Smarts: Users can issue "brquit" command without providing user name and password credentials from client; How to secure the broker from clients issuing the brquit command without credentials?

Article ID: 304109

Updated On:

Products

VMware Smart Assurance

Issue/Introduction

Symptoms:


Users can issue "brquit" command without providing user name and password credentials from client.

How to secure the broker from clients issuing the brquit command without credentials?

Environment

VMware Smart Assurance - SMARTS

Cause

The Smarts broker has been configured as secured. The Smarts broker is not secure by default, but this behavior is expected if the broker is configured to be secured.

Resolution

To change this behavior and prevent users from issuing the brquit command from a console client, you have two options:

1.) Configure the Smarts broker as nonsecure for all users:

  1. Open the Smarts serverConnect.conf configuration file for editing using sm_edit as follows:

    <BASEDIR>/smarts/bin/sm_edit conf/serverConnect.conf
     
  2. Change the <BROKER> setting in the serverConnect.conf from Secure to NonSecure as follows:

    <BROKER>:BrokerNonsecure:Nonsecure:All
     
  3. Save and close the serverConnect.conf configuration file.

2.) Secure the Smarts broker so that only authorized users can execute commands such as brquit and brcontrol, while the rest of the users (console users) can only attach to a console:

  1. Change the default <BROKER>:NonSecure:<password> line in serverConnect.conf on the broker machine and append :Monitor. Example:

    <BROKER>:BrokerNonsecure:<E1.0>B8F1E825A7BCC3F10FB07DAD66363DC3947D44249773BC64D4E375531771A603:Monitor

  2. All consoles will send credentials for the BrokerNonsecure user, as this is the user they have configured by default (in the clientConnect.conf on the client machine).
  3. Next, add another line to serverConnect.conf on the machine running the broker:

    <BROKER>:Secure:<password>:All

     Example:

    <BROKER>:secure:<E1.0>B8F1E825A7BCC3F10FB07DAD66363DC3947D44249773BC64D4E375531771A603:All
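
To verify the result of option 2, the following added example (not part of the original article and not VMware code) audits the `<BROKER>` entries of a serverConnect.conf and reports when the default console user still holds `All` or when no separate user holds it. It assumes the four-field `target:user:password:privilege` layout seen in the lines above and `#` comments; the function names and sample passwords are constructed for illustration.

```python
# Added example (not VMware code): audit <BROKER> entries in serverConnect.conf.
# Assumptions: entries are target:user:password:privilege as in the article's
# lines, '#' starts a comment, and names are compared case-insensitively.

# Constructed samples; the password fields are placeholders, not real values.
BEFORE = """\
# broker access
<BROKER>:BrokerNonsecure:Nonsecure:All
"""
AFTER = """\
<BROKER>:BrokerNonsecure:<E1.0>PLACEHOLDER:Monitor
<BROKER>:secure:<E1.0>PLACEHOLDER:All
"""

def broker_entries(text):
    """Yield (lineno, user, privilege); user is None for unparsable lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if fields[0] != "<BROKER>":
            continue  # entries for other targets are out of scope here
        if len(fields) == 4:
            yield lineno, fields[1], fields[3]
        else:
            yield lineno, None, None  # e.g. a ':' inside the password field

def audit(text, console_user="BrokerNonsecure"):
    """Return findings about who may run brquit/brcontrol on the broker."""
    findings, admins = [], 0
    for lineno, user, priv in broker_entries(text):
        if user is None:
            findings.append(f"line {lineno}: cannot parse <BROKER> entry, review by hand")
        elif priv.lower() == "all" and user.lower() == console_user.lower():
            findings.append(f"line {lineno}: console user {user} holds All")
        elif priv.lower() == "all":
            admins += 1
    if admins == 0:
        findings.append("no separate <BROKER> user holds All")
    return findings

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(conf) or "ok")
```

Pass the contents of the live file on the broker host to `audit` after editing it with sm_edit; an empty list means the console user is limited to Monitor and a separate user holds All.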