Chapter 3. Adding sources and credentials


To prepare Discovery to run scans, you must add the parts of your IT infrastructure that you want to scan as one or more sources. You must also add the authentication information, such as a username and password or SSH key, that is required to access those sources as one or more credentials. Because of differing configuration requirements, you add sources and credentials according to the type of source that you are going to scan.

Learn more

As part of the general process of adding sources and credentials that encompass the different parts of your IT infrastructure, you might need to complete a number of tasks.

Add network sources and credentials to scan assets such as physical machines, virtual machines, or containers in your network. To learn more, see the following information:

Add satellite sources and credentials to scan your deployment of Red Hat Satellite Server to find the assets that it manages. To learn more, see the following information:

Add vcenter sources and credentials to scan your deployment of vCenter Server to find the assets that it manages. To learn more, see the following information:

Add OpenShift sources and credentials to scan your deployment of Red Hat OpenShift Container Platform clusters. To learn more, see the following information:

Add Ansible sources and credentials to scan your deployment of Ansible Automation Platform to find the secured clusters that it manages. To learn more, see the following information:

Add RHACS sources and credentials to scan your deployment of Red Hat Advanced Cluster Security for Kubernetes to find the secured clusters that RHACS manages. To learn more, see the following information:

3.1. Adding network sources and credentials

To run a scan on one or more of the physical machines, virtual machines, or containers on your network, you must add a source that identifies each of the assets to scan. Then you must add credentials that contain the authentication data to access each asset.

Learn more

Add one or more network sources and credentials to provide the information needed to scan the assets in your network. To learn more, see the following information:

To learn more about sources and credentials and how Discovery uses them, see the following information:

To learn more about how Discovery authenticates with assets on your network, see the following information. This information includes guidance about running commands with elevated privileges, a choice that you might need to make during network credential configuration:

3.1.1. Adding network sources

You can add sources from the initial Welcome page or from the Sources view.

Procedure

  1. Click the option to add a new credential based on your location:

    • From the Welcome page, click Add Source.
    • From the Sources view, click Add.

    The Add Source wizard opens.

  2. On the Type page, select Network Range as the source type and click Next.
  3. On the Credentials page, enter the following information.

    1. In the Name field, enter a descriptive name.
    2. In the Search Addresses field, enter one or more network identifiers separated by commas. You can enter hostnames, IP addresses, and IP ranges.

      • Enter hostnames as DNS hostnames, for example, server1.example.com.
      • Enter IP ranges in CIDR or Ansible notation, for example, 192.168.1.0/24 for CIDR notation or 192.168.1.[1:254] for Ansible notation.
    3. Optional: In the Port field, enter a different port if you do not want a scan for this source to run on the default port 22.
    4. In the Credentials list, select the credentials that are required to access the network resources for this source. If a required credential does not exist, click the Add a credential icon to open the Add Credential wizard.
    5. If your network resources require the Ansible connection method to be the Python SSH implementation, Paramiko, instead of the default OpenSSH implementation, select the Connect using Paramiko instead of OpenSSH check box.
  4. Click Save to save the source and then click Close to close the Add Source wizard.

3.1.2. Adding network credentials

You can add credentials from the Credentials view or from the Add Source wizard during the creation of a source. You might need to add several credentials to authenticate to all of the assets that are included in a single source.

Procedure

  1. Click the option to add a new credential based on your location:

    • From the Credentials view, click Add Network Credential.
    • From the Add Source wizard, click the Add a credential icon for the Credentials field.

    The Add Credential wizard opens.

  2. In the Credential Name field, enter a descriptive name.
  3. In the Authentication Type field, select the type of authentication that you want to use. You can select either Username and Password or SSH Key.
  4. Enter the authentication data in the appropriate fields, based on the authentication type.

    • For username and password authentication, enter a username and password for a user. This user must have root-level access to your network or to the subset of your network that you want to scan. Alternatively, this user must be able to obtain root-level access with the selected become method.
    • For SSH key authentication, enter a username and paste the contents of the ssh keyfile. Entering a passphrase is optional.
  5. Enter the become method for privilege elevation. Privilege elevation is required to run some commands during a network scan. Entering a username and password for the become method is optional.
  6. Click Save to save the credential and close the Add Credential wizard.

3.1.3. About sources and credentials

To run a scan, you must configure data for two basic structures: sources and credentials. The type of source that you are going to inspect during the scan determines the type of data that is required for both source and credential configuration.

A source contains a single asset or a set of multiple assets that are to be inspected during the scan. You can configure any of the following types of sources:

Network source
One or more physical machines, virtual machines, or containers. These assets can be expressed as hostnames, IP addresses, IP ranges, or subnets.
vCenter source
A vCenter Server systems management solution that is managing all or part of your IT infrastructure.
Satellite source
A Satellite systems management solution that is managing all or part of your IT infrastructure.
Red Hat OpenShift source
A Red Hat OpenShift Container Platform cluster that is managing all or part your Red Hat OpenShift Container Platform nodes and workloads.
Ansible source
An Ansible management solution that is managing your Ansible nodes and workloads.
Red Hat Advanced Cluster Security for Kubernetes source
A RHACS security platform solution that secures your Kubernetes environments.

When you are working with network sources, you determine how many individual assets you should group within a single source. Currently, you can add multiple assets to a source only for network sources. The following list contains some of the other factors that you should consider when you are adding sources:

  • Whether assets are part of a development, testing, or production environment, and if demands on computing power and similar concerns are a consideration for those assets.
  • Whether you want to scan a particular entity or group of entities more often because of internal business practices such as frequent changes to the installed software.

A credential contains data such as the username and password or SSH key of a user with sufficient authority to run the scan on all or part of the assets that are contained in that source. As with sources, credentials are configured as the network, vCenter, satellite, OpenShift, Ansible, or RHACS type. Typically, a network source might require multiple network credentials because it is expected that many credentials would be needed to access all of the assets in a broad IP range. Conversely, a vCenter or satellite source would typically use a single vCenter or satellite credential, as applicable, to access a particular system management solution server, and an OpenShift, Ansible, or RHACS source would use a single credential to access a single cluster.

You can add new sources from the Sources view and you can add new credentials from the Credentials view. You can also add new or select previously existing credentials during source creation. It is during source creation that you associate a credential directly with a source. Because sources and credentials must have matching types, any credential that you add during source creation shares the same type as the source. In addition, if you want to use an existing credential during source creation, the list of available credentials contains only credentials of the same type. For example, during network source creation, only network credentials are available for selection.

3.1.4. Network authentication

The Discovery application inspects the remote systems in a network scan by using the SSH remote connection capabilities of Ansible. When you add a network credential, you configure the SSH connection by using either a username and password or a username and SSH keyfile pair. If remote systems are accessed with SSH key authentication, you can also supply a passphrase for the SSH key.

Also during network credential configuration, you can enable a become method. The become method is used during a scan to elevate privileges. These elevated privileges are needed to run commands and obtain data on the systems that you are scanning. For more information about the commands that do and do not require elevated privileges during a scan, see Commands that are used in scans of remote network assets.

3.1.4.1. Commands that are used in scans of remote network assets

When you run a network scan, Discovery must use the credentials that you provide to run certain commands on the remote systems in your network. Some of those commands must run with elevated privileges. This access is typically acquired through the use of the sudo command or similar commands. The elevated privileges are required to gather the types of facts that Discovery uses to build the report about your installed products.

Although it is possible to run a scan for a network source without elevated privileges, the results of that scan will be incomplete. The incomplete results from the network scan will affect the quality of the generated report for the scan.

The following information lists the commands that Discovery runs on remote hosts during a network scan. The information includes the basic commands that can run without elevated privileges and the commands that must run with elevated privileges to gather the most accurate and complete information for the report.

Note

In addition to the following commands, Discovery also depends on standard shell facilities, such as those provided by the bash shell.

3.1.4.1.1. Basic commands that do not need elevated privileges

The following commands do not require elevated privileges to gather facts during a scan:

  • cat
  • egrep
  • sort
  • uname
  • ctime
  • grep
  • rpm
  • virsh
  • date
  • id
  • test
  • whereis
  • echo
  • sed
  • tune2fs
  • xargs
3.1.4.1.2. Commands that need elevated privileges

The following commands require elevated privileges to gather facts during a scan. Each command includes a list of individual facts or categories of facts that Discovery attempts to find during a scan. These facts cannot be included in reports if elevated privileges are not available for that command.

  • awk
  • cat
  • chkconfig
  • command
  • df
  • dirname
  • dmidecode
  • echo
  • egrep
  • fgrep
  • find
  • ifconfig
  • ip
  • java
  • locate
  • ls
  • ps
  • readlink
  • sed
  • sort
  • stat
  • subscription-manager
  • systemctl
  • tail
  • test
  • tr
  • unzip
  • virt-what
  • xargs
  • yum

3.2. Adding satellite sources and credentials

To run a scan on a Red Hat Satellite Server deployment, you must add a source that identifies the Satellite Server server to scan. Then you must add a credential that contains the authentication data to access that server.

Learn more

Add a satellite source and credential to provide the information needed to scan Satellite Server. To learn more, see the following information:

To learn more about sources and credentials and how Discovery uses them, see the following information:

To learn more about how Discovery authenticates with your Satellite Server server, see the following information. This information includes guidance about certificate validation and SSL communication choices that you might need to make during satellite credential configuration.

3.2.1. Adding satellite sources

You can add sources from the initial Welcome page or from the Sources view.

Procedure

  1. Click the option to add a new credential based on your location:

    • From the Welcome page, click Add Source.
    • From the Sources view, click Add.

    The Add Source wizard opens.

  2. On the Type page, select Satellite as the source type and click Next.
  3. On the Credentials page, enter the following information.

    1. In the Name field, enter a descriptive name.
    2. In the IP Address or Hostname field, enter the IP address or hostname of the Satellite server for this source. Enter a different port if you do not want a scan for this source to run on the default port 443. For example, if the IP address of the Satellite server is 192.0.2.15 and you want to change the port to 80, you would enter 192.0.2.15:80.
    3. In the Credentials list, select the credential that is required to access the Satellite server for this source. If a required credential does not exist, click the Add a credential icon to open the Add Credential wizard.
    4. In the Connection list, select the SSL protocol to be used for a secure connection during a scan of this source.

      Note

      Satellite Server does not support the disabling of SSL. If you select the Disable SSL option, this option is ignored.

    5. If you need to upgrade the SSL validation for the Satellite server to check for a verified SSL certificate from a certificate authority, select the Verify SSL Certificate check box.
  4. Click Save to save the source and then click Close to close the Add Source wizard.

3.2.2. Adding satellite credentials

You can add credentials from the Credentials view or from the Add Source wizard during the creation of a source.

Procedure

  1. Click the option to add a new credential based on your location:

    • From the Credentials view, click Add Satellite Credential.
    • From the Add Source wizard, click the Add a credential icon for the Credentials field.

    The Add Credential wizard opens.

  2. In the Credential Name field, enter a descriptive name.
  3. Enter the username and password for a Satellite Server administrator.
  4. Click Save to save the credential and close the Add Credential wizard.

3.2.3. About sources and credentials

To run a scan, you must configure data for two basic structures: sources and credentials. The type of source that you are going to inspect during the scan determines the type of data that is required for both source and credential configuration.

A source contains a single asset or a set of multiple assets that are to be inspected during the scan. You can configure any of the following types of sources:

Network source
One or more physical machines, virtual machines, or containers. These assets can be expressed as hostnames, IP addresses, IP ranges, or subnets.
vCenter source
A vCenter Server systems management solution that is managing all or part of your IT infrastructure.
Satellite source
A Satellite systems management solution that is managing all or part of your IT infrastructure.
Red Hat OpenShift source
A Red Hat OpenShift Container Platform cluster that is managing all or part your Red Hat OpenShift Container Platform nodes and workloads.
Ansible source
An Ansible management solution that is managing your Ansible nodes and workloads.
Red Hat Advanced Cluster Security for Kubernetes source
A RHACS security platform solution that secures your Kubernetes environments.

When you are working with network sources, you determine how many individual assets you should group within a single source. Currently, you can add multiple assets to a source only for network sources. The following list contains some of the other factors that you should consider when you are adding sources:

  • Whether assets are part of a development, testing, or production environment, and if demands on computing power and similar concerns are a consideration for those assets.
  • Whether you want to scan a particular entity or group of entities more often because of internal business practices such as frequent changes to the installed software.

A credential contains data such as the username and password or SSH key of a user with sufficient authority to run the scan on all or part of the assets that are contained in that source. As with sources, credentials are configured as the network, vCenter, satellite, OpenShift, Ansible, or RHACS type. Typically, a network source might require multiple network credentials because it is expected that many credentials would be needed to access all of the assets in a broad IP range. Conversely, a vCenter or satellite source would typically use a single vCenter or satellite credential, as applicable, to access a particular system management solution server, and an OpenShift, Ansible, or RHACS source would use a single credential to access a single cluster.

You can add new sources from the Sources view and you can add new credentials from the Credentials view. You can also add new or select previously existing credentials during source creation. It is during source creation that you associate a credential directly with a source. Because sources and credentials must have matching types, any credential that you add during source creation shares the same type as the source. In addition, if you want to use an existing credential during source creation, the list of available credentials contains only credentials of the same type. For example, during network source creation, only network credentials are available for selection.

3.2.4. Satellite Server authentication

For a satellite scan, the connectivity and access to Satellite Server derives from basic authentication (username and password) that is encrypted over HTTPS. By default, the satellite scan runs with certificate validation and secure communication through the SSL (Secure Sockets Layer) protocol. During source creation, you can select from several different SSL and TLS (Transport Layer Security) protocols to use for the certificate validation and secure communication.

Note

The Satellite Server credentials that you use for a satellite scan must be a user with a role that contains the view permissions for hosts, subscriptions, and organizations.

You might need to adjust the level of certificate validation to connect properly to the Satellite server during a scan. For example, your Satellite server might use a verified SSL certificate from a certificate authority. During source creation, you can upgrade SSL certificate validation to check for that certificate during a scan of that source. Conversely, your Satellite server might use self-signed certificates. During source creation, you can leave the SSL validation at the default so that a scan of that source does not check for a certificate. This choice, to leave the option at the default for a self-signed certificate, could possibly avoid scan errors.

Although the option to disable SSL is currently available in the interface, Satellite Server does not support the disabling of SSL. If you select the Disable SSL option when you create a satellite source, this option is ignored.

3.3. Adding vcenter sources and credentials

To run a scan on a vCenter Server deployment, you must add a source that identifies the vCenter Server server to scan. Then you must add a credential that contains the authentication data to access that server.

Learn more

Add a vcenter source and credential to provide the information needed to scan vCenter Server. To learn more, see the following information:

To learn more about sources and credentials and how Discovery uses them, see the following information:

To learn more about how Discovery authenticates with your vCenter Server server, see the following information. This information includes guidance about certificate validation and SSL communication choices that you might need to make during vcenter credential configuration:

3.3.1. Adding vcenter sources

You can add sources from the initial Welcome page or from the Sources view.

Note

A vCenter source is only compatible with a vCenter deployment. You cannot use this source to scan other virtualization infrastructures, even those that are supported by Red Hat.

Procedure

  1. Click the option to add a new credential based on your location:

    • From the Welcome page, click Add Source.
    • From the Sources view, click Add.

    The Add Source wizard opens.

  2. On the Type page, select vCenter Server as the source type and click Next.
  3. On the Credentials page, enter the following information:

    1. In the Name field, enter a descriptive name.
    2. In the IP Address or Hostname field, enter the IP address or hostname of the vCenter Server for this source. Enter a different port if you do not want a scan for this source to run on the default port 443. For example, if the IP address of the vCenter Server is 192.0.2.15 and you want to change the port to 80, you would enter 192.0.2.15:80.
    3. In the Credentials list, select the credential that is required to access the vCenter Server for this source. If a required credential does not exist, click the Add a credential icon to open the Add Credential wizard.
    4. In the Connection list, select the SSL protocol to be used for a secure connection during a scan of this source. Select Disable SSL to disable secure communication during a scan of this source.
    5. If you need to upgrade the SSL validation for the vCenter Server to check for a verified SSL certificate from a certificate authority, select the Verify SSL Certificate check box.
  4. Click Save to save the source and then click Close to close the Add Source wizard.

3.3.2. Adding vcenter credentials

You can add credentials from the Credentials view or from the Add Source wizard during the creation of a source.

Procedure

  1. Click the option to add a new credential based on your location:

    • From the Credentials view, click Add VCenter Credential.
    • From the Add Source wizard, click the Add a credential icon for the Credentials field.

    The Add Credential wizard opens.

  2. In the Credential Name field, enter a descriptive name.
  3. Enter the username and password for a vCenter Server administrator.
  4. Click Save to save the credential and close the Add Credential wizard.

3.3.3. About sources and credentials

To run a scan, you must configure data for two basic structures: sources and credentials. The type of source that you are going to inspect during the scan determines the type of data that is required for both source and credential configuration.

A source contains a single asset or a set of multiple assets that are to be inspected during the scan. You can configure any of the following types of sources:

Network source
One or more physical machines, virtual machines, or containers. These assets can be expressed as hostnames, IP addresses, IP ranges, or subnets.
vCenter source
A vCenter Server systems management solution that is managing all or part of your IT infrastructure.
Satellite source
A Satellite systems management solution that is managing all or part of your IT infrastructure.
Red Hat OpenShift source
A Red Hat OpenShift Container Platform cluster that is managing all or part your Red Hat OpenShift Container Platform nodes and workloads.
Ansible source
An Ansible management solution that is managing your Ansible nodes and workloads.
Red Hat Advanced Cluster Security for Kubernetes source
A RHACS security platform solution that secures your Kubernetes environments.

When you are working with network sources, you determine how many individual assets you should group within a single source. Currently, you can add multiple assets to a source only for network sources. The following list contains some of the other factors that you should consider when you are adding sources:

  • Whether assets are part of a development, testing, or production environment, and if demands on computing power and similar concerns are a consideration for those assets.
  • Whether you want to scan a particular entity or group of entities more often because of internal business practices such as frequent changes to the installed software.

A credential contains data such as the username and password or SSH key of a user with sufficient authority to run the scan on all or part of the assets that are contained in that source. As with sources, credentials are configured as the network, vCenter, satellite, OpenShift, Ansible, or RHACS type. Typically, a network source might require multiple network credentials because it is expected that many credentials would be needed to access all of the assets in a broad IP range. Conversely, a vCenter or satellite source would typically use a single vCenter or satellite credential, as applicable, to access a particular system management solution server, and an OpenShift, Ansible, or RHACS source would use a single credential to access a single cluster.

You can add new sources from the Sources view and you can add new credentials from the Credentials view. You can also add new or select previously existing credentials during source creation. It is during source creation that you associate a credential directly with a source. Because sources and credentials must have matching types, any credential that you add during source creation shares the same type as the source. In addition, if you want to use an existing credential during source creation, the list of available credentials contains only credentials of the same type. For example, during network source creation, only network credentials are available for selection.

3.3.4. vCenter Server authentication

For a vcenter scan, the connectivity and access to vCenter Server derives from basic authentication (username and password) that is encrypted over HTTPS. By default, the vcenter scan runs with certificate validation and secure communication through the SSL (Secure Sockets Layer) protocol. During source creation, you can select from several different SSL and TLS (Transport Layer Security) protocols to use for the certificate validation and secure communication.

You might need to adjust the level of certificate validation to connect properly to the vCenter server during a scan. For example, your vCenter server might use a verified SSL certificate from a certificate authority. During source creation, you can upgrade SSL certificate validation to check for that certificate during a scan of that source. Conversely, your vCenter server might use self-signed certificates. During source creation, you can leave the SSL validation at the default so that scan of that source does not check for a certificate. This choice, to leave the option at the default for a self-signed certificate, could possibly avoid scan errors.

You might also need to disable SSL as the method of secure communication during the scan if the vCenter server is not configured to use SSL communication for web applications. For example, your vCenter server might be configured to communicate with web applications by using HTTP with port 80. If so, then during source creation you can disable SSL communication for scans of that source.

3.4. Adding OpenShift sources and credentials

To run a scan on a Red Hat OpenShift Container Platform deployment, you must add a source that identifies the Red Hat OpenShift Container Platform cluster to scan. Then you must add a credential that contains the authentication data to access that cluster.

Learn more

Add an OpenShift source and credential to provide the information needed to scan a Red Hat OpenShift Container Platform cluster. To learn more, see the following information:

To learn more about sources and credentials and how Discovery uses them, see the following information:

To learn more about how Discovery authenticates with your Red Hat OpenShift Container Platform cluster, see the following information. This information includes guidance about certificate validation and SSL communication choices that you might need to make during OpenShift credential configuration:

3.4.1. Adding Red Hat OpenShift Container Platform sources

You can add sources from the initial Welcome page or from the Sources view.

Prerequisites

  • You will need access to the Red Hat OpenShift Container Platform web console administrator perspective to get the API address and token values.

Procedure

  1. Click the option to add a new credential based on your location:

    • From the Welcome page, click Add Source.
    • From the Sources view, click Add.

    The Add Source wizard opens.

  2. On the Type page, select OpenShift as the source type and click Next.
  3. On the Credentials page, enter the following information:

    1. In the Name field, enter a descriptive name.
    2. In the IP Address or Hostname field, enter the Red Hat OpenShift Container Platform cluster API address for this source. You can find the cluster API address by viewing the overview details for the cluster in the web console
    3. In the Credentials list, select the credential that is required to access the cluster for this source. If a required credential does not exist, click the Add a credential icon to open the Add Credential wizard.
    4. In the Connection list, select the SSL protocol to be used for a secure connection during a scan of this source. Select Disable SSL to disable secure communication during a scan of this source.
    5. If you need to upgrade the SSL validation for the cluster to check for a verified SSL certificate from a certificate authority, select the Verify SSL Certificate check box.
  4. Click Save to save the source and then click Close to close the Add Source wizard.

3.4.2. Adding Red Hat OpenShift Container Platform credentials

You can add credentials from the Credentials view or from the Add Source wizard during the creation of a source.

Prerequisites

  • You will need access to the Red Hat OpenShift Container Platform web console administrator perspective to get the API address and token values.

Procedure

  1. Click the option to add a new credential based on your location:

    • From the Credentials view, click Add OpenShift.
    • From the Add Source wizard, click the Add a credential icon for the Credentials field.

    The Add Credential wizard opens.

  2. In the Credential Name field, enter a descriptive name.
  3. Enter the API token for the Red Hat OpenShift Container Platform cluster from your Administrator console. You can find the API token by clicking your username in the console, clicking the Display Token option and copying the value displayed for Your API token is.
  4. Click Save to save the credential and close the Add Credential wizard.

3.4.3. About sources and credentials

To run a scan, you must configure data for two basic structures: sources and credentials. The type of source that you are going to inspect during the scan determines the type of data that is required for both source and credential configuration.

A source contains a single asset or a set of multiple assets that are to be inspected during the scan. You can configure any of the following types of sources:

Network source
One or more physical machines, virtual machines, or containers. These assets can be expressed as hostnames, IP addresses, IP ranges, or subnets.
vCenter source
A vCenter Server systems management solution that is managing all or part of your IT infrastructure.
Satellite source
A Satellite systems management solution that is managing all or part of your IT infrastructure.
Red Hat OpenShift source
A Red Hat OpenShift Container Platform cluster that is managing all or part your Red Hat OpenShift Container Platform nodes and workloads.
Ansible source
An Ansible management solution that is managing your Ansible nodes and workloads.
Red Hat Advanced Cluster Security for Kubernetes source
A RHACS security platform solution that secures your Kubernetes environments.

When you are working with network sources, you determine how many individual assets you should group within a single source. Currently, you can add multiple assets to a source only for network sources. The following list contains some of the other factors that you should consider when you are adding sources:

  • Whether assets are part of a development, testing, or production environment, and if demands on computing power and similar concerns are a consideration for those assets.
  • Whether you want to scan a particular entity or group of entities more often because of internal business practices such as frequent changes to the installed software.

A credential contains data such as the username and password or SSH key of a user with sufficient authority to run the scan on all or part of the assets that are contained in that source. As with sources, credentials are configured as the network, vCenter, satellite, OpenShift, Ansible, or RHACS type. Typically, a network source might require multiple network credentials because it is expected that many credentials would be needed to access all of the assets in a broad IP range. Conversely, a vCenter or satellite source would typically use a single vCenter or satellite credential, as applicable, to access a particular system management solution server, and an OpenShift, Ansible, or RHACS source would use a single credential to access a single cluster.

You can add new sources from the Sources view and you can add new credentials from the Credentials view. You can also add new or select previously existing credentials during source creation. It is during source creation that you associate a credential directly with a source. Because sources and credentials must have matching types, any credential that you add during source creation shares the same type as the source. In addition, if you want to use an existing credential during source creation, the list of available credentials contains only credentials of the same type. For example, during network source creation, only network credentials are available for selection.

3.4.4. Red Hat OpenShift Container Platform authentication

For a OpenShift scan, the connectivity and access to OpenShift cluster API address derives from basic authentication with a cluster API address and an API token that is encrypted over HTTPS. By default, the OpenShift scan runs with certificate validation and secure communication through the SSL (Secure Sockets Layer) protocol. During source creation, you can select from several different SSL and TLS (Transport Layer Security) protocols to use for the certificate validation and secure communication.

You might need to adjust the level of certificate validation to connect properly to the Red Hat OpenShift Container Platform cluster API address during a scan. For example, your OpenShift cluster API address might use a verified SSL certificate from a certificate authority. During source creation, you can upgrade SSL certificate validation to check for that certificate during a scan of that source. Conversely, your cluster API address might use self-signed certificates. During source creation, you can leave the SSL validation at the default so that scan of that source does not check for a certificate. This choice, to leave the option at the default for a self-signed certificate, could possibly avoid scan errors.

You might also need to disable SSL as the method of secure communication during the scan if the OpenShift cluster API address is not configured to use SSL communication for web applications. For example, your OpenShift server might be configured to communicate with web applications by using HTTP with port 80. If so, then during source creation you can disable SSL communication for scans of that source.

3.5. Adding Ansible sources and credentials

To run a scan on a Ansible deployment, you must add a source that identifies the Ansible Automation Platform to scan. Then, you must add a credential that contains the authentication data to access that cluster.

Learn more

Add an Ansible source and credential to provide the information needed to scan your Ansible Automation Platform deployment. To learn more, see the following information:

To learn more about sources and credentials and how Discovery uses them, see the following information:

To learn more about how Discovery authenticates with your Ansible deployment, see the following information. This information includes guidance about certificate validation and SSL communication choices that you might need to make during Ansible credential configuration:

3.5.1. Adding Red Hat Ansible Automation Platform sources

You can add sources from the initial Welcome page or from the Sources view.

Procedure

  1. Click the option to add a new credential based on your location:

    • From the Welcome page, click Add Source.
    • From the Sources view, click Add Source.

    The Add Source wizard opens.

  2. On the Type page, select Ansible Controller as the source type and click Next.
  3. On the Credentials page, enter the following information:

    1. In the Name field, enter a descriptive name.
    2. In the IP Address or Hostname field, enter the Ansible host IP address for this source. You can find the host IP address by viewing the overview details for the controller in the portal.
    3. In the Credentials list, select the credential that is required to access the cluster for this source. If a required credential does not exist, click the Add a credential icon to open the Add Credential wizard.
    4. In the Connection list, select the SSL protocol to be used for a secure connection during a scan of this source. Select Disable SSL to disable secure communication during a scan of this source.
    5. If you need to upgrade the SSL validation for the cluster to check for a verified SSL certificate from a certificate authority, select the Verify SSL Certificate check box.
  4. Click Save to save the source and then click Close to close the Add Source wizard.

3.5.2. Adding Red Hat Ansible Automation Platform credentials

You can add credentials from the Credentials view or from the Add Source wizard during the creation of a source.

Procedure

  1. Click the option to add a new credential based on your location:

    • From the Credentials view, click Add Ansible Credential.
    • From the Add Source wizard, click the Add a credential icon for the Credentials field.

    The Add Credential wizard opens.

  2. In the Credential Name field, enter a descriptive name.
  3. In the User Name field, enter the username for your Ansible Controller instance.
  4. In the Password field, enter the password for your Ansible Controller instance.
  5. Click Save to save the credential. The Add credential wizard closes.

3.5.3. About sources and credentials

To run a scan, you must configure data for two basic structures: sources and credentials. The type of source that you are going to inspect during the scan determines the type of data that is required for both source and credential configuration.

A source contains a single asset or a set of multiple assets that are to be inspected during the scan. You can configure any of the following types of sources:

Network source
One or more physical machines, virtual machines, or containers. These assets can be expressed as hostnames, IP addresses, IP ranges, or subnets.
vCenter source
A vCenter Server systems management solution that is managing all or part of your IT infrastructure.
Satellite source
A Satellite systems management solution that is managing all or part of your IT infrastructure.
Red Hat OpenShift source
A Red Hat OpenShift Container Platform cluster that is managing all or part your Red Hat OpenShift Container Platform nodes and workloads.
Ansible source
An Ansible management solution that is managing your Ansible nodes and workloads.
Red Hat Advanced Cluster Security for Kubernetes source
A RHACS security platform solution that secures your Kubernetes environments.

When you are working with network sources, you determine how many individual assets you should group within a single source. Currently, you can add multiple assets to a source only for network sources. The following list contains some of the other factors that you should consider when you are adding sources:

  • Whether assets are part of a development, testing, or production environment, and if demands on computing power and similar concerns are a consideration for those assets.
  • Whether you want to scan a particular entity or group of entities more often because of internal business practices such as frequent changes to the installed software.

A credential contains data such as the username and password or SSH key of a user with sufficient authority to run the scan on all or part of the assets that are contained in that source. As with sources, credentials are configured as the network, vCenter, satellite, OpenShift, Ansible, or RHACS type. Typically, a network source might require multiple network credentials because it is expected that many credentials would be needed to access all of the assets in a broad IP range. Conversely, a vCenter or satellite source would typically use a single vCenter or satellite credential, as applicable, to access a particular system management solution server, and an OpenShift, Ansible, or RHACS source would use a single credential to access a single cluster.

You can add new sources from the Sources view and you can add new credentials from the Credentials view. You can also add new or select previously existing credentials during source creation. It is during source creation that you associate a credential directly with a source. Because sources and credentials must have matching types, any credential that you add during source creation shares the same type as the source. In addition, if you want to use an existing credential during source creation, the list of available credentials contains only credentials of the same type. For example, during network source creation, only network credentials are available for selection.

3.5.4. Ansible authentication

For a Ansible scan, the connectivity and access to Ansible host IP addresses derives from basic authentication with a host IP address and a password that is encrypted over HTTPS. By default, the Ansible scan runs with certificate validation and secure communication through the SSL (Secure Sockets Layer) protocol. During source creation, you can select from several different SSL and TLS (Transport Layer Security) protocols to use for the certificate validation and secure communication.

You might need to adjust the level of certificate validation to connect properly to the Ansible host IP address during a scan. For example, your Ansible host Ip address might use a verified SSL certificate from a certificate authority. During source creation, you can upgrade SSL certificate validation to check for that certificate during a scan of that source. Conversely, your host IP address might use self-signed certificates. During source creation, you can leave the SSL validation at the default so that scan of that source does not check for a certificate. This choice, to leave the option at the default for a self-signed certificate, could possibly avoid scan errors.

You might also need to disable SSL as the method of secure communication during the scan if the Ansible host IP address is not configured to use SSL communication for web applications. For example, your Ansible host IP address might be configured to communicate with web applications by using HTTP with port 80. If so, then during source creation you can disable SSL communication for scans of that source.

3.6. Adding Red Hat Advanced Cluster Security for Kubernetes sources and credentials

To run a scan on a Red Hat Advanced Cluster Security for Kubernetes (RHACS) deployment, you must add a source that identifies the RHACS instance to scan. Then you must add a credential that contains the authentication data to access that instance.

Learn more

Add a RHACS source and credential to provide the information needed to scan a RHACS instance. To learn more, see the following information:

To learn more about sources and credentials and how Discovery uses them, see the following information:

To learn more about how Discovery authenticates with your Red Hat Advanced Cluster Security for Kubernetes instance, see the following information. This information includes guidance about certificate validation and SSL communication choices that you might need to make during RHACS credential configuration:

3.6.1. Adding Red Hat Advanced Cluster Security for Kubernetes sources

You can add sources from the initial Welcome page or from the Sources view.

Prerequisites

  • You will need access to the Red Hat Advanced Cluster Security for Kubernetes (RHACS) portal to generate admin API token values.
  • You will need either access to the RHACS portal to find the RHACS Central endpoint or access the RHACS Configuration Management Cloud Service instance details.

Procedure

  1. Click the option to add a new credential based on your location:

    • From the Welcome page, click Add Source.
    • From the Sources view, click Add.

    The Add Source wizard opens.

  2. On the Type page, select RHACS as the source type and click Next.
  3. On the Credentials page, enter the following information:

    1. In the Name field, enter a descriptive name.
    2. In the IP Address or Hostname field, enter the Red Hat Advanced Cluster Security for Kubernetes Central address for this source.

      • You can find the address by viewing the network routes for the cluster if RHACS was deployed on OpenShift.
      • If RHACS was deployed on the cloud, you can find this information in the instance details.
    3. In the Credentials list, select the credential that is required to access the cluster for this source. If a required credential does not exist, click the Add a credential icon to open the Add Credential wizard.
    4. In the Connection list, select the SSL protocol to be used for a secure connection during a scan of this source. Select Disable SSL to disable secure communication during a scan of this source.
    5. If you need to upgrade the SSL validation for the cluster to check for a verified SSL certificate from a certificate authority, select the Verify SSL Certificate check box.
  4. Click Save to save the source and then click Close to close the Add Source wizard.

3.6.2. Adding RHACS credentials

You can add credentials from the Credentials view or from the Add Source wizard during the creation of a source.

Prerequisites

  • You will need access to the Red Hat Advanced Cluster Security for Kubernetes (RHACS) portal to generate admin API token values.
  • You will need either access to the RHACS portal to find the RHACS Central endpoint or access the RHACS Configuration Management Cloud Service instance details.

Procedure

  1. Click the option to add a new credential based on your location:

    • From the Credentials view, click Add RHACS.
    • From the Add Source wizard, click the Add a credential icon for the Credentials field.

    The Add Credential wizard opens.

  2. In the Credential Name field, enter a descriptive name.
  3. Enter the API token for RHACS from yourRHACS portal. If you do not already have a token, you can generate a token on the RHACSConfiguration Management Cloud Service portal.
  4. Click Save to save the credential and close the Add Credential wizard.

3.6.3. About sources and credentials

To run a scan, you must configure data for two basic structures: sources and credentials. The type of source that you are going to inspect during the scan determines the type of data that is required for both source and credential configuration.

A source contains a single asset or a set of multiple assets that are to be inspected during the scan. You can configure any of the following types of sources:

Network source
One or more physical machines, virtual machines, or containers. These assets can be expressed as hostnames, IP addresses, IP ranges, or subnets.
vCenter source
A vCenter Server systems management solution that is managing all or part of your IT infrastructure.
Satellite source
A Satellite systems management solution that is managing all or part of your IT infrastructure.
Red Hat OpenShift source
A Red Hat OpenShift Container Platform cluster that is managing all or part your Red Hat OpenShift Container Platform nodes and workloads.
Ansible source
An Ansible management solution that is managing your Ansible nodes and workloads.
Red Hat Advanced Cluster Security for Kubernetes source
A RHACS security platform solution that secures your Kubernetes environments.

When you are working with network sources, you determine how many individual assets you should group within a single source. Currently, you can add multiple assets to a source only for network sources. The following list contains some of the other factors that you should consider when you are adding sources:

  • Whether assets are part of a development, testing, or production environment, and if demands on computing power and similar concerns are a consideration for those assets.
  • Whether you want to scan a particular entity or group of entities more often because of internal business practices such as frequent changes to the installed software.

A credential contains data such as the username and password or SSH key of a user with sufficient authority to run the scan on all or part of the assets that are contained in that source. As with sources, credentials are configured as the network, vCenter, satellite, OpenShift, Ansible, or RHACS type. Typically, a network source might require multiple network credentials because it is expected that many credentials would be needed to access all of the assets in a broad IP range. Conversely, a vCenter or satellite source would typically use a single vCenter or satellite credential, as applicable, to access a particular system management solution server, and an OpenShift, Ansible, or RHACS source would use a single credential to access a single cluster.

You can add new sources from the Sources view and you can add new credentials from the Credentials view. You can also add new or select previously existing credentials during source creation. It is during source creation that you associate a credential directly with a source. Because sources and credentials must have matching types, any credential that you add during source creation shares the same type as the source. In addition, if you want to use an existing credential during source creation, the list of available credentials contains only credentials of the same type. For example, during network source creation, only network credentials are available for selection.

3.6.4. Red Hat Advanced Cluster Security for Kubernetes authentication

For a Red Hat Advanced Cluster Security for Kubernetes (RHACS) scan, the connectivity and access to the RHACS API derives from bearer token authentication with an API token that is encrypted over TLS (Transport Layer Security). By default, the RHACS scan runs with certificate validation and secure communication through the TLS protocol. During source creation, you can select from several different SSL (Secure Sockets Layer) and TLS protocols to use for the certificate validation and secure communication.

You might need to adjust the level of certificate validation to connect to the RHACS portal during a scan. For example, your RHACS instance might use a verified TLS certificate from a certificate authority. During source creation, you can upgrade TLS certificate validation to check for that certificate during a scan of that source. Conversely, your RHACS instance might use self-signed certificates. During source creation, you can leave the TLS validation at the default so that scan of that source does not check for a certificate. This choice, to leave the option at the default for a self-signed certificate, could possibly avoid scan errors.

You might also need to disable TSL as the method of secure communication during the scan if the RHACS instance is not configured to use TSL communication for web applications. For example, your RHACS instance might be configured to communicate with web applications by using HTTP with port 80. If so, then during source creation you can disable TSL communication for scans of that source.

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.