I want to limit the number of credential attempts during discovery

Walter Ahn
Tera Contributor

As I said in the title, I want to limit the number of credentials I try to give the device when doing discovery.

I know it sounds very strange.

We need these features for a number of unspeakable reasons.

The way we use aliases is not a substitute for the functionality we want to see.

I already know how credentials are applied and behave when doing discovery.

I've been looking for scripts to perform tests to implement that functionality, but I haven't found any that pull credentials from within ServiceNow and pass them to a MID Server. (Of course, I'm sure I'm not looking for it. Please, it has to be.)

So we ask a lot of experts.

In which script can I find the behavior I'm talking about (passing the credentials to the MID Server)?

Is it possible for me to modify it?

If you can't fix it, at least tell me what behavior is preventing you from fixing it.

Please answer.

10 REPLIES

David104
Tera Guru

This is not a short-term solution (or free) but, given that you have so many credentials, it could make sense to use a password manager like CyberArk (for example). When you configure ServiceNow to retrieve credentials from CyberArk, my understanding is that it can request credentials for a specific IP and return only the correct value.

"The instance maintains a unique identifier for each credential, the credential type (such as SSH, SNMP, or Windows), and any credential affinities. The MID Server obtains the credential identifier, credential type, and IP address from the instance, and then uses the CyberArk vault to resolve these elements into a usable credential. The credential resolver can also look up the hostname, fqdn, and use reverse DNS lookup to get fqdn."

https://docs.servicenow.com/bundle/washingtondc-platform-security/page/product/credentials/concept/c...

Doing it this way would mean that you always get the correct credential for that specific IP address, and also gives your security team the ability to perform activities such as password rotation without breaking discovery.

Regards,

David