Configuring the Infrastructure Blackout Window


The Infrastructure Blackout Window provides a controlled maintenance mode that temporarily restricts user logins and job execution across the TrueSight Server Automation (TSSA) environment. Administrators can use the Infrastructure Blackout Window during planned maintenance, upgrades, or validation activities to control system access. When enabled, the system blocks logins and job execution for unauthorized users and actively terminates their existing sessions across all supported interfaces with a message. Only explicitly authorized users or roles can log in and perform permitted operations during the Infrastructure Blackout Window.

Considerations during the active Infrastructure Blackout period

When the Infrastructure Blackout Window is active, the following protocols are established to ensure security and maintain system integrity:

  • Existing sessions of unauthorized users are automatically terminated when the Infrastructure Blackout Window is enabled.
  • Session invalidation is enforced across all supported interfaces, including the TrueSight Server Automation Console (RCP), BLCLI, REST APIs, and SOAP APIs.
  • Scheduled jobs for unauthorized users do not start, and manual job execution is blocked.
  • Jobs that are already running when the Infrastructure Blackout Window is enabled continue to completion. Jobs that are skipped are not automatically rerun after the Infrastructure Blackout Window ends.
  • Configuration persists across application server restarts. Updating the authorized user list replaces the existing configuration.
  • The Infrastructure Blackout Window can be configured and managed only through BLCLI.
  • Job execution denial messages are system-generated and cannot be customized.

Behavior by interface

InterfaceBehavior
RCP (Console)Displays a session invalidation message and redirects the user to the login screen.
BLCLIConnection is reset; next command fails and requires re-login.
REST APIsNext requests return an invalid session error.
SOAP APIsNext requests return an invalid session error.

To assign required authorizations

RBAC authorizations govern the configuration and management of the Infrastructure Blackout Window, and these permissions are granted to users through the RBACAdmin or a user with RBAC permissions. 

  1. Log in to TrueSight Server Automation as an RBAC administrator.
  2. Create a new role or select an existing role.
  3. Assign one of the following authorizations to the role:
    •  InfraBlackoutWindow.Modify  (Allows configuration, enable, and disable operations)
    • InfraBlackoutWindow.*  (Provides complete control, including read and modify permissions)
    • InfraBlackoutWindow.Read (Allows to view Infrastructure Blackout Window status, list of authorized users, and message.)
  4. Assign the role to the user who will manage the Infrastructure Blackout Window.    

Important:
Only users with Modify or * authorization can enable or disable the Infrastructure Blackout Window.

To configure authorized users or roles

Define the users or roles that are allowed to log in and execute jobs during the Infrastructure Blackout Window.

  1. To configure authorized users or roles, open a BLCLI session and run the following command:
blcli InfraBlackoutWindow setAdmins "<RoleName:UserName>;<RoleName:UserName>;<RoleName:*>"

     Follow these rules when specifying entries:              

  • Use the format RoleName:UserName. 
  • Do not include spaces before or after the colon (:).
  • Separate multiple entries using a semicolon (;).
  • Use RoleName:* to allow all users in a role.                    

The command replaces any existing authorized users' configuration.

Important: 
Semicolons are required as separators because LDAP user names can contain commas.

       2. To Verify the configured authorized users' list run the following command:

blcli InfraBlackoutWindow getAdmins

(Optional) To configure a custom login message

  1. To configure a message to display when unauthorized users attempt to log in during the Infrastructure Blackout Window, run the following command:
blcli InfraBlackoutWindow setMessage "<custom message>"

       2. To restore the default system message, run the following command:

blcli InfraBlackoutWindow setMessage ""

Important: 
Job execution denial messages are system-generated and cannot be customized.

To enable the Infrastructure Blackout Window

  1. To enable the Infrastructure Blackout Window, run the following command:
blcli InfraBlackoutWindow enable true

      2. To verify that the Infrastructure Blackout Window is enabled, run the following command:

blcli InfraBlackoutWindow isEnabled

Result:

  • Unauthorized users cannot log in.
  • Job execution is blocked for unauthorized users.
  • Existing sessions of unauthorized users are automatically terminated.

Important: 
The user who enables the Infrastructure Blackout Window is automatically added to the list of authorized users to prevent administrative lockout. 

To monitor behavior during the Infrastructure Blackout Window

  1. To monitor enforcement and failures, review the job logs, appserver.log, and blcli.log.

Important:
While the Infrastructure Blackout Window is active, do not attempt to modify the list of authorized users, as modifications are blocked.

      2. Verify that unauthorized login and job execution attempts are rejected as expected.

To verify that the Infrastructure Blackout Window is enforced correctly, attempt to log in and run a job using a user not on the authorized users list, and confirm that the login is denied. If an unauthorized user is already logged in when the Infrastructure Blackout Window is enabled, confirm that the session is terminated and that the user must log in again.

To disable the Infrastructure Blackout Windows

To disable the Infrastructure Blackout Window after maintenance is complete, run the following command:

blcli InfraBlackoutWindow enable false

Standard login and job execution resume immediately, and users who were previously logged out can log in again.

Patch job behavior during the Infrastructure Blackout Window

Issue symptom

When the Infrastructure Blackout Window is enabled while a Patch Analysis job with remediation is running, the remediation phase may be blocked. The parent Patch Analysis job may appear completed or may not show a failure icon, while the job run details indicate Completed with Errors. The job logs and appserver.log report that execution was denied due to an active Infrastructure Blackout Window.

Issue scope

This issue affects how the job status is displayed in the user interface. It does not impact system behavior or enforcement of the Infrastructure Blackout Window.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*

TrueSight Server Automation 26.2