21.3 (12.3) enhancements

BMC Discovery 21.3 (12.3) runs on CentOS 7 or Red Hat Enterprise Linux. You can upgrade directly to BMC Discovery version 21.3 (12.3) from version 20.02 (12.0) and later if you retain the same OS. To move from CentOS 7 to Red Hat Enterprise Linux you must install BMC Discovery 21.3 (12.3) on Red Hat Enterprise Linux and then migrate your data. To migrate your data, you must back up the CentOS based appliance and restore it to a new BMC Discovery appliance running on Red Hat Enterprise Linux. To move from Red Hat Enterprise Linux to CentOS you must install BMC Discovery 21.3 (12.3) on CentOS and then migrate your data.

If you are new to BMC Discovery, we recommend that you see Getting started as an introduction to using the product.

Integration with third-party credential manager HashiCorp Vault

BMC Discovery supports integration with a new third-party credential manager, HashiCorp Vault. HashiCorp Vault is an application software that stores and manages credentials securely, according to the policies that your organization implements.

For the BMC Discovery appliance to be able to access HashiCorp Vault, you must perform the integration from the appliance on the Administration > Vault Management page.

For a registered BMC Discovery Outpost to be able to access HashiCorp Vault, you must also perform the integration from the BMC Discovery Outpost.

For information on performing the integration, see Integrating with HashiCorp Vault.

Introducing Kerberos authentication for discovery credentials

Kerberos is a widely used authentication protocol that uses mutual encryption and a trusted third party, to enable a client and server to verify their identities. BMC Discovery supports Kerberos authentication for target discovery by using SSH credentials. Kerberos authentication uses realms as logical network groupings, each administered by a Key Distribution Center (KDC) that has the authority to authenticate a user, host, or service. 

To configure BMC Discovery to discover, you must add the realm administering the target and authenticate the appliance with the realm's KDC. You perform all Kerberos realm configurations from the Kerberos page.

After the appliance joins the realm, you can test whether a user can obtain a ticket-granting ticket (TGT) for that realm.

You can add an ssh credential that uses Kerberos authentication from the Credentials page. Known or added realms are available in a list when you add a credential.

A new tw_kerberos utility enables you to perform Kerberos operations from the command line.

For information on using Kerberos authentication, see Adding Kerberos realms for discovery authentication, Adding credentials, and tw_kerberos.

Introducing OpenShift OAuth authentication

Discovering Red Hat OpenShift clusters has been simplified by the addition of OpenShift OAuth authentication. Red Hat OpenShift clusters are discovered by using an API scan and an improved Kubernetes/OpenShift credential. The OpenShift OAuth authentication obtains an OAuth token from the OpenShift REST API Well Known Endpoint (WKE) using the provided username and password. Once the token is obtained, it is used to access and discover the OpenShift clusters specified in the credential.

OpenShift OAuth provides the ability to discover many OpenShift clusters using a single credential. The WKE authorization server must be resolvable.

For more information, see Discovering Red Hat OpenShift clusters and Adding credentials.

Scanning performance improvements

In many environments, scanning is now faster. It benefits from more efficient rule indexing, and better system utilization on large appliances and large clusters.

Miscellaneous changes

REST API is now available in the Community Edition of BMC Discovery. These APIs enable you to perform a variety of tasks, such as submitting discovery runs or managing credentials that you currently perform through the BMC Discovery UI.