External credential storage
Summary of External credential storage
ServiceNow instances can securely store credentials used by Discovery, Orchestration, and Service Mapping in an external credential repository instead of directly in the ServiceNow credentials records. This approach enhances security by keeping sensitive credential details outside the instance.
The instance retains only metadata such as a unique credential identifier, the credential type (e.g., SSH, SNMP, Windows), and credential affinities. The MID Server retrieves these identifiers and uses a customer-provided Java Credential Resolver (JAR file) to fetch actual credential details from an external vault. Currently, ServiceNow supports integration with CyberArk and BeyondTrust external credential repositories.
Key Features
- External Credential Retrieval: The MID Server obtains credentials by calling the Credential Resolver with the credential ID and related details; the resolver then retrieves the actual credentials securely from the external vault.
- Caching Mechanism: Credential Resolvers like CyberArk can use vendor-supplied applications on the MID Server machine to cache credentials, reducing network calls and improving performance. The out-of-box CyberArk resolver caches credentials briefly in encrypted MID Server memory.
- Credential Affinity Support: Affinity rules still apply, ensuring proper credential use during Discovery and Orchestration operations.
- Logging and Troubleshooting: The MID Server logs relevant messages about external credential storage operations and errors, aiding in issue diagnosis.
- Business Rule Controls: A business rule adjusts the credential record views and triggers MID Server cache refreshes when enabling or disabling external credential storage.
- Configurable System Property: The Enable External Credential Storage property controls activation of external credential storage. Disabling it sets external credentials inactive, requiring manual reactivation when re-enabled.
- OAuth 2.0 Support: OAuth client ID and secret credentials can be stored in CyberArk and retrieved by the MID Server for token management, with automatic token refresh.
Practical Benefits for ServiceNow Customers
- Enhanced Security: Credentials are not stored in ServiceNow instance records, reducing risk of exposure.
- Improved Credential Management: Centralized credential storage in trusted vaults like CyberArk or BeyondTrust simplifies administration and compliance.
- Seamless Integration: Existing Discovery, Orchestration, and Service Mapping processes continue to function without change from the MID Server perspective, aside from credential resolution.
- Operational Efficiency: Caching mechanisms minimize latency and network traffic to external vaults during credential retrieval.
- Configurable and Transparent: Administrators can enable or disable external credential storage and monitor operations through logs and system views.
Next Steps for Customers
- Request activation of the External Credential Storage plugin for your instance.
- Configure your MID Server with the appropriate Credential Resolver JAR and vault integration (CyberArk or BeyondTrust).
- Enable the external credential storage system property to switch credential retrieval to the external repository.
- Manually activate external credential records as needed after enabling the feature.
- Monitor MID Server logs for any credential resolution issues.
An instance can store credentials used by Discovery, Orchestration, and Service Mapping in an external credential repository rather than directly in a ServiceNow credentials record.
The instance maintains a unique identifier for each credential, the credential type (such as SSH, SNMP, or Windows), and any credential affinities. The MID Server obtains the credential identifier from the instance, and then uses a customer-provided JAR file to resolve the identifier from the repository into a usable credential. Currently, the ServiceNow® platform supports the use of the CyberArk vault or BeyondTrust for external credential storage.
External credential storage architecture
Credential process flow
- MID Server downloads credential objects from the ServiceNow Credentials [discovery_credentials] table that contain the corresponding credential ID from the target vault.
- As each probe or pattern runs from Discovery or Orchestration jobs, the MID Server requests the credential by passing information such as the credential ID, target IP address, and credential type to the Credential Resolver Java JAR file. The Credential Resolver determines which credential object to retrieve from the vault.
Many Credential Resolvers, such as the CyberArk resolver, call an application supplied by the third-party vault vendor that runs on the same machine as the MID Server. That application can often be configured to cache credentials and knows to update the cache when a credential changes in the vault, which is important for avoiding an unnecessary network call to the vault each time the MID Server requests a credential. The Credential Resolver (using the optional vendor application if present) calls the vault to get the actual user name, password, and so on.
For Credential Resolvers supplied out-of-box (only CyberArk today), the MID Server caches a credential for at most several seconds, encrypted in MID Server process memory. This means the MID Server can make multiple requests to the Credential Resolver for the same credential even while discovering a single device. Contact third-party vendors for information about caching implementations for other Credential Resolvers.
- MID Server executes the probe with the appropriate credential.
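The following is an added example of what the customer-provided resolver in step 2 looks like; it is not ServiceNow's or a vault vendor's code. The class name `com.snc.discovery.CredentialResolver`, the `resolve`/`getVersion` methods and the `id`/`ip`/`type` and `user`/`pswd` map keys are assumptions about the resolver contract, and the vault is a constructed in-memory stub standing in for the CyberArk or BeyondTrust client.

```java
package com.snc.discovery;

import java.util.HashMap;
import java.util.Map;

// Added example, not ServiceNow's or a vendor's code. Class name and map keys
// are assumptions about the resolver contract; confirm against your release.
public class CredentialResolver {

    // Constructed stand-in for the vendor client/agent that would query the
    // vault, keyed by the credential ID the MID Server sends.
    private static final Map<String, String[]> STUB_VAULT = new HashMap<>();
    static {
        STUB_VAULT.put("ssh-linux-discovery",
                new String[] {"svc_disco", "placeholder-secret"});
    }

    // Called by the MID Server for each probe or pattern that needs a credential.
    // args carries the external credential ID, target IP and credential type
    // (assumed keys "id", "ip", "type"); the result carries the resolved fields.
    public Map<String, String> resolve(Map<String, String> args) {
        String id = args.get("id");
        String ip = args.get("ip");
        String type = args.get("type");
        if (id == null || id.isEmpty()) {
            // An exception thrown here appears in the MID Server log under the
            // prefix "Problem with client's CredentialResolver:".
            throw new IllegalArgumentException(
                    "no credential id supplied for target " + ip);
        }
        String[] entry = STUB_VAULT.get(id);
        if (entry == null) {
            throw new IllegalStateException("credential id '" + id + "' (type "
                    + type + ") not found in vault for target " + ip);
        }
        // Log identifier and target only; never write the secret to the log.
        System.out.println("resolved id=" + id + " type=" + type + " target=" + ip);

        Map<String, String> result = new HashMap<>();
        result.put("user", entry[0]);
        result.put("pswd", entry[1]);
        return result;
    }

    // Version string reported for the installed resolver (assumed method).
    public String getVersion() {
        return "1.0";
    }
}
```

Because the MID Server holds a resolved credential only for a few seconds, this method is invoked repeatedly for the same ID during one discovery; any caching beyond that belongs in the vendor agent or in this class, not in the instance.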
External credential storage logging
The MID Server posts log messages about external credential storage.
If the repository encounters an error while attempting to resolve a credentials request, the MID Server posts log messages with this prefix: Problem with client's CredentialResolver:
Components installed with External Credential Storage
- Business rule
The External Credential Storage business rule performs the following tasks when an administrator makes any change to the Enable External Credential Storage property:
- Changes the view for the Credentials record list and form to the External Storage view. This view enables users to see the Credential ID column in the list.
- Instructs the MID Server to refresh its credentials cache in preparation for a change in the way credentials are obtained.
- Property
A property called Enable External Credential Storage [com.snc.use_external_credentials] enables or disables the External Credential Storage plugin after it’s activated. The property is located in and , and is enabled when you activate the plugin.
If you disable external credential storage with the system property, the system automatically sets all the external credentials to inactive in the instance. If you re-enable the feature with this property, the system doesn’t reset the external credential records to active. You must reactivate each credential record manually.