Specific Credential for single IP Address in Discovery

Voona Rohila · ‎03-15-2019

Hi

I want a specific credential to be triggered for single IP Address during Discovery.

Is there any way i can achieve this.

Mark it helpful if this helps you to understand. Accept solution if this give you the answer you're looking for
Kind Regards,
Rohila V
2022-25 ServiceNow Community MVP

tim_broberg · ‎03-15-2019

There are a few ways:

Affinities

When a credential successfully authenticates, a "credential affinity" is created in the dscy_credentials_affinity table which prioritizes that credential for future probes.

When an outbound ecc_queue record is created, a business rule looks in the credential affinities table for the current IP and mid server, and if there is a record, sets the credential_id parameter to the sys_id of the credential.

The mid server then moves this credential to the front of the line of credentials to try.

If it fails to authenticate for any reason, and another credential succeeds, a new affinity will get created for the other credential, so this approach tends to work until it fails, and you may find yourself creating finicky little business rules or sysauto_scripts to keep it in place.

It's kludgey, but it's not difficult.

Credential Tags (AKA aliases)

Starting in Madrid, you can associate a credential alias with a discovery schedule and with credentials. This causes the discovery to only use credentials with this tag. The probes for the schedule will have a credential_tag parameter with a comma-separated list of tags.

So, you could add an alias to your special credential and have a special schedule for any IPs that need this credential which are also tagged, assuming you can get to Madrid.

You could create a business rule to insert the credential_tag parameter for that IP. Editing the payload is slow, but you would only do it if the source matched your IP, so it's probably not a big deal. The affinity business rule should give some insights on how to do this as it fills in the credential_id in the payload much like you would fill in the credential_tag.

Of course, if you're doing a business rule for that IP, you could just shove in the credential_id and it would at least try that credential first every time.

*****************************

Tying credentials to mids or using credential tags are sure things, even if they may be a little cumbersome. They are actually filtering the set of credentials down to what you want.

Affinities just require one record per mid server / IP pair, but they will stop working permanently any time they fail to authenticate once.

You may find you need to make some business rule tweaks to make what you want robust.

Personally, I prefer the credential tagging approach where possible, but it does require Madrid.

- Tim.

View solution in original post

Andrew Westerv4 · ‎03-15-2019

You can only limit credentials to specific MID servers that are allowed to use it. My suggestion would be to create the credential with a large priority (ex. 9999) and leverage Credential Affinity to use it on that IP address.

Your only other option would be to have a dedicated MID server for that credential and setting the IP Range for that particular IP address.

Shekhar Deshing · ‎03-15-2019

Hello,

Select the MID server and give the single IP range which you would like to discover.

Or from credentials you can select the which server you would like to discovery.If you know the server and IP address you can add the crentials and test the connection. Once you got the connection you can schedule the discovery.

In Credentials you can find all types of testing connections just click on New.

Here you can verify your desitnation server Username and password.

tim_broberg · ‎03-15-2019