System communications

Wherever possible, communications between elements of the system use high-grade encryption.

The core of the application manages the discovery and reasoning engines. It consistently interacts with the security engine to ensure user authentication and request authorization so that each action taken by the application can only be triggered from the application itself or by a user through the application UI or command line. External communications between the user and the application can be configured to use HTTPS over 128bit SSL.

The encryption of communication between the discovery engine (appliance or Windows proxy) and the target depends on the discovery method used. For example, ssh is encrypted, but telnet and rlogin (which may both be disabled) are not. Discovery credentials can be configured to use a user supplied SSH key per credential. These keys and their associated passphrases are stored in the credential vault. It is recommended that SSH keys are always protected with a strong passphrase.

Secure communications

Secure communications between elements of the system uses CORBA over TLS (Transport Layer Security) with the following details:

• Protocol: TLSv1
• Encryption: AES_256_CBC
• Message hashing: SHA1
• Key Exchange: DHE_RSA (2048)

It is enabled using certificates in the following locations:

• Each appliance (scanning or consolidation)
• Each Windows proxy

• Certificate Authority on each appliance and proxy

  This refers to communications between components of the BMC Atrium Discovery system, not communications between BMC Atrium Discovery and discovery targets, or the user's web browser.

Support has not been built into the product to enable you to replace the default certificates with your own. However, it is possible to replace certificates on a like-for-like basis, that is, the same encryption type (MD5 RSA) and key length (2048 bytes). Any other type of certificate requiring new libraries does not work. Multiple certificates to perform unique encryption per component is not supported either.

Replacing the certificates

Three certificates are required to secure communications between the appliance and proxy:

• appliance_key_01.pem: the appliance certificate.
• slave_key_01.pem: the proxy certificate.
• ca_01.pem: the certificate authority.

The appliance_key_01.pem and ca_01.pem certificates are located in the $TIDEWAY/etc directory on the appliance. The slave_key_01.pem and ca_01.pem are located in the C:\Program Files\BMC Software\ADDM Proxy Type\etc directory on the proxy (where ADDM Proxy Type is either Active Directory or Credential).

1. Use a certificate authority to generate two signed certificates using RSA as the encryption type, with a length of 2048 bytes.
2. Copy the certificates to a temporary directory.
3. Rename one certificate appliance_key_01.pem and the other slave_key_01.pem.
4. Copy the Certification Authority public certificate and rename it ca_01.pem.
5. Copy appliance_key_01.pem and ca_01.pem to the $TIDEWAY/etc directory on the appliance.
6. Copy slave_key_01.pem and ca_01.pem to the C:\Program Files\BMC Software\ADDM Proxy Type\etc directory on the proxy.
7. Restart the tideway services on the appliance.
8. Restart the proxy.
9. From the Discovery > Devices > Windows Proxies page, select the proxy pool that the proxy belongs to by clicking its name. The Edit Windows Proxy Pool page is displayed.
10. From the Pool contents list, click the Ping link corresponding to the proxy to check whether it can be reached. If it can be contacted then the certificates have been replaced successfully.

Notes on managing your own certificates

Managing your own certificates in BMC Atrium Discovery is an entirely manual process. When the appliance is upgraded, you will have to copy the certificates onto the upgraded appliance. Also, when proxies are upgraded, you will have to copy the certificates onto the upgraded proxies. When you deploy new proxies from an appliance, the default keys on the new proxy will have to be replaced.

End-user authentication

End-user application authentication is critical to the security of the entire solution. BMC Atrium Discovery supports a number of Web authentication plug-ins and various levels of authentication strength, requiring one of many authentication factors:

• SSL Client Certificate Verification - Strong authentication using a public key infrastructure certificate. The client's SSL Certificate is verified by the Web server. The user name is extracted from the certificate and used for authorization via LDAP
• SSL Certificate Lookup - The user is authenticated by looking up custom parts of the client's SSL Certificate via LDAP. The certificate is not verified, but it must be valid
• LDAP Authentication - The user is authenticated against an LDAP server by entering a username and password
• Standard Web Authentication - The user is authenticated as a local user by entering a username and password

Secure export to CMDB

The communication between BMC Atrium Discovery and BMC Atrium CMDB is based on the CMDB API. The encryption that comes with the AR Server is the Standard Encryption 512-bit public key/56-bit DES encryption on the wire. If a customer acquired the higher levels of Remedy Encryption (a separate product), then the customer could obtain either 1024-bit public key/128-bit RC4 or 2048-bit public key/2048-bit RC4 encryption. Communication from BMC Atrium Discovery to the AR Server can be configured to use a single chosen port (ARTCPPORT).

Ports used for System Communication

The following ports are used by the BMC Atrium Discovery and may need to be opened on a firewall for correct operation. These will be required in addition to the ports directly used for Discovery communications

Appliance User Interface ports

These ports will need to be open to access the Main UI and CLI for both normal operation and administration of updates.
Note that enabling HTTPS in BMC Atrium Discovery allows use of SSLv3 and TLSv1, however there is no configuration of the supported protocols beyond enabling/disabling HTTPS.

Appliance Service ports

These ports will be used in general operation. If configured email alerts will be sent under certain conditions and an SMTP relay needs to be accessable to do this. As part of discovery the current domain names of IPs will be looked up and access to your DNS infrastructure is required for this to work. It is essential for correct operation of the system that accurate time is kept for timestamps and access to an NTP service may be required for this. If AD/LDAP UI user authentication is desired then access to your AD/LDAP infrastructure is required.

Appliance CMDB Sync ports

The BMC Atrium CMDB is built on the AR System platform. This uses a portmapper approach to do RPC calls in much the same way that WMI access occurs. As such unless action is taken the ports used will be 111 to contact the portmapper and an ephemeral port will be used for the duration of the connection.
You would be advised to arrange your architecture to not have a firewall between the appliance and the CMDB unless your CMDB is set to use a fixed port by setting the ARTCPPORT variable.

Windows proxy service ports

If an AD Windows proxy is deployed then the Windows Server hosting it must have access to your AD/LDAP infrastructure.