Adding credentials


You add credentials from the Manage > Credentials page on the Discovery Outpost.

 

To add a credential, select the type of credential you want to add from the Add menu. The Add credential page is displayed. This page enables you to enter general details for the credential and, depending on the specific credential type, any additional parameters. For example, for a Linux host, you can specify an SSH key to use for authentication, or a username/password combination for escalated privileges. If you add an exception for matching IP addresses, the label of the credentials is updated with the exception.

You can use the following procedure to add credentials for Linux or Windows hosts, management controllers, network devices, storage devices, and so on. The preferred method of accessing remote devices using BMC Helix Discovery is by remote login. 

You can set up different login credentials to use on different computers, by individual IP address or by a range of addresses. You can set up several access methods and define the order in which they are attempted. Each access method is attempted in turn until a working credential is found or the list is exhausted. When BMC Helix Discovery successfully logs in to a host, the access method that was used for the login is recorded. On subsequent scans, the access method used during the previous successful login to the host is attempted first. However, you must configure appropriate options on the BMC Helix Discovery configuration pages in the service UI for the successful attempts.

If an access login method (for example, telnet) is disabled and that method is recorded as the last successful login method, it is tried again on a subsequent scan. If it fails on that scan, then that method is not tried again until it is re-enabled. An access method is attempted only if it is seen to be available (for example, SSH access is attempted only if the SSH port is open).

Information on the success or failure of credentials is available on the Discovery Status page.

Tip

Credential brokers

Adding credentials when you have integrated with one of the supported credential brokers is described in the following topics:

User accounts on UNIX and Linux target systems

When creating a user account (the account that BMC Helix Discovery logs into to discover a host) on a UNIX or Linux target host, ensure that you specify the full path to the shell in the user profile; for example, SHELL=/bin/sh. Otherwise, the credentials are considered invalid. 

Note

Regarding shell support, BMC Helix Discovery is tested to work with Bourne and Bourne-compatible shells (/bin/sh). In general, the best shell to use for BMC Helix Discovery is /bin/sh, as it is widely available on Linux, Unix, AIX, and so on. Support for other shells, such as the Korn shell, is best effort only: the product has been sporadically tested with them and might work, but with known issues, and BMC might not fix bugs that affect these shells.

Discover devices by using REST APIs

To add login credentials 

  1. From the menu bar, select Manage > Credentials.
    The Credentials page is displayed.
  2. From the top-right corner of the page, click the Add list to view the type of target for which you want to add the credential. The available types are:

    • Network Device
    • Database
    • Host
    • Cloud
    • Storage Device
    • Management Controller
    • Custom Credential
    • Web API

      Each type contains options under it. You can click an option to view the Add Credential page and enter details for the option. 
      For example, under Host, click SSH to populate the Add Credential page with the ssh and UNIX Settings access methods. The Add Credential page is displayed, pre-populated with fields relevant to your selection.

  3. (Optional) If you have configured integration with a credential broker, select the vault source from the list menu. It can be one of the following: 

  4. If you need to add more access methods to the selected credential type, click the + icon in the Credential Types field or proceed to the next step.

  5. Choose the matching criteria. Either select Match All for the credential to be valid for any endpoint (the default), or deselect Match All to enter specific endpoints or ranges.

  6. To add matching exceptions, that is, endpoints that the credential will never match, click the + icon in the Matching exceptions field and enter the endpoints that you do not want this credential to match. You can use the same endpoint types for matching exceptions as you can for matching criteria. 

     Additional tips for entering matching criteria and matching exceptions

    For matching criteria, select Match All to match all endpoints; deselect it to enter values that will be used to determine if this credential is suitable for a particular endpoint. For matching exceptions, enter the endpoints.

    They can be one or more of the following, separated by commas:
    • IPv4 address: for example 192.168.1.100.
    • IPv4 range: for example 192.168.1.100-105, 192.168.1.100/24, or 192.168.1.*.
    • IPv6 address: for example 2001:500:100:1187:203:baff:fe44:91a0.
    • IPv6 network prefix: for example fda8:7554:2721:a8b3::/64.

    Note

    You cannot specify the following address types:
    • IPv6 link local addresses (prefix fe80::/64)
    • IPv6 multicast addresses (prefix ff00::/8)
    • IPv4 multicast addresses (224.0.0.0 to 239.255.255.255)

    As you enter text, the UI divides it into pills (discrete editable units) when you enter a space or a comma. According to the text entered, the pill is formatted to represent one of the previous types or presented as invalid.

     Invalid pills are labeled with a question mark. You can also paste a list of IP addresses or ranges into this field. If a pill is invalid, a message stating the number of invalid pills is displayed above the range field. Clicking the link applies a filter that shows only invalid pills, which you can then edit or delete. You can remove the filter by clicking clear in the Showing n of n label below the Range field. There is no paste option on the context-sensitive (right-click) menu.

    Warning

    Do not paste a comma-separated list of IP address information into the Range field in Mozilla Firefox. Doing so can crash the browser. You can use a space-separated list with no problems.

    • To edit a pill, click the pill body and edit the text.
    • To delete a pill, click the X icon to the right of the pill, or click to edit and delete all of the text.
    • To view the unformatted source text, click the source toggle switch. The source view is useful for copying to a text editor or spreadsheet. Click the source toggle switch again to see the formatted pill view.

    Below the entry field is a filter box. Enter text in the filter box to show only matching pills.

    Information

    Pills are not supported in Opera.

  7. Select the Enabled box to enable the credentials.
    You can edit your credentials at any time or disable a given credential.
  8. In the Label field, specify an appropriate name for the credential.
    This label is used later for searching for credentials. Specifying a label is mandatory when adding credentials.
  9. In the Description field, specify a description for the credential.

  10. In the User – Name field, specify a username for the credential.
  11. In the User – Password field, specify a password for the credential. 

    Note

    In the Edit Login Credential page, this field is displayed as Set Password. The existing password is shown as a series of asterisks in this field and it cannot be edited. To enter a new password, select the check box. The password entry field is cleared. Now enter the new password.

  12. To save your credential details, click Apply; to exit the page without saving the changes, click Cancel.
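The matching criteria and matching exceptions from steps 5 and 6 decide which credentials are offered to which endpoint, so it is worth checking a list before pasting it. The following is an added example, not BMC code: it classifies pasted pills and reports which credentials apply to an address. The function names, the dictionary layout, and the reading of the range forms (last-octet range, CIDR with host bits allowed, trailing `*` as a /24) are assumptions.

```python
import ipaddress
import re

# Address blocks the page says cannot be specified.
FORBIDDEN = [
    ipaddress.ip_network("fe80::/64"),    # IPv6 link local
    ipaddress.ip_network("ff00::/8"),     # IPv6 multicast
    ipaddress.ip_network("224.0.0.0/4"),  # IPv4 multicast, 224.0.0.0 to 239.255.255.255
]


def split_pills(text):
    """Split pasted text on spaces or commas, the separators the page names."""
    return [p for p in re.split(r"[,\s]+", text.strip()) if p]


def parse_endpoint(pill):
    """Return (kind, first_address, last_address) or raise ValueError."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+)\.(\d+)-(\d+)", pill)
    if m:  # last-octet range such as 192.168.1.100-105 (assumed reading)
        first = ipaddress.IPv4Address(f"{m.group(1)}.{m.group(2)}")
        last = ipaddress.IPv4Address(f"{m.group(1)}.{m.group(3)}")
        if last < first:
            raise ValueError(f"range end before start: {pill}")
        kind = "IPv4 range"
    elif re.fullmatch(r"\d+\.\d+\.\d+\.\*", pill):  # 192.168.1.* read as a /24
        net = ipaddress.ip_network(pill[:-1] + "0/24")
        kind, first, last = "IPv4 range", net[0], net[-1]
    elif "/" in pill:  # CIDR or IPv6 prefix; host bits such as .100/24 allowed
        net = ipaddress.ip_network(pill, strict=False)
        kind = "IPv4 range" if net.version == 4 else "IPv6 network prefix"
        first, last = net[0], net[-1]
    else:
        first = last = ipaddress.ip_address(pill)
        kind = f"IPv{first.version} address"
    for blocked in FORBIDDEN:
        if blocked.version == first.version and (
            first <= blocked[-1] and last >= blocked[0]
        ):
            raise ValueError(f"{pill} overlaps disallowed block {blocked}")
    return kind, first, last


def audit_paste(text):
    """Classify every pill; unparsable or disallowed ones come back 'invalid'."""
    report = []
    for pill in split_pills(text):
        try:
            report.append((pill, parse_endpoint(pill)[0]))
        except ValueError:
            report.append((pill, "invalid"))
    return report


def covers(pills, ip):
    """True if any pill in the list contains the address."""
    addr = ipaddress.ip_address(ip)
    for pill in pills:
        _, first, last = parse_endpoint(pill)
        if first.version == addr.version and first <= addr <= last:
            return True
    return False


def candidates(ip, credentials):
    """Labels of enabled credentials that apply to ip, in list order."""
    labels = []
    for cred in credentials:
        if not cred.get("enabled", True):
            continue
        match_all = cred.get("match") is None  # None models Match All
        if (match_all or covers(cred["match"], ip)) and not covers(
            cred.get("exceptions", []), ip
        ):
            labels.append(cred["label"])
    return labels


# Constructed sample credential list; labels and ranges are made up.
SAMPLE = [
    {"label": "dmz-ssh-key",
     "match": split_pills("192.168.1.100-105, fda8:7554:2721:a8b3::/64")},
    {"label": "lab-root", "match": ["192.168.1.*"],
     "exceptions": ["192.168.1.100"]},
    {"label": "catch-all", "match": None, "exceptions": ["192.168.1.100/24"]},
    {"label": "old-telnet", "match": None, "enabled": False},
]

if __name__ == "__main__":
    for ip in ("192.168.1.100", "192.168.1.200", "10.0.0.5"):
        print(ip, candidates(ip, SAMPLE))
    print(audit_paste("192.168.1.100 fe80::1, 224.0.0.5 192.168.1.999"))
```

A Match All credential with no exceptions shows up as a candidate for every address, which makes over-broad privileged credentials easy to spot in the output.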

Additional details for credential types

The following sections and tables list the information you must provide for the various credential types:

Network Device credentials

Credential type

Parameter

Description

SNMP



Retries

The number of attempts made if no response is received. The default is five.

Timeout

The time (in seconds) in which a response is expected. The default is one second.

SNMP Port

To choose an SNMP port, select the check box and choose from the ports in the list. You must already have configured an SNMP port in the Discovery Configuration window.

SNMP Version

The SNMP version to use. From the SNMP version list, select one of the following: 1, 2c, or 3. The default is Version 2c. If you are setting up credentials for discovering Netware, you must select Version 1 from the SNMP version list.

Use GETBULK

Use GETBULK requests instead of GETNEXT requests. GETBULK improves Discovery performance; however, some devices do not support it correctly, which very occasionally may lead to scanning issues. If you experience scanning issues, uncheck this option to revert to GETNEXT.
GETBULK is supported only by SNMP v2c and v3.

SNMP v1/v2c

Community: Name

Community used for SNMP read access to the defined host or hosts; for SNMP V1 and V2c credentials only.

SNMP v3

Security Level



For SNMP V3 credentials only. Shows the security level selected using the authentication and privacy protocols:

  • noAuthNoPriv—No authentication and no privacy.
  • authNoPriv—Authentication, no privacy.
  • authPriv—Authentication and privacy.

No setting exists for privacy without authentication.

Authentication Protocol

Protocol used to encrypt the authentication with the client; for SNMP V3 credentials only. Select one of the following options from the drop-down list:

  • None—No encryption used. Operates in the same way as v1 and v2.
  • MD5—The authentication passphrase you enter is MD5 hashed. 
  • SHA-1—The authentication passphrase you enter is SHA-1 hashed.
  • SHA-224—The authentication passphrase you enter is SHA-224 hashed.
  • SHA-256—The authentication passphrase you enter is SHA-256 hashed.
  • SHA-384—The authentication passphrase you enter is SHA-384 hashed.
  • SHA-512—The authentication passphrase you enter is SHA-512 hashed.

The hashed passphrase is used to access the target system.

SHA-2 authentication protocols

 The SHA-2 authentication protocols (SHA-224, SHA-256, SHA-384, and SHA-512) are specified in the proposed standard RFC 7860.

Security Name

For SNMP V3 credentials only.

Security—Authentication Key

The key (passphrase) that will be used to encrypt the credentials; for SNMP V3 credentials only, and only if you have chosen an authentication protocol. Must be at least 8 characters.

Privacy Protocol

The protocol used to encrypt data retrieved from the target. Encrypting the data retrieved from a discovery target causes performance degradation over no encryption. This is for SNMP V3 credentials only, and only if you have chosen an authentication protocol. That is, you cannot have privacy without authentication. Select one of the following options from the drop-down list:

  • None—No data encryption is used. Operates in the same way as v1 and v2.
  • DES—Uses a privacy key to encrypt data using the DES algorithm.
  • AES 128—Uses a privacy key to encrypt data using the AES algorithm.
  • AES 192 (draft std)—Uses a privacy key to encrypt data according to the AES draft privacy protocol.
  • AES 256 (draft std)—Uses a privacy key to encrypt data according to the AES draft privacy protocol.

    AES 192 (draft std) and AES 256 (draft std)

    The AES 192 (draft std) and AES 256 (draft std) privacy protocols are drafts and may not be supported by all manufacturers. If you choose to use one of these, you must be sure that the vendor of the device type that you intend to discover has implemented AES192 or AES256 support according to this draft standard. A message is displayed in the UI if you choose one of these privacy protocols.

  • AES 128 with 3DES key extension—Uses a privacy key to encrypt data according to the AES draft privacy protocol with extensions.

  • AES 192 with 3DES key extension—Uses a privacy key to encrypt data according to the AES draft privacy protocol with extensions.
  • AES 256 with 3DES key extension—Uses a privacy key to encrypt data according to the AES draft privacy protocol with extensions.

    The AES 128/192/256 with 3DES key extension

    The AES 128/192/256 with 3DES key extension (draft std) privacy protocols are drafts and may not be supported by all manufacturers. Examples of manufacturers who have used this draft standard in their equipment are Cisco Systems and Extreme Networks. If you choose to use one of these, you must be sure that the vendor of the device type that you intend to discover has implemented AES192 or AES256 support according to this draft standard. A message is displayed in the UI if you choose one of these privacy protocols.

Private key—Value

The key (passphrase) that will be used to encrypt the data; for SNMP V3 credentials only, and only if you have chosen a privacy protocol. Must be at least 8 characters.

Context

The SNMP v3 context. This field is optional and only required for some devices.

AVI Vantage Web API

Timeout

The time (in seconds) in which a response is expected. The default is 180 seconds.

Access Protocol

Select Allow HTTP to enable REST API requests to be made over HTTP.

Warning: HTTP is not a secure protocol as communication is not encrypted. This is a security risk that allows access credentials to be stolen.

Cisco APIC REST API

AAA Domain

The AAA Domain to which the user belongs. Empty by default.

Timeout

The time (in seconds) in which a response is expected. The default is 180 seconds.

Access Protocol

Select Allow HTTP to enable REST API requests to be made over HTTP.

Warning: HTTP is not a secure protocol as communication is not encrypted. This is a security risk that allows access credentials to be stolen.

Citrix NetScaler NITRO REST API

Timeout

The time (in seconds) in which a response is expected. The default is 180 seconds.

Access Protocol

Select Allow HTTP to enable REST API requests to be made over HTTP.

Warning: HTTP is not a secure protocol as communication is not encrypted. This is a security risk that allows access credentials to be stolen.
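What "the hashed passphrase is used to access the target system" amounts to for the SNMP v3 Authentication Protocol and Authentication Key parameters above can be seen in the standard RFC 3414 password-to-key algorithm, which RFC 7860 reuses with the SHA-2 hashes. This is an added example, not BMC code: the function names are hypothetical, and it is an assumption that the product follows the RFC derivation. The sample passphrase and engine ID are the published RFC 3414 test values.

```python
import hashlib

# hashlib names for the Authentication Protocol options listed on this page.
AUTH_HASHES = {
    "MD5": "md5", "SHA-1": "sha1", "SHA-224": "sha224",
    "SHA-256": "sha256", "SHA-384": "sha384", "SHA-512": "sha512",
}

# Sample values from RFC 3414 appendix A.3 (not taken from this page).
RFC_PASSPHRASE = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def security_level(auth_protocol, privacy_protocol):
    """Map the two protocol choices to the Security Level shown in the UI."""
    if auth_protocol == "None":
        if privacy_protocol != "None":
            # The page: no setting exists for privacy without authentication.
            raise ValueError("privacy requires an authentication protocol")
        return "noAuthNoPriv"
    return "authNoPriv" if privacy_protocol == "None" else "authPriv"


def password_to_key(passphrase, protocol):
    """RFC 3414 A.2: hash the passphrase repeated out to 1,048,576 octets."""
    if len(passphrase) < 8:
        raise ValueError("passphrase must be at least 8 characters")
    digest = hashlib.new(AUTH_HASHES[protocol])
    reps, rest = divmod(1048576, len(passphrase))
    digest.update(passphrase * reps + passphrase[:rest])
    return digest.digest()


def localize_key(user_key, engine_id, protocol):
    """RFC 3414 2.6: bind the key to one SNMP engine, H(Ku || engineID || Ku)."""
    return hashlib.new(
        AUTH_HASHES[protocol], user_key + engine_id + user_key
    ).digest()


def auth_key_for(passphrase, engine_id, protocol):
    """Key a given device would hold for this passphrase."""
    return localize_key(password_to_key(passphrase, protocol), engine_id, protocol)


if __name__ == "__main__":
    for proto in ("MD5", "SHA-1", "SHA-256"):
        key = auth_key_for(RFC_PASSPHRASE, RFC_ENGINE_ID, proto)
        print(f"{proto:8} {len(key) * 8:4} bit  {key.hex()}")
    print(security_level("SHA-256", "AES 128"))
```

Because the key is localized with the engine ID, one passphrase yields a different key on every device, so a key recovered from one device is not directly usable on another.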

Database credentials

Each credential type has the following parameters.

Credential type

Parameter

Description

One of:

  • IBM Db2
  • Ingres
  • Microsoft SQL Server
  • MySQL
  • Oracle
  • PostgreSQL
  • Sybase

Driver

Select a driver from the list of configured drivers. To add a new driver, or update an existing driver, see Managing database drivers.

Timeout

The time (in seconds) in which a response is expected. The default is 60 seconds.

Credential Group

Encrypt Password

(This option is available only for Sybase) Select if you want to encrypt the password.

Host credentials

Credential type

Parameter

Description

SSH

SSH Port

If the host for which this credential is created is configured to listen for SSH connections on a nonstandard port, pick a port from the drop-down list. You can specify only those SSH ports here that are defined in Discovery Configuration on the Administration page. For more information, see TCP and UDP ports to use for initial scan.

Timeout (in seconds)

Enter a timeout period (in seconds) for a session. This timeout includes the credential handshaking (see also the Session Login Timeout). This timeout is used to control sessions. The default is 180 seconds. In general, timeout is not used to limit the time to scan devices. More than one session can be used to scan one device. For this reason, a scan can take more time than the specified timeout. A typical consequence of this timeout (for example, when the execution of the platform script for getInterfaceList takes longer than this timeout) is that the scan will fail with a script failure (error message Connection timed out).

SSH Key—Private Key File

Specify an existing SSH key that you already have deployed in your organization. Click Browse to locate the private key and click Open to select it. For more detailed information about setting up a private key, see Using SSH keys.

SSH Key—Passphrase

Specify the passphrase for the UNIX host here. When you click Apply on the Add Credentials page to save the credential, the key and passphrase are validated. We recommend that when you upload the private key to the BMC Discovery machine, you protect the vault with a passphrase.

SSH Authentication

To use an SSH key or password, select Key or Password. If you have not configured an SSH key, Key is disabled.

Telnet

Telnet port

If the host for which this credential is created is configured to listen for Telnet connections on a nonstandard port, pick a port from the list. You can specify only those SSH ports here that are defined in the Discovery Configuration window on the Administration tab. For more information, see TCP and UDP ports to use for initial scan.

Timeout (in seconds)

Enter a timeout period (in seconds) for a session. This timeout includes the credential handshaking (see also the Session Login Timeout). This timeout is used to control sessions. The default is 180 seconds. In general, timeout is not used to limit the time to scan devices. More than one session can be used to scan one device. For this reason, a scan can take more time than the specified timeout. A typical consequence of this timeout (for example, when the execution of the platform script for getInterfaceList takes longer than this timeout) is that the scan will fail with a script failure (error message Connection timed out).

UNIX Settings

Switch User?

To use the su command to change to the root or any other user, select Switch User.

In the following two fields, enter the user to change to, and the corresponding password. The password text is not echoed to the screen.

SU User – Name

Username used to log in to hosts identified by the key.

SU User – Password

Enter the password into the password entry field; the password text is not echoed to the screen.

Note

On the Edit Login Credential page, this field is displayed as Set Password. The existing password is shown as a series of asterisks in this field, and it cannot be edited. To enter a new password, select the check box. The password entry field is cleared. Now enter the new password.

Prompt

Regular expression to define valid prompt characters expected.

Force Subshell

To force the session to open a Bourne (/bin/sh) subshell if the default login shell is a C shell (/bin/csh or /bin/tcsh), select Yes. This selection enables you to cater to machines using nonstandard shells.

Use password for privilege escalation

Select the check box to permit the password to be sent when a command requests a privilege escalation, for example sudo.

Active Directory

Not applicable

A Windows Active Directory credential. Cannot be specified with a local Windows user credential.

No additional Active Directory parameters are required.

Windows

Not applicable

A local Windows user credential. Cannot be specified with an Active Directory credential.

No additional Windows parameters are required.

vCenter

Timeout

The time (in milliseconds) in which a response is expected. The default is 60 seconds.

HTTPS Port

To choose a custom HTTPS port, choose from the ports in the list. You must already have configured a custom HTTPS port in Administration > Discovery Configuration.

vSphere

Timeout

Enter a timeout period (in seconds) for a session. This timeout includes the credential handshaking (see also the Session Login Timeout). This timeout is used to control sessions. The default is 180 seconds. In general, timeout is not used to limit the time to scan devices. More than one session can be used to scan one device. For this reason, a scan can take more time than the specified timeout. A typical consequence of this timeout (for example, when the execution of the platform script for getInterfaceList takes longer than this timeout) is that the scan will fail with a script failure (error message Connection timed out).

HTTPS Port

To choose a custom HTTPS port, choose from the ports in the list. You must already have configured a custom HTTPS port in Administration > Discovery Configuration.

vSphere Web API

Timeout

The time (in seconds) in which a response is expected. The default is 180 seconds.

Mainframe z/OS Agent

Mainframe z/OS Agent Port

Port to use to connect to the Mainframe z/OS Agent; the default is 3940. To use a different port, select a port number from the list. The list is populated with port numbers specified at Administration > Discovery Configuration.

Timeout

Enter a timeout period (in seconds) for a session. This timeout includes the credential handshaking (see also the Session Login Timeout) and is used to control sessions. The default is 180 seconds. In general, timeout is not used to limit the time to scan devices. More than one session can be used to scan one device. For this reason, a scan can take more time than the specified timeout. A typical consequence of this timeout (for example, when the execution of the platform script for getInterfaceList takes longer than this timeout) is that the scan will fail with a script failure (error message Connection timed out).

Cloud credentials

Credential type

Parameter

Description

Amazon Web Services










Access Key ID

The access key ID, which is the equivalent of a username.
The AWS IAM console enables you to download the Access Key ID and Access Secret Key as a CSV file. You can import the CSV files downloaded from the IAM console, reducing the scope for cut-and-paste errors when creating AWS credentials in BMC Discovery.

To upload a CSV file containing the Key ID and Secret, click Upload CSV, select the file, and click Open.

Access Key Password

The access secret key or password.

Information: If the BMC Helix Discovery Outpost is running in an EC2 instance and that instance is associated with an instance profile, you can use that profile rather than an Access Key ID and Access Secret Key. If you leave those fields blank, AWS discovery uses the EC2 instance profile to perform the discovery. In the credential list, the AWS credential is labelled "AWS Access Key ID: From EC2 Instance Profile".


Timeout

The connection timeout and the read timeout (in seconds). The default is 60 seconds.

The value specified here is a value for two separate timeouts. Consequently, the time before receiving data back on an initial connection could be up to almost twice the timeout value, that is, when both the connection time and the time to read the content are almost the maximum.

Assume Roles (ARNs)

(Optional) Use the Amazon Resource Name (ARN) only if you want to apply role-based authentication for a user, application, or service. You must have defined the role earlier in AWS Identity and Access Management (IAM). For information on defining roles, see Creating IAM roles.

Example for a single role: arn:aws:iam::123456789012:role/Discovery

To enable role-switching (multiple roles), enter the roles as a newline-separated list. For more information on AWS roles and role-switching, see Discovering Amazon Web Services.

Note: If you do not specify the ARN, you will discover AWS resources associated with the Access Key ID credentials.

Proxy

If you need to connect to AWS through an HTTPS proxy, enter the details here. This is an authenticating HTTPS proxy rather than a BMC Discovery Windows proxy.

  • Hostname–the name of the proxy host.
  • Port–the port on which to connect to the proxy. The default is 3128.

Proxy Credentials

If you need to connect to AWS through an HTTPS proxy, enter the details here. This is an authenticating HTTPS proxy rather than a BMC Discovery Windows proxy.

  • User–username for the proxy.
  • Password–corresponding password.

Google Cloud Platform

Service Account

The key used to access the Google Cloud Platform services. Download the key from the Google Cloud Console as a JSON formatted file. Upload the JSON file to BMC Discovery. Select Choose File, select the JSON file in the file browser and click Open.

Timeout

The connection timeout and the read timeout (in seconds). The default is 60 seconds.

The value specified here is a value for two separate timeouts. Consequently, the time before receiving data back on an initial connection could be up to almost twice the timeout value, that is, when both the connection time and the time to read the content are almost the maximum.

Proxy

If you need to connect to Google Cloud through an HTTPS proxy, enter the details here. This is an authenticating HTTPS proxy rather than a BMC Discovery Windows proxy.

  • Hostname–the name of the proxy host.
  • Port–the port on which to connect to the proxy. The default is 3128.

Proxy Credential

If you need to connect to Google Cloud through an HTTPS proxy, enter the details here. This is an authenticating HTTPS proxy rather than a BMC Discovery Windows proxy.

  • User–username for the proxy.
  • Password–corresponding password.

Microsoft Azure

Directory ID

The Directory ID, also known as the Tenant ID. The Directory ID is a GUID. The Directory ID can be found in the Azure Active Directory properties in the Azure Portal.

Application ID

The Application ID key. The Application ID is a GUID.

Application Key

The application password.

Timeout

The connection timeout and the read timeout (in seconds). The default is 60 seconds.

The value specified here is a value for two separate timeouts. Consequently, the time before receiving data back on an initial connection could be up to almost twice the timeout value, that is, when both the connection time and the time to read the content are almost the maximum.

Proxy

If you need to connect to Microsoft Azure through an HTTPS proxy, enter the details here. This is an authenticating HTTPS proxy rather than a BMC Discovery Windows proxy.

  • Hostname–the name of the proxy host.
  • Port–the port on which to connect to the proxy. The default is 3128.

Proxy Credentials

If you need to connect to Microsoft Azure through an HTTPS proxy, enter the details here. This is an authenticating HTTPS proxy rather than a BMC Discovery Windows proxy.

  • User–username for the proxy.
  • Password–corresponding password.

OpenStack

User Domain

The overall container for your OpenStack projects, users, and groups. See the OpenStack documentation for more information on user domains.

Timeout

The connection timeout and the read timeout (in seconds). The default is 60 seconds.

The value specified here is a value for two separate timeouts. Consequently, the time before receiving data back on an initial connection could be up to almost twice the timeout value, that is, when both the connection time and the time to read the content are almost the maximum.

Proxy

If you need to connect to OpenStack through an HTTPS proxy, enter the details here. This is an authenticating HTTPS proxy rather than a BMC Discovery Windows proxy.

  • Hostname–the name of the proxy host.
  • Port–the port on which to connect to the proxy. The default is 3128.

Proxy Credentials

If you need to connect to OpenStack through an HTTPS proxy, enter the details here. This is an authenticating HTTPS proxy rather than a BMC Discovery Windows proxy.

  • User–username for the proxy.
  • Password–corresponding password.

Storage Device credentials

Credential type

Parameter

Description

SNMP



Retries

The number of attempts made if no response is received. The default is five.

Timeout

The time (in seconds) in which a response is expected. The default is one second.

SNMP Port

To choose an SNMP port, select the check box and choose from the ports in the list. You must already have configured an SNMP port in the Discovery Configuration window.

SNMP Version

The SNMP version to use. From the SNMP version list, select one of the following: 1, 2c, or 3. The default is Version 2c. If you are setting up credentials for discovering Netware, you must select Version 1 from the SNMP version list.

Use GETBULK

Use GETBULK requests instead of GETNEXT requests. GETBULK improves Discovery performance; however, some devices do not support it correctly, which very occasionally may lead to scanning issues. If you experience scanning issues, uncheck this option to revert to GETNEXT.
GETBULK is supported only by SNMP v2c and v3.

SNMP v1/v2c

Community Name

Community used for SNMP read access to the defined host or hosts; for SNMP V1 and V2c credentials only.

SNMP v3

Security Level

For SNMP V3 credentials only. Shows the security level selected using the authentication and privacy protocols:

  • noAuthNoPriv—No authentication and no privacy.
  • authNoPriv—Authentication, no privacy.
  • authPriv—Authentication and privacy.

No setting exists for privacy without authentication.

Authentication Protocol

Protocol used to encrypt the authentication with the client; for SNMP V3 credentials only. Select one of the following options from the drop-down list:

  • None—No encryption used. Operates in the same way as v1 and v2.
  • MD5—The authentication passphrase you enter is MD5 hashed. 
  • SHA-1—The authentication passphrase you enter is SHA-1 hashed.
  • SHA-224—The authentication passphrase you enter is SHA-224 hashed.
  • SHA-256—The authentication passphrase you enter is SHA-256 hashed.
  • SHA-384—The authentication passphrase you enter is SHA-384 hashed.
  • SHA-512—The authentication passphrase you enter is SHA-512 hashed.

The hashed passphrase is used to access the target system.

SHA-2 authentication protocols

 The SHA-2 authentication protocols (SHA-224, SHA-256, SHA-384, and SHA-512) are specified in the proposed standard RFC 7860.

Security Name

For SNMP V3 credentials only.

Security-Authentication Key

The key (passphrase) that will be used to encrypt the credentials; for SNMP V3 credentials only, and only if you have chosen an authentication protocol. Must be at least 8 characters.

Privacy Protocol

The protocol used to encrypt data retrieved from the target. Encrypting the data retrieved from a discovery target causes performance degradation over no encryption. This is for SNMP V3 credentials only, and only if you have chosen an authentication protocol. That is, you cannot have privacy without authentication. Select one of the following options from the drop-down list:

  • None—No data encryption is used. Operates in the same way as v1 and v2.
  • DES—Uses a privacy key to encrypt data using the DES algorithm.
  • AES 128—Uses a privacy key to encrypt data using the AES algorithm.
  • AES 192 (draft std)—Uses a privacy key to encrypt data according to the AES draft privacy protocol.
  • AES 256 (draft std)—Uses a privacy key to encrypt data according to the AES draft privacy protocol.

    AES 192 (draft std) and AES 256 (draft std)

    The AES 192 (draft std) and AES 256 (draft std) privacy protocols are drafts and may not be supported by all manufacturers. If you choose to use one of these, you must be sure that the vendor of the device type that you intend to discover has implemented AES192 or AES256 support according to this draft standard. A message is displayed in the UI if you choose one of these privacy protocols.

  • AES 128 with 3DES key extension—Uses a privacy key to encrypt data according to the AES draft privacy protocol with extensions.

  • AES 192 with 3DES key extension—Uses a privacy key to encrypt data according to the AES draft privacy protocol with extensions.
  • AES 256 with 3DES key extension—Uses a privacy key to encrypt data according to the AES draft privacy protocol with extensions.

    The AES 128/192/256 with 3DES key extension

    The AES 128/192/256 with 3DES key extension (draft std) privacy protocols are drafts and may not be supported by all manufacturers. Examples of manufacturers who have used this draft standard in their equipment are Cisco Systems and Extreme Networks. If you choose to use one of these, you must be sure that the vendor of the device type that you intend to discover has implemented AES192 or AES256 support according to this draft standard. A message is displayed in the UI if you choose one of these privacy protocols.

Private key

The key (passphrase) that will be used to encrypt the data; for SNMP V3 credentials only, and only if you have chosen a privacy protocol. Must be at least 8 characters.

Context

The SNMP v3 context. This field is optional and only required for some devices.

WBEM

Timeout

The time (in seconds) in which a response is expected. The default is 180 seconds. WBEM queries may take some time, so you might need to increase this timeout.

Access Protocol

The protocol to use to communicate with the WBEM server. Select HTTP, HTTPS, or both.

WBEM HTTPS Port

To choose a custom HTTPS port, choose from the ports in the list. You must already have configured a custom WBEM HTTPS port in Administration > Discovery Configuration.

WBEM HTTP Port

To choose a custom HTTP port, choose from the ports in the list. You must already have configured a custom WBEM HTTP port in Administration > Discovery Configuration.

EMC VPLEX REST API

Timeout

The time (in seconds) in which a response is expected. The default is 180 seconds.

HTTPS Port

To choose an HTTPS port, choose from the ports in the list. You must already have configured an HTTPS port in Administration > Discovery Configuration.

EMC ECS Web API

Timeout

The time (in seconds) in which a response is expected. The default is 180 seconds.

Access Protocol

Select Allow HTTP to enable REST API requests to be made over HTTP.

Warning: HTTP is not a secure protocol as communication is not encrypted. This is a security risk that allows access credentials to be stolen.

HDI REST API

Timeout

The time (in seconds) in which a response is expected. The default is 180 seconds.

Nimble Storage Web API

Login path

Enter the URL on the target where the login token can be obtained.

Timeout

The time (in seconds) in which a response is expected. The default is 180 seconds.

Access Protocol

Select Allow HTTP to enable REST API requests to be made over HTTP.

Warning: HTTP is not a secure protocol as communication is not encrypted. This is a security risk that allows access credentials to be stolen.

Management Controller credentials

Credential type

Parameter

Description

SNMP

Retries

The number of attempts made if no response is received. The default is five.

Timeout

The time (in seconds) in which a response is expected. The default is one second.

SNMP Port

To choose an SNMP port, select the check box and choose from the ports in the list. You must already have configured an SNMP port in the Discovery Configuration window.

SNMP Version

The SNMP version to use. From the SNMP version list, select one of the following: 1, 2c, or 3. The default is Version 2c. If you are setting up credentials for discovering Netware, you must select Version 1 from the SNMP version list.

Use GETBULK

Use GETBULK requests instead of GETNEXT requests. GETBULK improves Discovery performance; however, some devices do not support it correctly, which very occasionally may lead to scanning issues. If you experience scanning issues, uncheck this option to revert to GETNEXT. GETBULK is supported only by SNMP v2c and v3.

SNMP v1/v2c

Community: Name

Community used for SNMP read access to the defined host or hosts; for SNMP V1 and V2c credentials only.

SNMP v3

Security Level

For SNMP V3 credentials only. Shows the security level selected using the authentication and privacy protocols:

  • noAuthNoPriv—No authentication and no privacy.
  • authNoPriv—Authentication, no privacy.
  • authPriv—Authentication and privacy.

No setting exists for privacy without authentication.

Authentication Protocol

Protocol used to encrypt the authentication with the client; for SNMP V3 credentials only. Select one of the following options from the drop-down list:

  • None—No encryption used. Operates in the same way as v1 and v2.
  • MD5—The authentication passphrase you enter is MD5 hashed. 
  • SHA-1—The authentication passphrase you enter is SHA-1 hashed.
  • SHA-224—The authentication passphrase you enter is SHA-224 hashed.
  • SHA-256—The authentication passphrase you enter is SHA-256 hashed.
  • SHA-384—The authentication passphrase you enter is SHA-384 hashed.
  • SHA-512—The authentication passphrase you enter is SHA-512 hashed.

The hashed passphrase is used to access the target system.

SHA-2 authentication protocols

 The SHA-2 authentication protocols (SHA-224, SHA-256, SHA-384, and SHA-512) are specified in the proposed standard RFC 7860.

Security Name

For SNMP V3 credentials only.

Security-Authentication Key

The key (passphrase) that will be used to encrypt the credentials; for SNMP V3 credentials only, and only if you have chosen an authentication protocol. Must be at least 8 characters.

Privacy Protocol

The protocol used to encrypt data retrieved from the target. Encrypting the data retrieved from a discovery target causes performance degradation over no encryption. This is for SNMP V3 credentials only, and only if you have chosen an authentication protocol. That is, you cannot have privacy without authentication. Select one of the following options from the drop-down list:

  • None—No data encryption is used. Operates in the same way as v1 and v2.
  • DES—Uses a privacy key to encrypt data using the DES algorithm.
  • AES 128—Uses a privacy key to encrypt data using the AES algorithm.
  • AES 192 (draft std)—Uses a privacy key to encrypt data according to the AES draft privacy protocol.
  • AES 256 (draft std)—Uses a privacy key to encrypt data according to the AES draft privacy protocol.

    AES 192 (draft std) and AES 256 (draft std)

    The AES 192 (draft std) and AES 256 (draft std) privacy protocols follow a draft standard and may not be supported by all manufacturers. If you choose one of them, make sure that the vendor of the device type that you intend to discover has implemented AES192 or AES256 support according to this draft standard. A message is displayed in the UI if you choose one of these privacy protocols.

  • AES 128 with 3DES key extension—Uses a privacy key to encrypt data according to the AES draft privacy protocol with extensions.

  • AES 192 with 3DES key extension—Uses a privacy key to encrypt data according to the AES draft privacy protocol with extensions.
  • AES 256 with 3DES key extension—Uses a privacy key to encrypt data according to the AES draft privacy protocol with extensions.

    AES 128/192/256 with 3DES key extension

    The AES 128/192/256 with 3DES key extension privacy protocols follow a draft standard with extensions and may not be supported by all manufacturers. Examples of manufacturers who have used this draft standard in their equipment are Cisco Systems and Extreme Networks. If you choose one of them, make sure that the vendor of the device type that you intend to discover has implemented AES192 or AES256 support according to this draft standard. A message is displayed in the UI if you choose one of these privacy protocols.

Private key

The key (passphrase) that will be used to encrypt the data; for SNMP V3 credentials only, and only if you have chosen a privacy protocol. Must be at least 8 characters.

Context

The SNMP v3 context. This field is optional and only required for some devices.

Cisco IMC Web API

Timeout

The time (in seconds) in which a response is expected. The default is 180 seconds.

HTTPS Port

To specify an HTTPS port for the Web API, choose from the ports in the list. You must already have configured an HTTPS port in Administration > Discovery Configuration.

HP iLO Web API

Timeout

The time (in seconds) in which a response is expected. The default is 180 seconds.

HTTPS Port

To choose a custom HTTPS port, choose from the ports in the list. You must already have configured a custom HTTPS port in Administration > Discovery Configuration.
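
The SNMP v3 settings above depend on each other: the authentication and privacy protocol choices determine the security level, and a passphrase is turned into a key by hashing rather than used as typed. The following is an added example, not BMC code: it derives the security level and applies the standard RFC 3414 password-to-key algorithm with the hash of the chosen authentication protocol. The function names, the sample passphrase, and the engine ID are assumptions for illustration.

```python
import hashlib

# hashlib names for the authentication protocols listed above
# (MD5 and SHA-1 per RFC 3414, the SHA-2 family per RFC 7860).
AUTH_HASHES = {"MD5": "md5", "SHA-1": "sha1", "SHA-224": "sha224",
               "SHA-256": "sha256", "SHA-384": "sha384", "SHA-512": "sha512"}


def security_level(auth_protocol, privacy_protocol):
    """Map the two drop-down choices to the SNMPv3 security level."""
    auth = auth_protocol != "None"
    priv = privacy_protocol != "None"
    if priv and not auth:
        raise ValueError("no setting exists for privacy without authentication")
    return "authPriv" if priv else "authNoPriv" if auth else "noAuthNoPriv"


def localized_key(auth_protocol, passphrase, engine_id):
    """RFC 3414 A.2 password-to-key, then localization to one SNMP engine."""
    if len(passphrase) < 8:
        raise ValueError("passphrase must be at least 8 characters")
    algo = AUTH_HASHES[auth_protocol]
    pw = passphrase.encode()
    # Ku: hash of the passphrase repeated to exactly 1,048,576 bytes.
    reps, rem = divmod(1048576, len(pw))
    ku = hashlib.new(algo, pw * reps + pw[:rem]).digest()
    # Kul: bind the key to the target's engine ID, so a key recovered from
    # one device is not valid on another device that shares the passphrase.
    return hashlib.new(algo, ku + engine_id + ku).digest()


# Constructed sample input: the passphrase and engine ID used by the
# RFC 3414 appendix A.3 test vectors, not values from any real device.
SAMPLE_PASSPHRASE = "maplesyrup"
SAMPLE_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    print(security_level("SHA-256", "AES 128"))
    for proto in AUTH_HASHES:
        key = localized_key(proto, SAMPLE_PASSPHRASE, SAMPLE_ENGINE_ID)
        print(f"{proto:8} {key.hex()}")
```

The key length follows the hash, so the choice of authentication protocol also sets how much key material protects the credential.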

Custom credential

The Custom Credential group provides an option of adding a blank credential. If you have a specific requirement of adding a set of credentials that are listed under different groups in the UI then you do not need to add several separate credentials. You can configure a blank or custom credential by adding multiple credential types to it. For example, you may want to configure SSH, which is listed under the Host category and WBEM, which is listed under the Storage Device category.

Click Blank Credential and follow the steps listed earlier in To add login credentials and enter field information relevant to the credential type that you add.


Web API credentials

Credential type

Parameter

Description

REST API with basic authentication

Timeout

The time (in seconds) in which a response is expected. The default is 180 seconds.

Access Protocol

Select Allow HTTP to enable REST API requests to be made over HTTP.

Warning: HTTP is not a secure protocol as communication is not encrypted. This is a security risk that allows access credentials to be stolen.

REST API with digest authentication

Timeout

The time (in seconds) in which a response is expected. The default is 180 seconds.

Access Protocol

Select Allow HTTP to enable REST API requests to be made over HTTP.

Warning: HTTP is not a secure protocol as communication is not encrypted. This is a security risk that allows access credentials to be stolen.

REST API with OAuth2 authentication

Client details (optional)

You can specify an optional Client ID and secret to access REST APIs with OAuth2 authentication.

  • Client ID–A client ID (if required) to access the API.
  • Client secret–The corresponding client secret. To enter a new secret, select the check box. The entry field is cleared and you can enter the new secret.

Token endpoint

Enter the URL on the target where the token endpoint can be obtained.

Timeout

The time (in seconds) in which a response is expected. The default is 180 seconds.

Access Protocol

Select Allow HTTP to enable REST API requests to be made over HTTP.

Warning: HTTP is not a secure protocol as communication is not encrypted. This is a security risk that allows access credentials to be stolen.

Control-M Web API

Timeout

The time (in seconds) in which a response is expected. The default is 180 seconds.

Access Protocol

Select Allow HTTP to enable Web API requests to be made over HTTP.

Warning: HTTP is not a secure protocol as communication is not encrypted. This is a security risk that allows access credentials to be stolen.

Related topics

Configuring credentials
