This documentation supports the 20.02 (12.0) version of BMC Discovery.

Managing the credential vault

The appliance credentials used to log in to discovery targets, synchronize to the CMDB, and export data using adapters are stored in a vault that is encrypted with a default passphrase when the appliance is built. If the passphrase is lost, the contents of the vault cannot be recovered. The default vault passphrase is persisted on the appliance and is common to all appliances; it is therefore highly recommended, and considered security best practice, to secure the vault with a manually entered passphrase. Without a manually entered passphrase the vault is only guarded against casual inspection, and its security then depends entirely on access control at the Linux command line.

You can configure a replacement passphrase for the appliance vault instead of using the default. However, we strongly recommend that you use the default to avoid any access issues due to an incorrect passphrase. Once configured, the passphrase is required every time the discovery process is run.

When the passphrase is set, the vault is automatically in a locked state when the appliance starts, and requires the passphrase to be unlocked. The encryption key used for encrypting the vault is derived from the passphrase. The passphrase can be stored on the appliance, which enables you to perform scans when the credential vault is open, without re-entering the passphrase. If the passphrase is saved, it is stored in the vault. If the vault is closed, you must enter the passphrase manually to open the vault.

The default passphrase is a random string of 64 characters (512 bits), from which a 256-bit key is generated. If you decide to use a manually entered passphrase, ensure that it is of at least similar complexity, or that it is changed at regular intervals. The contents of the vault are secured using 256-bit AES encryption in CBC mode.

Only users with Discovery or Administration privileges have read/write access to the vault, with read access limited to non-sensitive information only (passwords can never be seen in the UI or at the command line).

For further details, see Information security.

Credentials are not shared between vaults. That is:

  • A discovery scan from an appliance can only use credentials from its own vault.
  • A discovery scan from a BMC Discovery Outpost can only use credentials from its own vault.

The credential vault can be open or closed. If no passphrase is set or the passphrase is saved, the vault is opened automatically when BMC Discovery starts. If a passphrase has been set and not saved, you will be prompted to enter it before Discovery can begin. While the vault is open, BMC Discovery can use the credentials stored in it to access devices.

When BMC Discovery is stopped, the vault is automatically closed if a passphrase is set and has not been saved. You can close the vault while the discovery process is in progress. This will prevent access to further devices during the current discovery runs.

Whenever a credential is added, removed, or changed, the vault is backed up. No more than two copies of the vault are held as backups. When the vault passphrase is added, changed, or removed, all backups are deleted, ensuring that no backups of potentially less secure vaults are retained on the system.
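As an added illustration (not BMC's code), the following Python model captures the vault lifecycle rules described above: automatic opening at start, closing at stop, backup retention, and the purge of backups on passphrase changes. The PBKDF2 key derivation and its salt are assumptions, since the page says only that the key is derived from the passphrase.

```python
import hashlib
from typing import Optional


class CredentialVault:
    """Toy model of the documented vault lifecycle (hypothetical, not product code).

    Rules: auto-open at start when no passphrase is set or it is saved; close on
    stop when a passphrase is set but not saved; back up on every credential
    change, keeping at most two copies; purge all backups when the passphrase is
    set, changed or cleared; passphrase changes never alter the open/closed state.
    """

    def __init__(self) -> None:
        self.passphrase: Optional[bytes] = None  # None: built-in default in use
        self.saved = False
        self.is_open = False
        self.backups: list = []
        self.credentials: dict = {}

    @staticmethod
    def derive_key(passphrase: bytes) -> bytes:
        # Assumption: the page says only that the AES-256 key is derived from the
        # passphrase; PBKDF2-HMAC-SHA256 with a constructed salt stands in for the real KDF.
        return hashlib.pbkdf2_hmac("sha256", passphrase, b"constructed-salt", 100_000, dklen=32)

    def start(self, entered: Optional[bytes] = None) -> bool:
        """Start BMC Discovery; returns True if the vault ends up open."""
        if self.passphrase is None or self.saved or entered == self.passphrase:
            self.is_open = True
        return self.is_open  # stays closed (scans blocked) on a missing or wrong passphrase

    def stop(self) -> None:
        if self.passphrase is not None and not self.saved:
            self.is_open = False

    def set_passphrase(self, new: bytes, save: bool = False) -> None:
        # Set or change: is_open is untouched; older, possibly weaker backups are dropped
        self.passphrase, self.saved, self.backups = new, save, []

    def clear_passphrase(self, current: bytes) -> bool:
        if current != self.passphrase:
            return False
        self.passphrase, self.saved, self.backups = None, False, []
        return True

    def update_credential(self, name: str, secret: str) -> None:
        # Add/remove/change triggers a backup; only the two newest copies are kept
        self.backups = (self.backups + [dict(self.credentials)])[-2:]
        self.credentials[name] = secret
```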

To manage the credential vault

  1. From the main menu, click the Administration icon.
    The Administration page is displayed.
  2. From the Discovery section, click Vault Management.
    The Vault management page is displayed.

From the Vault management page you can open or close the credential vault and specify a passphrase to secure it. You can also change the passphrase or remove it.

Setting a passphrase

To set a passphrase:

  1. Enter the new passphrase in the New Passphrase field.
  2. Repeat it in the Verify New Passphrase field.
  3. Optionally, select Save Passphrase so that the passphrase is not required whenever scanning is enabled. You must still enter the passphrase to open a closed credential vault.
  4. Click Set Passphrase.
    The passphrase is now set.

Changing a passphrase

To change a passphrase:

  1. Enter the new passphrase in the New Passphrase field.
  2. Repeat it in the Verify New Passphrase field.
  3. Click Change Passphrase.
    The passphrase is now changed.

Note

Setting or changing a passphrase does not change whether the vault is open or closed.

Clearing a passphrase

To clear a passphrase:

  1. Enter the current passphrase in the Current Passphrase field.
  2. Click Clear Passphrase.
    The passphrase is now cleared.

Opening the credential vault

To open a closed credential vault:

  1. Enter the passphrase and click Open the Vault.
  2. Confirm the operation when requested.

You can also open the credential vault from the Discovery Home page. When BMC Discovery is not running and the vault is closed, a Passphrase entry box is displayed above START LOCAL SCANS.

Closing the credential vault

To close the vault, it must be open and have a passphrase set:

  1. Click Close the Vault.
  2. Confirm the operation when requested.

You can also close the vault from the Discovery Home page. When BMC Discovery is running and a passphrase is set, stopping BMC Discovery also closes the vault.
