Note: This version of the documentation is no longer supported, but it remains available for your convenience.

Options for the secure file


The following table lists the fields that you can include in entries in the secure file.

For each of the listed field options, the Applicability column specifies whether the option applies to RSCD agents, to NSH clients (such as the Network Shell, the BMC Server Automation Console, and the Application Server), or to both RSCD agents and NSH clients. An option's applicability determines the types of entries in which it can be included:

  • Options that apply to RSCD agents can be included in the rscd entry in the secure file.
  • Options that apply to NSH clients can be included in the default entry or in a host entry.

Each entry below gives the option, its applicability, and a description.

appserver_protocol=<protocol>
  Applicability: NSH client
  Description: Specifies the authentication protocol used when communicating with a Network Shell proxy server. For more on Network Shell proxy servers, see Setting-up-a-Network-Shell-proxy-server. You can set <protocol> to ssoproxy, which specifies that single sign-on functionality should be used when communicating with the Network Shell proxy server. ssoproxy is the default value for appserver_protocol.

compression=<value>
  Applicability: NSH client
  Description: Sets a data compression level. By default, data is not compressed. If you want to use data compression, set <value> to a number between 1 and 9, where a greater number calls for better compression. Be aware, however, that better compression is more CPU intensive. Typically you should use compression when communicating through a thin pipe. In a LAN environment the overhead required for compressing and uncompressing data is usually greater than the time saved transferring compressed data.

encryption=<type>
  Applicability: NSH client, RSCD agent
  Description: Determines the type of data encryption that should be used. Set this field to tls, which specifies that BMC Server Automation should automatically negotiate an encryption method (usually AES).

host=<value>
  Applicability: NSH client, RSCD agent
  Description: Use depends on whether the secure file entry defines the special host name rscd:
    • When applied to the rscd entry, the host= field determines the address on which the agent listens for client connections. If a system has a single NIC, you do not have to set this field because the agent automatically listens on the default system NIC (address). The host= field should only be used on systems with multiple NICs (real or virtual), so that you can select the NIC (address) on which the RSCD agent should listen.
    • When applied to a non-rscd entry, the host= field can be used to redirect data between hosts. If the remote daemon to which the data is being sent is not another RSCD daemon, then it is the responsibility of that remote daemon to forward the data to an RSCD daemon and to return any data the RSCD daemon sends back.

keepalive=<value>
  Applicability: RSCD agent
  Description: Specifies whether the agent should send TCP keep-alive messages to the other side of a connection. If keep-alive messages are sent, the connecting system notices the death of a connection or a machine crash. If TCP keep-alives are not sent, sessions might hang indefinitely, leaving hung processes or threads on the agent. Possible values for this field are yes or no. The default value, if unset, is yes.

client_keepalive_time=<value in seconds>
  Applicability: NSH client
  Description: Specifies the interval at which the client sends a keepalive message to the target server, to ensure that the NSH to RSCD connection remains alive and is not killed due to a connection timeout. This setting is required only on the client side (it is not required on the remote target that runs the RSCD agent). The value must be an integer (the interval length in seconds) or zero (no keepalive messages sent).

lock=<value>
  Applicability: RSCD agent
  Description: Determines the maximum number of bad connections allowed from a source address before the address is locked. A bad connection can happen if encryption is not set up properly or a particular host is not granted access. The address is locked for a period of time defined by the unlock= field (see below). <value> must be a non-zero positive number.

port=<value>
  Applicability: NSH client, RSCD agent
  Description: Redirects data to a port other than the default port of 4750. On most UNIX systems, access to port numbers under 1024 requires root permissions. When selecting an alternate port number, make sure it does not conflict with another existing service. Also, when using this field, make sure that both the client and server machines are configured to use the same port number.

protocol=<value>
  Applicability: NSH client, RSCD agent
  Description: Determines the transport protocol used for communication between BMC Server Automation applications and the RSCD agent. Protocol 5, the default protocol, uses the TLS protocol (TLS is the successor to SSL) for communication between client and server.

auth_profile=<profile>
  Applicability: NSH client
  Description: Identifies the authentication profile that should be used to provide session credentials to Network Shell when communicating with a Network Shell proxy server. If you need to use multiple Network Shell proxy servers, you can set up a different secure file entry for each profile. Using the BL_AUTH_PROFILE_NAME environment variable, you can override the value defined with this field. For more on Network Shell proxy servers, see Setting-up-a-Network-Shell-proxy-server.

auth_profiles_file=<filename>
  Applicability: NSH client
  Description: Provides the Network Shell path to the file containing authentication profile definitions, which are necessary when Network Shell communicates with a Network Shell proxy server. Using the BL_AUTH_PROFILES_FILE environment variable, you can override the value defined with this option. For more on Network Shell proxy servers, see Setting-up-a-Network-Shell-proxy-server.

timeout=<secs>
  Applicability: NSH client
  Description: Sets the maximum number of seconds that a client waits when first contacting a remote server before giving up. The default value is 30 seconds. Without this option, the TCP protocol might continue to contact an offline or unavailable server for several minutes before finally giving up and reporting that the server is unavailable. This timeout mechanism is implemented within the BMC Server Automation code and does not in any way alter system-wide TCP parameters. If the operating system has an effective TCP timeout shorter than the value defined here, the OS value takes precedence.

tls_mode=<value>
  Applicability: NSH client, RSCD agent
  Description: Specifies one of the following values when using protocol 5:
    • encryption_only — Use the TLS protocol to autonegotiate an encryption type (that is, a cipher) and then use that cipher to communicate. Client-side authentication and certificates are not required.
    • encryption_and_auth — Use TLS for encryption and client-side authentication. This option requires a certificate. For more on certificates, see Implementing-security-Application-Server-to-agents-or-repeaters.

unlock=<value>
  Applicability: RSCD agent
  Description: Works in conjunction with the lock= field, which lets you lock out IP addresses that repeatedly fail to connect to the RSCD agent. These failures are limited to encryption misconfigurations and host authorization errors. With the unlock= field, you specify how many minutes the IP address stays locked before connection attempts are allowed to resume. If <value> is a negative number, the IP address stays locked until the RSCD agent is restarted. The default value for unlock= is 1 minute.

x11_fwd=<on | off>
  Applicability: RSCD agent
  Description: Turns X11 forwarding on or off for this agent. By default this field is set to on and X11 forwarding is enabled. For more information about X11 forwarding, see Using-X11-forwarding-to-run-programs-remotely-via-NSH.

x11_port_offset=<value>
  Applicability: RSCD agent
  Description: Defines an offset from 6000; together these values specify the port that the agent binds to for X11 forwarding. By default, X11 forwarding starts at port 6010 (6000 plus an offset of 10). Each new connection afterwards increments the offset by one (that is, 6011, 6012, and so forth).
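As an added example (not part of this documentation or of BMC Server Automation), the following Python lint checks a secure file against the applicability and value rules from the table above: RSCD-only options in a default or host entry, client-only options in the rscd entry, out-of-range compression and lock values, privileged ports, and unknown option names. It assumes the entry syntax <entry>:<key>=<value>:<key>=<value>, one entry per line, with # starting a comment; the sample entries are constructed.

```python
# Applicability and value rules as stated in the table above.
RSCD_ONLY = {"keepalive", "lock", "unlock", "x11_fwd", "x11_port_offset"}
CLIENT_ONLY = {"appserver_protocol", "compression", "client_keepalive_time",
               "auth_profile", "auth_profiles_file", "timeout"}
BOTH = {"encryption", "host", "port", "protocol", "tls_mode"}
ENUMS = {"keepalive": ("yes", "no"), "x11_fwd": ("on", "off"), "protocol": ("5",),
         "encryption": ("tls",), "tls_mode": ("encryption_only", "encryption_and_auth")}

def check_option(entry, key, value):
    # Problems for one key=value pair inside the entry named `entry`.
    if key not in RSCD_ONLY | CLIENT_ONLY | BOTH:
        return [f"{entry}: unknown option '{key}'"]
    problems = []
    if entry == "rscd" and key in CLIENT_ONLY:
        problems.append(f"rscd: '{key}' applies only to NSH client entries")
    if entry != "rscd" and key in RSCD_ONLY:
        problems.append(f"{entry}: '{key}' applies only to the rscd entry")
    if key in ENUMS and value not in ENUMS[key]:
        problems.append(f"{entry}: {key}={value!r} must be one of {ENUMS[key]}")
    elif key == "compression" and not (value.isdigit() and 1 <= int(value) <= 9):
        problems.append(f"{entry}: compression must be 1-9, got {value!r}")
    elif key == "lock" and not (value.isdigit() and int(value) > 0):
        problems.append(f"{entry}: lock must be a positive number, got {value!r}")
    elif key == "port" and not (value.isdigit() and 1024 <= int(value) <= 65535):
        problems.append(f"{entry}: port {value!r} is invalid or privileged (<1024)")
    elif key in ("timeout", "client_keepalive_time", "x11_port_offset") and not value.isdigit():
        problems.append(f"{entry}: {key} must be a non-negative integer, got {value!r}")
    return problems

def lint_secure_file(text):
    # Assumed entry syntax: <entry>:<key>=<value>:<key>=<value>...  ('#' starts a comment)
    problems = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry, _, rest = line.partition(":")
        for field in filter(None, rest.split(":")):
            key, eq, value = field.partition("=")
            if not eq:
                problems.append(f"{entry}: field {field!r} is not key=value")
            else:
                problems.extend(check_option(entry, key, value))
    return problems

# Constructed sample: valid rscd and default entries, plus a host entry with two errors.
SAMPLE = ("rscd:port=4750:protocol=5:tls_mode=encryption_and_auth:encryption=tls:lock=5:unlock=15\n"
          "default:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls:timeout=30\n"
          "buildhost:port=4750:protocol=5:tls_mode=encryption_only:compression=12:lock=3\n")
```

Running lint_secure_file(SAMPLE) reports only the buildhost entry: compression=12 is out of range and lock= belongs in the rscd entry.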
