Configuring the file server agent ACLs
The TrueSight Server Automation file server requires special agent ACLs because non-administrative users might require write access to the Depot storage directory on the file server. Traditionally, the file server has been configured with very open ACLs to allow for this. However, this might pose a security problem. The solution is to segregate access to the file server into internal access (when the Application Server accesses the file server while creating, modifying, or deleting objects such as a BLPackage or an NSH script) and explicit access (when you access the file server directly, such as through an NSH script or an extended object). In this way, more granular access can be granted to the TrueSight Server Automation file server storage directory in a secure fashion. For more information, see Restricting access to the file server file system.
The following example steps for the configuration of file server agent ACLs assume that you have a basic TrueSight Server Automation environment set up and configured, and you have some general knowledge of using Configuration Manager. The example shows steps for both Windows and UNIX environments.
To configure file server agent ACLs
- Create the following user accounts.
  - Create a local, low-privileged user account with read/write access to the file server storage location. Use the following example commands:
    - (Windows) net user blfsrw /add
    - (UNIX) useradd blfsrw
  - Create a local, low-privileged user account with read-only access to the file server storage location. Use the following example commands:
    - (Windows) net user blfsro /add
    - (UNIX) useradd blfsro -g blfsrw
    On UNIX, the -g blfsrw option makes blfsrw the primary group of blfsro, so the group read bits assigned in the next step give blfsro read-only access to the storage tree.
- Assign local file permissions to the Depot Store. The following examples for this step assume a file server storage location of C:\storage on Windows and /storage on UNIX; substitute the storage path of your own environment (the UNIX sample commands use /opt/bmc/bladelogic/storage).
  - Grant read/write permission to user blfsrw.
    - (Windows) Set permissions through the Security tab in the Properties dialog box.
    - (UNIX) Use the following sample command:
      chown -R blfsrw:blfsrw /opt/bmc/bladelogic/storage
      If you also need to modify the permissions on this directory, run the following commands (files become owner read/write and group read-only, directories owner read/write/search and group read/search, with no access for other users):
      find /opt/bmc/bladelogic/storage -type f | xargs -I {} chmod 640 {}
      find /opt/bmc/bladelogic/storage -type d | xargs -I {} chmod 750 {}
  - Grant read-only permission to user blfsro.
    - (Windows) Grant read-only permission to user blfsro through the Security tab in the Properties dialog box.
    - (UNIX) No separate command is needed, because blfsro reads the tree through its membership in the blfsrw group and the group bits set above.
- To enhance security on the file server, configure the following files:
  - Configure the exports file.
    An Application Server does not itself need an agent to run. It does, however, need to connect to a file server in order to run, and it is the file server that needs a valid agent. The exports file on the file server is configured differently from the exports file on a remote host: all incoming connections from the Application Servers should be mapped to the same user. This ensures that file permission issues do not arise for Console users who try to open depot objects that have inconsistent ownerships on the file server.
    Use the following sample entry:
    <application server 1>,<application server 2>,<application server n...> ro,user=blfsro
  - Configure the users.local file (on the file server only) to ensure that it contains the following entry:
    System:System rw,map=blfsrw
    Here blfsrw is the local, low-privileged user account with read and write access to the file server storage location. The System:System role:user is a built-in account that the TrueSight Server Automation Application Server uses to communicate with the file server.
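The following script is an added example and is not part of the BMC documentation or the product. It applies the UNIX-side mode layout from the permission step (files 640, directories 750) to a storage tree, audits a tree for entries that deviate from that layout, builds the exports entry that maps a list of Application Servers to the read-only user blfsro, and checks a users.local file for the System:System to blfsrw mapping. It assumes a POSIX shell with POSIX find and chmod; the storage tree, host names and file contents are constructed for the demo, and the chown -R blfsrw:blfsrw step is omitted because it needs root and the demo is meant to run unprivileged.

```shell
#!/bin/sh
# Added example, not from the BMC page: apply and audit the documented UNIX
# mode layout for the file server storage tree, and check the exports and
# users.local entries. Assumptions: POSIX find/chmod; the tree, hosts and
# file contents below are constructed. Ownership (chown -R blfsrw:blfsrw)
# needs root and is left out so the demo runs as an ordinary user.

# Apply the documented mode bits to every file and directory under $1.
harden_storage() {
    find "$1" -type f -exec chmod 640 {} +
    find "$1" -type d -exec chmod 750 {} +
}

# Print the number of entries under $1 whose mode deviates from 640/750.
# Returns success only when that number is zero, so it can gate a change
# or run periodically on the file server as a drift check.
audit_storage() {
    bad=$( { find "$1" -type f ! -perm 640; find "$1" -type d ! -perm 750; } | wc -l | tr -d ' ')
    echo "$bad"
    [ "$bad" -eq 0 ]
}

# Build the exports entry that maps every listed Application Server host to
# the read-only user blfsro, in the form of the page's sample entry.
exports_line() {
    hosts=$(printf '%s,' "$@")
    printf '%s ro,user=blfsro\n' "${hosts%,}"
}

# Succeed when the users.local file at $1 maps the built-in System:System
# role:user to blfsrw with read/write access.
users_local_ok() {
    grep -Eq '^System:System[[:space:]]+rw,map=blfsrw[[:space:]]*$' "$1"
}

# Demo against a constructed tree that starts out world-writable, like a
# legacy file server configured with very open ACLs.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/storage/depot/pkg1"
    printf 'constructed payload\n' > "$tmp/storage/depot/pkg1/script.nsh"
    chmod 777 "$tmp/storage/depot" "$tmp/storage/depot/pkg1/script.nsh"
    echo "deviations before hardening: $(audit_storage "$tmp/storage")"
    harden_storage "$tmp/storage"
    echo "deviations after hardening:  $(audit_storage "$tmp/storage")"
    exports_line appserver1.example.com appserver2.example.com
    printf 'System:System rw,map=blfsrw\n' > "$tmp/users.local"
    users_local_ok "$tmp/users.local" && echo "users.local: System:System mapped to blfsrw"
    rm -rf "$tmp"
}

demo
```

The audit deliberately uses exact-mode matching (`! -perm 640`, `! -perm 750`) rather than "at least these bits", so a file that is more open than the documented layout, such as a depot object left group-writable, is reported as a deviation and not silently accepted.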