MID Server: high number of credentials

Javier10
Tera Contributor

Dear community,

 

I have a customer with a high number of credentials (more than 700), handled with CyberArk.

Do you consider this could be an issue when running discovery, in terms of timeouts while searching for the correct credential for a CI, especially the first time it is discovered?

Thank you so much in advance.

Best regards,

 

Javier

3 REPLIES

Maik Skoddow
Tera Patron

Hi @Javier10 

 

Yes, a high number of credentials managed via CyberArk can lead to increased discovery times and potential timeouts, especially during the first discovery of a CI. The key risk is not the number of credentials in ServiceNow itself (since you only need one external credential pointing to CyberArk), but rather the performance of credential resolution from the external vault and the need to try multiple credentials until a match is found. Optimizing CyberArk performance, leveraging IP affinity, and thoughtful credential management are recommended to mitigate these issues.

 

Please also read the following article: External Credential Store - SNMPv1/v2 performance Impact

 

Maik

Dear @Maik Skoddow ,

 

Thank you very much for your answer. I found the article really helpful!

In addition to that, I would like to mention that my customer does not use SNMP credentials but SSH and Windows.

 

Do you think the root cause could be the same, anyway?

 

Regards

Javier

 

Hi @Javier10 

 

Yes, and please also take a look at the following mitigation tips:

 

  • Optimize CyberArk Performance: Ensure that the CyberArk server and network are optimized to handle a high volume of credential requests quickly

  • Use IP Affinity: Once a device is discovered, ServiceNow creates an affinity record linking the IP to the successful credential. This speeds up future discoveries for that device by skipping failed credential attempts

  • Limit Credential Scope: Where possible, limit the scope of credentials used in discovery schedules to only those relevant for the target devices, reducing unnecessary lookups

  • Monitor and Adjust Timeout Settings: For specific probes (like VMware), increase timeout values if credential lookup is consistently slow

  • Consider Credential Tagging or Affinity Pre-Population: Use credential tags or pre-populate the affinity table to reduce the number of credentials ServiceNow must try for known devices

Maik