
Issue configuring new CyberArk CCP Integration

Chris-STL
Mega Guru

Has anyone had any luck configuring the new CyberArk CCP Integration in Zurich? We have set up the config file and it is making calls to CyberArk, but it cannot find the credential using the same Credential ID as it used for the AIM Client. I believe it may be adding a platform filter to the query, but it's not using a value that will ever match what we have in CyberArk. The debug logs are not clear on what it's doing.

Additionally, if anyone has been able to set up the secure config file using CyberArk CCP instead of the AIM Client, I would appreciate your steps there.

 

Example of the logs/error:

Calling CredentialResolver for Credential(PRD-DISCOVERY-SERVICENOW:OS-WIN-CORP-REQUESTIT) to resolve PRD-DISCOVERY-SERVICENOW:OS-WIN-CORP-REQUESTIT/windows/10.116.77.38 with Vault provider: CyberArk CCP lookup key: credential_id Resolution type: com.snc.mid.external.credential.resolver.cyberark.ccp.CyberArkCCPCredentialResolver

Resolving credential using FQCN (com.snc.mid.external.credential.resolver.cyberark.ccp.CyberArkCCPCredentialResolver) with configuration map ({ext.cred.ccp_endpoint=******/AIMWebService/api/Accounts, ext.cred.safe_folder=root, ext.cred.type_specifier=false, ext.cred.use_cyberark=true, ext.cred.app_id=APP_PRD-DISCOVERY-SERVICENOW})

Problem with client's CredentialResolver: Problem resolving the Credential(null): after 15 ms :
com.service_now.mid.services.CredentialResolverProxyException: Problem with client's CredentialResolver:


stevemac
Tera Guru

I have not looked at the new OOTB CCP integration method yet (we use a custom one). Some thoughts:

  • Is the firewall blocking traffic to the CCP endpoint (it needs port 443 open, not 1858 as used by CP)?
  • Is the certificate installed?
  • Has the Application ID been updated in CyberArk with the certificate details and with the Provider IDs (for the server(s) providing the CCP REST service)?
  • Do you get any more detail if you enable MID Server debug logging?


Rishav Sanson1
Tera Contributor

I recommend utilizing the two approaches below:

  • Check if your CyberArk account has the Platform ID and Safe exactly matching what the MID Server expects. In many cases, adding a specific prefix or suffix to the Credential ID in ServiceNow (like ::PlatformName) helps if the resolver is hardcoded to look for a specific schema.
  • Lookup Key Recommendation: If you are doing Discovery, change the Lookup key to "All of the above". This allows the MID Server to try finding the credential by IP or FQDN if the static Credential ID lookup fails.

With CCP:

  • AppID is mandatory and represents the MID Server's identity in CyberArk.
  • Credential ID is only a logical container in ServiceNow.
  • Actual credential resolution happens dynamically at runtime using the lookup key.

Best practice configuration:

  1. Enable External credential store
  2. Set Credential storage vault = CyberArk CCP
  3. Use Lookup key = "IP address" or "All of the Above" to bypass the Credential ID failure

Ensure the MID Server is configured to use CyberArk CCP (not AIM) by enabling the external credential framework and providing the CCP endpoint and AppID in the config.xml file. Once this is in place, ServiceNow resolves credentials dynamically using the lookup key (typically IP address or FQDN), not the Credential ID.

Additional best practice:

  • <parameter name="ext.cred.verify_ssl" value="true"/>

Important note: During Discovery (including IP ranges), ServiceNow:

  • Discovers each IP
  • Sends the IP as the Address to CCP
  • CyberArk returns the credential only if the AppID has access and the Address/Platform match

This is why AIM-style behavior (Credential ID-only lookup) does not work with CCP.

Hope that helps!
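
As an added illustration (not code from this thread, from ServiceNow's resolver, or from CyberArk), the Python below shows how the two lookup modes discussed in the reply above, credential ID and IP address, become CyberArk CCP query parameters (Object versus Address) against the /AIMWebService/api/Accounts endpoint, and how a platform filter (PolicyID) that never matches the vault account, which is what the original question suspected, turns a hit into a not-found reply. The AppID/Safe/Folder/Object/Address/PolicyID parameter names and the ErrorCode/ErrorMessage reply shape are CyberArk's public CCP REST interface; the host name, the sample account, the in-memory vault standing in for the HTTPS call and the error codes it returns are constructed for this example, and how the MID Server actually builds its query is not shown on this page and is an assumption here.

```python
import json
import ssl
import urllib.parse
import urllib.request

# Assumed CCP host; the path is the one that appears in the MID Server log above.
CCP_ENDPOINT = "https://ccp.example.internal/AIMWebService/api/Accounts"

# Constructed stand-in for the vault contents CCP searches. Real CCP is a
# client-certificate-authenticated HTTPS service; nothing here talks to one.
FAKE_VAULT = [
    {"Safe": "PRD-DISCOVERY-SERVICENOW", "Folder": "Root",
     "Name": "OS-WIN-CORP-REQUESTIT", "Address": "10.116.77.38",
     "UserName": "svc_discovery", "PolicyID": "WinDomain", "Content": "s3cret"},
]
ALLOWED_APP_IDS = {"APP_PRD-DISCOVERY-SERVICENOW"}  # AppIDs granted on the safe


def build_ccp_url(endpoint, app_id, safe, lookup_key, credential_id=None,
                  address=None, folder="Root", policy_id=None):
    """Map a ServiceNow-style lookup to CCP query parameters (assumed mapping).

    credential_id -> Object  (AIM-style: match the vault object name)
    ip_address    -> Address (what Discovery has for each discovered host)
    policy_id, if given, adds a platform filter; a value that never matches
    the account's PolicyID makes every lookup miss.
    """
    params = {"AppID": app_id, "Safe": safe, "Folder": folder}
    if lookup_key == "credential_id":
        if not credential_id:
            raise ValueError("credential_id lookup needs a credential ID")
        params["Object"] = credential_id
    elif lookup_key == "ip_address":
        if not address:
            raise ValueError("ip_address lookup needs the target address")
        params["Address"] = address
    else:
        raise ValueError(f"unsupported lookup key {lookup_key!r}")
    if policy_id:
        params["PolicyID"] = policy_id
    return endpoint + "?" + urllib.parse.urlencode(params)


def fake_ccp(url):
    """Offline stand-in for GET <url>: enforce the AppID allow-list, then require
    every supplied filter to match exactly one account. The error codes are
    made up for this example; only the ErrorCode/ErrorMessage shape mirrors CCP."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    q = {k: v[0] for k, v in query.items()}
    if q.get("AppID") not in ALLOWED_APP_IDS:
        return json.dumps({"ErrorCode": "EXAMPLE-AUTH",
                           "ErrorMessage": "AppID not permitted on this safe"})
    param_to_field = {"Safe": "Safe", "Folder": "Folder", "Object": "Name",
                      "Address": "Address", "PolicyID": "PolicyID"}
    hits = [acct for acct in FAKE_VAULT
            if all(acct[field] == q[param]
                   for param, field in param_to_field.items() if param in q)]
    if len(hits) != 1:
        return json.dumps({"ErrorCode": "EXAMPLE-NOTFOUND",
                           "ErrorMessage": f"{len(hits)} objects matched the query"})
    return json.dumps(hits[0])


def resolve(response_text):
    """Turn a CCP reply into (username, password) or raise with CCP's message,
    so a miss surfaces as a readable error instead of a bare Credential(null)."""
    body = json.loads(response_text)
    if "ErrorCode" in body:
        raise LookupError(f"{body['ErrorCode']}: {body['ErrorMessage']}")
    return body["UserName"], body["Content"]


def tls_context(ca_bundle, client_cert, client_key, verify_ssl=True):
    """Context for a live call: CCP identifies the AppID by client certificate.
    verify_ssl=False is the weak setting (no server verification); keep it True,
    as the ext.cred.verify_ssl advice above says. Not exercised offline."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.load_cert_chain(client_cert, client_key)
    if not verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch_live(url, ctx):
    """Live GET against CCP (not exercised here)."""
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    common = (CCP_ENDPOINT, "APP_PRD-DISCOVERY-SERVICENOW", "PRD-DISCOVERY-SERVICENOW")
    attempts = [
        ("by credential ID", build_ccp_url(*common, "credential_id",
                                           credential_id="OS-WIN-CORP-REQUESTIT")),
        ("by IP address", build_ccp_url(*common, "ip_address", address="10.116.77.38")),
        ("wrong platform filter", build_ccp_url(*common, "credential_id",
                                                credential_id="OS-WIN-CORP-REQUESTIT",
                                                policy_id="WindowsServerLocal")),
    ]
    for label, url in attempts:
        try:
            print(label, "->", resolve(fake_ccp(url))[0])
        except LookupError as err:
            print(label, "->", err)
```

The last attempt is the failure mode from the original question: the same Object name that resolves on its own misses once a non-matching PolicyID is attached, and the only evidence is CCP's error reply, so logging that reply body (never the Content field) on the MID Server side is what tells the two cases apart.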

Frederico Lacer
Tera Contributor

Can I ask, what do your config parameters look like? Or rather, what parameters are you using?

Chris-STL
Mega Guru

Hey all, thanks for the replies. We backed away from implementing the CCP integration at this point because ServiceNow does not support CCP for the encrypted config.xml file on the MID Server, so unfortunately I never got back to trying to get a credential to work.

If I try again in the future, I will return and update with a solution or additional questions.

Thanks @stevemac, @Rishav Sanson1 and @Frederico Lacer