Configuring host login credentials
The preferred method of accessing remote hosts using discovery is by a remote login. You can set up different login credentials to use on different machines, by individual IP address or a range of addresses.
Available access methods are ssh, telnet, rlogin, and windows.
You can set up several access methods and define the order in which they are to be attempted. Each access method is attempted until a working credential is found or the list is exhausted.
When you enter a user name and password for use by a credential Windows proxy, you must prefix the user name with
localhost (for example, localhost\Administrator).
For each host that is successfully logged into, the successful access method is recorded. On subsequent scans the first access method attempted is the one that succeeded for that host on the previous attempt, so long as the appropriate option is selected in the Discovery Configuration page.
If an access login method is disabled (for example, telnet) and that method is recorded as the last successful login method, it is tried again on a subsequent scan. If it fails on that scan then that method will not be tried again until it is re-enabled.
An access method is only attempted if it is seen to be available (for example, SSH access will only be attempted if the SSH port is open).
Viewing login credentials
To view existing login credentials:
- From the secondary navigation bar on the Discovery tab, click Credentials.
- Click Devices.
The following screen illustrates an example of the host login credentials page:
At the top of the host login credentials page, the system displays the total number of host login credentials and also the number of host login credentials by each access method.
The credentials are checked in sequence, and the first matching entry is used. After a working credential is found, further credentials are not checked. If you want to reorder login credentials, drag the credential to the required position in the list.
The credentials are shown in color coded boxes. The colors represent the level of login success achieved with that credential:
- Green: 100% success rate.
- Yellow: partial success.
- Blue: the credential has never been used.
- Red: 0% success rate.
Show matching credentials – new in 8.3 SP2
A new feature is introduced in BMC Atrium Discovery 8.3 SP2 which enables you to highlight all credentials which match a specified IP address.
To show matching credentials:
- From the Credentials > Devices > Hosts page, click the Show Matching Credentials button.
- Enter the IP address that you want to check into the dialog box and click Search.
- Any credential which has an IP range matching the specified IP address is highlighted in yellow and a banner summarizing the results is displayed just below the page heading.
If no matching credentials are found this is stated in the banner.
The Show matching credentials button is available on the following credential pages:
The following information is shown for each credential:
This is the first part of the heading link for the credential. The range of IP addresses on which this credential is intended to be used. A link is also provided showing the last successful use of the credential. This links to the Discovery Access for that use.
This is the second part of the heading link for the credential. The user name used for this credential.
A free text description of the credential supplied by the user who created the credential.
A summary of the success rate when the credential has been used, information about failures, and links to DiscoveryAccesses, credential lists and other useful diagnostic pages.
Additional options used with this credential. With the exception of No Password (use ssh key exchange), the options are those selected from the Options section when the credential is set up. The No Password (use ssh key exchange) option is selected by not entering a password. For information about these, see the Field Name-Details table for #Setting up host login credentials.
A list with the following options:
Setting up host login credentials
- From the login credentials page, click Add.
Set up the login credentials as follows:
Enter an IP address, a range of IP addresses, or a regular expression representing the IP addresses for which this credential is valid.
IP address: for example,
Range of IP addresses:
Username used to log in to hosts identified by the key. If this is a Windows credential that will be used by a credential Windows proxy, ensure you prefix the user name with
Enter the password into the password entry field; the password text is not echoed to the screen.
In the Edit Login Credential page, this field is displayed as Set Password. The existing password is shown as a series of asterisks in this field and it cannot be edited. To enter a new password, select the checkbox. The password entry field is cleared. Now enter the new password.
A free-text description of this login credential.
Choose the access methods to be attempted for any host identified by the key by selecting them and moving them to the right-hand (enabled) list box using the right arrow button. By default, all access methods are placed in this box, that is, they are all enabled.
You can also change the order in which the access methods are attempted by selecting them and moving them up or down with the up or down arrow buttons.
If you want to create a session log, select Enabled. This logs all communication between the BMC Atrium Discovery appliance and a host and should only be used for diagnosing discovery problems with that host. There is currently no option for recording a session log for Windows hosts.
A regular expression to define valid prompt characters expected.
To use the su command to change to the root or any other user, select Switch User. Enter the user to change to, and the corresponding password. The password text is not echoed to the screen.
Enter a timeout period (in seconds) for a session. This timeout includes the credential handshaking (see also the Session Login Timeout). This timeout is used to control sessions. The default is 180 seconds. In general, it is not used to limit the time to scan devices. Note that more than one session can be used to scan one device. For this reason, a scan can take more time than this timeout. A typical consequence of this timeout (when the execution of the platform script for getInterfaceList takes more than this timeout) is that the scan will fail with a script failure (error message Connection timed out).
To force the session to open a Bourne (
/bin/sh) subshell, if the default login shell is a C shell (
/bin/tcsh), select Yes. This enables you to cater for machines using non-standard shells.
Specify an existing SSH key which you already have deployed in your organization. Click Browse to locate the private key and click Open to select it. Enter the passphrase in the passphrase field. When you click Apply to save the credential, the key and passphrase are validated. When you upload the private key to the appliance it is strongly recommended that you protect it with a passphrase. See #SSH keys below for more detailed information.
To use an SSH key or password, select Key or Password. If you have not configured an SSH key, Key is dimmed.
Custom SSH Port
If the host for which this credential is intended is configured to listen for SSH connections on a non-standard port, enter this here. To do this, select the Enable custom ssh port? checkbox and enter the port number in the entry field. If you add a port here, it is automatically added to the TCP ports to use for initial scan. For more information, see the TCP and UDP ports to use for initial scan section in Configuring discovery.
Custom Telnet Port
If the host for which this credential is intended is configured to listen for Telnet connections on a non-standard port, enter this here. To do this, select the Enable custom telnet port? checkbox and enter the port number in the entry field. If you add a port here, it is automatically added to the TCP ports to use for initial scan. For more information, see the TCP and UDP ports to use for initial scan section in Configuring discovery.
- To add the credentials, click Apply.
- Repeat for all the credentials you want to add.
Editing host login credentials
- From the login credentials page, click Actions for the credential.
- Select Edit.
- In the Edit Login Credential page, edit the host login credential fields.
The fields in this page are the same as the fields in the Create Login Credential page. For more information about the fields, see the field-details table for #Setting up host login credentials.
- To add the edited credentials, click Apply.
Repeat this for all the credentials you want to edit.
You can attach an SSH key to any credential using the SSH access method.
BMC Atrium Discovery supports only RSA2 and DSA private keys for certificate-based authentication. For the hosts that only support SSH v1 it is recommended to use credentials for authentication.
When using SSH keys, the appliance must identify itself to discovery targets so must use the private key. It is strongly recommended that you protect the private key with a strong passphrase. When they are uploaded to the appliance, the key and the passphrase are stored in the credential vault.
If the attempted login is unsuccessful using the SSH key, the credential falls back and attempts to login using the configured username and password.
It is important to configure a username and password even when an SSH key is to be used. When privileged command execution is required, that password is used in the command, for example
sudo password command.
After the key is stored in the credential vault, it is encrypted and cannot be recovered from the vault. You are strongly recommended to keep copies of private keys in secure storage according to your local security guidelines.
Testing login credentials
When you have added the credentials, you can test them by performing the following actions:
- On the login credentials page, click Actions for the login credential.
If the test link is not displayed, click START ALL SCANS on the Discovery Status page.
- To test the credential, enter a single IP address in the IP Address field.
For example, 126.96.36.199.
- Click Test.
The page is refreshed to show that the test in progress and when complete, the results are shown.
- You can perform other credential tests from the Credential Tests page.