Create a robust credentials strategy

Get buy‑in on your strategy from network, security, and other teams to stay on track.

  • Align your credentials strategy with network and security teams to avoid project delays.
  • Use credential‑less discovery for basic configuration data about devices and apps.
  • Run a full discovery to complete the CMDB update process.  
  • Create a credentials ordering mechanism to speed up discovery.

Without working credentials, your Discovery implementation project could fail or see delays. The good news is that the agentless mechanism of Discovery means that you don’t have to install agents on every device. But you still need administrator access via username and password, so set appropriate expectations with network and security teams.

Want a proven credentials management strategy? Consider these two options:

  1. Use the internal encrypted table stored in the ServiceNow instance – With this strategy, it’s easier for you to keep a credential table updated when there’s a change in device credentials.
  2. Use the local security vault that you’re already using – ServiceNow has OOTB integration with CyberArk. Consult your security team for other credentials management vaults. You can easily integrate these vaults with ServiceNow Discovery. Read the product documentation about using CyberArk for your credentials storage.

In order to gather data, you need to know the protocols used to scan for credentials. Here’s a list of the most common protocols to get you started:

  • Windows Management Instrumentation (WMI) – You need a domain user that has local administrator privileges on the targets you want to discover. Keep in mind that if you’re using Microsoft User Access Control, non‑domain and non‑admin users won’t be able to access the targets remotely. This step typically takes longer than Secure Shell (SSH) and Simple Network Management Protocol (SNMP) setup because Windows access requires full credentials, so prioritize it early by working with your network, security, and server teams.
  • Secure Shell (SSH) – For Unix/Linux targets, you need a standard SSH user or private key (with an optional pass phrase) to connect to these systems. ServiceNow Discovery has defined unique commands that run as “sudo nopasswd” to extract all required operational and configuration data. Read the product documentation page for more details on managing Unix and Linux credentials.
  • Simple Network Management Protocol (SNMP) – You need to get the read‑only string for your network‑based devices such as routers, switches, and printers. Whitelist MID Servers in the routers’ and switches’ access control lists (ACLs). You may also need local shell access for some load balancers to capture configuration data.
  • VMware – You need read‑only user access that will query the vCenter API when running as a process or as a discovered vCenter appliance.
  • Storage – You need full administrator user access to the storage agent (SLP) and the host where it’s deployed. Discovery uses CIM credentials to query the provider to explore the storage environment.
  • Cloud – You need to acquire full credentials to access cloud instances and APIs. This means that you have to reach out to all business units using cloud instances and get credentials before you start the discovery process. Some have a master account that allows access to all cloud instances. If your company has such an account, request access to it.

Read this product documentation page for a complete list of the credentials you need.

Good credential ordering can speed up Discovery performance

We recommend that all MID Servers have access to the entire credential table, especially in secured zones. This is important because you likely have multiple credentials for one protocol. With the credential affinity method, Discovery performs targeted scans of the network segments where you know a credential works. Discovery usually tries all of these credentials and, after finding the right one, updates the CI with that information. If credentials stop working, Discovery goes through the process again. Giving MID Servers access to the entire table therefore avoids unnecessary bottlenecks.

MID Server

Each MID Server is a lightweight Java process that can run on a Linux, Unix, or Windows server. During discovery, the MID Server executes probes and patterns and returns the results back to the instance for processing. It doesn’t retain any information.

 

 

Figure 3: How you automate credential look‑up with the affinity method


You can also speed up credential ordering in these two ways:

  1. If the table contains 150 SSH credentials and five of those can access 90% of your devices, configure those five with low order numbers, which places them at the top of the execution list. Discovery works faster when trying these common credentials first. After the first successful connection, the system knows which credentials to use the next time for each device.
  2. Some organizations have strict log‑in security. For instance, access to the Solaris system locks after three failed tries. In this case, you should configure the database credentials with a low order value. This ensures that Discovery tries the database credentials before other device credentials, reducing the risk of lockdown.
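
The following added example (not ServiceNow code, and not part of the original page) models the two ordering tips above: credentials are tried in ascending order number, the first one that works is remembered per device, and a host that locks after three failed tries is only safe when its credential sits near the top. All names, fields, and values are constructed for illustration.

```javascript
// Model of credential ordering and affinity; not ServiceNow code.
// All names, fields and values are constructed for illustration.
function tryCredentials(device, credentials, affinity) {
  const ordered = [...credentials].sort((a, b) => a.order - b.order);
  const remembered = ordered.find((c) => c.name === affinity.get(device.name));
  const queue = remembered
    ? [remembered, ...ordered.filter((c) => c !== remembered)]
    : ordered;
  let failures = 0;
  for (const cred of queue) {
    if (device.accepts.includes(cred.name)) {
      affinity.set(device.name, cred.name); // reuse on the next scan
      return { device: device.name, used: cred.name, failures, lockedOut: false };
    }
    failures += 1;
    if (failures >= device.lockoutAfter) break; // account is now locked
  }
  affinity.delete(device.name); // stale affinity: walk the full list next scan
  return { device: device.name, used: null, failures,
           lockedOut: failures >= device.lockoutAfter };
}

const scan = (devices, credentials, affinity) =>
  devices.map((d) => tryCredentials(d, credentials, affinity));

// Constructed sample: one host locks after three failed tries.
const devices = [
  { name: "web-01", accepts: ["ssh-common"], lockoutAfter: Infinity },
  { name: "sol-db-01", accepts: ["ssh-db"], lockoutAfter: 3 },
];
const poorOrder = [
  { name: "ssh-legacy-a", order: 100 },
  { name: "ssh-legacy-b", order: 200 },
  { name: "ssh-legacy-c", order: 300 },
  { name: "ssh-common", order: 400 },
  { name: "ssh-db", order: 500 },
];
// Same credentials, with the lockout-sensitive and common ones ordered first.
const lowOrder = { "ssh-db": 10, "ssh-common": 20 };
const goodOrder = poorOrder.map((c) => ({ ...c, order: lowOrder[c.name] ?? c.order }));

const affinity = new Map();
const poor = scan(devices, poorOrder, new Map()); // sol-db-01 locks out
const first = scan(devices, goodOrder, affinity); // one wasted try in total
const second = scan(devices, goodOrder, affinity); // affinity: no wasted tries
console.log({ poor, first, second });
```

Failed attempts also show up in the targets' authentication logs, so fewer wasted tries means less noise for the security team that monitors those hosts.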


Figure 4: ServiceNow Discovery gives you many options for creating a credentials table


Credential‑less discovery offers a fast start but gives you limited CI data

You may find that full discovery doesn’t work due to authentication failures. You can still collect some basic data with credential‑less discovery for some processes, such as applications currently running, IP addresses, and operating systems. ServiceNow Discovery builds a skeleton CI to provide basic visibility when credentials are missing or insufficient. But you still need full access to targets to gather complete CI data. ServiceNow gives precedence to the credentials‑based discovery. That means if there’s a duplicate record, the CMDB should prioritize the full CI record. Make sure that your security team knows about this approach, since you need to implement an Nmap (network mapper) protocol on the MID Server, which might get flagged by your intrusion prevention systems. Credential‑less discovery doesn’t work for cloud services—make sure you acquire full credentials beforehand.

Heads up!

Develop a credential strategy with security and network teams early. When you do, you can ensure complete access to discovery targets and reduce project delays.

