To discover data in your IT environment, BMC Discovery requires access to host systems and other network and management devices. BMC Discovery appliances store credentials and other login details, including IDs and passwords, and credential-like entities (data sources, Windows proxies and SNMP credentials) in secure credential vaults.
The appliance vault is protected by a 512-bit passphrase. You can configure your own passphrase for the appliance vault instead of using the default, but we strongly recommend using the default to avoid losing access to the vault through a mistyped or forgotten passphrase. Once a custom passphrase is configured, it is required every time the discovery process is run.
Each BMC Discovery Outpost also has a credential vault. The BMC Discovery Outpost vault containing the credentials is encrypted with a generated passphrase when the Outpost registers with a BMC Discovery appliance. The passphrase is unique to each BMC Discovery appliance/Outpost pair. Where an Outpost is registered with more than one BMC Discovery appliance, a unique passphrase is stored for each appliance.
Credentials are not shared between vaults. That is:
- A discovery scan from an appliance can only use credentials from its own vault.
- A discovery scan from a BMC Discovery Outpost can only use credentials from its own vault.
The appliance acts as a standalone entity that is enabled by default to perform discovery tasks. If you specify a discovery of an endpoint and do not specify a BMC Discovery Outpost, the appliance performs the discovery. If the appliance does not have a valid credential for that endpoint, the discovery fails, regardless of whether a BMC Discovery Outpost holds a valid credential for it.
Windows proxies managed by Discovery Outpost
For Windows credentials, the Outpost creates and manages a single credential proxy service that serves one or more Windows credentials.
For AD credentials, the Outpost automatically creates, updates, and deletes an AD Proxy service for each AD credential. An "AD credential" in this context is created when you choose Active Directory as the credential type in the Outpost credential UI.
For an AD credential, the username and password are not stored in the Outpost vault. Instead, the AD Proxy service is started under that account, and Windows itself stores the authentication token associated with the service. In effect, the "credential" is retained by the Windows service control manager rather than by BMC Discovery.
The error "The username is not valid" appears when you create an AD credential from an Outpost whose host is not joined to an Active Directory domain.
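Because the AD Proxy credential lives in the service control manager rather than in the vault, the place to audit it is the service list on the Outpost host. The following PowerShell is an added example, not BMC's own code: it lists every service that runs under a named logon account rather than a built-in one, which is how the proxy services will show up. The Outpost's proxy service names are not documented here, so the filter is on the logon account only; the `DOMAIN\` pattern is an assumption you should replace with your own domain.

```powershell
# Added example (not BMC Discovery code): audit which services on this Outpost
# host run under a named account. Proxy services created for AD credentials
# appear here with the AD account as StartName.
$builtin = @(
    'LocalSystem',
    'NT AUTHORITY\LocalService',  'NT AUTHORITY\LOCAL SERVICE',
    'NT AUTHORITY\NetworkService', 'NT AUTHORITY\NETWORK SERVICE'
)

$namedAccountServices = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -and ($builtin -notcontains $_.StartName) } |
    Select-Object Name, DisplayName, StartName, State, StartMode, PathName |
    Sort-Object StartName, Name

$namedAccountServices | Format-Table -AutoSize

# Optional: narrow to services using a domain account. 'DOMAIN\' is an
# assumed placeholder; substitute your NetBIOS domain name.
$namedAccountServices |
    Where-Object { $_.StartName -like 'DOMAIN\*' } |
    ForEach-Object {
        "{0} runs as {1} ({2}, {3})" -f $_.Name, $_.StartName, $_.State, $_.StartMode
    }
```

Run it as a local administrator on the Outpost host. Treat the host accordingly: a service logon password is held by Windows for the service control manager (in the LSA secrets store) and is recoverable by local administrators on that machine, so the set of people who can administer the Outpost host is the set of people who can obtain the AD credential.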
You can manage credentials held in the appliance and on an Outpost from the BMC Discovery UI. In the BMC Discovery UI, the Manage > Credentials page lists the available credentials.
The Credentials page lists the credentials held in the appliance. If you have a registered BMC Discovery Outpost, the credentials held on that Outpost are listed below them as shadow credentials. A shadow credential does not contain the actual credential; it carries only the UI label of the real credential, which remains in the Outpost vault.
If you have permission to configure credentials:
- When you click a credential held in the appliance, the Edit Credential page is displayed; there you can edit the real credential.
- When you click a shadow credential held on the Outpost, you are redirected to the UI of the Outpost that holds the corresponding real credential. You are logged into the Outpost in a new browser tab as the user with which you were logged into the BMC Discovery UI.
For more information on editing credentials, see Editing credentials.
Managing credentials using the REST API
With the introduction of data sources in BMC Discovery version 20.02 (12.0), credential types have been recategorized. Existing searches using the REST API might no longer return the same results as in previous versions. Use the REST API credential listing to determine the current categories of your credentials.
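One way to check how your credentials are now categorized is to pull the listing over the REST API and group it by type. The script below is an added example, not BMC's own code. It assumes the vault listing endpoint `/api/v1.1/vault/credentials`, bearer-token authentication via the `Authorization` header, and response objects carrying `uuid`, `label`, `types` and `enabled` fields; confirm those against your appliance's API reference. The `SAMPLE_RESPONSE` data is constructed for the offline demonstration and is not real appliance output.

```python
"""Group BMC Discovery credentials by type via the REST API.

Added example, not BMC code. Assumed (not confirmed by the page): the
endpoint /api/v1.1/vault/credentials, bearer-token auth, and the fields
uuid, label, types, enabled on each credential object.
"""
import json
import ssl
import urllib.request
from collections import defaultdict


def fetch_credentials(appliance, token, timeout=30):
    """GET the vault credential listing from an appliance.

    Network call; not exercised by the offline demo below. TLS verification
    is left at the default (on): do not disable it for a credential endpoint.
    """
    url = f"https://{appliance}/api/v1.1/vault/credentials"  # assumed path
    req = urllib.request.Request(
        url,
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, context=ssl.create_default_context(),
                                timeout=timeout) as resp:
        return json.load(resp)


def categorize(credentials):
    """Map each credential type to the sorted labels that carry it.

    A credential with several types is listed under each of them, which is
    why a search keyed on a single type can return a different set after
    the 20.02 recategorization than before.
    """
    by_type = defaultdict(list)
    for cred in credentials:
        for cred_type in cred.get("types") or ["(untyped)"]:
            by_type[cred_type].append(cred["label"])
    return {t: sorted(labels) for t, labels in sorted(by_type.items())}


def disabled_labels(credentials):
    """Labels of credentials that are present but switched off."""
    return sorted(c["label"] for c in credentials if not c.get("enabled", True))


# Constructed sample response for offline use; field names are assumptions.
SAMPLE_RESPONSE = [
    {"uuid": "c1", "label": "linux-ssh-prod", "types": ["ssh"], "enabled": True},
    {"uuid": "c2", "label": "win-proxy-east", "types": ["windows"], "enabled": True},
    {"uuid": "c3", "label": "net-snmp-ro", "types": ["snmp"], "enabled": False},
    {"uuid": "c4", "label": "vcenter-api", "types": ["vmware", "http"], "enabled": True},
]


if __name__ == "__main__":
    # Replace SAMPLE_RESPONSE with fetch_credentials("appliance.example", token)
    # to run against a live appliance.
    for cred_type, labels in categorize(SAMPLE_RESPONSE).items():
        print(f"{cred_type:10s} {', '.join(labels)}")
    print("disabled:", ", ".join(disabled_labels(SAMPLE_RESPONSE)) or "none")
```

Keep the API token out of the script and out of shell history; read it from an environment variable or a secrets manager when you swap in the live call.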
The following topics are covered in this section:
- Adding credentials
- Adding data sources
- Using SSH keys
- Adding Windows proxies
- Editing credentials
- Testing credentials
- Managing the credential vault
- Exporting and importing the credential vault
- Best practices with credentials