Configuring credentials
To discover data in your IT environment, BMC Helix Discovery requires access to host systems and other network and management devices.
The credentials used to log in to discovery targets and synchronize to the CMDB are stored in a vault on the Outpost; the credentials never leave your premises. The vault containing the credentials is encrypted with a generated passphrase when the Outpost registers with a BMC Helix Discovery service. The passphrase is unique to each BMC Helix Discovery service/Outpost pair. Where an Outpost is registered with more than one BMC Helix Discovery service, a unique passphrase is stored for each service. When you unregister an Outpost, the passphrase is deleted. When you remove the last Outpost registered with a service, the credentials configured for that service are also deleted, though you are warned and can choose not to unregister the Outpost.
The vault provides a secure mechanism for storing credential information. Only users with Discovery or Administration privileges have read/write access to the vault, with read access limited to non-sensitive information only (passwords can never be seen in the UI). The content of the vault is secured by using 256-bit AES encryption in CBC mode. A "Security Best Practice" could be to defer credential management to the in-house security team who would manage credentials according to their own requirements. Permission could be granted for the security team to update the passwords stored in the vault and for other users to run discovery using the stored passwords.BMC Helix Discovery also provides an integration with a number of credential brokers.
Shadow credentials
Credentials are held in the secure credential vault in the BMC Discovery Outpost. As you use BMC Helix Discovery, your credentials never leave your premises. You configure and manage your credentials through the BMC Discovery Outpost UI. In the BMC Helix Discovery service UI, the Manage > Credentials page also displays information on credentials. These credentials are called shadow credentials. Shadow credentials do not contain the actual credentials. They display only the UI labels of the credentials.
Shadow credentials enable the service to display information on the available credentials, the Outpost the credential is stored on, and usage, such as the credential used to discover a target, without ever taking the actual credentials outside your premises.
When you click a shadow credential, and you have permission to configure credentials, you are redirected to the UI of the Outpost that holds the corresponding real credential. You are logged into the Outpost as the user with which you were logged into the BMC Helix Discovery service UI. The credentials on the Outpost are held in the secure vault which is protected by a key. This key, in turn, is protected by a generated key that is stored on the service.
When you start a Discovery run, the service requests that the Outpost scans each of the endpoints in the run, and the Outpost selects the appropriate credential. The credential is accessed from the vault, by the Outpost, by using the generated key from the service.
For more information on editing credentials, see Editing credentials.
Managing credentials using the REST API
Note
With the introduction of data sources,credential types have been recategorized. Existing searches using the REST API might no longer provide the same results as in previous versions. You can use the REST API listing to determine the credential categories for your credentials:
GET /vault/credential_types
The following topics are covered in this section:
- Adding credentials
- Adding data sources
- Using SSH keys
- Adding Kerberos realms for discovery authentication
- Editing credentials
- Testing credentials
- Exporting and importing the credential vault
- Best practices with credentials
Comments
Log in or register to comment.