User accounts


The TrueSight Server Automation product creates various user accounts during component installation:

Account Name

Details

Password

Notes

BladeLogicRSCD

On a domain controller:
BladeLogicRSCDDC

  • Component: Windows RSCD Agent
  • Purpose: Run RSCD service on Windows Systems
  • Type: OS
  • Privileges : Log on as Batch Job
  • Default password: Random (24 alpha-numeric and special characters)
  • Password Change Forced: No.
    If the password is set to expire due to GPO settings, you must ensure that an NSH Script Job is created to run the chapw command periodically on all systems to reset the password before it expires. Alternatively, you can leave password expiration unset on this account and still run the chapw job periodically to reset the password, which avoids the possibility that the account is locked out by the policy.
  • Password Encryption : Windows encryption

The default random password length can be configured using the chapw/agentctl command. Refer to Changing-the-BladeLogicRSCDDC-account-password-on-domain-controllers.

The password can be changed using the chapw command. The password is stored in the registry using the CryptProtectData function.

If an Automation Principal is used exclusively, you can remove this user account using chapw.

During RSCD Agent installation on a domain controller, the user must provide a password for the BladeLogicRSCDDC user. Because the BladeLogicRSCDDC account is shared across all domain controllers in the domain, the same password must be provided when installing the RSCD Agent on all domain controllers in that domain.

truesight

  • Component: Smart Agent on supported UNIX platforms
  • Purpose: Run the Smart Agent service on UNIX systems
  • Type: OS
  • Privileges : Own application files
  • Default password: NA (locked on install)
  • Password Change Forced: NA
  • Password Encryption : NA

The account is created with a locked password. The Smart Agent process starts as the root user and immediately changes to the truesight user, so the Smart Agent runs as the truesight user most of the time. When the Smart Agent needs to perform operations that require superuser privileges, it changes to the root user to perform them, and changes back to the truesight user after they are completed.

bluser

  • Component: Application Server on Windows and Linux
  • Purpose: Run externally spawned processes
  • Type: OS
  • Privileges:
    • Owns a few application files
    • (Windows)
      Log on as a batch job
      Deny log on locally
  • Windows:
    • Default password: Random (20 alpha-numeric and special characters)
    • Password Change Forced: No.

If the password is set to expire due to GPO settings, you must ensure that the password is reset periodically before it expires, on all systems, and that the new password is updated in TSSA using blcli (see blcli LowPrivUser).

    • Password Encryption : Windows encryption
  • Linux:
    • Default password: NA (locked on install)
    • Password Change Forced: NA
    • Password Encryption : NA

This user account is used for restricting access to the Application Server file system.

On Windows, the account is created during Application Server service startup.

On Linux, the account is created during the Application Server installation.

As part of some Job executions, the Application Server needs to spawn external commands or scripts on the Application Server hosts. Wherever required, these commands or scripts are spawned with this user account so that they run with this user's privileges.

The user account gets removed during the Application Server uninstallation.

If you don’t want to use the Application Server file system access restriction feature, you can delete this user account. Later, if you want to use this feature, enable it first. After you enable it, on Linux, you need to create this user account manually. On Windows, the user account is created automatically during the Application Server service startup. For more information, see Restricting-access-to-the-Application-Server-file-system.

bladmin

  • Component: Application Server on Linux
  • Purpose: Run Application Server processes
  • Type: OS
  • Privileges : Owns application files
  • Default password: NA (locked on install)
  • Password Change Forced: NA
  • Password Encryption : NA

Account is created with a locked password.

The application server init scripts run a 'su - bladmin' to drop privileges.

Ensure that the bladmin user belongs to the bladmin primary group before upgrading the Application Server. To check if the primary group is bladmin, run the following command:
id bladmin
Sample output:
uid=54322(bladmin) gid=54331(bladmin) groups=54331(bladmin)
(the ids may vary on your system)

If that is not the primary group id, then modify the user account. Use the following sample code:
usermod -g bladmin bladmin

For a fresh installation, TrueSight Server Automation creates the bladmin user and the bladmin group.
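
A pre-upgrade audit of the Linux accounts described above, as an added example that is not part of the vendor documentation or product: it checks that bladmin's primary group is bladmin and that bladmin, bluser and truesight have locked passwords. The function names and the sample passwd/group/shadow contents are constructed for illustration; on a real host, point the functions at /etc/passwd, /etc/group and /etc/shadow (reading the last requires root).

```shell
#!/bin/sh
# Added example (not vendor code): audit the Linux accounts this page lists
# as "locked on install". Files are passwd/group/shadow format; pass "-" as
# the expected group to skip the primary-group check.

# primary_group USER PASSWD_FILE GROUP_FILE -> prints the primary group name
primary_group() {
    gid=$(awk -F: -v u="$1" '$1 == u { print $4; exit }' "$2")
    [ -n "$gid" ] || return 1            # user not present
    awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$3"
}

# password_locked USER SHADOW_FILE -> 0 if the hash field starts with ! or *
password_locked() {
    field=$(awk -F: -v u="$1" '$1 == u { print $2; exit }' "$2")
    case "$field" in
        '!'*|'*'*) return 0 ;;
        *) return 1 ;;                   # real hash, empty field, or no entry
    esac
}

# audit_account USER EXPECTED_GROUP PASSWD GROUP SHADOW -> one finding line
audit_account() {
    grp=$(primary_group "$1" "$3" "$4") || { echo "$1: missing"; return 0; }
    findings=""
    [ "$2" = "-" ] || [ "$grp" = "$2" ] || findings=" primary_group=$grp"
    password_locked "$1" "$5" || findings="$findings password_not_locked"
    echo "$1:${findings:- ok}"
}

# Constructed sample data: bladmin has the wrong primary group and bluser
# has a usable password hash, the two conditions the audit should flag.
write_sample() {
    printf '%s\n' 'bladmin:x:54322:100::/home/bladmin:/bin/bash' \
        'bluser:x:54323:54332::/home/bluser:/sbin/nologin' \
        'truesight:x:54324:54333::/home/truesight:/sbin/nologin' > "$1/passwd"
    printf '%s\n' 'users:x:100:' 'bladmin:x:54331:' 'bluser:x:54332:' \
        'truesight:x:54333:' > "$1/group"
    printf '%s\n' 'bladmin:!!:19000:0:99999:7:::' \
        'bluser:$6$constructed$notARealHash:19000:0:99999:7:::' \
        'truesight:!:19000::::::' > "$1/shadow"
}

d=$(mktemp -d) && write_sample "$d"
audit_account bladmin bladmin "$d/passwd" "$d/group" "$d/shadow"
audit_account bluser - "$d/passwd" "$d/group" "$d/shadow"
audit_account truesight - "$d/passwd" "$d/group" "$d/shadow"
```

A bladmin finding of primary_group=... is the condition the usermod command above corrects before an upgrade.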

BladeLogic

  • Component: Oracle Database
  • Purpose: All Application Server to DB communication happens as this account
  • Type: Database
  • Default password: Configurable during install by DBA
  • Password Change Forced: Dependent on DB password policy
  • Password Encryption : DB default

 

BLAdmin

  • Component: TrueSight Server Automation Application
  • Purpose: Initial Application Administrator account
  • Type: Application
  • Privileges : Full access to all resources granted via Role. Implicit Read on all objects
  • Default password: No
  • Password Change Forced: Configurable in application settings (blasadmin / link)
  • Password Encryption : Non-reversible Hash stored in the database

During install the BLAdmin account is created. The password for BLAdmin is mandatory and must be provided for a successful installation.

Because TrueSight Server Automation assigns permissions via the role (RBAC), this account can be locked or disabled (as long as there are other accounts in this role); there is nothing inherently 'special' about this account.

RBACAdmin

  • Component: TrueSight Server Automation Application
  • Purpose: Initial Application Administrator account
  • Type: Application
  • Privileges : Full access to all RBAC objects and implicit Read and ModifyAcls on all objects
  • Default password: No
  • Password Change Forced: Configurable in application settings (blasadmin / link)
  • Password Encryption : Non-reversible Hash stored in DB

During install the BLAdmin account is created. The password for RBACAdmin is mandatory and must be provided for a successful installation.

Because TrueSight Server Automation assigns permissions via the role (RBAC), this account can be locked or disabled (as long as there are other accounts in this role); there is nothing inherently 'special' about this account.

TrueSight Server Automation uses various accounts during operation:

Account Name

Details

Password

Notes

SYSTEM

  • Component: RSCD Agent on Windows
  • Purpose: RSCD Agent runs as this user
  • Type: OS
  • Privileges: As defined by Operating System Administrator
  • Default Password: NA
  • Password Change Forced: NA
  • Password Encryption: NA

The RSCD service operates under the SYSTEM account, and during execution, establishes mappings to configured user accounts as discussed in Impersonation-and-privilege-mapping.

root

  • Component: RSCD Agent on UNIX
  • Purpose: RSCD Agent runs as this user
  • Type: OS
  • Privileges: root
  • Default Password: NA
  • Password Change Forced: NA
  • Password Encryption: NA

The RSCD service must run as root for UPM, as discussed in Impersonation-and-privilege-mapping. The password is not stored or used by the agent.

Automation Principal

  • Component: TrueSight Server Automation Application
  • Purpose: Agent installation, Target Server Access, Active Directory User Sync
  • Type: OS
  • Privileges: Log on As Batch Job
  • Default Password: NA
  • Password Change Forced: NA
  • Password Encryption: AES 128 Bit

The Automation Principal account is created by the user on the target server or Windows domain. The credentials are stored in the TrueSight Server Automation database and are used when the application is configured to use an AP for the noted purposes.

Local server account

  • Component: RSCD / UPM
  • Purpose: Actions performed via TrueSight Server Automation act as this account on the target server
  • Type: OS
  • Privileges: Whatever is required to perform the desired functions via TrueSight Server Automation
  • Default Password: NA
  • Password Change Forced: NA
  • Password Encryption: NA

The User Impersonation function is used (link) and TrueSight Server Automation does not know the account password.

bladelogic

  • Component: SqlServer Database user
  • Purpose: All Application Server to database communication happens as this account
  • Type: OS
  • Privileges: Member of the db_owner role with access to the dbo schema for the TrueSight Server Automation Database (for more information, see List of required database permissions)
  • Default Password: Configurable during install by Database Administrator
  • Password Change Forced: Dependent on database password policy
  • Password Encryption: database default

 

Application Users

  • Component: TrueSight Server Automation Application
  • Purpose: Application User accounts
  • Type: Application
  • Privileges: Defined by RBAC Administrators
  • Default Password: No
  • Password Change Forced: Configurable in application settings (blasadmin / link)
  • Password Encryption: Variable - SRP, AD

Authentication is available with the built-in SRP authentication type or configurable to external authentication sources such as LDAP, Active Directory, PKI, and RSA.

 
