ServiceNow Discovery Credentials
Infocenter DEVSHOP™ – Discovery Operations
Create a Robust Organizational Credential Strategy For Optimal Discovery Performance
This process guide will provide a detailed explanation on how the Infocenter Configuration Management Discovery Process for Infocenter DEVSHOP™ managed services optimizes credential strategy to ensure asset discovery results. As a ServiceNow Elite Partner, Infocenter’s team of experts can help you plan, implement and provide ongoing help with your ServiceNow platform. To learn more about the benefits of choosing the right ServiceNow Partner, Infocenter’s planning engagement, RADIUS™ and DEVSHOP™ managed services, contact us today.
ServiceNow encourages establishing a credential program approach which ensures that the credentials gathered and managed fully enable the ServiceNow Discovery capability. Without proper credentials, the full power of discovery can never be realized. The #1 reason for lack of success in Discovery Implementations is due to lack of proper credentialing.
Customers who implement the ServiceNow platform with a focus on building a comprehensive credential program increase their success rates with discovery. A comprehensive program requires participation from key stakeholders across the organization. Gaining buy-in and participation from key stakeholders requires a consistent concentrated effort. In today’s dynamic technology landscapes, an effective credential program is rarely a one and done situation. IT Organizations have to be prepared to sustain a credential management program for discovery. For more on ServiceNow implementation tips, check out our ServiceNow Tips page here.
Credential Principles and Basic Concepts
A configuration item (CI) is any component or other service asset that needs to be managed in order to provide an IT service. Configuration Management Database (CMDB) is used to build logical representations of assets, services, and the relationships between them that comprise the IT infrastructure of an organization. Details about these components are stored in the Configuration Management database (CMDB) which you can use to monitor the infrastructure, helping ensure integrity, stability, and continuous service operation. For more tips on CMDB, check out Infocenter’s ServiceNow CMDB Ultimate Guide.
The role of discovery is to aid in the dynamic management of these critical configuration items and their attributes. Attributes on Configuration Items are split between two types: discoverable and non-discoverable. The former, the discoverable attributes, are the goal of a healthy credential program. The credentials are a means to an end: accurate, consistent and reliable attribute management for the Configuration Item and the CMDB.
The goal of the Configuration Management process, with discovery as the primary means, is to manage the life cycle of all configuration items and their relationships with one another in a controlled manner. Effective service management processes, by providing accurate configuration information aligned to services, enable organizations to make the right decisions at the right time for support, root cause analysis, service restoration, release management, and problem management.
There are strong inter-process relationships between Configuration Management and the other IT service management processes. Configuration Management and the CMDB are the foundation of integrated ITSM processes, namely Event, Change, and Incident Management, and should be considered at the very beginning of any IT service management transformation effort.
Credentials, the lowest common denominator for success with discovery, are vitally important as a foundation for success with the CMDB. Without them, we cease to populate the critical configuration items and our Configuration Management process suffers.
ServiceNow CMDB Process Guide, Madrid
Best Practices for ServiceNow Credential Gathering
Essential to a successful credential strategy is to obtain buy-in from Network, Security, Platform, Application, and Governance teams. Establishing this relationship will often require the following:
An Executive Sponsor
Establishing an executive sponsor to reiterate the value and benefits of your Discovery Program is vital. Infocenter strongly suggests creating a short walk-around deck for presenting and socializing the program. Call a meeting with the sponsor in attendance and provide that sponsor a talking point during the meeting. Attendees for that meeting should include all of the major stakeholders identified: those who will provide the needed credentials and those who will benefit from a mature discovery program. The Executive Sponsor’s peer in security is a critical attendee at this meeting. Create your value presentation and have the executive sponsor review and approve it prior to the larger meeting.
Forming Key Partnerships
Establishing good relationships and partnerships prior to program kickoff will yield you better and faster results with credential gathering. As the owner of the discovery program you should seek to build the following relationships.
- Security Credential Owner, per protocol (e.g. Windows, Linux, SNMP)
- Administrators for each platform
A Strong Business Case for ServiceNow Discovery
Building a strong business case for credentials is a vital portion of a successful program. Your business case should answer the following:
- Why ServiceNow Discovery?
- Who can use this information and consume it?
- What are the qualitative benefits?
- What are the quantitative benefits?
- How does ServiceNow Discovery work in conjunction with other discovery solutions?
- What about relationships and dependencies for CIs?
- What ITSM processes benefit and how?
Understand the ongoing support and maintenance required to sustain an effective Discovery program, including total cost of ownership, training and licensing.
A high-level summary of the business case, both qualitative and quantitative, should be a slide in your overall executive sponsor presentation. It will be most effective if the sponsor had input, review and approval of each benefit.
A Value Proposition for Each Stakeholder
In your larger benefits summary build a traceable benefit from the discovery program to each respective stakeholder. These benefits ideally are measurable. At some point in the future, as the program is underway, you will want to take these measures and present them back to your larger stakeholder community. Measurable KPIs for discovery should be drafted with your program charter.
A Technical Review of Discovery and Organizational Signoff
Prior to establishing your tool in your environment, it may be necessary to build a consensus around the use of the ServiceNow Discovery solution. Peer tool owners may need to actually see and touch the solution to provide technical approval. Early in your program, make sure you align with technical committees and an internal process for tools, tool governance, and selection. A technical review presentation, with a demo, may be required to seek approval. That presentation should incorporate, at a minimum, the following items:
- Tool Architecture
- Security Architecture
- MID Server Use and Architecture
Writing Detailed Use Cases for Credentials
While you are forming your Discovery Program and building out your stakeholders, it will be very useful to establish a written requirements summary for credentials.
When you have your CMDB requirements, one of the answers to each requirement will be “how will the records be populated and maintained?” Take each table’s requirements and divide them into discoverable and non-discoverable data elements. For each discoverable attribute, write a requirement. This requirement can take the form of a well-stated story that explains how the credential will be needed for each attribute to be successfully populated. An example of a credential use case would read as follows:
As a ———— I need to ————- so that I can ————-
As a Windows server owner, I need a domain-level credential to properly discover the server and the required attributes, so that I can perform meaningful impact analysis in the change management process.
As a Windows server owner, I need the WMI credential to provide installed software on each server, so that I can manage the licensing for that software.
Building a Credential RACI
Take the time to build a RACI around the entire program. This can help your stakeholders understand their role, responsibility and what will be expected of them.
When creating your RACI, especially one which results in a new operational TO-BE state, make sure your stakeholders understand their new responsibilities. It will be necessary to obtain the resource commitment from the key resource, their manager, and their executive.
Establishing Ownership for Credentials
- Windows Server
In some organizations this may be distributed ownership, while in other organizations it will be a centralized managed and governed function. During your charter process you should identify your specific organizational structure.
Discovery Log Monitoring
The Discovery Log and the Horizontal Discovery Log display the activity that takes place during a discovery. Use the logs to debug failed discoveries.
The Discovery Log shows information such as classification failures, CMDB updates, and authentication failures. A Discovery Log record is created for each action associated with a discovery status.
Discovery Log Records
Discovery Pattern and Horizontal Discovery Log
The Pattern Discovery log includes Horizontal Discovery log records, which display information about discoveries that were performed with patterns. A horizontal discovery log record is created for an entire horizontal discovery run, which includes the results of all the operations specified in the pattern.
The Horizontal Discovery Log
Open the Discovery Log
Open the Discovery Log to troubleshoot a discovery.
Discovery logs and their frequent review are essential to maintaining a healthy and robust Discovery solution. As a discovery run proceeds, we learn which protocol a particular IP responds to (WMI/SSH/SNMP), and in the subsequent classification phase the MID Server uses the appropriate credential for that protocol to query the target.
In addition, the Discovery error messages and warnings are available to aid in troubleshooting.
The Keys to Credentials
Windows – the best option for Windows credentials is to load them in the ServiceNow instance.
Windows credentials require a domain user that has local Administrator privileges on the targets you are looking to discover. A local administrator user can be utilized for non-domain machines; however, if you utilize User Account Control, Microsoft has removed remote access capability for non-domain users.
Secure Shell (SSH) – SSH credentials require a standard SSH user or private key (with an optional passphrase) to connect to Unix-based systems. There are unique commands that require sudo access; these are outlined on our WIKI by operating system.
SNMP – For your network-based devices (Routers/Switches/Printers/UPS/PDU) we require the ‘Read only’ string.
VMWare – vCenter credentials require a read only user that will be used to query the vCenter API when found as a running process or as a discovered vCenter appliance.
Storage – When using an SLP provider to discover storage systems, we require an admin user configured on the storage agent, and that same user needs to be configured as admin/root on the host on which the agent is deployed as well.
External Credential Store
If there is a requirement for credentials to remain stored on the local network, out-of-box (OOB) functionality is available through the External Credential Store capability. CyberArk is supported out of the box, and other tools can be utilized by creating a custom JAR file to communicate with that system.
Want a proven credentials management strategy? Consider these two options:
- Use the internal encrypted table stored in the ServiceNow instance. With this strategy, it’s easier for you to keep a credential table updated when there’s a change in device credentials.
- Use the local security vault that you’re already using. ServiceNow has OOTB integration with CyberArk. Consult your security team for other credentials management vaults. You can easily integrate these vaults with ServiceNow Discovery.
Read the product documentation about using CyberArk for your credentials storage. In order to gather data, you need to know the protocols used to scan for credentials. Here’s a list of the most common protocols to get you started:
- Windows Management Instrumentation (WMI) – You need a domain user that has local administrator privileges on the targets you want to discover. Keep in mind that if you’re using Microsoft User Account Control, non-domain and non-admin users won’t be able to access the targets remotely. Typically, this step takes longer than the Secure Shell (SSH) and Simple Network Management Protocol (SNMP) setup, since Windows access requires full credentials. Prioritize this task early by working with your network, security, and server teams.
- Secure Shell (SSH) – For Unix/Linux targets, you need a standard SSH user or private key (with an optional passphrase) to connect to these systems. ServiceNow Discovery has defined unique commands that run as “sudo nopasswd” to extract all required operational and configuration data. Read the product documentation page for more details on managing Unix and Linux credentials.
- Simple Network Management Protocol (SNMP) – You need to get the read-only string for your network-based devices such as routers, switches, and printers. Whitelist MID Servers in the routers and switches access control lists (ACLs). You may also need local shell access for some load balancers to capture configuration data.
- VMWare – You need read-only user access that will query the vCenter API when running as a process or as a discovered vCenter appliance.
- Storage – You need full administrator user access to the storage agent (SLP) and the host where it’s deployed. Discovery uses CIM credentials to query the provider and explore the storage environment.
- Cloud – You need to acquire full credentials to access cloud instances and APIs. This means that you have to reach out to all business units using cloud instances and get credentials before you start the discovery process. Some have a master account that allows access to all cloud instances. If your company has such an account, request access to it.
Establishing Event and Incident Management for Credentials
The scope of Event Management and Incident Management should also include credentials. The error logs for Discovery credentials can serve as the input to Event Management and also Incident Management. When a credential error or issue becomes impactful to a critical service, managing that criticality through event and incident management will prove to be useful.
The Infocenter DEVSHOP™ offering incorporates these two services to ensure that any repeat failure on credentials is managed as a critical warning, event or incident.
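The following is an added example (not code from the original guide or from Infocenter) of the log review described under Discovery Log Monitoring feeding the event handling described here: it scans constructed Discovery Log records for authentication failures and flags targets whose credential failures repeat across discovery runs. The record field names (status, source, level, message) and the alert thresholds are assumptions.

```javascript
// Constructed sample Discovery Log records (not real instance data).
// Field names are assumptions modelled on the Discovery Log: `status` is the
// discovery run, `source` the target IP, `level`/`message` the log entry.
const sampleDiscoveryLog = [
  { status: 'RUN-1', source: '10.0.0.10', level: 'Error',
    message: 'Authentication failure for WMI credential "svc_disc" on 10.0.0.10' },
  { status: 'RUN-1', source: '10.0.0.20', level: 'Info',
    message: 'Classification: Linux Server via SSH' },
  { status: 'RUN-2', source: '10.0.0.10', level: 'Error',
    message: 'Authentication failure for WMI credential "svc_disc" on 10.0.0.10' },
  { status: 'RUN-2', source: '10.0.0.30', level: 'Error',
    message: 'SNMP authentication failed: no community string accepted' },
  { status: 'RUN-3', source: '10.0.0.10', level: 'Error',
    message: 'Authentication failure for WMI credential "svc_disc" on 10.0.0.10' },
  { status: 'RUN-3', source: '10.0.0.20', level: 'Warning',
    message: 'CMDB update: no change for cmdb_ci_linux_server' },
];

const AUTH_FAILURE = /authentication fail(ed|ure)/i;
const PROTOCOLS = ['WMI', 'SSH', 'SNMP', 'CIM', 'VMWARE'];

// Returns null for records that are not credential failures; otherwise the
// protocol named in the message, or 'Unknown' when none of the known ones is.
function authFailureProtocol(rec) {
  if (rec.level !== 'Error' || !AUTH_FAILURE.test(rec.message)) return null;
  const upper = rec.message.toUpperCase();
  return PROTOCOLS.find(p => upper.includes(p)) || 'Unknown';
}

// Counts the distinct discovery runs in which each target/protocol pair failed
// authentication. A pair failing in `threshold` runs becomes a warning; one
// failing in more runs than that is escalated to critical (assumed policy).
function repeatedCredentialFailures(records, threshold) {
  const runsByKey = new Map();
  for (const rec of records) {
    const proto = authFailureProtocol(rec);
    if (!proto) continue;
    const key = rec.source + '|' + proto;
    if (!runsByKey.has(key)) runsByKey.set(key, new Set());
    runsByKey.get(key).add(rec.status);
  }
  const alerts = [];
  for (const [key, runs] of runsByKey) {
    if (runs.size < threshold) continue;
    const [source, protocol] = key.split('|');
    alerts.push({ source, protocol, failedRuns: runs.size,
                  severity: runs.size > threshold ? 'critical' : 'warning' });
  }
  return alerts.sort((a, b) => b.failedRuns - a.failedRuns);
}

console.log(repeatedCredentialFailures(sampleDiscoveryLog, 2));
```

Counting distinct runs rather than raw log lines keeps a single noisy run from being escalated, while a credential that fails on the same target run after run surfaces as the repeat failure this section is about.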
The objectives of Governance are to:
- Ensure credentials under control are identified and properly managed throughout their lifecycle.
- Identify, control, record, report, audit and verify issuance of credentials, including versions, baselines, constituent components, their attributes and relationships.
- Account for, manage and protect the integrity of credentials through the service lifecycle by working with change management to ensure that only authorized credentials are used, and that only authorized changes to credentials are reviewed and approved.
The Configuration Management Process Owner’s primary objective is to own and maintain the Configuration Management process. The Process Owner is usually a senior manager with the ability and authority to ensure that the process is defined and implemented, that training is available, that the process is followed, and that it is continually improved upon for the benefit of all stakeholders.
Infocenter Managed Services for Governance Delivers the Following:
- Defining the overall mission of the credential Configuration Management process: establishing and communicating the credential process mission, goals, and objectives to all stakeholders within the organization. Infocenter-led sessions (Infocenter RADIUS™ strategic ServiceNow planning engagements) by CMDB credential expert practitioners co-deliver the program with the client team.
- Documenting and maintaining the credential process and procedures within the client knowledge base.
- Resolving any cross-functional (departmental) issues for credential Configuration Management, credential ownership, or credential access, privileges and/or security remediation.
- Ensuring proper staffing (both internal and external) and training for execution of the Credential Management process.
- Ensuring consistent execution of the credential process across the organization by deploying Configuration Management and credential control plans and access KPIs.
- Monitoring, measuring, and reporting on the effectiveness of the credential gathering and management process to senior management with periodic program checkpoints and performance recaps.
- Continually improving the credential process by maturing and refining the process for maximum efficiency within the organization.
The DEVSHOP™ Configuration Manager role is responsible for day-to-day facilitation of the Configuration Management process. The role is included in the managed service offering from Infocenter. The primary objective of the role is to ensure that changes to the credential data in the CMDB, including CIs, CI Classes, Relationships, and CI Reconciliations, are controlled, and to enable efficient resolution of integrity issues. The DEVSHOP™ Configuration Manager will work with the client CI Owners as needed. The role includes:
- Managing the day-to-day activities of the credential process, ensuring operating procedures are documented to support the activities.
- Maintaining the Configuration Management System, including the CI data model and relationships.
- Assigning approved credential updates and Change tasks to the CMDB.
- Coordinating interfaces between Configuration Management and other access and security processes.
- Ensuring that all operational services (and those being prepared) are recorded within the ServiceNow platform.
- Ensuring that all credential information within the MID Server and the Discovery application is accurate and up to date.
- Tracking security and access compliance to the process.
- Working with the client Service Management Office to set policy and governance as needed.
- Working with Architecture Review Boards (ARBs) as needed to ensure credential and access decisions follow corporate policy.
Other DEVSHOP™ Processes
DEVSHOP™ Incident Management
Configuration Management assists Incident Management by providing the Service Desk with immediate information on the credentials affected, enabling more timely resolution of faults through an understanding of which credentials have been affected and changed.
In addition, a well-maintained CMDB with relationships will aid the incident manager in reducing MTTR by allowing pinpoint accuracy in identifying the root cause of a credential issue. Aiding in root cause analysis is the primary function of a well-maintained CMDB.
DEVSHOP™ Problem Management
Configuration Management assists Problem Management by linking the credentials affected by problems to the Incident, Problem and Change Management processes and ensuring the related CI status is properly maintained.
DEVSHOP™ Change Management
Configuration Management assists Change Management by recording which credentials have been changed and controlling the status of credentials throughout the entire CI lifecycle.
Speak with an Expert
To learn more about how Infocenter, a ServiceNow Elite Partner, can help you plan, implement and manage your ServiceNow platform, reach out to speak with an expert today!