    SSH credentials

    Discovery, Orchestration, and IntegrationHub explore UNIX and Linux devices by using SSH credentials to execute commands over Secure Shell (SSH). SSH commands must run with root privileges, either with root credentials or through the use of sudo.

    Privileged commands

    The platform provides default privileged commands for the MID Server to use and the ability to add additional commands to the system. For details about using sudo and other privileged commands, see MID Server privileged commands.

    Commands that require root privileges for Discovery, Orchestration, and IntegrationHub

    These examples assume that the user name is Disco. Substitute the actual user name and ensure that the paths for the commands match the paths on the system.
    Note: Sudo commands do not work with private key credentials, because there is no password to supply to the sudo command. A solution is to add the NOPASSWD option to the sudo configuration. For example, you might enter: disco ALL=(root) NOPASSWD:/usr/sbin/dmidecode,/usr/sbin/lsof,/sbin/ifconfig.
    Table 1. UNIX and Linux commands requiring root privileges
    Command Purpose
    HP-UX
    adb Gathers CPU speed and memory.
    • /etc/sudoers line example: Disco ALL=(root) /usr/bin/adb
    • Used by: Discovery
    All Linux and UNIX versions
    chage Changes the number of days between password changes and the date of the last password change.
    • /etc/sudoers line example: Disco ALL=(root) /usr/bin/chage
    • Used by: Orchestration and IntegrationHub
    chpasswd Changes user passwords.
    • /etc/sudoers line example: Disco ALL=(root) /etc/chpasswd
    • Used by: Orchestration and IntegrationHub
    All Linux
    dmidecode Gathers several pieces of information about the hardware, including the serial number embedded within the motherboard.
    • /etc/sudoers line example: Disco ALL=(root) /sbin/dmidecode
    • Used by: Discovery
    fdisk Gathers the disks and size information on the system.
    • /etc/sudoers line example: Disco ALL=(root) /usr/bin/fdisk -l
    • Used by: Discovery
    multipath Gathers device mappings for MPIO.
    • /etc/sudoers line example: Disco ALL=(root) /usr/bin/multipath -ll
    • Used by: Discovery
    Linux and Solaris
    dmsetup Examines a low level volume.
    • /etc/sudoers line example:
      • Disco ALL=(root) /usr/bin/dmsetup table *
      • Disco ALL=(root) /usr/bin/dmsetup ls
    • Used by: Discovery
    All UNIX versions
    lsof Determines the relationship between processes and the connections being made to the system.
    • /etc/sudoers line example: Disco ALL=(root) /sbin/lsof
    • Used by: Discovery
    oratab Grants read access to the oratab file for locating the Oracle Home and pfile.
    • /etc/sudoers line example: N/A
    • Used by: Discovery
    Solaris
    iscsiadm Gets iSCSI IQNs.
    • /etc/sudoers line example: ${sudo:iscsiadm list target -S}
    • Used by: Discovery
    fcinfo Gets WWPNs for ports.
    • /etc/sudoers line example: ${sudo:fcinfo remote-port -sl -p $port}
    • Used by: Discovery
    prtvtoc Reports information about disk partitions.
    • /etc/sudoers line example: Disco ALL=(root) /usr/bin/prtvtoc
    • Used by: Discovery
    /usr/bin/ps Lists running processes. As an alternative to running with root access, add a proc_owner role.
    • /etc/sudoers line example: Disco ALL=(root) /usr/bin/ps
    • Used by: Discovery
    /usr/ucb/ps Lists running processes. As an alternative to running with root access, add a proc_owner role.
    The use of the /usr/ucb/ps command is deprecated as of Solaris 11. Because Discovery, Orchestration, and IntegrationHub require the use of this command for all Solaris versions, you must install the ucb utility manually on Solaris 11 systems. For instructions, see KB0564262.
    • /etc/sudoers line example: Disco ALL=(root) /usr/ucb/ps
    • Used by: Discovery

    For the privileged commands that Discovery and Service Mapping need to discover and map Unix-based hosts in your organization, see Service Mapping commands requiring a privileged user.

    Granting root privileges

    Use either of these approaches to allow users to run SSH commands with root privileges:
    • Give root credentials. These are obviously the most powerful credentials, but may not be desirable from a security perspective. If Discovery, Orchestration, or IntegrationHub have the root credentials to any UNIX or Linux system, no further configuration is required.
    • Give other credentials for Discovery, Orchestration, or IntegrationHub, but grant the user in those credentials the right to execute certain commands with root privileges, using sudo. This is a secure way to grant limited privileges. Discovery, Orchestration, or IntegrationHub use sudo on any probe that has the must_sudo parameter set to true (it defaults to false). However, each system must be configured to allow sudo to work. This is done by editing the /etc/sudoers file using the visudo command.
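
    An added example (not ServiceNow tooling) that audits what a discovery account has actually been granted in sudoers against the commands this page lists. The allowlist uses the Linux Discovery rows of Table 1 with the paths given there; the function names, status labels and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the sudoers entries granted to a discovery account.
# Simplified parser: one rule per line, no Cmnd_Alias expansion, no line
# continuations, no escaped commas inside command arguments.

# Allowlist: Linux Discovery commands and paths as written in Table 1,
# separated by ";". Adjust the paths to match the target system.
ALLOWED='/sbin/dmidecode;/usr/bin/fdisk -l;/usr/bin/multipath -ll;/usr/bin/dmsetup table *;/usr/bin/dmsetup ls;/sbin/lsof'

# Constructed sample input (not taken from a real host).
sample_sudoers() {
    cat <<'EOF'
# discovery account
disco ALL=(root) NOPASSWD:/sbin/dmidecode,/sbin/lsof,/sbin/ifconfig
disco ALL=(root) /usr/bin/fdisk -l
disco ALL=(root) /usr/bin/dmsetup table *
disco ALL=(ALL) ALL
backup ALL=(root) /usr/bin/rsync
EOF
}

# audit_sudoers USER   (sudoers text on stdin)
# Prints one tab-separated line per granted command: STATUS, AUTH, COMMAND
#   OK            command spec is on the allowlist
#   UNLISTED      absolute path that is not on the allowlist
#   NOT-ABSOLUTE  alias or relative name; resolve it before approving
#   UNRESTRICTED  "ALL": the account can run anything as the runas user
# AUTH is "nopasswd" when a NOPASSWD: tag applies, otherwise "passwd".
audit_sudoers() {
    awk -v user="$1" -v allowed="$ALLOWED" '
    BEGIN {
        n = split(allowed, a, ";")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    /^[ \t]*#/ || NF == 0 { next }      # comments and blank lines
    $1 != user { next }                  # rules for other accounts
    {
        spec = $0
        sub(/^[^=]*=[ \t]*/, "", spec)       # drop "user host ="
        sub(/^\([^)]*\)[ \t]*/, "", spec)    # drop "(runas)"
        auth = "passwd"
        m = split(spec, cmds, ",")
        for (i = 1; i <= m; i++) {
            c = cmds[i]
            gsub(/^[ \t]+|[ \t]+$/, "", c)
            # A tag applies to its own command and the ones after it.
            if (c ~ /^NOPASSWD:/) { auth = "nopasswd"; sub(/^NOPASSWD:[ \t]*/, "", c) }
            else if (c ~ /^PASSWD:/) { auth = "passwd"; sub(/^PASSWD:[ \t]*/, "", c) }
            if (c == "ALL") status = "UNRESTRICTED"
            else if (c !~ /^\//) status = "NOT-ABSOLUTE"
            else if (c in ok) status = "OK"
            else status = "UNLISTED"
            printf "%s\t%s\t%s\n", status, auth, c
        }
    }'
}

sample_sudoers | audit_sudoers disco
```

    Before installing an edited file, `visudo -cf <file>` checks its syntax without opening an editor.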

    Access Requirements for Non-Root Credentials

    If you do not provide Discovery with root access credentials, you must provide credentials with the following access requirements.
    Application | File or Directory | Access Required
    Apache | httpd.conf | Read
    Hbase | hbase-site.xml | Read
    JBoss | jboss-service.xml | Read
    JBoss | JBoss home directory | Read
    JBoss | web.xml | Read
    MySQL | my.cnf | Read
    NGINX | nginx.conf | Read
    Oracle | oratab | Read
    Oracle | Associated (s) pfiles | Read
    Oracle Listener | lsnrctl | Execute
    Oracle Listener | listener.ora | Read
    Tomcat | catalina.jar | Read
    Tomcat | server.xml | Read
    Tomcat | web.xml | Read
    Unix | /etc/*release | Read
    Unix | /etc/bashrc | Read
    Unix | /etc/profile | Read
    Unix | /proc/cpuinfo | Read
    Unix | /proc/vmware/sched/ncpus | Read
    Unix | /var/log/dmesg | Read
    Unix | APD directory | Read
    WebSphere | cell.xml | Read
    WebSphere | server.xml | Read
    WebSphere | serverindex.xml | Read

    SSH credential type

    These fields are available in the SSH credentials form.
    Field Description
    Name Enter a unique and descriptive name for this credential.
    Active Enable or disable these credentials for use.
    User name Enter the user name to create in the Credentials table. Avoid leading or trailing spaces in user names. A warning appears if the platform detects leading or trailing spaces in the user name. For CIM discovery, the user must have the admin role.
    Password Enter the password.
    Credential ID Enter the unique key configured for external credentials in the JAR file uploaded to the MID Server for an external credential system. The Credential ID field has a limit of 40 characters.

    This field is only visible when the External credential store check box is selected.

    Credential alias
    • Allow flow designers to use aliases to manage connection and credential information. Using an alias eliminates the need to configure multiple credentials and connection information profiles when using multiple environments. If the connection or credential information changes, you do not need to update any actions that use the connection. For more information, see Credentials and connection information.
    • Allow workflow creators to assign individual credentials to any activity in an Orchestration workflow or assign different credentials to each occurrence of the same activity type in an Orchestration workflow. To use the credential for discovering CIs not belonging to this CI type using Service Mapping and Discovery patterns, enter the table name for the CI type to which the CI belongs, for example cmdb_ci_apache_web_server. For more information, see Change credentials to non-default.
    External credential store Select this check box to use an external credential storage system. When you select this option, the User name and Password fields are replaced with the Credential ID field. External credential storage is only available when the External Credential Storage plugin is activated.
    Note: Currently, the only supported external storage system is CyberArk.
    Applies to

    Select whether to apply these credentials to All MID servers in your network, or to one or more Specific MID servers. Specify the MID Servers that should use these credentials in the MID servers field.

    MID servers Select one or more MID Servers from the list of available MID Servers. The credentials configured in this record are available to the MID Servers in this list. This field is available only when you select Specific MID servers from the Applies to field.
    Order

    Order (sequence) in which Discovery tries this credential as it attempts to log on to devices. The smaller the number, the higher in the list this credential appears. Establish credential order when using large numbers of credentials or when security locks out users after three failed login attempts. If all the credentials have the same order number (or none), the instance tries the credentials in a random order.

    SSH private key credential type

    Note: SSH private key credentials provide better security than SSH password credentials.
    Field Input value
    Name Unique and descriptive name for this credential. For example, you might call it SSH Atlanta.
    Active Enable or disable these credentials for use.
    User name Enter a UNIX or Linux user name. Avoid leading or trailing spaces in user names. A warning appears if the platform detects leading or trailing spaces in the user name.
    Password Enter the UNIX or Linux password. For SSH Private Key type credentials, enter the sudo password if one is required for the user name.
    SSH passphrase Type a secure SSH passphrase. This field is available only for SSH Private Key credentials.
    SSH private key Enter a secure, private key that can be used instead of a password for SSH logins.

    The private key must be entered in the proper format to ensure it is correctly encrypted. The private key must start with the string -----BEGIN.

    Here is an example of a correctly formatted private key:

    -----BEGIN RSA PRIVATE KEY-----
    MIIEogIBAAKCAQEAsEK65scPssPSobpDFMpR+Btv3MS4Q7NP8ERaStRZsh3IWz+x...
    ...7hrxV2dbSug60FahyupGWBGtPnXm5PaE2X5WPLuUj94ue48i1Fs
    -----END RSA PRIVATE KEY-----

    The Now Platform supports private keys in the PEM format generated by the OpenSSH ssh-keygen utility. To convert PPK keys that were generated by PuTTY:

    • Open your private key in PuTTYGen.
    • Export it in OpenSSH format from the menu Conversions > Export OpenSSH key.
    • Save the new OpenSSH key.
    Credential alias
    • Allow flow designers to use aliases to manage connection and credential information. Using an alias eliminates the need to configure multiple credentials and connection information profiles when using multiple environments. If the connection or credential information changes, you do not need to update any actions that use the connection. For more information, see Credentials and connection information.
    • Allow workflow creators to assign individual credentials to any activity in an Orchestration workflow or assign different credentials to each occurrence of the same activity type in an Orchestration workflow.
    External credential store Select this check box to use an external credential storage system. When you select this option the User name and Password fields are replaced with the Credential ID field. Currently, the only supported external storage system is CyberArk.
    MID servers Select one or more MID Servers from the list of available MID Servers. The credentials configured in this record are available to the MID Servers in this list. This field is available only when you select Specific MID servers from the Applies to field.
    Applies to Select whether to apply these credentials to All MID servers in your network, or to one or more Specific MID servers. Specify the MID Servers that should use these credentials in the MID servers field.
    Order The order (sequence) in which the platform tries this credential as it attempts to log onto devices. The smaller the number, the higher in the list this credential appears. Establish credential order when using large numbers of credentials or when security locks out users after three failed login attempts. If all the credentials have the same order number (or none), Discovery or Orchestration tries the credentials in a random order.
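
    The SSH private key field rules above (the text must start with -----BEGIN, and PuTTY PPK keys must be converted first) can be checked before pasting. This is an added example, not ServiceNow tooling; the function names, verdict labels and the sample key text are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check of key text before pasting it into the
# SSH private key field. Reads the key on stdin and prints one verdict:
#   pem:<TYPE>            first line is a -----BEGIN header, END line matches
#   pem-encrypted:<TYPE>  same, and the key is passphrase-protected, so the
#                         SSH passphrase field must be filled in as well
#   ppk                   PuTTY format; export it as OpenSSH from PuTTYgen
#   invalid:<reason>
# Encryption is detected from the legacy "Proc-Type: 4,ENCRYPTED" header or
# an "ENCRYPTED PRIVATE KEY" block type. Keys in the newer
# "OPENSSH PRIVATE KEY" container do not show it in the header.
check_key_format() {
    tr -d '\r' | awk '
    NR == 1 {
        if ($0 ~ /^PuTTY-User-Key-File-/) { verdict = "ppk"; exit }
        if ($0 !~ /^-----BEGIN [A-Z0-9 ]+-----$/) {
            verdict = "invalid:first line is not a -----BEGIN header"; exit
        }
        type = $0
        sub(/^-----BEGIN /, "", type)
        sub(/-----$/, "", type)
        if (type !~ /PRIVATE KEY$/) { verdict = "invalid:not a private key block"; exit }
    }
    /^Proc-Type: 4,ENCRYPTED/ { enc = 1 }
    /^-----END / { footer = $0 }
    END {
        if (verdict == "") {
            if (footer != ("-----END " type "-----"))
                verdict = "invalid:missing or mismatched END line"
            else if (enc || type ~ /^ENCRYPTED /)
                verdict = "pem-encrypted:" type
            else
                verdict = "pem:" type
        }
        print verdict
    }'
}

# Constructed sample: the body is placeholder base64, not key material.
sample_pem() {
    cat <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQtU0FNUExFLU5PVC1BLUtFWQ==
-----END RSA PRIVATE KEY-----
EOF
}

# Constructed sample: legacy PEM layout of a passphrase-protected key.
sample_encrypted_pem() {
    cat <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00000000000000000000000000000000

Q09OU1RSVUNURUQtU0FNUExFLU5PVC1BLUtFWQ==
-----END RSA PRIVATE KEY-----
EOF
}

sample_pem | check_key_format
sample_encrypted_pem | check_key_format
# A paste with a blank line before the header fails the -----BEGIN rule.
{ echo; sample_pem; } | check_key_format
```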
