To discover data in your IT environment, BMC Helix Discovery requires access to host systems and other network and management devices.
The credentials used to log in to discovery targets and synchronize to the CMDB are stored in a vault on the Outpost; the credentials never leave your premises. The vault containing the credentials is encrypted with a generated passphrase when the Outpost registers with a BMC Helix Discovery service. The passphrase is unique to each BMC Helix Discovery service/Outpost pair. Where an Outpost is registered with more than one BMC Helix Discovery service, a unique passphrase is stored for each service. When you unregister an Outpost, the passphrase is deleted. When you remove the last Outpost registered with a service, the credentials configured for that service are also deleted, though you are warned and can choose not to unregister the Outpost.
The vault provides a secure mechanism for storing credential information. Only users with Discovery or Administration privileges have read/write access to the vault, with read access limited to non-sensitive information only (passwords can never be seen in the UI). The content of the vault is secured using 256 bit AES encryption in CBC mode.
A "Security Best Practice" could be to defer credential management to the in house security team who would manage credentials according to their own requirements. Permission could be granted for the security team to update the passwords stored in the vault, and for other users to run discovery using the stored passwords.
Credentials are held in the secure credential vault in the BMC Helix Discovery Outpost. As you use BMC Helix Discovery, your credentials never leave your premises. You configure and manage your credentials through the BMC Helix Discovery Outpost UI. In the BMC Helix Discovery service UI, the Manage > Credentials page also displays information on credentials. These credentials are called shadow credentials. Shadow credentials do not contain the actual credentials. They display only the UI labels of the credentials.
Shadow credentials enable the service to display information on the available credentials, the Outpost the credential is stored on, and usage, such as the credential used to discover a target, without ever taking the actual credentials outside your premises.
When you click a shadow credential, and you have permission to configure credentials, you are redirected to the UI of the Outpost that holds the corresponding real credential. You are logged into the Outpost as the user with which you were logged into the BMC Helix Discovery service UI. The credentials on the Outpost are held in the secure vault which is protected by a key. This key, in turn, is protected by a generated key that is stored on the service.
When you start a Discovery run, the service requests that the Outpost scans each of the endpoints in the run, and the Outpost selects the appropriate credential. The credential is accessed from the vault, by the Outpost, by using the generated key from the service.The following topics are covered in this section: