Credentials Encryption | MID Server and Credentials Encryption/Decryption
This article explains in detail how the credentials used by Discovery and Orchestration are encrypted and decrypted on the ServiceNow platform and the MID Server:
(1) All credentials are currently stored on the instance using 3DES encryption and are decrypted on the instance with the password2 fixed key. Password2 fields are 2-way encryption fields using 3DES (192/168) and an IV. The 3DES key is itself encrypted a second time using an AES128 wrapper key unique to the instance. Password2-type fields, including those in the credential tables, are therefore encrypted twice when stored in the database:
- first, the field value is encrypted with our regular GlideEncrypter using the 3DES cipher, where the 3DES decryption key is stored in the instance database
- second, the 3DES key is further encrypted using AES with a 256-bit key size, where that key is stored in the SafeNet devices (a separate key-storage appliance) and retrieved by the instance
NOTE: Our on-prem customers usually do not use the second level of encryption unless they add and configure the SafeNet devices themselves. Each instance has its own key, so even for the same customer the prod and sub-prod instances have different encryption keys in the SafeNet devices.
(2) When a MID Server is created, it generates a keypair consisting of a public and a private key. After the MID Server is validated, it can use the private key to decrypt credentials (explained below). The credentials are re-encrypted on the instance with the MID Server's public key. ServiceNow then further protects the credentials in transit using SSL (terminated on the load balancer) and sends them to the MID Server.
(3) The MID Server removes the SSL layer and then further decrypts the credentials using its private key.
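Steps (1) to (3) above as an added Go example; this is not ServiceNow's code. It stores a credential with 3DES-CBC under a random IV, recovers it on the instance, re-encrypts it under the MID Server's RSA public key, and decrypts it with the private key. The SafeNet AES key wrap and the SSL transport layer are left out; the 24-byte 3DES key, RSA-OAEP padding and the sample credential are assumptions.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// At rest: 3DES-CBC (24-byte key = 192 bits incl. parity) with a random IV
// prepended to the ciphertext; PKCS#7 padding fills the final 8-byte block.
func encrypt3DES(key, plain []byte) ([]byte, error) {
	blk, err := des.NewTripleDESCipher(key)
	if err != nil { return nil, err }
	n := des.BlockSize - len(plain)%des.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, des.BlockSize+len(padded))
	if _, err := rand.Read(out[:des.BlockSize]); err != nil { return nil, err }
	cipher.NewCBCEncrypter(blk, out[:des.BlockSize]).CryptBlocks(out[des.BlockSize:], padded)
	return out, nil
}

func decrypt3DES(key, ct []byte) ([]byte, error) {
	blk, err := des.NewTripleDESCipher(key)
	if err != nil { return nil, err }
	if len(ct) < 2*des.BlockSize || len(ct)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext is not IV plus whole blocks")
	}
	pt := make([]byte, len(ct)-des.BlockSize)
	cipher.NewCBCDecrypter(blk, ct[:des.BlockSize]).CryptBlocks(pt, ct[des.BlockSize:])
	n := int(pt[len(pt)-1]) // basic padding sanity check on the length byte
	if n == 0 || n > des.BlockSize { return nil, errors.New("bad padding") }
	return pt[:len(pt)-n], nil
}

// Instance side: recover the credential from the password2 field and re-encrypt
// it for one MID Server under that server's RSA public key (OAEP is assumed).
func ReencryptForMID(desKey, stored []byte, midPub *rsa.PublicKey) ([]byte, error) {
	plain, err := decrypt3DES(desKey, stored)
	if err != nil { return nil, err }
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, midPub, plain, nil)
}

// MID Server side: only the holder of the private key recovers the credential.
func MIDDecrypt(midPriv *rsa.PrivateKey, env []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, midPriv, env, nil)
}
```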
(4) The connection inside the customer's environment (between the MID Server and remote hosts, including SCCM) is governed by the customer's own security team, because we use the generic OS protocols for it, depending on whether the MID Server OS is Windows or Unix. We do not have a default setup: each protocol (SSH/WMI/SNMP) encrypts its information differently in its own generic way. We do not contribute to this in any way, as it is out of our scope. Once the information reaches the MID Server, it is up to the OS to transfer the data within the customer's network. However, we do have prerequisites, as follows: