Important: This documentation space contains information about the SaaS version of BMC Helix Discovery. If you are using the on-premises version of BMC Helix Discovery, see BMC Helix Discovery 25.2 (On-Premises).

Integrating with ARCON PAM Digital Vault


ARCON PAM Digital Vault is application software that helps you to store and manage credentials securely, according to policies that your organization might require.

You can configure the integration with ARCON PAM Digital Vault using the vault providers page in the BMC Discovery Outpost.

Before you begin

 

Credential broker performance testing
Credential brokers are designed with human interaction in mind. When BMC Helix Discovery is scanning, it can make many simultaneous API calls. Before putting an integration with any supported credential broker into production, you should perform scale and performance testing in your IT environment.
We recommend that you do not use DNS names in credential broker fields, because doing so requires a performant and reliable DNS server. Slow DNS queries significantly increase scan times; even with a fast DNS server, scan times are impacted. Where multiple names are defined for an IP address, BMC Helix Discovery uses the first name or FQDN returned by the DNS server, which may not be consistent, depending on the DNS server configuration.

To integrate with ARCON PAM Digital Vault

  1. From the main menu in the BMC Discovery Outpost, click Manage > Vault Providers.
    The Manage Vault page opens. 
  2. Select the ARCON PAM Digital Vault tab.
    [Screenshot: ARCON-outpost.png]

  3. Enter the settings appropriate to your ARCON PAM Digital Vault on the page.

    Field Name | Description

    Status | A read-only display showing the status of the integration with ARCON PAM Digital Vault. This can be one of: WORKING, DISABLED, or messages such as TEST OK, TEST ERROR, or ERROR and an explanatory message.

    Enabled | Select the check box to enable the integration with ARCON PAM Digital Vault.

    URL | The URL of ARCON PAM Digital Vault. Only HTTPS URLs are permitted. This field is mandatory.
    You should ask your ARCON PAM Digital Vault administrator for the URL, user name, and password to access ARCON PAM Digital Vault.

    User Name | A user name for ARCON PAM Digital Vault. This field is mandatory.

    Set Password | Field in which you can enter the password. To make the field editable, select the check box and set the password. The password is not displayed.

    Open For Hours | The time (in hours) for which the vault remains open. Select a value from 1 to 4.

    Timeout (in seconds) | The timeout (in seconds) for requests to the provider. The default is 300 seconds.

    TLS verification type | Select one of the following:
      • Public CA—use a default public root certificate.
      • No verification—do not attempt verification. Disabling the TLS certificate check means that an attacker could perform a man-in-the-middle attack and intercept credentials received from the vault product. Only disable it in a test environment where providing a valid certificate is impractical.
      • Private CA—selects the first matching CA from those uploaded from the Certificate Authorities page.
      • Specific CA—choose a specific CA from the Specific TLS certificate drop-down. The drop-down lists the CAs uploaded from the Certificate Authorities page.
      The result is reported in the Status message.

    Specific TLS certificate | Select a specific TLS certificate from the list of installed private CAs.

  4. Click Test to test the connection. The configuration is not saved until you click the Apply button.
  5. Click Apply to save and apply the configuration.


The integration between BMC Helix Discovery and ARCON PAM Digital Vault is complete. See Adding credentials for information on using credentials from ARCON PAM Digital Vault to access discovery targets.
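
The TLS verification types in step 3 differ in which roots the client trusts and whether the server certificate is checked at all. The following Python is an added example, not BMC or ARCON code: it builds a client TLS context for each choice and probes the vault URL with it, so you can confirm that the certificate validates before selecting a type. The mode names, function names and the CA file argument are assumptions of this example; the Outpost selects the CA itself from those uploaded.

```python
import socket
import ssl
from urllib.parse import urlsplit


def build_context(mode, ca_file=None):
    """Client TLS context for one verification type (mode names are this example's)."""
    if mode == "public":
        # Default public root store; chain and hostname are both checked.
        return ssl.create_default_context()
    if mode in ("private", "specific"):
        if not ca_file:
            raise ValueError("private/specific CA needs a CA certificate file")
        # With cafile set, only that CA is trusted; public roots are not loaded.
        return ssl.create_default_context(cafile=ca_file)
    if mode == "none":
        ctx = ssl.create_default_context()
        ctx.check_hostname = False       # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted
        return ctx
    raise ValueError(f"unknown verification type: {mode}")


def vault_endpoint(url):
    """Split the vault URL into (host, port); only HTTPS is accepted."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("only HTTPS URLs are permitted")
    return parts.hostname, parts.port or 443


def probe(url, mode, ca_file=None, timeout=10):
    """Attempt a handshake with the vault; return (ok, detail)."""
    host, port = vault_endpoint(url)
    ctx = build_context(mode, ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate rejected: {exc.verify_message}"
    except OSError as exc:
        return False, f"connection failed: {exc}"
```

A probe that succeeds only with mode "none" means the vault certificate does not chain to any CA you supplied, which is the case to fix rather than to work around.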

How credentials are stored in ARCON PAM Digital Vault

 
The credentials stored in ARCON PAM Digital Vault are linked to a service, which is defined by a ServerIP and UserName. For information on configuring credentials in ARCON PAM Digital Vault, see the product documentation.  

Credential parameters in ARCON PAM Digital Vault, the corresponding BMC Helix Discovery Add Credential field name, and a description of their meaning in BMC Helix Discovery are shown in the following table:

ARCON PAM Digital Vault parameter | BMC Helix Discovery Add Credential field name | Meaning in BMC Helix Discovery
ServerIP | ARCON PAM Digital Vault System | The discovery target. May be an IP address or an FQDN. This field supports the %ip% and %fqdn% replacement markers described in Replacement markers.
Account | ARCON PAM Digital Vault Account | The user name with which to access the discovery target. This represents a service user account in ARCON PAM Digital Vault.
TargetType | ARCON PAM Digital Vault Service Type | The type of target, for example, SSH LINUX, or MongoDB. Select the appropriate type for the credential from the drop-down list.
DBInstanceName | ARCON PAM Digital Vault DB Instance Name | The database instance name associated with the service in ARCON PAM Digital Vault. It should only be populated for database-type targets.

The filter fields accept the following replacement markers:

Marker | Description
%ip% | The IP address being accessed. This may be IPv4 or IPv6.
%port% | This is the port being used for ssh, telnet, SNMP, and so on. For SQL queries this is the port on which the database instance is listening.
%type% | The type of access being requested, for example, ssh, snmp, or vsphere.
%version% | The version number for SNMP queries.
%formatted_ip% | Formatted version of the IP address being accessed, suitable for use in URLs as defined by RFC2732. For IPv4, the IP address is unchanged, for IPv6 the IP address will be enclosed in square brackets.
%devicename% | The name of the device, as defined in DNS.
%fqdn% | The fully qualified domain name of the device, as defined in DNS. If no fully qualified name is defined, %fqdn% will have the same value as %devicename%.
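
The marker rules in the table above, worked through in Python as an added example (not BMC Helix Discovery code): it builds the marker values for one access attempt, including the IPv6 bracketing for %formatted_ip% and the %fqdn% fallback to %devicename%, and expands them in a field value. The function names and the IPv6 target are constructed for illustration; raising an error for a marker with no value is this example's choice, because the page does not state how the product handles that case.

```python
import ipaddress
import re

MARKER = re.compile(r"%([a-z_]+)%")


def marker_values(ip, access_type, port=None, devicename=None, fqdn=None, version=None):
    """Build the marker table for one access attempt, following the table above."""
    addr = ipaddress.ip_address(ip)  # rejects anything that is not an IP literal
    values = {
        "ip": ip,
        # RFC 2732: IPv6 literals are bracketed for URLs, IPv4 is unchanged.
        "formatted_ip": f"[{ip}]" if addr.version == 6 else ip,
        "type": access_type,
    }
    if port is not None:
        values["port"] = str(port)
    if version is not None:
        values["version"] = str(version)
    if devicename:
        values["devicename"] = devicename
    # %fqdn% falls back to the device name when DNS has no fully qualified name.
    if fqdn or devicename:
        values["fqdn"] = fqdn or devicename
    return values


def expand(template, values):
    """Replace every %marker% in a field; unknown or unset markers raise KeyError."""
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value for %{name}%")
        return values[name]
    return MARKER.sub(substitute, template)


# Constructed targets: server74 from this page, plus an IPv6 documentation address.
V4 = marker_values("192.68.1.74", "ssh", port=22, devicename="server74")
V6 = marker_values("2001:db8::74", "ssh", port=22, devicename="server74",
                   fqdn="server74.example.com")
```

Failing on an unset marker keeps a literal "%fqdn%" or an empty string from being sent to the vault as the ServerIP lookup key.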

To use a credential from ARCON PAM Digital Vault in BMC Helix Discovery

In this example there is a server called "server74". The following details are stored in ARCON PAM Digital Vault:

  • ServerIP - 192.68.1.74
  • Account - root
  • TargetType - SSH LINUX
  • DBInstanceName - Not required for non-database targets.

The following screenshot shows adding the credential for server74:

[Screenshot: AddCredential.png]

 
