Chapter 3. Adding sources and credentials
To prepare Discovery to run scans, you must add the parts of your IT infrastructure that you want to scan as one or more sources. You must also add the authentication information, such as a username and password or SSH key, that is required to access those sources as one or more credentials. Because of differing configuration requirements, you add sources and credentials according to the type of source that you are going to scan.
Learn more
As part of the general process of adding sources and credentials that encompass the different parts of your IT infrastructure, you might need to complete a number of tasks.
Add network sources and credentials to scan assets such as physical machines, virtual machines, or containers in your network. To learn more, see the following information:
Add satellite sources and credentials to scan your deployment of Red Hat Satellite Server to find the assets that it manages. To learn more, see the following information:
Add vcenter sources and credentials to scan your deployment of vCenter Server to find the assets that it manages. To learn more, see the following information:
Add OpenShift sources and credentials to scan your deployment of Red Hat OpenShift Container Platform clusters. To learn more, see the following information:
Add Ansible sources and credentials to scan your deployment of Ansible Automation Platform to find the secured clusters that it manages. To learn more, see the following information:
Add RHACS sources and credentials to scan your deployment of Red Hat Advanced Cluster Security for Kubernetes to find the secured clusters that RHACS manages. To learn more, see the following information:
3.1. Adding network sources and credentials
To run a scan on one or more of the physical machines, virtual machines, or containers on your network, you must add a source that identifies each of the assets to scan. Then you must add credentials that contain the authentication data to access each asset.
Learn more
Add one or more network sources and credentials to provide the information needed to scan the assets in your network. To learn more, see the following information:
- To add a network source, see Adding network sources.
- To add a network credential, see Adding network credentials.
To learn more about sources and credentials and how Discovery uses them, see the following information:
To learn more about how Discovery authenticates with assets on your network, see the following information. This information includes guidance about running commands with elevated privileges, a choice that you might need to make during network credential configuration:
3.1.1. Adding network sources
You can add sources from the initial Welcome page or from the Sources view.
Procedure
Click the option to add a new source based on your location:
- From the Welcome page, click Add Source.
- From the Sources view, click Add.
The Add Source wizard opens.
- On the Type page, select Network Range as the source type and click Next.
On the Credentials page, enter the following information.
- In the Name field, enter a descriptive name.
- In the Search Addresses field, enter one or more network identifiers separated by commas. You can enter hostnames, IP addresses, and IP ranges.
  - Enter hostnames as DNS hostnames, for example, server1.example.com.
  - Enter IP ranges in CIDR or Ansible notation, for example, 192.168.1.0/24 for CIDR notation or 192.168.1.[1:254] for Ansible notation.
- Optional: In the Port field, enter a different port if you do not want a scan for this source to run on the default port 22.
- In the Credentials list, select the credentials that are required to access the network resources for this source. If a required credential does not exist, click the Add a credential icon to open the Add Credential wizard.
- If your network resources require the Ansible connection method to be the Python SSH implementation, Paramiko, instead of the default OpenSSH implementation, select the Connect using Paramiko instead of OpenSSH check box.
- Click Save to save the source and then click Close to close the Add Source wizard.
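An added example, not part of the Discovery product or its documentation: a Python check that parses a Search Addresses value in the forms described above (hostnames, IP addresses, CIDR, and the numeric Ansible range 192.168.1.[1:254]) and reports how many addresses a source would cover before credentials are attached to it. The function names, the 1024-address review limit, and the sample input are assumptions; how Discovery itself expands or validates the field is not stated here.

```python
"""Review a 'Search Addresses' value before saving a network source (added example)."""
import ipaddress
import re

# One octet is either a number or a numeric Ansible range such as [1:254].
_OCTET = r"(?:\d{1,3}|\[\d{1,3}:\d{1,3}\])"
_ANSIBLE_RANGE = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$")
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(?:\.{_LABEL})*$")
_NUMERIC = re.compile(r"^[\d.]+$")


def _expand_octet(part):
    """Return (low, high) for one octet, which is either N or [N:M]."""
    if part.startswith("["):
        low, high = (int(x) for x in part[1:-1].split(":"))
    else:
        low = high = int(part)
    if not 0 <= low <= high <= 255:
        raise ValueError(f"octet range {part} is outside 0-255 or reversed")
    return low, high


def classify(entry):
    """Return (kind, address_count, is_private) for one identifier.

    is_private is None for hostnames, because resolving them is out of scope.
    """
    try:
        return "ip", 1, ipaddress.ip_address(entry).is_private
    except ValueError:
        pass
    if "/" in entry:
        # strict=True rejects host bits in the network part, e.g. 192.168.1.5/24
        net = ipaddress.ip_network(entry, strict=True)
        return "cidr", net.num_addresses, net.is_private
    if "[" in entry or "]" in entry:
        if not _ANSIBLE_RANGE.match(entry):
            raise ValueError("not a numeric Ansible range such as 192.168.1.[1:254]")
        bounds = [_expand_octet(p) for p in entry.split(".")]
        count = 1
        for low, high in bounds:
            count *= high - low + 1
        first = ipaddress.ip_address(".".join(str(b[0]) for b in bounds))
        last = ipaddress.ip_address(".".join(str(b[1]) for b in bounds))
        # Approximation: the range is treated as private if both ends are.
        return "ansible_range", count, first.is_private and last.is_private
    if _NUMERIC.match(entry):
        raise ValueError("looks like an IP address but is not a valid one")
    if not _HOSTNAME.match(entry):
        raise ValueError("not a valid DNS hostname")
    return "hostname", 1, None


def review_search_addresses(field, max_addresses=1024):
    """Split the comma-separated field and summarise what a scan would target.

    max_addresses is an assumed local review threshold, not a Discovery limit.
    """
    report = {"entries": [], "errors": [], "warnings": [], "total_addresses": 0}
    for raw in field.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            kind, count, private = classify(entry)
        except ValueError as exc:
            report["errors"].append(f"{entry}: {exc}")
            continue
        report["entries"].append((entry, kind, count))
        report["total_addresses"] += count
        if private is False:
            report["warnings"].append(f"{entry}: includes non-private address space")
    total = report["total_addresses"]
    if total > max_addresses:
        report["warnings"].append(
            f"{total} addresses exceeds the review limit of {max_addresses}"
        )
    return report


if __name__ == "__main__":
    # Constructed sample: the last two entries are the kind of typo worth catching.
    sample = ("server1.example.com, 192.168.1.0/24, 192.168.1.[1:254], "
              "192.168.1.300, 172.32.0.0/24")
    result = review_search_addresses(sample)
    for entry, kind, count in result["entries"]:
        print(f"{kind:14} {count:>6}  {entry}")
    for line in result["errors"] + result["warnings"]:
        print("CHECK:", line)
```

The CIDR count is the full block size, so it is an upper bound on the hosts a scan would attempt to reach.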
3.1.2. Adding network credentials
You can add credentials from the Credentials view or from the Add Source wizard during the creation of a source. You might need to add several credentials to authenticate to all of the assets that are included in a single source.
Prerequisites
If you want to use the SSH key authentication type for network credentials, each SSH private key that you are going to use must be copied into the directory that was mapped to /sshkeys during Discovery server installation. The default path for this directory is "${HOME}"/.local/share/discovery/sshkeys.
For more information about the SSH keys that are available for use in the /sshkeys directory, or to request the addition of a key to that directory, contact the administrator who manages your Discovery server.
Procedure
Click the option to add a new credential based on your location:
- From the Credentials view, click
- From the Add Source wizard, click the Add a credential icon for the Credentials field.
The Add Credential wizard opens.
- In the Credential Name field, enter a descriptive name.
- In the Authentication Type field, select the type of authentication that you want to use. You can select either Username and Password or SSH Key.
Enter the authentication data in the appropriate fields, based on the authentication type.
- For username and password authentication, enter a username and password for a user. This user must have root-level access to your network or to the subset of your network that you want to scan. Alternatively, this user must be able to obtain root-level access with the selected become method.
- For SSH key authentication, enter a username and the path to the SSH keyfile that is local to the Discovery server container. For example, if the keyfile is in the "${HOME}"/.local/share/discovery/sshkeys default path on the server, enter that path in the SSH Key File field. Entering a passphrase is optional.
- Enter the become method for privilege elevation. Privilege elevation is required to run some commands during a network scan. Entering a username and password for the become method is optional.
- Click Save to save the credential and close the Add Credential wizard.
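An added example, not part of Discovery: a Python audit of the key directory named in the prerequisites, reporting files that grant group or other access and private keys stored without a passphrase (which the wizard treats as optional). The function names and the file-mode policy are assumptions; the OpenSSH check reads the cipher-name field of the openssh-key-v1 file format, and the sample key builder produces a header-only, unusable file.

```python
"""Audit private keys in the directory mapped to /sshkeys (added example)."""
import base64
import os
import stat
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def key_is_encrypted(pem_text):
    """Return True/False for a recognised private key, None if unrecognised."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return None
    header = lines[0]
    if "OPENSSH PRIVATE KEY" in header:
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        try:
            blob = base64.b64decode(body)
        except ValueError:
            return None
        offset = len(OPENSSH_MAGIC)
        if not blob.startswith(OPENSSH_MAGIC) or len(blob) < offset + 4:
            return None
        # A length-prefixed cipher name follows the magic; "none" means no passphrase.
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        return blob[offset + 4:offset + 4 + length] != b"none"
    if "ENCRYPTED PRIVATE KEY" in header:  # encrypted PKCS#8
        return True
    if "PRIVATE KEY" in header:
        # Traditional PEM keys mark encryption with a Proc-Type header line.
        return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln
                   for ln in lines[1:4])
    return None


def audit_key_dir(path):
    """Return a list of (filename, [findings]) for every entry in the key directory."""
    results = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        st = os.lstat(full)
        if not stat.S_ISREG(st.st_mode):
            results.append((name, ["not a regular file (symlink or directory)"]))
            continue
        findings = []
        # Assumed policy: private keys should be readable by their owner only.
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            mode = stat.S_IMODE(st.st_mode)
            findings.append(f"mode {mode:04o} grants group/other access")
        with open(full, "r", errors="replace") as fh:
            encrypted = key_is_encrypted(fh.read(65536))
        if encrypted is None:
            findings.append("not a recognised private key")
        elif not encrypted:
            findings.append("private key has no passphrase")
        results.append((name, findings))
    return results


def constructed_openssh_key(cipher):
    """Build a header-only, unusable OpenSSH key file for demonstration (constructed)."""
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher
    body = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + body +
            "\n-----END OPENSSH PRIVATE KEY-----\n")


if __name__ == "__main__":
    # Default host path from the prerequisites above.
    key_dir = os.path.expanduser("~/.local/share/discovery/sshkeys")
    if os.path.isdir(key_dir):
        for name, findings in audit_key_dir(key_dir):
            print(name, "OK" if not findings else "; ".join(findings))
    else:
        print("key directory not found:", key_dir)
```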
3.1.3. About sources and credentials
To run a scan, you must configure data for two basic structures: sources and credentials. The type of source that you are going to inspect during the scan determines the type of data that is required for both source and credential configuration.
A source contains a single asset or a set of multiple assets that are to be inspected during the scan. You can configure any of the following types of sources:
- Network source: One or more physical machines, virtual machines, or containers. These assets can be expressed as hostnames, IP addresses, IP ranges, or subnets.
- vCenter source: A vCenter Server systems management solution that is managing all or part of your IT infrastructure.
- Satellite source: A Satellite systems management solution that is managing all or part of your IT infrastructure.
- Red Hat OpenShift source: A Red Hat OpenShift Container Platform cluster that is managing all or part of your Red Hat OpenShift Container Platform nodes and workloads.
- Ansible source: An Ansible management solution that is managing your Ansible nodes and workloads.
- Red Hat Advanced Cluster Security for Kubernetes source: A RHACS security platform solution that secures your Kubernetes environments.
When you are working with network sources, you determine how many individual assets you should group within a single source. Currently, you can add multiple assets to a source only for network sources. The following list contains some of the other factors that you should consider when you are adding sources:
- Whether assets are part of a development, testing, or production environment, and if demands on computing power and similar concerns are a consideration for those assets.
- Whether you want to scan a particular entity or group of entities more often because of internal business practices such as frequent changes to the installed software.
A credential contains data such as the username and password or SSH key of a user with sufficient authority to run the scan on all or part of the assets that are contained in that source. As with sources, credentials are configured as the network, vCenter, satellite, OpenShift, Ansible, or RHACS type. Typically, a network source might require multiple network credentials because it is expected that many credentials would be needed to access all of the assets in a broad IP range. Conversely, a vCenter or satellite source would typically use a single vCenter or satellite credential, as applicable, to access a particular system management solution server, and an OpenShift, Ansible, or RHACS source would use a single credential to access a single cluster.
You can add new sources from the Sources view and you can add new credentials from the Credentials view. You can also add new or select previously existing credentials during source creation. It is during source creation that you associate a credential directly with a source. Because sources and credentials must have matching types, any credential that you add during source creation shares the same type as the source. In addition, if you want to use an existing credential during source creation, the list of available credentials contains only credentials of the same type. For example, during network source creation, only network credentials are available for selection.
3.1.4. Network authentication
The Discovery application inspects the remote systems in a network scan by using the SSH remote connection capabilities of Ansible. When you add a network credential, you configure the SSH connection by using either a username and password or a username and SSH keyfile pair. If remote systems are accessed with SSH key authentication, you can also supply a passphrase for the SSH key.
Also during network credential configuration, you can enable a become method. The become method is used during a scan to elevate privileges. These elevated privileges are needed to run commands and obtain data on the systems that you are scanning. For more information about the commands that do and do not require elevated privileges during a scan, see Commands that are used in scans of remote network assets.
3.1.4.1. Commands that are used in scans of remote network assets
When you run a network scan, Discovery must use the credentials that you provide to run certain commands on the remote systems in your network. Some of those commands must run with elevated privileges. This access is typically acquired through the use of the sudo command or similar commands. The elevated privileges are required to gather the types of facts that Discovery uses to build the report about your installed products.
Although it is possible to run a scan for a network source without elevated privileges, the results of that scan will be incomplete. The incomplete results from the network scan will affect the quality of the generated report for the scan.
The following information lists the commands that Discovery runs on remote hosts during a network scan. The information includes the basic commands that can run without elevated privileges and the commands that must run with elevated privileges to gather the most accurate and complete information for the report.
In addition to the following commands, Discovery also depends on standard shell facilities, such as those provided by the bash shell.
3.1.4.1.1. Basic commands that do not need elevated privileges
The following commands do not require elevated privileges to gather facts during a scan:
- cat
- egrep
- sort
- uname
- ctime
- grep
- rpm
- virsh
- date
- id
- test
- whereis
- echo
- sed
- tune2fs
- xargs
3.1.4.1.2. Commands that need elevated privileges
The following commands require elevated privileges to gather facts during a scan. Each command includes a list of individual facts or categories of facts that Discovery attempts to find during a scan. These facts cannot be included in reports if elevated privileges are not available for that command.
- awk
- cat
- chkconfig
- command
- df
- dirname
- dmidecode
- echo
- egrep
- fgrep
- find
- ifconfig
- ip
- java
- locate
- ls
- ps
- readlink
- sed
- sort
- stat
- subscription-manager
- systemctl
- tail
- test
- tr
- unzip
- virt-what
- xargs
- yum
3.2. Adding satellite sources and credentials
To run a scan on a Red Hat Satellite Server deployment, you must add a source that identifies the Satellite Server server to scan. Then you must add a credential that contains the authentication data to access that server.
Learn more
Add a satellite source and credential to provide the information needed to scan Satellite Server. To learn more, see the following information:
- To add a satellite source, see Adding satellite sources.
- To add a satellite credential, see Adding satellite credentials.
To learn more about sources and credentials and how Discovery uses them, see the following information:
To learn more about how Discovery authenticates with your Satellite Server server, see the following information. This information includes guidance about certificate validation and SSL communication choices that you might need to make during satellite credential configuration.
3.2.1. Adding satellite sources
You can add sources from the initial Welcome page or from the Sources view.
Procedure
Click the option to add a new source based on your location:
- From the Welcome page, click Add Source.
- From the Sources view, click Add.
The Add Source wizard opens.
- On the Type page, select Satellite as the source type and click Next.
On the Credentials page, enter the following information.
- In the Name field, enter a descriptive name.
- In the IP Address or Hostname field, enter the IP address or hostname of the Satellite server for this source. Enter a different port if you do not want a scan for this source to run on the default port 443. For example, if the IP address of the Satellite server is 192.0.2.15 and you want to change the port to 80, you would enter 192.0.2.15:80.
- In the Credentials list, select the credential that is required to access the Satellite server for this source. If a required credential does not exist, click the Add a credential icon to open the Add Credential wizard.
In the Connection list, select the SSL protocol to be used for a secure connection during a scan of this source.
Note: Satellite Server does not support the disabling of SSL. If you select the Disable SSL option, this option is ignored.
- If you need to upgrade the SSL validation for the Satellite server to check for a verified SSL certificate from a certificate authority, select the Verify SSL Certificate check box.
- Click Save to save the source and then click Close to close the Add Source wizard.
3.2.2. Adding satellite credentials
You can add credentials from the Credentials view or from the Add Source wizard during the creation of a source.
Procedure
Click the option to add a new credential based on your location:
- From the Credentials view, click
- From the Add Source wizard, click the Add a credential icon for the Credentials field.
The Add Credential wizard opens.
- In the Credential Name field, enter a descriptive name.
- Enter the username and password for a Satellite Server administrator.
- Click Save to save the credential and close the Add Credential wizard.
3.2.3. About sources and credentials
To run a scan, you must configure data for two basic structures: sources and credentials. The type of source that you are going to inspect during the scan determines the type of data that is required for both source and credential configuration.
A source contains a single asset or a set of multiple assets that are to be inspected during the scan. You can configure any of the following types of sources:
- Network source: One or more physical machines, virtual machines, or containers. These assets can be expressed as hostnames, IP addresses, IP ranges, or subnets.
- vCenter source: A vCenter Server systems management solution that is managing all or part of your IT infrastructure.
- Satellite source: A Satellite systems management solution that is managing all or part of your IT infrastructure.
- Red Hat OpenShift source: A Red Hat OpenShift Container Platform cluster that is managing all or part of your Red Hat OpenShift Container Platform nodes and workloads.
- Ansible source: An Ansible management solution that is managing your Ansible nodes and workloads.
- Red Hat Advanced Cluster Security for Kubernetes source: A RHACS security platform solution that secures your Kubernetes environments.
When you are working with network sources, you determine how many individual assets you should group within a single source. Currently, you can add multiple assets to a source only for network sources. The following list contains some of the other factors that you should consider when you are adding sources:
- Whether assets are part of a development, testing, or production environment, and if demands on computing power and similar concerns are a consideration for those assets.
- Whether you want to scan a particular entity or group of entities more often because of internal business practices such as frequent changes to the installed software.
A credential contains data such as the username and password or SSH key of a user with sufficient authority to run the scan on all or part of the assets that are contained in that source. As with sources, credentials are configured as the network, vCenter, satellite, OpenShift, Ansible, or RHACS type. Typically, a network source might require multiple network credentials because it is expected that many credentials would be needed to access all of the assets in a broad IP range. Conversely, a vCenter or satellite source would typically use a single vCenter or satellite credential, as applicable, to access a particular system management solution server, and an OpenShift, Ansible, or RHACS source would use a single credential to access a single cluster.
You can add new sources from the Sources view and you can add new credentials from the Credentials view. You can also add new or select previously existing credentials during source creation. It is during source creation that you associate a credential directly with a source. Because sources and credentials must have matching types, any credential that you add during source creation shares the same type as the source. In addition, if you want to use an existing credential during source creation, the list of available credentials contains only credentials of the same type. For example, during network source creation, only network credentials are available for selection.
3.2.4. Satellite Server authentication
For a satellite scan, the connectivity and access to Satellite Server derives from basic authentication (username and password) that is encrypted over HTTPS. By default, the satellite scan runs with certificate validation and secure communication through the SSL (Secure Sockets Layer) protocol. During source creation, you can select from several different SSL and TLS (Transport Layer Security) protocols to use for the certificate validation and secure communication.
The Satellite Server credentials that you use for a satellite scan must be a user with a role that contains the view permissions for hosts, subscriptions, and organizations.
You might need to adjust the level of certificate validation to connect properly to the Satellite server during a scan. For example, your Satellite server might use a verified SSL certificate from a certificate authority. During source creation, you can upgrade SSL certificate validation to check for that certificate during a scan of that source. Conversely, your Satellite server might use self-signed certificates. During source creation, you can leave the SSL validation at the default so that a scan of that source does not check for a certificate. This choice, to leave the option at the default for a self-signed certificate, could possibly avoid scan errors.
Although the option to disable SSL is currently available in the interface, Satellite Server does not support the disabling of SSL. If you select the Disable SSL option when you create a satellite source, this option is ignored.
3.3. Adding vcenter sources and credentials
To run a scan on a vCenter Server deployment, you must add a source that identifies the vCenter Server server to scan. Then you must add a credential that contains the authentication data to access that server.
Learn more
Add a vcenter source and credential to provide the information needed to scan vCenter Server. To learn more, see the following information:
- To add a vcenter source, see Adding vcenter sources.
- To add a vcenter credential, see Adding vcenter credentials.
To learn more about sources and credentials and how Discovery uses them, see the following information:
To learn more about how Discovery authenticates with your vCenter Server server, see the following information. This information includes guidance about certificate validation and SSL communication choices that you might need to make during vcenter credential configuration:
3.3.1. Adding vcenter sources
You can add sources from the initial Welcome page or from the Sources view.
A vCenter source is only compatible with a vCenter deployment. You cannot use this source to scan other virtualization infrastructures, even those that are supported by Red Hat.
Procedure
Click the option to add a new source based on your location:
- From the Welcome page, click Add Source.
- From the Sources view, click Add.
The Add Source wizard opens.
- On the Type page, select vCenter Server as the source type and click Next.
On the Credentials page, enter the following information:
- In the Name field, enter a descriptive name.
- In the IP Address or Hostname field, enter the IP address or hostname of the vCenter Server for this source. Enter a different port if you do not want a scan for this source to run on the default port 443. For example, if the IP address of the vCenter Server is 192.0.2.15 and you want to change the port to 80, you would enter 192.0.2.15:80.
- In the Credentials list, select the credential that is required to access the vCenter Server for this source. If a required credential does not exist, click the Add a credential icon to open the Add Credential wizard.
- In the Connection list, select the SSL protocol to be used for a secure connection during a scan of this source. Select Disable SSL to disable secure communication during a scan of this source.
- If you need to upgrade the SSL validation for the vCenter Server to check for a verified SSL certificate from a certificate authority, select the Verify SSL Certificate check box.
- Click Save to save the source and then click Close to close the Add Source wizard.
3.3.2. Adding vcenter credentials
You can add credentials from the Credentials view or from the Add Source wizard during the creation of a source.
Procedure
Click the option to add a new credential based on your location:
- From the Credentials view, click
- From the Add Source wizard, click the Add a credential icon for the Credentials field.
The Add Credential wizard opens.
- In the Credential Name field, enter a descriptive name.
- Enter the username and password for a vCenter Server administrator.
- Click Save to save the credential and close the Add Credential wizard.
3.3.3. About sources and credentials
To run a scan, you must configure data for two basic structures: sources and credentials. The type of source that you are going to inspect during the scan determines the type of data that is required for both source and credential configuration.
A source contains a single asset or a set of multiple assets that are to be inspected during the scan. You can configure any of the following types of sources:
- Network source: One or more physical machines, virtual machines, or containers. These assets can be expressed as hostnames, IP addresses, IP ranges, or subnets.
- vCenter source: A vCenter Server systems management solution that is managing all or part of your IT infrastructure.
- Satellite source: A Satellite systems management solution that is managing all or part of your IT infrastructure.
- Red Hat OpenShift source: A Red Hat OpenShift Container Platform cluster that is managing all or part of your Red Hat OpenShift Container Platform nodes and workloads.
- Ansible source: An Ansible management solution that is managing your Ansible nodes and workloads.
- Red Hat Advanced Cluster Security for Kubernetes source: A RHACS security platform solution that secures your Kubernetes environments.
When you are working with network sources, you determine how many individual assets you should group within a single source. Currently, you can add multiple assets to a source only for network sources. The following list contains some of the other factors that you should consider when you are adding sources:
- Whether assets are part of a development, testing, or production environment, and if demands on computing power and similar concerns are a consideration for those assets.
- Whether you want to scan a particular entity or group of entities more often because of internal business practices such as frequent changes to the installed software.
A credential contains data such as the username and password or SSH key of a user with sufficient authority to run the scan on all or part of the assets that are contained in that source. As with sources, credentials are configured as the network, vCenter, satellite, OpenShift, Ansible, or RHACS type. Typically, a network source might require multiple network credentials because it is expected that many credentials would be needed to access all of the assets in a broad IP range. Conversely, a vCenter or satellite source would typically use a single vCenter or satellite credential, as applicable, to access a particular system management solution server, and an OpenShift, Ansible, or RHACS source would use a single credential to access a single cluster.
You can add new sources from the Sources view and you can add new credentials from the Credentials view. You can also add new or select previously existing credentials during source creation. It is during source creation that you associate a credential directly with a source. Because sources and credentials must have matching types, any credential that you add during source creation shares the same type as the source. In addition, if you want to use an existing credential during source creation, the list of available credentials contains only credentials of the same type. For example, during network source creation, only network credentials are available for selection.
3.3.4. vCenter Server authentication
For a vcenter scan, the connectivity and access to vCenter Server derives from basic authentication (username and password) that is encrypted over HTTPS. By default, the vcenter scan runs with certificate validation and secure communication through the SSL (Secure Sockets Layer) protocol. During source creation, you can select from several different SSL and TLS (Transport Layer Security) protocols to use for the certificate validation and secure communication.
You might need to adjust the level of certificate validation to connect properly to the vCenter server during a scan. For example, your vCenter server might use a verified SSL certificate from a certificate authority. During source creation, you can upgrade SSL certificate validation to check for that certificate during a scan of that source. Conversely, your vCenter server might use self-signed certificates. During source creation, you can leave the SSL validation at the default so that a scan of that source does not check for a certificate. This choice, to leave the option at the default for a self-signed certificate, could possibly avoid scan errors.
You might also need to disable SSL as the method of secure communication during the scan if the vCenter server is not configured to use SSL communication for web applications. For example, your vCenter server might be configured to communicate with web applications by using HTTP with port 80. If so, then during source creation you can disable SSL communication for scans of that source.
3.4. Adding OpenShift sources and credentials
To run a scan on a Red Hat OpenShift Container Platform deployment, you must add a source that identifies the Red Hat OpenShift Container Platform cluster to scan. Then you must add a credential that contains the authentication data to access that cluster.
Learn more
Add an OpenShift source and credential to provide the information needed to scan a Red Hat OpenShift Container Platform cluster. To learn more, see the following information:
- To add an OpenShift source, see Add an OpenShift source.
- To add an OpenShift credential, see Add an OpenShift credential.
To learn more about sources and credentials and how Discovery uses them, see the following information:
To learn more about how Discovery authenticates with your Red Hat OpenShift Container Platform cluster, see the following information. This information includes guidance about certificate validation and SSL communication choices that you might need to make during OpenShift credential configuration:
3.4.1. Adding Red Hat OpenShift Container Platform sources
You can add sources from the initial Welcome page or from the Sources view.
Prerequisites
- You will need access to the Red Hat OpenShift Container Platform web console administrator perspective to get the API address and token values.
Procedure
Click the option to add a new source based on your location:
- From the Welcome page, click Add Source.
- From the Sources view, click Add.
The Add Source wizard opens.
- On the Type page, select OpenShift as the source type and click Next.
On the Credentials page, enter the following information:
- In the Name field, enter a descriptive name.
- In the IP Address or Hostname field, enter the Red Hat OpenShift Container Platform cluster API address for this source. You can find the cluster API address by viewing the overview details for the cluster in the web console.
- In the Credentials list, select the credential that is required to access the cluster for this source. If a required credential does not exist, click the Add a credential icon to open the Add Credential wizard.
- In the Connection list, select the SSL protocol to be used for a secure connection during a scan of this source. Select Disable SSL to disable secure communication during a scan of this source.
- If you need to upgrade the SSL validation for the cluster to check for a verified SSL certificate from a certificate authority, select the Verify SSL Certificate check box.
- Click Save to save the source and then click Close to close the Add Source wizard.
3.4.2. Adding Red Hat OpenShift Container Platform credentials
You can add credentials from the Credentials view or from the Add Source wizard during the creation of a source.
Prerequisites
- You will need access to the Red Hat OpenShift Container Platform web console administrator perspective to get the API address and token values.
Procedure
Click the option to add a new credential based on your location:
- From the Credentials view, click
- From the Add Source wizard, click the Add a credential icon for the Credentials field.
The Add Credential wizard opens.
- In the Credential Name field, enter a descriptive name.
- Enter the API token for the Red Hat OpenShift Container Platform cluster from your Administrator console. You can find the API token by clicking your username in the console, clicking the Display Token option and copying the value displayed for Your API token is.
- Click Save to save the credential and close the Add Credential wizard.
3.4.3. About sources and credentials
To run a scan, you must configure data for two basic structures: sources and credentials. The type of source that you are going to inspect during the scan determines the type of data that is required for both source and credential configuration.
A source contains a single asset or a set of multiple assets that are to be inspected during the scan. You can configure any of the following types of sources:
- Network source: One or more physical machines, virtual machines, or containers. These assets can be expressed as hostnames, IP addresses, IP ranges, or subnets.
- vCenter source: A vCenter Server systems management solution that is managing all or part of your IT infrastructure.
- Satellite source: A Satellite systems management solution that is managing all or part of your IT infrastructure.
- Red Hat OpenShift source: A Red Hat OpenShift Container Platform cluster that is managing all or part of your Red Hat OpenShift Container Platform nodes and workloads.
- Ansible source: An Ansible management solution that is managing your Ansible nodes and workloads.
- Red Hat Advanced Cluster Security for Kubernetes source: A RHACS security platform solution that secures your Kubernetes environments.
When you are working with network sources, you determine how many individual assets you should group within a single source. Currently, you can add multiple assets to a source only for network sources. The following list contains some of the other factors that you should consider when you are adding sources:
- Whether assets are part of a development, testing, or production environment, and if demands on computing power and similar concerns are a consideration for those assets.
- Whether you want to scan a particular entity or group of entities more often because of internal business practices such as frequent changes to the installed software.
A credential contains data such as the username and password or SSH key of a user with sufficient authority to run the scan on all or part of the assets that are contained in that source. As with sources, credentials are configured as the network, vCenter, satellite, OpenShift, Ansible, or RHACS type. Typically, a network source might require multiple network credentials because it is expected that many credentials would be needed to access all of the assets in a broad IP range. Conversely, a vCenter or satellite source would typically use a single vCenter or satellite credential, as applicable, to access a particular system management solution server, and an OpenShift, Ansible, or RHACS source would use a single credential to access a single cluster.
You can add new sources from the Sources view and you can add new credentials from the Credentials view. You can also add new or select previously existing credentials during source creation. It is during source creation that you associate a credential directly with a source. Because sources and credentials must have matching types, any credential that you add during source creation shares the same type as the source. In addition, if you want to use an existing credential during source creation, the list of available credentials contains only credentials of the same type. For example, during network source creation, only network credentials are available for selection.
3.4.4. Red Hat OpenShift Container Platform authentication
For an OpenShift scan, the connectivity and access to the OpenShift cluster API address derives from basic authentication with a cluster API address and an API token that is encrypted over HTTPS. By default, the OpenShift scan runs with certificate validation and secure communication through the SSL (Secure Sockets Layer) protocol. During source creation, you can select from several different SSL and TLS (Transport Layer Security) protocols to use for the certificate validation and secure communication.
You might need to adjust the level of certificate validation to connect properly to the Red Hat OpenShift Container Platform cluster API address during a scan. For example, your OpenShift cluster API address might use a verified SSL certificate from a certificate authority. During source creation, you can upgrade SSL certificate validation to check for that certificate during a scan of that source. Conversely, your cluster API address might use self-signed certificates. During source creation, you can leave the SSL validation at the default so that a scan of that source does not check for a certificate. This choice, to leave the option at the default for a self-signed certificate, could possibly avoid scan errors.
You might also need to disable SSL as the method of secure communication during the scan if the OpenShift cluster API address is not configured to use SSL communication for web applications. For example, your OpenShift server might be configured to communicate with web applications by using HTTP with port 80. If so, then during source creation you can disable SSL communication for scans of that source.
3.5. Adding Ansible sources and credentials
To run a scan on an Ansible deployment, you must add a source that identifies the Ansible Automation Platform to scan. Then, you must add a credential that contains the authentication data to access that cluster.
Learn more
Add an Ansible source and credential to provide the information needed to scan your Ansible Automation Platform deployment. To learn more, see the following information:
- To add an Ansible source, see Add an Ansible source.
- To add an Ansible credential, see Add an Ansible credential.
To learn more about sources and credentials and how Discovery uses them, see the following information:
To learn more about how Discovery authenticates with your Ansible deployment, see the following information. This information includes guidance about certificate validation and SSL communication choices that you might need to make during Ansible credential configuration:
3.5.1. Adding Red Hat Ansible Automation Platform sources
You can add sources from the initial Welcome page or from the Sources view.
Procedure
Click the option to add a new source based on your location:
- From the Welcome page, click Add Source.
- From the Sources view, click Add Source.
The Add Source wizard opens.
- On the Type page, select Ansible Controller as the source type and click Next.
On the Credentials page, enter the following information:
- In the Name field, enter a descriptive name.
- In the IP Address or Hostname field, enter the Ansible host IP address for this source. You can find the host IP address by viewing the overview details for the controller in the portal.
- In the Credentials list, select the credential that is required to access the cluster for this source. If a required credential does not exist, click the Add a credential icon to open the Add Credential wizard.
- In the Connection list, select the SSL protocol to be used for a secure connection during a scan of this source. Select Disable SSL to disable secure communication during a scan of this source.
- If you need to upgrade the SSL validation for the cluster to check for a verified SSL certificate from a certificate authority, select the Verify SSL Certificate check box.
- Click Save to save the source and then click Close to close the Add Source wizard.
3.5.2. Adding Red Hat Ansible Automation Platform credentials
You can add credentials from the Credentials view or from the Add Source wizard during the creation of a source.
Procedure
Click the option to add a new credential based on your location:
- From the Credentials view, click .
- From the Add Source wizard, click the Add a credential icon for the Credentials field.
The Add Credential wizard opens.
- In the Credential Name field, enter a descriptive name.
- In the User Name field, enter the username for your Ansible Controller instance.
- In the Password field, enter the password for your Ansible Controller instance.
- Click Save to save the credential. The Add credential wizard closes.
3.5.3. About sources and credentials
To run a scan, you must configure data for two basic structures: sources and credentials. The type of source that you are going to inspect during the scan determines the type of data that is required for both source and credential configuration.
A source contains a single asset or a set of multiple assets that are to be inspected during the scan. You can configure any of the following types of sources:
- Network source: One or more physical machines, virtual machines, or containers. These assets can be expressed as hostnames, IP addresses, IP ranges, or subnets.
- vCenter source: A vCenter Server systems management solution that is managing all or part of your IT infrastructure.
- Satellite source: A Satellite systems management solution that is managing all or part of your IT infrastructure.
- Red Hat OpenShift source: A Red Hat OpenShift Container Platform cluster that is managing all or part of your Red Hat OpenShift Container Platform nodes and workloads.
- Ansible source: An Ansible management solution that is managing your Ansible nodes and workloads.
- Red Hat Advanced Cluster Security for Kubernetes source: A RHACS security platform solution that secures your Kubernetes environments.
When you are working with network sources, you determine how many individual assets you should group within a single source. Currently, you can add multiple assets to a source only for network sources. The following list contains some of the other factors that you should consider when you are adding sources:
- Whether assets are part of a development, testing, or production environment, and if demands on computing power and similar concerns are a consideration for those assets.
- Whether you want to scan a particular entity or group of entities more often because of internal business practices such as frequent changes to the installed software.
A credential contains data such as the username and password or SSH key of a user with sufficient authority to run the scan on all or part of the assets that are contained in that source. As with sources, credentials are configured as the network, vCenter, satellite, OpenShift, Ansible, or RHACS type. Typically, a network source might require multiple network credentials because it is expected that many credentials would be needed to access all of the assets in a broad IP range. Conversely, a vCenter or satellite source would typically use a single vCenter or satellite credential, as applicable, to access a particular system management solution server, and an OpenShift, Ansible, or RHACS source would use a single credential to access a single cluster.
You can add new sources from the Sources view and you can add new credentials from the Credentials view. You can also add new or select previously existing credentials during source creation. It is during source creation that you associate a credential directly with a source. Because sources and credentials must have matching types, any credential that you add during source creation shares the same type as the source. In addition, if you want to use an existing credential during source creation, the list of available credentials contains only credentials of the same type. For example, during network source creation, only network credentials are available for selection.
3.5.4. Ansible authentication
For an Ansible scan, the connectivity and access to Ansible host IP addresses derives from basic authentication with a host IP address and a password that is encrypted over HTTPS. By default, the Ansible scan runs with certificate validation and secure communication through the SSL (Secure Sockets Layer) protocol. During source creation, you can select from several different SSL and TLS (Transport Layer Security) protocols to use for the certificate validation and secure communication.
You might need to adjust the level of certificate validation to connect properly to the Ansible host IP address during a scan. For example, your Ansible host IP address might use a verified SSL certificate from a certificate authority. During source creation, you can upgrade SSL certificate validation to check for that certificate during a scan of that source. Conversely, your host IP address might use self-signed certificates. During source creation, you can leave the SSL validation at the default so that a scan of that source does not check for a certificate. This choice, to leave the option at the default for a self-signed certificate, could possibly avoid scan errors.
You might also need to disable SSL as the method of secure communication during the scan if the Ansible host IP address is not configured to use SSL communication for web applications. For example, your Ansible host IP address might be configured to communicate with web applications by using HTTP with port 80. If so, then during source creation you can disable SSL communication for scans of that source.
3.6. Adding Red Hat Advanced Cluster Security for Kubernetes sources and credentials
To run a scan on a Red Hat Advanced Cluster Security for Kubernetes (RHACS) deployment, you must add a source that identifies the RHACS instance to scan. Then you must add a credential that contains the authentication data to access that instance.
Learn more
Add a RHACS source and credential to provide the information needed to scan a RHACS instance. To learn more, see the following information:
- To add a RHACS source, see Add a RHACS source.
- To add a RHACS credential, see Add a RHACS credential.
To learn more about sources and credentials and how Discovery uses them, see the following information:
To learn more about how Discovery authenticates with your Red Hat Advanced Cluster Security for Kubernetes instance, see the following information. This information includes guidance about certificate validation and SSL communication choices that you might need to make during RHACS credential configuration:
3.6.1. Adding Red Hat Advanced Cluster Security for Kubernetes sources
You can add sources from the initial Welcome page or from the Sources view.
Prerequisites
- You will need access to the Red Hat Advanced Cluster Security for Kubernetes (RHACS) portal to generate admin API token values.
- You will need either access to the RHACS portal to find the RHACS Central endpoint or access to the RHACS Configuration Management Cloud Service instance details.
Procedure
Click the option to add a new source based on your location:
- From the Welcome page, click Add Source.
- From the Sources view, click Add.
The Add Source wizard opens.
- On the Type page, select RHACS as the source type and click Next.
On the Credentials page, enter the following information:
- In the Name field, enter a descriptive name.
- In the IP Address or Hostname field, enter the Red Hat Advanced Cluster Security for Kubernetes Central address for this source.
  - You can find the address by viewing the network routes for the cluster if RHACS was deployed on OpenShift.
  - If RHACS was deployed on the cloud, you can find this information in the instance details.
- In the Credentials list, select the credential that is required to access the cluster for this source. If a required credential does not exist, click the Add a credential icon to open the Add Credential wizard.
- In the Connection list, select the SSL protocol to be used for a secure connection during a scan of this source. Select Disable SSL to disable secure communication during a scan of this source.
- If you need to upgrade the SSL validation for the cluster to check for a verified SSL certificate from a certificate authority, select the Verify SSL Certificate check box.
- Click Save to save the source and then click Close to close the Add Source wizard.
3.6.2. Adding RHACS credentials
You can add credentials from the Credentials view or from the Add Source wizard during the creation of a source.
Prerequisites
- You will need access to the Red Hat Advanced Cluster Security for Kubernetes (RHACS) portal to generate admin API token values.
- You will need either access to the RHACS portal to find the RHACS Central endpoint or access to the RHACS Configuration Management Cloud Service instance details.
Procedure
Click the option to add a new credential based on your location:
- From the Credentials view, click .
- From the Add Source wizard, click the Add a credential icon for the Credentials field.
The Add Credential wizard opens.
- In the Credential Name field, enter a descriptive name.
- Enter the API token for RHACS from your RHACS portal. If you do not already have a token, you can generate a token on the RHACS Configuration Management Cloud Service portal.
- Click Save to save the credential and close the Add Credential wizard.
3.6.3. About sources and credentials
To run a scan, you must configure data for two basic structures: sources and credentials. The type of source that you are going to inspect during the scan determines the type of data that is required for both source and credential configuration.
A source contains a single asset or a set of multiple assets that are to be inspected during the scan. You can configure any of the following types of sources:
- Network source: One or more physical machines, virtual machines, or containers. These assets can be expressed as hostnames, IP addresses, IP ranges, or subnets.
- vCenter source: A vCenter Server systems management solution that is managing all or part of your IT infrastructure.
- Satellite source: A Satellite systems management solution that is managing all or part of your IT infrastructure.
- Red Hat OpenShift source: A Red Hat OpenShift Container Platform cluster that is managing all or part of your Red Hat OpenShift Container Platform nodes and workloads.
- Ansible source: An Ansible management solution that is managing your Ansible nodes and workloads.
- Red Hat Advanced Cluster Security for Kubernetes source: A RHACS security platform solution that secures your Kubernetes environments.
When you are working with network sources, you determine how many individual assets you should group within a single source. Currently, you can add multiple assets to a source only for network sources. The following list contains some of the other factors that you should consider when you are adding sources:
- Whether assets are part of a development, testing, or production environment, and if demands on computing power and similar concerns are a consideration for those assets.
- Whether you want to scan a particular entity or group of entities more often because of internal business practices such as frequent changes to the installed software.
A credential contains data such as the username and password or SSH key of a user with sufficient authority to run the scan on all or part of the assets that are contained in that source. As with sources, credentials are configured as the network, vCenter, satellite, OpenShift, Ansible, or RHACS type. Typically, a network source might require multiple network credentials because it is expected that many credentials would be needed to access all of the assets in a broad IP range. Conversely, a vCenter or satellite source would typically use a single vCenter or satellite credential, as applicable, to access a particular system management solution server, and an OpenShift, Ansible, or RHACS source would use a single credential to access a single cluster.
You can add new sources from the Sources view and you can add new credentials from the Credentials view. You can also add new or select previously existing credentials during source creation. It is during source creation that you associate a credential directly with a source. Because sources and credentials must have matching types, any credential that you add during source creation shares the same type as the source. In addition, if you want to use an existing credential during source creation, the list of available credentials contains only credentials of the same type. For example, during network source creation, only network credentials are available for selection.
3.6.4. Red Hat Advanced Cluster Security for Kubernetes authentication
For a Red Hat Advanced Cluster Security for Kubernetes (RHACS) scan, the connectivity and access to the RHACS API derives from bearer token authentication with an API token that is encrypted over TLS (Transport Layer Security). By default, the RHACS scan runs with certificate validation and secure communication through the TLS protocol. During source creation, you can select from several different SSL (Secure Sockets Layer) and TLS protocols to use for the certificate validation and secure communication.
You might need to adjust the level of certificate validation to connect to the RHACS portal during a scan. For example, your RHACS instance might use a verified TLS certificate from a certificate authority. During source creation, you can upgrade TLS certificate validation to check for that certificate during a scan of that source. Conversely, your RHACS instance might use self-signed certificates. During source creation, you can leave the TLS validation at the default so that a scan of that source does not check for a certificate. This choice, to leave the option at the default for a self-signed certificate, could possibly avoid scan errors.
You might also need to disable TLS as the method of secure communication during the scan if the RHACS instance is not configured to use TLS communication for web applications. For example, your RHACS instance might be configured to communicate with web applications by using HTTP with port 80. If so, then during source creation you can disable TLS communication for scans of that source.
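The Disable SSL and Verify SSL Certificate choices described in the OpenShift, Ansible, and RHACS authentication sections decide how each credential is protected in transit. The following added example (not part of the product documentation and not Discovery code) audits a constructed inventory of sources and reports, per credential, the weakest transport that any of its sources uses. The record fields and sample names are assumptions that mirror the wizard's fields.

```python
from dataclasses import dataclass

# Constructed records: the field names mirror the Add Source wizard's fields
# and are assumptions, not Discovery's API or export format.
@dataclass(frozen=True)
class Source:
    name: str
    source_type: str   # "openshift", "ansible" or "rhacs"
    credential: str    # the single credential associated with this source
    disable_ssl: bool  # Connection list set to "Disable SSL"
    verify_cert: bool  # "Verify SSL Certificate" check box selected

# What each source type sends to authenticate, per the authentication sections.
SECRET_KIND = {"openshift": "API token", "ansible": "password", "rhacs": "API token"}

SEVERITY = {"ok": 0, "unverified-tls": 1, "cleartext": 2}
MEANING = {
    "ok": "encrypted, and the server certificate is checked against a CA",
    "unverified-tls": "encrypted, but any certificate is accepted, so the "
                      "server's identity is not confirmed",
    "cleartext": "sent over plain HTTP, readable anywhere on the network path",
}

def transport_state(src: Source) -> str:
    """Classify how a source's settings protect its credential in transit."""
    if src.disable_ssl:
        return "cleartext"  # certificate checking is moot without SSL
    return "ok" if src.verify_cert else "unverified-tls"

def audit(sources):
    """Per credential, report the weakest transport among the sources using it."""
    by_cred = {}
    for src in sources:
        state = transport_state(src)
        entry = by_cred.setdefault(src.credential, {
            "credential": src.credential,
            "secret": SECRET_KIND[src.source_type],
            "state": "ok",
            "weak_sources": [],
        })
        if state != "ok":
            entry["weak_sources"].append(src.name)
        if SEVERITY[state] > SEVERITY[entry["state"]]:
            entry["state"] = state
    # Worst exposure first, then by credential name for stable output.
    return sorted(by_cred.values(),
                  key=lambda e: (-SEVERITY[e["state"]], e["credential"]))

# Constructed sample inventory (names are illustrative only).
SAMPLE_SOURCES = [
    Source("ocp-prod", "openshift", "ocp-token", False, True),
    Source("aap-prod", "ansible", "aap-admin", False, True),
    Source("aap-lab", "ansible", "aap-admin", True, False),
    Source("rhacs-central", "rhacs", "rhacs-token", False, False),
]

if __name__ == "__main__":
    for e in audit(SAMPLE_SOURCES):
        weak = ", ".join(e["weak_sources"]) or "none"
        print(f'{e["credential"]} ({e["secret"]}): {e["state"]}: '
              f'{MEANING[e["state"]]}; weak sources: {weak}')
```

In the sample, the aap-admin password is reported as cleartext even though aap-prod uses verified TLS, because aap-lab sends the same credential over HTTP.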