Adding credentials
You add credentials from the Manage > Credentials page:
To add a credential, select the type of credential you want to add from the Add menu. The Add credential page is displayed. It enables you to enter general details for the credential and, depending on the credential type, additional parameters. For example, for a UNIX host, you can specify an SSH key to use for authentication, a username/password combination for escalated privileges, or enable session logging. If you add an exception for matching IP addresses, the label of the credential is updated with the exception.
You can use the following procedure to add credentials for UNIX or Windows hosts, management controllers, network devices, storage devices, and so on. The preferred method of accessing remote devices using BMC Discovery is by remote login.
You can set up different login credentials to use on different computers, by individual IP address or by a range of addresses. You can set up several access methods and define the order in which they are attempted. Each access method is attempted until a working credential is found or the list is exhausted. When BMC Discovery successfully logs in to a host, the access method that was used is recorded, and on subsequent scans that method is attempted first.
However, an access method can succeed only if the corresponding options are configured on the Discovery Configuration page.
If an access method (for example, telnet) is disabled but is recorded as the last successful login method for a host, it is still tried again on a subsequent scan. If it fails on that scan, it is not tried again until it is re-enabled. An access method is attempted only if it is seen to be available (for example, SSH access is attempted only if the SSH port is open).
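The credential-matching rules (Match All, endpoint ranges, matching exceptions) and the access-method ordering described above, modelled as an added illustration. This is not BMC Discovery code: the Credential class, the method names and the login callback are assumptions made for the example.

```python
# Added illustration of the credential-matching and access-method ordering rules
# described on this page. Not BMC Discovery code: Credential, the method names and
# the try_login callback are assumptions for the example.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Credential:
    label: str
    methods: list                                   # access methods, in attempt order
    match_all: bool = True                          # valid for any endpoint (the default)
    matches: list = field(default_factory=list)     # endpoints/ranges when Match All is off
    exceptions: list = field(default_factory=list)  # endpoints this credential never matches
    enabled: bool = True


def _in_any(ip, endpoints):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in endpoints)


def applies_to(cred, ip):
    """Enabled, inside the matching criteria (or Match All), and not a matching exception."""
    if not cred.enabled or _in_any(ip, cred.exceptions):
        return False
    return cred.match_all or _in_any(ip, cred.matches)


def plan_attempts(creds, ip, available, disabled, last_success):
    """Ordered (credential, method) pairs to try for ip.

    available    - methods whose port was seen open (SSH is tried only if its port is open)
    disabled     - methods switched off in Discovery Configuration
    last_success - (label, method) recorded at the previous successful login, or None
    """
    plan = []
    for cred in creds:
        if not applies_to(cred, ip):
            continue
        for method in cred.methods:
            if method not in available:
                continue
            # a disabled method is still tried if it is the one recorded as last successful
            if method in disabled and (cred.label, method) != last_success:
                continue
            plan.append((cred, method))
    # the method used at the previous successful login is attempted first
    plan.sort(key=lambda pair: (pair[0].label, pair[1]) != last_success)
    return plan


def scan_host(creds, ip, available, disabled, state, try_login):
    """Try each planned login until one works; state maps ip -> recorded (label, method)."""
    for cred, method in plan_attempts(creds, ip, available, disabled, state.get(ip)):
        if try_login(cred, method, ip):
            state[ip] = (cred.label, method)
            return cred.label, method
    # a recorded method that is now disabled and has failed is not retried until re-enabled
    if ip in state and state[ip][1] in disabled:
        del state[ip]
    return None


def accept_only(*working):
    """Login callback for the example: succeeds only for the given (label, method) pairs."""
    return lambda cred, method, ip: (cred.label, method) in working


# Constructed sample credentials for the example (not real ones)
PROD = Credential("prod-ssh", ["ssh", "telnet"], match_all=False,
                  matches=["10.0.0.0/24"], exceptions=["10.0.0.5"])
FALLBACK = Credential("any-telnet", ["telnet"])  # Match All
```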
Information on the success or failure of credentials is available on the Discovery Status page.
Adding credentials when you have integrated with the CyberArk Enterprise Password Vault is described in the Integrating with CyberArk Enterprise Password Vault page.
User accounts on UNIX and Linux target systems
When creating a user account (the account that BMC Discovery logs in to in order to discover a host) on a UNIX or Linux target host, ensure that you specify the full path to the shell in the user profile; for example, SHELL=/bin/sh. Otherwise, the credentials are considered invalid.
Shell support
BMC Discovery supports the Bourne shell (/bin/sh). In general, the best shell to use for BMC Discovery is /bin/sh, as it is widely available on Linux, UNIX, AIX, and so on. Support for other shells such as the Korn shell is best effort only: the product has been tested only sporadically with them and might work, but with known issues, and BMC might not fix bugs that affect these shells.
To add login credentials
- From the menu bar, select Manage > Credentials. The Credentials page is displayed, showing the Devices tab by default.
- From the top-right corner of the page, select the type of target to use the credential for from the Add drop-down list. The types available are:
  - Unix Host
  - Windows Host
  - Device
  - Cloud Provider
  - Web API
  - Other
  These types are shortcuts: when the Add Credential page is displayed, it is pre-populated with the typical access method for that target type. For example, select UNIX Host to populate the Add Credential page with the ssh and UNIX Settings access methods.
- The Add Credential page is displayed, pre-populated according to your selection. Click the green + icon in the Credential Types field to add more access methods to the credential.
- Choose matching criteria: either select Match All for the credential to be valid for any endpoint (the default), or deselect Match All to enter specific endpoints or ranges.
- To add matching exceptions, that is, endpoints that the credential will never match, click the green + icon in the Matching exceptions field. Enter the endpoints that you do not want this credential to match. You can use the same endpoint types for matching exceptions as you can for matching criteria.
- Check the Enabled box to enable the credentials. You can edit your credentials at any time or disable a given credential.
- In the Label field, specify an appropriate name for the credential. This label is used later for searching for credentials. Specifying a label is mandatory when adding credentials.
- In the Description field, specify a description for the credential.
- In the Username field, specify a username for the credential.
- In the Password field, specify a password for the credential.
  Note: In the Edit Login Credential page, this field is displayed as Set Password. The existing password is shown as a series of asterisks in this field and it cannot be edited. To enter a new password, select the check box; the password entry field is cleared. Now enter the new password.
- Specify additional details for the selected credential type. For more information about these details, see Adding device credentials.
- To save your credential details, click Apply. To exit the page without saving the changes, click Cancel.
Additional details for credential types
The following table lists the information to provide for the various credential types that you can create.
UNIX host credentials
Credential type | Parameter | Description |
---|---|---|
SSH credential | SSH Port | If the host for which this credential is created is configured to listen for SSH connections on a nonstandard port, pick a port from the drop-down list. You can specify only those SSH ports here that are defined in Discovery Configuration on the Administration page. For more information, see TCP and UDP ports to use for initial scan. |
SSH credential | Timeout (in seconds) | Enter a timeout period (in seconds) for a session. This timeout includes the credential handshaking (see also the Session Login Timeout) and is used to control sessions. The default is 180 seconds. In general, the timeout does not limit the time taken to scan a device: more than one session can be used to scan one device, so a scan can take longer than the specified timeout. A typical consequence of this timeout (for example, when the execution of the platform script for getInterfaceList takes longer than this timeout) is that the scan fails with a script failure (error message Connection timed out). |
SSH credential | Private Key File | Specify an existing SSH key that you already have deployed in your organization. Click Browse to locate the private key and click Open to select it. For more detailed information about setting up a private key, see Using SSH keys. |
SSH credential | Passphrase | Specify the passphrase for the UNIX host here. When you click Apply on the Add Credentials page to save the credential, the key and passphrase are validated. We recommend that when you upload the private key to the BMC Discovery machine, you protect the vault with a passphrase. |
SSH credential | SSH Authentication | To use an SSH key or password, select Key or Password. If you have not configured an SSH key, Key is disabled. |
Telnet credential | Telnet port | If the host for which this credential is created is configured to listen for Telnet connections on a nonstandard port, pick a port from the drop-down list. You can specify only those SSH ports here that are defined in the Discovery Configuration window on the Administration tab. For more information, see TCP and UDP ports to use for initial scan. |
Telnet credential | Timeout (in seconds) | Enter a timeout period (in seconds) for a session. This timeout includes the credential handshaking (see also the Session Login Timeout) and is used to control sessions. The default is 180 seconds. In general, the timeout does not limit the time taken to scan a device: more than one session can be used to scan one device, so a scan can take longer than the specified timeout. A typical consequence of this timeout (for example, when the execution of the platform script for getInterfaceList takes longer than this timeout) is that the scan fails with a script failure (error message Connection timed out). |
rLogin credential | Timeout (in seconds) | Enter a timeout period (in seconds) for a session. This timeout includes the credential handshaking (see also the Session Login Timeout) and is used to control sessions. The default is 180 seconds. In general, the timeout does not limit the time taken to scan a device: more than one session can be used to scan one device, so a scan can take longer than the specified timeout. A typical consequence of this timeout (for example, when the execution of the platform script for getInterfaceList takes longer than this timeout) is that the scan fails with a script failure (error message Connection timed out). |
UNIX credential | SU | To use the su command to change to the root or any other user, select Switch User. Enter the user to change to, and the corresponding password. The password text is not echoed to the screen. |
UNIX credential | Username | Username used to log in to hosts identified by the key. |
UNIX credential | Password | Enter the password into the password entry field; the password text is not echoed to the screen. Note: On the Edit Login Credential page, this field is displayed as Set Password. The existing password is shown as a series of asterisks in this field, and it cannot be edited. To enter a new password, select the check box; the password entry field is cleared. Now enter the new password. |
UNIX credential | Session Logging | If you want to create a session log, select Enabled. This selection logs all communication between the BMC Discovery appliance and a host and should be used only for diagnosing discovery problems with that host. No option exists for recording a session log for Windows hosts. |
UNIX credential | Prompt | Regular expression defining the valid prompt characters expected. |
UNIX credential | Force Subshell | To force the session to open a Bourne (/bin/sh) subshell if the default login shell is a C shell (/bin/csh or /bin/tcsh), select Yes. This selection enables you to cater for machines using nonstandard shells. |
Windows host credentials
Credential type | Parameter | Description |
---|---|---|
Windows credential | Not applicable | See Adding Windows proxies. |
Mainview z/OS Agent credentials
Credential type | Parameter | Description |
---|---|---|
Mainview z/OS Agent credential | Mainview Port | Port to use to connect to the mainframe; the default is 3940. To use a different port, select the Enable custom mainview port? check box and choose a port number from the list. The list is populated with port numbers specified at Administration > Discovery Configuration. |
Mainview z/OS Agent credential | Timeout | Enter a timeout period (in seconds) for a session. This timeout includes the credential handshaking (see also the Session Login Timeout) and is used to control sessions. The default is 180 seconds. In general, the timeout does not limit the time taken to scan a device: more than one session can be used to scan one device, so a scan can take longer than the specified timeout. A typical consequence of this timeout (for example, when the execution of the platform script for getInterfaceList takes longer than this timeout) is that the scan fails with a script failure (error message Connection timed out). |
Device credentials
Credential type | Parameter | Description |
---|---|---|
vSphere credential | Timeout | Enter a timeout period (in seconds) for a session. This timeout includes the credential handshaking (see also the Session Login Timeout) and is used to control sessions. The default is 180 seconds. In general, the timeout does not limit the time taken to scan a device: more than one session can be used to scan one device, so a scan can take longer than the specified timeout. A typical consequence of this timeout (for example, when the execution of the platform script for getInterfaceList takes longer than this timeout) is that the scan fails with a script failure (error message Connection timed out). |
vSphere credential | HTTPS Port | To choose a custom HTTPS port, choose from the ports in the list. You must already have configured a custom HTTPS port in Administration > Discovery Configuration. |
vCenter credential | Timeout | The time (in milliseconds) in which a response is expected. The default is 60 seconds. |
vCenter credential | HTTPS Port | To choose a custom HTTPS port, choose from the ports in the list. You must already have configured a custom HTTPS port in Administration > Discovery Configuration. |
SNMP credential | Retries | The number of attempts made if no response is received. The default is five. |
SNMP credential | Timeout | The time (in seconds) in which a response is expected. The default is one second. |
SNMP credential | SNMP Port | To choose an SNMP port, select the check box and choose from the ports in the list. You must already have configured an SNMP port in the Discovery Configuration window. |
SNMP credential | SNMP Version | The SNMP version to use. From the SNMP version list, select one of the following: 1, 2c, or 3. The default is Version 2c. If you are setting up credentials for discovering Netware, you must select Version 1 from the SNMP version list. |
SNMP credential | Use GETBULK | Use GETBULK requests instead of GETNEXT requests. GETBULK improves Discovery performance; however, some devices do not support it correctly, which very occasionally may lead to scanning issues. If you experience scanning issues, uncheck this option to revert to GETNEXT. GETBULK is supported only by SNMP v2c and v3. |
SNMP v1/v2c credential | Community | Community used for SNMP read access to the defined host or hosts; for SNMP V1 and V2c credentials only. |
SNMP v3 credential | Security Name | For SNMP V3 credentials only. |
SNMP v3 credential | Security Level | For SNMP V3 credentials only. Shows the security level selected using the authentication and privacy protocols. No setting exists for privacy without authentication. |
SNMP v3 credential | Authentication Protocol | Protocol used to encrypt the authentication with the client; for SNMP V3 credentials only. Select one of the options from the drop-down list. The hashed passphrase is used to access the target system. The SHA-2 authentication protocols (SHA-224, SHA-256, SHA-384, and SHA-512) are specified in the proposed standard RFC 7860. |
SNMP v3 credential | Authentication Key | The key (passphrase) that will be used to encrypt the credentials; for SNMP V3 credentials only, and only if you have chosen an authentication protocol. Must be at least 8 characters. |
SNMP v3 credential | Privacy Protocol | The protocol used to encrypt data retrieved from the target. Encrypting the data retrieved from a discovery target causes performance degradation compared with no encryption. This is for SNMP V3 credentials only, and only if you have chosen an authentication protocol; that is, you cannot have privacy without authentication. Select one of the options from the drop-down list. |
SNMP v3 credential | Private key | The key (passphrase) that will be used to encrypt the data; for SNMP V3 credentials only, and only if you have chosen a privacy protocol. Must be at least 8 characters. |
WBEM | Timeout | The time (in seconds) in which a response is expected. The default is 180 seconds. WBEM queries may take some time, so you might need to increase this timeout. |
WBEM | Access Protocol | The protocol to use to communicate with the WBEM server. Select HTTP, HTTPS, or both. |
WBEM | WBEM HTTPS Port | To choose a custom HTTPS port, choose from the ports in the list. You must already have configured a custom WBEM HTTPS port in Administration > Discovery Configuration. |
WBEM | WBEM HTTP Port | To choose a custom HTTP port, choose from the ports in the list. You must already have configured a custom WBEM HTTP port in Administration > Discovery Configuration. |
Cisco IMC Web API credential | Timeout | The time (in seconds) in which a response is expected. The default is 180 seconds. |
Cisco IMC Web API credential | HTTPS Port | To specify an HTTPS port for the Web API, choose from the ports in the list. You must already have configured an HTTPS port in Administration > Discovery Configuration. |
HP iLO Web API credential | Timeout | The time (in seconds) in which a response is expected. The default is 180 seconds. |
HP iLO Web API credential | HTTPS Port | To choose a custom HTTPS port, choose from the ports in the list. You must already have configured a custom HTTPS port in Administration > Discovery Configuration. |
EMC VPLEX REST API credential | Timeout | The time (in seconds) in which a response is expected. The default is 180 seconds. |
EMC VPLEX REST API credential | HTTPS Port | To choose an HTTPS port, choose from the ports in the list. You must already have configured an HTTPS port in Administration > Discovery Configuration. |
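The SNMP rules from the table above (version-specific fields, no privacy without authentication, 8-character minimum keys, GETBULK only on v2c/v3, Netware requiring v1) as a pre-check you can run over a credential before entering it. This is an added illustration, not BMC Discovery's own validation; the SnmpCredential fields, the check function and the standard USM security-level names are assumptions, and the drop-down protocol lists are not reproduced.

```python
# Added pre-check for an SNMP credential against the rules in the device credentials
# table on this page. Not BMC Discovery code: SnmpCredential, validate() and the USM
# security-level names (noAuthNoPriv/authNoPriv/authPriv) are assumptions for the example.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SnmpCredential:
    version: str                           # "1", "2c" or "3" (the UI default is 2c)
    community: Optional[str] = None        # v1/v2c only
    security_name: Optional[str] = None    # v3 only
    auth_protocol: Optional[str] = None    # v3 only, e.g. one of the SHA-2 protocols
    auth_key: Optional[str] = None         # v3 only, at least 8 characters
    priv_protocol: Optional[str] = None    # v3 only, requires an authentication protocol
    priv_key: Optional[str] = None         # v3 only, at least 8 characters
    use_getbulk: bool = False              # v2c/v3 only
    retries: int = 5                       # defaults as given in the table
    timeout: int = 1


def security_level(cred: SnmpCredential) -> str:
    """Security level implied by the protocol selection, in standard USM terms."""
    if cred.auth_protocol and cred.priv_protocol:
        return "authPriv"
    if cred.auth_protocol:
        return "authNoPriv"
    return "noAuthNoPriv"


def validate(cred: SnmpCredential, netware_target: bool = False) -> Tuple[str, List[str]]:
    """Return (security level, problems); an empty list means the credential is consistent."""
    errors: List[str] = []
    if cred.version not in ("1", "2c", "3"):
        errors.append(f"unsupported SNMP version {cred.version!r}")
    if netware_target and cred.version != "1":
        errors.append("Netware targets require SNMP version 1")
    if cred.use_getbulk and cred.version == "1":
        errors.append("GETBULK is supported only by SNMP v2c and v3")
    if cred.version == "3":
        if not cred.security_name:
            errors.append("security name is required for v3")
        if cred.community:
            errors.append("community applies to v1/v2c credentials only")
        # the UI offers no privacy-without-authentication setting
        if cred.priv_protocol and not cred.auth_protocol:
            errors.append("privacy without authentication is not a valid setting")
        if cred.auth_protocol and len(cred.auth_key or "") < 8:
            errors.append("authentication key must be at least 8 characters")
        if cred.priv_protocol and len(cred.priv_key or "") < 8:
            errors.append("privacy key must be at least 8 characters")
    else:
        if not cred.community:
            errors.append("community string is required for v1/v2c")
        for name in ("security_name", "auth_protocol", "priv_protocol"):
            if getattr(cred, name):
                errors.append(f"{name} applies to v3 credentials only")
    return security_level(cred), errors
```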
Cloud provider credentials
Credential type | Parameter | Description |
---|---|---|
Amazon Web Services | Access Key ID | The access key ID. The equivalent of a username; it refers to the initial account. The AWS IAM console enables you to download the Access Key ID and Access Secret Key as a CSV file. You can import the CSV file downloaded from the IAM console, reducing the scope for cut-and-paste errors when creating AWS credentials in BMC Discovery. To upload a CSV file containing the Key ID and Secret, click Upload CSV, select the file, and click Open. |
Amazon Web Services | Access Secret Key | The access secret key. The equivalent of a password. If the BMC Discovery appliance is running in an EC2 instance and that instance is associated with an instance profile, you can use that profile rather than an Access Key ID and Access Secret Key. If you leave those fields blank, AWS discovery uses the EC2 instance profile to perform the discovery. In the credential list, the AWS credential is labelled "AWS Access Key ID: From EC2 Instance Profile". |
Amazon Web Services | Assume Roles (ARNs) | (Optional) Use the Amazon Resource Name (ARN) only if you want to apply role-based authentication for a user, application, or service. You must have defined the role earlier in AWS Identity and Access Management (IAM). For information on defining roles, see Creating IAM roles. Example for a single role: To enable role-switching (multiple roles), enter each role as a new-line separated list. For more information on AWS roles and role-switching, see Discovering Amazon Web Services. From the December 2021 TKU, the ARN field supports expansions using Note: If you do not specify the ARN, you will discover the AWS resources associated with the Access Key ID credentials. |
Amazon Web Services | Timeout | The connection timeout and the read timeout (in seconds). The default is 60 seconds. The value specified here applies to two separate timeouts. Consequently, the time before receiving data back on an initial connection could be up to almost twice the timeout value, that is, if the connection time was almost the maximum and the time to read the content was almost the maximum. |
Amazon Web Services | Proxy | If you need to connect to AWS through an HTTPS proxy, enter the details here. This is an authenticating HTTPS proxy rather than a BMC Discovery Windows proxy. |
Microsoft Azure | Directory ID | The Directory ID is a GUID. It is also known as the Tenant ID. The Directory ID can be found in the Azure Active Directory Properties in the Azure Portal. |
Microsoft Azure | Application ID | The Application ID key. The Application ID is a GUID. |
Microsoft Azure | Application Password | The application password. |
Microsoft Azure | Timeout | The connection timeout and the read timeout (in seconds). The default is 60 seconds. The value specified here applies to two separate timeouts. Consequently, the time before receiving data back on an initial connection could be up to almost twice the timeout value, that is, if the connection time was almost the maximum and the time to read the content was almost the maximum. |
Microsoft Azure | Proxy | If you need to connect to Microsoft Azure through an HTTPS proxy, enter the details here. This is an authenticating HTTPS proxy rather than a BMC Discovery Windows proxy. |
Google Cloud Platform | Service Account Key | The key used to access the Google Cloud Platform services. Download the key from the Google Cloud Console as a JSON formatted file and upload the JSON file to BMC Discovery: select Choose File, select the JSON file in the file browser, and click Open. |
Google Cloud Platform | Timeout | The connection timeout and the read timeout (in seconds). The default is 60 seconds. The value specified here applies to two separate timeouts. Consequently, the time before receiving data back on an initial connection could be up to almost twice the timeout value, that is, if the connection time was almost the maximum and the time to read the content was almost the maximum. |
Google Cloud Platform | Proxy | If you need to connect to Google Cloud through an HTTPS proxy, enter the details here. This is an authenticating HTTPS proxy rather than a BMC Discovery Windows proxy. |
OpenStack | User Domain | The overall container for your OpenStack projects, users, and groups. See the OpenStack documentation for more information on user domains. |
OpenStack | Timeout | The connection timeout and the read timeout (in seconds). The default is 60 seconds. The value specified here applies to two separate timeouts. Consequently, the time before receiving data back on an initial connection could be up to almost twice the timeout value, that is, if the connection time was almost the maximum and the time to read the content was almost the maximum. |
OpenStack | Proxy | If you need to connect to OpenStack through an HTTPS proxy, enter the details here. This is an authenticating HTTPS proxy rather than a BMC Discovery Windows proxy. |
Web API credentials
Credential type | Parameter | Description |
---|---|---|
Cisco APIC REST API credential | AAA Domain | The AAA Domain to which the user belongs. Empty by default. |
Cisco APIC REST API credential | Timeout | The time (in seconds) in which a response is expected. The default is 180 seconds. |
Cisco APIC REST API credential | Access Protocol | Check Allow HTTP to enable REST API requests to be made over HTTP. HTTP is not a secure protocol, as communication is not encrypted. This is a security risk that allows access credentials to be stolen. |
AVI Vantage Web API credential | Timeout | The time (in seconds) in which a response is expected. The default is 180 seconds. |
AVI Vantage Web API credential | Access Protocol | Check Allow HTTP to enable REST API requests to be made over HTTP. HTTP is not a secure protocol, as communication is not encrypted. This is a security risk that allows access credentials to be stolen. |
Cisco IMC Web API credential | Timeout | The time (in seconds) in which a response is expected. The default is 180 seconds. |
Cisco IMC Web API credential | HTTPS Port | To specify an HTTPS port for the Web API, choose from the ports in the list. You must already have configured an HTTPS port in Administration > Discovery Configuration. Cisco CIMC can be discovered using an XML API or SNMP. |
HP iLO Web API credential | Timeout | The time (in seconds) in which a response is expected. The default is 180 seconds. |
HP iLO Web API credential | HTTPS Port | To choose a custom HTTPS port, choose from the ports in the list. You must already have configured a custom HTTPS port in Administration > Discovery Configuration. To fully discover an HP iLO Management Controller, valid HP iLO Web API credentials should be set up. However, HP iLO can also be discovered without valid credentials by using the unauthenticated XMLDATA request (GET request to /xmldata?item=all). |
EMC VPLEX REST API credential | Timeout | The time (in seconds) in which a response is expected. The default is 180 seconds. |
EMC VPLEX REST API credential | HTTPS Port | To choose an HTTPS port, choose from the ports in the list. You must already have configured an HTTPS port in Administration > Discovery Configuration. |
RESTful Web API with basic authentication | Timeout | The time (in seconds) in which a response is expected. The default is 180 seconds. |
RESTful Web API with basic authentication | Access Protocol | Check Allow HTTP to enable REST API requests to be made over HTTP. HTTP is not a secure protocol, as communication is not encrypted. This is a security risk that allows access credentials to be stolen. |
RESTful Web API with digest authentication | Timeout | The time (in seconds) in which a response is expected. The default is 180 seconds. |
RESTful Web API with digest authentication | Access Protocol | Check Allow HTTP to enable REST API requests to be made over HTTP. HTTP is not a secure protocol, as communication is not encrypted. This is a security risk that allows access credentials to be stolen. |
RESTful Web API with OAuth2 authentication | Token endpoint | Enter the URL on the target from which the token can be obtained. |
RESTful Web API with OAuth2 authentication | Timeout | The time (in seconds) in which a response is expected. The default is 180 seconds. |
RESTful Web API with OAuth2 authentication | Access Protocol | Check Allow HTTP to enable REST API requests to be made over HTTP. HTTP is not a secure protocol, as communication is not encrypted. This is a security risk that allows access credentials to be stolen. |
Nimble Web API with token authentication | Login path | Leave the Login Path field as is unless changes were made on the Nimble storage API side. The field value (/v1/tokens) is not a login path but the token resource on the Nimble storage API (used to obtain a token for REST API authentication). This path is configurable across versions of Nimble storage and is therefore left as a configurable option; using the default path is recommended. If the default path does not work, contact your Nimble Storage vendor and update the credential. |
Nimble Web API with token authentication | Timeout | The time (in seconds) in which a response is expected. The default is 180 seconds. |
Nimble Web API with token authentication | Access Protocol | Check Allow HTTP to enable REST API requests to be made over HTTP. HTTP is not a secure protocol, as communication is not encrypted. This is a security risk that allows access credentials to be stolen. |
vSphere Web API with token authentication | Timeout | The time (in seconds) in which a response is expected. The default is 180 seconds. |
Comments
The "Presets" drop-down list field quoted above doesn't exist. The image was changed, but not the text.
Hi,
Thanks for your observation. Yes, the Presets list is no longer available in the UI. We have removed the text relevant to it.
Regards.
The option to add credentials for Mainview z/OS Agent is not available on the Add drop-down list. You have to add a Unix credential and choose Mainview z/OS Agent as the Credential Type.
Thanks for pointing this out. We've removed the entire bullet list itself (including Mainview z/OS Agent) because in any case step 2 clearly lists out the types of targets (UNIX Host, Windows Host, etc.) for which a user can add credentials. Further, the Additional details for credential types section provides field details for all sub-types, such as Mainview z/OS Agent etc.
Regards.