System communications and network ports
The core of the application manages the discovery and reasoning engines. It consistently interacts with the security engine to ensure user authentication and request authorization so that each action taken by the application can only be triggered from the application itself or by a user through the application UI or command line. External communications between the user and the application can be configured to use HTTPS.
The encryption of communication between the discovery engine (appliance or Windows proxy) and the target depends on the discovery method used. For example, ssh is encrypted, but telnet and rlogin (which might both be disabled) are not. Discovery credentials can be configured to use a user supplied SSH key per credential. These keys and their associated passphrases are stored in the credential vault. It is recommended that SSH keys are always protected with a strong passphrase.
This topic contains the following sections:
Secure communications
Secure communications between elements of the system use CORBA over TLS (Transport Layer Security). The TLS communication is negotiated between client and server based on the version of OpenSSL in use. OpenSSL is continually upgraded as part of the OS update, and it will always negotiate the best practice algorithms. For example, an updated proxy connecting to an updated appliance could use the following:
$ openssl s_client -connect proxy.host.name:4321
[…]
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
where:
- Protocol: TLSv1.2
- Encryption: AES_256_GCM
- Message hashing: SHA-256
- Key Exchange: DHE_RSA (2048)
It is enabled using certificates in the following locations:
- Each appliance (scanning or consolidation)
- Each Windows proxy
Certificate Authority public certificate on each appliance and proxy
This refers to communications between components of the BMC Discovery system, not communications between BMC Discovery and discovery targets, or between the user's web browser and the appliance UI.
For more information, see Secure deployment.
Apache SSL key passphrases
BMC recommend that you do not passphrase the Apache SSL server key used by the appliance. Doing so requires entry of the passphrase at service start-up, which conflicts with the following operations:
- Resetting configuration of a machine (invoked from the Cluster Management UI and when a machine leaves the cluster)
- Configuring HTTPS (via the UI and possibly when sending configuration to cluster members). A specific issue is that once a passphrase is applied it is no longer possible to restart HTTPS via the UI, without first regenerating the server key.
- Atrium SSO (via the UI and possibly when sending configuration to cluster members)
- Backup/Restore (as SSL keys are restored)
End-user authentication
End-user application authentication is critical to the security of the entire solution. BMC Discovery supports a number of Web authentication plug-ins and various levels of authentication strength, requiring one of many authentication factors:
- SSL Client Certificate Verification–Strong authentication using a public key infrastructure certificate. The client's SSL Certificate is verified by the Web server. The user name is extracted from the certificate and used for authorization via LDAP.
- SSL Certificate Lookup–The user is authenticated by looking up custom parts of the client's SSL Certificate via LDAP. The certificate is not verified, but it must be valid.
- LDAP Authentication–The user is authenticated against an LDAP server by entering a username and password.
- Standard Web Authentication–The user is authenticated as a local user by entering a username and password.
Secure export to CMDB
The preferred communication between BMC Discovery and BMC CMDB uses the CMDB REST API, and for this, we recommend using HTTPS rather than HTTP.
The legacy CMDB API is still supported, though the CMDB REST API access mechanism is preferred as it uses a more secure encryption protocol.
Ports used for System Communication
The following ports are used by the BMC Discovery and you might need to open them on a firewall for correct operation. These will be required in addition to the ports directly used for Discovery communications and network ports.
Incoming Appliance User Interface ports
These ports need to be open to access the UI and CLI for both normal operation and administration of updates. Enabling HTTPS in BMC Discovery allows any protocols except SSLv1 and SSLv2. The Apache module (mod_ssl) used to provide SSL and TLS support supports TLS v1.2
The appliance accepts incoming client connections on the following ports:
Port Number | Port assignment | Use |
---|---|---|
22 | SSH | Appliance CLI access |
80 | HTTP | Redirects to HTTPS (443) by default |
443 | HTTPS | Main UI Secure |
Incoming / Outgoing Appliance Consolidation port
Consolidation uses TLS communication. The scanning appliances connect to the consolidation appliance using TLS 1.2 to transfer CORBA messages:
Port Number | Port assignment | Use |
---|---|---|
25032 | TLS/CORBA | Consolidation data |
Incoming / Outgoing Appliance Clustering ports
Clusters use TLS communication to communicate between members. All members of the cluster both create outgoing connections to these ports and accept incoming connections on them:
Port Number | Port assignment | Use |
---|---|---|
25030 | TLS/CORBA | Cluster management |
25031 | TLS/CORBA | Data store |
25032 | TLS/CORBA | Reasoning |
Outgoing Appliance Service ports
These ports will be used in general operation. If configured, email alerts will be sent under certain conditions and an SMTP relay needs to be accessible to do this. As part of discovery the current domain names of IPs will be looked up, so access to your DNS infrastructure is required for this to work. It is essential for correct operation of the system that accurate time is kept for timestamps and access to an NTP service might be required for this. If Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) UI user authentication is required, then access to your AD or LDAP infrastructure is also required.
Port Number | Port assignment | Use |
---|---|---|
25 | SMTP | Email Relay |
53 | DNS | Domain Name Lookup |
123 | NTP | Time Synchronization |
389 | LDAP | LDAP UI User Authentication |
636 | LDAPS | Secure LDAP UI User Authentication |
Outgoing appliance backup ports (Windows server)
These ports are used for communication when you back up an appliance or cluster onto a Windows server.
Port Number | Port assignment | Use |
---|---|---|
135 | DCE RPC Endpoint Manager. | Appliance backup to Windows server |
139 | Netbios Session Service | Appliance backup to Windows server |
445 | Microsoft Directory Services SMB | Appliance backup to Windows server |
Outgoing Appliance CMDB Sync ports
The BMC Atrium CMDB is built on the AR System platform, which uses a portmapper approach to do RPC calls in much the same way that WMI access occurs. As such, unless action is taken the ports used are 111 to contact the portmapper and an ephemeral port is used for the duration of the connection. You are advised to avoid having a firewall between the appliance and the CMDB unless your CMDB is set to use a fixed port by setting the ARTCPPORT variable.
Port Number | Port assignment | Use |
---|---|---|
ARTCPPORT Value | AR System | CMDB Sync |
Incoming Windows Proxy / Outgoing Appliance ports
The Windows proxies listen for incoming connections from appliances. Communication uses TLS 1.2 connections containing CORBA messages. You can configure the ports by using the Windows Proxy Manager. The default port numbers are:
Port Number | Port assignment | Use |
---|---|---|
4321 | TLS/CORBA | Active Directory Proxy |
4322 | TLS/CORBA | Obsolete Workgroup Proxy |
4323 | TLS/CORBA | Credential Proxy |
Comments
Log in or register to comment.