Important

   

This space contains documentation for TrueSight Server Automation 8.9.03 and the later service packs for 8.9. For earlier releases, see BMC Server Automation 8.9.

Configuring the file server agent ACLs

The TrueSight Server Automation file server requires special agent ACLs because non-administrative users might require write access to the Depot storage directory on the file server. Traditionally, the file server has been configured with very open ACLs to allow for this. However, this might pose a security problem. The solution is to use property values for the RBAC Role mapping to give non-administrative users write access to the Depot file storage location. In this way, more granular access can be granted to the TrueSight Server Automation file server storage directory in a secure fashion.

The following example steps for the configuration of file server agent ACLs assume that you have a basic TrueSight Server Automation environment set up and configured, and you have some general knowledge of using Configuration Manager. The example shows steps for both Windows and UNIX environments.

Note

In some cases, depending on your specific environment, it might be necessary to create multiple properties to map RBAC roles to.

Before You Begin

Determine which RBAC Roles need administrative access to the file server, and which roles need write access to the Depot storage location but do not need administrative access to the file server itself.

ACLs should NEVER be pushed to the file server. Doing so causes various product operations to break, in addition to preventing the application server from starting. When setting up your ACL Push Job, run the job against an Alive Servers smart group that excludes the file server from the smart group. For more information about managing File Server ACLs, see How to configure two RSCD agents on a single host.

To configure file server agent ACLs

  1. Create a local, non-privileged user account with read/write access to the file server storage location. Use the following example commands:
    • (Windows) net user blfsrw /add
    • (UNIX) useradd blfsrw
  2. Assign local file permissions to the Depot Store. The following examples for this step assume a file server storage location of C:\storage on Windows and /storageon UNIX.
    • (Windows) Set permissions through the Security tab in the Properties dialog box.
    • (UNIX) Use the following sample command: chown -R blfsrw /storage
      If you also need to modify the permissions on this directory, run the following commands:

      find /storage -type f | xargs -i chmod 644 {}
      find /storage -type d | xargs -i chmod 755 {}
      
  3. To enhance security on the file server, configure the following files:
    1. Configure the exports file.
      An Application Server does not need an agent to run. An Application Server needs to connect to a File Server in order to run, and it is the file server that needs a valid and licensed agent. The exports file on the file server is configured differently from the exports file on a remote host, as all incoming connections from the Application Servers should be mapped to the same user. This ensures that file permission issues do not arise for Console users that try to open depot objects that have inconsistent ownerships on the file server.
      Use the following sample code:
      <application server 1>,<application server 2>,<application server n...> rw,user=blfsrw

      Note

      • To ensure a more secure environment, allow incoming connections only from the Application Server.
      • To specify Application Servers, you can use either DNS names or IP addresses.
    2. Configure the users.local file to ensure that it contains the following code (on the file server only):
      System:System rw,map=<root|Administrator>
      Where root or Administrator is the local administrator account. The System:System role:user is an internal account that the TrueSight Server Automation Application Server will use to initially communicate with the file server while the application server processes start up.

      Note

      For the file server, do not include the nouser entry in the users.local file or in the users file. For more information about the options in the users.local and users files, see Configuring the users or users.local files.

Was this page helpful? Yes No Submitting... Thank you

Comments