To discover data in your IT environment, BMC Helix Discovery requires access to host systems and other network and management devices. BMC Discovery stores credentials and other login details, including IDs and passwords, and SNMP credentials in a secure credential vault on the BMC Discovery Outpost. The vault stores only an encrypted key. This key is then used to access data on various devices in your environment.
Credentials are held in the secure credential vault in the BMC Helix Discovery Outpost. As you use BMC Helix Discovery, your credentials never leave your premises. You configure and manage your credentials through the BMC Helix Discovery Outpost UI. In the BMC Helix Discovery service UI, the Manage > Credentials page also displays information on credentials. These credentials are called shadow credentials. Shadow credentials do not contain the actual credentials. They display only the UI labels of the credentials.
Shadow credentials enable the service to display information on the available credentials, the Outpost the credential is stored on, and usage, such as the credential used to discover a target, without ever taking the actual credentials outside your premises.
When you click a shadow credential, and you have permission to configure credentials, you are redirected to the UI of the Outpost that holds the corresponding real credential. You are logged into the Outpost as the user with which you were logged into the BMC Helix Discovery service UI. The credentials on the Outpost are held in the secure vault which is protected by a key. This key, in turn, is protected by a generated key that is stored on the service.
When you start a Discovery run, the service requests that the Outpost scans each of the endpoints in the run, and the Outpost selects the appropriate credential. The credential is accessed from the vault, by the Outpost, by using the generated key from the service.
The following topics are covered in this section: