Skip to Content

Best Practices for securing BMC TrueSight Server Automation

BMC recommends implementing the following best practices and security hardening measures for TrueSight Server Automation. The table following, later shows recommendations for securing various system components.

Component	Recommendation
Remote Console Protocol (RCP) Security	Restrict Access: The RCP console should only be accessible from a terminal server, which provides and additional layer of authorization and allows the administrator to limit connectivity to the application servers. Enforce Secure Communication: All RCP-to-app server connections must use TLS 1.2 to make sure encrypted communication. (bladsadmin EnabledSecureProtocols setting: Configuring the TLS protocol - BMC Documentation)
TrueSight Server Automation User Authentication & Authorization	Use External Authentication: Where possible, prefer using Active Directory (AD), LDAP, or other external authentication providers for user verification rather than relying on built-in authentication. https://docs.bmc.com/xwiki/bin/view/Automation-DevSecOps/Server-Automation/TrueSight-Server-Automation/tssa244/Configuring-after-installation/Administering-security/Implementing-authentication/ Secure Built-in Authentication: If Secure Remote Password (SRP) is used, make sure: Set various password complexity and aging values: Setting logon requirements - BMC Documentation
Remote System Call Daemon (RSCD) Security	Review Securing the RSCD Agent: Walkthrough: Securing an RSCD agent - BMC Documentation. Never include a wildcard () or allow user=root or unrestricted (rw) access. Restrict Users File:* The user’s file should contain nousers as the default setting to prevent unauthorized user mappings. Regularly push Access Control Lists (ACLs) to enforce security policies. Configuring the users or users.local files - BMC Documentation Minimize users.local entries: users.local should have only minimal entries, ideally used only for recovering from a bad ACL push. Secure Communications: TLS 1.2 should be enforced for secure communication. (blasadmin EnabledRscdProtocols) Configuring the TLS protocol - BMC Documentation Consider setting up X.509 certificate authentication for additional security. https://docs.bmc.com/xwiki/bin/view/Automation-DevSecOps/Server-Automation/TrueSight-Server-Automation/tssa244/Configuring-after-installation/Administering-security/Implementing-security-for-communication-legs/ Restrict Root Access: If all users map to root, enable the root-only mode of the RSCD agent to prevent unintended privilege escalation. Managing world writable permissions of files and directories in TrueSight Server Automation - BMC Documentation Network-Level Security: Configure host-based firewalls to allow connections to the RSCD port only from the TSSA infrastructure, reducing the risk of unauthorized access.
Application Server	Use strong cryptographic ciphers and enforce TLS 1.2 for all connections. Restrict local system access to OS administrators only. Do not install the RCP console on an application server or use it as a jump host. Enable the lowpriv account. Restricting access to the Application Server file system - BMC Documentation Regularly update security certificates. Implementing private certificates in TrueSight Server Automation - BMC Documentation Restrict app server port access to TSSA users via network or host-based firewalls. Enable TLSv1.2 for other communication legs: Configuring the TLS protocol - BMC Documentation
Database	Encrypting your database connection - BMC Documentation
Remote Site Access	Remote sites should use a SOCKS proxy as a single point of entry. Consider implementing a repeater for payload caching.

Last modified by Dhiraj Mali on 2026/04/13 13:56

Was this page helpful? Submitting... Thank you

‹ Smart Hub to Application Server and Smar... Installing ›

© Copyright 2026 BMC Software, Inc.

TrueSight Server Automation 26.1