Configuring the Infrastructure Blackout Window

The Infrastructure Blackout Window provides a controlled maintenance mode that temporarily restricts user logins and job execution across the TrueSight Server Automation (TSSA) environment. RBACAdmins use the Infrastructure Blackout Window during planned maintenance, upgrades, or validation activities to control system access. It prevents unintended operations by blocking access and job execution for all denylisted users while allowing explicitly authorized users or roles to perform required tasks. The Infrastructure Blackout Window applies across all the following application servers and access channels:

TrueSight Server Automation Console (RCP)
BLCLI
REST APIs
SOAP APIs

Considerations during the active Infrastructure Blackout period

When the Infrastructure Blackout Window is active, the following protocols are established to ensure security and maintain system integrity:

Only users or roles defined in the allowlist can log in. Login attempts by users in the denylist are rejected with a maintenance message.
For users on the denylist, existing user sessions remain active but are restricted from executing blocked operations.
Scheduled jobs for users in the denylist do not start, and manual job execution is blocked.
Jobs that are already running will continue until they are completed. However, jobs that were skipped will not be automatically rerun after the blackout period ends.
Configuration persists across application server restarts. However, allowlist updates always overwrite the existing configuration.
Configuration, enablement, and disablement of the Infrastructure Blackout Window are supported only through BLCLI.
Job execution denial messages are not customizable.

To assign required authorizations

RBAC authorizations govern the configuration and management of the Infrastructure Blackout Window, and these permissions are granted to users through the RBACAdmin or a user with RBAC permissions.

Log in to TrueSight Server Automation as an RBAC administrator.
Create a new role or select an existing role.
Assign one of the following authorizations to the role:
- InfraBlackoutWindow.Modify (Allows configuration, enable, and disable operations)
- InfraBlackoutWindow.* (Provides complete control, including read and modify permissions)
- InfraBlackoutWindow.Read (Allows to view blackout window status, allowlist, and message.)
Assign the role to the user who will manage the Infrastructure Blackout Window.

Important:
Only users with Modify or * authorization can enable or disable the Infrastructure Blackout Window.

To configure allowlisted users or roles

Define the users or roles that are allowed to log in and execute jobs during the Infrastructure Blackout Window.

To configure allowlisted users or roles, open a BLCLI session and run the following command:

blcli InfraBlackoutWindow setAdmins "<RoleName:UserName>;<RoleName:UserName>;<RoleName:*>"

Follow these rules when specifying entries:

Use the format RoleName:UserName.
Do not include spaces before or after the colon (:).
Separate multiple entries using a semicolon (;).
Use RoleName:* to allow all users in a role.

The command replaces any existing allowlist configuration.

Important:
Semicolons are required as separators because LDAP user names can contain commas.

2. Verify the configured allowlist by running the following command:

blcli InfraBlackoutWindow getAdmins

(Optional) To configure a custom login message

Configure a message to display when denylisted users attempt to log in during the blackout window by entering the following command.

blcli InfraBlackoutWindow setMessage "<custom message>"

2. To restore the default system message, run the following command:

blcli InfraBlackoutWindow setMessage ""

Important:
Job execution denial messages are system-generated and cannot be customized.

To enable the Infrastructure Blackout Window

Enable the blackout window by running the following command.

blcli InfraBlackoutWindow enable true

2. Verify that the blackout window is enabled by running the following command.

blcli InfraBlackoutWindow isEnabled

Important:
The user who enables the blackout window is automatically added to the allowlist to prevent administrative lockout.

To monitor behavior during the Infrastructure Blackout Window

Monitor enforcement and failures by reviewing the job logs, appserver.log, and blcli.log.

Important:
While the Infrastructure Blackout Window is active, do not attempt to modify the allowlist (modification is blocked).

2. Verify that denylisted login and job execution attempts are rejected as expected.

To verify that the Infrastructure Blackout Window is enforced correctly, attempt to log in and run a job using a user not on the allowlist, and confirm that the login is denied.

To disable the Infrastructure Blackout Windows

Disable the blackout window after maintenance is complete by running the following command.

blcli InfraBlackoutWindow enable false

Standard login and job execution resume immediately.

Patch job behavior during the blackout window

Issue symptom

When the Infrastructure Blackout Window is enabled while a Patch Analysis job with remediation is running, the remediation phase may be blocked. The parent Patch Analysis job may appear completed or may not show a failure icon, while the job run details indicate Completed with Errors. The job logs and appserver.log report that execution was denied due to an active Infrastructure Blackout Window.

Issue scope

This issue affects how the job status is displayed in the user interface. It does not impact system behavior or enforcement of the Infrastructure Blackout Window.