on 08-26-2020 12:11 PM
Today there is a limitation with the OOTB CyberArk integration for ITOM products when CyberArk is set up to use hostnames rather than IP addresses and holds more than one credential for all devices. ServiceNow only passes over the credential ID and checks for a match; if more than one credential matches, it falls back to the IP address, and if there is no match on credential ID at all it also looks up by IP address. There is no OOTB setting that switches this lookup to the hostname. During Discovery we do not get the hostname of a device until we are past the classify phase (meaning we can already log in). So how do we overcome this limitation?
First, the long-term solution would be to build a new custom credential storage jar file that handles the hostname/DNS lookup via the IP address. This jar file would handle the calls to CyberArk.
If you are not able to create a custom jar file, you can use the solution below to work around the system. Again, this solution should only be used short term.
This temporary workaround pre-populates the "dscy_credentials_affinity" table with the credential sys_id and IP address of each device. It will need to be maintained as devices are added and removed.
First, have the team who controls the CyberArk credentials export the following information into a spreadsheet:
1. Target system address (hostname)
2. IP address (if they have it; if not, someone will need to update the spreadsheet with the devices' IPs)
3. Credential ID
Take this data and update the spreadsheet with the columns below (see the attached example spreadsheet).
1. Target system address (hostname)
2. IP address (if they have it; if not, someone will need to update the spreadsheet with the devices' IPs)
3. ServiceNow Credential Name (Credential ID)
4. Type (credential type)
What is packaged in the solution under update set DISCO-cyberark workaround:
1. New Data Source = "cyberark_creds_imp"
2. Transform Map = "cyberark Cred Tmap"
The map's target table is "discovery_credentials".
The 4 field maps are as follows:
Source = u_target_system_address | Target field = name | Coalesce = true
Source = u_servicenow_credential_name | Target field = credential_id | Coalesce = true
Source = script (return source.u_type.toString().trim();) | Target field = type | Coalesce = false
Source = script (return "true";) | Target field = use_high_security (External Credential Store) | Coalesce = false
1 Transform Script, onComplete. (** Please read the notes below for MID server selection **)
(function runTransformScript(source, map, log, target /*undefined onStart*/ ) {
    /*
     * Import the CyberArk export of Credential ID + target IP into the
     * Discovery IP Affinity table (dscy_credentials_affinity).
     * The script loops through all Discovery MID servers and creates one
     * affinity record per credential per MID server.
     */
    // Loop through the import set rows that belong to this import run
    var imp = new GlideRecord('u_cyber_ark_cred_imp');
    imp.addEncodedQuery('sys_import_set=' + source.sys_import_set);
    imp.query();
    while (imp.next()) {
        //gs.info('PD CyberArk Cred aff update = ' + imp.u_target_system_address);
        // Get the credential record the field maps created/updated (coalesced on name)
        var cred = new GlideRecord('discovery_credentials');
        cred.addQuery('name', imp.u_target_system_address.toString().trim());
        cred.query();
        if (cred.next()) {
            // Look through the MID server / application m2m mapping to find the Discovery
            // MID servers. If you do not have a MID server with the Discovery application,
            // you will need to modify the lookup below to meet your needs. If only some MID
            // servers can reach a target, add a comma-separated MID server column to the
            // spreadsheet and change the logic below to parse it out.
            var midApp = new GlideRecord('ecc_agent_application_m2m');
            midApp.addEncodedQuery('application=4dd99657d7002200bdbaee5b5e61032c');
            midApp.query();
            while (midApp.next()) {
                // Only insert an affinity record if one does not already exist
                var credAff = new GlideRecord('dscy_credentials_affinity');
                credAff.addQuery('agent', midApp.agent.sys_id + '');
                credAff.addQuery('credential_id', cred.sys_id + '');
                credAff.addQuery('ip_address', imp.u_ipaddress.toString().trim());
                credAff.query();
                if (!credAff.next()) {
                    // No match, so create the affinity record
                    credAff.agent = midApp.agent.sys_id + '';
                    credAff.credential_id = cred.sys_id + '';
                    credAff.ip_address = imp.u_ipaddress.toString().trim();
                    credAff.type = cred.type;
                    credAff.insert();
                }
            }
        }
    }
})(source, map, log, target);
After your import, you should see a new credential record and IP affinity records filled out with one record per credential per MID server. Ex: If I have 10 MID servers for Discovery, I should see 10 IP affinity records for the same credential.
Please keep in mind this solution is a temporary workaround. Use it only if you are not able to create a custom jar file to do the DNS lookup.
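Because the transform coalesces on the hostname and the affinity record needs a usable IP, it is worth validating the spreadsheet before loading it. The script below is an added example, not part of the original post or the update set: it takes the CyberArk export (assumed keys hostname, ip, credential_id), reports rows that would be merged or fail, and writes the CSV with the import set columns used by the field maps and transform script (u_target_system_address, u_ipaddress, u_servicenow_credential_name, u_type). The sample rows and the "ssh_password" type are constructed.

```python
"""Validate a CyberArk export and build rows for the "cyberark_creds_imp" import set."""
import csv
import io
import ipaddress

# Column names match the transform map's source fields and the onComplete script.
IMPORT_COLUMNS = ["u_target_system_address", "u_ipaddress",
                  "u_servicenow_credential_name", "u_type"]

def build_import_rows(export_rows, cred_type):
    """Return (import_rows, problems). export_rows are dicts keyed 'hostname', 'ip',
    'credential_id' (assumed export layout). A row is reported instead of imported when
    hostname/credential ID is missing, the IP is missing or invalid (the affinity record
    needs it), or the hostname repeats (the map coalesces on name, so it would be merged)."""
    import_rows, problems, seen = [], [], set()
    for row in export_rows:
        host = row.get("hostname", "").strip()
        ip = row.get("ip", "").strip()
        cred = row.get("credential_id", "").strip()
        if not host or not cred:
            problems.append("%s: missing hostname or credential ID" % (host or "?"))
            continue
        if host.lower() in seen:
            problems.append("%s: duplicate hostname, coalesce would merge it" % host)
            continue
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append("%s: missing or invalid IP address %r" % (host, ip))
            continue
        seen.add(host.lower())
        import_rows.append({"u_target_system_address": host, "u_ipaddress": ip,
                            "u_servicenow_credential_name": cred, "u_type": cred_type})
    return import_rows, problems

def to_csv(import_rows):
    """Serialise the rows as the CSV file the data source will load."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=IMPORT_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(import_rows)
    return buf.getvalue()

# Constructed sample export (not real CyberArk data); "ssh_password" is an assumed cred type.
SAMPLE_EXPORT = [
    {"hostname": "web01.example.com", "ip": "10.0.0.5", "credential_id": "SN-LinuxWeb"},
    {"hostname": "db01.example.com", "ip": "", "credential_id": "SN-LinuxDB"},
    {"hostname": "WEB01.example.com", "ip": "10.0.0.5", "credential_id": "SN-LinuxWeb2"},
]
if __name__ == "__main__":
    print(to_csv(build_import_rows(SAMPLE_EXPORT, "ssh_password")[0]))
```

Fix the reported rows in the spreadsheet and rerun until the problem list is empty; only the clean CSV should go through the data source.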