Configuring the Infrastructure Blackout Window
The Infrastructure Blackout Window provides a controlled maintenance mode that temporarily restricts user logins and job execution across the TrueSight Server Automation (TSSA) environment. Administrators can use the Infrastructure Blackout Window during planned maintenance, upgrades, or validation activities to control system access. When enabled, the system blocks logins and job execution for unauthorized users and actively terminates their existing sessions across all supported interfaces with a message. Only explicitly authorized users or roles can log in and perform permitted operations during the Infrastructure Blackout Window.
Considerations during the active Infrastructure Blackout period
When the Infrastructure Blackout Window is active, the following protocols are established to ensure security and maintain system integrity:
- Existing sessions of unauthorized users are automatically terminated when the Infrastructure Blackout Window is enabled.
- Session invalidation is enforced across all supported interfaces, including the TrueSight Server Automation Console (RCP), BLCLI, REST APIs, and SOAP APIs.
- Scheduled jobs for unauthorized users do not start, and manual job execution is blocked.
- Jobs that are already running when the Infrastructure Blackout Window is enabled continue to completion. Jobs that are skipped are not automatically rerun after the Infrastructure Blackout Window ends.
- Configuration persists across application server restarts. Updating the authorized user list replaces the existing configuration.
- The Infrastructure Blackout Window can be configured and managed only through BLCLI.
- Job execution denial messages are system-generated and cannot be customized.
Behavior by interface
| Interface | Behavior |
|---|---|
| RCP (Console) | Displays a session invalidation message and redirects the user to the login screen. |
| BLCLI | Connection is reset; next command fails and requires re-login. |
| REST APIs | Next requests return an invalid session error. |
| SOAP APIs | Next requests return an invalid session error. |
To assign required authorizations
RBAC authorizations govern the configuration and management of the Infrastructure Blackout Window, and these permissions are granted to users through the RBACAdmin or a user with RBAC permissions.
- Log in to TrueSight Server Automation as an RBAC administrator.
- Create a new role or select an existing role.
- Assign one of the following authorizations to the role:
- InfraBlackoutWindow.Modify (Allows configuration, enable, and disable operations)
- InfraBlackoutWindow.* (Provides complete control, including read and modify permissions)
- InfraBlackoutWindow.Read (Allows to view Infrastructure Blackout Window status, list of authorized users, and message.)
- Assign the role to the user who will manage the Infrastructure Blackout Window.
To configure authorized users or roles
Define the users or roles that are allowed to log in and execute jobs during the Infrastructure Blackout Window.
- To configure authorized users or roles, open a BLCLI session and run the following command:
Follow these rules when specifying entries:
- Use the format RoleName:UserName.
- Do not include spaces before or after the colon (:).
- Separate multiple entries using a semicolon (;).
- Use RoleName:* to allow all users in a role.
The command replaces any existing authorized users' configuration.
2. To Verify the configured authorized users' list run the following command:
(Optional) To configure a custom login message
- To configure a message to display when unauthorized users attempt to log in during the Infrastructure Blackout Window, run the following command:
2. To restore the default system message, run the following command:
To enable the Infrastructure Blackout Window
- To enable the Infrastructure Blackout Window, run the following command:
2. To verify that the Infrastructure Blackout Window is enabled, run the following command:
Result:
- Unauthorized users cannot log in.
- Job execution is blocked for unauthorized users.
- Existing sessions of unauthorized users are automatically terminated.
To monitor behavior during the Infrastructure Blackout Window
- To monitor enforcement and failures, review the job logs, appserver.log, and blcli.log.
2. Verify that unauthorized login and job execution attempts are rejected as expected.
To verify that the Infrastructure Blackout Window is enforced correctly, attempt to log in and run a job using a user not on the authorized users list, and confirm that the login is denied. If an unauthorized user is already logged in when the Infrastructure Blackout Window is enabled, confirm that the session is terminated and that the user must log in again.
To disable the Infrastructure Blackout Windows
To disable the Infrastructure Blackout Window after maintenance is complete, run the following command:
Standard login and job execution resume immediately, and users who were previously logged out can log in again.
Patch job behavior during the Infrastructure Blackout Window
Issue symptom
When the Infrastructure Blackout Window is enabled while a Patch Analysis job with remediation is running, the remediation phase may be blocked. The parent Patch Analysis job may appear completed or may not show a failure icon, while the job run details indicate Completed with Errors. The job logs and appserver.log report that execution was denied due to an active Infrastructure Blackout Window.
Issue scope
This issue affects how the job status is displayed in the user interface. It does not impact system behavior or enforcement of the Infrastructure Blackout Window.