How to fetch credentials and use them in separate API Call

frank121
Kilo Sage

‎04-21-2023 06:35 AM

Hi all, my company is starting to store Basic Auth credentials externally in CyberArk. I have to use a separate API call to grab those credentials from CyberArk to then use them in another API call. My Question is when I do get those credentials from CyberArk, how to I use them in my other API call? I cannot set up a Basic Auth cred in ServiceNow because username and password have to be defined when you save the record and I wont have the credential till i make the CyberArk call. There is a plugin I have be reading about where you can externally get creds from the CyberArk vault via mid server JAR file but I want to see if there are any other ways before I go that route. I am using flow designer and a connection alias for both CyberArk Call and my separate API call. Im wondering if i have to go the RESTMESSAGEV2 route in order to accomplish this.

 

My Solution: I have figured out a way to get this done using flow designer but not really sure if its the correct way.

  • I am first creating a Basic Auth cred called CyberArk Credential, I am leaving User name and Password empty for now. 
  • I am creating a flow action that calls CyberArk to get Creds, parse through the response to get username and password then using that same flow action to find the CyberArk Basic Auth credential record and overwrite the user name and password with what I parsed out. (you have to script the password when updating because ServiceNow wont let you drag a data pill to overwrite password).
  • After the job runs you will see the user name and password change, you then take CyberArk credential Basic Authentication record and use them in the other API call you have.

So far this has worked 100% for me but it does not feel right overwriting the password. Im going to keep this solution till I see something better. ServiceNow told me I would have to go away from flow designer and do something with double headers. Im not too sure but the support has not been real good on that end since its outside of scope of ServiceNow support.

 

Let me know. Thanks.

0 Helpfuls
  • 1,657 Views
2 REPLIES 2

VaranAwesomenow
Mega Sage

‎04-23-2023 11:19 PM

@frank121 thanks for posting this, are you using external credential storage method by creating CredentialResolver  java and other setup to fetch credentials from CyberArk ?

If so, am doing something similar, am still doing the design though.

You can pass user name and password as headers in REST API call instead of using basic auth credential, it would look something like this.

VaranAwesomenow_0-1682317092909.png

In order to generate the encoded string below function cane be used.

var text = "<username>:<password>";

var base64string = GlideStringUtil.base64Encode(text);
gs.info(base64string);
Checkout Varan awesomenow youtube channel for more learning videos!

frank121
Kilo Sage
In response to VaranAwesomenow

‎04-24-2023 05:57 AM

This is def helpful. I am not using any type of external credential storage method BUT I will probably be using External Credential Storage plugin. I am not exactly sure how it works but with the plugin installed when you set up a basic auth record you will see a checkbox for external storage and from there you can configure a JAR file on the midserver to go a fetch credentials from CyberArk's vault. Im still looking into that method.

0 Helpfuls