MID Server Governance
- Updated Aug 1, 2024
- Xanadu
- MID Server
Improve MID Server security by setting an automatic timeout to invalidate and shut down inactive MID Servers. You can enable this feature and set the inactivity timeout period globally and for each MID Server.
Overview of MID Server Governance
MID Server Governance prevents forgotten MID Servers that are still connected to a ServiceNow instance from being used by an attacker if the instance is compromised. MID Server Governance also keeps a record of the last status change in the MID Server validation/invalidation process.
This feature is not enabled by default, but it is available out of the box as part of the MID Server plugin. Once enabled, MID Server authentication expires after a predetermined period of inactivity unless the MID Server is explicitly configured to never expire.
Enable and Configure MID Server Governance
MID Server Governance is enabled for all MID Servers by setting the true/false system property mid.inactivity.timeout.enabled to true. This property is not defined by default. The global inactivity timeout is specified by the integer system property mid.inactivity.timeout.days, which gives the timeout in days. If the property is not specified, the default timeout is 30 days.
You can override the timeout for a particular MID Server by specifying mid.inactivity.timeout.days as a configuration parameter on that MID Server. A timeout value of 0 disables MID Server Governance on that MID Server. Therefore, you can set a global timeout and also change or disable timeouts for certain MID Servers.
You do not need to restart the MID Server after changing the Governance configuration. Governance works with either basic or mutual authentication.
Activity Tracking
The MID Server analyzes activity by tracking incoming and outgoing ECC queue messages. Once per hour, the MID Server reports its last activity to the instance, where it is stored in the ecc_agent record, and checks whether the inactivity timeout has been reached. If the inactivity timeout has been reached and the MID Server is up, the MID Server is invalidated and shuts down. If the timeout is reached while the MID Server is down, a job on the instance determines that the MID Server is idle and invalidates it on the instance.
As the timeout approaches, a message is displayed on the MID Server record:
- An info message when 3-7 days remain before the inactivity timeout.
- An error message when less than 3 days remain before the inactivity timeout.
After a MID Server has been auto-invalidated, an error message is displayed indicating the date on which it was auto-invalidated.
Clearing the auto-invalidated state
After a MID Server has been auto-invalidated, the auto-invalidated status must be cleared manually before the MID Server can be brought back up successfully. If the MID Server is restarted without clearing this state, it shuts down immediately, and a MID issue is logged to record the occurrence.
The auto-invalidated state of a MID Server is cleared by selecting the Clear auto invalidated UI action on the MID Server record. After invoking this UI action, start the MID Server and continue with the usual validation process.
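The three rules spread over the sections above (timeout precedence: per-MID parameter over global property over the 30-day default, with 0 disabling governance; the hourly check with its info/error thresholds and the up/down split; and the clear-before-restart rule) fit into one small model. The following is an added example written for this page, not ServiceNow code: the dataclasses, function names, MID Server names and dates are constructed, and the code only models the behaviour the page describes. It does not talk to an instance or read the real system properties.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Default used when mid.inactivity.timeout.days is not set as a system property (from the page).
DEFAULT_TIMEOUT_DAYS = 30


@dataclass
class GovernanceConfig:
    """Instance-wide settings: the two system properties named on the page."""
    enabled: bool                        # mid.inactivity.timeout.enabled
    global_days: Optional[int] = None    # mid.inactivity.timeout.days; None = property undefined


@dataclass
class MidServer:
    """Constructed stand-in for the fields of an ecc_agent record that matter here."""
    name: str
    last_activity: datetime              # reported hourly from ECC queue traffic
    up: bool
    days_override: Optional[int] = None  # mid.inactivity.timeout.days as a MID config parameter
    auto_invalidated: bool = False
    auto_invalidated_on: Optional[datetime] = None


def effective_timeout_days(cfg: GovernanceConfig, mid: MidServer) -> Optional[int]:
    """Resolve the timeout that applies to one MID Server.

    Returns None when governance does not apply: the feature is disabled
    globally, or this MID Server overrides the timeout with 0.
    """
    if not cfg.enabled:
        return None
    if mid.days_override is not None:
        days = mid.days_override
    elif cfg.global_days is not None:
        days = cfg.global_days
    else:
        days = DEFAULT_TIMEOUT_DAYS
    return None if days == 0 else days


def hourly_check(cfg: GovernanceConfig, mid: MidServer, now: datetime) -> dict:
    """Model of the once-per-hour check; returns the action and the message level."""
    days = effective_timeout_days(cfg, mid)
    if days is None:
        return {"action": "none", "level": None, "remaining_days": None}
    remaining = days - (now - mid.last_activity).days
    if remaining <= 0:
        # Timeout reached: a running MID Server invalidates itself and shuts down;
        # a stopped one is invalidated on the instance by the instance-side job.
        mid.auto_invalidated = True
        mid.auto_invalidated_on = now
        action = "invalidate_and_shutdown" if mid.up else "invalidate_on_instance"
        mid.up = False
        return {"action": action, "level": "error", "remaining_days": 0}
    if remaining < 3:
        level = "error"   # less than 3 days remain
    elif remaining <= 7:
        level = "info"    # 3-7 days remain
    else:
        level = None
    return {"action": "none", "level": level, "remaining_days": remaining}


def start_mid(mid: MidServer) -> bool:
    """A restarted MID Server whose auto-invalidated state was not cleared shuts down at once."""
    if mid.auto_invalidated:
        return False      # shuts down immediately; a MID issue is logged
    mid.up = True
    return True


def clear_auto_invalidated(mid: MidServer) -> None:
    """Model of the 'Clear auto invalidated' UI action."""
    mid.auto_invalidated = False
    mid.auto_invalidated_on = None


def demo() -> dict:
    """Run the check over a constructed fleet (names and dates are made up)."""
    now = datetime(2024, 8, 1)
    cfg = GovernanceConfig(enabled=True, global_days=None)  # falls back to 30 days
    fleet = [
        MidServer("mid-prod-01", now - timedelta(days=1), up=True),                 # 29 days left
        MidServer("mid-lab-02", now - timedelta(days=25), up=True),                 # 5 days left
        MidServer("mid-lab-03", now - timedelta(days=28), up=True),                 # 2 days left
        MidServer("mid-old-04", now - timedelta(days=45), up=False),                # expired, down
        MidServer("mid-pinned-05", now - timedelta(days=400), up=True, days_override=0),
        MidServer("mid-strict-06", now - timedelta(days=12), up=True, days_override=10),
    ]
    results = {m.name: hourly_check(cfg, m, now) for m in fleet}
    # Restart path for the expired server: blocked until the state is cleared.
    old = fleet[3]
    results["mid-old-04"]["restart_before_clear"] = start_mid(old)
    clear_auto_invalidated(old)
    results["mid-old-04"]["restart_after_clear"] = start_mid(old)
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The `mid-pinned-05` entry shows why a per-MID value of 0 deserves attention in a review: it is the one setting that exempts a server from governance entirely, so an inventory of MID Servers with that override is a useful thing to keep.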
Purpose field
The Purpose field is a free-text field that the customer can update at any time to describe the intended usage of the MID Server. The field is purely descriptive and has no effect on Governance behaviour.
Related Content
- MID Server certificate check policies
MID Server uses three kinds of security checks to secure external traffic. The security checks use TLS/SSL certificate validation, hostname validation, and OCSP validation to improve security. Control these security checks with the MID Server certificate check policies table.
- Encrypt or decrypt MID Server configuration file values
The value of any MID Server parameter in the config.xml file can be encrypted. The attributes for all encrypted values are managed from within the configuration file, including the security attribute of the login password.
- MID Server configuration file security
Sensitive MID Server configuration data can be protected using several different schemes, including internal and external data encryption and external data storage.
- MID Server authentication credentials and SOAP requests
Set basic authentication credentials to update the web service invocation data. For added security, you can enforce basic authentication on each incoming SOAP request to the MID Server.
- MID Server unified key store
The MID Server unified key store allows all products on the MID Server to use common certificates and key pairs. This feature allows applications to use the same secure communication channel to the MID Server that the MID Server uses to connect to the instance.
- Enable MID Server mutual authentication
Configure the MID Server to use a client certificate for authenticating to the instance. This avoids the need to create basic authentication credentials in the Key Store for the MID Server's configuration.
- MID Server Azure Key Vault integration
The MID Server integration with Azure Key Vault enables Orchestration, Discovery, and Service Mapping to run without storing any credentials on the instance.
- MID Server command audit log
The command audit log records the commands run by the MID Server for the Discovery application. Review the commands to check for anomalies or errors.
- Rekey a MID Server
Rekey a MID Server to generate a new private key. Private keys are used to decrypt automation credentials, so that MID Servers can transmit information securely. Key pairs are initially generated when a MID Server is validated, and MID Servers should be rekeyed periodically to meet security requirements.
- Add SSL certificates for the MID Server
Configure the MID Server to connect to a source over SSL.
- MID Server SSH cryptographic algorithms
The MID Server uses SSH clients to perform many discovery actions. During the SSH handshake, the client and server first determine which algorithms both parties support, then the client picks the highest-priority algorithm. For the Host Key Algorithm, the client picks the highest-priority algorithm that both parties support and that matches the key type.
- Attach a script file to a file synchronized MID Server
You can attach a script file to synchronize to a connected MID Server. Windows Internet Explorer enhanced security blocks downloaded files that it determines are potentially dangerous; synchronizing the files avoids this problem.
- MID Server FIPS Enforced Mode
The MID Server supports the National Security Cloud (NSC) IL-5 environment, which requires all cryptography in use to be FIPS validated. The MID Server can be run in FIPS Enforced Mode, in which only FIPS-validated cryptographic algorithms are used.