SSH credentials

Zurich Platform security

Release

zurich

ft:locale

en-US

ft:publication_title

Zurich Platform security

ft:clusterId

psec

bundleId

psec

workflow

Platform

SSH credentials

Release version: Zurich

Updated July 31, 2025

9 minutes to read

Discovery, Orchestration, and Integration Hub explore UNIX and Linux devices by using SSH credentials to execute commands over Secure Shell (SSH). SSH commands must run with root privileges, either with root credentials or through the use of sudo. SSH private key credentials provide additional security.

Granting root privileges

Before granting root privileges, review your security policy and options with your organization's security team.

Use either of these approaches to allow users to run SSH commands with root privileges:

Give other credentials for Discovery, Orchestration, or Integration Hub, but grant the user in those credentials the right to execute certain commands with root privileges, using sudo. This is a secure way to grant limited privileges. Discovery, Orchestration, or Integration Hub use sudo on any probe that has the must_sudoparameter set to true (it defaults to false). However, each system must be configured to allow sudo to work. This is done by editing the /etc/sudoers file using the visudo command.
Give root credentials. These are obviously the most powerful credentials, but may not be desirable from a security perspective. If Discovery, Orchestration, or Integration Hub have the root credentials to any UNIX or Linux system, no further configuration is required.

Privileged commands

The platform provides default privileged commands for the MID Server to use and the ability to add additional commands to the system. For details about using sudo and other privileged commands, see MID Server privileged commands.

SSH private key credential type

Note:

SSH private key credentials should be used in most cases. They provide better security than SSH password credentials, including against MitM (man-in-the-middle) attacks in which communications between two parties are intercepted.


Field	Input value
Name	Unique and descriptive name for this credential. For example, you might call it SSH Atlanta.
Active	Enable or disable these credentials for use.
User name	Enter a UNIX or Linux user name. Avoid leading or trailing spaces in user names. A warning appears if the platform detects leading or trailing spaces in the user name.
Password	Enter the UNIX or Linux password. For SSH Private Key type credentials, enter the sudo password if one is required for the user name.
SSH passphrase	Type a secure SSH passphrase. This field is available only for SSH Private Key credentials.
SSH private key	Enter a secure, RSA, DSA, ECDSA or ED25519 private key. The private key must be entered in the proper format to ensure it is correctly encrypted. The private key must start with the string `-----BEGIN`. Here is an example of a correctly formatted RSA private key: `-----BEGIN RSA PRIVATE KEY----- MIIEogIBAAKCAQEAsEK65scPssPSobpDFMpR+Btv3MS4Q7NP8ERaStRZsh3IWz+x... ...7hrxV2dbSug60FahyupGWBGtPnXm5PaE2X5WPLuUj94ue48i1Fs -----END RSA PRIVATE KEY-----` An example of a DSA key: `-----BEGIN DSA PRIVATE KEY----- MIIEogIBAAKCAQEAsEK65scPssPSobpDFMpR+Btv3MS4Q7NP8ERaStRZsh3IWz+x... ...7hrxV2dbSug60FahyupGWBGtPnXm5PaE2X5WPLuUj94ue48i1Fs -----END DSA PRIVATE KEY-----` An example of a ECDSA key: `-----BEGIN EC PRIVATE KEY----- MIIEogIBAAKCAQEAsEK65scPssPSobpDFMpR+Btv3MS4Q7NP8ERaStRZsh3IWz+x... ...7hrxV2dbSug60FahyupGWBGtPnXm5PaE2X5WPLuUj94ue48i1Fs -----END EC PRIVATE KEY-----` And an example of an ED25519 private key: `-----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW QyNTUxOQAAACAlYlqhcdwx8VQzZ5XaIC5ltQpjRr3lIlq/aE66mufmiwAAAKDQUtxZ0FLc WQAAAAtzc2gtZWQyNTUxOQAAACAlYlqhcdwx8VQzZ5XaIC5ltQpjRr3lIlq/aE66mufmiw AAAECuvsTkFUPdpTh0kw23i8TYx19qsFOZ3TRgowkkHBh6wSViWqFx3DHxVDNnldogLmW1 CmNGveUiWr9oTrqa5+aLAAAAGmFiaGluYXYuc3V0YXJATVJFTUE3OTAzMkI3AQID -----END OPENSSH PRIVATE KEY-----` Note: For an ED25519 private key, only the OpenSSH key format is supported, which is generated using OpenSSH SSH-keygen utility. The ServiceNow AI Platform supports private keys in the PEM format generated by the OpenSSH ssh-keygen utility. To convert PPK keys that were generated by PuTTY: Open your private key in PuTTYGen. Export it in OpenSSH format from the menu Conversions > Export OpenSSH key. Save the new OpenSSH key.
SSH Certificate	Enter an RSA or ED25519 based OpenSSH certificate. When the certificate is entered, a private key is used for certificate based authentication. This authentication is supported from OpenSSH 7.8 onwards.
Credential alias	Allow flow designers to use aliases to manage connection and credential information. Using an alias eliminates the need to configure multiple credentials and connection information profiles when using multiple environments. If the connection or credential information changes, you do not need to update any actions that use the connection. For more information, see Connections and Credentials. Allow workflow creators to assign individual credentials to any activity in an Orchestration workflow or assign different credentials to each occurrence of the same activity type in an Orchestration workflow.
External credential store	Select this check box to use an external credential storage system. When you select this option the User name and Password fields are replaced with the Credential ID field. Currently, the only supported external storage system is CyberArk.
MID servers	Select one or more MID Servers from the list of available MID Servers. The credentials configured in this record are available to the MID Servers in this list. This field is available only when you select Specific MID servers from the Applies to field.
Applies to	Select whether to apply these credentials to All MID servers in your network, or to one or more Specific MID servers. Specify the MID Servers that should use these credentials in the MID servers field.
Order	The order (sequence) in which the platform tries this credential as it attempts to log onto devices. The smaller the number, the higher in the list this credential appears. Establish credential order when using large numbers of credentials or when security locks out users after three failed login attempts. If all the credentials have the same order number (or none), Discovery or Orchestration tries the credentials in a random order.

SSH credential type

These fields are available in the SSH credentials form.


Field	Description
Name	Enter a unique and descriptive name for this credential.
Active	Enable or disable these credentials for use.
User name	Enter the user name to create in the Credentials table. Avoid leading or trailing spaces in user names. A warning appears if the platform detects leading or trailing spaces in the user name. For CIM discovery, the user must have the admin role.
Password	Enter the password.
Credential ID	Enter the unique key configured for external credentials in the JAR file uploaded to the MID Server for an external credential system. The Credential ID field has a limit of 40 characters. This field is only visible when the External credential store check box is selected.
Credential alias	Allow flow designers to use aliases to manage connection and credential information. Using an alias eliminates the need to configure multiple credentials and connection information profiles when using multiple environments. If the connection or credential information changes, you do not need to update any actions that use the connection. For more information, see Connections and Credentials. Allow workflow creators to assign individual credentials to any activity in an Orchestration workflow or assign different credentials to each occurrence of the same activity type in an Orchestration workflow. To use the credential for discovering CIs not belonging to this CI type using Service Mapping and Discovery patterns, enter the table name for the CI type to which the CI belongs, for example cmdb_ci_apache_web_server.
External credential store	Select this check box to use an external credential storage system. When you select this option the User name and Password fields are replaced with the Credential ID field. External credential storage is only available when the External Credential Storage plugin in activated. Note: Currently, the only supported external storage system is CyberArk.
Applies to	Select whether to apply these credentials to All MID servers in your network, or to one or more Specific MID servers. Specify the MID Servers that should use these credentials in the MID servers field.
MID servers	Select one or more MID Servers from the list of available MID Servers. The credentials configured in this record are available to the MID Servers in this list. This field is available only when you select Specific MID servers from the Applies to field.
Order	Order (sequence) in which Discovery tries this credential as it attempts to log on to devices. The smaller the number, the higher in the list this credential appears. Establish credential order when using large numbers of credentials or when security locks out users after three failed login attempts. If all the credentials have the same order number (or none), the instance tries the credentials in a random order.

Commands that require root privileges for Discovery, Orchestration, and Integration Hub

These examples assume that the user name is Disco. Substitute the actual user name and ensure that the paths for the commands match the paths on the system.

Note:

Sudo commands do not work with private key credentials, because there is no password to supply to the sudo command. A solution is to add the NOPASSWD option to the sudo configuration. For example, you might enter:

disco
                                                ALL=(root)
                                                NOPASSWD:/usr/sbin/dmidecode,/usr/sbin/lsof,/sbin/ifconfig

Table 1. UNIX and Linux commands requiring root privileges
Command	Purpose
HP-UX
adb	Gathers CPU speed and memory. /etc/sudoers line example: Disco ALL=(root) /usr/bin/adb Used by: Discovery
All Linux and UNIX versions
chage	Changes the number of days between password changes and the date of the last password change. /etc/sudoers line example: Disco ALL=(root) /usr/bin/chage Used by: Orchestration and Integration Hub
chpasswd	Changes user passwords. /etc/sudoers line example: Disco ALL=(root) /etc/chpasswd Used by: Orchestration and Integration Hub
All Linux
dmidecode	Gathers several pieces of information about the hardware, including the serial number embedded within the motherboard. /etc/sudoers line example: Disco ALL=(root) /sbin/dmidecode Used by: Discovery
fdisk	Gathers the disks and size information on the system. /etc/sudoers line example: Disco ALL=(root) /usr/bin/fdisk -l Used by: Discovery
multipath	Gathers device mappings for MPIO. /etc/sudoers line example: Disco ALL=(root) /usr/bin/multipath -ll Used by: Discovery
ls	Gathers the contents of a directory. /etc/sudoers line example: Disco ALL=(root) /usr/bin/ls, /bin/ls Used by: Discovery
Linux and Solaris
dmsetup	Examines a low level volume. /etc/sudoers line example: Disco ALL=(root) /usr/bin/dmsetup table * Disco ALL=(root) /usr/bin/dmsetup ls Used by: Discovery
All UNIX versions
lsof	Determines the relationship between processes and the connections being made to the system. /etc/sudoers line example: Disco ALL=(root) /sbin/lsof Used by: Discovery
oratab	Grants read access to the oratab file for locating the Oracle Home and pfile. /etc/sudoers line example: N/A Used by: Discovery
Solaris
iscsiadm	Gets iSCSI IQNs /etc/sudoers line example: ${sudo:iscsiadm list target -S} Used by: Discovery
fcinfo	Gets WWPNs for ports. /etc/sudoers line example: ${sudo:fcinfo remote-port -sl -p $port} Used by: Discovery
prtvtoc	Reports information about disk partitions. /etc/sudoers line example: Disco ALL=(root) /usr/bin/prtvtoc Used by: Discovery
pfiles	Used for gathering TCP connections information. /etc/sudoers line example: Disco ALL=(root) /usr/bin/pfiles Used by: Discovery
pgrep	Used for listing process IDs of a particular region to run pfiles on. /etc/sudoers line example: Disco ALL=(root) /usr/bin/pgrep Used by: Discovery
/usr/bin/ps	Lists running process. As an alternative to running with root access, add a proc_owner role. /etc/sudoers line example: Disco ALL=(root) /usr/bin/ps Used by: Discovery
/usr/ucb/ps	Lists running process. As an alternative to running with root access, add a proc_owner role. The use of the `/usr/ucb/ps` command is deprecated as of Solaris 11. Because Discovery, Orchestration, and Integration Hub require the use of this command for all Solaris versions, you must install the ucb utility manually on Solaris 11 systems. For instructions, see KB0564262. /etc/sudoers line example: Disco ALL=(root) /usr/ucb/ps Used by: Discovery

For a list of privileged commands that you need for Discovery and Service Mapping, see Service Mapping commands requiring a privileged user. This list includes commands that require elevated rights to discover and map Unix-based hosts in your organization.

Access Requirements for Non-Root Credentials

If you do not provide Discovery with root access credentials, you must provide credentials with the following access requirements.


Application	File or Directory	Access Required
Apache	httpd.conf	Read
Hbase	hbase-site.xml	Read
JBoss	jboss-service.xml	Read
	JBoss home directory	Read
	web.xml	Read
MySQL	my.cnf	Read
NGINX	nginx.conf	Read
Oracle	oratab	Read
Oracle	Associated (s) pfiles	Read
Oracle Listener	lsnrctl	Execute
Oracle Listener	listener.ora	Read
Tomcat	catalina.jar	Read
	server.xml	Read
	web.xml	Read
Unix	/etc/*release	Read
	/etc/bashrc	Read
	/etc/profile	Read
	/proc/cpuinfo	Read
	/proc/vmware/sched/ncpus	Read
	/var/log/dmesg	Read
	APD directory	Read
WebSphere	cell.xml	Read
	server.xml	Read
	serverindex.xml	Read