
Important: This documentation space contains information about the on-premises version of BMC Helix Discovery. If you are using the SaaS version of BMC Helix Discovery, see BMC Helix Discovery (SaaS).

Security of communication


BMC Discovery service

The BMC Discovery service is the cloud-native element of BMC Discovery in which infrastructure, upgrades, resilience, and availability are all managed by BMC. The BMC Discovery service registers with the selected Outpost, and the Outpost registers with the BMC Discovery service. The process is not automated, which ensures that registration between the two is always a positive action.

The BMC Discovery service does not initiate communication with the Outpost. It responds to Outpost requests for tasks, such as discovery requests, and responds to the registered Outpost with the associated actions. When an Outpost requests a task, the service only sends a task that the Outpost is able to do, such as a scan of IP addresses that the Outpost is permitted to scan; if an IP address has already been scanned, the request is sent to the Outpost that has already successfully scanned it.

The BMC Discovery service intelligently infers information about hosts and programs from the Directly Discovered Data (DDD) that is returned, using the patterns. Each pattern represents knowledge about a particular software or hardware product, and the BMC Discovery service uses this knowledge to create more detailed, "inferred" data. Inferred data represents the scanned IT environment and is stored in the datastore. Data written to the datastore is instantly indexed, which enables you to search for the required information by using simple keywords in the service UI. The provenance of each item of inferred data is also stored, which means that when you examine an inferred entity in the UI, you can also examine the information that was used to create it.

Patterns can be updated either through monthly Technology Knowledge Updates (TKUs) that are applied by BMC when the updates are released, or by writing new custom patterns using The Pattern Language (TPL).

BMC Discovery Outpost

Information about your organization's hardware and software is obtained by the BMC Discovery Outpost. The Outpost is application software that runs on a dedicated Windows server in your data center or on a public cloud. The BMC Discovery service sends a request to an Outpost to scan the required IP address, and the Outpost accesses the target by using the credentials that are held in a secure, encrypted vault. The targets are accessed by using a variety of methods, such as SSH, Telnet, WMI, and SNMP. After logging in to a discovery target, the Outpost executes commands to access the target details, and their results are encrypted and sent to the BMC Discovery service. When the BMC Discovery service receives the data, it stores it in the datastore as Directly Discovered Data (DDD).

The BMC Discovery Outpost performs SSH discovery by using an API rather than an SSH client. Consequently, alternative SSH clients are not supported on the BMC Discovery Outpost.

The BMC Discovery Outpost is FIPS compliant.

Multiple Outposts can be deployed to handle segmented networks, which can all communicate with a single BMC Discovery service. Similarly, the BMC Discovery Outpost can be registered with multiple services and receive work from those services. The BMC Discovery Outpost can also communicate with the BMC Discovery service through HTTP(S) proxies; that is, web proxies that adhere to the HTTP protocol specification. We test using the Squid proxy, but any web proxies that adhere to the HTTP protocol specification should be suitable.

The Outpost is self-updating. When a new version is available, you are notified, and you can choose to have the Outpost update installed automatically when it is idle.

Security of communication and data in BMC Discovery

  1. You must register the Outpost with the BMC Discovery service, and the BMC Discovery service with the Outpost. The registration process ensures that:
    1. The BMC Discovery service listens only for Outposts that you have registered it with.
    2. Your Outposts only ask for jobs from the BMC Discovery service that you have registered them with.
  2. Communication between the Outpost and the BMC Discovery service is always encrypted, and always sent over HTTPS.
  3. The registration process establishes a second level of encryption of the messages between the Outpost and the service, which means that we do not rely only on the security of HTTPS communications. The Outpost can communicate with the service by using web proxies, and even if a decrypting web proxy is used to transport the messages, the content cannot be read.
    1. Messages are encrypted by using tokens exchanged at registration, which are used for AES encryption, ensuring that only that Outpost and that service can read the messages.
    2. The encrypted messages are sent over HTTPS.
  4. Communication between the Outpost and the BMC Discovery service is always from the Outpost on your premises to the BMC Discovery service in the cloud. Communication is never initiated by the BMC Discovery service in the cloud.
  5. Credentials to access and discover your infrastructure never leave your premises.

Allowed IP addresses

BMC Discovery enables you to specify the IP addresses from which you are permitted to access your BMC Discovery instance. To do this, contact BMC Customer Support, and they will make the required configuration changes for you.

Shadow credentials

Credentials are held in the secure credential vault in the BMC Discovery Outpost. As you use BMC Discovery, your credentials never leave your premises. You configure and manage your credentials through the BMC Discovery Outpost UI. In the BMC Discovery service UI, the Manage > Credentials page also displays information on credentials. These credentials are called shadow credentials. Shadow credentials do not contain the actual credentials. They display only the UI labels of the credentials.

Shadow credentials enable the service to display information on the available credentials, the Outpost the credential is stored on, and usage, such as the credential used to discover a target, without ever taking the actual credentials outside your premises.

When you click a shadow credential, and you have permission to configure credentials, you are redirected to the UI of the Outpost that holds the corresponding real credential. You are logged in to the Outpost as the same user that you were logged in to the BMC Discovery service UI with. The credentials on the Outpost are held in the secure vault, which is protected by a key. This key, in turn, is protected by a generated key that is stored on the service.

When you start a Discovery run, the service requests that the Outpost scan each of the endpoints in the run, and the Outpost selects the appropriate credential. The Outpost accesses the credential from the vault by using the generated key from the service.


BMC Helix Discovery 25.2 (On-Premises)