ADDMI 14: Discovery Credentials
TRANSCRIPT
© 2009 BMC Educational Services
Discovery Credentials
Giving Atrium Discovery Authority to Discover
© 2010 BMC Educational Services
Outline
The Vault
UNIX credentials: login, SSH key
Windows credentials: slave choice
SNMP credentials
Software credentials
Credential ordering
Testing and debugging credentials
How Do We Get In?
To access your environment, Atrium Discovery needs credentials. These are provided in two ways:
• Entered locally on the appliance, where they are stored in the Vault
• A Windows Discovery Slave is configured to run as a service on an external host using a specific credential
The Vault
What Is the Vault?
The Vault is a passphrase-encrypted store for credentials: Blowfish encryption, with a default passphrase of 64 characters (512 bits). (Blowfish keys are at most 448 bits, so the passphrase is not used directly as the cipher key; how it is turned into the key is not described here.)
The Vault is opened and closed in sync with Discovery start/stop.
Only the Discovery sub-system can access the Vault.
With the default passphrase the appliance can open the Vault unattended, which also means the passphrase is available on the appliance itself. Setting your own passphrase (see Advanced Vault Management) takes it off the appliance, at the cost of entering it at every start.
[Diagram: the discovery process reads credentials from the credential vault and uses them to connect to your IT estate.]
Advanced Vault Management
If required, a specific Vault passphrase can be set. This is only advised if security conditions require it, as the passphrase will need to be entered every time Discovery is started.
Administration > Discovery > Vault Management
Changing Vault Passphrase
Stop Discovery, enter the new passphrase twice, then click “Set Passphrase”.
Remember it is a passphrase, not a password. Make it long: the effective strength of the encryption is bounded by the passphrase, not by the cipher.
Starting Discovery with Passphrase
With a passphrase set on the Vault you will need to enter it every time Discovery is started.
You will also need to enter it to view credentials.
UNIX Credentials
Basic UNIX Credentials (1)
UNIX credentials are stored in the Login Credentials section:
Discovery > Credentials > Login Credentials
Basic UNIX Credentials (2)
Click the “Add” button to open the credential editor.
Basic UNIX Credentials (3)
Enter the range of IPs that this credential is valid for:
10.0.0.1 – single IP
10.10.10.*, 10.10.1-5.* or 10.10.10.0/24 – range specification
.* or 10.10.10.(23|25) – regex
Basic UNIX Credentials (4)
Enter the username of the credential.
Basic UNIX Credentials (5)
Enter the password of the credential.
Basic UNIX Credentials (6)
Enter a description of the credential to aid credential management.
Basic UNIX Credentials (7)
Choose which access types this credential is valid for (only the ones it is actually meant for; see Credential Ordering), then click the “Apply” button to commit the credential to the Vault.
UNIX Credentials Advanced Options (1)
If you wish to su to root or a more privileged account after login, set the “SU” option, provide the username and enter the password (if the account has a password set). Note that this puts the privileged account's password into the Vault as well.
UNIX Credentials Advanced Options (2)
If you know that SSH runs on a different port for these IPs, set the “Enable custom SSH port” option and enter the custom port.
SSH Key Exchange UNIX Credential (1)
SSH can use public-key authentication as a more secure alternative to passwords.
To generate a fresh key pair click “Generate RSA keys”. Do not generate keys if a pair already exists and its public key has been deployed: the hosts that trust the old public key will stop accepting the appliance.
Treat the appliance's private key as a credential in its own right; on each target, restrict its authorized_keys entry (for example with a from="<appliance IP>" option) so the key is only usable from the appliance.
SSH Key Exchange UNIX Credential (2)
To tell Discovery to use key authentication, set up a username with no password.
Windows Credentials
Windows Credentials Basics
For Windows credentials you have two choices:
• Store credentials locally in the Appliance Vault and use a Credential Slave to proxy the discovery
• Deploy an Active Directory or Workgroup Slave, which runs as a service under a Domain/Workgroup credential and proxies the discovery
[Diagram, Credential Slave: the discovery process delegates discovery to the Windows slave and passes it usernames and passwords from the credential vault; the slave connects to your IT estate with the supplied username/password.]
[Diagram, Active Directory Slave: the discovery process delegates discovery to the Windows slave; the slave connects to the estate using its own Windows service account, so no Windows credentials are held on the appliance.]
Which Slave to Use
Large scale deployments: Active Directory Slave
• Least painful way of managing and deploying credentials
• Works best with the increasingly tight Microsoft security approaches in Server 2008 and Vista (User Account Control, UAC)
• Can have multiple AD Slaves to cope with many domains
Test lab, trials, small networks: Credential Slave
• Have to create and deploy individual credentials
• May need additional work on some servers to allow remote administration-level rights
• Can only connect a single Credential Slave per appliance
Credential Slave Overview
Credentials required: the Tideway Slave runs as a service on customer hardware; administrator credentials for the targets must be set up in the Appliance (Vault).
Many-to-one: an appliance may be configured for at most one Credential Slave; a Credential Slave may be shared between appliances.
Default port: 4323
Active Directory Slave Overview
Credentials required: runs as a service as Domain Administrator; no administrator credentials are required on the Appliance. Protect the slave host accordingly: whoever controls it controls a Domain Administrator service.
Many-to-many: an appliance may be configured for more than one AD/Workgroup Slave; an AD/Workgroup Slave may be shared between appliances.
Default ports: 4321 (AD), 4322 (Workgroup)
Connecting a Windows Slave (1)
Discovery > Credentials > Slave Management, then click the appropriate “Add x Slave” button.
Connecting a Windows Slave (2)
For a Credential Slave: provide a name and the Slave host IP address, take the default port and click “Apply”.
Connecting a Windows Slave (3)
For an Active Directory Slave: provide a name and the Slave host IP address, provide the domain, take the default port and click “Apply”.
Basic Windows Credentials for Credential Slave
Add under Login Credentials just like basic UNIX credentials. Ensure the only access type selected is Windows. Make sure you have a Credential Slave connected, otherwise the credential cannot be used.
Restricted Slave (1)
If you know a Windows Slave can only access a particular part of the network you can restrict it.
This works like the IP Range on Login Credentials.
Restricted Slave (2)
Check the “Restricted” option to enable the feature.
Upload a file of restricted IPs. Entries can only have the form:
10.0.0.1 – single IP
10.0.0.0/24 – range
(the wildcard and regex forms accepted by Login Credentials are not accepted here)
Download the existing “Allowed IPs” list first if extending it, as the upload replaces the list.
Slave Self Scanning Limitation
Windows authentication works differently if commands are run locally.
This means that a Slave, in general, cannot discover its own host, as it uses remote authentication.
A common gotcha in testing and small trials.
SNMP Credentials
SNMP Credentials (1)
SNMP credentials are stored in the SNMP Credentials section:
Discovery > Credentials > SNMP Credentials. Click the “Add” button to open the credential editor.
SNMP Credentials (2)
Enter the range of IPs that this credential is valid for (same syntax as Login Credentials):
10.0.0.1 – single IP
10.10.10.*, 10.10.1-5.* or 10.10.10.0/24 – range specification
.* or 10.10.10.(23|25) – regex
SNMP Credentials (3)
Enter a community string. With SNMP v1/v2c the community string travels in clear text on the wire, so treat it as a shared password and use a read-only community.
SNMP Credentials (4)
Enter a description of the credential to aid credential management.
SNMP Credentials (5)
Set the correct protocol version, then click the “Apply” button to commit the credential to the Vault.
Software Credential Groups
Database Credentials
What Are Software Credential Groups?
If you have installed patterns that query databases you will have Software Credential Groups (TKU_DBDETAILS).
Credentials are grouped by software product.
Software Credential Groups (1)
Used by patterns that interrogate relational databases via JDBC.
Adding Software Credentials (1)
Click on “Credentials”, then click on “Create New Credential”.
Adding Software Credentials (2)
name – use the username
description – to help credential management
username – enter the database user name (prefer a read-only database account, since discovery only reads)
password – enter the database user's password
database driver – you will need to select the correct JDBC driver
Adding Software Credentials (3)
Database credentials need the appropriate DB driver selected; consult your DBA on the correct one to use.
You may need to upload the actual JAR file: Administration > JDBC Drivers shows the status of loaded drivers and links to vendor sites. Consult an appropriate DBA if needed.
Adding Software Credentials (4)
Enter the range of IPs that this credential is valid for (same syntax as Login Credentials):
10.0.0.1 – single IP
10.10.10.*, 10.10.1-5.* or 10.10.10.0/24 – range specification
.* or 10.10.10.(23|25) – regex
Ignore the other fields; the TKU patterns will provide this data on the fly as needed.
There are a number of advanced feature options in this area which are not needed for basic discovery.
Credential Ordering
Credential Order and Re-ordering
All credentials are ordered and, if more than one matches the IP and access type, they are tried in turn, top to bottom. They can be re-ordered by dragging the credential box.
Credential Order Best Practice
1. Have root accounts before restricted ones
2. Have specific credentials before general ones
3. If you have both an SSH key credential and SSH password credentials, put the key ones first
4. Use specific ranges rather than .* if you have several general credentials
5. If you have several general credentials, put those you expect to work most often before the others
6. Only have relevant access types on your credentials
Discovery is slowed down most by hosts it can detect but cannot log in to, because it spends time trying every credential that matches them. Each of those attempts is also a failed login on the target, which can trip account-lockout policies and fill security logs, so narrow ranges and relevant access types protect the estate as well as discovery speed.
Best Practices Example
10.0.0.1 – ssh (key) admin
10.0.0.1 – ssh (password) admin
10.0.0.* – ssh (password) root
20.0.0.* – ssh (password) root
.* – ssh (key) discovery-user
.* – ssh (password) backupagent
The specific credentials are at the top of the list, with the key credential before the password one. These are specific admin accounts with high access rights, so they come first.
The general credentials have well-defined ranges. These are root accounts with high access rights, so they sit above the more general accounts but below the specific admin accounts.
The general “discovery-user” credential that is being rolled out should work in most places, so it is above the “backupagent” credential that might work on only a few machines. We expect “discovery-user” to have more rights than “backupagent” but not as much as the specific root/admin credentials.
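The IP range syntax shared by Login, SNMP and Software credentials, the top-to-bottom trial order, and the ordering rules above, worked through as an added Python example (this is not Tideway/BMC code). It assumes the range forms are exactly those listed on the slides, that a regex must match the whole address, and it adds a check for the stricter file format a Restricted Slave accepts; the sample vault is constructed from the example list above.

```python
"""
Added example (not Tideway/BMC code): a model of how Discovery selects and
orders credentials for a target, a lint for the ordering rules on this page,
and a validator for a Restricted Slave "Allowed IPs" upload.
Assumptions: the IP range syntax is exactly the forms listed on the slides
(single IP, dotted wildcard/range, CIDR, regex); a regex must match the
whole address; VAULT below is constructed from the example slide.
"""
import ipaddress
import re
from dataclasses import dataclass

# Dotted forms: 10.0.0.1, 10.10.10.*, 10.10.1-5.*  (one group per octet)
_OCTET = r"(\*|\d{1,3}(?:-\d{1,3})?)"
_DOTTED = re.compile(r"^" + r"\.".join([_OCTET] * 4) + r"$")


def _octet_ok(spec: str, value: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= value <= hi
    return int(spec) == value


def ip_matches(spec: str, ip: str) -> bool:
    """True if the IPv4 address `ip` falls inside the credential range `spec`."""
    spec = spec.strip()
    addr = ipaddress.IPv4Address(ip)            # raises ValueError on malformed input
    if "/" in spec:                             # CIDR, e.g. 10.10.10.0/24
        return addr in ipaddress.IPv4Network(spec, strict=False)
    m = _DOTTED.match(spec)
    if m:                                       # single IP or dotted wildcard/range
        return all(_octet_ok(s, int(v)) for s, v in zip(m.groups(), ip.split(".")))
    # Anything else is a regex, e.g. ".*" or "10.10.10.(23|25)" (assumed whole-address match)
    return re.fullmatch(spec, ip) is not None


@dataclass(frozen=True)
class Credential:
    ip_range: str
    access: frozenset          # access types ticked in the editor, e.g. {"ssh"}
    username: str
    auth: str                  # "key" or "password"


def candidates(vault, ip: str, access: str):
    """Credentials Discovery would try for `ip`, in Vault order (top to bottom)."""
    return [c for c in vault if access in c.access and ip_matches(c.ip_range, ip)]


def lint_order(vault):
    """Flag pairs that break rules 2 and 3 above: a catch-all '.*' credential
    above a specific range, or a password credential above the key credential
    for the same user and range."""
    problems = []
    for i, a in enumerate(vault):
        for b in vault[i + 1:]:
            if not (a.access & b.access):
                continue
            if a.ip_range == ".*" and b.ip_range != ".*":
                problems.append(f"catch-all '{a.username}' is above specific range {b.ip_range} ({b.username})")
            if (a.username, a.ip_range, a.auth, b.auth) == (b.username, b.ip_range, "password", "key"):
                problems.append(f"password credential for {a.username}@{a.ip_range} is above the key one")
    return problems


def parse_restricted_ips(text: str):
    """Check a Restricted Slave upload before sending it: only single IPs or
    CIDR ranges are allowed, not the wildcard/regex forms Login Credentials take."""
    nets = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.IPv4Network(line, strict=True))
        except ValueError as exc:
            raise ValueError(f"line {n}: {line!r} is not a single IP or CIDR range") from exc
    return nets


# Constructed to match the example list on this page.
VAULT = [
    Credential("10.0.0.1", frozenset({"ssh"}), "admin", "key"),
    Credential("10.0.0.1", frozenset({"ssh"}), "admin", "password"),
    Credential("10.0.0.*", frozenset({"ssh"}), "root", "password"),
    Credential("20.0.0.*", frozenset({"ssh"}), "root", "password"),
    Credential(".*", frozenset({"ssh"}), "discovery-user", "key"),
    Credential(".*", frozenset({"ssh"}), "backupagent", "password"),
]

if __name__ == "__main__":
    for target in ("10.0.0.1", "20.0.0.9", "192.168.1.1"):
        print(target, [f"{c.username}/{c.auth}" for c in candidates(VAULT, target, "ssh")])
    print("order problems:", lint_order(VAULT) or "none")
    print("order problems (reversed):", lint_order(list(reversed(VAULT))))
```

Running the script lists, per target, the credentials that would be tried and in what order; the reversed vault shows the lint catching a catch-all above a specific range and a password credential above its key counterpart.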
Testing Credentials
Testing from the Credentials UI
Credentials can be tested from within the system. The check only tests whether a session can be established: it cannot run the commands that discovery or the patterns use, so success is not a guarantee that discovery will work, just that a connection can be made.
Other Locations for Credential Tests
From a Host
From a Discovery Access
Testing IP Access
Select “Test IP Access” and enter a single IP.
The test runs in the background.
Viewing IP Test Results
Click on the result to see details; there is a summary view and a detail view.
Testing Slave Connectivity and Access
Use the Ping option in the Actions menu to check appliance-to-slave connectivity.
The result of the ping is shown in the information banner.
Testing a Specific Slave IP Access
Select “Test” from the “Actions” menu and enter a single IP.
The test runs in the background.
Testing Low Level Access
Sometimes it is useful to confirm that credentials work at a low level, outside of the Discovery service.
There are separate procedures for each type of credential: UNIX, SNMP and Windows.
Testing UNIX Credential
Test from the Appliance CLI as the user ‘tideway’:
SSH: ssh <username>@<ip>, accept the host identity if prompted, enter the password if prompted
Telnet: telnet <ip>, then login <username> and enter the password
rlogin: rlogin <ip> -l <username>, then enter the password
Telnet and rlogin send the username and password in clear text; use them only where SSH is not available.
Testing SNMP Credential
Test from the Appliance CLI as the user ‘tideway’:
snmpwalk -On -v2c -c <string> <ip> .1.3.6.1.2.1.1.1.0
Expected return:
.1.3.6.1.2.1.1.1.0 = STRING: Linux linuxdisc 2.6.5-1.358smp #1 SMP Sat May 8 09:25:36 EDT 2004 i686
A timeout rather than an error usually means the community string is wrong or SNMP is filtered: v1/v2c agents do not answer a request carrying a bad community, they simply drop it.
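An added example, not Tideway/BMC code, that turns the manual SSH and snmpwalk checks above into a non-interactive script meant to be run as ‘tideway’ on the appliance. It assumes OpenSSH’s ssh and net-snmp’s snmpwalk are on PATH, and the SSH check only exercises key authentication (BatchMode=yes makes ssh fail rather than prompt for a password or for an unknown host key). The command outputs used to exercise the classifiers are constructed.

```python
"""
Added example (not Tideway/BMC code): non-interactive versions of the UNIX
(SSH) and SNMP low-level checks on this page, for the appliance CLI.
Assumptions: OpenSSH's ssh and net-snmp's snmpwalk are on PATH; the SSH check
tests key authentication only (BatchMode=yes makes ssh fail instead of
prompting for a password or an unknown host key); sample outputs fed to the
classifiers elsewhere are constructed.
"""
import re
import subprocess

SYSDESCR_OID = ".1.3.6.1.2.1.1.1.0"   # sysDescr, the OID the page walks
_SYSDESCR = re.compile(r"\.1\.3\.6\.1\.2\.1\.1\.1\.0 = STRING: (.*)", re.S)


def classify_ssh(returncode: int, stderr: str) -> str:
    """Map an ssh exit to a verdict. OpenSSH exits 255 when ssh itself failed
    (network, host key or authentication); any other code is the remote command's."""
    if returncode == 0:
        return "ok"
    if returncode == 255:
        err = stderr.lower()
        if "permission denied" in err:
            return "auth-failed"            # key (or user) not accepted by the target
        if "host key verification failed" in err:
            return "unknown-host-key"       # accept the identity interactively first
        return "unreachable"
    return f"remote-command-failed({returncode})"


def classify_snmp(returncode: int, stdout: str, stderr: str):
    """Return (verdict, sysDescr). A wrong community string produces no error
    from a v1/v2c agent, which silently drops the request, so it shows as a timeout."""
    out = (stdout + "\n" + stderr).strip()
    m = _SYSDESCR.match(out)
    if returncode == 0 and m:
        return "ok", m.group(1).strip()
    if "Timeout" in out or "No Response" in out:
        return "no-response", ""
    return "error", out


def check_ssh(user: str, ip: str, port: int = 22, timeout: int = 5) -> str:
    """Equivalent of 'ssh <username>@<ip>' above, but refusing every prompt."""
    cmd = ["ssh", "-o", "BatchMode=yes", "-o", f"ConnectTimeout={timeout}",
           "-p", str(port), f"{user}@{ip}", "id"]
    p = subprocess.run(cmd, capture_output=True, text=True)
    return classify_ssh(p.returncode, p.stderr)


def check_snmp(community: str, ip: str, version: str = "2c", timeout: int = 5):
    """Equivalent of 'snmpwalk -On -v2c -c <string> <ip> .1.3.6.1.2.1.1.1.0'.
    The community string is visible in the process list while this runs."""
    cmd = ["snmpwalk", "-On", f"-v{version}", "-c", community,
           "-t", str(timeout), "-r", "1", ip, SYSDESCR_OID]
    p = subprocess.run(cmd, capture_output=True, text=True)
    return classify_snmp(p.returncode, p.stdout, p.stderr)


if __name__ == "__main__":
    import sys
    # usage: python check_creds.py ssh <user> <ip>   |   python check_creds.py snmp <community> <ip>
    kind, cred, ip = sys.argv[1:4]
    print(check_ssh(cred, ip) if kind == "ssh" else check_snmp(cred, ip))
```

An "auth-failed" verdict means the connection and host key were fine and only the credential was rejected, which is the case worth checking first when the UI test fails; "unknown-host-key" means run the interactive ssh once to accept the identity, as the slide says.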
Testing Windows Credential (1)
Test from the Slave host as the service user, against a remote target rather than the slave host itself (see Slave Self Scanning Limitation).
1) Start wbemtest from Start -> Run -> wbemtest
2) Click on the “Connect…” button (top right)
Testing Windows Credential (2)
3) In the connect window that pops up, replace the field “root\default” with “\\<target-machine>\root\cimv2”
4) Enter valid credentials for the target machine in the User and Password fields
5) Click “Connect”. There should be a short delay while wbemtest connects; you should return to the main wbemtest window with all the buttons enabled
Testing Windows Credential (3)
This confirms remote WMI access is possible; to confirm data can actually be read, query Win32_ComputerSystem:
6) Click “Open Class…”
7) In the Get Class Name window that pops up enter “Win32_ComputerSystem” and click OK. This should return an object editor window
Testing Windows Credential (4)
8) Click on “Instances”, which should return a single instance with the name of the target machine
9) Double-click the instance to get an Object editor window for that instance and confirm that Domain, Name, Manufacturer and Model are populated
Further Resources
Online Documentation: http://www.tideway.com/confluence/display/81/Credentials
Tideway Foundation Version 7.2 Documentation