Important

   

Starting version 8.9.03, BMC Server Automation is renamed to TrueSight Server Automation. This space contains information about BMC Server Automation 8.9.02 and previous versions. For TrueSight Server Automation 8.9.03 and later releases, see TrueSight Server Automation 8.9.

Walkthrough: Securing an RSCD agent

This topic walks you through the process of securing an RSCD agent on a managed server so only authorized users of BMC BladeLogic Server Automation can perform actions on the server. The topic consists of the following sections:

Introduction

Today, all IT departments are justifiably concerned about the security of their computing environments. Recognizing those concerns, BMC recommends you control access to all servers managed with BladeLogic. By taking the steps described in this walkthrough, you can ensure that only authorized BladeLogic users can access and control RSCD agents installed on managed servers.

What does this walkthrough show?

There are several tasks necessary to secure an RSCD agent. Each task corresponds to one of the sections below.

  • Create an exports file that controls access from BladeLogic client machines that communicate with agents. Typically an exports file sets global permissions for all users on BladeLogic client machines. The exports file is a simple text file that you can edit with a text editor.
  • Define a File Deploy Job to deploy the exports file to RSCD agents that must be secured. This example deploys the exports file to Windows servers. Another File Deploy Job would be necessary to secure UNIX-style servers.
    You can also use a Deploy Job to deploy either a complete exports file or entries from an exports file, but for the sake of simplicity, this walkthrough shows how to use a File Deploy Job.
  • Set up a regularly scheduled ACL Push Job that pushes access controls to a server. In BladeLogic, you specify which users have access permissions to servers. To ensure that only those designated users can access the specified servers, you can run an ACL Push Job, which converts the server access permissions into a users configuration file on each server. The users file controls which users have access to a server. 

What do I do to get started?

For this walkthrough, we have logged on as BLAdmin, the default superuser for BSA. In live deployments, BMC recommends that you grant access based on roles with a narrower set of permissions

How to create an exports file to secure an RSCD agent

StepProcedureExample screen

1

Using a text editor, open a document and create an entry that controls access from the Application Server. A typical entry is shown at right. The entry grants read and write permissions to users from a machine with the specified IP address. In this case, the IP address is the address of the primary Application Server.

Instead of an IP address, you can use the Application Server's fully qualified name or alias, but an IP address does not require the involvement of a DNS server, which can sometimes be a point of failure.
The comment line shown at right is not required; it is added here to improve the readability of the file.

#Primary Application Server
10.20.21.101 rw
2

If you have additional Application Servers, create similar entries for them.

#Secondary Application Servers
10.20.21.102 rw
10.20.21.103 rw
3Create entries for any repeaters that are being used to relay information to the RSCD agent. 
#Repeaters
10.20.21.190 rw
4If you are using a SOCKS proxy server, add another entry for the SOCKS proxy.
#SOCKS Proxy Server
10.20.21.220 rw
5

Save the file in a temporary location. The file should be called exports.

At right we see the full text of the file.

Warning

Never use broad permissions such as * rw,user=root|Administrator.

The point of this walkthrough is to create a narrow set of permissions targeted only at users on the client machines that could potentially communicate with the RSCD agent.

#Primary Application Server
10.20.21.101 rw
 
#Secondary Application Servers
10.20.21.102 rw
10.20.21.103 rw
 
#Repeaters
10.20.21.190 rw
 
#SOCKS Proxy Server
10.20.21.220 rw

How to deploy the exports file with a File Deploy Job

StepProcedureExample screen

1

In the BMC Server Automation Console, expand the Jobs folder and navigate to a folder where you can create a File Deploy Job. Select the folder, right-click, and select New > File Deploy Job.
The job you are creating will deploy the exports file to a collection of Windows servers.

2

On the General panel of the File Deploy Job wizard, perform the following steps:

  1. For Name, enter a name for the job.
  2. For Source, click the browse icon and navigate to the exports file you created in the procedure described above.
  3. For Destination, click the browse icon and navigate to the location where the exports file should be deployed. The path must be entered using an NSH-style path.
    On modern Windows servers, the location (when entered in NSH style) is /C/Windows/rsc.
  4. Click Next.

3

On the Targets panel:

  1. Select the servers or server groups where you want to deploy the exports file.
    In this example, we select a server group containing all Windows servers.
  2. Click Next four times to display the Schedules panel.
4

On the Schedules panel:

  1. Select Execute job now.
  2. Click Finish to begin executing the job.
5

When the job completes:

  1. Navigate to the job in the Jobs folder, right-click, and select Show Results. The pane at right shows the results of the File Deploy Job. Check the results to be sure the job executed successfully.
  2. In the results pane, select the job run and check the list of servers to which the file was deployed to ensure that the file successfully deployed to all targets.

Note: This example demonstrates how to perform a File Deploy Job on Windows servers. Another job is necessary to deploy the exports file to Linux and UNIX-style servers.

How to run a regularly scheduled ACL Push Job

StepProcedureExample screen

1

In BMC Server Automation Console, expand the Jobs folder and navigate to a folder where you can create an ACL Push Job. Select the folder, right-click, and select New > Administration Task > ACL Push Job.

2On the General panel of the ACL Push Job wizard, enter a name for the job. Then click Next.
3

On the Targets panel:

  1. Select the servers or server groups to which you want to push ACLs.
    In this example, we select a server smart group for all servers.
  2. Click Next twice to display the Schedules panel.
4

On the Schedules panel:

  1. Click Execute job now so we can immediately push the ACLs. After the job runs immediately, it will continue to run according to the schedule we define in the following steps.
  2. Click the New Schedule icon .
  3. Define a schedule that runs every Monday at 1 AM Eastern Standard Time.
    1. Click Weekly.
    2. Set the time to 1:00.
    3. Click Monday.
    4. For Time Zone, select America/New York (Eastern Standard Time).
  4. Click OK. The schedule appears in the list of schedules.
5

When the job completes, navigate to the job in the Jobs folder, right-click, and select Show Results. The pane at right shows the results of the ACL Push Job. Check the results to be sure the job executed successfully on all servers.

Where to go from here

Another measure to consider when securing RSCD agents is requiring agents to authenticate X509 certificates during communication with other BladeLogic components. For more information on that process, see Implementing security for communication legs.

Was this page helpful? Yes No Submitting... Thank you

Comments