Credential Management in ServiceNow discovery

Service now is an agent less discovery mechanism that we use to populate CMDB with critical assets and applications in support of business services.  To accomplish these goals, the use of specific credentials is needed to access the client’s systems.

Credentials are stored in your ServiceNow instance or in the case of Windows systems they can also be used to run the MID Server Application on the host itself, but not preferred.



Credentials are kept in the instance and encrypted in the ServiceNow database and are loaded by the MID Server application at start up. The credentials are kept only in running memory local to the Host, they are not written to any local files.  With any update made to these entries, we should put a request in the queue for the MID Server to reload the credential table ensuring we have the most available and current access to your targets.

As discovery runs through its process we learn what protocol a particular IP responds to (WMI/SSH/SNMP) and on subsequent classification the MID Server uses the appropriate credential to query the target.

If there are multiple credentials for the same protocol, discovery process will try one after the other based on its ordered value.  Once it finds a match, it will create an affinity for that Configuration Item to the successful credential. So, on subsequent discoveries discovery process knows which credential is the correct one to use.  If there comes a time that the credential no longer works, discovery process will then go back through the list of all credentials for that protocol.

For specific situations you do have the ability to choose what MID Server can load which credentials.  While it is a best practice to allow all your MID Servers to access the entire credential table you have this available flexibility especially in secured zones where you don’t want a credential to be tried across the enterprise.