
Adding credentials

Login credentials are usernames and passwords, SSH keys, and other authentication methods used to access a host. For BMC Discovery to access and scan the hosts in the IT environment, BMC Discovery needs to add and store their login credentials.

You add credentials from the Manage > Credentials page in the UI.

On the Add Credential page, you can enter general details for the credential, and depending on the specific credential type, any additional parameters. For example, for a Linux host, you can specify an SSH key to be used for authentication or a username/password combination for escalated privileges. If you add an exception for matching IP addresses, the label of the credentials is updated with the exception.

You can add credentials for Linux and Windows hosts, management controllers, network devices, storage devices, and so on. The preferred method of accessing remote devices through BMC Discovery is by using remote login. 

You can set up different login credentials to use on different computers, by an individual IP address or a range of addresses. You can set up several access methods and define the order in which they must be attempted. Each access method is attempted until a working credential is found or the list is exhausted. When BMC Discovery successfully logs in to a host for the first time, the access method used to log in is recorded. On subsequent scans, the access method used during the previous successful login to the host is attempted first. 

However, you must configure appropriate options on the Discovery Configuration page for successful attempts.

If BMC Discovery records an access login method (for example, telnet) as the last successful login method but this method is later disabled for any reason, then BMC Discovery tries the same method again on a subsequent scan. If the scan fails, then that method is not tried again until it is re-enabled. BMC Discovery attempts an access method only if it is seen to be available. For example, SSH access is attempted only if the SSH port is open. Information about the success or failure of credentials is displayed on the Discovery Status page.
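The selection rules described above, as an added example that models them in code (a constructed simulation, not BMC's own implementation; the method names, ports and the `try_login` callback are assumptions): methods are tried in configured order, the last successful method is tried first on the next scan, a method is skipped when its port is closed, and a disabled method that was recorded as last successful gets one more try before it is dropped until re-enabled.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class AccessMethod:
    name: str             # e.g. "ssh", "telnet", "rlogin" (constructed names)
    port: int             # the method is attempted only when this port is open on the host
    enabled: bool = True  # whether the method is enabled on the Discovery Configuration page


@dataclass
class AccessMethodSelector:
    """Constructed model of the selection rules on this page; not BMC Discovery's code."""
    methods: List[AccessMethod]                                  # the configured attempt order
    last_success: Dict[str, str] = field(default_factory=dict)  # host -> method recorded as working

    def candidates(self, host: str) -> List[AccessMethod]:
        recorded = self.last_success.get(host)
        # A disabled method is normally skipped, unless it is the recorded one (it gets one more try).
        ordered = [m for m in self.methods if m.enabled or m.name == recorded]
        # The previously successful method goes first; the others keep their configured order.
        ordered.sort(key=lambda m: m.name != recorded)
        return ordered

    def scan(self, host: str, open_ports: Set[int],
             try_login: Callable[[str, str], bool]) -> Tuple[Optional[str], List[Tuple[str, str]]]:
        """Try each candidate in turn. Returns the working method (or None) and a status log
        of the kind the Discovery Status page reports."""
        log: List[Tuple[str, str]] = []
        for m in self.candidates(host):
            if m.port not in open_ports:
                log.append((m.name, "skipped: port closed"))
                continue
            if try_login(host, m.name):
                log.append((m.name, "success"))
                self.last_success[host] = m.name
                return m.name, log
            log.append((m.name, "failed"))
            if not m.enabled:
                # The one retry of a disabled-but-recorded method failed: forget it so it is
                # not attempted again until it is re-enabled in the configuration.
                self.last_success.pop(host, None)
        return None, log


if __name__ == "__main__":
    # Constructed walk-through: ssh is listed first but its port is closed, telnet works.
    selector = AccessMethodSelector([AccessMethod("ssh", 22), AccessMethod("telnet", 23),
                                     AccessMethod("rlogin", 513)])
    print(selector.scan("host-a", {23, 513}, lambda host, method: method == "telnet"))
    print(selector.scan("host-a", {22, 23}, lambda host, method: method == "telnet"))
```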

Before you begin

If you have integrated BMC Discovery with a supported credential broker, then see the following topics for additional information about adding credentials:

User accounts on UNIX and Linux target systems

When creating a user account (the account that BMC Discovery logs into to discover a host) on a UNIX or Linux target host, make sure that you specify the full path to the shell in the user profile, for example, SHELL=/bin/sh. Otherwise, the credentials are considered invalid.

Important

BMC Discovery is tested to work with Bourne and Bourne-compatible shells (/bin/sh). In general, the best shell to use for BMC Discovery is /bin/sh because it is widely available on Linux, UNIX, AIX, and so on. Support for other shells, such as the Korn shell, is best effort only: the product has been tested sporadically with these shells and might work, but with known issues, and BMC might not fix bugs that affect them.

To add login credentials

  1. From the menu bar, select Manage > Credentials.
    The Credentials page is displayed.
  2. On the top-right corner of the page, click the Add list to view the type of target for which you want to add a credential.


    The available credential types are:

    • Network Device
    • Database
    • Host
    • Cloud
    • Storage Device
    • Management Controller
    • Custom Credential
    • Web API
    • API Provider
      Each type contains options under it. You can click an option to view the Add Credential page and enter details for the option.
      The Add Credential page displays pre-populated fields relevant to your selection. For example, under Host, click SSH to configure the Add Credential page with the SSH and UNIX Settings access methods. 
  3. In the Label field, specify an appropriate name for the credential.

    This label is used later for searching credentials. This field is mandatory.

  4. (Optional) If you have configured integration with a credential broker, select the Vault source from the list menu. It can be one of the following:

     

  5. If you need to add more access methods to the selected credential type, click the + icon in the Credential Types field or proceed to the next step.
  6. Select the Matching criteria. Either select Match All for the credential to be valid for any endpoint (this is the default), or clear Match All to enter specific endpoints or ranges.
  7. To add Matching exceptions, that is, endpoints that the credential must never match, click the + icon in the Matching exceptions field and enter the endpoints that you do not want this credential to match. You can use the same endpoint types for matching exceptions as you can for matching criteria.

    Additional tips for entering matching criteria and matching exceptions

    For Matching criteria, select Match All to match all endpoints. Clear Match All to enter values that will be used to determine if this credential is suitable for a particular endpoint. For matching exceptions, enter the endpoints.

    They can be one or more of the following, separated by commas:
    • IPv4 address: for example 192.168.1.100.
    • IPv4 range: for example 192.168.1.100-105, 192.168.1.100/24, or 192.168.1.*.
    • IPv6 address: for example 2001:500:100:1187:203:baff:fe44:91a0.
    • IPv6 network prefix: for example fda8:7554:2721:a8b3::/64.

    Important

    You cannot specify the following address types:
    • IPv6 link local addresses (prefix fe80::/64)
    • IPv6 multicast addresses (prefix ff00::/8)
    • IPv4 multicast addresses (224.0.0.0 to 239.255.255.255)

    As you enter text, the UI divides it into pills (discrete editable units) when you enter a space or a comma. According to the text entered, the pill is formatted to represent one of the previous types or presented as invalid.

     Invalid pills are labeled with a question mark. You can also paste a list of IP addresses or ranges into this field. If a pill is invalid, a message stating the number of invalid pills is displayed above the range field. To edit or delete the invalid pills, click the link to apply a filter that shows only the invalid pills. You can remove the filter by clearing the Showing n of n label below the Range field. There is no paste option on the context-sensitive (right-click) menu.

    Warning

    Do not paste a comma-separated list of IP address information into the Range field in Mozilla Firefox. Doing so can crash the browser. Instead, use a space-separated list.

    You can perform the following tasks on a pill:

    • To edit a pill, click the pill body and edit the text.
    • To delete a pill, click the X icon next to the pill, or click to edit and delete all of the text.
    • To view the unformatted source text, click the source toggle switch. The source view is useful for copying to a text editor or spreadsheet. Click the source toggle switch again to see the formatted pill view.

    Below the entry field is a filter box. Enter text in the filter box to view only the matching pills.

    Tip

    Pills are not supported in Opera.

  8. Select the Enabled check box to enable the credentials.

    You can edit the credentials at any time or disable a given credential.

  9. In the Description field, specify a description for the credential.


  10. In the User – Name field, specify a username for the credential.
  11. In the User – Password field, specify a password for the credential. 

    Tip

    On the Edit Login Credential page, the User – Password field is displayed as Set Password. The existing password is displayed as a series of asterisks that cannot be edited. To enter a new password, select the check box. The password field is cleared, enabling you to enter the new password.

  12. Specify additional fields for the selected credential type. For more information about these fields, see the relevant credential type:
  13. Click Apply to save the credential details.
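The matching criteria and matching exceptions rules from step 6 and step 7, as an added example that is not part of the original page or BMC's code: it splits an entry into pills at spaces and commas, classifies each pill as one of the documented endpoint types (or invalid), rejects the address types the page says cannot be specified, and decides whether a credential is suitable for a given endpoint. The treatment of a pill that merely overlaps a forbidden range is an assumption (the page lists the ranges, not the exact rule).

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Address ranges the page says cannot be specified as matching criteria or exceptions.
DISALLOWED = {
    "IPv6 link local (fe80::/64)": ipaddress.ip_network("fe80::/64"),
    "IPv6 multicast (ff00::/8)": ipaddress.ip_network("ff00::/8"),
    "IPv4 multicast (224.0.0.0 to 239.255.255.255)": ipaddress.ip_network("224.0.0.0/4"),
}


@dataclass
class Pill:
    text: str
    kind: str                                      # ipv4, ipv4-range, ipv6, ipv6-prefix, invalid
    networks: List = field(default_factory=list)   # ip_network objects the pill covers
    error: Optional[str] = None                    # why the pill would be shown with a '?'


def _ipv4_dash_range(text: str) -> List:
    """'192.168.1.100-105': the number after the dash replaces the last octet."""
    base, _, end = text.partition("-")
    start = ipaddress.IPv4Address(base)
    if not end.isdigit():
        raise ValueError("range end is not a number")
    first, last = int(start) & 0xFF, int(end)
    if last < first or last > 255:
        raise ValueError("range end must lie between the start octet and 255")
    high = ipaddress.IPv4Address(int(start) - first + last)
    return list(ipaddress.summarize_address_range(start, high))


def _ipv4_wildcard(text: str) -> List:
    """'192.168.1.*': every octet from the first '*' onward must also be '*'."""
    parts = text.split(".")
    fixed = parts.index("*")
    if len(parts) != 4 or any(p != "*" for p in parts[fixed:]):
        raise ValueError("wildcard octets must be trailing")
    if not all(p.isdigit() and int(p) <= 255 for p in parts[:fixed]):
        raise ValueError("bad octet before the wildcard")
    network = ".".join(parts[:fixed] + ["0"] * (4 - fixed))
    return [ipaddress.ip_network(f"{network}/{8 * fixed}")]


def parse_pill(text: str) -> Pill:
    """Classify one pill as the UI does: a documented endpoint type, or invalid."""
    try:
        if ":" in text:
            if "/" in text:
                nets, kind = [ipaddress.IPv6Network(text, strict=False)], "ipv6-prefix"
            else:
                nets, kind = [ipaddress.IPv6Network(text)], "ipv6"   # a single /128
        elif "-" in text:
            nets, kind = _ipv4_dash_range(text), "ipv4-range"
        elif "*" in text:
            nets, kind = _ipv4_wildcard(text), "ipv4-range"
        elif "/" in text:
            # 192.168.1.100/24 is accepted; strict=False drops the host bits.
            nets, kind = [ipaddress.IPv4Network(text, strict=False)], "ipv4-range"
        else:
            nets, kind = [ipaddress.IPv4Network(text)], "ipv4"       # a single /32
    except ValueError as exc:
        return Pill(text, "invalid", error=str(exc))
    # Assumption: a pill that overlaps a forbidden range is rejected (conservative reading).
    for label, banned in DISALLOWED.items():
        if any(n.version == banned.version and n.overlaps(banned) for n in nets):
            return Pill(text, "invalid", nets, f"{label} addresses cannot be specified")
    return Pill(text, kind, nets)


def split_pills(raw: str) -> List[Pill]:
    """The UI divides the entry into pills at every space or comma."""
    return [parse_pill(t) for t in re.split(r"[\s,]+", raw.strip()) if t]


def covers(pills: List[Pill], endpoint: str) -> bool:
    addr = ipaddress.ip_address(endpoint)
    return any(addr in n for p in pills if p.kind != "invalid" for n in p.networks)


def credential_matches(endpoint: str, match_all: bool, criteria: str, exceptions: str) -> bool:
    """Match All (or the criteria) decides suitability; a matching exception always wins."""
    if covers(split_pills(exceptions), endpoint):
        return False
    return match_all or covers(split_pills(criteria), endpoint)
```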


Network device credentials

Credential type

Parameter

Description

SNMP

Retries

The number of attempts made if no response is received. The default is five.

Timeout

The time (in seconds) in which a response is expected from the host. The default is one second.

SNMP Port

Select the check box and then select an SNMP port from the list. The list is populated with SNMP ports that you have configured in the Discovery Configuration window.

SNMP Version

The SNMP version to use. From the SNMP version list, select one of the following: 1, 2c, or 3. The default is Version 2c. If you are setting up credentials for discovering Netware, you must select Version 1 from the SNMP version list.

Use GETBULK

Use GETBULK requests instead of GETNEXT requests. GETBULK improves discovery performance. However, some devices do not support it correctly, which occasionally may lead to scanning issues. If you experience scanning issues, clear this option to revert to GETNEXT.
GETBULK is supported only by SNMP v2c and v3.

SNMP v1/v2c

Community: Name

The community used for SNMP read access to the defined host or hosts; for SNMP V1 and V2c credentials only.

SNMP v3


Security Level

For SNMP V3 credentials only. This field shows the security level selected by using the following authentication and privacy protocols:

  • noAuthNoPriv—No authentication and no privacy.
  • authNoPriv—Authentication, no privacy.
  • authPriv—Authentication and privacy.

No setting exists for privacy without authentication.

Authentication Protocol

Protocol used to encrypt the authentication with the client. This is applicable for SNMP V3 credentials only. Select one of the following options from the list:

  • None—No encryption used. Operates in the same way as v1 and v2.
  • MD5—The authentication passphrase you enter is MD5 hashed. 
  • SHA-1—The authentication passphrase you enter is SHA-1 hashed.
  • SHA-224—The authentication passphrase you enter is SHA-224 hashed.
  • SHA-256—The authentication passphrase you enter is SHA-256 hashed.
  • SHA-384—The authentication passphrase you enter is SHA-384 hashed.
  • SHA-512—The authentication passphrase you enter is SHA-512 hashed.

The hashed passphrase is used to access the target system.

Tip

The SHA-2 authentication protocols (SHA-224, SHA-256, SHA-384, and SHA-512) are specified in the proposed standard RFC 7860.

Security Name

For SNMP V3 credentials only.

Security—Authentication Key

The key (passphrase) that is used to encrypt the credentials. This is applicable for SNMP V3 credentials only, and only if you have selected an authentication protocol. The key must be at least 8 characters.

Privacy Protocol

The protocol that is used to encrypt data retrieved from the target. Encrypting the data retrieved from a discovery target causes performance degradation as compared to not encrypting the data. This is applicable for SNMP V3 credentials only, and only if you have selected an authentication protocol. That is, you cannot have privacy without authentication. Select one of the following options from the list:

  • None—No data encryption is used. This operates in the same way as v1 and v2.
  • DES—Uses a private key to encrypt data by using the DES algorithm.
  • AES 128—Uses a private key to encrypt data by using the AES algorithm.
  • AES 192 (draft std)—Uses a private key to encrypt data according to the AES draft privacy protocol.

  • AES 256 (draft std)—Uses a private key to encrypt data according to the AES draft privacy protocol.

    Important

    The AES 192 (draft std) and AES 256 (draft std) privacy protocols are based on a draft standard and might not be supported by all manufacturers. If you choose to use one of these protocols, you must be sure that the vendor of the device type that you intend to discover has implemented AES 192 or AES 256 support according to this draft standard. A message is displayed in the UI if you select one of these privacy protocols.

  • AES 128 with 3DES key extension—Uses a private key to encrypt data according to the AES draft privacy protocol with extensions.

  • AES 192 with 3DES key extension—Uses a private key to encrypt data according to the AES draft privacy protocol with extensions.

  • AES 256 with 3DES key extension—Uses a private key to encrypt data according to the AES draft privacy protocol with extensions.

    Important

    The AES 128, AES 192, and AES 256 with 3DES key extension privacy protocols are based on a draft standard and might not be supported by all manufacturers. Examples of manufacturers who have used this draft standard in their equipment are Cisco Systems and Extreme Networks. If you choose to use one of these protocols, you must be sure that the vendor of the device type that you intend to discover has implemented support for it according to this draft standard. A message is displayed in the UI if you select one of these privacy protocols.

Private key—Value

The key (passphrase) that is used to encrypt the data. This is applicable for SNMP V3 credentials only, and only if you have selected a privacy protocol. The key must be at least 8 characters.

Context

The SNMP v3 context. This field is optional and only required for some devices.
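The SNMP credential rules in the table above (GETBULK only for v2c and v3, the security level derived from the authentication and privacy protocols, no privacy without authentication, keys of at least 8 characters, and the draft AES privacy protocols), as an added validator that is not part of the page or BMC's code. The field names and option strings follow the table; the dataclass layout is an assumption.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Option names as they appear on the Add Credential page for an SNMP credential.
AUTH_PROTOCOLS = ("None", "MD5", "SHA-1", "SHA-224", "SHA-256", "SHA-384", "SHA-512")
PRIV_PROTOCOLS = ("None", "DES", "AES 128", "AES 192 (draft std)", "AES 256 (draft std)",
                  "AES 128 with 3DES key extension", "AES 192 with 3DES key extension",
                  "AES 256 with 3DES key extension")
# Privacy protocols the page flags as draft standards that not every vendor implements.
DRAFT_PRIV_PROTOCOLS = tuple(p for p in PRIV_PROTOCOLS if "draft" in p or "3DES" in p)
MIN_KEY_LENGTH = 8


@dataclass
class SnmpCredential:
    """Constructed representation of the SNMP credential fields (assumed layout)."""
    version: str                 # "1", "2c" or "3"
    community: str = ""          # Community: Name, v1/v2c only
    use_getbulk: bool = False
    security_name: str = ""      # v3 only
    auth_protocol: str = "None"
    auth_key: str = ""           # Security—Authentication Key
    priv_protocol: str = "None"
    priv_key: str = ""           # Private key—Value


def security_level(cred: SnmpCredential) -> str:
    """Derive the v3 security level from the chosen protocols; privacy requires authentication."""
    auth = cred.auth_protocol != "None"
    priv = cred.priv_protocol != "None"
    if priv and not auth:
        raise ValueError("privacy without authentication has no security level")
    return "authPriv" if priv else "authNoPriv" if auth else "noAuthNoPriv"


def validate(cred: SnmpCredential) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for a credential according to the rules on this page."""
    errors: List[str] = []
    warnings: List[str] = []
    if cred.version not in ("1", "2c", "3"):
        return [f"unknown SNMP version {cred.version!r}"], warnings
    if cred.use_getbulk and cred.version == "1":
        errors.append("GETBULK is supported only by SNMP v2c and v3")
    if cred.version != "3":
        if not cred.community:
            errors.append("a community name is required for SNMP v1/v2c")
        if cred.auth_protocol != "None" or cred.priv_protocol != "None":
            warnings.append("authentication and privacy protocols apply to v3 only and are ignored")
        return errors, warnings
    # SNMP v3 rules.
    if not cred.security_name:
        errors.append("a security name is required for SNMP v3")
    if cred.auth_protocol not in AUTH_PROTOCOLS:
        errors.append(f"unknown authentication protocol {cred.auth_protocol!r}")
    if cred.priv_protocol not in PRIV_PROTOCOLS:
        errors.append(f"unknown privacy protocol {cred.priv_protocol!r}")
    try:
        level = security_level(cred)
    except ValueError as exc:
        errors.append(str(exc))
        return errors, warnings
    if level != "noAuthNoPriv" and len(cred.auth_key) < MIN_KEY_LENGTH:
        errors.append(f"authentication key must be at least {MIN_KEY_LENGTH} characters")
    if level == "authPriv" and len(cred.priv_key) < MIN_KEY_LENGTH:
        errors.append(f"private key must be at least {MIN_KEY_LENGTH} characters")
    if cred.priv_protocol in DRAFT_PRIV_PROTOCOLS:
        warnings.append(f"{cred.priv_protocol} is a draft standard; confirm the device vendor supports it")
    if level == "noAuthNoPriv":
        warnings.append("noAuthNoPriv: requests are neither authenticated nor encrypted, as with v1/v2c")
    return errors, warnings
```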

AVI Vantage Web API

Timeout

The time (in seconds) in which a response is expected from the host. The default is 180 seconds.

Access Protocol

Select Allow HTTP to enable REST API requests to be made over HTTP.

Warning

HTTP is not a secure protocol as the communication is not encrypted. This is a security risk that allows access credentials to be stolen.

Cisco APIC REST API

AAA Domain

The AAA domain to which the user belongs. This field is empty by default.

Timeout

The time (in seconds) in which a response is expected from the host. The default is 180 seconds.

Access Protocol

Select Allow HTTP to enable REST API requests to be made over HTTP.

Warning

HTTP is not a secure protocol as the communication is not encrypted. This is a security risk that allows access credentials to be stolen.

Citrix NetScaler NITRO REST API

Timeout

The time (in seconds) in which a response is expected from the host. The default is 180 seconds.

Access Protocol

Select Allow HTTP to enable REST API requests to be made over HTTP.

Warning

HTTP is not a secure protocol as the communication is not encrypted. This is a security risk that allows access credentials to be stolen.

BeyondTrust Remote Support Web API


Client details (optional)

You can specify an optional Client ID and a secret to access the web API.

  • Client ID–A client ID (if required) to access the API.
  • Client secret–The corresponding client secret. To enter a new secret, select the check box. The entry field is cleared and you can enter the new secret.

Timeout

The time (in seconds) in which a response is expected from the host. The default is 180 seconds.

Access Protocol

Select Allow HTTP to enable API requests to be made over HTTP.

Warning

HTTP is not a secure protocol as the communication is not encrypted. This is a security risk that allows access credentials to be stolen.

Port

The port number on which to connect. The default port is 443.

Fortinet FortiADC REST API


Timeout

The time (in seconds) in which a response is expected from the host. The default is 180 seconds.

Access Protocol

Select Allow HTTP to enable API requests to be made over HTTP.

Warning

HTTP is not a secure protocol as the communication is not encrypted. This is a security risk that allows access credentials to be stolen.

Port

The port number on which to connect. The default port is 443.

F5 REST API with token based authentication


Login Provider name

The name of the authentication provider. The default value is "tmos".

Timeout

The time (in seconds) in which a response is expected. The default is 180 seconds.

Port

The port number on which to connect. The default port is 443.

ArubaOS REST API with token based authentication

Timeout

The time (in seconds) in which a response is expected. The default is 180 seconds.

Port

The port number on which to connect. The default port is 443.

Database credentials

Each credential type has the following parameters.

Credential type

Parameter

Description

One of:

  • Cassandra
  • IBM Db2
  • Ingres
  • Microsoft SQL Server
  • MySQL
  • Oracle
  • PostgreSQL
  • Sybase
  • Teradata
  • YugabyteDB
  • Other Database

Driver

Select a driver from the list of configured drivers. To add a new driver or to update an existing driver, see Managing-database-drivers.

Database Name

Specify the name of the database. By default, the check box Treat as regular expression is selected. Clear the check box if the database name is not to be treated as a regular expression.

Port

Specify the port number applicable for the database. By default, the check box Treat as regular expression is selected. Clear the check box if the port number is not to be treated as a regular expression.

Timeout

The time (in seconds) in which a response is expected from the host. The default is 60 seconds.

Credential Group

If a credential can be used for multiple database types, it can be added to a credential group in TPL. Enter the name of that credential group.

Additional Properties

Specify the other database properties by using the format, key=value. For example, to encrypt the password, enter ENCRYPT_PASSWORD=true.

In earlier releases, the Encrypt Password check box was available to encrypt the password. This checkbox was removed in the August 2020 TKU (TKU 2020-Aug-1). 

Tip

Microsoft SQL Server with a domain account

If you are connecting to Microsoft SQL Server with a domain account, you must add the following lines for the credential:
domain=<DomainName>
useNTLMv2=true
authenticationScheme=NTLM
integratedSecurity=true

Host credentials

The following video explains, in brief, the process for adding an SSH credential and configuring a discovery scan to discover endpoints using the SSH credential.

Credential type

Parameter

Description

SSH

Kerberos Realm

Where one or more Kerberos realms are configured, select the realm for which the credential will be valid. For information about adding realms and testing authorization for those realms, see Adding-Kerberos-realms-for-discovery-authentication.

SSH Port

If the host for which this credential is created is configured to listen for SSH connections on a nonstandard port, pick a port from the list. You can specify only those SSH ports that are defined in Discovery Configuration on the Administration page. For more information, see TCP and UDP ports to use for initial scan.

Timeout (in seconds)

Enter a timeout period (in seconds) for a session. This timeout includes the period for a credential handshake (see also the Session Login Timeout). This timeout is used to control sessions. The default is 180 seconds.

In general, the timeout is not used to limit the time to scan devices. More than one session can be used to scan one device. For this reason, a scan can take more time than the specified timeout. A typical consequence of this timeout (for example, when the execution of the platform script for getInterfaceList takes longer than this timeout) is that the scan will fail with a script failure and an error message, Connection timed out.

SSH Key—Private Key File

Specify an existing SSH key that you already have deployed in your organization. Click Browse to locate the private key and click Open to select it. For more information about setting up a private key, see Using-SSH-keys.

BMC Discovery supports RSA2, DSA, ECDSA, and ED25519 keys in PEM format, generated with OpenSSH or OpenSSL. For hosts that only support SSH v1, you must use credentials for authentication.

SSH Key—Passphrase

Specify the passphrase for the UNIX host. When you click Apply on the Add Credentials page to save the credential, the key and passphrase are validated. BMC Software recommends that you protect the vault with a passphrase when you upload the private key to BMC Discovery.

SSH Authentication

To use an SSH key or password, select Key or Password. If you have not configured an SSH key, Key is disabled.

To use the realm you have chosen, select Kerberos. If no realms are configured, or you have not chosen a realm, Kerberos is disabled.

When using Kerberos authentication and you have selected a realm, the username and password specified are not used. However, if the BMC Discovery appliance has not yet obtained a Ticket Granting Ticket (TGT) from the Key Distribution Center (KDC) then the username and password are used as the Principal Name and password for obtaining the TGT.

Cisco Catalyst Center REST API 

Timeout

The time (in seconds) in which a response is expected from the host. The default is 180 seconds.

Port

The port number on which to connect to the credential type. The default port is 443.

HPE OneView REST API

Domain

The domain name to which the credential belongs. The default is local.

Timeout

The time (in seconds) in which a response is expected from the host. The default is 180 seconds.

Port

The port number on which to connect. The default port is 443.

PowerShell

PowerShell Timeout

Enter a timeout period (in seconds) for a session. This timeout includes the period for a credential handshake (see also the Session Login Timeout). This timeout is used to control sessions. The default is 180 seconds.

In general, the timeout is not used to limit the time to scan devices. More than one session can be used to scan one device. For this reason, a scan can take more time than the specified timeout. A typical consequence of this timeout (for example, when the execution of the platform script for getInterfaceList takes longer than this timeout) is that the scan will fail with a script failure and an error message, Connection timed out.

PowerShell Authentication

The type of authentication used. This can be one of the following:

  • Basic–User name and password authentication. Not encrypted.
  • Negotiate–Dynamically chooses between supported authentication types (not including Basic). Currently, the only supported authentication type other than Basic is NTLM.
  • NTLM–Windows NT LAN Manager (NTLM) is a challenge-response authentication protocol used to authenticate a client to a resource on an Active Directory domain.

Just Enough Administration (JEA)

  • Enabled–enable Windows host discovery by using Just Enough Administration (JEA).
  • Endpoint Name–enter the JEA Endpoint Name. The JEA Endpoint Name is defined during registration of the session configuration file, and is required when BMC Discovery connects to the target host using JEA.

Access Protocol

  • HTTPS–enable PowerShell requests to be made over HTTPS. The default is HTTPS.
  • HTTP–enable PowerShell requests to be made over HTTP. Over HTTP, the content returned is encrypted, although using HTTP with Basic authentication would make it possible for credentials to be compromised. We recommend you use NTLM (Negotiate) authentication.

PowerShell HTTPS Port

If the host for which this credential is created is configured to listen for PowerShell connections on a nonstandard port, pick a port from the list. You can specify only those ports here that are defined in the Discovery Configuration window on the Administration tab. For more information, see PowerShell ports.

PowerShell HTTP Port

If the host for which this credential is created is configured to listen for PowerShell connections on a nonstandard port, pick a port from the list. You can specify only those ports here that are defined in the Discovery Configuration window on the Administration tab. For more information, see PowerShell ports.

Proxy

If you need to connect through an HTTP proxy, enter the details here. This is an authenticating HTTP proxy rather than a BMC Discovery Windows proxy.

  • Hostname–Name of the proxy host.
  • Port–Port on which to connect to the proxy. The default is 3128.

Proxy Credentials

If you need to connect through an HTTP proxy, enter the details here. This is an authenticating HTTP proxy rather than a BMC Discovery Windows proxy.

  • User–Username for the proxy.
  • Password–Corresponding password.

Telnet

Telnet port

If the host for which this credential is created is configured to listen for Telnet connections on a nonstandard port, pick a port from the list. You can specify only those telnet ports that are defined in Discovery Configuration on the Administration page. For more information, see TCP and UDP ports to use for initial scan.

Timeout (in seconds)

Enter a timeout period (in seconds) for a session. This timeout includes the period for a credential handshake (see also the Session Login Timeout). This timeout is used to control sessions. The default is 180 seconds.

In general, timeout is not used to limit the time to scan devices. More than one session can be used to scan one device. For this reason, a scan can take more time than the specified timeout. A typical consequence of this timeout (for example, when the execution of the platform script for getInterfaceList takes longer than this timeout) is that the scan will fail with a script failure and an error message, Connection timed out.

rlogin

Timeout (in seconds)

Enter a timeout period (in seconds) for a session. This timeout includes the period for a credential handshake (see also the Session Login Timeout). This timeout is used to control sessions. The default is 180 seconds.

In general, timeout is not used to limit the time to scan devices. More than one session can be used to scan one device. For this reason, a scan can take more time than the specified timeout. A typical consequence of this timeout (for example, when the execution of the platform script for getInterfaceList takes longer than this timeout) is that the scan will fail with a script failure and an error message, Connection timed out.

Important

The rlogin access method used to connect to an endpoint is not a secure protocol as communication is not encrypted. Rlogin is not available in the BMC Discovery Outpost UI. If required, you can use rlogin in the appliance UI.

UNIX Settings

Switch User?

To use the su command to change to the root or any other user, select Switch User.

In the following two fields, enter the user to be changed to, and the corresponding password. The password text is not displayed on the screen.

SU User—Name

The username used to log in to hosts that are identified by the key.

SU User—Password

Enter the password for the SU username. The password text is not displayed on the screen.

Tip

On the Edit Login Credential page, this field is displayed as Set Password. The existing password is displayed as a series of asterisks that cannot be edited. To enter a new password, select the check box. The password field is cleared, enabling you to enter the new password.

Prompt

Specify a regular expression to define the valid and expected prompt characters.

Force Subshell

To force the session to open a Bourne (/bin/sh) subshell, if the default login shell is a C shell (/bin/csh /bin/tcsh), select Yes. This selection enables you to cater to machines by using nonstandard shells.

Use password for privilege escalation

Select the check box to permit the password to be sent when a command requests a privilege escalation, for example, sudo.

Active Directory

Use Group Managed Service Account

Only applicable when using a BMC Discovery Outpost. You cannot change an Active Directory credential. Rather, you should delete and recreate the credential.

A Windows Active Directory credential. Cannot be specified with a local Windows user credential.

No additional Active Directory parameters are required unless the BMC Discovery Outpost is running on a Windows host with a Group Managed Service Account (gMSA) configured. For information about configuring a gMSA, see Running-the-BMC-Discovery-Outpost-under-a-gMSA-account.

Just Enough Administration (JEA)

  • Enabled–enable Windows host discovery by using Just Enough Administration (JEA).
  • Endpoint Name–enter the JEA Endpoint Name. The JEA Endpoint Name is defined during registration of the session configuration file, and is required when BMC Discovery connects to the target host using JEA.

Windows

Not applicable

A local Windows user credential. Cannot be specified with an Active Directory credential.

No additional Windows parameters are required.

vCenter

Timeout

The time (in milliseconds) in which a response is expected from the host. The default is 60 seconds.

HTTPS Port

Select an HTTPS port from the list. You must already have configured a custom HTTPS port in Administration > Discovery Configuration.

Use SSO for guest scanning

Select this check box to enable vCenter SSO authentication for VMware guest scanning.

vCenter SSO authentication is based on SAML authentication, a security token exchange mechanism that eliminates the need for individual sets of VMware guest credentials (vCenter and VMware) for deep guest OS discovery. vCenter SSO is an alternative to user name and password, which is used as the primary authentication method by default. vCenter SSO authentication is efficient for a large or effectively unlimited number of VMware guests because it does not require user name and password verification; in practice, the number of guests it covers is bounded only by how many VMs are mapped on the VMware side.

You need not configure vCenter SSO in BMC Discovery. vCenter SSO is fully configured and managed on the VMware side by a user with vCenter administrator privileges. By default, VMware guests are not mapped with the vCenter SSO, so a VMware administrator must first map each individual VMware guest with a domain account (used by SAML-based SSO). With vCenter SSO authentication enabled, when BMC Discovery scans the vCenter, it scans the mapped VMware guests. If there are individual unmapped VMs, BMC Discovery will fall back to the VM Guest credential method (meaning that a user name and password will be verified to access those unmapped VMs). For more information about vCenter SSO, see the official VMware documentation.

vSphere

Timeout

Enter a timeout period (in seconds) for a session. This timeout includes the period for a credential handshake (see also the Session Login Timeout). This timeout is used to control sessions. The default is 180 seconds.

In general, timeout is not used to limit the time to scan devices. More than one session can be used to scan one device. For this reason, a scan can take more time than the specified timeout. A typical consequence of this timeout (for example, when the execution of the platform script for getInterfaceList takes longer than this timeout) is that the scan will fail with a script failure and an error message, Connection timed out.

HTTPS Port

Select a custom HTTPS port from the list. The list is populated with custom HTTPS ports that you have configured in Administration > Discovery Configuration.

vSphere Web API

Timeout

The time (in seconds) in which a response is expected from the host. The default is 180 seconds.

VMware Guest

Timeout

The time (in seconds) in which a response is expected. The default is 180 seconds.

Mainframe z/OS Agent

Mainframe z/OS Agent Port

Port to use to connect to the Mainframe z/OS Agent. The default is 3940. To use a different port, select a port number from the list. The list is populated with port numbers specified in Administration > Discovery Configuration.

Timeout

Enter a timeout period (in seconds) for a session. This timeout includes the period for a credential handshake (see also the Session Login Timeout) and is used to control sessions. The default is 180 seconds.

In general, timeout is not used to limit the time to scan devices. More than one session can be used to scan one device. For this reason, a scan can take more time than the specified timeout. A typical consequence of this timeout (for example, when the execution of the platform script for getInterfaceList takes longer than this timeout) is that the scan will fail with a script failure and an error message, Connection timed out.

Web API credentials

Credential type

Parameter

Description

Ceph API

Timeout

The time (in seconds) in which a response is expected. The default is 180 seconds.

Port

The port number on which to connect. The default port is 443.

SANnav REST API

Timeout

The time (in seconds) in which a response is expected. The default is 180 seconds.

Port

The port number on which to connect. The default port is 443.

Dell EMC ScaleIO / VxFlex / PowerFlex REST API

Timeout

The time (in seconds) in which a response is expected. The default is 180 seconds.

Port

The port number on which to connect. The default port is 443.

REST API with API key authentication

API Key

The API key value. It is sent as the value of the header named below (with the optional prefix, if any) on every API request.

Header Name

The header that is used in API requests to authenticate and authorize access. Examples: X-PAN-KEY, Authorization, Y-Cisco-Meraki-API-Key.

Header Prefix (optional)

Optional prefix placed in front of the key in the header value. For example, a prefix of Bearer sends the header value Bearer <API Key>; with no prefix, the header value is the key alone.

Timeout

The time (in seconds) in which a response is expected from the host. The default is 180 seconds.

Port

The port number on which to connect. The default port is 443.

REST API with basic authentication

Identification Timeout

The time (in seconds) to identify a device. The default is 5 seconds.

Timeout

The time (in seconds) in which a response is expected from the host. The default is 180 seconds.

Access Protocol

Select Allow HTTP to enable REST API requests to be made over HTTP.

Warning

HTTP is not a secure protocol as the communication is not encrypted. This is a security risk that allows access credentials to be stolen.

Port

The port number on which to connect. The default port is 443.

REST API with digest authentication

Timeout

The time (in seconds) in which a response is expected from the host. The default is 180 seconds.

Access Protocol

Select Allow HTTP to enable REST API requests to be made over HTTP.

Warning

HTTP is not a secure protocol as the communication is not encrypted. This is a security risk that allows access credentials to be stolen.

REST API with OAuth2 authentication
 

Client details (optional)

You can specify an optional Client ID and the secret to access REST APIs with OAuth2 authentication.

  • Client ID–A client ID (if required) to access the API.
  • Client secret–The corresponding client secret. To enter a new secret, select the check box. The entry field is cleared and you can enter the new secret.

Token endpoint

Enter the URL of the OAuth2 token endpoint on the target from which BMC Discovery obtains an access token (using the Client ID and secret, if specified) before calling the REST API.

Timeout

The time (in seconds) in which a response is expected from the host. The default is 180 seconds.

Access Protocol

Select Allow HTTP to enable REST API requests to be made over HTTP.

Warning

HTTP is not a secure protocol as the communication is not encrypted. This is a security risk that allows access credentials to be stolen.
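The three REST API credential types above (API key in a named header with an optional prefix, basic authentication, and OAuth2 against a token endpoint) all reduce to an HTTP header, and the Allow HTTP switch decides whether that header may ever travel in clear text. The following is an added example, not BMC Discovery code, showing how the parameters combine and how a client should refuse plaintext transport unless the operator opted in; the class and function names are hypothetical, and the sample credentials in the test are constructed.

```python
"""Added example (not BMC Discovery code): map the REST API credential
parameters on this page onto an HTTP request, and enforce "Allow HTTP"."""
import base64
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode, urlsplit


class InsecureTransportError(Exception):
    """Raised when a credential would be sent over plaintext HTTP."""


@dataclass
class RestCredential:
    kind: str                        # "api_key", "basic" or "oauth2" (hypothetical names)
    username: str = ""
    password: str = ""
    api_key: str = ""                # the "API Key" field (the key value itself)
    header_name: str = "Authorization"   # the "Header Name" field
    header_prefix: str = ""          # the optional "Header Prefix", e.g. "Bearer"
    client_id: str = ""
    client_secret: str = ""
    token_endpoint: str = ""
    allow_http: bool = False         # the "Allow HTTP" check box: off by default
    timeout: int = 180               # seconds; the page's default


def check_transport(url: str, allow_http: bool) -> None:
    """Refuse to put a credential on the wire unless the scheme is https,
    or the operator explicitly allowed plaintext HTTP for this credential."""
    scheme = urlsplit(url).scheme.lower()
    if scheme == "https" or (scheme == "http" and allow_http):
        return
    raise InsecureTransportError(
        f"refusing to send credentials over {scheme or 'unknown scheme'}: {url}")


def auth_headers(cred: RestCredential, access_token: Optional[str] = None) -> Dict[str, str]:
    """Build the authentication header for one credential."""
    if cred.kind == "api_key":
        # "Bearer <API Key>" when a prefix is set, otherwise the bare key,
        # e.g. X-PAN-KEY: <API Key>
        value = f"{cred.header_prefix} {cred.api_key}" if cred.header_prefix else cred.api_key
        return {cred.header_name: value}
    if cred.kind == "basic":
        # RFC 7617: base64 of "user:password". Encoding is not encryption;
        # this is why check_transport() matters.
        raw = f"{cred.username}:{cred.password}".encode("utf-8")
        return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}
    if cred.kind == "oauth2":
        if not access_token:
            raise ValueError("oauth2 credential needs an access token; see token_request()")
        return {"Authorization": f"Bearer {access_token}"}
    raise ValueError(f"unknown credential kind {cred.kind!r}")


def token_request(cred: RestCredential) -> Tuple[str, Dict[str, str], str]:
    """Client-credentials grant (RFC 6749 section 4.4) against the Token
    endpoint. Returns (url, headers, form_body). The client secret goes in
    a Basic header, never in the query string, and the endpoint itself is
    subject to the same Allow HTTP rule as the API."""
    check_transport(cred.token_endpoint, cred.allow_http)
    basic = RestCredential(kind="basic", username=cred.client_id, password=cred.client_secret)
    headers = auth_headers(basic)
    headers["Content-Type"] = "application/x-www-form-urlencoded"
    return cred.token_endpoint, headers, urlencode({"grant_type": "client_credentials"})


def build_request(cred: RestCredential, url: str,
                  access_token: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """Final (url, headers) for an API call, after the transport check."""
    check_transport(url, cred.allow_http)
    return url, auth_headers(cred, access_token)


def redact(headers: Dict[str, str]) -> Dict[str, str]:
    """Copy of the headers safe to write to a log: secrets replaced, names kept."""
    return {k: "<redacted>" for k in headers}
```

Note that a Basic header is only base64, so build_request() treats it exactly like an API key: it is sent only when the scheme is https or Allow HTTP was set deliberately.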

Control-M Web API

Timeout

The time (in seconds) in which a response is expected from the host. The default is 180 seconds.

Access Protocol

Select Allow HTTP to enable Web API requests to be made over HTTP.

Warning

HTTP is not a secure protocol as the communication is not encrypted. This is a security risk that allows access credentials to be stolen.

BMC Helix ITSM authentication with token

Timeout

Add the time (in seconds) in which a response is expected. The default value is 180 seconds.

Access Protocol

Select Allow HTTP to enable Web API requests to be made over HTTP.

Warning

HTTP is not a secure protocol as the communication is not encrypted. This is a security risk that allows access credentials to be stolen.

Port

Specify the port to use to connect to the API. The default port is 443.

Storage device credentials

Credential type

Parameter

Description

SNMP


 

Retries

The number of attempts made if no response is received from the host. The default is five.

Timeout

The time (in seconds) in which a response is expected from the host. The default is one second.

SNMP Port

Select the check box and then select an SNMP port from the list. The list is populated with SNMP ports that you have configured in the Discovery Configuration window.

SNMP Version

The SNMP version to use. From the SNMP version list, select one of the following: 1, 2c, or 3. The default is Version 2c. If you are setting up credentials for discovering Netware, you must select Version 1 from the SNMP version list.

Use GETBULK

Use GETBULK requests instead of GETNEXT requests. GETBULK improves discovery performance. However, some devices do not support it correctly, which occasionally may lead to scanning issues. If you experience scanning issues, clear this option to revert to GETNEXT.
GETBULK is supported only by SNMP v2c and v3.

SNMP v1/v2c

Community Name

The community string used for SNMP read access to the defined host or hosts. It is sent in clear text with every request, so anyone who can capture the traffic learns it; use SNMP v3 with authentication and privacy wherever the device supports it. This is applicable for SNMP V1 and V2c credentials only.

SNMP v3



 

Security Level

For SNMP V3 credentials only. This field shows the security level that results from the authentication and privacy protocols you select:

  • noAuthNoPriv—No authentication and no privacy.
  • authNoPriv—Authentication, no privacy.
  • authPriv—Authentication and privacy.

No setting exists for privacy without authentication.

Authentication Protocol

Protocol used to authenticate SNMPv3 messages (a keyed HMAC; it does not encrypt anything). This is applicable for SNMP V3 credentials only. Select one of the following options from the list:

  • None—No authentication. Messages are unprotected, as with v1 and v2c.
  • MD5—HMAC-MD5-96 (RFC 3414). The authentication passphrase you enter is converted to an MD5-based key.
  • SHA-1—HMAC-SHA-96 (RFC 3414). The authentication passphrase you enter is converted to a SHA-1-based key.
  • SHA-224—HMAC-128-SHA-224 (RFC 7860). The authentication passphrase you enter is converted to a SHA-224-based key.
  • SHA-256—HMAC-192-SHA-256 (RFC 7860). The authentication passphrase you enter is converted to a SHA-256-based key.
  • SHA-384—HMAC-256-SHA-384 (RFC 7860). The authentication passphrase you enter is converted to a SHA-384-based key.
  • SHA-512—HMAC-384-SHA-512 (RFC 7860). The authentication passphrase you enter is converted to a SHA-512-based key.

The passphrase itself is never sent to the target. It is converted to a key and localized to the target's SNMP engine ID (RFC 3414, section 2.6), and that localized key is used to compute the HMAC on every message exchanged with the target system. MD5 and SHA-1 are legacy choices; prefer a SHA-2 protocol where the device supports it.

Tip

The SHA-2 authentication protocols (SHA-224, SHA-256, SHA-384, and SHA-512) are specified in the proposed standard RFC 7860.

Security Name

The SNMPv3 user name (the USM security name) configured on the target. For SNMP V3 credentials only.

Security-Authentication Key

The authentication passphrase from which the message authentication key is derived (it is not used to encrypt anything). This is applicable for SNMP V3 credentials only, and only if you have selected an authentication protocol. This field must be at least 8 characters, the minimum that RFC 3414 requires.

Privacy Protocol

The protocol used to encrypt the SNMP payload exchanged with the target. Without it, the MIB data retrieved (and the requests themselves) cross the network in clear text, although they are still authenticated if an authentication protocol is set. Encrypting the data retrieved from a discovery target causes some performance degradation as compared to not encrypting the data. This is for SNMP V3 credentials only, and only if you have selected an authentication protocol. That is, you cannot have privacy without authentication. Select one of the following options from the list:

  • None—No data encryption is used. Operates in the same way as v1 and v2.
  • DES—Uses a private key to encrypt data with CBC-DES (RFC 3414). Its 56-bit key is a legacy choice; use it only where the device supports nothing stronger.
  • AES 128—Uses a private key to encrypt data with AES-128 in CFB mode (RFC 3826).
  • AES 192 (draft std)—Uses a private key to encrypt data according to the AES draft privacy protocol.

  • AES 256 (draft std)—Uses a private key to encrypt data according to the AES draft privacy protocol.

    Important

    The AES 192 (draft std) and AES 256 (draft std) AES draft privacy protocols are drafts and may not be supported by all manufacturers. If you choose to use one of these protocols, you must be sure that the vendor of the device type that you intend to discover has implemented AES192 or AES256 support according to this draft standard. A message is displayed in the UI if you select one of these privacy protocols.

  • AES 128 with 3DES key extension—Uses a private key to encrypt data according to the AES draft privacy protocol with extensions.

  • AES 192 with 3DES key extension—Uses a private key to encrypt data according to the AES draft privacy protocol with extensions.

  • AES 256 with 3DES key extension—Uses a private key to encrypt data according to the AES draft privacy protocol with extensions.

    Important

    The AES 128/192/256 with 3DES key extension (draft std) AES draft privacy protocols with extensions are drafts and may not be supported by all manufacturers. Examples of manufacturers who have used this draft standard in their equipment are Cisco Systems and Extreme Networks. If you choose to use one of these protocols, you must be sure that the vendor of the device type you intend to discover has implemented the chosen variant according to this draft standard; a device that implements a different draft derives a different key from the same passphrase and the scan fails to decrypt. A message is displayed in the UI if you select one of these privacy protocols.

Private key

The privacy passphrase from which the encryption key for the selected privacy protocol is derived (using the same password-to-key and localization steps as the authentication key). This is applicable for SNMP V3 credentials only, and only if you have selected a privacy protocol. This field must be at least 8 characters.

Context

The SNMP v3 context. This field is optional and only required for some devices.

WBEM




 

Timeout

The time (in seconds) in which a response is expected from the host. The default is 180 seconds. WBEM queries may take some time, so you might need to increase this timeout.

Access Protocol

The protocol to communicate with the WBEM server. Select HTTP, HTTPS, or both. Over HTTP the WBEM credentials and the data returned travel unencrypted; allow it only where the server offers no HTTPS.

WBEM HTTPS Port

Select a custom HTTPS port from the list. The list is populated with custom WBEM HTTPS ports that you have configured in Administration > Discovery Configuration.

WBEM HTTP Port

Select a custom HTTP port from the list. The list is populated with custom WBEM HTTP ports that you have configured in Administration > Discovery Configuration.

EMC VPLEX REST API

Timeout

The time (in seconds) in which a response is expected from the host. The default is 180 seconds.

HTTPS Port

Select an HTTPS port from the list. The list is populated with HTTPS ports that you have configured in Administration > Discovery Configuration.

Dell EMC ECS Web API

Timeout

The time (in seconds) in which a response is expected from the host. The default is 180 seconds.

Port

The port number on which to connect. The default port is 443.

Dell EMC Powervault Web API

Timeout

The time (in seconds) in which a response is expected from the host. The default is 180 seconds.

Access Protocol

Select Allow HTTP to enable REST API requests to be made over HTTP.

Warning

HTTP is not a secure protocol as the communication is not encrypted. This is a security risk that allows access credentials to be stolen.

Port

The port number on which to connect. The default port is 443.

HDI REST API

Timeout

The time (in seconds) in which a response is expected from the host. The default is 180 seconds.

Port

The port number on which to connect. The default port is 443.

IBM DS8000 REST API

Timeout

The time (in seconds) in which a response is expected from the host. The default is 180 seconds.

Port

The port number on which to connect. The default port is 443.

Nimble Storage Web API

Login path

The login path is the path to a token resource (to obtain a token for Rest API Authentication) on the Nimble storage API. The path is configurable on some versions of Nimble storage. You must use the default path for your Nimble storage device version. Contact your Nimble Storage vendor if the default path does not work and update the credential to match.

The default value in the UI is /v1/tokens.

Timeout

The time (in seconds) in which a response is expected from the host. The default is 180 seconds.

Access Protocol

Select Allow HTTP to enable REST API requests to be made over HTTP.

Warning

HTTP is not a secure protocol as the communication is not encrypted. This is a security risk that allows access credentials to be stolen.

Nutanix HCI REST API

Timeout

The time (in seconds) in which a response is expected from the host. The default is 180 seconds.

Port

The port number on which to connect. The default port is 443.

Pure Storage FlashBlade REST API



 

Identification Timeout

The time (in seconds) to identify a device. The default is 5 seconds.

Pure Storage Token

The API token generated by CLI for a specific user registered in the FlashBlade system.

Timeout

The time (in seconds) in which a response is expected from the host. The default is 180 seconds.

Access Protocol

Select Allow HTTP to enable REST API requests to be made over HTTP.

Warning

HTTP is not a secure protocol as the communication is not encrypted. This is a security risk that allows access credentials to be stolen.

Port

The port number on which to connect. The default port is 443.

Pure Storage FlashArray REST API


 

Identification Timeout

The time (in seconds) to identify a device. The default is 5 seconds.

Timeout

The time (in seconds) in which a response is expected from the host. The default is 180 seconds.

Access Protocol

Select Allow HTTP to enable REST API requests to be made over HTTP.

Warning

HTTP is not a secure protocol as the communication is not encrypted. This is a security risk that allows access credentials to be stolen.

Port

The port number on which to connect. The default port is 443.

Tintri REST API

Timeout

The time (in seconds) in which a response is expected from the host. The default is 180 seconds.

Port

The port number on which to connect. The default port is 443.

Management Controller credentials

Credential type

Parameter

Description

SNMP


 

Retries

The number of attempts made if no response is received from the host. The default is five.

Timeout

The time (in seconds) in which a response is expected from the host. The default is one second.

SNMP Port

Select the check box and then select an SNMP port from the list. The list is populated with SNMP ports that you have configured in the Discovery Configuration window.

SNMP Version

The SNMP version to use. From the SNMP version list, select one of the following: 1, 2c, or 3. The default is Version 2c. If you are setting up credentials for discovering Netware, you must select Version 1 from the SNMP version list.

Use GETBULK

Use GETBULK requests instead of GETNEXT requests. GETBULK improves discovery performance. However, some devices do not support it correctly, which occasionally may lead to scanning issues. If you experience scanning issues, clear this option to revert to GETNEXT.
GETBULK is supported only by SNMP v2c and v3.

SNMP v1/v2c

Community Name

The community string used for SNMP read access to the defined host or hosts. It is sent in clear text with every request, so anyone who can capture the traffic learns it; use SNMP v3 with authentication and privacy wherever the device supports it. This is applicable for SNMP V1 and V2c credentials only.

SNMP v3



 

Security Level

For SNMP V3 credentials only. This field shows the security level that results from the authentication and privacy protocols you select:

  • noAuthNoPriv—No authentication and no privacy.
  • authNoPriv—Authentication, no privacy.
  • authPriv—Authentication and privacy.

No setting exists for privacy without authentication.

Authentication Protocol

Protocol used to authenticate SNMPv3 messages (a keyed HMAC; it does not encrypt anything). This is applicable for SNMP V3 credentials only. Select one of the following options from the list:

  • None—No authentication. Messages are unprotected, as with v1 and v2c.
  • MD5—HMAC-MD5-96 (RFC 3414). The authentication passphrase you enter is converted to an MD5-based key.
  • SHA-1—HMAC-SHA-96 (RFC 3414). The authentication passphrase you enter is converted to a SHA-1-based key.
  • SHA-224—HMAC-128-SHA-224 (RFC 7860). The authentication passphrase you enter is converted to a SHA-224-based key.
  • SHA-256—HMAC-192-SHA-256 (RFC 7860). The authentication passphrase you enter is converted to a SHA-256-based key.
  • SHA-384—HMAC-256-SHA-384 (RFC 7860). The authentication passphrase you enter is converted to a SHA-384-based key.
  • SHA-512—HMAC-384-SHA-512 (RFC 7860). The authentication passphrase you enter is converted to a SHA-512-based key.

The passphrase itself is never sent to the target. It is converted to a key and localized to the target's SNMP engine ID (RFC 3414, section 2.6), and that localized key is used to compute the HMAC on every message exchanged with the target system. MD5 and SHA-1 are legacy choices; prefer a SHA-2 protocol where the device supports it.

Tip

The SHA-2 authentication protocols (SHA-224, SHA-256, SHA-384, and SHA-512) are specified in the proposed standard RFC 7860.

Security Name

The SNMPv3 user name (the USM security name) configured on the target. For SNMP V3 credentials only.

Security-Authentication Key

The authentication passphrase from which the message authentication key is derived (it is not used to encrypt anything). This is applicable for SNMP V3 credentials only, and only if you have selected an authentication protocol. This field must be at least 8 characters, the minimum that RFC 3414 requires.

Privacy Protocol

The protocol used to encrypt the SNMP payload exchanged with the target. Without it, the MIB data retrieved (and the requests themselves) cross the network in clear text, although they are still authenticated if an authentication protocol is set. Encrypting the data retrieved from a discovery target causes some performance degradation as compared to not encrypting the data. This is for SNMP V3 credentials only, and only if you have selected an authentication protocol. That is, you cannot have privacy without authentication. Select one of the following options from the drop-down list:

  • None—No data encryption is used. Operates in the same way as v1 and v2.
  • DES—Uses a private key to encrypt data with CBC-DES (RFC 3414). Its 56-bit key is a legacy choice; use it only where the device supports nothing stronger.
  • AES 128—Uses a private key to encrypt data with AES-128 in CFB mode (RFC 3826).
  • AES 192 (draft std)—Uses a private key to encrypt data according to the AES draft privacy protocol.

  • AES 256 (draft std)—Uses a private key to encrypt data according to the AES draft privacy protocol.

    Important

    The AES 192 (draft std) and AES 256 (draft std) AES draft privacy protocols are drafts and may not be supported by all manufacturers. If you choose to use one of these protocols, you must be sure that the vendor of the device type that you intend to discover has implemented AES192 or AES256 support according to this draft standard. A message is displayed in the UI if you select one of these privacy protocols.

  • AES 128 with 3DES key extension—Uses a private key to encrypt data according to the AES draft privacy protocol with extensions.

  • AES 192 with 3DES key extension—Uses a private key to encrypt data according to the AES draft privacy protocol with extensions.

  • AES 256 with 3DES key extension—Uses a private key to encrypt data according to the AES draft privacy protocol with extensions.

    Important

    The AES 128/192/256 with 3DES key extension (draft std) AES draft privacy protocols with extensions are drafts and may not be supported by all manufacturers. Examples of manufacturers who have used this draft standard in their equipment are Cisco Systems and Extreme Networks. If you choose to use one of these protocols, you must be sure that the vendor of the device type that you intend to discover has implemented the chosen variant according to this draft standard; a device that implements a different draft derives a different key from the same passphrase and the scan fails to decrypt. A message is displayed in the UI if you select one of these privacy protocols.

Private key

The privacy passphrase from which the encryption key for the selected privacy protocol is derived (using the same password-to-key and localization steps as the authentication key). This is applicable for SNMP V3 credentials only, and only if you have selected a privacy protocol. This field must be at least 8 characters.

Context

The SNMP v3 context. This field is optional and only required for some devices.
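The SNMP v3 parameters in the Storage device and Management Controller tables above (Authentication Protocol, Security-Authentication Key, Privacy Protocol and Private key) all feed the USM key derivation: the passphrase is stretched and hashed, then localized to the target's engine ID, and the result keys the HMAC or the cipher. The following is an added example, not BMC Discovery code, that carries that derivation through per RFC 3414 appendix A (with the RFC 7860 SHA-2 variants and their truncated MAC lengths) so you can see why the same passphrase produces a different key on every device and why the 8-character minimum is enforced. Function names are hypothetical; the engine ID and passphrase in the test are the sample values from RFC 3414 appendix A.3.

```python
"""Added example (not BMC Discovery code): SNMPv3 USM key derivation for the
authentication and privacy protocols offered on this page (RFC 3414, RFC 3826,
RFC 7860). Names here are hypothetical; no SNMP traffic is generated."""
import hashlib
import hmac

# Hash function and truncated MAC length (bytes) for each auth protocol.
# MD5/SHA-1 are from RFC 3414; the SHA-2 entries from RFC 7860.
AUTH_PROTOCOLS = {
    "MD5": ("md5", 12),
    "SHA-1": ("sha1", 12),
    "SHA-224": ("sha224", 16),
    "SHA-256": ("sha256", 24),
    "SHA-384": ("sha384", 32),
    "SHA-512": ("sha512", 48),
}
MIN_PASSPHRASE_LEN = 8          # RFC 3414 minimum, the UI's "at least 8 characters"
EXPANSION_BYTES = 1048576       # RFC 3414 A.2: passphrase repeated out to 1 MiB


def password_to_key(passphrase: str, proto: str) -> bytes:
    """Ku = H(passphrase repeated cyclically to 1048576 bytes). The expansion
    is deliberate key stretching; it is not a single hash of the passphrase."""
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        raise ValueError("passphrase must be at least 8 characters (RFC 3414)")
    name, _ = AUTH_PROTOCOLS[proto]
    pw = passphrase.encode("utf-8")
    reps = EXPANSION_BYTES // len(pw) + 1
    return hashlib.new(name, (pw * reps)[:EXPANSION_BYTES]).digest()


def localize_key(ku: bytes, engine_id: bytes, proto: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku) (RFC 3414 section 2.6). The same
    passphrase therefore yields a different key on every agent: a key
    captured from one device is useless on another, but the passphrase
    itself still unlocks all of them."""
    name, _ = AUTH_PROTOCOLS[proto]
    return hashlib.new(name, ku + engine_id + ku).digest()


def auth_key(passphrase: str, engine_id: bytes, proto: str) -> bytes:
    """Localized authentication key for the "Security-Authentication Key" field."""
    return localize_key(password_to_key(passphrase, proto), engine_id, proto)


def message_mac(kul: bytes, proto: str, message: bytes) -> bytes:
    """usmHMAC...AuthProtocol: HMAC over the whole message with the localized
    key, truncated to the protocol's msgAuthenticationParameters length."""
    name, mac_len = AUTH_PROTOCOLS[proto]
    return hmac.new(kul, message, name).digest()[:mac_len]


def priv_key(passphrase: str, engine_id: bytes, auth_proto: str, priv_proto: str) -> bytes:
    """Key for the "Private key" field. RFC 3414 derives it with the
    *authentication* hash (same stretching and localization). DES uses the
    first 8 bytes as the key (the next 8 seed the IV, RFC 3414 8.1.1.1);
    AES-128 uses the first 16 bytes (RFC 3826). The AES 192/256 and
    "3DES key extension" options on the page need more key material than
    the hash yields and extend it by further hashing in draft-only,
    vendor-divergent ways; they are deliberately not implemented here."""
    need = {"DES": 8, "AES 128": 16}[priv_proto]
    kul = auth_key(passphrase, engine_id, auth_proto)
    if len(kul) < need:
        raise ValueError("localized key is shorter than the cipher key")
    return kul[:need]
```

Running auth_key("maplesyrup", bytes.fromhex("000000000000000000000002"), "MD5") reproduces the RFC 3414 appendix A.3.1 localized key, which is a quick way to confirm that a device and a manager agree on the derivation before debugging authentication failures.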

Cisco IMC Web API

Timeout

The time (in seconds) in which a response is expected from the host. The default is 180 seconds.

HTTPS Port

Select an HTTPS port for the Web API from the list. The list is populated with HTTPS ports that you have configured in Administration > Discovery Configuration.

Tip

Cisco CIMC can be discovered by using XML API or SNMP.
The XML API provides detailed information, facilitating the CIMC to be linked to its contained host, while SNMP provides only basic information.

Cohesity REST API

Timeout

The time (in seconds) in which a response is expected from the host. The default is 180 seconds.

Port

The port number on which to connect. The default port is 443.

HP iLO Web API

Timeout

The time (in seconds) in which a response is expected from the host. The default is 180 seconds.

HTTPS Port

Select a custom HTTPS port from the list. The list is populated with custom HTTPS ports that you have configured in Administration > Discovery Configuration.

Tip

To fully discover an HP iLO Management Controller, valid HP iLO Web API credentials should be set up. However, it is possible to discover HP iLO without valid credentials by using the unauthenticated XMLDATA request (a GET request to /xmldata?item=all).
In that case, the Management Controller is discovered with some basic information (for example, serial number, model, and for some iLO versions MAC addresses), but information such as IP addresses and interfaces will be missing. Because the request is unauthenticated, the same information is available to anyone who can reach the iLO's web port, so restrict network access to management controllers accordingly.

HP Moonshot Web API

Timeout

The time (in seconds) in which a response is expected from the host. The default is 180 seconds.

Access Protocol

Select Allow HTTP to enable REST API requests to be made over HTTP.

Warning

HTTP is not a secure protocol as the communication is not encrypted. This is a security risk that allows access credentials to be stolen.

Port

The port number on which to connect. The default port is 443.

Ubiquiti REST API

Timeout

The time (in seconds) in which a response is expected from the host. The default is 180 seconds.

Port

The port number on which to connect. The default port is 443.

Custom credential

The Custom Credential group provides an option for adding a blank credential. If you need a set of credentials whose types are listed under different groups in the UI, you do not need to add several separate credentials: you can configure a blank (custom) credential and add multiple credential types to it. For example, you may want to combine SSH, which is listed under the Host category, and WBEM, which is listed under the Storage Device category.

Click Blank Credential and follow the steps listed earlier in To add login credentials and enter field information relevant to the credential type that you add.

API provider credentials 

The API provider credential optionally accepts an IP address or addresses in Matching criteria, and in Matching exceptions.

In an IP scan, discovering, for example, container management software can trigger additional discovery using an API provider credential. The IP addresses specified in Matching criteria are those for which an API scan can be triggered using this API provider credential. Similarly, the IP addresses specified in Matching exceptions are those for which an API scan cannot be triggered using this API provider credential.
 

Credential type

Parameter

Description

Kubernetes/
OpenShift

Authentication

The authentication to use with Kubernetes/OpenShift.

  • Token—A user-supplied bearer token.
  • OpenShift OAuth—Obtains an OAuth token from the OpenShift REST API Well Known Endpoint (WKE) using the username/password from the General section. The WKE authorization server must be resolvable.

Bearer Token

The token enabling access to the API. For information on getting a Kubernetes bearer token, see this article. If OpenShift OAuth is selected, this option is disabled.

Cluster URLs

An optional newline-separated list of cluster URLs (including ports) to be scanned when performing an API scan using this credential. If you leave this field empty, the credential is not available when you create an API scan.

Port

The port to use when dynamically building a cluster URL for requests performed during an IP scan. The default is 6443.

Extend Cluster URLs with Port: If you specify a Cluster URL without an explicit port, you can select this check box to append the credential port (above) to that URL.

Warning

If you enable port extension, the cluster URLs with no port will be extended with the credential port.

Timeout

The time (in seconds) in which a response is expected. The default is 60 seconds.

TLS Certificate Check

By default, BMC Discovery and the BMC Discovery Outpost verify the TLS certificate presented by the Kubernetes/OpenShift API server before sending the credentials.

Warning

If you clear (deselect) the TLS certificate check box, an attacker could perform a man-in-the-middle attack and intercept the Kubernetes/OpenShift credentials. Clear the check box only in a test environment where your server cannot be given a valid certificate.

Proxy

If you need to connect through an HTTP proxy, enter the details here. This is an authenticating HTTP proxy rather than a BMC Discovery Windows proxy.

  • Hostname–Name of the proxy host.
  • Port–Port on which to connect to the proxy. The default is 3128.

Proxy Credentials

If you need to connect through an HTTP proxy, enter the details here. This is an authenticating HTTP proxy rather than a BMC Discovery Windows proxy.

  • User–Username for the proxy.
  • Password–Corresponding password.
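The Kubernetes/OpenShift entry above describes three settings that interact: the newline-separated Cluster URLs, the Port used when a URL has none (with the Extend Cluster URLs with Port check box), and the TLS Certificate Check. The following is an added example, not BMC Discovery code, that implements the port-extension rule as the table describes it (URLs that already carry a port are left alone, IPv6 literals keep their brackets) and shows, in terms of the Python ssl module, exactly what clearing the TLS check gives up. Function names and the cluster URLs in the test are hypothetical.

```python
"""Added example (not BMC Discovery code): combine "Cluster URLs", "Port" and
"Extend Cluster URLs with Port", and build the TLS context the credential's
"TLS Certificate Check" setting implies. Names are hypothetical."""
import ssl
from typing import Dict, List, Optional
from urllib.parse import urlsplit, urlunsplit

DEFAULT_API_PORT = 6443     # the page's default Kubernetes/OpenShift port


def parse_cluster_urls(text: str) -> List[str]:
    """The field is newline-separated; blank lines and surrounding whitespace are ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def extend_with_port(url: str, port: int) -> str:
    """Append the credential port to a cluster URL that has none. A URL that
    already carries a port is returned unchanged. urlsplit keeps the brackets
    of an IPv6 literal in netloc, so "https://[2001:db8::1]" becomes
    "https://[2001:db8::1]:6443"."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"cluster URL must start with http:// or https://: {url}")
    if parts.port is not None:          # raises ValueError on a malformed port
        return url
    return urlunsplit((parts.scheme, f"{parts.netloc}:{port}",
                       parts.path, parts.query, parts.fragment))


def cluster_targets(cluster_urls_text: str, port: int = DEFAULT_API_PORT,
                    extend: bool = False) -> List[str]:
    """URLs an API scan would use for this credential. With extend=False
    (check box clear) the URLs are used exactly as entered."""
    urls = parse_cluster_urls(cluster_urls_text)
    return [extend_with_port(u, port) if extend else u for u in urls]


def tls_context(verify: bool, ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """verify=True is the default "TLS Certificate Check": the API server's
    certificate must chain to a trusted CA (optionally a private one via
    ca_bundle) and match the host name. verify=False is what clearing the
    check box means: any host presenting any certificate is accepted, so an
    on-path attacker can terminate the connection and read the bearer token."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def api_headers(bearer_token: str) -> Dict[str, str]:
    """Headers for a request to the cluster API with the credential's Bearer Token."""
    return {"Authorization": f"Bearer {bearer_token}", "Accept": "application/json"}
```

If the API server uses a certificate from a private CA, the right fix is to supply that CA (ca_bundle here) rather than to clear the check: verification then still rejects an impostor that does not hold a certificate from your CA.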

MongoDB

Port

The port number on which to connect. The default port is 27017.

Timeout

The time (in seconds) in which a response is expected. The default is 60 seconds.

MongoDB Atlas

Public Key

The public half of a MongoDB Atlas programmatic API key pair. Together with the private key it identifies the API key and the permissions granted to it in the Atlas organization or project.

Private Key

The private half of the MongoDB Atlas API key pair.

Atlas shows the private key only once, when the key pair is created; it cannot be retrieved afterwards. If it is lost, create a new key pair and update the credential.

Use Proxy

If you need to connect through an HTTP proxy, enter the details here. This is an authenticating HTTP proxy rather than a BMC Discovery Windows proxy.

  • Hostname–Name of the proxy host.
  • Port–Port on which to connect to the proxy. The default is 3128.

Proxy Credentials

If you need to connect through an HTTP proxy, enter the details here. This is an authenticating HTTP proxy rather than a BMC Discovery Windows proxy.

  • User–Username for the proxy.
  • Password–Corresponding password.

TLS Certificate Check

By default, BMC Discovery and the BMC Discovery Outpost verify the TLS certificate presented by the MongoDB Atlas API endpoint before sending the credentials.

Warning

If you clear (deselect) the TLS certificate check box, an attacker could perform a man-in-the-middle attack and intercept the MongoDB Atlas credentials. Clear the check box only in a test environment where your server cannot be given a valid certificate.

Timeout

The time (in seconds) in which a response is expected. The default is 60 seconds.

Rancher

Rancher Token

The token enabling access to the API. For information on getting a Rancher token, see this article.

Rancher URL

A URL to the Rancher management tool.

Timeout

The time (in seconds) in which a response is expected. The default is 30 seconds.

TLS Certificate Check

By default, BMC Discovery and the BMC Discovery Outpost verify the TLS certificate presented by the Rancher server before sending the credentials.

Warning

If you clear (deselect) the TLS certificate check box, an attacker could perform a man-in-the-middle attack and intercept the Rancher credentials. Clear the check box only in a test environment where your server cannot be given a valid certificate.

Proxy

If you need to connect through an HTTP proxy, enter the details here. This is an authenticating HTTP proxy rather than a BMC Discovery Windows proxy.

  • Hostname–Name of the proxy host.
  • Port–Port on which to connect to the proxy. The default is 3128.

Proxy Credentials

If you need to connect through an HTTP proxy, enter the details here. This is an authenticating HTTP proxy rather than a BMC Discovery Windows proxy.

  • User–Username for the proxy.
  • Password–Corresponding password.

When testing a Kubernetes/OpenShift credential that uses OpenShift OAuth authentication, you only add one URL, as the username and password combination in the credential is the same for each cluster.

Cloud credentials

The following video explains, in brief, the process for adding an AWS cloud credential and configuring a discovery scan to discover endpoints using the AWS cloud credential.

Credential type

Parameter

Description

Alibaba Cloud

Access Key ID

The access key ID. The equivalent to a username.
The Alibaba Cloud console enables you to download the Access Key ID and Access Secret Key as a csv file. You can import the csv files downloaded from Alibaba, reducing scope for cut and paste errors when creating Alibaba credentials in BMC Discovery.

To upload a csv file containing the Key ID and Secret, click Upload CSV, select the file, and click Open.

Access Key Password

The access secret key or password.

Timeout

The connection timeout and the read timeout (in seconds). The default is 60 seconds.

The value specified here is a value for two separate timeouts. Consequently, the time before receiving data back on an initial connection could be up to almost twice the timeout value. That is, if the connection time was almost the maximum and the time to read the content was almost the maximum.

Assume Roles (ARNs)

(Optional) Use the Alibaba Resource Name (ARN) only if you want to apply role-based authentication for a user, application, or service. You must have defined the role earlier in the Alibaba Cloud console. For information about defining roles, see Discovering-Alibaba-Cloud-Platform.

Example for a single role: acs:ram::<account>:role/<name> where <account> is the account ID and <name> is the role name.

To enable role-switching (multiple roles), enter each role as a new-line separated list. For more information about Alibaba Cloud roles and role-switching, see Discovering-Alibaba-Cloud-Platform.

Note: If you do not specify the ARN, you will discover Alibaba resources associated with the Access Key ID credentials.

TLS Certificate Check

By default, BMC Discovery and the BMC Discovery Outpost verify the TLS certificate presented by the Alibaba Cloud API endpoints before sending the credentials.

Warning

If you clear (deselect) the TLS certificate check box, an attacker could perform a man-in-the-middle attack and intercept the Alibaba Cloud credentials. Clear the check box only in a test environment where your server cannot be given a valid certificate.

Proxy

If you need to connect to Alibaba Cloud through an HTTP proxy, enter the details here. This is an authenticating HTTP proxy rather than a BMC Discovery Windows proxy.

  • Hostname–Name of the proxy host.
  • Port–Port on which to connect to the proxy. The default is 3128.

Proxy Credentials

If you need to connect to Alibaba Cloud through an HTTP proxy, enter the details here. This is an authenticating HTTP proxy rather than a BMC Discovery Windows proxy.

  • User–Username for the proxy.
  • Password–Corresponding password.

Amazon Web Services

 

Access Key ID

The access key ID. The equivalent to a username, and refers to the initial account.

The AWS IAM console enables you to download the Access Key ID and Access Secret Key as a csv file. You can import the csv files downloaded from the IAM console, reducing scope for cut and paste errors when creating AWS credentials in BMC Discovery.

To upload a csv file containing the Key ID and Secret, click Upload CSV, select the file, and click Open.

Access Key Secret

The access secret key or password.

Tip

If the BMC Discovery appliance is running in an EC2 instance and that instance is associated with an instance profile, you can use that profile rather than an Access Key ID and Access Secret Key. If you leave those fields blank, AWS discovery uses the EC2 instance profile to perform the discovery. In the credential list, the AWS credential is labeled, AWS Access Key ID: From EC2 Instance Profile.

Timeout

The connection timeout and the read timeout (in seconds). The default is 60 seconds.

The value specified here is a value for two separate timeouts. Consequently, the time before receiving data back on an initial connection could be up to almost twice the timeout value. That is, if the connection time was almost the maximum and the time to read the content was almost the maximum.

TLS Certificate Check

By default, BMC Discovery and the BMC Discovery Outpost verify the TLS certificate presented by the AWS API endpoints before sending the credentials.

Warning

If you clear (deselect) the TLS certificate check box, an attacker could perform a man-in-the-middle attack and intercept the AWS credentials. Clear the check box only in a test environment where your server cannot be given a valid certificate.

Assume Roles (ARNs)

(Optional) Use the Amazon Resource Name (ARN) only if you want to apply role-based authentication for a user, application, or service. You must have defined the role earlier in AWS Identity and Access Management (IAM). For information on defining roles, see Creating IAM roles.

Example for a single role: arn:aws:iam::123456789012:role/Discovery

To enable role-switching (multiple roles), enter each role as a new-line separated list. For more information about AWS roles and role-switching, see Discovering Amazon Web Services.

From the December 2021 TKU, the ARN field supports expansions using *. You must have defined an organization structure to use the expansion as it depends on the AWS Organizations API. For example, you might specify one of:

  • arn:aws:iam::123456789012:role/Discovery or 
  • arn:aws:iam::*:role/Discovery, where * expands to the access key (123456789012).

Note: If you do not specify the ARN, you will discover AWS resources associated with the Access Key ID credentials.

External ID

By default, BMC Discovery uses an external ID with the "BMCDiscovery" value, which does not impact accounts without an AWS external ID. If a user account does have an AWS external ID, update this field with a valid value. AWS recommends using one external ID for each AWS account. For more information, see How to use an external ID when granting access to your AWS resources to a third party.
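How the Assume Roles field and the External ID fit together, as an added example that is not BMC's code: the newline-separated ARN list is validated, a `*` account is expanded against a constructed stand-in for the AWS Organizations account listing, and one sts:AssumeRole parameter set is produced per role, always carrying the external ID. The RoleSessionName value is an assumption.

```python
import re

# Role ARN shape used on this page: arn:aws:iam::<12-digit account>:role/<name>,
# with '*' allowed in the account position for expansion.
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}|\*):role/([\w+=,.@/-]+)$")

def expand_role_arns(arn_field, org_account_ids):
    """Turn the newline-separated ARN field into concrete role ARNs.

    org_account_ids stands in for the account list the AWS Organizations API
    would return (assumed; the real lookup needs API access). A '*' account
    expands to one ARN per account; concrete ARNs pass through unchanged.
    Raises ValueError on a malformed entry so a typo fails loudly."""
    expanded = []
    for line in arn_field.splitlines():
        arn = line.strip()
        if not arn:
            continue
        match = ROLE_ARN.match(arn)
        if not match:
            raise ValueError(f"not an IAM role ARN: {arn!r}")
        account, role = match.groups()
        for acct in (org_account_ids if account == "*" else [account]):
            candidate = f"arn:aws:iam::{acct}:role/{role}"
            if candidate not in expanded:          # de-duplicate
                expanded.append(candidate)
    return expanded

def assume_role_requests(arn_field, org_account_ids, external_id="BMCDiscovery"):
    """Parameter sets for one sts:AssumeRole call per expanded ARN.

    An empty ARN field yields no requests: discovery then runs directly under
    the Access Key ID's own account. The external ID is always sent; a role
    whose trust policy has no sts:ExternalId condition simply ignores it,
    which is why the default does not affect accounts that use none.
    RoleSessionName is an assumed value, not the product's."""
    return [
        {"RoleArn": arn, "RoleSessionName": "BMCDiscovery", "ExternalId": external_id}
        for arn in expand_role_arns(arn_field, org_account_ids)
    ]
```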

System Manager Session Timeout

The time (in seconds) in which a response is expected from the System Manager session. The default is 180 seconds.

Proxy

If you need to connect to AWS through an HTTP proxy, enter the details here. This is an authenticating HTTP proxy rather than a BMC Discovery Windows proxy.

  • Hostname–Name of the proxy host.
  • Port–Port on which to connect to the proxy. The default is 3128.

Proxy Credentials

If you need to connect to AWS through an HTTP proxy, enter the details here. This is an authenticating HTTP proxy rather than a BMC Discovery Windows proxy.

  • User–Username for the proxy.
  • Password–Corresponding password.

Google Cloud Platform

Service Account

The key used to access the Google Cloud Platform services. Download the key from the Google Cloud Console as a JSON formatted file. Upload the JSON file to BMC Discovery. Select Choose File, select the JSON file in the file browser and click Open.

When viewing the credential, this information populates the Project ID and Service Account Email fields.

Timeout

The connection timeout and the read timeout (in seconds). The default is 60 seconds.

The value specified here applies to two separate timeouts. Consequently, the time before data is received on an initial connection could be almost twice the timeout value: for example, if the connection took almost the maximum time and the read of the content then also took almost the maximum time.

TLS Certificate Check

By default, BMC Discovery and the BMC Discovery Outpost check the TLS certificate against the GCP credentials.

Warning

If you clear (deselect) the TLS certificate check box, an attacker could perform a man-in-the-middle attack and intercept the GCP credentials. Clear the check box only in a test environment where your server cannot be given a valid certificate.

Identity-Aware Proxy Sessions

Automatically manage SSH keys for Linux compute instances accessed via IAP

Select this option for BMC Discovery or the BMC Discovery Outpost to manage the SSH keys for Linux compute instances accessed through IAP.

Requires that the service account has the compute.projects.setCommonInstanceMetadata and iam.serviceAccounts.actAs permissions.

If automatic management is disabled or the managed key does not work, standard SSH credential matching will be used based on the VM's private IP address.

Automatically manage passwords for Windows compute instances accessed via IAP

Select this option for BMC Discovery or the BMC Discovery Outpost to manage the passwords for Windows compute instances accessed through IAP.

Requires that the service account has the compute.instances.setMetadata permission.

If automatic management is disabled or the generated password does not work, standard PowerShell credential matching will be used based on the VM's private IP address.

Proxy

If you need to connect to GCP through an HTTP proxy, enter the details here. This is an authenticating HTTP proxy rather than a BMC Discovery Windows proxy.

  • Hostname–Name of the proxy host.
  • Port–Port on which to connect to the proxy. The default is 3128.

Proxy Credential

If you need to connect to GCP through an HTTP proxy, enter the details here. This is an authenticating HTTP proxy rather than a BMC Discovery Windows proxy.

  • User–Username for the proxy.
  • Password–Corresponding password.

IBM Cloud

API Key: Key name

The API key name. Download the key as a JSON file from the IBM Cloud API keys console when you create it. Upload the file to BMC Discovery. To do this, click Upload JSON.

API Key: Key value

The API key value.

Timeout

The connection timeout and the read timeout (in seconds). The default is 60 seconds.

The value specified here applies to two separate timeouts. Consequently, the time before data is received on an initial connection could be almost twice the timeout value: for example, if the connection took almost the maximum time and the read of the content then also took almost the maximum time.

TLS Certificate Check

By default, BMC Discovery and the BMC Discovery Outpost check the TLS certificate against the IBM Cloud credentials.

Warning

If you clear (deselect) the TLS certificate check box, an attacker could perform a man-in-the-middle attack and intercept the IBM Cloud credentials. Clear the check box only in a test environment where your server cannot be given a valid certificate.

Proxy

If you need to connect to IBM Cloud through an HTTP proxy, enter the details here. This is an authenticating HTTP proxy rather than a BMC Discovery Windows proxy.

  • Hostname–Name of the proxy host.
  • Port–Port on which to connect to the proxy. The default is 3128.

Proxy Credentials

If you need to connect to IBM Cloud through an HTTP proxy, enter the details here. This is an authenticating HTTP proxy rather than a BMC Discovery Windows proxy.

  • User–Username for the proxy.
  • Password–Corresponding password.

Microsoft Azure

Directory ID

The Directory ID, also known as the Tenant ID. The Directory ID is a GUID and can be found in the Azure Active Directory properties in the Azure Portal.

Application ID

The Application ID key. The Application ID is a GUID.

Application Key

The application password.

Timeout

The connection timeout and the read timeout (in seconds). The default is 60 seconds.

The value specified here applies to two separate timeouts. Consequently, the time before data is received on an initial connection could be almost twice the timeout value: for example, if the connection took almost the maximum time and the read of the content then also took almost the maximum time.

TLS Certificate Check

By default, BMC Discovery and the BMC Discovery Outpost check the TLS certificate against the Microsoft Azure credentials.

Warning

If you clear (deselect) the TLS certificate check box, an attacker could perform a man-in-the-middle attack and intercept the Microsoft Azure credentials. Clear the check box only in a test environment where your server cannot be given a valid certificate.

Proxy

If you need to connect to Microsoft Azure through an HTTP proxy, enter the details here. This is an authenticating HTTP proxy rather than a BMC Discovery Windows proxy.

  • Hostname–Name of the proxy host.
  • Port–Port on which to connect to the proxy. The default is 3128.

Proxy Credentials

If you need to connect to Microsoft Azure through an HTTP proxy, enter the details here. This is an authenticating HTTP proxy rather than a BMC Discovery Windows proxy.

  • User–Username for the proxy.
  • Password–Corresponding password.

OpenStack

User Domain

The overall container for your OpenStack projects, users, and groups. See the OpenStack documentation for more information on user domains.

Timeout

The connection timeout and the read timeout (in seconds). The default is 60 seconds.

The value specified here applies to two separate timeouts. Consequently, the time before data is received on an initial connection could be almost twice the timeout value: for example, if the connection took almost the maximum time and the read of the content then also took almost the maximum time.

TLS Certificate Check

By default, BMC Discovery and the BMC Discovery Outpost check the TLS certificate against the OpenStack credentials.

Warning

If you clear (deselect) the TLS certificate check box, an attacker could perform a man-in-the-middle attack and intercept the OpenStack credentials. Clear the check box only in a test environment where your server cannot be given a valid certificate.

Proxy

If you need to connect to OpenStack through an HTTP proxy, enter the details here. This is an authenticating HTTP proxy rather than a BMC Discovery Windows proxy.

  • Hostname–Name of the proxy host.
  • Port–Port on which to connect to the proxy. The default is 3128.

Proxy Credentials

If you need to connect to OpenStack through an HTTP proxy, enter the details here. This is an authenticating HTTP proxy rather than a BMC Discovery Windows proxy.

  • User–Username for the proxy.
  • Password–Corresponding password.

Oracle Cloud Infrastructure

User ID

The User ID provided in the Oracle Cloud Infrastructure API key configuration file.

For more information about generating the API key and the configuration file in Oracle Cloud Infrastructure, see Discovering Oracle Cloud Infrastructure.

Tenancy ID

The Tenancy ID provided in the Oracle Cloud Infrastructure API key configuration file.

API Key Fingerprint

The API Key Fingerprint provided in the Oracle Cloud Infrastructure API key configuration file.

API Key

  • Private key file–the private PEM key that you generated in Oracle Cloud Infrastructure. Click Browse to locate the private key and click Open to select it. 
  • Passphrase–the corresponding passphrase.

Timeout

The connection timeout and the read timeout (in seconds). The default is 60 seconds.

The value specified here applies to two separate timeouts. Consequently, the time before data is received on an initial connection could be almost twice the timeout value: for example, if the connection took almost the maximum time and the read of the content then also took almost the maximum time.

TLS Certificate Check

By default, BMC Discovery and the BMC Discovery Outpost check the TLS certificate against the Oracle Cloud Infrastructure credentials.

Warning

If you clear (deselect) the TLS certificate check box, an attacker could perform a man-in-the-middle attack and intercept the Oracle Cloud Infrastructure credentials. Clear the check box only in a test environment where your server cannot be given a valid certificate.

Endorsed Tenancies

A list of tenancies for which the credential is valid.

Bastion Sessions

The Bastion session settings should not normally need to be modified.

  • Timeout–the Bastion session timeout. The default is 180 seconds.
  • Time To Live–the Bastion session time to live. The default is 10800 seconds.
  • Session Connection Delay–the time to wait from establishing the session to making the connection. The default is 10 seconds.

Proxy

If you need to connect to Oracle Cloud Infrastructure through an HTTP proxy, enter the details here. This is an authenticating HTTP proxy rather than a BMC Discovery Windows proxy.

  • Hostname–the name of the proxy host.
  • Port–the port on which to connect to the proxy. The default is 3128.

Proxy Credentials

If you need to connect to Oracle Cloud Infrastructure through an HTTP proxy, enter the details here. This is an authenticating HTTP proxy rather than a BMC Discovery Windows proxy.

  • User–username for the proxy.
  • Password–corresponding password.
