Integrating Secret Server with MID Server Credential Resolver
Integrating Secret Server with the MID Server Credential Resolver in ServiceNow allows for the secure storage and retrieval of credentials during ServiceNow's automation tasks, such as Discovery and Scanning. This integration enables the MID Server in your ServiceNow instance to dynamically retrieve credentials from Secret Server, eliminating the need to store sensitive credentials directly in ServiceNow.
During Discovery, ServiceNow does not treat credentials as "once per device"; instead, credentials are resolved per probe and per discovery phase. For a single machine, different discovery activities such as port scanning, OS detection, and horizontal discovery run independently and may each request credentials on their own. As a result, the same credential can be resolved multiple times during a single discovery run. This behavior is by design in ServiceNow.
Secret Server Implementation Modes
Secret Server offers the following two implementation modes.
- Just-In-Time mode
In this mode, the MID Server agent configuration file is modified to include the Secret Server API account's credential in encrypted format. The MID Server agent handles authenticating to the REST API and requesting the needed OAuth2 token to retrieve secrets.
You must provide the API account's credentials (for example, username and password) in encrypted format within the configuration file. If you use this method, ensure that access to the MID Server agent's folder is restricted, because the encrypted credential lives there.
- Grant File mode
In this mode, the MID Server agent configuration file is modified to include the path to an oauth2_grant.json file. This file contains the access token the agent will use to authenticate API calls. It requires an external source to write the OAuth2 token to the file.
The external source must run on a regular schedule so that the token is replaced before it expires under the Web Services configuration of your Secret Server instance. The Windows Task Scheduler is the recommended mechanism.
We recommend the grant file authentication option to avoid a self-inflicted denial of service: because credentials are resolved repeatedly during a single Discovery run, Just-In-Time mode can generate a large volume of token requests against Secret Server, whereas Grant File mode reuses one token until it is refreshed.
This integration works only with Secret Server Cloud.
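The following PowerShell script is an added example of the "external source" that Grant File mode requires; it is not Delinea's or ServiceNow's code. It assumes that oauth2_grant.json stores the JSON response returned by Secret Server's POST /oauth2/token endpoint, that the API account password has been saved once as a DPAPI-protected string, and that the paths, account names and refresh interval are placeholders you replace. It only requests a new token when the existing one is close to expiry, so a frequent Task Scheduler trigger does not turn into the flood of token requests the recommendation above warns about.

```powershell
# Refresh-MidGrant.ps1 (added example, not from the page or from Delinea/ServiceNow)
# Writes the OAuth2 grant file consumed by the MID Server in Grant File mode.
# ASSUMPTIONS: grant file = raw JSON from POST /oauth2/token; all paths/accounts are placeholders.
param(
    [string]$SecretServerUrl   = 'https://<your-tenant>.secretservercloud.com',          # placeholder tenant
    [string]$ApiUser           = 'svc-servicenow-mid',                                   # placeholder API account
    [string]$SecurePwdFile     = 'C:\ProgramData\MidServerGrant\api.pwd',                # DPAPI-protected password
    [string]$GrantFile         = 'C:\ServiceNow\MID Server\agent\oauth2_grant.json',     # path named in agent config
    [string]$MidServiceAccount = 'DOMAIN\svc-mid',                                       # placeholder MID Server account
    [int]$RefreshMarginSec     = 300                                                     # renew this long before expiry
)

function Test-GrantStillValid {
    # Returns $true when the existing grant file holds a token that will not expire
    # within the margin. Issue time is taken from the file's last write (no extra field
    # is added to the file, so its format stays exactly what the token endpoint returned).
    param([string]$Path, [int]$MarginSec)
    if (-not (Test-Path -Path $Path)) { return $false }
    try { $grant = Get-Content -Path $Path -Raw | ConvertFrom-Json } catch { return $false }
    if (-not $grant.access_token -or -not $grant.expires_in) { return $false }
    $issued  = (Get-Item -Path $Path).LastWriteTimeUtc
    $expires = $issued.AddSeconds([int]$grant.expires_in - $MarginSec)
    return ((Get-Date).ToUniversalTime() -lt $expires)
}

function Get-SecretServerGrant {
    # Password grant against Secret Server's token endpoint (form-encoded body).
    param([string]$BaseUrl, [string]$User, [System.Security.SecureString]$Password)
    $cred = New-Object System.Management.Automation.PSCredential($User, $Password)
    $body = @{
        username   = $User
        password   = $cred.GetNetworkCredential().Password
        grant_type = 'password'
    }
    return Invoke-RestMethod -Method Post -Uri "$BaseUrl/oauth2/token" `
        -Body $body -ContentType 'application/x-www-form-urlencoded'
}

function Write-GrantFile {
    # Write to a temp file, lock its ACL down, then swap it into place so the agent
    # never reads a half-written file.
    param([string]$Path, $Grant, [string]$ReaderAccount)
    $tmp = "$Path.tmp"
    $Grant | ConvertTo-Json -Compress | Set-Content -Path $tmp -Encoding UTF8 -NoNewline
    icacls $tmp /inheritance:r /grant:r 'SYSTEM:F' 'Administrators:F' "${ReaderAccount}:R" | Out-Null
    Move-Item -Path $tmp -Destination $Path -Force
}

if (Test-GrantStillValid -Path $GrantFile -MarginSec $RefreshMarginSec) {
    Write-Output 'Grant file still valid; no token request made.'
    exit 0
}

# The password file was created once, under the same Windows account that runs this task, with:
#   Read-Host -AsSecureString | ConvertFrom-SecureString | Set-Content C:\ProgramData\MidServerGrant\api.pwd
# DPAPI binds it to that account and host, so copying the file elsewhere yields nothing usable.
$securePwd = Get-Content -Path $SecurePwdFile | ConvertTo-SecureString
$grant     = Get-SecretServerGrant -BaseUrl $SecretServerUrl -User $ApiUser -Password $securePwd
Write-GrantFile -Path $GrantFile -Grant $grant -ReaderAccount $MidServiceAccount
Write-Output "Grant file refreshed; token expires in $($grant.expires_in) seconds."
```

To schedule it, register a task from an elevated prompt that runs as the account holding the DPAPI-protected password, for example with New-ScheduledTaskAction (powershell.exe -NoProfile -ExecutionPolicy Bypass -File <path to script>), New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 15), and Register-ScheduledTask. Choose the repetition interval and $RefreshMarginSec so the file is rewritten comfortably before the token lifetime configured under Web Services in Secret Server elapses; the early return in Test-GrantStillValid means that a tighter schedule costs nothing beyond a local file read. Reviewing the task's run history alongside Secret Server's audit log for the API account gives a quick check that the integration is refreshing on the cadence you expect and not more often.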