The passwords used to scan the network are stored in a vault that is encrypted with a default passphrase when the appliance is built. The vault provides a secure mechanism for storing credential information. Only users with Discovery or Administration privileges have read/write access to the vault, with read access limited to non-sensitive information only (passwords can never be seen in the UI or at the command line). The content of the vault is secured using 256-bit AES encryption in ECB mode.
For further details, see Information security.
The credential vault can be open or closed. If no passphrase is set, the vault is opened automatically when Discovery starts. If a passphrase has been set, you are prompted to enter it before Discovery can begin. While the vault is open, BMC Atrium Discovery can use the credentials stored in it to access devices.
When Discovery is stopped, the vault is automatically closed if a passphrase is set. You can close the vault while Discovery is in progress. This will prevent access to further devices during the current Discovery runs.
When the state of the credential vault is changed, that is, when a passphrase is added or changed, or the vault is opened or closed, the system creates a backup copy. When a passphrase is added, the vault itself is protected, but the backup copy is made before the passphrase is added and so is unprotected. Similarly, when a passphrase is changed, the backup copy still has the old passphrase. You should delete or protect the backup copy in line with your organization's security procedures.
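The following added example (not part of the product or its documentation) replays a sequence of vault operations and lists which backup copies are left without a passphrase or with a superseded one, following the rule above that each copy is taken before the change. The operation names and the passphrase "generation" numbers are hypothetical labels, and treating the copy made when a passphrase is cleared as a pre-change copy is an assumption by analogy with the add and change cases.

```python
from dataclasses import dataclass
from typing import Optional

# Operations the page lists as vault state changes; each one triggers a backup copy.
# The names are hypothetical labels for this example, not product identifiers.
STATE_CHANGES = {"set_passphrase", "change_passphrase", "clear_passphrase", "open", "close"}

@dataclass
class Backup:
    event_index: int               # position of the triggering operation in the sequence
    operation: str
    passphrase_gen: Optional[int]  # None = copy carries no user passphrase

def replay(events):
    """Replay vault operations; return (backup copies, live passphrase generation)."""
    current = None   # generation of the passphrase on the live vault, None = not set
    next_gen = 1
    backups = []
    for i, op in enumerate(events):
        if op not in STATE_CHANGES:
            raise ValueError(f"unknown vault operation: {op!r}")
        if op == "set_passphrase" and current is not None:
            raise ValueError("passphrase already set; use change_passphrase")
        if op in ("change_passphrase", "clear_passphrase", "close") and current is None:
            raise ValueError(f"{op} requires a passphrase to be set")
        # The copy is taken before the change, so it keeps the pre-change protection.
        backups.append(Backup(i, op, current))
        if op in ("set_passphrase", "change_passphrase"):
            current, next_gen = next_gen, next_gen + 1
        elif op == "clear_passphrase":
            current = None
    return backups, current

def needs_attention(backups, current):
    """Copies with no passphrase, or with one that no longer matches the live vault."""
    return [b for b in backups if b.passphrase_gen is None or b.passphrase_gen != current]

if __name__ == "__main__":
    # Constructed sequence of administrator actions (not taken from a real appliance).
    sample = ["set_passphrase", "open", "change_passphrase", "close"]
    copies, live = replay(sample)
    for b in needs_attention(copies, live):
        state = "no passphrase" if b.passphrase_gen is None else f"old passphrase #{b.passphrase_gen}"
        print(f"backup from event {b.event_index} ({b.operation}): {state}")
```

In the constructed sequence, the copies made by the open and close operations before the passphrase change are flagged as well, because they still carry the old passphrase.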
From the Discovery section of the Administration tab, select Vault Management.
From this page you can open or close the credential vault and specify a passphrase to secure it. You can also change the passphrase or remove it.
To set a passphrase:
To change a passphrase:
Setting or changing a passphrase does not change whether the vault is open or closed.
To clear a passphrase:
To open a closed credential vault:
Enter the passphrase and click Open the Vault.
You are requested to confirm the operation.
You can also open the credential vault from the Discovery Status page. When Discovery is not running and the vault is closed, a Passphrase entry box is displayed above START LOCAL SCANS.
To close the vault (it must be open and have the passphrase set):
Enter the passphrase and click Close the Vault.
You are requested to confirm the operation.
You can also close the vault from the Discovery Status page. When Discovery is running and a passphrase is set, stopping Discovery also closes the vault.