System communications and network ports

The core of the application manages the discovery and reasoning engines. It consistently interacts with the security engine to ensure user authentication and request authorization so that each action taken by the application can only be triggered from the application itself or by a user through the application UI or command line. External communications between the user and the application are only permitted to use HTTPS.

The encryption of communication between the discovery engine (appliance or Windows proxy) and the target depends on the discovery method used. For example, SSH is encrypted, but telnet and rlogin (which might both be disabled) are not. Discovery credentials can be configured to use a user-supplied SSH key per credential. These keys and their associated passphrases are stored in the credential vault. It is recommended that SSH keys are always protected with a strong passphrase.

Important

The rlogin access method that is used to connect to an endpoint is not a secure protocol as communication is not encrypted. Rlogin is not available in the BMC Discovery Outpost UI. If required, you can use rlogin in the appliance UI.

Secure communications

Secure communications between elements of the system use CORBA over TLS (Transport Layer Security) with the following details:

  • Protocol: TLSv1.3
  • Encryption: AES_256_GCM
  • Message hashing: SHA-384
  • Key Exchange: DHE (2048)

It is enabled using certificates in the following locations:

Security of communication and data between BMC Discovery Outpost and the appliance 

  1. You must register the Outpost with the BMC Discovery appliance, and the BMC Discovery appliance with the Outpost. The registration process ensures that: 
    • The BMC Discovery appliance listens only for Outposts that you have registered it with.
    • Your Outposts only ask for jobs from the BMC Discovery appliance that you have registered them with.

  1. Communication between the Outpost and the BMC Discovery appliance is always encrypted, and always sent over HTTPS . 
  2. The registration process establishes the second level of encryption of the messages between the Outpost and the appliance, which means that we do not just rely on the security of HTTPS communications. The Outpost can communicate with the appliance by using web proxies, and even if a decrypting web proxy is used to transport the messages, the content cannot be read.
    • Messages are encrypted by using tokens exchanged at registration that are used for AES encryption, ensuring that only that Outpost and that appliance can read the messages.
    • The encrypted messages are sent over HTTPS.
  3. Communication between the Outpost and the BMC Discovery appliance is always from the Outpost to the BMC Discovery appliance. Communication is never initiated by the BMC Discovery appliance. 
  4. Credentials to access and discover your infrastructure never leave your premises.

For more information, see Secure deployment.

Apache SSL key passphrases

BMC recommend that you do not passphrase the Apache SSL server key used by the appliance. Doing so requires entry of the passphrase at service start-up, which conflicts with the following operations:

  • Resetting configuration of a machine (invoked from the Cluster Management UI and when a machine leaves the cluster)
  • Configuring HTTPS (via the UI and possibly when sending configuration to cluster members). A specific issue is that once a passphrase is applied it is no longer possible to restart HTTPS via the UI, without first regenerating the server key.
  • Remedy SSO
  • Backup/Restore (as SSL keys are restored)

End-user authentication

End-user application authentication is critical to the security of the entire solution. BMC Discovery supports a number of Web authentication plug-ins and various levels of authentication strength, requiring one of many authentication factors:

  • SSL Certificate Lookup–The user is authenticated by looking up custom parts of the client's SSL Certificate via LDAP. The certificate is not verified, but it must be valid.
  • LDAP Authentication–The user is authenticated against an LDAP server by entering a username and password.
  • Standard Web Authentication–The user is authenticated as a local user by entering a username and password.

Secure export to CMDB

The preferred communication between BMC Discovery and BMC CMDB uses the CMDB REST API, and for this, we recommend using HTTPS rather than HTTP.

The legacy CMDB API is still supported, though the CMDB REST API access mechanism is preferred as it uses a more secure encryption protocol

Ports used for system communication

The following ports are used by the BMC Discovery and you might need to open them on a firewall for correct operation. These will be required in addition to the ports directly used for Network ports used for discovery communications.

Incoming appliance user interface ports

These ports need to be open to access the UI and CLI for both normal operation and administration of updates. HTTPS in BMC Discovery only accepts TLS v1.3.

The appliance accepts incoming client connections on the following ports:

Port Number

Port assignment

Use

22

SSH

Appliance CLI access

443

HTTPS

Main UI Secure

HTTP access to the appliance is not permitted. 

Incoming and outgoing appliance port for communication with the BMC Discovery Outpost

See Security of communication and data between BMC Discovery Outpost and appliance.

Port Number

Port assignment

Use

443

HTTPS

Main BMC Discovery Outpost

Incoming and outgoing appliance consolidation port

Consolidation uses TLS communication. The scanning appliances connect to the consolidation appliance using TLS 1.3 to transfer CORBA messages:

Port Number

Port assignment

Use

25032

TLS/CORBA

Consolidation data

Incoming and outgoing appliance clustering ports

Clusters use TLS communication to communicate between members. All members of the cluster both create outgoing connections to these ports and accept incoming connections on them:

Port Number

Port assignment

Use

25030

TLS/CORBA

Cluster management

25031TLS/CORBADatastore
25032TLS/CORBA

Reasoning

Incoming user authentication and authorization

Where BMC Discovery is integrated with other BMC Helix products, user authentication/authorization uses this port:

Port Number

Port assignment

Use

25033

TLS/CORBA

Authentication/authorization for permitted BMC Helix users.

Outgoing appliance service ports

These ports will be used in general operation. If configured, email alerts will be sent under certain conditions and an SMTP relay needs to be accessible to do this. As part of discovery, the current domain names of IPs will be looked up, so access to your DNS infrastructure is required for this to work. For the correct operation of the system, accurate time is kept for timestamps and access to an NTP service might be required for this. If Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) UI user authentication is required, then access to your AD or LDAP infrastructure is also required.

Port Number

Port assignment

Use

25

SMTP

Email Relay

53

DNS

Domain Name Lookup

123

NTP

Time Synchronization

389

LDAP

LDAP UI User Authentication

636

LDAPS

Secure LDAP UI User Authentication

Outgoing appliance backup ports (Windows server) 

These ports are used for communication when you back up an appliance or cluster onto a Windows server.

Port Number

Port assignment

Use

135

DCE RPC Endpoint Manager.
DCOM Service Control

Appliance backup to Windows server

139

Netbios Session Service

Appliance backup to Windows server

445Microsoft Directory Services SMB

Appliance backup to Windows server

Outgoing appliance CMDB sync ports

The BMC Remedy CMDB is built on the AR System platform, which uses a portmapper approach to make RPC calls in much the same way that WMI access occurs. As such, unless action is taken, the ports used are 111 to contact the portmapper, and an ephemeral port is used for the duration of the connection. You are advised to avoid having a firewall between the appliance and the CMDB unless your CMDB uses a fixed port by setting the ARTCPPORT variable. 

Port Number

Port assignment

Use

ARTCPPORT Value

AR System

CMDB Sync

The BMC Discovery appliance can also sync to the BMC Remedy CMDB using the REST API.

Port Number

Port assignment

Use

8443AR System REST APICMDB sync

Incoming Windows proxy and outgoing appliance ports

The Windows proxies listen for incoming connections from appliances. Communication uses TLS 1.3 connections containing CORBA messages. You can configure the ports by using the Windows Proxy Manager. The default port numbers are:

Port Number

Port assignment

Use

4321

TLS/CORBA

Active Directory Proxy
4322TLS/CORBAObsolete Workgroup Proxy
4323TLS/CORBACredential Proxy
Was this page helpful? Yes No Submitting... Thank you

Comments