Sandeep Kumar6
Giga Guru

 

ServiceNow CyberArk Integration Steps to follow

 

The MID Server obtains the credential identifier from the instance, and then uses a customer-provided JAR file to resolve the identifier from the repository into a usable credential.

Note: The customer-provided JAR file is kept on the MID Server.

 

  1. Activate external credential storage for Discovery and Orchestration.
  2. Configure the CyberArk vault and install the AIM API.
    1. Install the CyberArk AIM API on the MID Server machine. The API is provided by the customer.
    2. Configure CyberArk to allow the MID Server to access the vault by creating an App-ID in CyberArk.
    3. Grant the App-ID ServiceNow_MID_Server access to every credential the MID Server needs.
  3. Provision CyberArk accounts and set permissions for application access.
  4. In the CyberArk Password Safe, create the privileged accounts that Discovery needs to access the different devices, and ensure that these accounts are members of the safes in which the necessary credentials are stored.
  5. Import the CyberArk JAR file.
    1. Import the CyberArk JavaPasswordSDK.jar file into the instance to make it accessible to the MID Server.
      1. Use this process even if the JavaPasswordSDK.jar file already exists on the MID Server.
    2. Navigate to MID Server > JAR Files.
    3. Click New and complete the form.
    4. Attach the JAR file to this record.
      1. The AIM JavaPasswordSDK.jar file comes with the AIM SDK installation files and is typically located on the MID Server in the AIM installation directory at <install_dir>/CyberArk/ApplicationPasswordSdk.
    5. Restart the MID Server service.
  6. Configure the MID Server for CyberArk.
    1. Edit the MID Server config.xml file to grant the MID Server access to the CyberArk vault.
      1. JavaPasswordSDK.jar must be present on the MID Server.
    2. Required configuration parameters
      1. ext.cred.safe_folder
        1. NameOfFolder: Folder to use for all credential lookups. For example, root.
      2. ext.cred.use_cyberark
        1. true: Boolean parameter indicating that this MID Server is integrated with CyberArk.
    3. Optional configuration parameters
      1. ext.cred.safe_timeout
        1. 5: Timeout of each credential lookup in the vault, specified in seconds.
      2. ext.cred.safe_name
        1. NameOfSafe: Default safe name used for all credential lookups. If credentials are in multiple safes, the credential ID may be specified in the format <safeName>:<CredentialID>.
      3. ext.cred.app_id
        1. ServiceNow_MID_Server: Specifies the App-ID used to grant the MID Server permission to access the CyberArk vault. The default value, ServiceNow_MID_Server, must be defined in the CyberArk vault.
      4. ext.cred.type_specifier
        1. true: Forces an IP address lookup to return only credentials that match both the CyberArk platform ID and the IP address.
      5. ext.cred.check_ssh_type
        1. false: When set to true, requires that the type of SSH credential returned from CyberArk matches the type of credential requested.
  7. Configure CyberArk for an SNMP v2 credential.

Note: If the community string appears in the password field of the CyberArk credential, it is not necessary to perform this procedure.

  1. If a system uses SNMPv2, create a special file that maps an attribute of the credential to the community string.
    1. In a text editor, create a file called CredMap.properties containing this line:
      1. Community=attribute_name
    2. Save the file to the /agent directory of your MID Server installation.
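
As an added check (not part of the article and not ServiceNow's own tooling), the following Python script parses a MID Server config.xml and reports the step 6 parameters that are missing or inconsistent, including a mid.instance.password left in the clear. The sample config embedded in it is constructed, the defaults are the ones the article lists for the optional parameters, and the function names (check_cyberark_config, effective_settings) are my own.

```python
"""Sanity-check the CyberArk parameters in a MID Server config.xml.

Added example, not code from the article or from ServiceNow. The parameter
names (ext.cred.*, mid.instance.password, mid.secure_config.provider) are
the ones the article and its comments mention; the sample config below is
constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed sample: what config.xml might look like after step 6.
SAMPLE_CONFIG = """<parameters>
    <parameter name="url" value="https://example.service-now.com/"/>
    <parameter name="mid.instance.username" value="mid.user"/>
    <parameter name="mid.instance.password" secure="true" value="encrypted:AAAA"/>
    <parameter name="ext.cred.use_cyberark" value="true"/>
    <parameter name="ext.cred.safe_folder" value="Root"/>
    <parameter name="ext.cred.app_id" value="ServiceNow_MID_Server"/>
    <parameter name="name" value="mid01"/>
</parameters>
"""

REQUIRED = ("ext.cred.use_cyberark", "ext.cred.safe_folder")
# Documented defaults for the optional parameters (from the article).
OPTIONAL_DEFAULTS = {
    "ext.cred.app_id": "ServiceNow_MID_Server",
    "ext.cred.safe_timeout": "5",
    "ext.cred.check_ssh_type": "false",
}
OTHER_OPTIONAL = ("ext.cred.safe_name", "ext.cred.type_specifier")


def load_parameters(xml_text):
    """Return {name: (value, secure)} for every <parameter> element."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): (p.get("value", ""), p.get("secure") == "true")
            for p in root.iter("parameter") if p.get("name")}


def check_cyberark_config(xml_text, jar_present=True):
    """Return a list of findings; an empty list means the config looks consistent."""
    params = load_parameters(xml_text)
    findings = []
    for name in REQUIRED:
        if name not in params:
            findings.append(f"missing required parameter {name}")
    use = params.get("ext.cred.use_cyberark", ("", False))[0].strip().lower()
    if use != "true":
        findings.append("ext.cred.use_cyberark is not 'true'; external lookups stay disabled")
    # The instance password must not sit in config.xml in the clear: accept the
    # instance-encrypted form or a CyberArk secure-config reference (see comments).
    pw, secure = params.get("mid.instance.password", ("", False))
    if pw and not (pw.startswith("encrypted:") or pw.startswith("cyberark:")):
        findings.append("mid.instance.password is stored in plaintext")
    if pw.startswith("cyberark:") and "mid.secure_config.provider" not in params:
        findings.append("cyberark: password reference without mid.secure_config.provider")
    if pw and not secure:
        findings.append('mid.instance.password lacks secure="true"')
    if not jar_present:
        findings.append("JavaPasswordSDK.jar not found; upload it under MID Server > JAR Files")
    timeout = params.get("ext.cred.safe_timeout",
                         (OPTIONAL_DEFAULTS["ext.cred.safe_timeout"], False))[0]
    if not timeout.isdigit() or int(timeout) <= 0:
        findings.append("ext.cred.safe_timeout must be a positive number of seconds")
    return findings


def effective_settings(xml_text):
    """Merge parsed ext.cred.* values with the documented defaults."""
    params = load_parameters(xml_text)
    out = dict(OPTIONAL_DEFAULTS)
    for name in REQUIRED + tuple(OPTIONAL_DEFAULTS) + OTHER_OPTIONAL:
        if name in params:
            out[name] = params[name][0]
    return out


if __name__ == "__main__":
    for line in check_cyberark_config(SAMPLE_CONFIG) or ["no findings"]:
        print(line)
    print(effective_settings(SAMPLE_CONFIG))
```

Run it against your real config.xml by reading the file into a string; pass jar_present=False if ..\agent\extlib does not contain JavaPasswordSDK.jar after the MID Server has restarted.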
  8. Configure the CyberArk credential identifier.

To configure the credential identifier:

  1. Navigate to Discovery > Credentials or Orchestration > Credentials and open the credential record.
  2. Select the External credential store check box.
    • The User name and Password fields disappear, and the Credential ID field appears.
  3. In Credential ID, enter the unique key configured for these credentials in the external repository. This is the identifier defined in the JAR file uploaded to the MID Server, and it is the ID passed to the Java class in the parameter map.

In the Credential ID field, enter an expression using one of these formats:

    • If all your credentials are in the same safe, configure this safe name in the MID Server config.xml file using the ext.cred.safe_name parameter, and then specify the credential ID by name only, as <credential ID>.
    • To name credentials for a given platform that reside in a specific safe, define the credential ID as <safe>:<credential ID>:<platform ID>.
    • If your credentials are in multiple safes, specify the credential ID in this format: <safe>:<credential ID>.
    • If you want CyberArk to look up the credential by IP address, using an alternate safe, specify the credential ID in this format: <safe>:.
    • If you want CyberArk to look up the credential for an alternate platform ID in the same safe, use this format: ::<platform ID>
    • If you want CyberArk to look up the credential in a configured safe by the IP address rather than the credential ID, leave this field blank. This is the best practice for handling installations in which each server has a unique credential. Without this type of lookup, you must create a credential ID record in your instance for every server in your environment.

Note: The credential ID must match the value in the Name field of the credential in the CyberArk vault. The Credential ID field has a limit of 40 characters.
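
To make the formats above concrete, here is an added Python parser (not code from the article or from ServiceNow) that turns a Credential ID expression into the safe, object name and platform ID a lookup would use, applying ext.cred.safe_name as the default safe and the 40-character limit from the note. It also builds an AIM-style query string in the shape the CLIPasswordSDK command in the comments uses; the Address and PolicyID keys for IP- and platform-based lookups are my assumption about AIM, and how the MID Server actually composes its query is not shown on this page. The Lookup class and function names are mine.

```python
"""Parse the Credential ID expression a ServiceNow credential record passes
to the MID Server for a CyberArk lookup.

Added example, not code from the article or from ServiceNow. Formats
handled, as the article lists them: <id>, <safe>:<id>, <safe>:<id>:<platform>,
<safe>: (IP lookup in an alternate safe), ::<platform> (IP lookup with an
alternate platform) and blank (IP lookup in the configured safe).
"""
from dataclasses import dataclass
from typing import Optional

CREDENTIAL_ID_MAX_LEN = 40  # limit stated in the article's note


@dataclass(frozen=True)
class Lookup:
    safe: str                   # safe to query (explicit or ext.cred.safe_name)
    object_name: Optional[str]  # CyberArk object name; None means look up by IP
    platform_id: Optional[str]  # platform ID filter, if any
    by_ip: bool                 # True when the lookup keys on the target's IP address


def parse_credential_id(credential_id: str, default_safe: Optional[str] = None) -> Lookup:
    """Split a Credential ID field value into its lookup components."""
    expr = credential_id.strip()
    if len(expr) > CREDENTIAL_ID_MAX_LEN:
        raise ValueError(f"Credential ID exceeds {CREDENTIAL_ID_MAX_LEN} characters")
    parts = expr.split(":") if expr else [""]
    if len(parts) > 3:
        raise ValueError("Credential ID may have at most three ':'-separated fields")
    if len(parts) == 1:
        # Bare name (or blank): the configured safe, object name only.
        safe, name, platform = "", parts[0], ""
    else:
        parts += [""] * (3 - len(parts))  # pad so every format shares one path
        safe, name, platform = parts
    safe = safe or default_safe
    if not safe:
        raise ValueError("no safe in the Credential ID and ext.cred.safe_name not configured")
    return Lookup(safe=safe, object_name=name or None,
                  platform_id=platform or None, by_ip=not name)


def to_aim_query(lookup: Lookup, folder: str = "Root", address: Optional[str] = None) -> str:
    """Illustrative AIM-style query (Safe/Folder/Object as in the CLI command in the
    comments; Address and PolicyID are assumed keys for IP and platform lookups)."""
    fields = [("Safe", lookup.safe), ("Folder", folder)]
    if lookup.by_ip:
        if not address:
            raise ValueError("IP-based lookup needs the target's address")
        fields.append(("Address", address))
    else:
        fields.append(("Object", lookup.object_name))
    if lookup.platform_id:
        fields.append(("PolicyID", lookup.platform_id))
    return ";".join(f"{k}={v}" for k, v in fields)


if __name__ == "__main__":
    # Constructed inputs: safe, object and platform names are placeholders.
    for cred_id in ["unix_root", "S2:unix_root", "S2:unix_root:UnixSSH", "S2:", "::WinDomain", ""]:
        lk = parse_credential_id(cred_id, default_safe="S1")
        print(repr(cred_id), "->", to_aim_query(lk, address="10.0.0.5" if lk.by_ip else None))
```

The blank and "<safe>:" forms are the ones the article recommends when every server has its own credential; the parser marks them by_ip so the caller knows it must supply the target's address rather than an object name.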

 

Configure AWS Credential on CyberArk Vault

  • Store the credentials as an SSH key on the CyberArk vault.
  • When you configure access to the vault on your instance, the name you give to the SSH key must also be used as the credential ID.

Property: Enable External Credential Storage (com.snc.use_external_credentials)

  • Enables or disables the External Credential Storage plugin after it is activated.
  • Location: Discovery Definition > Properties and Orchestration > MID Server Properties.

 

JAR file to resolve credentials:

The JAR file resolves the credential identifiers sent from the MID Server into actual credentials from the repository.

Template to create the JAR file

Note: The customer provides the JAR file that resolves the credential.

Reference: https://docs.servicenow.com/bundle/madrid-servicenow-platform/page/product/credentials/concept/c_Ext...

 

 

Important: You cannot manage credentials stored on a CyberArk vault and a custom external credential storage system using the same MID Server. To use both types of external storage, install and configure a dedicated MID Server for each. The MID Server must be installed on the same machine as the CyberArk AIM API/client.

Credential Process Flow:

[Image: credential process flow diagram]


 

Supported Credential Type:

The CyberArk integration supports these ServiceNow credential types:

  • CIM
  • JMS
  • SNMP Community
  • SSH
  • SSH Private Key (with key only)
  • VMware
  • Windows

 

Orchestration activities that use these network protocols support the use of credentials stored on a CyberArk vault:

 

 


Please hit like or mark as Bookmark if this article helps you.

Regards

Sandeep

Comments
Paperclip2
Kilo Contributor

Does anyone have an example MID Server config.xml for the CyberArk integration? I want to be able to mimic the file with my own information to see if it works. Everything I have tried thus far fails, with the exception of the CLI command I ran.

 

<!-- Tells the MID server where to contact its associated ServiceNow instance.  Edit
         this value to provide the URL of your organization's ServiceNow instance. -->
    <parameter name="url" value="https://XXXX.service-now.com/"/>

    <!-- If your ServiceNow instance has authentication enabled (the normal case), set
         these parameters to define the user name and password the MID server will use
         to log into the instance.  -->


    <parameter name="mid.instance.username" value="XXXX.server"/>
    <parameter name="mid.instance.password" secure="true" value="encrypted:XXXXPASSWORD"/>
    
    <parameter name="ext.cred.safe_folder" value="root"/>
    <parameter name="ext.cred.use_cyberark" value="true"/>
    

    <!-- Defines the name by which your MID server is known on the ServiceNow instance.  
         Edit this value to provide the name you want, or leave it blank and the MID server
         will make up a name. -->


    <parameter name="name" value="XXXX_midserver_XXXX"/>

So this was run from the MID Server, and it will actually connect from the MID Server via the CLI:

 

Clipasswordsdk.exe getpassword /p appdescs.appid=ServiceNow_MID_Server /p query="safe=AX-00369-CS;folder=Root;object=AX00369-APP_SVCNOW" /o password

And will return a password

What have I got configured wrong? That is the reason I was hoping someone could share their config.xml file with me, so I could match my changes.

art_anderson2
Tera Expert

Good Day,

We are using CyberArk to manage our MID Server Agent Credentials.  My biggest gripe/problem here is that the ServiceNow credential storage of the credential password integration is (from my opinion) quite inadequate. The plugin works fine and dandy with current password connectivity for the Agent to my instance. However!!!, when CyberArk updates the password on our schedule (30 days), the new password is not updated in ServiceNow instance. ServiceNow support indicates this is as designed. So, every 30 days, I have to manually update my Agent Accounts in ServiceNow with the newly applied vault password. A major overhead inconvenience. Well, how bad could that be, so you have to update a couple of passwords here and there? Well, it's a pain, I currently have 64 Agents therefore 64 Agent accounts. Enough of my gripes, I'm looking at an in-house method to address this, we'll see.

Of course, you need to define it in the vault, targeted to the specific server and safe.

In any event, here is the snip from my config.xml, values updated to protect the source:

# Start of relevant config ---------------------------------------------------------

    <!-- Tells the MID server where to contact its associated ServiceNow instance.  Edit
         this value to provide the URL of your organization's ServiceNow instance. -->
    <parameter name="url" value="https://my_instance.service-now.com/"/>

    <!-- If your ServiceNow instance has authentication enabled (the normal case), set
         these parameters to define the user name and password the MID server will use
         to log into the instance.  -->
    <parameter name="mid.instance.username" value="<my.agent.user.account>"/>

    <!-- <MyCompany> CyberArk configuration parameters -->
    <parameter name="mid.instance.password" secure="true" value="cyberark: id=<my.agent.user.account>, type=Win"/>
    <parameter name="mid.secure_config.provider" value="com.service_now.mid.services.config.CyberArkSecuredConfigProvider"/>

    <parameter name="ext.cred.safe_folder" value="Root"/>
    <parameter name="ext.cred.use_cyberark" value="true"/>
    <parameter name="ext.cred.app_id" value="ServiceNow_MID_Server"/>
    <parameter name="ext.cred.safe_name" value="<cyberarkSafeName>"/>
    <!-- Defines the name by which your MID server is known on the ServiceNow instance. 
         Edit this value to provide the name you want, or leave it blank and the MID server
         will make up a name. -->
    <parameter name="name" value="<myMIDServerAgentName>"/>

# End of relevant config -----------------------------------------------------------

 

You must establish the "normal" installed connection to your instance first, you may seed the instance password with your CyberArk credential password. If you don't seed here, you will need to update it with the CyberArk password later.

Make sure you add the "JavaPasswordSDK.jar" file to your instance before you attempt this. The Agent will copy this to ..\agent\extlib when it logs in to the instance. Any MID Server patches will automatically recopy this upon update.

I also had to add the library to my agent's ..\agent\lib folder for the first run.

This should give you the basis of information you need for your configuration.

 

Thank you,

Art

 

Paperclip2
Kilo Contributor

How would you go about securing the communication with encryption, from the MID Server back to CyberArk and vice versa?

chuckm
Giga Guru

The Credential ID field [credential_id] (at 40 characters) wasn't large enough to accommodate the much larger Name field of the credential in the CyberArk vault.  ServiceNow has increased the Credential ID field value to 180 characters in the New York release.

chuckm
Giga Guru

SNMPv3 is now supported in the CyberArk Integration.  The following community article provides more details: The CyberArk Integration Now Supports SNMPv3.

martin_wenger
Tera Contributor

Hello Art,

Have you gotten this to work with securing additional parameters such as the "mid.instance.username" and the "url" as documented in 'Use CyberArk as a secure configuration provider'?

I am struggling to understand from the documented procedure how it references the different parameters into values in the CyberArk account.

When I try the same with the "mid.instance.username" parameter using the below entries, it uses the password value from the CyberArk account for the username, and thus connectivity fails.

<parameter name="mid.instance.username" secure="true" value="cyberark: id=<safe>:<credential ID>, type=Win"/>
<parameter name="mid.instance.password" secure="true" value="cyberark: id=<safe>:<credential ID>, type=Win"/>

Basically, I would like to "secure" and retrieve all of the instance specific parameters from CyberArk without having to hardcode any values in the config.xml.

Cheers,
Martin

 

 

RashikaVT
Tera Contributor

Hello ,

I have a question regarding the password change for the credential IDs in ServiceNow whose passwords are stored externally in a CyberArk safe. I would like to know whether a password change in the PAM would be reflected in LDAP as well for UNIX systems, or whether it has to be manually updated?
Can anyone comment on this, please?

Thanks,
Rashika Padmanabhan

MDAQUIBK
Tera Contributor

Hi @Sandeep Kumar6 

 

Do you have any documentation on OAuth 2.0 integration with ServiceNow? We already have an OAuth 2.0 credential in ServiceNow. We need to know what additional configuration we need to do on the ServiceNow side.

 

Regards,

Aquib

Version history
Last update:
‎05-14-2019 02:02 AM
Updated by: