Regaining Access if Locked Out by NACM

If the NACM configuration prevents an administrator from accessing TNSR in a required way, NACM can be disabled or its configuration removed to regain access.

Method 1: Temporarily Disable NACM

With a complicated NACM configuration, the easiest way to regain access is to disable NACM, fix the configuration, and then enable it again. This involves disabling NACM in /etc/tnsr.xml, which is copied from one of the following locations, depending on which services are stopped/started: /etc/tnsr/tnsr-none.xml, /etc/tnsr/tnsr-running.xml, and /etc/tnsr/tnsr-startup.xml. The best practice is to edit all three files.

  • Stop TNSR

  • Edit /etc/tnsr/tnsr-startup.xml

  • Locate the line with CLICON_NACM_MODE and change it to:

    <CLICON_NACM_MODE>disabled</CLICON_NACM_MODE>
    
  • Repeat the edit in /etc/tnsr/tnsr-none.xml and /etc/tnsr/tnsr-running.xml

  • Restart TNSR

  • Use the TNSR CLI to fix the broken NACM rules

  • Save the new configuration

  • Stop TNSR

  • Edit /etc/tnsr/tnsr-startup.xml

  • Locate the line with CLICON_NACM_MODE and change it to:

    <CLICON_NACM_MODE>internal</CLICON_NACM_MODE>
    
  • Repeat the edit in /etc/tnsr/tnsr-none.xml and /etc/tnsr/tnsr-running.xml

  • Restart TNSR

TNSR will start with the new, fixed NACM configuration. If access is still not working properly, repeat the process, changing the NACM rules until it is, or proceed to the next method to start over.
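
One way to script the CLICON_NACM_MODE edit from Method 1 so that all three files change together or not at all (an added example, not part of TNSR or its documentation). The function names, the .bak backup suffix and the optional directory argument are assumptions made for this example; stopping and restarting TNSR is left to the operator.

```shell
#!/bin/sh
# Added example: set CLICON_NACM_MODE consistently in the three files named above.
# Function names and the optional directory argument are assumptions.

NACM_FILES="tnsr-startup.xml tnsr-none.xml tnsr-running.xml"

# nacm_get_mode FILE: print the current CLICON_NACM_MODE value of FILE
nacm_get_mode() {
    sed -n 's:.*<CLICON_NACM_MODE>\([^<]*\)</CLICON_NACM_MODE>.*:\1:p' "$1"
}

# nacm_set_mode MODE [DIR]: rewrite the element in every file, keeping .bak copies
nacm_set_mode() {
    mode=$1
    dir=${2:-/etc/tnsr}
    case $mode in
        disabled|internal) ;;
        *) echo "mode must be 'disabled' or 'internal'" >&2; return 2 ;;
    esac
    # Check every file before touching any, so a bad file cannot leave
    # the three copies with different NACM modes.
    for f in $NACM_FILES; do
        count=$(grep -c '<CLICON_NACM_MODE>[^<]*</CLICON_NACM_MODE>' "$dir/$f" 2>/dev/null) || count=0
        if [ "$count" != 1 ]; then
            echo "$dir/$f: expected exactly one CLICON_NACM_MODE line, found $count" >&2
            return 1
        fi
    done
    for f in $NACM_FILES; do
        cp -p "$dir/$f" "$dir/$f.bak" || return 1
        # Writing through the redirect keeps the original file's owner and mode.
        sed "s:<CLICON_NACM_MODE>[^<]*</CLICON_NACM_MODE>:<CLICON_NACM_MODE>$mode</CLICON_NACM_MODE>:" \
            "$dir/$f.bak" > "$dir/$f" || return 1
        # Read the value back rather than trusting the substitution.
        [ "$(nacm_get_mode "$dir/$f")" = "$mode" ] || return 1
        echo "$dir/$f: CLICON_NACM_MODE=$mode"
    done
}
```

With TNSR stopped, source the file and run nacm_set_mode disabled as root; after the rules are fixed and saved, stop TNSR again and run nacm_set_mode internal.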

Method 2: Remove NACM Configuration

  • Stop TNSR
  • Edit /var/tnsr/startup_db
  • Remove the entire <nacm>...</nacm> section from startup_db
  • Start TNSR

TNSR will restart without any NACM configuration and it can then be reconfigured from scratch as shown in NACM Example.