ITOM Visibility Zurich release notes
Sunday
AWS SSM discovery
AWS Systems Manager (SSM) Agent discovery introduces a streamlined, agent-based approach to discovering Amazon Elastic Compute Cloud (EC2) using AWS SSM. This integration enhances Discovery by leveraging SSM agents to reduce dependency on traditional MID Server configurations, simplify credential management, and improve scalability across multi-region environments.
The overall process from a high level is as follows:
- The ServiceNow AI Platform® sends discovery commands to the MID Server.
- The MID interacts with AWS services (SSM, Simple Storage Service (S3), Parameter Store) to execute commands on target devices.
- The SSM agents run the commands and return results to S3.
- The MID retrieves and processes results.
- The MID sends the results back to the ServiceNow AI Platform® via the ecc_queue, which updates the CMDB.
Benefits and usage
The following examples highlight the primary advantages and practical uses of AWS SSM Agent discovery:
- Execute discovery without needing additional credentials local to the operating system.
- Simplify deployment without needing Agent Client Collector (ACC) or Virtual Private Cloud (VPC) access.
- Minimize the need for multiple MID Servers and direct network access to target devices.
- Securely manage credentials and command execution using AWS services.
Unsupported features
Currently, the following features don’t support AWS SSM discovery:
- File-based discovery
- Enhanced ADM
- Change/Unchange user step in patterns
Note: SSM supports only sudo for privileged command execution and defaults to the sh shell, with no support for alternate command or shell types.
Activate a disabled pattern
Role required: discovery_admin
Starting with Visibility Content version 6.28.0, activating or deactivating a pattern won't be considered a customization, and it will continue to receive updates. Patterns that were previously activated or deactivated will reset to the latest predefined version after upgrading while retaining the last active field value.
Procedure
- Navigate to All > Pattern Designer > Discovery Patterns.
- In the Name field, search for the relevant pattern.
- Select the pattern.
- Select the Active check box.
- Select Update.
Tag Categorization in Tag Governance
Tag Categorization automatically groups tagged CIs and cloud resources into five predefined categories, ensuring clear and consistent tagging (e.g., dev, test, prod under Environment).
It uses the CI tag category [svc_tag_categories] and CI tag key [svc_tag_names] tables from Service Mapping.
Tag Categorization Overview (Summary)
Tag Categorization automates grouping tagged Configuration Items (CIs) and cloud resources into five predefined categories: Application ID, Assignment Group, Cost Center, Environment, and Owner. This ensures consistent tagging and easier resource management.
A daily scheduled job categorizes new tags and maps unrecognized tag keys to the correct category. You can modify or create custom categories and add new tag keys as needed.
A Tag Category Policy checks that all categories are correctly mapped. CIs missing a category are marked non-compliant, helping identify and fix tagging issues.
The system uses the sn_itom_tag.recategorization_required property to decide if recategorization is needed. When a category changes, this property is set to true, triggering the next daily job to recategorize and update tag mappings within 24 hours (or immediately if initiated manually).
All changes are stored in the CI Tag Category table.
Tag Categorization and Domain Separation (Summary)
Tag Categorization supports domain-specific management. In domain-separated instances, categories are created in each leaf domain. When managing tags, the system uses the CI’s domain information to ensure tag mappings are added to the correct category within the appropriate domain.
Cloud License Estimator
The Cloud License Estimator allows you to get the estimated resource count for all the cloud resources that are eligible for licensing as per ITOM and CCM licensing rules. It validates the cloud account details provided by the user and estimates the resource count based on the prevailing licensing rules.
The Cloud License Estimator makes it easy for users to get the count of cloud resources along with the required license estimates. CLE supports AWS and Azure cloud environments, but not government cloud services. A user can create a configuration by providing the necessary details and then run the license estimator to get the report. CLE also gives you the option to download the report in PDF format.
Discovery Admin Workspace Diagnostics
The Diagnostics page helps you prioritize and address errors and anomalies in IP-based and Cloud Discovery schedules. Resolve issues by creating error tasks, tracking progress, and using support tools and logs.
To access the Discovery Admin Workspace Diagnostics page, navigate to Workspaces > Discovery Admin Workspace > Diagnostics.
Use virtual agent to retrieve MID Server settings
Starting with Discovery Admin Workspace version 1.10.0, the virtual agent on the Diagnostics page now enables you to retrieve and download MID Server settings directly, eliminating the need to manually navigate through the MID Server [mid_servers] table.
Discovery Admin Workspace schedule details
Discovery Admin Workspace enables you to view, edit, and run both IP-based and Cloud Discovery schedules conveniently within a single interface.
To access Discovery schedule details in Discovery Admin Workspace, navigate to Workspaces > Discovery Admin Workspace > Schedules > Discovery schedules.
After selecting a schedule name from the table, the schedule header displays key information such as Discovery details, MID Server details, and anomaly severity.
Discovery Admin Workspace Home
The Discovery Admin Workspace Home page features tools to help you identify and address the most critical discovery tasks. Access critical information and applications to assess discovery, manage the discovery process, and resolve any related errors.
To access the Discovery Admin Workspace, navigate to Workspaces > Discovery Admin Workspace.
Map your application services using tags in the Service Mapping Workspace
Categorize and organize your organization's configuration items and map them into application services using the Tag-based dashboard in the Service Mapping workspace.
- Install Service Mapping Plus v1.16.3 – Required to use tag-based mapping in the Service Mapping workspace.
- Review tag usage – Analyze your organization’s tags and their purposes using the Key Value [cmdb_key_value] table in the CMDB.
- Use Tag Governance – Optimize how tags are applied and managed across the organization.
- Tag relevant CIs – Assign tags to the configuration items you want included in application services.
- Run Discovery – Perform horizontal discovery to populate the CMDB with CI data (including tags) for tag-based mapping in the Service Mapping workspace.
Name updates in Discovery and Service Mapping Patterns
Name updates starting with Discovery and Service Mapping Patterns version 1.28.0:
- The RHV cloud provider has been changed to oVirt
- The RHV MID Server capability has been changed to oVirt
- The label for the [cmdb_ci_rhv_ldc] datacenter type has been changed from RHV LDC to oVirt LDC
- The label for the [rhv_credentials] credential type has been changed from RHV Credentials to oVirt Credentials
The following pattern names have been changed from RHV to oVirt:
- From RHV Clusters and Hosts to oVirt Clusters and Hosts
- From RHV Discover Logical Datacenters to oVirt Discover Logical Datacenters
- From RHV Virtual Machines to oVirt Virtual Machines
- From RHV Discover Manager Instance to oVirt Discover Manager Instance
The following table labels have been changed from RHV to oVirt:
- The [cmdb_ci_rhv_vm_instance] table label from RHV Virtual Machine Instance to oVirt Virtual Machine Instance
- The [cmdb_ci_rhv_cluster] table label from RHV Cluster to oVirt Cluster
- The [cmdb_ci_rhv_ldc] table label from RHV LDC to oVirt LDC
- The [cmdb_ci_rhv_manager] table label from RHV Manager to oVirt Manager
- The [cmdb_ci_rhv_object] table label from RHV Object to oVirt Object
- The [cmdb_ci_rhv_server] table label from RHV Server to oVirt Server
Service Mapping Workspace
The Service Mapping workspace centralizes and streamlines the creation, monitoring, and management of application service maps through visualizations and reports.
Access:
Go to Workspaces > Service Mapping.
Key features:
- ML readiness: Ensure your Machine Learning environment is set up before mapping.
- Detailed service maps: View and analyze maps across different categories.
- Automated Service Suggestions: Review and use suggested service candidates to create or enhance application services.
- Improved resource utilization: Convert unmapped servers linked to candidates into application services.
- Tag-based service mapping: Use the Tag-based Mapping dashboard to organize CIs into application services.
ACME integration with Keyfactor EJBCA for automated flows
Automate the flow of requesting, renewing, and revoking your certificates by integrating Keyfactor EJBCA with the Automated Certificate Management Environment (ACME).
Keyfactor EJBCA is a certificate authority that issues your certificates. ACME is a set of protocols and rules that gives you a secure environment for an automated flow of managing certificates.
By configuring your routing policy fields, you can ensure that the content in your Certificate Signing Request (CSR) aligns with the correct routing policy. This streamlines the process of requesting, renewing, and revoking your certificates.
EJBCA has two types of Credentials. One includes External Account Binding (EAB), and the other doesn’t.
In EJBCA, automated certificate workflows start when you create routing policies for EJBCA ACME Certificates. Every routing policy has required fields that you must fill in.
Your platform has routing policies where you fill in all the fields of the routing policy. Your platform aligns that information to each CSR you create to request, renew, and revoke certificates.
Discover root certificates hosted outside your server
Collect information about root certificates stored outside your server. Create a specialized Discovery schedule.
Kubernetes Visibility Agent (KVA)
KVA performs continuous discovery to detect changes on resources in a Kubernetes cluster and updates the CMDB with the latest data.
Starting with KVA version 3.11.0, and Informer version 2.5.0, absent namespace CIs are not deleted automatically. Create a scheduled job to remove them.
Starting with KVA version 3.11.0, and Informer version 2.5.0, map application services based on traffic connections between the workloads in Kubernetes, by using Istio and linked service meshes or the DaemonSet service.
Prevent credential exposure by updating HTTP Classify behavior
The HTTP Classify probe no longer attempts credentials over the HTTP protocol by default. This change enhances security by preventing potential exposure of credentials over unencrypted connections. To override this behavior, a new MID Server property, mid.http_classy.allow_credentials_over_http, has been introduced. Enabling this setting may expose credentials to man-in-the-middle (MitM) attacks. Therefore, it is strongly recommended to keep this property set to false and use HTTPS whenever possible.
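An added example, not ServiceNow code: a small audit that flags MID Servers where the override has been switched on, plus a model of the documented default (credentials only over HTTPS unless the property is true). It assumes the property is set as a `<parameter name="..." value="..."/>` element in each MID Server's config.xml; the sample configs and MID Server names are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Property name exactly as given in the release note.
PROP = "mid.http_classy.allow_credentials_over_http"

# Constructed sample config.xml contents, keyed by hypothetical MID Server name.
SAMPLE_CONFIGS = {
    "mid-default": '<parameters><parameter name="name" value="mid-default"/></parameters>',
    "mid-explicit-false": '<parameters><parameter name="%s" value="false"/></parameters>' % PROP,
    "mid-override": '<parameters><parameter name="%s" value="true"/></parameters>' % PROP,
}


def override_enabled(config_xml: str) -> bool:
    """True if any occurrence of the property is set to true.

    An absent property means the secure default (false). Flagging on any
    true occurrence is deliberately conservative for an audit.
    """
    root = ET.fromstring(config_xml)
    for param in root.iter("parameter"):
        if param.get("name") == PROP:
            if (param.get("value") or "").strip().lower() == "true":
                return True
    return False


def may_send_credentials(target_url: str, allow_over_http: bool) -> bool:
    """Model of the documented behaviour: HTTPS always, HTTP only with the override."""
    scheme = urlsplit(target_url).scheme.lower()
    if scheme == "https":
        return True
    if scheme == "http":
        return allow_over_http
    return False  # any other scheme is out of scope for this check


def audit(configs: dict) -> list:
    """Return the names of MID Servers whose config enables credentials over HTTP."""
    return sorted(name for name, xml in configs.items() if override_enabled(xml))


if __name__ == "__main__":
    for name in audit(SAMPLE_CONFIGS):
        print(f"{name}: {PROP}=true, credentials may be sent over plain HTTP")
```

Properties set on the instance rather than in config.xml would not be seen by this check.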
Starting with version 3.8.2, Certificate Inventory and Management introduces automated renewal capabilities. Administrators can set certificates to renew automatically, either when creating the certificate or by applying the setting to an existing one. The system also allows you to define the renewal window by specifying the number of days before expiration that the process should begin.
Deprecations
Starting with the Zurich release, Cloud Discovery Workspace is being prepared for future deprecation. It is hidden and no longer activated on new instances but continues to be supported. Discovery Admin Workspace provides the latest experience for this functionality.
Related ServiceNow applications and features
ITOM Health
The ServiceNow ITOM Health product includes the ServiceNow Event Management and ServiceNow Metric Intelligence applications, which help you track and maintain the health of services in your organization.
Event Management gathers alerts from infrastructure events that both third-party monitoring tools and the ServiceNow internal agent capture. Event Management uses IT-related information that ServiceNow Discovery gathers so it can map alerts to configuration items. Based on the collected information, Event Management then provides dashboards that show a consolidated view of all service-impact events.
The Agent Client Collector application enables you to do the following:
- Monitor your service availability.
- Examine the health and performance of your environment.
- Ensure that your infrastructure and its applications are running properly.
Agent Client Collector collects events and metrics. It runs in either a Windows or Linux environment.
AIOps Learning Enhanced Automation Playbook (LEAP)
The AIOps Learning Enhanced Automation Playbook (LEAP) application uses AI to analyze incident data and facilitate the creation of automations that resolve high-impact issues for Service Operations teams. By leveraging data-driven analytics to accurately identify critical incidents, LEAP enables a more proactive problem management approach.
ITOM Cloud Accelerate
ITOM Cloud Accelerate workflows streamline cloud automation across the cloud adoption journey via self-service catalogs and controlled workflows. It expedites application migration by facilitating assessment, planning, and resource migration tracking.
ITOM Cloud Accelerate includes the following apps:
- Cloud Account Management
- Cloud Services Catalog
- Cloud Configuration Governance
- Cloud Action Library
