
Use this procedure to configure a Network Shell client so it can run in proxy mode — that is, so it can communicate with servers using a Network Shell proxy server. This topic describes the settings you must add to the secure file for a client installation.

Additionally, if you plan to run Network Shell and BLCLI scripts unattended on this client machine, this procedure includes steps to ensure that the scripts have access to valid SSO session credentials. You can use the blcred utility to authenticate a user and acquire a new session credential. For a complete description of blcred, see the blcred man page.

Note

To use the blcred utility, you must have the BMC Server Automation Console installed.

To set up a Network Shell client to run in proxy mode

  1. Start Network Shell for a client installation and use the secadmin utility to create an entry in the secure file that specifies the following:
    • auth_profile=<authProfile>, where <authProfile> is the name of the authentication profile that holds a description of the Authentication Service from which the required session credential should be issued and the authentication mechanism that was used to authenticate the user when the session credential was acquired.
      Authentication profiles are defined in the authentication profiles file. The value used for <authProfile> must match the name of an authentication profile included in that file. Note that the BL_AUTH_PROFILE_NAME environment variable can override the value of this secure file setting.
    • auth_profiles_file=<fileName>, where <fileName> is the Network Shell path to the XML file containing authentication profile definitions, such as /c/Program Files/BMC Software/BladeLogic/NSH/br/authenticationProfiles.xml. To create the authenticationProfiles.xml file, use the BMC Server Automation Console to generate authentication profiles on this client machine (see Setting up an authentication profile for details), or copy authenticationProfiles.xml from a machine where the console is installed and authentication profiles have already been created. The BL_AUTH_PROFILES_FILE environment variable can override the value of the auth_profiles_file setting in the secure file.

      The auth_profiles_file option is only necessary if you have stored the authenticationProfiles.xml file in a location other than its default location. By default, this file is located at <install_dir>/br/authenticationProfiles.xml.

    • appserver_protocol=ssoproxy
      For example, the following is a default entry in the secure file on a client machine running Network Shell:

      default:protocol=5:auth_profile=QAProfile:appserver_protocol=ssoproxy:tls_mode=encryption_only:encryption=tls

      To use the secadmin utility to generate the default entry shown above, enter the following from Network Shell:
      secadmin -m default -p 5 -auth_profile QAProfile -appserver_protocol ssoproxy -T encryption_only -e tls
      For more information about the secure file, see Configuring the secure file. For more information about secadmin, see Using the secadmin utility.

  2. Assign the NSH_PROXY.Connect authorization to any role that should be used to connect to a Network Shell proxy server.
  3. To run Network Shell and BLCLI scripts unattended from this client machine, do the following:
    1. Provide an authentication profile name that can be used to generate an SSO session credential. You can provide an authentication profile name using a command line option for blcred or by defining the BL_AUTH_PROFILE_NAME environment variable.
      You can create an authentication profile using blcred or you can create one beforehand using the BMC Server Automation Console. See Setting up an authentication profile for information about using the BMC Server Automation Console to set up authentication profiles.
    2. Provide user information required for the authentication mechanism specified in the authentication profile by doing any of the following:
      • Enter command line options to blcred that provide a user name, password, and other information required for the authentication mechanism.
      • Let the blcred utility prompt for a user name, password, and other information required for the authentication mechanism.
      • For SRP authentication, set up a keytab file called user_info.dat, which stores an encoded user name and password. For information about setting up user_info.dat, see Generating a user information file. Then use blcred with the -i parameter to obtain the SRP credentials from this file. For more information, see Using the blcred utility and the man page for the blcred command.
    3. If the user is authorized for multiple roles, make a role selection by doing one of the following:
      • Define the BL_RBAC_ROLE environment variable.
      • Let the Network Shell client (operating in proxy mode) and the BLCLI prompt the user to make a role selection after establishing an SSO session.
      • Provide a BLCLI command line option that specifies the user's role. For a script calling BLCLI, specify a role by appending -r <rolename> to the BLCLI command. When using Network Shell performance commands to run BLCLI commands, specify a role by running blcli_setoption roleName <rolename> before calling the blcli_connect or blcli_execute commands.
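
A pre-flight check for steps 1 and 3, as an added example that is not part of the BMC documentation: it parses a secure file entry in the name:key=value form shown in step 1, confirms the proxy-mode settings, and flags a missing role selection before an unattended run. The function names and the SAMPLE_ENTRY variable are hypothetical; only the setting names and environment variables come from this page.

```shell
#!/bin/sh
# Added example: pre-flight check for a proxy-mode client entry.
# Assumes entries have the "name:key=value:key=value" form shown in step 1.

# Constructed sample: the default entry from step 1, written as a single line.
SAMPLE_ENTRY='default:protocol=5:auth_profile=QAProfile:appserver_protocol=ssoproxy:tls_mode=encryption_only:encryption=tls'

# Print the value of KEY in ENTRY (empty if absent). The match is anchored on
# "KEY=", so auth_profile does not pick up auth_profiles_file.
secure_get() {
    printf '%s\n' "$1" | tr ':' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# BL_AUTH_PROFILE_NAME overrides the auth_profile setting in the secure file.
effective_auth_profile() {
    if [ -n "${BL_AUTH_PROFILE_NAME:-}" ]; then
        printf '%s\n' "$BL_AUTH_PROFILE_NAME"
    else
        secure_get "$1" auth_profile
    fi
}

# Return 0 when ENTRY is usable for proxy mode; list problems on stderr otherwise.
check_proxy_entry() {
    entry=$1
    rc=0
    if [ "$(secure_get "$entry" appserver_protocol)" != "ssoproxy" ]; then
        echo "appserver_protocol is not ssoproxy" >&2
        rc=1
    fi
    if [ -z "$(effective_auth_profile "$entry")" ]; then
        echo "no auth_profile in entry and BL_AUTH_PROFILE_NAME is unset" >&2
        rc=1
    fi
    return $rc
}

# Unattended runs: without BL_RBAC_ROLE, a user authorized for multiple roles
# is prompted for a role, which stalls a script with no terminal attached.
check_unattended_role() {
    [ -n "${BL_RBAC_ROLE:-}" ] && return 0
    echo "BL_RBAC_ROLE unset: multi-role users will be prompted" >&2
    return 1
}
```

A script that passes the role to BLCLI with -r <rolename> or blcli_setoption roleName <rolename> does not need BL_RBAC_ROLE, so treat a failure of check_unattended_role as a warning in that case.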