This documentation supports the 21.3 (12.3) version of BMC Discovery.


Adding Kerberos realms for discovery authentication

Kerberos is a widely used authentication protocol that relies on mutual encryption and a trusted third party to let a client and a server verify each other's identities. BMC Discovery supports Kerberos authentication for target discovery by using SSH credentials.

Kerberos authentication uses realms as logical network groupings, each administered by a Key Distribution Center (KDC) that has the authority to authenticate a user, host, or service. 

Before you begin

Kerberos authentication relies on the following:

  • Accurate timings—BMC Discovery, the BMC Discovery Outpost, and the KDC must use NTP. 
  • Hostnames—DNS must be enabled, and the hostnames must match. That is, hostname is not the same as hostname.company.com.

To add a Kerberos realm for discovery authentication

To configure BMC Discovery to discover targets by using Kerberos authentication, you must add the realm that administers the target and authenticate the appliance and the BMC Discovery Outpost with the realm's KDC. You can perform all Kerberos realm configuration from the Kerberos page.

For advanced options and automations, see the Kerberos endpoints in the REST API, and the command line utility, tw_kerberos.

  1. From the main menu, click the Administration icon, and in the Discovery section, select Kerberos.
    Alternatively, from the BMC Discovery Outpost Manage menu, select Kerberos.
  2. The Kerberos page displays details of any realms already added.
  3. Click Add a Realm.
    The Add a Realm dialog box is displayed. Enter the following information:

    Field name          Description
    Realm               The realm name.
    KDC                 The KDC name or IP address.
    KDC Port            The port to use on the KDC. The default is 88. You only need to add a port if it is not the default.
    Admin Server        The admin server name or IP address. If you do not set a value here, the system uses the KDC name or IP address.
    Admin Server Port   The port to use on the admin server. The default is 749. You only need to add a port if it is not the default.

  4. Click Apply to add the realm.
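The dialog fields above map directly onto a standard MIT Kerberos [realms] entry (kdc = host:port, admin_server = host:port), with the page's defaults of port 88 and 749 and the admin server falling back to the KDC. The following is an added illustration, not BMC Discovery code and not how the appliance stores the realm internally: it renders that entry from the dialog values and enforces the DNS precondition that hosts be fully qualified names or IP addresses. The RC4-family entries it flags are taken from the supported-encryption list on this page.

```python
import ipaddress
import re

# Defaults stated on the page: KDC port 88, admin server port 749,
# and an empty Admin Server means "use the KDC".
KDC_DEFAULT_PORT = 88
ADMIN_DEFAULT_PORT = 749
# RC4-family types from the page's supported list; MIT Kerberos deprecates them.
LEGACY_ENCTYPES = {"arcfour-hmac", "rc4-hmac", "arcfour-hmac-md5"}
# One or more dotted DNS labels; a bare short name such as "kdc" does not match.
FQDN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I)


def is_fqdn_or_ip(host):
    """True if host is an IP address or a fully qualified hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(FQDN_RE.match(host))


def realm_stanza(realm, kdc, kdc_port=None, admin_server=None, admin_port=None):
    """Render the [realms] entry that corresponds to the Add a Realm dialog values."""
    admin = admin_server or kdc  # page: no Admin Server value means use the KDC
    for host in (kdc, admin):
        if not is_fqdn_or_ip(host):
            raise ValueError(f"{host!r} is not a fully qualified hostname or IP address")
    kdc_port = kdc_port or KDC_DEFAULT_PORT
    admin_port = admin_port or ADMIN_DEFAULT_PORT
    # Only non-default ports are written, mirroring the dialog's guidance.
    kdc_line = kdc if kdc_port == KDC_DEFAULT_PORT else f"{kdc}:{kdc_port}"
    admin_line = admin if admin_port == ADMIN_DEFAULT_PORT else f"{admin}:{admin_port}"
    return (
        f"[realms]\n    {realm} = {{\n"
        f"        kdc = {kdc_line}\n"
        f"        admin_server = {admin_line}\n"
        "    }\n"
    )


def legacy_enctypes(enctypes):
    """Return the deprecated RC4-family types present in an enctype list."""
    return sorted(e for e in enctypes if e.lower() in LEGACY_ENCTYPES)


if __name__ == "__main__":
    # Constructed sample values, not a real realm.
    print(realm_stanza("EXAMPLE.COM", "kdc.example.com", admin_port=7749))
    print(legacy_enctypes(["aes256-cts-hmac-sha1-96", "rc4-hmac"]))
```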

To test authentication

The authentication test is a test of whether the principal name and password can be used to obtain a Ticket Granting Ticket (TGT) from the KDC. The principal name and password that you enter are not stored. You use the same principal name and password to add credentials that use the realm.

  1. In the Kerberos page, click the Actions menu for the realm for which you want to test authentication.
  2. Click Test Authentication...
    The Test KDC Authentication dialog box is displayed. Enter the following information:

    Field name       Description
    Principal Name   The user principal name with which to test authentication.
    Password         The corresponding password.

  3. Click Test.
    The test result is displayed.

Encryption and SSH support

BMC Discovery uses the following types of encryption.

  • aes256-cts-hmac-sha1-96
  • aes256-cts
  • aes256-sha1
  • aes128-cts-hmac-sha1-96
  • aes128-cts
  • aes128-sha1
  • aes256-cts-hmac-sha384-192
  • aes256-sha2
  • aes128-cts-hmac-sha256-128
  • aes128-sha2
  • camellia256-cts-cmac
  • camellia256-cts
  • camellia128-cts-cmac
  • camellia128-cts
  • arcfour-hmac
  • rc4-hmac
  • arcfour-hmac-md5

Modifying the encryption type is not supported.

For more information on the encryptions, see:

  • MIT Kerberos
  • Microsoft Windows Kerberos

BMC Discovery supports Kerberos authentication for target discovery by using SSH credentials with standard SSH clients. Although BMC Discovery can be configured to use Tectia SSH and X.509 certificates, these are not supported for Kerberos authentication.
