Regaining Access if Locked Out by NACM¶
If the NACM configuration prevents an administrator from accessing TNSR in a required way, NACM can be disabled or its configuration removed to regain access.
Method 1: Temporarily Disable NACM¶
With a complicated NACM configuration, the easiest way to regain access is to
disable NACM, fix the configuration, and then enable it again. This involves
disabling NACM in /etc/tnsr.xml
, which is copied from one of the following
locations, depending on which services are stopped/started:
/etc/tnsr/tnsr-none.xml
, /etc/tnsr/tnsr-running.xml
, and
/etc/tnsr/tnsr-startup.xml
. The best practice is to edit all three files.
Stop TNSR
Edit
/etc/tnsr/tnsr-startup.xml
Locate the line with
CLICON_NACM_MODE
and change it to:<CLICON_NACM_MODE>disabled</CLICON_NACM_MODE>
Repeat the edit in
/etc/tnsr/tnsr-none.xml
and/etc/tnsr/tnsr-running.xml
Restart TNSR
Use the TNSR CLI to fix the broken NACM rules
Save the new configuration
Stop TNSR
Edit
/etc/tnsr/tnsr-startup.xml
Locate the line with
CLICON_NACM_MODE
and change it to:<CLICON_NACM_MODE>internal</CLICON_NACM_MODE>
Repeat the edit in
/etc/tnsr/tnsr-none.xml
and/etc/tnsr/tnsr-running.xml
Restart TNSR
TNSR will start with the new, fixed, NACM configuration. If access is still not working properly, repeat the process making changes to NACM until it is, or proceed to the next method to start over.
Method 2: Remove NACM Configuration¶
Stop TNSR
Edit
/var/tnsr/startup_db
Remove the entire
<nacm>...</nacm>
section fromstartup_db
Start TNSR
TNSR will restart without any NACM configuration and it can then be reconfigured from scratch as shown in NACM Example.