3 weeks ago
Hi, I am deploying a ServiceNow MID Server as part of my CMDB project. I am being asked for different ways to secure the communication between the MID Server and the main ServiceNow instance in production. Is there any other way than adding SSL certs to enhance the security of the communication?
3 weeks ago
Hi @kishanbarai ,
How MID Server–Instance Communication Works
* Communication is always outbound from MID Server → ServiceNow instance (no inbound ports required).
* All traffic goes over HTTPS/TLS (port 443).
* MID authenticates to the instance using a user account with mid_server role.
* Optional: You can use mutual TLS (client certificates).
Security Best Practices Beyond SSL Certificates
1. Use MID Server User with Least Privilege
* Create a dedicated integration user with:
  * mid_server role (mandatory).
  * Additional roles only if required (e.g., evt_mgmt_integration for Event Management).
* Disable interactive login for this account.
2. Mutual Authentication with Client Certificates
* ServiceNow supports mutual TLS where the MID Server presents a client certificate to the instance.
* This prevents rogue MID Servers from connecting, even if they know instance credentials.
3. IP Whitelisting / Network Segmentation
* Restrict the MID Server host so it can only talk outbound to your instance URL (and required discovery targets).
* Block all other internet access.
* Use a DMZ or jump server if needed.
4. Keystore Hardening
* Store SSL and client certs in the MID Server keystore.
* Encrypt the keystore with a strong passphrase.
* Rotate certificates regularly.
5. Secure MID Server Host
* Harden the OS:
  * Apply the latest security patches.
  * Disable unnecessary services.
  * Enforce AV/malware protection.
* Run MID Server as a non-admin service account.
* Monitor logs (agent.log) for unusual activity.
6. Proxy + Firewall
* Force MID traffic through a secure outbound proxy for logging and inspection.
* Limit the MID server to only required discovery ports (e.g., SNMP, SSH, WMI, WinRM).
* Monitor and alert on unexpected traffic patterns.
7. Credential Storage in ServiceNow
* Store discovery credentials in Credential records (encrypted in instance keystore).
* Avoid hardcoding creds in patterns/probes.
* Use Vault integrations (CyberArk, HashiCorp) if possible.
8. MID Server Clustering & High Availability
* Use multiple MID Servers in validated clusters (not security per se, but resilience).
* Ensure failover does not bypass security policies.
Please appreciate the efforts of community contributors by marking the appropriate response as Helpful or Accept Solution; this may help other community users follow the correct solution in future.
Thank You
AJ - TechTrek with AJ - ITOM Trainer
LinkedIn:- https://www.linkedin.com/in/ajay-kumar-66a91385/
YouTube:- https://www.youtube.com/@learnitomwithaj
Topmate:- https://topmate.io/aj_techtrekwithaj (Connect for 1-1 Session)
ServiceNow Community MVP 2025
3 weeks ago
Hi @kishanbarai ,
Please check the MID Server Unified Keystore and Certificate check policies documentation:
https://www.servicenow.com/docs/bundle/zurich-servicenow-platform/page/product/mid-server/concept/mi...
https://www.servicenow.com/docs/bundle/zurich-servicenow-platform/page/product/mid-server/concept/mi...
Please mark helpful and accept as solution if this helped in any way.
Regards,
Mahathi
3 weeks ago
Hi Kishanbarai,
Probably the best would be to secure the host, such as:
- organization or host firewall rules to prevent unwanted traffic / limit ports
- keep Java updated on the host (since the MID application uses Java), and
- follow all other standard operating system hardening as needed
A few things we can consider when it comes to MID Server security:
- Enable cert checks via MID Security Policies
- Encrypt MID login credentials in config.xml
- Change the default keystore password
- Disable weaker algorithms in the MID Server JRE (jre/lib/security/java.security: jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1)
- Disable SSLv2 and SSLv3 in the Now Platform (Outbound SSL)
You might have already referred to this for more info 🙂: Securing and encrypting MID Server data
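As an added example (not code from this thread or from ServiceNow), the config-level checks in the reply above, plus the outbound-HTTPS and egress-proxy points from AJ's reply, can be scripted. This Python audit parses a MID Server config.xml and the JRE's java.security and reports the weak settings next to what the hardened equivalents look like. Assumptions not taken from the page, to be verified against your own MID Server files: the parameter names (url, mid.instance.password, mid.proxy.*), the encrypt="true" attribute and the "encrypted:" value prefix the MID Server writes back, and "changeit" as the Java keytool default keystore password. Both sample files are constructed.

```python
"""Audit a MID Server config.xml and its JRE java.security for the hardening
items listed above. Added example, not ServiceNow tooling. Assumed (verify
against your own MID Server files): the parameter names, the encrypt="true"
attribute, the "encrypted:" prefix the MID writes back, and "changeit" as
the Java keytool default keystore password."""
import re
import xml.etree.ElementTree as ET

# Constructed weak config.xml: plain http, plaintext password, no egress proxy.
WEAK_CONFIG_XML = """<parameters>
  <parameter name="url" value="http://dev12345.service-now.com/"/>
  <parameter name="mid.instance.username" value="mid-prod-01"/>
  <parameter name="mid.instance.password" value="S3cretPlain"/>
  <parameter name="name" value="mid-prod-01"/>
  <parameter name="mid.proxy.use_proxy" value="false"/>
</parameters>
"""
# Constructed hardened config.xml for comparison.
HARDENED_CONFIG_XML = """<parameters>
  <parameter name="url" value="https://prod12345.service-now.com/"/>
  <parameter name="mid.instance.username" value="mid-prod-01"/>
  <parameter name="mid.instance.password" value="encrypted:Q0nStRuCtEdCiPhErTeXt" encrypt="true"/>
  <parameter name="name" value="mid-prod-01"/>
  <parameter name="mid.proxy.use_proxy" value="true"/>
  <parameter name="mid.proxy.host" value="egress-proxy.corp.example"/>
  <parameter name="mid.proxy.port" value="3128"/>
</parameters>
"""
# Constructed java.security excerpts; the weak one still allows TLSv1/TLSv1.1.
# Java properties continue a value onto the next line with a trailing backslash.
WEAK_JAVA_SECURITY = """# excerpt of jre/lib/security/java.security
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, anon, NULL
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer
"""
HARDENED_JAVA_SECURITY = """jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, anon, NULL
"""

REQUIRED_DISABLED = {"SSLv3", "TLSv1", "TLSv1.1"}                    # from the reply above
CREDENTIAL_PARAMS = ("mid.instance.password", "mid.proxy.password")  # assumed names
JAVA_DEFAULT_KEYSTORE_PASSWORD = "changeit"                          # keytool default


def parse_config_params(xml_text):
    """Map parameter name -> element for every <parameter name=...> in config.xml."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): p for p in root.iter("parameter") if p.get("name")}


def parse_java_security(text):
    """Parse key=value lines, joining backslash continuations and skipping comments."""
    joined = re.sub(r"\\\s*\n\s*", " ", text)
    props = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def disabled_algorithms(props):
    """Entries of jdk.tls.disabledAlgorithms as a set (entries may contain spaces)."""
    raw = props.get("jdk.tls.disabledAlgorithms", "")
    return {item.strip() for item in raw.split(",") if item.strip()}


def audit(config_xml, java_security_text, keystore_password):
    """Return (severity, item, message) findings; an empty list means every check passed."""
    findings = []
    params = parse_config_params(config_xml)
    url = params["url"].get("value", "") if "url" in params else ""
    if not url.lower().startswith("https://"):
        findings.append(("HIGH", "url", "instance URL is not https://"))
    for name in CREDENTIAL_PARAMS:
        p = params.get(name)
        if p is None:
            continue
        if p.get("value", "").startswith("encrypted:"):
            continue  # already encrypted at rest (assumed prefix)
        if p.get("encrypt", "").lower() == "true":
            findings.append(("INFO", name, 'plaintext until the MID restarts (encrypt="true" is set)'))
        else:
            findings.append(("HIGH", name, 'stored in plaintext; set encrypt="true" and restart the MID'))
    use_proxy = params.get("mid.proxy.use_proxy")
    if use_proxy is None or use_proxy.get("value", "").lower() != "true":
        findings.append(("LOW", "mid.proxy.use_proxy", "no outbound proxy; egress logging/inspection recommended"))
    missing = REQUIRED_DISABLED - disabled_algorithms(parse_java_security(java_security_text))
    if missing:
        findings.append(("HIGH", "jdk.tls.disabledAlgorithms",
                         "still enabled in the MID JRE: " + ", ".join(sorted(missing))))
    if keystore_password == JAVA_DEFAULT_KEYSTORE_PASSWORD:
        findings.append(("HIGH", "keystore", "keystore still uses the default password"))
    return findings


if __name__ == "__main__":
    for label, cfg, js, pw in (("weak", WEAK_CONFIG_XML, WEAK_JAVA_SECURITY, "changeit"),
                               ("hardened", HARDENED_CONFIG_XML, HARDENED_JAVA_SECURITY, "correct-horse-mid-2025")):
        print(f"== {label} ==")
        for severity, item, message in audit(cfg, js, pw) or [("OK", "-", "no findings")]:
            print(f"{severity:5} {item}: {message}")
```

Point the script at the real files by reading them into the two string arguments; the keystore password is taken as an argument rather than read from disk so the script never has to know where you keep it. The java.security parser handles the backslash continuations that the real file uses, which is why a naive grep for TLSv1 on that file can give a false result.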
3 weeks ago
Hi @kishanbarai,
The MID Server and ServiceNow instance communicate securely via HTTPS over port 443. This communication is facilitated through an outbound connection, where the MID Server initiates all interactions with the instance. The MID Server acts as a bridge between the ServiceNow instance and external systems, enabling secure data exchange and integration.
For more, check the link below.
If my answer helps you, mark it helpful and accept the solution.