Integrating with BeyondTrust Password Safe
Before you begin
We recommend that you do not use DNS names in credential broker fields, because doing so requires a performant and reliable DNS server. Slow DNS queries significantly increase scan times; even with a fast DNS server, scan times are impacted. Where multiple names are defined for an IP address, BMC Helix Discovery uses the first name or FQDN returned by the DNS server, which may not be consistent, depending on the DNS server configuration.
To integrate with BeyondTrust Password Safe
- From the main menu in the BMC Discovery Outpost, click Manage > Vault Providers.
  The Manage Vault page opens.
- Select the BeyondTrust Password Safe tab.

Enter the settings appropriate to your BeyondTrust Password Safe on the page:
| Field Name | Description |
|---|---|
| Status | A read-only display showing the status of the integration with BeyondTrust Password Safe. This can be one of: ACTIVE, DISABLED, or messages such as TEST OK, TEST ERROR, or ERROR and an explanatory message. |
| Enabled | Select the check box to enable the integration with BeyondTrust Password Safe. |
| URL | The URL of BeyondTrust Password Safe. Only HTTPS URLs are permitted. This field is mandatory.<br>You should ask your BeyondTrust Password Safe administrator for the URL, API key, user name, and password to access BeyondTrust Password Safe. |
| Set API Key | Field in which you can enter an API key. To make the field editable, select the check box and paste in the key. The key is not displayed. This field is mandatory. |
| User Name | A user name for BeyondTrust Password Safe. This field is mandatory. |
| Set Password | Field in which you can enter the password corresponding to the User name.<br>To make the field editable, select the check box and set the password. The password is not displayed. |
| Checkout Duration (in minutes) | The time (in minutes) for which the password is guaranteed to remain valid. The default is 15 minutes and the minimum is one minute. |
| Timeout (in seconds) | The timeout (in seconds) for requests to the provider. The default is 300 seconds and the minimum is 5 seconds. |
| TLS verification type | Select one of the following:<br>- Public CA—use a default public root certificate.<br>- No verification—do not attempt verification. Disabling the TLS certificate check means that an attacker could perform a man-in-the-middle attack and intercept credentials received from the vault product. Only disable it in a test environment where providing a valid certificate is impractical.<br>- Private CA—selects the first matching CA from those uploaded from the Certificate Authorities page.<br>- Specific CA—choose a specific CA from the Specific TLS certificate drop-down. The drop-down lists the CAs uploaded from the Certificate Authorities page.<br>The result is reported in the Status message. |
| Specific TLS certificate | Select a specific TLS certificate from the list of installed private CAs. |
- Click Test to test the connection. The configuration is not saved until you click the Apply button.
- Click Apply to save and apply the configuration.
The integration between BMC Helix Discovery and BeyondTrust Password Safe is complete. For information on using credentials from BeyondTrust Password Safe to access discovery targets, see Adding-credentials.
How credentials are stored in BeyondTrust Password Safe
The credentials stored in BeyondTrust Password Safe are linked to an asset. You create the asset, and then add credentials to that asset, according to the BeyondTrust Password Safe documentation.
Credential parameters in BeyondTrust Password Safe, the corresponding BMC Helix Discovery Add Credential field name, and a description of their meaning in BMC Helix Discovery are shown in the following table:
| BeyondTrust Password Safe parameter | BMC Helix Discovery Add Credential field name | Meaning in BMC Helix Discovery |
|---|---|---|
| System | BeyondTrust System | The name of the system in BeyondTrust Password Safe is taken from the asset name. The system name should be considered as the credential name in BMC Helix Discovery. It has no effect on the target that BMC Helix Discovery scans; it simply locates the credential in BeyondTrust Password Safe. This field accepts the replacement markers described in Replacement markers. |
| Account | BeyondTrust Account | The user name with which to access the discovery target. The integration retrieves the corresponding password from BeyondTrust Password Safe. There might be more than one account for each system. For example, an account called discovery and one called root or admin for discovering targets using elevated permissions. This field accepts the replacement markers described in Replacement markers. |
Replacement markers
| Marker | Description |
|---|---|
| %ip% | The IP address being accessed. This may be IPv4 or IPv6. |
| %port% | This is the port being used for ssh, telnet, SNMP, and so on. For SQL queries this is the port on which the database instance is listening. |
| %type% | The type of access being requested, for example, ssh, snmp, or vsphere. |
| %version% | The version number for SNMP queries. |
| %formatted_ip% | Formatted version of the IP address being accessed, suitable for use in URLs as defined by RFC 2732. For IPv4, the IP address is unchanged; for IPv6, the IP address is enclosed in square brackets. |
| %devicename% | The name of the device, as defined in DNS. |
| %fqdn% | The fully qualified domain name of the device, as defined in DNS. If no fully qualified name is defined, %fqdn% will have the same value as %devicename%. |
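
The marker expansion described in the table above, as an added illustration in Python (not BMC's implementation). The names `expand` and `formatted_ip`, the parameters, the sample addresses, and the choice to reject unknown markers are assumptions of this example. It also reports which DNS-derived markers a System or Account template uses, because the recommendation under Before you begin advises against DNS names in credential broker fields.

```python
import ipaddress
import re

# Marker names taken from the Replacement markers table on this page.
MARKERS = {"ip", "port", "type", "version", "formatted_ip", "devicename", "fqdn"}
# Markers whose values depend on DNS lookups.
DNS_MARKERS = {"devicename", "fqdn"}
_MARKER_RE = re.compile(r"%([a-z_]+)%")


def formatted_ip(ip):
    """IPv4 is returned unchanged; IPv6 is enclosed in square brackets."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return f"[{ip}]" if addr.version == 6 else ip


def expand(template, *, ip, port, access_type, version="", devicename="", fqdn=""):
    """Return (expanded_string, dns_markers_used) for a System or Account template."""
    values = {
        "ip": ip,
        "port": str(port),
        "type": access_type,
        "version": version,
        "formatted_ip": formatted_ip(ip),
        "devicename": devicename,
        # Per the table: with no FQDN defined, %fqdn% has the value of %devicename%.
        "fqdn": fqdn or devicename,
    }
    used_dns = set()

    def substitute(match):
        name = match.group(1)
        if name not in MARKERS:
            # Assumption of this example: fail loudly instead of passing text through.
            raise ValueError(f"unknown replacement marker: %{name}%")
        if name in DNS_MARKERS:
            used_dns.add(name)
        return values[name]

    return _MARKER_RE.sub(substitute, template), sorted(used_dns)


if __name__ == "__main__":
    # Constructed sample target (documentation address ranges).
    print(expand("%type%-%formatted_ip%", ip="2001:db8::74", port=22, access_type="ssh"))
    print(expand("%fqdn%", ip="192.0.2.74", port=22, access_type="ssh", devicename="server74"))
```

A non-empty second element in the result means the lookup in BeyondTrust Password Safe depends on what DNS returned for the target at scan time.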
To use a credential from BeyondTrust Password Safe in BMC Helix Discovery
In this example there is a server called "server74". The following details are configured in BeyondTrust Password Safe:
- System — server74
- Account — discovery. A UNIX account called discovery and its corresponding password
- Account — root. A UNIX root account for the server and its corresponding password
For the discovery account, you specify the credential using server74 for the system and discovery for the user.
For the root account, you specify the credential using server74 for the system and root for the user.
The following screenshot shows adding the credential for server74:
