5.1 Credential Sets - BlueCat Infrastructure Assurance - 25.2.0

BlueCat LiveAssurance User Guide

Product name: BlueCat Infrastructure Assurance
Version: 25.2.0

After you have created a LiveAssurance user for the device you want to add, click New+ in the Credential Sets list. Name the new set immediately, because the name is saved as is once you click out of it. If that happens, select the credential set you want to rename and click the Edit icon to rename it.

The following image shows the Credential Sets list, with the New and Edit icons highlighted.



After you have added the Set name in the List, you should then add the device credentials in the Credentials section by clicking New+, as shown in the following image.



After you have added the credentials and the connection type, add the subnet you want to associate with the credentials.



Note: Privileged Password is required for the following vendors/products:
  • Bluecoat Proxy
  • Cisco ASA
  • FireEye NX
  • Gigamon Gigavue
  • Symantec CAS
Note: If you have created the same LiveAssurance credential across all device vendors you want to add to the system, we recommend using the 0.0.0.0/0 subnet with SSH + HTTP (API) selected. This way you do not have to enter multiple credential sets, each with its connection types and related IP subnet, for every cluster you may have. This greatly reduces the complexity and time required when adding devices to the system.
Note: If you have devices that are not on the same subnet but share the same credentials, we recommend that you add the additional subnets to the list rather than create a user for each device. For ease of use, it is always better to limit the number of credentials being used and instead leverage the subnet feature.

Credential Set by a Sort Order

LiveAssurance uses credential sets in a sort order based on the bitmask (prefix length) of their subnets, most specific first. For example, /32 comes before /28.

You can create multiple credential sets as follows:

  1. Default (0.0.0.0/0) using LiveAssurance user
  2. Narrower (/24) using LiveAssurance user
  3. Even narrower (/32) using indeni-admin

In this example, the system will use the credential in #3 with the username indeni-admin as a preference when connecting to a device. If the system cannot connect to the device using the credential in #3, it will try #2, then #1.

Configuring SSH Keys

While you can use a username/password to authenticate to a device, it is not the most secure method. Instead, you can use SSH keys for authentication when connecting to a device. SSH keys not only improve security but also enable the automation of connected processes.

To generate an SSH key pair, use the following procedure:
  1. To ensure that your SSH key is in a format that LiveAssurance supports, use the following command to generate the SSH key:
    ssh-keygen -b 4096 -t rsa -m PEM -f BCIAKeys

    The generated keys are saved in their corresponding files that are automatically created based on the specified filename (that is, BCIAKeys for the private key and BCIAKeys.pub for the public key in this example).

  2. You are prompted to enter a passphrase:
    • If you choose to enter a passphrase, the private key file (BCIAKeys in this example) is encrypted.
    • If you choose not to enter a passphrase, the private key is stored in plaintext.
  3. A completion message is displayed.

Next, add new credentials in the LiveAssurance UI, with SSH Private Key as the authentication method:
  1. Select the Devices tab in the sidebar, then select Credential Sets.

  2. In the Credentials section, select New to create new credentials.

  3. In the New Credentials window that is displayed, select SSH Private Key from the drop-down menu and complete the configuration as required.

    Note:
    • The private key should be pasted in plaintext PEM format (typically starting with a line similar to -----BEGIN PRIVATE KEY-----). The private key data is kept on LiveAssurance in a highly confidential encrypted data store.
    • If you entered a passphrase when generating the SSH keys, the private key file is encrypted. However, as the private key must be pasted in plaintext PEM format, use the following command to convert the encrypted key to plaintext with OpenSSL:
      openssl rsa -in BCIAKeys -out BCIAKeys.decoded
    • For Linux-based systems, the Public Key should be added to the authorized_keys file located at /home/<user>/.ssh/authorized_keys for the device.
  4. Select Save.

The following image shows an example of the New Credentials window.
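
A pre-paste check for the key file produced by the procedure above, as an added example that is not part of the BlueCat documentation: it reads only the PEM armour and header lines to tell an OpenSSH-format key, an encrypted PEM key and a plaintext PEM key apart, and checks that a plaintext key file is readable by its owner only. The function names are hypothetical, and the owner-only permission check is an assumption of this example, not a stated product requirement.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not LiveAssurance tooling.
# Only the PEM armour and header lines are inspected; key material is never printed.

# Prints one of: openssh | pem-encrypted | pem-plaintext | unknown
key_state() {
    first=$(head -n 1 "$1" | tr -d '\r')
    case "$first" in
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            echo openssh ;;            # OpenSSH native format, not PEM
        "-----BEGIN ENCRYPTED PRIVATE KEY-----")
            echo pem-encrypted ;;      # PKCS#8, passphrase-protected
        "-----BEGIN RSA PRIVATE KEY-----")
            # Traditional PEM marks encryption in a header line, not in the armour.
            if head -n 3 "$1" | grep -q '^Proc-Type: 4,ENCRYPTED'; then
                echo pem-encrypted
            else
                echo pem-plaintext
            fi ;;
        "-----BEGIN PRIVATE KEY-----")
            echo pem-plaintext ;;      # PKCS#8, unencrypted
        *)
            echo unknown ;;
    esac
}

# Returns 0 when group and other have no permission bits on the file.
# Assumption of this example: a plaintext key on disk should be owner-only.
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Returns 0 only for a plaintext PEM key that is readable by its owner alone.
ready_to_paste() {
    state=$(key_state "$1")
    case "$state" in
        pem-plaintext)
            owner_only "$1" && return 0
            echo "$1: plaintext key, run chmod 600 on it" >&2; return 1 ;;
        pem-encrypted)
            echo "$1: encrypted, decode it with openssl rsa first" >&2; return 1 ;;
        openssh)
            echo "$1: OpenSSH format, regenerate with -m PEM" >&2; return 1 ;;
        *)
            echo "$1: not a recognised private key file" >&2; return 1 ;;
    esac
}

# Optional command-line use: sh thisfile.sh BCIAKeys.decoded
if [ "$#" -gt 0 ]; then ready_to_paste "$1"; fi
```

Once the key has been pasted and saved, delete the decoded plaintext copy (BCIAKeys.decoded in this example) from the workstation.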



Configuring SNMP Credentials

Refer to 2.1 Creating Users on Vendor Devices for the specific vendor.

For example, refer to 2.1.9 Palo Alto Networks for instructions on how to add the credential sets.