Product documentation Docs
    • English
    • Deutsch
    • 日本語
    • 한국어
    • Français
  • More Sites
    • Now Community
    • Developer Site
    • Knowledge Base
    • Product Information
    • ServiceNow.com
    • Training
    • Customer Success Center
    • ServiceNow Support Videos
  • Log in

Product documentation

  • Home
How search works:
  • Punctuation and capital letters are ignored
  • Special characters like underscores (_) are removed
  • Known synonyms are applied
  • The most relevant topics (based on weighting and matching to search terms) are listed first in search results
Topics are ranked in search results by how closely they match your search terms
  • A match on the entire phrase you typed
  • A match on part of the phrase you typed
  • A match on ALL of the terms in the phrase you typed
  • A match on ANY of the terms in the phrase you typed

Note: Matches in titles are always highly ranked.

  • Release version
    Table of Contents
    • Now Platform capabilities
Table of Contents
Choose your release version
    Home London Platform Capabilities Now Platform capabilities Credentials and connection information Getting started with credentials

    Getting started with credentials

    • Save as PDF Selected topic Topic & subtopics All topics in contents
    • Unsubscribe Log in to subscribe to topics and get notified when content changes.
    • Share this page

    Getting started with credentials

    The MID Server uses the credentials you create in the Credentials [discovery_credentials] table to access resources for Discovery, Orchestration, Service Mapping, and Cloud Management.

    How MID Servers use credentials

    By default, Windows MID Servers use the login credentials of the MID Server service on the host machine to discover Windows devices in the network. You should configure these service credentials so that they have at least local administrator privileges. For Linux and UNIX machines and network devices, the MID Server uses the SSH and SNMP credentials configured in the instance in Discovery > Credentials.

    MID Servers that Orchestration uses must have access to the necessary credentials to execute commands on computers in the network as specified by the Workflow activities. Orchestration can use the same SSH and SNMP credentials as Discovery, but has two additional credentials designed for specific Workflow activities: Windows (for PowerShell) and VMware.

    Encryption and decryption

    The platform stores credentials in an encrypted field on the Credentials [discovery_credentials] table. Once they are entered, they cannot be viewed.

    When credentials are requested by the MID Server, the platform decrypts the credentials using the following process:
    1. The credentials are decrypted on the instance with the password2 fixed key.
    2. The credentials are re-encrypted on the instance with the MID Server's public key.
    3. The credentials are encrypted on the load balancer with SSL.
    4. The credentials are decrypted on the MID Server with SSL.
    5. The credentials are decrypted on the MID Server with the MID Server's private key.
    Note: The platform does not have separate encryption keys for multi-tenant instances.

    Credential order

    Credentials can be assigned an order value in the Credentials Form, which forces the application to try all the credentials at their disposal in a certain sequence. If you do not specify an order value, the application tries the credentials in the Credentials [discovery_credential] table randomly, until it finds one that works, such as when Orchestration attempts to run a command on an SSH server (such as a Linux or UNIX machine), or when Discovery attempts to query an SNMP device (such as a printer, router, or UPS).

    After identifying the credentials for a device, Discovery and Orchestration create an affinity between the credentials and the device using the Credential Affinity [dscy_credentials_affinity] table. All subsequent discoveries or Orchestration activities attempt to match the credentials in this table with a device for which an affinity exists. If credentials for a device change, Discovery and Orchestration try all available credentials again until they create a new affinity.
    Note: If Orchestration and Discovery are installed, and credential alias is enabled, multiple affinities can exist. In this case, the platform looks up credentials for each affinity and inserts the credential for the affinity with the lowest order into the probe.
    Ordering credentials is useful in the following situations:
    • The credentials table contains many credentials, with some used more frequently than others. For example, if the table contains 150 SSH credentials, and 5 of those are used to log into 90% of the devices, it is good practice to configure those five with low order numbers, which places them at the top of the execution list. Discovery and Orchestration will work faster if they try these common credentials first. After the first successful connection, the system knows which credentials to use the next time for each device.
    • The system has aggressive login security. For example, if the Solaris database servers in the network only allow three failed login attempts before they lock out the MID Server, configure the database credentials with a low order value.

    Credential alias

    Credential alias allows flow and workflow creators to:
    • Assign individual credentials to any activity in an Orchestration workflow
    • Assign individual credentials to any action in Flow Designer
    • Assign different credentials to each occurrence of the same activity type in an Orchestration workflow.
    • Assign different credentials to each occurrence of the same action in designer flow.
    Credential alias also works with credential affinities.

    External credential stores

    If you do not want credentials stored in your instance, you can use external credential repositories. External credential stores save the credentials in an external site that your instance can access. Only CyberArk is supported, although other external stores can be configured using the ServiceNow API.

    • Create and test your credentials

      Create and test the credentials that Discovery, Service Mapping, Cloud Management, and Orchestration require to access hardware and software in your network.

    • Credential affinity for Discovery and Orchestration

      Credential affinity is an association between a set of credentials and a device on your network.

    • Credentials troubleshooting

      Review the <credentials_debug> section of the ECC queue payload to troubleshoot issues with credentials.

    • External credential storage

      An instance can store credentials used by Discovery, Orchestration, and Service Mapping in an external credential repository rather than directly in a ServiceNow credentials record.

    Tags:

    Feedback
    On this page

    Previous topic

    Next topic

    • Contact Us
    • Careers
    • Terms of Use
    • Privacy Statement
    • Sitemap
    • © ServiceNow. All rights reserved.

    Release version
    Choose your release version

      Getting started with credentials

      • Save as PDF Selected topic Topic & subtopics All topics in contents
      • Unsubscribe Log in to subscribe to topics and get notified when content changes.
      • Share this page

      Getting started with credentials

      The MID Server uses the credentials you create in the Credentials [discovery_credentials] table to access resources for Discovery, Orchestration, Service Mapping, and Cloud Management.

      How MID Servers use credentials

      By default, Windows MID Servers use the login credentials of the MID Server service on the host machine to discover Windows devices in the network. You should configure these service credentials so that they have at least local administrator privileges. For Linux and UNIX machines and network devices, the MID Server uses the SSH and SNMP credentials configured in the instance in Discovery > Credentials.

      MID Servers that Orchestration uses must have access to the necessary credentials to execute commands on computers in the network as specified by the Workflow activities. Orchestration can use the same SSH and SNMP credentials as Discovery, but has two additional credentials designed for specific Workflow activities: Windows (for PowerShell) and VMware.

      Encryption and decryption

      The platform stores credentials in an encrypted field on the Credentials [discovery_credentials] table. Once they are entered, they cannot be viewed.

      When credentials are requested by the MID Server, the platform decrypts the credentials using the following process:
      1. The credentials are decrypted on the instance with the password2 fixed key.
      2. The credentials are re-encrypted on the instance with the MID Server's public key.
      3. The credentials are encrypted on the load balancer with SSL.
      4. The credentials are decrypted on the MID Server with SSL.
      5. The credentials are decrypted on the MID Server with the MID Server's private key.
      Note: The platform does not have separate encryption keys for multi-tenant instances.

      Credential order

      Credentials can be assigned an order value in the Credentials Form, which forces the application to try all the credentials at their disposal in a certain sequence. If you do not specify an order value, the application tries the credentials in the Credentials [discovery_credential] table randomly, until it finds one that works, such as when Orchestration attempts to run a command on an SSH server (such as a Linux or UNIX machine), or when Discovery attempts to query an SNMP device (such as a printer, router, or UPS).

      After identifying the credentials for a device, Discovery and Orchestration create an affinity between the credentials and the device using the Credential Affinity [dscy_credentials_affinity] table. All subsequent discoveries or Orchestration activities attempt to match the credentials in this table with a device for which an affinity exists. If credentials for a device change, Discovery and Orchestration try all available credentials again until they create a new affinity.
      Note: If Orchestration and Discovery are installed, and credential alias is enabled, multiple affinities can exist. In this case, the platform looks up credentials for each affinity and inserts the credential for the affinity with the lowest order into the probe.
      Ordering credentials is useful in the following situations:
      • The credentials table contains many credentials, with some used more frequently than others. For example, if the table contains 150 SSH credentials, and 5 of those are used to log into 90% of the devices, it is good practice to configure those five with low order numbers, which places them at the top of the execution list. Discovery and Orchestration will work faster if they try these common credentials first. After the first successful connection, the system knows which credentials to use the next time for each device.
      • The system has aggressive login security. For example, if the Solaris database servers in the network only allow three failed login attempts before they lock out the MID Server, configure the database credentials with a low order value.

      Credential alias

      Credential alias allows flow and workflow creators to:
      • Assign individual credentials to any activity in an Orchestration workflow
      • Assign individual credentials to any action in Flow Designer
      • Assign different credentials to each occurrence of the same activity type in an Orchestration workflow.
      • Assign different credentials to each occurrence of the same action in designer flow.
      Credential alias also works with credential affinities.

      External credential stores

      If you do not want credentials stored in your instance, you can use external credential repositories. External credential stores save the credentials in an external site that your instance can access. Only CyberArk is supported, although other external stores can be configured using the ServiceNow API.

      • Create and test your credentials

        Create and test the credentials that Discovery, Service Mapping, Cloud Management, and Orchestration require to access hardware and software in your network.

      • Credential affinity for Discovery and Orchestration

        Credential affinity is an association between a set of credentials and a device on your network.

      • Credentials troubleshooting

        Review the <credentials_debug> section of the ECC queue payload to troubleshoot issues with credentials.

      • External credential storage

        An instance can store credentials used by Discovery, Orchestration, and Service Mapping in an external credential repository rather than directly in a ServiceNow credentials record.

      Tags:

      Feedback

          Share this page

          Got it! Feel free to add a comment
          To share your product suggestions, visit the Idea Portal.
          Please let us know how to improve this content

          Check any that apply

          To share your product suggestions, visit the Idea Portal.
          Confirm

          We were unable to find "Coaching" in Jakarta. Would you like to search instead?

          No Yes
          • Contact Us
          • Careers
          • Terms of Use
          • Privacy Statement
          • Sitemap
          • © ServiceNow. All rights reserved.

          Subscribe Subscribed Unsubscribe Last updated: Tags: January February March April May June July August September October November December No Results Found Versions Search preferences successfully updated My release version successfully updated My release version successfully deleted An error has occurred. Please try again later. You have been unsubscribed from all topics. You are now subscribed to and will receive notifications if any changes are made to this page. You have been unsubscribed from this content Thank you for your feedback. Form temporarily unavailable. Please try again or contact  docfeedback@servicenow.com  to submit your comments. The topic you requested does not exist in the release. You were redirected to a related topic instead. The available release versions for this topic are listed There is no specific version for this documentation. Explore products Click to go to the page. Release notes and upgrades Click to open the dropdown menu. Delete Remove No selected version Reset This field is required You are already subscribed to this topic Attach screenshot The file you uploaded exceeds the allowed file size of 20MB. Please try again with a smaller file. Please complete the reCAPTCHA step to attach a screenshot
          Log in to personalize your search results and subscribe to topics
          No, thanks Login