Does ServiceNow support Delinea (Secret Server) Credential Resolver?
06-23-2022 01:41 AM
We are planning to integrate Delinea (earlier called Thycotic) Secret Server with the ServiceNow Discovery tool.
But as per the ServiceNow product documentation, it currently supports only CyberArk out of the box.
Also, I have come across one KB article from ServiceNow stating it does not support Thycotic integration.
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0955942
I am a bit confused here. Even the official Delinea site says the current version of the Secret Server Credential Resolver has been superseded by the new version documented and published here. But the link does not work.
https://docs.thycotic.com/ssi/current/servicenow/mid-server
Can someone help me understand: can we integrate the Delinea Secret Server with our ServiceNow for Discovery?
And if we integrate, does the ServiceNow team provide support in case of any issue?
05-11-2023 10:57 AM - edited 05-11-2023 11:26 AM
Did you run into any errors in your MID Server Agent log at any point like, "Problem with client's CredentialResolver: unsupported API version reported: 2.0, MID SERVER supports 1.1"?
We have gotten as far as loading the JAR, configuring the config.xml and trying a test scan using a secret ID, and can see that it's attempting to reach out to the Secret Server with the credential ID we want, but we're getting that error. We didn't set up the "Password safe external credential storage for Discovery" plugin though. What led you to do that? I didn't see anywhere in the Delinea or ServiceNow docs on all this that referenced it. They all just said to request the "External Credential Storage Plugin" from ServiceNow via a support ticket, which we did do and have verified is there.
Our thought right now is that we've been seeing things telling us that OAuth 2.0 is not supported on the MID Servers and that the only way to use 2.0 is for direct integrations that don't go through the MID, and that maybe the error message we're seeing has to do with that. But you seem to have gotten past that OK and gotten your MID to use OAuth 2.0 OK. Is that why you needed the Password Safe plugin?
The other thing we've noticed is that we have, as you do above, in the settings, added the parameter:
<parameter name="application_id" value="oauth_2_client"/>
This is only referenced in the PAS configuration out on the Delinea site. Do we need to do that part of the PAS configuration?
Once the user is created, go to Apps > Web Apps and click Add Web Apps.
Select Custom and add OAuthClient.
Update the settings of the OAuth Client application.
Click Apps > Web Apps again and click the OAuth Client row you just created.
Under the Settings tab enter as follows:
- Application ID: set to oauth_2_client
- Name: OAuth Client
- Description enter: “Use this template to set up an application that is making OAuth secured REST calls to the PAS Platform”
The other thing that is different for us is that we're not using an On Prem secret server. Is that a problem? The documentation seems to say it is ok because it mentions that you only need to do some of the steps for On Prem instances of Secret Server (i.e. the certificate import stuff).
By the way, thanks for your answers here 🙂 Also, we're opening a HI ticket (and maybe a Delinea ticket too) on this. Just thought we'd post what we're experiencing here in case you ran into some of the same things (or someone else :))

07-11-2023 10:14 AM
Did you ever get a solution for this? We're in the process of trying to get this integration as well, and ServiceNow basically stated they don't support the integration OOB and the Delinea rep stated that ServiceNow has to help with any installation questions.
07-11-2023 01:16 PM - edited 07-11-2023 01:19 PM
Well, we have gotten it working, yes. We got the same answer when we attempted a ticket with ServiceNow but have had better luck with opening Delinea cases. We're still trying to figure out if we can use the wide value for the credential_lookup_type parameter (which we think will allow us to look up a credential when the cred has been deployed but the device (IP) hasn't been discovered by Secret Server). We're also trying to determine if we can use the use_cred_cache parameter and set it to true, because right now it's taking a long time for our scans to run and SN support said it was because it's looking up the cred in Secret Server each time it needs it and taking like 1000ms each time. We have a case opened to find out if the use_cred_cache parameter can be utilized with a cloud-based Secret Server.
The thing that was throwing us initially was that we needed to download the latest JAR. We didn't need to have the "Password safe external credential storage for Discovery" plugin activated, just the "External credential storage" plugin. We also had to include all the params from the PAS setup with a bunch of them commented out...see the PAS documentation (https://docs.delinea.com/int/current/servicenow/mid-server-credential-resolvers/pas/config/setup-mid...).
There is a note in there about including the dummy parameters.
The other thing that threw us a little was where to get the jar file. The Delinea documentation refers to the Jar file as the "ServiceNow Plugin." If you look here (https://docs.delinea.com/int/current/servicenow/mid-server-credential-resolvers/secret-server/setup....) under the "ServiceNow Plugin" section there is a link to download the Jar file.

07-12-2023 11:58 AM
In ServiceNow I go into the credential that we created for Delinea. When I check the credential storage vault field, the only options that I have are None and CyberArk. Any idea where I'm going wrong with this?
07-12-2023 01:05 PM
There is a process where you can create an option for Secret Server there, but you don't need to. You can just select None and it works fine.