This documentation refers to a previously released version of BMC Atrium Discovery (other versions).

System communications

Internal and external communication between elements of the system relies on CORBA calls using 128-bit SSL to ensure the confidentiality and integrity of the data and processes.

The core of the application manages the discovery and reasoning engines. It consistently interacts with the security engine to ensure user authentication and request authorization so that each action taken by the application can only be triggered from the application itself or by a user through the application UI or command line. External communications between the user and the application can be configured to use HTTPS over 128-bit SSL.

The encryption of communication between the discovery engine (appliance or discovery slave) and the target depends on the discovery method used. For example, ssh is encrypted, but telnet and rlogin (which may both be disabled) are not.

Adding user supplied certificates

Secure communications between elements of the system use CORBA over SSL. This is enabled using certificates in the following locations:

  • Each appliance (scanning or consolidation)
  • Each slave
  • Certificate Authority on each appliance

This refers to communications between components of the BMC Atrium Discovery system, not communications between BMC Atrium Discovery and discovery targets, or the user's web browser.

Support has not been built into the product to enable you to replace the default certificates with your own. However, it is possible to replace certificates on a like-for-like basis, that is, the same encryption type and key length. Any other type of certificate requiring new libraries would not work. Using multiple certificates to perform unique encryption per component is not supported either.
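
The like-for-like constraint can be checked before a replacement certificate is installed. The following script is an added example, not part of the BMC documentation or product tooling: it assumes OpenSSL is available, reads "same encryption type and key length" as same public-key algorithm and same key size, and uses hypothetical function and file names with constructed sample certificates.

```shell
#!/bin/sh
# Added example, not BMC tooling. Assumes OpenSSL is installed; "like-for-like"
# is interpreted here as same public-key algorithm and same key length.

# Print "<key algorithm> <key bits>" for a PEM certificate, e.g. "rsaEncryption 2048".
cert_key_profile() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | awk '
        /Public Key Algorithm:/ { alg = $NF }
        /Public-Key: \(/        { gsub(/[^0-9]/, ""); bits = $0 }
        END { if (alg == "" || bits == "") exit 1; print alg, bits }'
}

# Exit status: 0 = like-for-like, 1 = mismatch, 2 = a file is not a readable certificate.
like_for_like() {
    default_profile=$(cert_key_profile "$1") || { echo "cannot parse $1" >&2; return 2; }
    new_profile=$(cert_key_profile "$2") || { echo "cannot parse $2" >&2; return 2; }
    if [ "$default_profile" = "$new_profile" ]; then
        echo "OK: both certificates use $new_profile"
        return 0
    fi
    echo "MISMATCH: default=$default_profile replacement=$new_profile" >&2
    return 1
}

# Constructed sample input: a throwaway self-signed certificate with an RSA key
# of $1 bits, written to $2 (the private key goes to $2.key).
make_sample_cert() {
    openssl req -x509 -newkey "rsa:$1" -nodes -days 1 -subj "/CN=sample-$1" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}

# Demo on constructed certificates: one matching pair, one mismatching pair.
run_demo() {
    dir=$(mktemp -d) || return 2
    make_sample_cert 2048 "$dir/default.pem"
    make_sample_cert 2048 "$dir/same.pem"
    make_sample_cert 3072 "$dir/longer.pem"
    like_for_like "$dir/default.pem" "$dir/same.pem"
    like_for_like "$dir/default.pem" "$dir/longer.pem" || echo "rejected as expected"
    rm -rf "$dir"
}

# Usage: sh certcheck.sh demo | sh certcheck.sh DEFAULT.pem REPLACEMENT.pem
case "${1:-}" in
    demo) run_demo ;;
    "")   : ;;
    *)    like_for_like "$1" "$2" ;;
esac
```

Run it against a copy of the default certificate and the proposed replacement; a non-zero exit status means the replacement should not be installed.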

End-user Web authentication

End-user application authentication is critical to the security of the entire solution. BMC Atrium Discovery supports a number of Web authentication plug-ins and various levels of authentication strength, requiring one of many authentication factors:

  • SSL Client Certificate Verification - Strong authentication using a public key infrastructure certificate. The client's SSL Certificate is verified by the Web server. The user name is extracted from the certificate and used for authorization via LDAP
  • SSL Certificate Lookup - The user is authenticated by looking up custom parts of the client's SSL Certificate via LDAP. The certificate is not verified, but it must be valid
  • Standard Web Authentication - The user is authenticated by entering a username and password

Secure export to CMDB

The communication between BMC Atrium Discovery and BMC Atrium CMDB is based on the CMDB API. The encryption that comes with the AR Server is Standard Encryption: a 512-bit public key with 56-bit DES encryption on the wire. A customer who has acquired the higher levels of Remedy Encryption (a separate product) can obtain either 1024-bit public key/128-bit RC4 or 2048-bit public key/2048-bit RC4 encryption. Communication from BMC Atrium Discovery to the AR Server can be configured to use a single chosen port (ARTCPPORT).
