Configuring BMC Bladelogic RSCD Agent Security

The BMC Bladelogic for Servers RSCD Agent has three configuration files which are key to controlling which remote users or Application Servers may interact with the agent. They live in one of two locations, depending on the platform:

  1. For Linux/UNIX Systems, these files are under /usr/lib/rsc
  2. For Windows Systems, these files are under C:\Windows\rsc

The files are:

  1. exports – defines who can connect to the agent
  2. users – defines the Roles and Users (ACL-based) that can interact with the agent, and the local account those users are mapped to (impersonate)
  3. users.local – static definition (supersedes the users file) of Roles and Users (not ACL-driven) that must always have access to the agent.

The typical configuration is as follows:

  • exports – should define, at a minimum, the BBSA Application Server that is allowed to communicate with this agent.  This is how you secure the agent and prevent unauthorized AppServers from talking to it.


    10.10.10.10   rw,user=Administrator

Where:

  1. 10.10.10.10 is the IP address of the BBSA Application Server
  2. rw is the permission (read-write) that system has.
  3. Administrator is the local account that connections from that system are mapped to (impersonate).  On a Linux/UNIX system this can also be root.

  • users – is populated by running an ACL Push Job from Bladelogic.  This applies the RBAC model assigned in BBSA to the target system's RSCD Agent.
  • users.local – must contain at least the three entries below, which allow the BBSA Application Server (the one listed in exports above) to communicate with the target system for basic, fundamental operations:


    RBACAdmins:RBACAdmin   rw,map=Administrator
    BLAdmins:BLAdmin       rw,map=Administrator
    System:System          rw,map=Administrator

    Where:

    1. RBACAdmins:RBACAdmin is the default user in BBSA for manipulating Roles and Permissions.
    2. BLAdmins:BLAdmin is the default Administrator user in BBSA.
    3. System:System is an undocumented requirement.  BBSA App Servers have historically used this built-in role/user for functional communications with the RSCD Agent. I believe this is mostly needed for communicating with the RSCD Agent on the File Server.

    You do not need to restart the RSCD agent for these changes to take effect.
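The following checker is an added example, not part of the original post or of the BMC product: it parses exports and users.local text in the column layout shown above (subject, then a comma-separated options field such as rw,user=... or rw,map=...) and reports entries that deviate from the template on this page. The file format details beyond what is shown above, and the `#` comment convention, are assumptions; the sample contents are constructed.

```python
import ipaddress

# Constructed samples mirroring the templates shown on the page.
EXPORTS_SAMPLE = "10.10.10.10   rw,user=Administrator\n"
USERS_LOCAL_SAMPLE = (
    "RBACAdmins:RBACAdmin   rw,map=Administrator\n"
    "BLAdmins:BLAdmin       rw,map=Administrator\n"
    "System:System          rw,map=Administrator\n"
)

# The three users.local entries the page calls mandatory.
REQUIRED_USERS_LOCAL = {"RBACAdmins:RBACAdmin", "BLAdmins:BLAdmin", "System:System"}


def parse_entries(text):
    """Parse 'subject  perms,key=val,...' lines into (subject, perms, {key: val}).

    Blank lines and lines starting with '#' are skipped (assumed comment syntax).
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts = parts[1].split(",") if len(parts) > 1 else []
        perms = opts[0].strip() if opts and "=" not in opts[0] else ""
        kv = dict(o.strip().split("=", 1) for o in opts if "=" in o)
        entries.append((parts[0], perms, kv))
    return entries


def audit_exports(text):
    """Flag exports entries that are not a single app-server IP with an explicit user= mapping."""
    findings = []
    for host, perms, kv in parse_entries(text):
        try:
            ipaddress.ip_address(host)  # the template lists one specific BBSA app server
        except ValueError:
            findings.append(f"exports: '{host}' is not a single IP address; restrict to the BBSA app server")
        if perms == "rw" and "user" not in kv:
            findings.append(f"exports: '{host}' grants rw without the user= mapping used in the template")
    return findings


def audit_users_local(text):
    """Report which of the three required users.local entries are missing."""
    present = {subject for subject, _, _ in parse_entries(text)}
    return [f"users.local: missing required entry {e}" for e in sorted(REQUIRED_USERS_LOCAL - present)]
```

Run both functions over the live files after an ACL push or a manual edit; an empty list means the file matches the baseline described above.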

Written by

March 24, 2012