike Jones

          The most likely reason for this is that you are configured to use NSH proxy and the credential has expired; performing a reconnect in the GUI or a blcred cred -acquire should resolve it.

          • 2. Re: SSO Error: Role Selection Error
            Pedro José Barbero Iglesias

            Hi Mike,

             

            We have already done that and it didn't work, as you can see in the attached screenshot.

            Acquiring_Credentials.png

             

            And here the log of the NSH Proxy Deployment:

             

            [02 Oct 2013 16:15:58,746] [Scheduled-System-Tasks-Thread-18] [INFO] [System:System:] [Memory Monitor] Total JVM (B): 295108608,Free JVM (B): 21417544,Used JVM (B): 273691064,VSize (B): 1706565632,RSS (B): 430252032,Used File Descriptors: 253

            [02 Oct 2013 16:16:06,038] [Nsh-Proxy-Thread-1] [INFO] [x099707:Anonymous:180.5.63.141] [BLSSOPROXY] NSH Proxy Connection Created and Verified

            [02 Oct 2013 16:16:06,069] [Nsh-Proxy-Thread-1] [INFO] [x099707:Anonymous:180.5.63.141] [BLSSOPROXY] Nsh RoleFail in NSH_PICKROLE state

            [02 Oct 2013 16:16:58,745] [Scheduled-System-Tasks-Thread-3] [INFO] [System:System:] [Memory Monitor] Total JVM (B): 285736960,Free JVM (B): 54938240,Used JVM (B): 230798720,VSize (B): 1706565632,RSS (B): 425062400,Used File Descriptors: 254

            [02 Oct 2013 16:17:58,747] [Scheduled-System-Tasks-Thread-3] [INFO] [System:System:] [Memory Monitor] Total JVM (B): 289800192,Free JVM (B): 16225200,Used JVM (B): 273574992,VSize (B): 1706565632,RSS (B): 426049536,Used File Descriptors: 255

            [02 Oct 2013 16:18:06,599] [Nsh-Proxy-Thread-0] [INFO] [x099707:Anonymous:180.5.63.141] [BLSSOPROXY] NSH Proxy Connection Created and Verified

            [02 Oct 2013 16:18:06,630] [Nsh-Proxy-Thread-0] [INFO] [x099707:Anonymous:180.5.63.141] [BLSSOPROXY] Nsh RoleFail in NSH_PICKROLE state

            [02 Oct 2013 16:18:58,746] [Scheduled-System-Tasks-Thread-16] [INFO] [System:System:] [Memory Monitor] Total JVM (B): 290717696,Free JVM (B): 17446616,Used JVM (B): 273271080,VSize (B): 1706565632,RSS (B): 428544000,Used File Descriptors: 257

             

            We have also removed bl_sesscr in the local installation of Bladelogic Console, restarted the NSH proxy, removed all cached credentials and logged in again, but it didn't work either. Any other ideas?

             

            Thanks in advance.

            • 3. Re: SSO Error: Role Selection Error
              Mike Jones

              What is in the secure file on this host to configure the NSH proxy connection?

              • 4. Re: SSO Error: Role Selection Error
                Pedro José Barbero Iglesias

                Below the content of the secure file:


                default:port=4750:protocol=5:tls_mode=encryption_only:auth_profiles_file=/C/Program Files/BMC Software/BladeLogic/8.2/NSH/br/authenticationProfiles.xml:auth_profile=PRB_ESP_PROD_01:appserver_protocol=ssoproxy:encryption=tls

                default:port=4750:protocol=5:tls_mode=encryption_only:auth_profiles_file=/C/Program Files/BMC Software/BladeLogic/8.2/NSH/br/authenticationProfiles.xml:auth_profile=PRB_ESP_PROD_02:appserver_protocol=ssoproxy:encryption=tls

                • 5. Re: SSO Error: Role Selection Error
                  Edwin Lindeman

                  By chance, has the user's account in RBAC Manager been modified with any Role changes? New Role? Removed a Role from their account, etc.?

                  1 of 1 people found this helpful
                  • 6. Re: SSO Error: Role Selection Error
                    Mike Jones

                    I haven't used two default entries in the secure file so I am not sure what effect that has.

                     

                    What is the configuration of the following on the app servers running NSH proxy (are they both false?)

                    ValidateClientIpAddress

                    ValidateRequestURL

                    • 7. Re: SSO Error: Role Selection Error
                      Pedro José Barbero Iglesias

                      As far as I know nothing has changed at all. But we'll have to do a little research on it because we are not in charge of RBAC operations. But we haven't been notified about any modifications yet. I'll confirm it to you as soon as I have a definitive answer. Anyway, we are used to creating new users and roles without any kind of impact. It would be the first time this kind of operation has a direct impact.

                      • 8. Re: SSO Error: Role Selection Error
                        Pedro José Barbero Iglesias

                        They are both unset, but as far as I know this couldn't change without authorization.

                         

                        [AppServer]

                        AppServerInstrumentationFilePath:

                        AppServerInstrumentationRolloverCount:10

                        AppServerInstrumentationRolloverSize:10000

                        AppServerName:bvsalblogp01_nsh

                        AssetClassAclDelay:300000

                        AssetClassGlobalCacheEnabled:null

                        AssetClassHardReferenceMaximum:100

                        AssetClassJobCacheEnabled:null

                        AssetClassJobQueryCacheEnabled:null

                        AssetClassSessionCacheEnabled:null

                        AssetClassSessionQueryCacheEnabled:null

                        AssetPathCacheMaxSize:50

                        AuditCacheMaxSize:50

                        CLRProxyPort:

                        CertPasswd:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (Modified)

                        CertStore:bladelogic.keystore

                        ComplianceResultMaxNumberOfAssets:100

                        ComponentCacheMaxSize:100

                        ComponentHeaderCacheMaxSize:500

                        ConditionFormatLocaleCountry:

                        ConditionFormatLocaleLanguage:

                        ConditionFormatLocaleVariant:

                        DaalPluginImportWaitTimeout:null

                        DisplayName:bvsalblogp01_NSH

                        EnableARFAndASRExecution:false

                        EnableAsyncExecution:

                        EnableAtriumIntegration:

                        EnableInstrumentation:false

                        EnableProxyInspection:true

                        EnableSessionBasedCaching:true

                        FileSystemObjectCacheMaxSize:50000

                        GMOCacheMaxSize:500

                        HTTPProxyName:

                        HTTPProxyPassword:

                        HTTPProxyPort:

                        HTTPProxyType:null

                        HTTPProxyUser:

                        Hostname:

                        IdleNshProxyPruneTime:120

                        JVMArgs:

                        LauncherStatusRefreshInterval:30

                        LogItemWriterQueueSize:10000

                        MaxConnectionAttempts:10

                        MaxHeapSize:1g

                        MaxJMXConnections:20

                        MaxNshProxyContexts:20

                        MaxNshProxyThreads:3

                        MaxPort:9999

                        MaxRESTNotifyThreads:12

                        MemoryMonitorRefreshRate:60

                        MinPort:9950

                        NTLMProxyDomain:null

                        NshProxyMaxThreadIdleTime:500

                        NshProxySocketConnectTimeout:60

                        NshProxySocketOperationTimeout:7200

                        NumLogItemWriterThreads:5

                        PSCCacheMaxSize:500

                        PSICacheMaxSize:500

                        PSIValueCacheMaxSize:1000

                        PWDStore:

                        PatternCacheMaxSize:500

                        ProxySvcPort:9942

                        RegistryPort:9936

                        RemoteServerTimeout:300

                        RequireClientAuthentication:true

                        SSCOLoaderCacheMaxSize:25

                        ServerMonitorInterval:10

                        SnapshotCacheMaxSize:100

                        SocketTimeout:600

                        SocketsBindAddress:all

                        TemplateCacheMaxSize:100

                        UseSSLSockets:false

                        ValidateClientIpAddress:

                        ValidateRequestURL:

                        VersionCompatibilityCheck:minor

                        XMLConfigFileTransferChunkSize:100

                        [AssetThresholds]

                        MaxAllowedLiveBrowseResults:

                        MaxConfigRecords:25000

                        • 9. Re: SSO Error: Role Selection Error
                          Mike Jones

                          I am thinking that the two default entries could be causing the problem and might be causing it to connect to the other server for which the session credential is not valid.

                           

                          You could set the ValidateRequestURL and ValidateClientIpAddress to false or you could try with only one default entry in the secure file.
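
A way to check a client secure file for the condition raised in the reply above, as an added example that is not code from the thread or from BMC. It assumes the colon-separated `host:key=value` layout seen in the lines posted here; the function names are hypothetical, and it only reports duplicates without saying which entry the client honours.

```python
from collections import defaultdict

# The two entries posted in reply 4 of this thread.
POSTED = (
    "default:port=4750:protocol=5:tls_mode=encryption_only:"
    "auth_profiles_file=/C/Program Files/BMC Software/BladeLogic/8.2/NSH/br/authenticationProfiles.xml:"
    "auth_profile=PRB_ESP_PROD_01:appserver_protocol=ssoproxy:encryption=tls\n"
    "\n"
    "default:port=4750:protocol=5:tls_mode=encryption_only:"
    "auth_profiles_file=/C/Program Files/BMC Software/BladeLogic/8.2/NSH/br/authenticationProfiles.xml:"
    "auth_profile=PRB_ESP_PROD_02:appserver_protocol=ssoproxy:encryption=tls\n"
)
# The single entry suggested in reply 10.
SINGLE = "default:port=4750:protocol=5:tls_mode=encryption_only:appserver_protocol=ssoproxy:encryption=tls:\n"

def parse_secure_entry(line):
    """Split one secure-file line into (host, {option: value})."""
    host, *fields = line.strip().rstrip(":").split(":")
    options = {}
    for field in fields:
        key, _, value = field.partition("=")
        options[key] = value
    return host, options

def duplicate_hosts(text):
    """Return {host: {option: [value per entry]}} for hosts defined more than once.

    Only options on which the duplicate entries disagree are listed, so an
    empty inner dict means the repeated lines are identical.
    """
    seen = defaultdict(list)
    for raw in text.splitlines():
        if raw.strip():
            host, options = parse_secure_entry(raw)
            seen[host].append(options)
    report = {}
    for host, entries in seen.items():
        if len(entries) > 1:
            keys = set().union(*entries)
            report[host] = {k: [e.get(k) for e in entries] for k in keys
                            if len({e.get(k) for e in entries}) > 1}
    return report
```

On the posted file the two `default` entries differ only in `auth_profile`, which is the one option that decides which authentication profile the session credential is checked against.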

                          • 10. Re: SSO Error: Role Selection Error
                            richard mcleod

                            What version of BL are you using?

                             

                            You can try updating your local secure file (from the computer where you run the console/nsh): c:\windows\rsc\secure

                             

                            Update the line to show as:

                             

                            default:port=4750:protocol=5:tls_mode=encryption_only:appserver_protocol=ssoproxy:encryption=tls:

                            • 11. Re: SSO Error: Role Selection Error
                              Pedro José Barbero Iglesias

                              To be honest, I didn't realize that, but I can tell you for sure that this has been working during the last nine months at least without any problem or warning messages.

                              • 12. Re: SSO Error: Role Selection Error
                                Pedro José Barbero Iglesias

                                We get the same error after making the modification you have proposed.

                                • 13. Re: SSO Error: Role Selection Error
                                  Mike Jones

                                  For clarity, which modifications have you tried: single default entry in the secure file, change the validate IP/URL settings, or both?

                                   

                                  So has anything changed recently, if it has been working fine for the last 9 months? I do remember an issue we had when a lot of extra roles were added to a test user which exceeded the limit, but that stopped us logging onto the console as well.

                                  • 14. Re: SSO Error: Role Selection Error
                                    richard mcleod

                                    Can you paste the contents of the 'secure' and 'users' files of a remote target you're trying to nsh to? Best to ensure those files are configured correctly as well.
