
Page 1: Addmi 14-discovery credentials

© 2009 BMC Educational Services

Discovery Credentials

Giving Atrium Discovery Authority to Discover

Page 2: Addmi 14-discovery credentials

Outline

• Vault

• UNIX: Login, SSH key

• Windows: Slave Choice

• SNMP

• Software Credentials

• Credential Ordering

• Testing and Debugging Credentials

Page 3: Addmi 14-discovery credentials

How Do We Get In?

To access your environment, Atrium Discovery needs credentials. These are provided in two ways:

• Entered locally on the appliance, where they are stored in the Vault

• A Windows Discovery Slave configured to run as a service on an external host using a specific credential

Page 4: Addmi 14-discovery credentials


The Vault

Page 5: Addmi 14-discovery credentials

What Is the Vault?

The Vault is a passphrase-encrypted store for credentials:

• Blowfish encryption

• 64 character / 512 bit default passphrase

• The Vault is opened/closed in sync with Discovery start/stop

• Only the Discovery sub-system can access the Vault

[Diagram: credential vault → discovery process → your IT estate]

Page 6: Addmi 14-discovery credentials

Advanced Vault Management

If required, a specific Vault passphrase can be set. This is only advised if security conditions require it, as the passphrase will need to be entered every time Discovery is started.

Administration > Discovery > Vault Management

Page 7: Addmi 14-discovery credentials

Changing Vault Passphrase

Stop Discovery. Enter the new passphrase twice. Click “Set Passphrase”.

Remember it’s a passphrase, not a password. Make it long; otherwise the encryption will be weakened.

Page 8: Addmi 14-discovery credentials

Starting Discovery with Passphrase

With a passphrase set on the Vault, you will need to enter it every time Discovery is started.

You will also need to enter it to view credentials.

Page 9: Addmi 14-discovery credentials


UNIX Credentials

Page 10: Addmi 14-discovery credentials


Basic UNIX Credentials (1)

UNIX Credentials are stored in the Login Credentials section

Discovery > Credentials > Login Credentials

Page 11: Addmi 14-discovery credentials


Basic UNIX Credentials (2)

Click the “Add” button to get the credential editor

Page 12: Addmi 14-discovery credentials

Basic UNIX Credentials (3)

Enter a range of IPs that this credential is valid for:

• 10.0.0.1 – single IP

• 10.10.10.*, 10.10.1-5.* or 10.10.10.0/24 – range specification

• .* or 10.10.10.(23|25) – regex

Page 13: Addmi 14-discovery credentials


Basic UNIX Credentials (4)

Enter the username of the credential

Page 14: Addmi 14-discovery credentials


Basic UNIX Credentials (5)

Enter the password of the credential

Page 15: Addmi 14-discovery credentials


Basic UNIX Credentials (6)

Enter a description of the credential to aid credential management

Page 16: Addmi 14-discovery credentials

Basic UNIX Credentials (7)

Choose which access types this credential is valid for. Click the “Apply” button to commit the credential to the Vault.

Page 17: Addmi 14-discovery credentials

UNIX Credentials Advanced Options (1)

If you wish to su to root or a higher privileged account after login: set the “SU” option, provide the username, and enter the password (if the account has a password set).

Page 18: Addmi 14-discovery credentials

UNIX Credentials Advanced Options (2)

If you know that SSH runs on a different port for these IPs, set the “Enable custom SSH port” option and enter the custom port here.

Page 19: Addmi 14-discovery credentials

SSH Key Exchange UNIX Credential (1)

SSH can use key exchange as a more secure alternative to passwords.

To generate a fresh key, click “Generate RSA keys”. Do not generate keys if one already exists and the public key has been deployed!

Page 20: Addmi 14-discovery credentials

SSH Key Exchange UNIX Credential (2)

To tell Discovery to use key exchange, set up a username with no password.

Page 21: Addmi 14-discovery credentials


Windows Credentials

Page 22: Addmi 14-discovery credentials

Windows Credentials Basics

For Windows credentials you have two choices:

• Store credentials locally in the Appliance Vault and use a Credential Slave to proxy the discovery

• Deploy an Active Directory or Workgroup Slave which will run as a service under a Domain/Workgroup credential and proxy the discovery

[Diagram: Credential Slave – the discovery process takes usernames and passwords from the credential vault and delegates discovery to the Windows slave, which connects to your IT estate with the supplied username/password]

[Diagram: Active Directory Slave – the discovery process delegates discovery to the Windows slave, which connects to your IT estate using the slave’s Windows Service account]

Page 23: Addmi 14-discovery credentials

Which Slave to Use

Large scale deployments: Active Directory Slave

• Least painful way of managing and deploying credentials

• Works best with the increasingly tightening Microsoft security approaches in Server 2008 and Vista (User Account Control, UAC)

• Can have multiple AD Slaves to cope with many Domains

Test lab, trials, small networks: Credential Slave

• Have to create and deploy individual credentials

• May need additional work on some servers to allow remote administration level rights

• Can only connect a single Credential Slave per Appliance

Page 24: Addmi 14-discovery credentials

Credential Slave Overview

Credentials required: the Tideway Slave runs as a service on customer hardware; Administrator credentials are required to be set up in the Appliance (Vault)

Many-to-one: an appliance may be configured for at most one Credential Slave, but a Credential Slave may be shared between appliances

Default port: 4323

Page 25: Addmi 14-discovery credentials

Active Directory Slave Overview

Credentials required: runs as a service as Domain Administrator; no Administrator credentials are required on the Appliance

Many-to-many: an appliance may be configured for more than one AD/Workgroup slave, and an AD/Workgroup slave may be shared between appliances

Default ports: 4321 (AD), 4322 (Workgroup)

Page 26: Addmi 14-discovery credentials

Connecting a Windows Slave (1)

Discovery > Credentials > Slave Management. Click on the appropriate “Add x Slave” button.

Page 27: Addmi 14-discovery credentials

Connecting a Windows Slave (2)

For a Credential Slave: provide a name and the Slave Host IP address, take the default port and click “Apply”.

Page 28: Addmi 14-discovery credentials

Connecting a Windows Slave (3)

For an Active Directory Slave: provide a name and the Slave Host IP address, provide the domain, take the default port and click “Apply”.

Page 29: Addmi 14-discovery credentials

Basic Windows Credentials for Credential Slave

Add under Login Credentials just like basic UNIX credentials. Ensure the only access type is Windows. Make sure you have a Credential Slave!

Page 30: Addmi 14-discovery credentials

Restricted Slave (1)

If you know a Windows Slave can only access a particular part of the network, you can restrict it.

This works like the IP Range on Login Credentials

Page 31: Addmi 14-discovery credentials

Restricted Slave (2)

Check the “Restricted” option to enable the feature

Upload a file of restricted IPs. Entries can only have the form:

• 10.0.0.1 – single IP

• 10.0.0.0/24 – range

Download the existing “Allowed IPs” list first if extending
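A check for the upload format this slide describes, as an added Python example written for this page (not BMC’s or Tideway’s code; the appliance’s own parser may behave differently). It accepts only the two forms the slide allows, rejects the wildcard and regex forms that Login Credentials accept, and merges new entries into a previously downloaded “Allowed IPs” list so that an upload extends rather than replaces it. Skipping blank lines and the output formatting are assumptions of this example.

```python
import ipaddress


def parse_allowed_ips(text: str):
    """Parse an 'Allowed IPs' file: one entry per line, single IP or CIDR only.

    Raises ValueError naming the line for any other form (wildcards, regexes,
    or a CIDR with host bits set). Blank lines are skipped (an assumption).
    """
    networks = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=True rejects e.g. 10.0.0.1/24, whose host bits are set
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            raise ValueError(
                f"line {lineno}: {entry!r} is not a single IP or CIDR range") from exc
    return networks


def is_valid_allowed_list(text: str) -> bool:
    """True when every non-blank line is a single IP or a CIDR range."""
    try:
        parse_allowed_ips(text)
    except ValueError:
        return False
    return True


def slave_may_scan(networks, ip: str) -> bool:
    """Whether a restricted slave would be allowed to discover `ip`."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def _format(net) -> str:
    # Write hosts back in the bare '10.0.0.1' form the slide shows, ranges as CIDR
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def extend_allowed_list(existing_text: str, additions_text: str):
    """Merge a downloaded list with new entries, preserving order, without duplicates."""
    seen = []
    for net in parse_allowed_ips(existing_text) + parse_allowed_ips(additions_text):
        if net not in seen:
            seen.append(net)
    return [_format(net) for net in seen]


if __name__ == "__main__":
    # Constructed sample lists for illustration
    current = "10.0.0.0/24\n10.0.1.5\n"
    new = "10.0.0.7\n10.1.0.0/16\n10.0.0.0/24\n"
    print(extend_allowed_list(current, new))
    print(is_valid_allowed_list("10.10.10.*\n"))
```

Run the merged list through `is_valid_allowed_list` before uploading; a wildcard or regex entry that slips in from a Login Credentials range would otherwise be rejected by the upload, or worse, silently fail to restrict anything.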

Page 32: Addmi 14-discovery credentials

Slave Self Scanning Limitation

Windows authentication works differently if commands are run locally

This means that a Slave, in general, cannot discover its own Host, as it uses remote authentication

A common gotcha in testing and small trials

Page 33: Addmi 14-discovery credentials


SNMP Credentials

Page 34: Addmi 14-discovery credentials

SNMP Credentials (1)

SNMP Credentials are stored in the SNMP Credentials section

Discovery > Credentials > SNMP Credentials. Click the “Add” button to get the credential editor.

Page 35: Addmi 14-discovery credentials

SNMP Credentials (2)

Enter a range of IPs that this credential is valid for:

• 10.0.0.1 – single IP

• 10.10.10.*, 10.10.1-5.* or 10.10.10.0/24 – range specification

• .* or 10.10.10.(23|25) – regex

Page 36: Addmi 14-discovery credentials


SNMP Credentials (3)

Enter a community string

Page 37: Addmi 14-discovery credentials


SNMP Credentials (4)

Enter a description of the credential to aid credential management

Page 38: Addmi 14-discovery credentials

SNMP Credentials (5)

Set the correct protocol version. Click the “Apply” button to commit the credential to the Vault.

Page 39: Addmi 14-discovery credentials


Software Credential Groups

Database Credentials

Page 40: Addmi 14-discovery credentials

What Are Software Credential Groups

If you have installed patterns that query databases, you will have Software Credential Groups (TKU_DBDETAILS)

Credentials are grouped by Software Product

Page 41: Addmi 14-discovery credentials


Software Credentials Groups (1)

Used by patterns that interrogate relational databases via JDBC

Page 42: Addmi 14-discovery credentials

Adding Software Credentials (1)

Click on “Credentials”

Click on “Create New Credential”

Page 43: Addmi 14-discovery credentials

Adding Software Credentials (2)

• name – use the username

• description – to help credential management

• username – enter the database user name

• password – enter the database user’s password

• database driver – you will need to select the correct JDBC driver

Page 44: Addmi 14-discovery credentials

Adding Software Credentials (3)

Database credentials need the appropriate DB driver selected; consult your DBA on the correct one to use

You may need to upload the actual JAR file. Administration > JDBC Drivers shows the status of loaded drivers and links to vendor sites. Consult an appropriate DBA if needed.

Page 45: Addmi 14-discovery credentials

Adding Software Credentials (4)

Enter a range of IPs that this credential is valid for:

• 10.0.0.1 – single IP

• 10.10.10.*, 10.10.1-5.* or 10.10.10.0/24 – range specification

• .* or 10.10.10.(23|25) – regex

Ignore the other fields; the TKU patterns will provide this data on the fly as needed

There are a number of advanced feature options in this area which are not needed for basic discovery

Page 46: Addmi 14-discovery credentials


Credential Ordering

Page 47: Addmi 14-discovery credentials

Credential Order and Re-ordering

All credentials are ordered and will be tried in turn if more than one matches the IP and access type. Ordering is top to bottom. They can be re-ordered by dragging the credential box.

Page 48: Addmi 14-discovery credentials

Credential Order Best Practice (1)

1. Have root accounts before restricted ones

2. Have specific credentials before general ones

3. If you have both an SSH key credential and SSH password credentials, put the key ones first

4. Try to use specific ranges and not .* if you have several general credentials

5. If you have several general credentials, put those you expect to work most often before the others

6. Only have relevant access types on your credentials

Discovery will be slowed down most by hosts it can detect but then spends time trying every credential that matches


Page 51: Addmi 14-discovery credentials

Best Practices Example (1)

The specific credentials are at the top of the list

The key credential is before the password credential

These are specific admin accounts with high access rights, so they are at the top

10.0.0.1 – ssh (key) admin

10.0.0.1 – ssh (password) admin

10.0.0.* – ssh (password) root

20.0.0.* – ssh (password) root

.* – ssh (key) discovery-user

.* – ssh (password) backupagent

Page 52: Addmi 14-discovery credentials

Best Practices Example (2)

The general credentials have well-defined ranges

These are root accounts with high access rights, so they are above the more general accounts but below the specific admin accounts

10.0.0.1 – ssh (key) admin

10.0.0.1 – ssh (password) admin

10.0.0.* – ssh (password) root

20.0.0.* – ssh (password) root

.* – ssh (key) discovery-user

.* – ssh (password) backupagent

Page 53: Addmi 14-discovery credentials

Best Practices Example (3)

The general “discovery-user” credential that is being rolled out should work in most places, so it is above the “backupagent” credential that might work on only a few machines

We expect the “discovery-user” credential to have more rights than “backupagent”, but not as much as the specific root/admin credentials

10.0.0.1 – ssh (key) admin

10.0.0.1 – ssh (password) admin

10.0.0.* – ssh (password) root

20.0.0.* – ssh (password) root

.* – ssh (key) discovery-user

.* – ssh (password) backupagent
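The six-entry list above, the IP range forms accepted in the credential editor (single IP, wildcard/octet range, CIDR and regex) and the top-to-bottom trial order described under Credential Order and Re-ordering can be modelled together. The following Python is an added example written for this page; it is not BMC’s or Tideway’s code and does not reflect how the appliance classifies or matches ranges internally. Its classification rule is an assumption of this example: an entry whose octets are all digits, `*` or `a-b` is treated as the wildcard/range form, an entry containing `/` as CIDR, and anything else as a regular expression matched against the whole address. `candidates` returns the credentials Discovery would try for a given IP and access type, in list order, and `ordering_warnings` flags two orderings that break best-practice rules 2 and 3 (a `.*` catch-all ahead of a specific range, and a password credential ahead of a key credential for the same range).

```python
import ipaddress
import re
from dataclasses import dataclass

# Octet pattern for the wildcard/range form: "10", "*" or "1-5"
_OCTET = r"(?:\d{1,3}(?:-\d{1,3})?|\*)"
_WILDCARD_FORM = re.compile(rf"{_OCTET}(?:\.{_OCTET}){{3}}")


@dataclass(frozen=True)
class Credential:
    ip_range: str   # single IP, wildcard/octet range, CIDR or regex (as on the slide)
    access: str     # access type the credential is enabled for, e.g. "ssh"
    method: str     # "key" or "password"
    username: str


def _octet_ok(pattern: str, value: int) -> bool:
    if pattern == "*":
        return True
    if "-" in pattern:
        lo, hi = (int(p) for p in pattern.split("-", 1))
        return lo <= value <= hi
    return int(pattern) == value


def range_matcher(spec: str):
    """Return a predicate telling whether an IPv4 string falls inside `spec`.

    Assumed classification (not the appliance's own): CIDR if it contains '/',
    wildcard/range form if every octet is digits, '*' or 'a-b', otherwise a
    regex that must match the whole address.
    """
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return lambda ip: ipaddress.ip_address(ip) in net
    if _WILDCARD_FORM.fullmatch(spec):
        parts = spec.split(".")

        def match(ip: str) -> bool:
            try:
                octets = [int(o) for o in ip.split(".")]
            except ValueError:
                return False
            return len(octets) == 4 and all(
                _octet_ok(p, o) for p, o in zip(parts, octets))
        return match
    regex = re.compile(spec)
    return lambda ip: regex.fullmatch(ip) is not None


def candidates(credentials, ip: str, access: str):
    """Credentials Discovery would try for `ip`, in list (top-to-bottom) order."""
    return [c for c in credentials
            if c.access == access and range_matcher(c.ip_range)(ip)]


def ordering_warnings(credentials):
    """Flag orderings that violate best-practice rules 2 and 3 from the slides."""
    warnings = []
    for i, earlier in enumerate(credentials):
        for later in credentials[i + 1:]:
            if earlier.access != later.access:
                continue
            if earlier.ip_range == ".*" and later.ip_range != ".*":
                warnings.append(
                    f"catch-all '{earlier.username}' is ahead of specific "
                    f"{later.ip_range} '{later.username}'")
            if (earlier.ip_range == later.ip_range
                    and earlier.method == "password" and later.method == "key"):
                warnings.append(
                    f"password credential '{earlier.username}' is ahead of key "
                    f"credential '{later.username}' for {earlier.ip_range}")
    return warnings


# The ordered list from the Best Practices Example slides
SLIDE_CREDENTIALS = [
    Credential("10.0.0.1", "ssh", "key", "admin"),
    Credential("10.0.0.1", "ssh", "password", "admin"),
    Credential("10.0.0.*", "ssh", "password", "root"),
    Credential("20.0.0.*", "ssh", "password", "root"),
    Credential(".*", "ssh", "key", "discovery-user"),
    Credential(".*", "ssh", "password", "backupagent"),
]

if __name__ == "__main__":
    for ip in ("10.0.0.1", "10.0.0.7", "192.168.1.1"):
        print(ip, [f"{c.username}/{c.method}"
                   for c in candidates(SLIDE_CREDENTIALS, ip, "ssh")])
    print(ordering_warnings(list(reversed(SLIDE_CREDENTIALS))))
```

For 10.0.0.1 all five ssh credentials that cover it are tried in slide order, admin key first; for an address outside both ranges only the two `.*` entries remain, which is the cost rule 4 warns about, since every host reachable by ssh will consume a login attempt per catch-all credential that fails.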

Page 54: Addmi 14-discovery credentials


Testing Credentials

Page 55: Addmi 14-discovery credentials

Testing from the Credentials UI

Credentials can be tested from within the system. The check will test whether a session can be established,

BUT it cannot test the commands run by discovery or patterns, so it is not a guarantee that discovery will be successful, just that a connection can be made

Page 56: Addmi 14-discovery credentials


Other Locations for Credential Tests

From a Host

From a Discovery Access

Page 57: Addmi 14-discovery credentials

Testing IP Access

Select “Test IP Access” and enter a single IP

The test will run in the background

Page 58: Addmi 14-discovery credentials

Viewing IP Test Results

Click on the result to see details (a summary and a detail view)

Page 59: Addmi 14-discovery credentials


Testing Slave Connectivity and Access

Use the Ping option in the Actions menu to check Appliance to Slave connectivity

The result of the ping will be shown in the information banner

Page 60: Addmi 14-discovery credentials

Testing a Specific Slave IP Access

Select “Test” from the “Actions” menu and enter a single IP

The test will run in the background

Page 61: Addmi 14-discovery credentials

Testing Low Level Access

Sometimes it is useful to confirm that credentials work at a low level, outside of the Discovery service

There are separate procedures for each type of credential: UNIX, SNMP, Windows

Page 62: Addmi 14-discovery credentials

Testing UNIX Credential

Test from the Appliance CLI as the user ‘tideway’

SSH: ssh <username>@<ip>
Accept the host identity if prompted; enter the password if prompted

Telnet: telnet <ip>
Log in as <username> and enter the password

rlogin: rlogin <ip> -l <username>
Enter the password

Page 63: Addmi 14-discovery credentials

Testing SNMP Credential

Test from the Appliance CLI as the user ‘tideway’

SNMP: snmpwalk -On -v2c -c <string> <ip> .1.3.6.1.2.1.1.1.0

Expected return: .1.3.6.1.2.1.1.1.0 = STRING: Linux linuxdisc 2.6.5-1.358smp #1 SMP Sat May 8 09:25:36 EDT 2004 i686

Page 64: Addmi 14-discovery credentials

Testing Windows Credential (1)

Test from the Slave Host as the service user (WMI)

1) Start wbemtest from Start -> Run -> wbemtest

2) Click on the “Connect…” button, top right

Page 65: Addmi 14-discovery credentials

Testing Windows Credential (2)

3) In the connect window that pops up, replace the field “root\default” with “\\<target-machine>\root\cimv2”

4) Enter valid credentials for the target machine in the User and Password fields

5) Click “Connect”. There should be a short delay while wbemtest connects. You should return to the main wbemtest window with all the buttons enabled

Page 66: Addmi 14-discovery credentials

Testing Windows Credential (3)

This confirms remote WMI access is possible, but to confirm further we will query Win32_ComputerSystem

6) Click “Open Class…”

7) In the Get Class Name window that pops up, enter “Win32_ComputerSystem” and click OK

This should return an object editor window

Page 67: Addmi 14-discovery credentials

Testing Windows Credential (4)

8) Click on “Instances”, which should return a single instance with the name of the target machine

9) Double-click the instance to get an Object editor window for that instance and confirm that Domain, Name, Manufacturer and Model are populated

Page 68: Addmi 14-discovery credentials

Further Resources

Online Documentation: http://www.tideway.com/confluence/display/81/Credentials

Tideway Foundation Version 7.2 Documentation