Communication between components of BMC Discovery is secured using TLS, and authenticated using certificates. The communication is:
For information about securing communication between the user's browser and the appliance web user interface, see Configuring HTTPS settings.
When one part of BMC Discovery connects to another, each end of the connection checks that the other end is approved. The certificate can be thought of as the public key half of a public-private key pair — if the endpoint's private key details match the expected public certificate details, the connection is approved. Note that although the underlying protocols are the same, the trust model in use in BMC Discovery is different to the trust model involved in HTTPS used on the public web. For more information, see Technical details.
Certificates are small text files containing an ugly jumble of letters and numbers. To enable visual comparison of certificates, they are reduced to a fingerprint, which is a somewhat shorter sequence of ugly hexadecimal digits, for example '7D:0B:13:54:4B:F1:39:87:A0:AB:4E:FA:3D:A0:A2:0C:2F:0A:A1:BA'. Certificate fingerprints are shown in various parts of BMC Discovery so that the identities of the endpoints can be confirmed.
The following topics are provided in this section:
The most secure way to deploy the components of BMC Discovery is for each component to have its own unique key and certificate. This is the default scheme for new deployments. In this scheme, each connection between components must be approved; any connections that have not been approved are denied.
In versions of BMC Discovery prior to 10.1, a single default certificate was used in all deployments. That default certificate is referred to as the legacy certificate. For added security, the recommendation was to deploy custom keys signed by a private certificate authority. Upon upgrade from an earlier version, the existing keys and certificates are retained, so that existing communication links are not broken. To increase security of existing deployments, we recommend that once all parts of the deployment have been upgraded to version 10.1 or later, unique keys and certificates are generated for each component.
When connecting components of BMC Discovery, the components' certificates must be exchanged. The actual certificate exchange is performed automatically, but the connection must be confirmed via the user interfaces on both ends of the connection.
Once a connection has been established, if either end changes its key and certificate details, the communication link will fail, and must be re-approved.
Upon upgrade from a release prior to 10.1 the existing keys and certificates are retained, so that existing communication links continue to function. To increase the overall security of the system we recommend that once all parts of the system have been upgraded to 10.1 or later, the old keys are replaced by new unique ones for each component. Components can be upgraded one at a time — there is no need to switch all components from legacy keys at the same time.
If the upgraded appliance or Windows proxy was previously using the default legacy keys, then when the switch to unique keys is made, appliances automatically approve the new certificate. If the default keys had been replaced with custom site-specific keys, a switch to new unique keys will disable the existing communication links until they are re-approved. When an appliance key and certificate is changed, the Windows proxy always requires approval of the new certificate.
If it is necessary to add a newly installed appliance or Windows proxy to a system involving older version components, communication will not immediately succeed because the newly installed component will have unique keys that are not known to the old components. In this situation, the newly-installed component should be switched to use the legacy key and certificate via the certificate management interface.
Within the BMC Discovery user interface, details of the appliance's own key and certificate, and the certificates of other components that it trusts are visible within the Administration tab, in Security > Appliance Certificates. The page permits the generation of new keys, and the installation of the legacy keys for successful interaction with older-version components.
On the Windows proxy, access information about the proxy's own key and certificate in the Proxy Manager via Edit > Key and Certificate Management. As with the Appliance Certificates page, the dialog permits the generation of a new key and certificate and the installation of the legacy key. Certificate details of the connected appliances are available via Edit > Known Appliances.
The TLS (Transport Layer Security) protocols used in BMC Discovery make use of both public-key and symmetric-key cryptography, and secure hashing. This section explains the effects of these cryptography techniques, how they are used in TLS, and how BMC Discovery uses the features of TLS to achieve authentication, authorization and end-to-end encryption.
As a simple example of how these techniques can be used, suppose Alice wishes to communicate with Bob. They each have a public-private key pair, and each knows the other's public key. Public-key encryption algorithms are computationally expensive, so they wish to use a symmetric-key algorithm to exchange messages. The interaction is as follows:
TLS negotiates communication in a similar manner, except that it adds an extra layer of indirection that is useful on the public web. Suppose that Alice and Bob do not know each others' public keys, but they do both trust Charlie, and they know his public key. Charlie can act as a certificate authority (or CA). Alice and Bob each ask Charlie to sign their public keys:
Since Charlie's public key is public, anyone can confirm that Alice's certificate was signed by Charlie, because they can decrypt the encrypted hash using his public key and check that the hash value is correct. Bob can similarly have his public key signed by Charlie or another trusted certificate authority.
Now, Alice and Bob can negotiate a session key to communicate as before, with an additional interaction at the start:
Alice and Bob now have each others' public keys, so they can proceed as before. This is, in a somewhat simplified form, how TLS works.
On the public web, a number of companies have established themselves as certificate authorities. Browser manufacturers have chosen to accept these certificate authorities, and embed their public keys within the browsers. Web sites that wish to use HTTPS pay a certificate authority to sign their public keys. Now, when Alice wishes to use her web browser to connect to Bob's Bank Inc's web site, her browser can see that the Bob's Bank Inc certificate was signed by Charlie's Certificate Authority Ltd, and it is happy to proceed. End users on the web do not have certificates signed by a certificate authority, so Alice's browser does not have a signed certificate, and the Bob's Bank server does not attempt to verify one — the TLS protocol is configured to only authenticate the server-side certificate, and not require a client certificate. Hopefully Bob's Bank uses another mechanism to verify that Alice really is who she claims to be.
The trust model on the web is only intended to allow browsers to verify that web servers are who they claim to be. It relies on there being a small number of public certificate authorities that are trusted by all browsers.
The way TLS is used in BMC Discovery is different from the public web. Both client and server wish to authenticate each other, and all connections are individually approved so there is no need to have a single trusted certificate authority. The TLS protocols require the use of certificate authorities, however, so when each BMC Discovery component (appliance or Windows proxy) generates a unique public-private key pair for itself, it also generates a unique certificate authority key pair for itself, and signs its own certificate with it. The certificate authority public key is also signed with its own private key, so it is referred to as a self-signed CA Certificate. After generation, the system discards the CA's private key so it can never sign any more certificates with that CA.
Each component in BMC Discovery therefore has a unique single-use CA with its own CA certificate. It is these CA certificates that are exchanged between components, and must be approved for communication to be permitted.