Configuring the secure file

When configuring the secure file, you can make three types of entries: a default entry, an rscd entry, and host entries. Each is described below.

Always use the secadmin utility to configure the secure file. The secadmin utility encrypts any keys needed for data encryption and guarantees that the secure file is formatted correctly. For more information, see Using the secadmin utility.

Default entry

The secure file allows for a special host name called default. It defines connection parameters for servers that otherwise do not have an entry in the secure file. Creating a default entry is an easy way to define the same communication parameters for multiple servers without having to configure entries for each of those servers.

A default entry in the secure file uses the following format:

default:<option1:option2:option3...>

where optionN is a list of colon-separated fields. Each option in the list defines a parameter for communicating with all servers that do not have a host entry specifically defined for them. For a list of options, see Options for secure file.

When you initially install Network Shell, the BMC Server Automation consoles, or the RSCD agent, a default entry is automatically created in the secure file.

The default entry specifies that the client use protocol 5 and instructs clients and servers to communicate using the TLS protocol for secure communication. The default entry also designates the default port as 4750. The default entry that is automatically generated in a client's secure file reads as follows:

default:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls

rscd entry

The secure file allows for another special host name called rscd. It defines the standard connection parameters that the RSCD agent on a server uses when communicating with clients that are not included in the list of host entries in the server's secure file. Creating an rscd entry is an easy way to define the same communication parameters for every client that is not otherwise configured in the server's secure file.

An rscd entry in the secure file uses the following format:

rscd:<option1:option2:option3...>

where optionN is a list of colon-separated fields. Each option in the list defines a parameter for communicating with all clients that do not have a host entry specifically defined for them. For a complete list of available options, see Options for secure file.

Note

If you change the RSCD agent port number in the secure file, you must restart both the Application Server as well as the RSCD agent on the system(s) where you changed the secure file for the change to take effect.

When you initially install an RSCD agent on a server, an rscd entry is automatically created in the secure file. The rscd entry specifies that the RSCD agent use protocol 5 and instructs clients and servers to communicate using the TLS protocol for secure communication. The rscd entry also designates the default port as 4750. The rscd entry that is automatically generated in the secure file on a server reads as follows:

rscd:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls

Host entries

Host entries in the secure file on a server set connection parameters that define how that server communicates with individual clients. Host entries in the secure file on a client set connection parameters that define how that client communicates with individual servers. You must make corresponding entries in the secure file on both the client and server to establish a connection between client and server.

To configure host entries in the secure file, create entries that define parameters for a connection with a particular host. Use the following format for each entry:

<hostName>:<option1:option2:option3...>

where,

<hostName> is the host with which the client or server is communicating. <hostName> can be a resolvable host name, IP address, or subnet designation. Subnet designations are used to define a range of addresses (see Subnet designations).
<optionN> is a list of colon-separated fields. Each option defines a parameter for communicating with the host (or subnet) named in <hostName>. For a complete list of available options, see Options for secure file.

Using the secadmin utility

With the secadmin utility, you can create, modify, or delete entries in a secure file. You can also create, modify, or delete default or rscd entries in the secure file. Additionally, the secadmin utility lets you modify entries in the securecert file.

Example

If you are using protocol 5 and you want to specify TLS-style encryption between a client called host1 and three servers called host2, host3, and host4, you would use secadmin to make the following additions to the secure file on host1:

secadmin -a host2 -p 5 -T encryption_only -e tls
secadmin -a host3 -p 5 -T encryption_only -e tls
secadmin -a host4 -p 5 -T encryption_only -e tls

Next, you must use secadmin to modify the secure file on host2, host3, and host4 by entering the following command on each of those servers:

secadmin -m host1 -p 5 -T encryption_only -e tls
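The entry formats described above (default, rscd and host entries) and the two-sided configuration in the host1/host2 example can be checked mechanically. The following Python is an added example, not BMC's code and not part of the secadmin utility. It parses secure-file lines in the `<hostName>:<option1:option2...>` format shown on this page, resolves which entry applies to a given peer (a host entry, otherwise a subnet entry, otherwise default on a client or rscd on a server), and reports the options on which a client/server pair disagree. Assumptions not taken from the page: lines beginning with `#` are comments, subnet designations use CIDR syntax, a host entry takes precedence over a subnet entry that also contains the host, and the sample file contents are constructed for the example (the exact line that secadmin writes is not shown on this page, and port is written explicitly in the samples).

```python
"""Check that a client's and a server's ``secure`` files agree.

Added example, not BMC's code.  Lines follow the format given on this page:
    <hostName>:<option1:option2:...>
where <hostName> is ``default``, ``rscd``, a host name, an IP address or a
subnet designation, and each option is ``name=value``.

Assumptions not taken from the page: lines beginning with ``#`` are
comments, subnet designations are CIDR (e.g. 192.0.2.0/24), and a host
entry wins over a subnet entry that also contains the host.
"""
import ipaddress
from typing import Dict

Options = Dict[str, str]


def parse_secure(text: str) -> Dict[str, Options]:
    """Return {hostName: {option: value}} for every entry line in ``text``."""
    entries: Dict[str, Options] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # assumed comment syntax
            continue
        host, _, rest = line.partition(":")
        opts: Options = {}
        for field in rest.split(":"):
            if field:
                name, _, value = field.partition("=")
                opts[name] = value
        entries[host] = opts
    return entries


def _in_subnet(peer: str, host: str) -> bool:
    """True when ``host`` is a CIDR subnet (assumed syntax) containing ``peer``."""
    if "/" not in host:
        return False
    try:
        return ipaddress.ip_address(peer) in ipaddress.ip_network(host, strict=False)
    except ValueError:  # peer is a host name, or host is not a valid network
        return False


def effective_options(entries: Dict[str, Options], peer: str, role: str) -> Options:
    """Options ``role`` ('client' or 'server') will use when talking to ``peer``.

    A host entry naming the peer applies first, then a subnet entry containing
    it; otherwise the catch-all: ``default`` on a client, ``rscd`` on a server.
    """
    if peer in entries:
        return dict(entries[peer])
    for host, opts in entries.items():
        if _in_subnet(peer, host):
            return dict(opts)
    return dict(entries.get("default" if role == "client" else "rscd", {}))


CHECKED = ("protocol", "encryption", "tls_mode", "port")


def check_pair(client_secure: str, client_name: str,
               server_secure: str, server_name: str) -> Dict[str, tuple]:
    """Compare the client's view of the server with the server's view of the
    client.  Returns {option: (client_value, server_value)} for each option in
    CHECKED on which they differ; an empty dict means the two sides agree."""
    c = effective_options(parse_secure(client_secure), server_name, "client")
    s = effective_options(parse_secure(server_secure), client_name, "server")
    return {k: (c.get(k), s.get(k)) for k in CHECKED if c.get(k) != s.get(k)}


# Constructed sample files (not copied from a real installation).  host1 is
# the client from the text, with the auto-generated default entry, one host
# entry per server and a subnet entry; port is written explicitly here.
HOST1_SECURE = """\
default:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls
host2:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls
host3:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls
host4:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls
192.0.2.0/24:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls
"""
# host2: the secadmin -m step from the text was done.
HOST2_SECURE = """\
rscd:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls
host1:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls
"""
# host3: no host1 entry, so the auto-generated rscd entry carries the connection.
HOST3_SECURE = "rscd:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls\n"
# host4: the agent port was changed on the server but host1 was never updated.
HOST4_SECURE = """\
rscd:port=4751:protocol=5:tls_mode=encryption_only:encryption=tls
host1:port=4751:protocol=5:tls_mode=encryption_only:encryption=tls
"""

if __name__ == "__main__":
    for name, secure in (("host2", HOST2_SECURE), ("host3", HOST3_SECURE),
                         ("host4", HOST4_SECURE)):
        diff = check_pair(HOST1_SECURE, "host1", secure, name)
        print(f"host1 <-> {name}: {'OK' if not diff else diff}")
```

Run against the samples, host2 and host3 report OK (host3 because its rscd entry matches what host1 expects), while host4 reports a port mismatch of 4750 on the client against 4751 on the server, which is the situation the note above describes: a port change in the server's secure file is not picked up until the client's entry is changed too and the Application Server and RSCD agent are restarted.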

If you are using secadmin on a server where Network Shell is not installed, you must include the full path to the secadmin utility when running a secadmin command. By default, you can find secadmin in the following locations:

  • UNIX: /opt/bmc/bladelogic/NSH/secadmin
  • Windows: C:\Program Files\BMC Software\BladeLogic\RSCD\secadmin

For a complete description of the secadmin utility, see the man page for secadmin.
