Setting up a Network Shell proxy server
A Network Shell proxy server is an Application Server defined to manage:
- Interactive traffic from Network Shell clients
- Traffic from jobs that invoke Network Shell.
This topic describes the different Application Server configurations requiring a Network Shell proxy server. Note that the initial installation of a BMC Server Automation Application Server does not set up a Network Shell proxy server by default.
Application Server types
When you create an Application Server, you can specify its type. The initial installation of an Application Server sets its type to All, which means the Application Server can perform all possible functions, including that of a Network Shell proxy server. When you deploy additional Application Servers on a host, they can be any combination of the following types. You can also redefine the initial installation of the Application Server so its type is any combination of the following types.
- Configuration — Manages traffic from the console
- Job — Manages job traffic
- NSH_Proxy — Manages Network Shell traffic
- All — Performs all of the functions listed above
Configuration required when using a Network Shell proxy server
The following table describes actions you must take to implement a Network Shell proxy server for different Application Server configurations.
If you have deployed multiple Application Servers and a load balancer, additional configuration is necessary for a Network Shell proxy server. See Recommendations for Application Servers of type NSH_Proxy.
Application Server configuration | Additional configuration required |
---|---|
Application Server is set to type All or to a type that includes NSH_Proxy (for example, Configuration+NSH_Proxy) and the Application Server must function as a Network Shell proxy server. |
|
Application Server is not functioning as a Network Shell proxy server but it must redirect traffic to a Network Shell proxy server. |
|
The Application Server must be configured to use a Network Shell proxy server under the following circumstances:
|
|
Note
When you deploy Application Servers to multiple hosts, you must configure the Application Servers so they access the same database, use the same keystore information, and run synchronized clocks. Network Shell proxy servers are a type of Application Server, so you must perform this configuration on them too. For details, see Configuring multiple Application Servers on different hosts.
Run the Network Shell proxy service
Any Application Server defined to be a Network Shell proxy server must be running the Network Shell proxy service. To run the service, enable the Network Shell proxy port — the port on which the Network Shell proxy server listens for Network Shell traffic.
The initial installation of an Application Server on a host creates a default Application Server with its type set to All. A Network Shell proxy server is not enabled on a default Application Server. You must perform this procedure to enable the Network Shell proxy server.
When you deploy additional Application Servers on a host with their type set to All or any type that includes NSH_Proxy (such as Configuration+NSH_Proxy), this procedure is not necessary. In those situations, the proxy service is automatically enabled.
To run the proxy service
- Using the BMC Server Automation Console, select Configuration > Infrastructure Management.
- Expand the Application Servers node. Right-click an Application Server defined to function as a Network Shell proxy server and select Edit.
  The Application Server must have its type set to All or to a type that includes NSH_Proxy, such as Configuration+NSH_Proxy.
- On the Edit Application Server Profile dialog box, provide a value for ProxySvcPort.
  This value is the number of the port on the Application Server that listens for Network Shell traffic. By default, the Network Shell proxy server listens for traffic on a port equal to the base port plus 42 (typically 9842).
- Click OK.
- Restart the Application Server. See Managing multiple Application Servers on the same host.
Configure the proxy service URL
To use a Network Shell proxy server, any Application Server that is not functioning as a Network Shell proxy server must be configured to send Network Shell traffic to a Network Shell proxy server.
To configure the proxy service URL
- Using the BMC Server Automation Console, select Configuration > Infrastructure Management.
- Expand the Application Servers node. Right-click an Application Server that is defined not to function as a Network Shell proxy server and select Edit.
- On the Edit Application Server Profile dialog box, provide a value for ProxyServiceURLs.
  This value should identify a Network Shell proxy service running in the Application Server environment. The value you provide should have the format
  service:proxysvc.bladelogic:blsess://<nshProxyServerHost>:<portNumber>
  In the value shown above, <nshProxyServerHost> is the fully qualified name of a host where a Network Shell proxy server is running and <portNumber> is the value provided for ProxySvcPort on that Network Shell proxy server. By default, ProxySvcPort is set to base port plus 42.
- Click OK.
- Restart the Application Server. See Managing multiple Application Servers on the same host.
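The following check is an added example, not part of the BMC documentation or product: it validates one ProxyServiceURLs value against the format above and cross-checks its port with the ProxySvcPort set on the proxy server it names. The function name, the `proxy_ports` inventory and the sample host names are assumptions made for illustration.

```python
import re

# Format given on this page:
# service:proxysvc.bladelogic:blsess://<nshProxyServerHost>:<portNumber>
URL_RE = re.compile(
    r"^service:proxysvc\.bladelogic:blsess://(?P<host>[^:/\s]+):(?P<port>\d+)$"
)

def check_proxy_service_url(url, proxy_ports):
    """Return a list of problems found in one ProxyServiceURLs value.

    proxy_ports is a hypothetical inventory that maps each Network Shell
    proxy server host (lowercase) to the ProxySvcPort configured on it.
    """
    m = URL_RE.match(url.strip())
    if not m:
        return ["does not match service:proxysvc.bladelogic:blsess://<host>:<port>"]
    host, port = m["host"].lower(), int(m["port"])
    problems = []
    # The page asks for the fully qualified name of the proxy host.
    if "." not in host:
        problems.append(f"{host} is not a fully qualified host name")
    if not 1 <= port <= 65535:
        problems.append(f"port {port} is out of range")
    # The port must be the ProxySvcPort of the proxy server being referenced.
    expected = proxy_ports.get(host)
    if expected is None:
        problems.append(f"{host} is not a known Network Shell proxy server")
    elif expected != port:
        problems.append(f"port {port} does not match ProxySvcPort {expected} on {host}")
    return problems

# Constructed inventory: one proxy server listening on base port plus 42.
SAMPLE_PROXIES = {"nshproxy.example.com": 9842}

if __name__ == "__main__":
    for value in (
        "service:proxysvc.bladelogic:blsess://nshproxy.example.com:9842",
        "service:proxysvc.bladelogic:blsess://nshproxy.example.com:9841",
        "blsess://nshproxy.example.com:9842",
    ):
        print(value, "->", check_proxy_service_url(value, SAMPLE_PROXIES) or "ok")
```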
Route Network Shell traffic to a Network Shell proxy server
Use this procedure to configure an Application Server so that Network Shell traffic is routed through a Network Shell proxy service for any Application Server that processes jobs.
To route Network Shell traffic to a Network Shell proxy server
- Configure the secure file on the Application Server by running the following secadmin command:
  secadmin -m default -p 5 -appserver_protocol ssoproxy -T encryption_only -e tls
  This command generates the following default entry in the secure file:
  default:protocol=5:appserver_protocol=ssoproxy:tls_mode=encryption_only:encryption=tls
  For more information about the secure file, see Secure file overview. For more information about secadmin, see Using the secadmin utility.
- If users must run a Network Shell client interactively from this Application Server's host, configure the host to run in proxy mode.
- Repeat this procedure for any other Application Server that is defined to process jobs.
- If the particular deployment of the Application Server is not running an NSH Proxy Server itself, then you must update the ProxyServiceURLs setting in that deployment to reference the relevant NSH Proxy URL.
  For example, Application Server Deployment A is of type CONFIG, NSH_PROXY, and Application Server Deployment B is of type JOB. You must update the ProxyServiceURLs setting to contain the URL for the NSH Proxy Service on Deployment A.
- If you have target systems that run the RSCD agent on custom ports, you must modify the secure file on your application servers to contain the following entry format, in addition to the default entry:
  <host>:port=<custom port>:appserver_protocol=ssoproxy:protocol=5:tls_mode=encryption_only:encryption=tls:
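To confirm that a job server's secure file matches this procedure, the added example below (not BMC code) parses secure-file entries in the colon-separated form shown on this page and reports the default entry or any custom-port entry that lacks the proxy routing settings. It assumes host names contain no colons, compares against the exact values from the secadmin command above (so any other value, including a stricter one, is reported), and uses constructed host names and ports.

```python
# Settings written by the secadmin command on this page.
REQUIRED = {
    "protocol": "5",
    "appserver_protocol": "ssoproxy",
    "tls_mode": "encryption_only",
    "encryption": "tls",
}

def parse_entry(line):
    """Split 'name:key=value:...' into (name, {key: value}); None for blank lines."""
    line = line.strip()
    if not line:
        return None
    # A trailing colon, as in the custom-port entry format, is tolerated.
    name, *fields = line.rstrip(":").split(":")
    return name, dict(f.split("=", 1) for f in fields if "=" in f)

def audit_secure_file(text):
    """Return findings for entries that would not route through the proxy."""
    findings = []
    seen_default = False
    for raw in text.splitlines():
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        name, opts = parsed
        if name == "default":
            seen_default = True
        elif "port" not in opts:
            continue  # this page covers only the default and custom-port entries
        for key, want in REQUIRED.items():
            if opts.get(key) != want:
                findings.append(f"{name}: {key}={opts.get(key)!r}, expected {want!r}")
    if not seen_default:
        findings.append("default: entry missing")
    return findings

# Constructed sample: agent2 listens on a custom port but its entry
# omits appserver_protocol=ssoproxy.
SAMPLE = """\
default:protocol=5:appserver_protocol=ssoproxy:tls_mode=encryption_only:encryption=tls
agent1.example.com:port=4751:appserver_protocol=ssoproxy:protocol=5:tls_mode=encryption_only:encryption=tls:
agent2.example.com:port=4752:protocol=5:tls_mode=encryption_only:encryption=tls
"""

if __name__ == "__main__":
    for finding in audit_secure_file(SAMPLE):
        print(finding)
```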
Additional configuration for using a Network Shell proxy server
In some situations you might want to set up a stand-alone Network Shell proxy server, which is an Application Server that does not perform any of the functions of an Application Server except manage Network Shell traffic. A stand-alone Network Shell proxy server cannot access the BMC Server Automation database. For more information, see Setting up a stand-alone Network Shell proxy server.
There are additional configuration tasks to adjust the performance of a Network Shell proxy server. See Recommendations for Application Servers of type NSH_Proxy.