Introduction to credentials

Credentials are used by Discovery, Orchestration, and Service Mapping to access the external devices that they explore or manage.

How MID Server uses credentials

Windows MID Servers use the login credentials of the MID Server service on the host machine to discover Windows devices in the network. This login is configured when the MID Server is installed and must have domain or local administrator privileges. For Linux and UNIX machines and network devices, the MID Server uses the SSH and SNMP credentials configured in the ServiceNow instance in Discovery > Credentials.

MID Servers used by Orchestration must have access to the necessary credentials to execute commands on computers in the network, as specified by the Workflow activities. Orchestration can use the same SSH and SNMP credentials as Discovery, but has two additional credential types designed for specific Workflow activities: Windows (for PowerShell) and VMware.

Encryption and decryption

Credentials are encrypted automatically with a fixed instance key when they are submitted or updated in the Credentials [discovery_credentials] table. Once they are entered, they cannot be viewed.

When credentials are requested by the MID Server, the platform decrypts the credentials using the following process:
  1. The credentials are decrypted on the instance with the password2 fixed key.
  2. The credentials are re-encrypted on the instance with the MID Server's public key.
  3. The credentials are encrypted on the load balancer with SSL.
  4. The credentials are decrypted on the MID Server with SSL.
  5. The credentials are decrypted on the MID Server with the MID Server's private key.

Note: The platform does not have separate encryption keys for multi-tenant instances.
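The five-step handoff above is an envelope scheme: the credential sits at rest under one fixed instance key, and when a MID Server asks for it the instance decrypts it only long enough to re-encrypt it for that MID Server's public key, so the plaintext never travels and only the holder of the matching private key can recover it. The following Go program is an added illustration of that flow, not ServiceNow or MID Server code; the fixed key, the use of AES-256-GCM with an RSA-OAEP wrapped session key, and the function names are assumptions made for the example. Steps 3 and 4 (TLS between the load balancer and the MID Server) are transport protection and are not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed stand-in for the fixed instance key that protects credentials at rest.
var instanceKey = sha256.Sum256([]byte("constructed-fixed-instance-key"))

// OAEP label binding the wrapped session key to this purpose (assumption, not a ServiceNow value).
var oaepLabel = []byte("mid-server-credential")

// sealWithKey encrypts with AES-256-GCM; the random nonce is prepended to the ciphertext.
func sealWithKey(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openWithKey reverses sealWithKey and fails on any tampering with the ciphertext.
func openWithKey(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// StoreCredential models submission to the Credentials table: encrypt with the fixed instance key.
func StoreCredential(secret string) ([]byte, error) {
	return sealWithKey(instanceKey[:], []byte(secret))
}

// Envelope is what the instance hands to a MID Server: the secret under a fresh
// session key, and that session key wrapped with the MID Server's RSA public key.
type Envelope struct {
	WrappedKey []byte
	Sealed     []byte
}

// PrepareForMIDServer performs steps 1 and 2: decrypt with the fixed key, then
// re-encrypt so that only the holder of the MID Server's private key can read it.
func PrepareForMIDServer(stored []byte, midPub *rsa.PublicKey) (*Envelope, error) {
	secret, err := openWithKey(instanceKey[:], stored)
	if err != nil {
		return nil, err
	}
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	sealed, err := sealWithKey(sessionKey, secret)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, midPub, sessionKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Sealed: sealed}, nil
}

// OpenOnMIDServer performs step 5: unwrap the session key with the private key, then open the secret.
func OpenOnMIDServer(env *Envelope, midPriv *rsa.PrivateKey) (string, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, midPriv, env.WrappedKey, oaepLabel)
	if err != nil {
		return "", err
	}
	secret, err := openWithKey(sessionKey, env.Sealed)
	if err != nil {
		return "", err
	}
	return string(secret), nil
}

func main() {
	midKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	stored, _ := StoreCredential("constructed-ssh-password")
	env, _ := PrepareForMIDServer(stored, &midKey.PublicKey)
	fmt.Println(OpenOnMIDServer(env, midKey)) // the intended MID Server recovers the secret
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err := OpenOnMIDServer(env, other) // a different MID Server's key cannot
	fmt.Println("other key:", err)
}
```

The point the example makes visible is the trust boundary: compromise of the transport alone yields only an envelope addressed to one MID Server, and a MID Server with a different key pair gets a decryption error rather than the credential.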

Credential order

When Orchestration attempts to run a command on an SSH server (such as a Linux or UNIX machine), or when Discovery attempts to query an SNMP device (such as a printer, router, or UPS), the application tries the credentials in the Credentials [discovery_credentials] table in random order until it finds one that works.

Credentials can be assigned an order value in the Credentials Form, which forces Discovery and Orchestration to try all the credentials at their disposal in a certain sequence. Ordering credentials is useful in the following situations:
  • The credentials table contains many credentials, with some used more frequently than others. For example, if the table contains 150 SSH credentials, and 5 of those are used to log into 90% of the devices, it is good practice to configure those five with low order numbers, which places them at the top of the execution list. Discovery and Orchestration will work faster if they try these common credentials first. After the first successful connection, the system knows which credentials to use the next time for each device.
  • The system has aggressive login security. For example, if the Solaris database servers in the network only allow three failed login attempts before they lock out the MID Server, configure the database credentials with a low order value.
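Both situations above come down to the same two controls: try credentials in ascending order value, and remember the credential that worked for each device so later connections need one attempt. The aggressive-lockout case adds a third: stop scanning before the target's failed-attempt limit is reached. The Go program below is an added illustration of that selection logic, not the Discovery or Orchestration implementation; the Credential type, the Selector, the per-run attempt budget and the Prober callback are assumptions made for the example, and the credential names and devices are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Credential is a constructed model of a row in discovery_credentials, carrying the
// order value from the Credentials form; lower values are tried first.
type Credential struct {
	Name  string
	Order int
}

// Prober stands in for an SSH or SNMP login attempt against a device.
type Prober func(device string, cred Credential) bool

// Selector tries credentials in order and remembers the one that worked per device.
type Selector struct {
	ordered     []Credential
	affinity    map[string]Credential
	maxAttempts int // per device per run; set this below the target's lockout threshold
}

// NewSelector sorts the credentials by order value once; ties keep table order.
func NewSelector(creds []Credential, maxAttempts int) *Selector {
	ordered := append([]Credential(nil), creds...)
	sort.SliceStable(ordered, func(i, j int) bool { return ordered[i].Order < ordered[j].Order })
	return &Selector{ordered: ordered, affinity: map[string]Credential{}, maxAttempts: maxAttempts}
}

// Connect returns the name of the credential that worked and how many attempts it took.
func (s *Selector) Connect(device string, probe Prober) (string, int, error) {
	attempts := 0
	var failedAffinity string
	// A credential that worked before for this device is tried first, on its own.
	if c, ok := s.affinity[device]; ok {
		attempts++
		if probe(device, c) {
			return c.Name, attempts, nil
		}
		delete(s.affinity, device) // rotated or revoked: fall back to the ordered scan
		failedAffinity = c.Name
	}
	for _, c := range s.ordered {
		if c.Name == failedAffinity {
			continue
		}
		if attempts >= s.maxAttempts {
			return "", attempts, fmt.Errorf("%s: stopped after %d attempts to stay under the lockout threshold", device, attempts)
		}
		attempts++
		if probe(device, c) {
			s.affinity[device] = c // next time this device needs a single attempt
			return c.Name, attempts, nil
		}
	}
	return "", attempts, fmt.Errorf("%s: no credential succeeded", device)
}

func main() {
	creds := []Credential{{"generic-ssh", 100}, {"svc-linux", 10}, {"svc-db-solaris", 1}}
	accepts := map[string]string{"db01": "svc-db-solaris", "web01": "svc-linux", "old01": "generic-ssh"}
	probe := func(device string, c Credential) bool { return accepts[device] == c.Name }
	s := NewSelector(creds, 2) // budget of two attempts, for a three-strikes lockout policy
	for _, dev := range []string{"db01", "web01", "old01", "web01"} {
		fmt.Println(s.Connect(dev, probe))
	}
}
```

Running it shows db01 and web01 succeed within budget, old01 is abandoned after two failures rather than being locked out, and the second connection to web01 takes a single attempt because of the stored affinity. Raising the budget to three lets old01 succeed on its third credential.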

Tagging

Credential tagging allows workflow creators to assign individual credentials to any activity in an Orchestration workflow or assign different credentials to each occurrence of the same activity type in an Orchestration workflow. Credential tagging also works with credential affinities.