A security-minded customer asked a very good question the other day: how exactly are credentials stored on the Service-now instance and on MID servers, and how are they transmitted from one to the other? This matters, as these credentials are secrets that you really don't want the bad guys to have. I've posted about credentials before, but not at this level of detail. Here's the nitty-gritty on this little piece of the system:
This discussion applies to SSH credentials (user name and password or certificates) and SNMP credentials (community strings, aka passwords). Windows credentials are handled completely differently, as discussed in the link above.
The MID server has to know the SSH and SNMP credentials "in the clear", meaning unencrypted — exactly as you have to know them in order to access a system.
When you enter a credential into the Service-now instance, it is encrypted (with DES) before being stored in the database. Once it's in the database, it is never displayed to any user in unencrypted form again (not even admins or maint). In fact, the password is never decrypted on the instance at all.
When a MID server starts up, and when any change is made to a credential, the MID server asks the instance for a list of all the credentials that apply to it. These credentials are transmitted over HTTPS (which is encrypted with a session key), and the passwords are still in their encrypted form — so they are doubly-encrypted during transmission. Once the credential is in the MID server, the password is decrypted — but not saved to disk; the MID server keeps the credential in its memory only.
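To make the three stages concrete, here is an added Python model of the flow described above (illustration only, not ServiceNow code). It assumes a single instance-side credential key and a per-connection session key standing in for TLS, and swaps DES for a standard-library HMAC-SHA256 keystream cipher so the script runs anywhere; what it demonstrates is the data flow and where plaintext can and cannot appear, not the cipher itself.

```python
import hashlib
import hmac
import os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (assumption: replaces DES for illustration)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)  # fresh nonce per message, prepended to the ciphertext
    return nonce + keystream_xor(key, nonce, plaintext)

def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:16], blob[16:])

def instance_store(db: dict, credential_key: bytes, name: str, password: str) -> None:
    """Instance side: the password is encrypted before it reaches the database."""
    db[name] = encrypt(credential_key, password.encode())

def instance_send_to_mid(db: dict, session_key: bytes) -> bytes:
    """Instance side: still-encrypted passwords, wrapped again by the TLS session key."""
    body = b"\n".join(n.encode() + b"=" + blob.hex().encode() for n, blob in db.items())
    return encrypt(session_key, body)

def mid_receive(wire: bytes, session_key: bytes, credential_key: bytes) -> dict:
    """MID side: strip the TLS layer, decrypt each password into memory only (no disk I/O)."""
    memory = {}
    for line in decrypt(session_key, wire).split(b"\n"):
        if line:  # empty body when the instance has no credentials for this MID server
            name, hexblob = line.split(b"=", 1)
            memory[name.decode()] = decrypt(credential_key, bytes.fromhex(hexblob.decode())).decode()
    return memory

def demo() -> dict:
    credential_key, session_key = os.urandom(32), os.urandom(32)  # constructed keys
    db, password = {}, "s3cret-snmp-community"  # constructed sample credential
    instance_store(db, credential_key, "snmp-ro", password)
    wire = instance_send_to_mid(db, session_key)
    memory = mid_receive(wire, session_key, credential_key)
    return {"plaintext_in_db": password.encode() in db["snmp-ro"],
            "plaintext_on_wire": password.encode() in wire,
            "at_rest_ciphertext_on_wire": db["snmp-ro"].hex().encode() in wire,
            "mid_memory": memory["snmp-ro"]}
```

The checks in `demo()` show the property the post relies on: the database row and the wire bytes never contain the password, the at-rest ciphertext is itself hidden by the session layer, and only the MID server's in-memory dict holds the cleartext.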
Was that more than you ever wanted to know, or what?