Configuring BMC Bladelogic RSCD Agent Security

Mar 24, 2012 by Vinnie Lima | Leave a Comment

The BMC Bladelogic for Servers RSCD Agent has three configuration files which are key to enabling remote users or Application Servers to interact with the agent.  There are two locations where such files are placed:

  1. For Linux/UNIX Systems, these files are under /usr/lib/rsc
  2. For Windows Systems, these files are under C:\Windows\rsc

 

The files are:

  1. exports – defines who can connect to the agent
  2. users – defines the Roles and Users (ACL-based) that can interact with the agent, and the account those users should impersonate into
  3. users.local – static definition (supersedes the users file) of Roles and Users (Non-ACL driven) that must always have access to the agent.

 

The typical configuration is as follows:

  • exports – should define at a minimum the BBSA application server that can communicate with this agent.  This is how you secure and prevent unauthorized AppServers from talking to the RSCD Agent

 

10.10.10.10   rw,user=Administrator

Where:

  1. 10.10.10.10 is the IP address of the BBSA Application Server
  2. rw is the permission (read-write) that system has.
  3. Administrator is the impersonated user on the local system.  This can also be root on a linux/unix system.

 

  • users – is populated by performing an ACL Push Job from Bladelogic.  Applies the RBAC model assigned in BBSA to the target system’s RSCD Agent.
  • users.local – must have at a minimum three entries which allow BBSA Application Server (defined in #1) to properly communicate to the target system for mundane fundamental actions:

     

    RBACAdmins:RBACAdmin   rw,map=Administrator
    BLAdmins:BLAdmin               rw,map=Administrator
    System:System                           rw,map=Administrator

    Where:

    1. RBACAdmins:RBACAdmin is the default user in BBSA to manipulate Roles and Permissions.
    2. BLAdmins:BLAdmin is the default Administrator user in BBSA
    3. System:System is an undocumented requirement.  BBSA App servers historically have used this built in role/user for functional communications to with the RSCD Agent. I believe mostly this is needed for communicating with the RSCD agent on the File Server.

    You do not need to restart the RSCD agent for these changes to take effect.

    About the author:

    Vinnie Lima

    Vinnie Lima is the Managing Director for VVL Systems & Consulting, a small business focusing on IT Optimization for Cloud, Infrastructure, and End Users. Based out of Baltimore, Maryland, Vinnie Lima has over 21 years in IT Automation, Orchestration, and Cloud. Mr. Lima’s career has been focusing on helping customers drive value from their IT investments through the use of leading edge technologies and approaches, driving innovation in a wide spectrum of industries such as DoD, Federal, Health Care, and Financial.

    facebook twitter linkedin instagram

    Leave A Reply

    ERROR: si-captcha.php plugin: GD image support not detected in PHP!

    Contact your web host and ask them to enable GD image support for PHP.

    ERROR: si-captcha.php plugin: imagepng function not detected in PHP!

    Contact your web host and ask them to enable imagepng for PHP.

    This site uses Akismet to reduce spam. Learn how your comment data is processed.

    Subscribe to our Newsletter
    Stay informed with the latest technology news, industry events, and training offered by VVL Systems for free! Fill out this form and receive our newsletter delivered straight to your inbox.

    See how VVL has helped clients leverage the latest technologies and agile capabilities.

    Latest VVL and Industry News

    Dec 30, 2020

    SolarWinds Breach Response

    Information & Resources regarding SolarWinds Orion Incident As many are aware, SolarWinds Orion products experienced a security incident that has…

    Feb 06, 2020

    What is a Zero Trust Maturity Model?

    In this article, we'll review the recent materials, standards, and guidance principles related to Zero Trust Framework with the hope…

    Upcoming VVL and Industry Events