Adding device credentials

You can use the following procedure to add credentials for UNIX or Windows hosts, management controllers, network devices, storage devices, mainframes, and so on. The preferred method of accessing remote devices using BMC Discovery is by remote login. You can set up different login credentials to use on different computers, by individual IP address or a range of addresses. You can set up several access methods and define the order in which they are to be attempted.

Each access method is attempted until a working credential is found or the list is exhausted. When BMC Discovery successfully logs in to a host, it records the access method that was used for the login. On subsequent scans, the access method used during the previous successful login to the host is attempted first. However, you must configure appropriate options on the Discovery Configuration page for the successful attempts. The following access methods are available:

  • ssh
  • telnet
  • rlogin
  • Windows
  • vSphere
  • vCenter
  • SNMP
  • WBEM
  • Mainview z/OS Agent
  • Cisco IMC Web API
  • HP iLO Web API
  • EMC VPLEX REST API

If an access login method (for example, telnet) is disabled and that method is recorded as the last successful login method, it is tried again on a subsequent scan. If it fails on that scan, then that method is not tried again until it is re-enabled. An access method is attempted only if it is seen to be available (for example, SSH access is attempted only if the SSH port is open).

Device credential usage is no longer displayed on the credentials page. Information on the success or failure of credentials is available on the Discovery Status page.

User accounts on UNIX and Linux target systems

When creating a user account (the account that BMC Discovery logs into to discover a host) on a UNIX or Linux target host, ensure that you specify the full path to the shell in the user profile; for example, SHELL=/bin/sh. Otherwise, the credentials are considered invalid. 

Shell support

BMC Discovery is tested to work with Bourne and Bourne-compatible shells. Support for other shells such as the Korn shell is best effort only. The product has been sporadically tested and might work but with known issues, and BMC might not fix bugs that affect these shells.

To add device login credentials

  1. From the menu bar, select Manage > Credentials.
    The Device Credentials page is displayed by default.
  2. From the top-right corner of the page, click Add.
    The Add Credential page is displayed.

    To add credentials for a specific range of endpoints, uncheck the Match All check box and enter the required IP addresses in the text box displayed below.
    The Match All box is checked by default.

     Additional tips

    Select "Match All" to match all endpoints; deselect it to enter values that will be used to determine if this credential is suitable for a particular endpoint. They can be one or more of the following, separated by commas:
    • IPv4 address: for example 192.168.1.100.
    • IPv4 range: for example 192.168.1.100-105, 192.168.1.100/24, or 192.168.1.*.
    • IPv6 address: for example 2001:500:100:1187:203:baff:fe44:91a0.
    • IPv6 network prefix: for example fda8:7554:2721:a8b3::/64.

    Note

    You cannot specify the following address types:
    • IPv6 link local addresses (prefix fe80::/64)
    • IPv6 multicast addresses (prefix ff00::/8)
    • IPv4 multicast addresses (224.0.0.0 to 239.255.255.255)

    As you enter text, the UI divides it into pills (discrete editable units) when you enter a space or a comma. According to the text entered, the pill is formatted to represent one of the previous types or presented as invalid.

     Invalid pills are labeled with a question mark. You can also paste a list of IP addresses or ranges into this field. If any pills are invalid, a message stating the number of invalid pills is displayed above the range field. Clicking the link applies a filter that shows only invalid pills, which you can then edit or delete. You can remove the filter by clicking clear in the Showing n of n label below the Range field. There is no paste option on the context-sensitive (right-click) menu.

    Warning

    Do not paste a comma-separated list of IP address information into the Range field in Mozilla Firefox. Doing so can crash the browser. You can use a space-separated list with no problems.

    To edit a pill, click the pill body and edit the text.
    To delete a pill, click the X icon to the right of the pill, or click to edit and delete all of the text.
    To view the unformatted source text, click the source toggle switch. The source view is useful for copying to a text editor or spreadsheet. Click the source toggle switch again to see the formatted pill view.

    Underneath the entry field is a filter box. Enter text in the filter box to show only matching pills.

    Information

    Pills are not supported in Opera.

  3. Check the Enabled box to enable the credentials.
    You can edit your credentials at any time or disable a given credential.
  4. In the Label field, specify an appropriate name for the credential.
    This label is used later for searching for credentials.
  5. In the Description field, specify a description for the credential.
  6. From the Presets drop-down list, select the type of target for which you want to create the credentials.
    When you select a value in the Preset list, the appropriate Credential Types check boxes in the following section are automatically checked, and further details are requested based on the option that you selected. For example, if you choose UNIX Host from the list, the ssh, telnet, and rlogin credential type boxes are checked, and further information for the credential is gathered in the fields below. Alternatively, you can use the All, None, and Invert buttons to select or deselect a credential type option.

  7. In the Username field, specify a username for the credential.
  8. In the Password field, specify a password for the credential.

    Note

    In the Edit Login Credential page, this field is displayed as Set Password. The existing password is shown as a series of asterisks in this field and it cannot be edited. To enter a new password, select the check box. The password entry field is cleared. Now enter the new password.

  9. To save your credential details, click Apply.

  10. To exit the page without saving the changes, click Cancel.
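
The range formats and excluded address types listed under step 2 can be pre-checked before pasting a long list into the Range field. The following is an added example, not BMC code and not the product's own parser; the function names and the treatment of 192.168.1.100/24 as the whole /24 network are assumptions.

```python
import ipaddress
import re

# Address types the page lists as not allowed in the range field.
BLOCKED = [
    ipaddress.ip_network("fe80::/64"),    # IPv6 link local (prefix as given on the page)
    ipaddress.ip_network("ff00::/8"),     # IPv6 multicast
    ipaddress.ip_network("224.0.0.0/4"),  # IPv4 multicast, 224.0.0.0 to 239.255.255.255
]

def _overlaps_blocked(first, last):
    """True if the span first..last touches a disallowed network."""
    return any(net.version == first.version
               and first <= net.broadcast_address
               and last >= net.network_address
               for net in BLOCKED)

def classify_pill(text):
    """Return (kind, first_address, last_address); kind is "invalid" on failure."""
    try:
        if m := re.fullmatch(r"(\d+\.\d+\.\d+)\.\*", text):              # 192.168.1.*
            first = ipaddress.IPv4Address(m[1] + ".0")
            last, kind = first + 255, "IPv4 range"
        elif m := re.fullmatch(r"(\d+\.\d+\.\d+)\.(\d+)-(\d+)", text):   # 192.168.1.100-105
            first = ipaddress.IPv4Address(f"{m[1]}.{m[2]}")
            last, kind = ipaddress.IPv4Address(f"{m[1]}.{m[3]}"), "IPv4 range"
            if last < first:
                raise ValueError("range end is below range start")
        elif "/" in text:                                                # CIDR or IPv6 prefix
            # Assumption: host bits are ignored, so 192.168.1.100/24 means the whole /24.
            net = ipaddress.ip_network(text, strict=False)
            first, last = net.network_address, net.broadcast_address
            kind = "IPv4 range" if net.version == 4 else "IPv6 network prefix"
        else:                                                            # single address
            first = last = ipaddress.ip_address(text)
            kind = f"IPv{first.version} address"
    except ValueError:
        return ("invalid", None, None)
    if _overlaps_blocked(first, last):
        return ("invalid", None, None)
    return (kind, first, last)

def check_range_field(raw):
    """Split pasted text on spaces or commas, then sort pills into valid and invalid."""
    valid, invalid = [], []
    for pill in filter(None, re.split(r"[,\s]+", raw.strip())):
        kind, first, last = classify_pill(pill)
        (invalid if kind == "invalid" else valid).append((pill, kind))
    return valid, invalid

# Constructed sample input: the page's own example values plus three bad entries.
SAMPLE = ("192.168.1.100 192.168.1.100-105 192.168.1.* "
          "fda8:7554:2721:a8b3::/64 fe80::1 224.0.0.5 192.168.1.300")

if __name__ == "__main__":
    ok, bad = check_range_field(SAMPLE)
    for pill, kind in ok:
        print(f"{pill:32} {kind}")
    print(f"{len(bad)} invalid:", ", ".join(p for p, _ in bad))
```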

Additional details for credential types

The following table lists the information to provide for the various credential types that you can create.

Parameter: Description

SSH credential type

SSH Port: If the host for which this credential is created is configured to listen for SSH connections on a nonstandard port, pick a port from the drop-down list. You can specify only those SSH ports here that are defined in Discovery Configuration on the Administration page. For more information, see TCP and UDP ports to use for initial scan.
Timeout (in seconds): Enter a timeout period (in seconds) for a session. This timeout includes the credential handshaking (see also the Session Login Timeout). This timeout is used to control sessions. The default is 180 seconds. In general, timeout is not used to limit the time to scan devices. More than one session can be used to scan one device. For this reason, a scan can take more time than the specified timeout. A typical consequence of this timeout (for example, when the execution of the platform script for getInterfaceList takes longer than this timeout) is that the scan will fail with a script failure (error message Connection timed out).
Private Key File: Specify an existing SSH key that you already have deployed in your organization. Click Browse to locate the private key and click Open to select it. For more detailed information about setting up a private key, see Using SSH keys.
Passphrase: Specify the passphrase for the UNIX host here. When you click Apply on the Add Credentials page to save the credential, the key and passphrase are validated. BMC recommends that when you upload the private key to the BMC Discovery machine, you protect the vault with a passphrase.
SSH Authentication: To use an SSH key or password, select Key or Password. If you have not configured an SSH key, Key is disabled.

Telnet credential type

Telnet port: If the host for which this credential is created is configured to listen for Telnet connections on a nonstandard port, pick a port from the drop-down list. You can specify only those SSH ports here that are defined in the Discovery Configuration window on the Administration tab. For more information, see TCP and UDP ports to use for initial scan.
Timeout (in seconds): Enter a timeout period (in seconds) for a session. This timeout includes the credential handshaking (see also the Session Login Timeout). This timeout is used to control sessions. The default is 180 seconds. In general, timeout is not used to limit the time to scan devices. More than one session can be used to scan one device. For this reason, a scan can take more time than the specified timeout. A typical consequence of this timeout (for example, when the execution of the platform script for getInterfaceList takes longer than this timeout) is that the scan will fail with a script failure (error message Connection timed out).

rLogin credential type

Timeout (in seconds): Enter a timeout period (in seconds) for a session. This timeout includes the credential handshaking (see also the Session Login Timeout). This timeout is used to control sessions. The default is 180 seconds. In general, timeout is not used to limit the time to scan devices. More than one session can be used to scan one device. For this reason, a scan can take more time than the specified timeout. A typical consequence of this timeout (for example, when the execution of the platform script for getInterfaceList takes longer than this timeout) is that the scan will fail with a script failure (error message Connection timed out).

UNIX credential type

SU: To use the su command to change to the root or any other user, select Switch User. Enter the user to change to, and the corresponding password. The password text is not echoed to the screen.
Username: Username used to log in to hosts identified by the key. If this username is a Windows credential that will be used by a pre-8.2 Windows credential proxy, ensure that you add a localhost prefix to the username (for example, localhost\Administrator).
Password: Enter the password into the password entry field; the password text is not echoed to the screen.

Note

On the Edit Login Credential page, this field is displayed as Set Password. The existing password is shown as a series of asterisks in this field, and it cannot be edited. To enter a new password, select the check box. The password entry field is cleared. Now enter the new password.

Session Logging: If you want to create a session log, select Enabled. This selection logs all communication between the BMC Discovery appliance and a host and should be used only for diagnosing discovery problems with that host. No option exists for recording a session log for Windows hosts.
Prompt: Regular expression to define valid prompt characters expected.
Force Subshell: To force the session to open a Bourne (/bin/sh) subshell if the default login shell is a C shell (/bin/csh or /bin/tcsh), select Yes. This selection enables you to cater to machines using nonstandard shells.

vSphere credential type

Timeout: Enter a timeout period (in seconds) for a session. This timeout includes the credential handshaking (see also the Session Login Timeout). This timeout is used to control sessions. The default is 180 seconds. In general, timeout is not used to limit the time to scan devices. More than one session can be used to scan one device. For this reason, a scan can take more time than the specified timeout. A typical consequence of this timeout (for example, when the execution of the platform script for getInterfaceList takes longer than this timeout) is that the scan will fail with a script failure (error message Connection timed out).

Mainview z/OS Agent credential type

Mainview Port: Port to use to connect to the mainframe; the default is 3940. To use a different port, select the Enable custom mainview port? check box and choose a port number from the list. The list is populated with port numbers specified at Administration > Discovery Configuration.
Timeout: Enter a timeout period (in seconds) for a session. This timeout includes the credential handshaking (see also the Session Login Timeout) and is used to control sessions. The default is 180 seconds. In general, timeout is not used to limit the time to scan devices. More than one session can be used to scan one device. For this reason, a scan can take more time than the specified timeout. A typical consequence of this timeout (for example, when the execution of the platform script for getInterfaceList takes longer than this timeout) is that the scan will fail with a script failure (error message Connection timed out).

SNMP credential type

Retries: The number of attempts made if no response is received. The default is five.
Timeout: The time (in seconds) in which a response is expected. The default is one second.
SNMP Port: To choose an SNMP port, select the check box and choose from the ports in the list. You must already have configured an SNMP port in the Discovery Configuration window.
SNMP Version: The SNMP version to use. From the SNMP version list, select one of the following: 1, 2c, or 3. The default is Version 2c. If you are setting up credentials for discovering Netware, you must select Version 1 from the SNMP version list.
Use GETBULK: Use GETBULK requests instead of GETNEXT requests. GETBULK improves Discovery performance; however, some devices do not support it correctly, which very occasionally may lead to scanning issues. If you experience scanning issues, uncheck this option to revert to GETNEXT. GETBULK is supported only by SNMP v2c and v3.

SNMP v1/v2c and V3 credential types

Community: Community used for SNMP read access to the defined host or hosts; for SNMP V1 and V2c credentials only.
Security Name: For SNMP V3 credentials only.
Security Level: For SNMP V3 credentials only. Shows the security level selected using the authentication and privacy protocols:

  • noAuthNoPriv—No authentication and no privacy.
  • authNoPriv—Authentication, no privacy.
  • authPriv—Authentication and privacy.

No setting exists for privacy without authentication.

Authentication Protocol: Protocol used to encrypt the authentication with the client; for SNMP V3 credentials only. Select one of the following options from the drop-down list:

  • None—No encryption used. Operates in the same way as v1 and v2.
  • MD5—An authentication passphrase is entered and MD5 hashed. The MD5 hashed passphrase is used to access the target system.
  • SHA—An authentication passphrase is entered and SHA hashed. The SHA hashed passphrase is used to access the target system.

Authentication Key: The key (passphrase) that will be used to encrypt the credentials; for SNMP V3 credentials only, and only if you have chosen an authentication protocol. Must be at least 8 characters.
Privacy Protocol: The protocol used to encrypt data retrieved from the target. Encrypting the data retrieved from a discovery target causes performance degradation over no encryption. This is for SNMP V3 credentials only, and only if you have chosen an authentication protocol. That is, you cannot have privacy without authentication. Select one of the following options from the drop-down list:

  • None—No data encryption is used. Operates in the same way as v1 and v2.
  • DES—Uses a privacy key to encrypt data using the DES algorithm.
  • AES CFB128—Uses a privacy key to encrypt data using the AES algorithm.

Private key: The key (passphrase) that will be used to encrypt the data; for SNMP V3 credentials only, and only if you have chosen a privacy protocol. Must be at least 8 characters.
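
The SNMP constraints in the tables above (GETBULK only with v2c and v3, no privacy without authentication, keys of at least 8 characters) can be checked before a credential is entered. The following is an added example, not BMC code; the dictionary field names are hypothetical, and the warnings are hardening notes added here (v1/v2c community strings travel unencrypted, and MD5 and DES are the weaker of the listed options) rather than statements from the page.

```python
VERSIONS = {"1", "2c", "3"}
AUTH_PROTOCOLS = {"None", "MD5", "SHA"}
PRIVACY_PROTOCOLS = {"None", "DES", "AES CFB128"}
MIN_KEY_LENGTH = 8  # "Must be at least 8 characters."

def security_level(auth_protocol, privacy_protocol):
    """Derive the SNMP v3 security level from the two protocol choices."""
    if auth_protocol == "None" and privacy_protocol != "None":
        raise ValueError("privacy without authentication is not a valid setting")
    if privacy_protocol != "None":
        return "authPriv"
    return "authNoPriv" if auth_protocol != "None" else "noAuthNoPriv"

def check_snmp_credential(cred):
    """Return (errors, warnings) for one credential dict (hypothetical field names)."""
    errors, warnings = [], []
    version = cred.get("version", "2c")          # the page's default is Version 2c
    if version not in VERSIONS:
        return [f"unknown SNMP version {version!r}"], warnings
    if cred.get("use_getbulk") and version == "1":
        errors.append("GETBULK is supported only by SNMP v2c and v3")
    if version != "3":
        warnings.append("v1/v2c community string is sent unencrypted")
        return errors, warnings
    auth = cred.get("auth_protocol", "None")
    priv = cred.get("privacy_protocol", "None")
    if auth not in AUTH_PROTOCOLS or priv not in PRIVACY_PROTOCOLS:
        return errors + ["unknown authentication or privacy protocol"], warnings
    try:
        level = security_level(auth, priv)
    except ValueError as exc:
        return errors + [str(exc)], warnings
    if auth != "None" and len(cred.get("auth_key", "")) < MIN_KEY_LENGTH:
        errors.append("authentication key shorter than 8 characters")
    if priv != "None" and len(cred.get("privacy_key", "")) < MIN_KEY_LENGTH:
        errors.append("privacy key shorter than 8 characters")
    if level != "authPriv":
        warnings.append(f"{level}: retrieved data is not encrypted")
    if auth == "MD5":
        warnings.append("MD5 authentication: prefer SHA")
    if priv == "DES":
        warnings.append("DES privacy: prefer AES CFB128")
    return errors, warnings

# Constructed sample credentials: a weak one and its corrected form.
WEAK = {"version": "3", "auth_protocol": "MD5", "auth_key": "short",
        "privacy_protocol": "DES", "privacy_key": "constructed-key-1"}
FIXED = {"version": "3", "auth_protocol": "SHA", "auth_key": "constructed-key-2",
         "privacy_protocol": "AES CFB128", "privacy_key": "constructed-key-3"}

if __name__ == "__main__":
    for name, cred in (("weak", WEAK), ("fixed", FIXED)):
        print(name, check_snmp_credential(cred))
```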

Cisco IMC Web API credential type

Timeout: The time (in seconds) in which a response is expected. The default is 180 seconds.
HTTPS Port: To specify an HTTPS port for the Web API, choose from the ports in the list. You must already have configured an HTTPS port in Administration > Discovery Configuration.

HP iLO Web API credential type

Timeout: The time (in seconds) in which a response is expected. The default is 180 seconds.
HTTPS Port: To choose a custom HTTPS port, choose from the ports in the list. You must already have configured a custom HTTPS port in Administration > Discovery Configuration.

WBEM

Timeout: The time (in seconds) in which a response is expected. The default is 180 seconds. WBEM queries may take some time, so you might need to increase this timeout.
Access Protocol: The protocol to use to communicate with the WBEM server. Select HTTP, HTTPS, or both.
WBEM HTTPS Port: To choose a custom HTTPS port, choose from the ports in the list. You must already have configured a custom WBEM HTTPS port in Administration > Discovery Configuration.
WBEM HTTP Port: To choose a custom HTTP port, choose from the ports in the list. You must already have configured a custom WBEM HTTP port in Administration > Discovery Configuration.

EMC VPLEX REST API credential type

Timeout: The time (in seconds) in which a response is expected. The default is 180 seconds.
HTTPS Port: To choose an HTTPS port, choose from the ports in the list. You must already have configured an HTTPS port in Administration > Discovery Configuration.

Windows credential type

Not applicable: See Adding Windows proxies

vCenter credential type

Timeout: The time (in milliseconds) in which a response is expected. The default is 60 seconds.