Adding credentials
On the Add Credential page, you can enter general details for the credential, and depending on the specific credential type, any additional parameters. For example, for a Linux host, you can specify an SSH key to be used for authentication or a username/password combination for escalated privileges. If you add an exception for matching IP addresses, the label of the credentials is updated with the exception.
You can add credentials for Linux and Windows hosts, management controllers, network devices, storage devices, and so on. The preferred method of accessing remote devices through BMC Discovery is by using remote login.
You can set up different login credentials to use on different computers, by an individual IP address or a range of addresses. You can set up several access methods and define the order in which they must be attempted. Each access method is attempted until a working credential is found or the list is exhausted. When BMC Discovery successfully logs in to a host for the first time, the access method used to log in is recorded. On subsequent scans, the access method used during the previous successful login to the host is attempted first. However, you must configure appropriate options on the Discovery Configuration page for successful attempts.
If BMC Discovery records an access login method (for example, telnet) as the last successful login method but this method is later disabled for any reason, then BMC Discovery tries the same method again on a subsequent scan. If the scan fails, then that method is not tried again until it is re-enabled. BMC Discovery attempts an access method only if it is seen to be available. For example, SSH access is attempted only if the SSH port is open. Information about the success or failure of credentials is displayed on the Discovery Status page.
Before you begin
If you have integrated BMC Discovery with a supported credential broker, then see the following topics for additional information about adding credentials:
- BeyondTrust Password Safe
- Centrify Identity Platform
- CyberArk Enterprise Password Vault
- Thycotic Secret Server
- HashiCorp Vault
- One Identity Safeguard for Privileged Passwords
See the following video (07:33), which explains how you can add, edit, test, and manage credentials. You can also explore the functioning of credential vaults and learn how to close, open, export, and import the vault.
User accounts on UNIX and Linux target systems
When creating a user account (the account that BMC Discovery logs into to discover a host) on a UNIX or Linux target host, make sure that you specify the full path to the shell in the user profile, for example, SHELL=/bin/sh. Otherwise, the credentials are considered invalid.
To add login credentials
- From the menu bar, select Manage > Credentials. The Credentials page is displayed. On the top-right corner of the page, click the Add list to view the type of target for which you want to add a credential. The available credential types are:
  - Network Device
  - Database
  - Host
  - Cloud
  - Storage Device
  - Management Controller
  - Custom Credential
  - Web API
  - API Provider
  Each type contains options under it. Click an option to view the Add Credential page and enter details for that option.
- The Add Credential page displays pre-populated fields relevant to your selection. For example, under Host, click SSH to configure the Add Credential page with the SSH and UNIX Settings access methods.
- In the Label field, specify an appropriate name for the credential. This label is used later for searching credentials. This field is mandatory.
- (Optional) If you have configured integration with a credential broker, select the Vault source from the list menu. It can be one of the following:
  - local—the local credential vault on the BMC Discovery appliance. The local option is always available.
  - BeyondTrust Password Safe—Select this option if you have configured integration with BeyondTrust Password Safe.
  - Centrify Identity Platform—Select this option if you have configured integration with Centrify Identity Platform.
  - CyberArk Credential Provider—Select this option if you have configured integration with CyberArk Enterprise Password Vault.
  - Thycotic Secret Server—Select this option if you have configured integration with Thycotic Secret Server.
  - HashiCorp Vault—Select this option if you have configured integration with HashiCorp Vault.
  - Safeguard Vault—Select this option if you have configured integration with Safeguard for Privileged Passwords.
- If you need to add more access methods to the selected credential type, click the + icon in the Credential Types field; otherwise, proceed to the next step.
- Select the Matching criteria. Either select Match All for the credential to be valid for any endpoint (this is the default), or clear Match All to enter specific endpoints or ranges. To add Matching exceptions, that is, endpoints that the credential must never match, click the + icon in the Matching exceptions field and enter the endpoints that you do not want this credential to match. You can use the same endpoint types for matching exceptions as you can for matching criteria.
- Select the Enabled check box to enable the credential. You can edit the credential at any time or disable a given credential.
- In the Description field, specify a description for the credential.
- In the User – Name field, specify a username for the credential.
- In the User – Password field, specify a password for the credential.
- Specify additional fields for the selected credential type. For more information about these fields, see the relevant credential type section below.
- Click Apply to save the credential details.
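The matching rules in the procedure above (Match All, explicit endpoints or ranges, and exceptions that always win) and the access-method ordering described in the introduction (last successful method first, a method attempted only if its port is seen open, a recorded method that fails no longer preferred) are easy to get wrong when reasoning about which credential will be used against a given host. The following Python model is an added example, not BMC Discovery's code; every name in it (Credential, credential_matches, order_methods, attempt_login, the sample credentials and the simulated login) is hypothetical and constructed here to illustrate the behaviour the text describes.

```python
"""Added illustration (not BMC Discovery code): how credential matching and
access-method ordering, as described in the text, can be modelled."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Credential:
    label: str
    methods: list                                # access methods in configured order
    match_all: bool = False                      # valid for any endpoint
    criteria: list = field(default_factory=list)   # IPs or CIDR ranges (strings)
    exceptions: list = field(default_factory=list) # endpoints that must never match
    enabled: bool = True


# Hypothetical port associated with each access method; a method is only
# attempted if its port was observed open during the scan.
PORT_FOR_METHOD = {"ssh": 22, "telnet": 23}


def _in_any(ip, specs):
    """True if ip falls in any of the single addresses or CIDR ranges in specs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(s, strict=False) for s in specs)


def credential_matches(cred, ip):
    """Disabled credentials never match; an exception overrides Match All
    and explicit criteria alike."""
    if not cred.enabled:
        return False
    if _in_any(ip, cred.exceptions):
        return False
    return cred.match_all or _in_any(ip, cred.criteria)


def order_methods(cred, last_success=None):
    """Put the method that worked last time first, then keep configured order."""
    methods = list(cred.methods)
    if last_success in methods:
        methods.remove(last_success)
        methods.insert(0, last_success)
    return methods


def attempt_login(creds, ip, open_ports, last_success, try_login):
    """Walk the credentials in list order; for each matching credential try its
    methods until one works. try_login(label, method, ip) -> bool stands in for
    the real login attempt. Returns (label, method) on success, else None."""
    remembered = last_success.get(ip)
    for cred in creds:
        if not credential_matches(cred, ip):
            continue
        for method in order_methods(cred, remembered):
            if PORT_FOR_METHOD.get(method) not in open_ports:
                continue                      # not seen as available: skip it
            if try_login(cred.label, method, ip):
                last_success[ip] = method     # remembered for the next scan
                return cred.label, method
            if method == remembered:
                last_success.pop(ip, None)    # failed: stop preferring it
    return None


# Constructed sample credentials, mirroring the UI fields described above.
SAMPLE_CREDS = [
    Credential("lab-ssh", ["ssh", "telnet"],
               criteria=["10.0.1.0/24"], exceptions=["10.0.1.250"]),
    Credential("site-wide", ["telnet"], match_all=True),
]


def simulated_login(label, method, ip):
    """Constructed stand-in: only lab-ssh over SSH, or any telnet, 'succeeds'."""
    return (label == "lab-ssh" and method == "ssh") or method == "telnet"


def demo():
    """Run two hosts through the model and return what was chosen."""
    history = {}
    first = attempt_login(SAMPLE_CREDS, "10.0.1.5", {22}, history, simulated_login)
    excluded = attempt_login(SAMPLE_CREDS, "10.0.1.250", {22, 23}, history,
                             simulated_login)
    return first, excluded, dict(history)


if __name__ == "__main__":
    print(demo())
```

In the constructed data, 10.0.1.5 is inside the lab-ssh range and only port 22 is open, so lab-ssh over SSH is chosen and remembered; 10.0.1.250 is listed as a matching exception for lab-ssh, so even though it is within 10.0.1.0/24 the site-wide credential is the only candidate, and it is used over telnet.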
Each credential type has the following parameters.
Network device credentials
Database credentials
Host credentials
The following video explains, in brief, the process for adding an SSH credential and configuring a discovery scan to discover endpoints using the SSH credential.
Web API credentials
Storage device credentials
Management Controller credentials
Custom credential
The Custom Credential group provides an option of adding a blank credential. If you have a specific requirement of adding a set of credentials that are listed under different groups in the UI then you do not need to add several separate credentials. You can configure a blank or custom credential by adding multiple credential types to it. For example, you may want to configure SSH, which is listed under the Host category, and WBEM, which is listed under the Storage Device category.
Click Blank Credential and follow the steps listed earlier in To add login credentials and enter field information relevant to the credential type that you add.
API provider credentials
The API provider credential optionally accepts an IP address or addresses in Matching criteria and in Matching exceptions.
In an IP scan, when, for example, container management software is discovered, this might trigger additional discovery using an API provider credential. The IP addresses specified in Matching criteria are those for which an API scan can be triggered using this API provider credential. Similarly, the IP addresses specified in Matching exceptions are those for which an API scan cannot be triggered using this API provider credential.
When testing a Kubernetes/OpenShift credential that uses OpenShift OAuth authentication, you only add one URL, as the username and password combination in the credential is the same for each cluster.
Cloud credentials
The following video explains, in brief, the process for adding an AWS cloud credential and configuring a discovery scan to discover endpoints using the AWS cloud credential.