Walkthrough: Securing an RSCD agent
This topic walks you through securing an RSCD agent on a managed server so that only authorized users of BMC BladeLogic Server Automation can perform actions on that server.
Today, all IT departments are justifiably concerned about the security of their computing environments. Recognizing those concerns, BMC recommends you control access to all servers managed with BladeLogic. By taking the steps described in this walkthrough, you can ensure that only authorized BladeLogic users can access and control RSCD agents installed on managed servers.
What does this walkthrough show?
There are several tasks necessary to secure an RSCD agent. Each task corresponds to one of the sections below.
- Create an exports file that controls access from BladeLogic client machines that communicate with agents. Typically an exports file sets global permissions for all users on BladeLogic client machines. The exports file is a simple text file that you can edit with a text editor.
- Define a File Deploy Job to deploy the exports file to RSCD agents that must be secured. This example deploys the exports file to Windows servers. Another File Deploy Job would be necessary to secure UNIX-style servers.
You can also use a Deploy Job to deploy either a complete exports file or entries from an exports file, but for the sake of simplicity, this walkthrough shows how to use a File Deploy Job.
- Set up a regularly scheduled ACL Push Job that pushes access controls to a server. In BladeLogic, you specify which users have access permissions to servers. To ensure that only those designated users can access the specified servers, you can run an ACL Push Job, which converts the server access permissions into a users configuration file on each server. The users file controls which users have access to a server.
What do I do to get started?
For this walkthrough, we have logged on as BLAdmin, the default superuser for BSA. In live deployments, BMC recommends that you grant access based on roles with a narrower set of permissions.
How to create an exports file to secure an RSCD agent
Using a text editor, open a document and create an entry that controls access from the Application Server. A typical entry is shown at right. The entry grants read and write permissions to users from a machine with the specified IP address. In this case, the IP address is the address of the primary Application Server.
Instead of an IP address, you can use the Application Server's fully qualified name or alias, but an IP address does not require the involvement of a DNS server, which can sometimes be a point of failure.
If you have additional Application Servers, create similar entries for them.
Create entries for any repeaters that are being used to relay information to the RSCD agent.
If you are using a SOCKS proxy server, add another entry for the SOCKS proxy.
Save the file in a temporary location. The file should be called exports.
At right we see the full text of the file.
Never use broad permissions such as
The point of this walkthrough is to create a narrow set of permissions targeted only at users on the client machines that could potentially communicate with the RSCD agent.
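As an added example (not part of the original walkthrough or BMC's tooling), the following script audits a candidate exports file before it is deployed, flagging any entry that grants access to a host outside the approved list of Application Servers, repeaters and SOCKS proxies. It assumes the exports syntax is one entry per line of the form `<host> <permissions>` with `#` comments, and the sample file and host addresses are constructed for illustration.

```python
import re

# Constructed sample exports file (not from the page). Assumed syntax:
# one entry per line, "<host> <perms>[,option=value...]", '#' starts a comment.
SAMPLE_EXPORTS = """\
# exports file staged for a managed Windows server
10.20.30.40               rw    # primary Application Server (constructed)
10.20.30.41               rw    # secondary Application Server (constructed)
repeater01.corp.example   rw    # repeater (constructed)
*                         rw    # broad entry that should never ship
"""

# Hypothetical approved client list for this agent (constructed values).
APPROVED_CLIENTS = {"10.20.30.40", "10.20.30.41", "repeater01.corp.example"}

ENTRY_RE = re.compile(r"^(\S+)\s+(\S+)$")


def parse_exports(text):
    """Return a list of (host, perms) tuples, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = ENTRY_RE.match(line)
        if not match:
            raise ValueError(f"unparseable exports entry: {raw!r}")
        entries.append((match.group(1), match.group(2)))
    return entries


def audit_exports(text, approved_hosts):
    """Return (host, perms, reason) findings for entries wider than the approved list.

    A wildcard host is reported first because it grants access to every client;
    any other host not in approved_hosts is reported as unapproved.
    """
    findings = []
    for host, perms in parse_exports(text):
        if "*" in host:
            findings.append((host, perms, "wildcard host grants access to any client"))
        elif host not in approved_hosts:
            findings.append((host, perms, "host is not in the approved client list"))
    return findings


if __name__ == "__main__":
    for host, perms, reason in audit_exports(SAMPLE_EXPORTS, APPROVED_CLIENTS):
        print(f"REJECT {host} {perms}: {reason}")
```

Run it against the staged file as a pre-deployment gate; a non-empty findings list means the File Deploy Job should not be scheduled until the entry is narrowed.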
How to deploy the exports file with a File Deploy Job
In the BMC Server Automation Console, expand the Jobs folder and navigate to a folder where you can create a File Deploy Job. Select the folder, right-click, and select New > File Deploy Job.
On the General panel of the File Deploy Job wizard, perform the following steps:
On the Targets panel:
On the Schedules panel:
When the job completes:
Note: This example demonstrates how to perform a File Deploy Job on Windows servers. Another job is necessary to deploy the exports file to Linux and UNIX-style servers.
How to run a regularly scheduled ACL Push Job
In BMC Server Automation Console, expand the Jobs folder and navigate to a folder where you can create an ACL Push Job. Select the folder, right-click, and select New > Administration Task > ACL Push Job.
On the General panel of the ACL Push Job wizard, enter a name for the job. Then click Next.
On the Targets panel:
On the Schedules panel:
When the job completes, navigate to the job in the Jobs folder, right-click, and select Show Results. The pane at right shows the results of the ACL Push Job. Check the results to be sure the job executed successfully on all servers.
Where to go from here
Another measure to consider when securing RSCD agents is requiring agents to authenticate X509 certificates during communication with other BladeLogic components. For more information on that process, see Implementing security for communication legs.