Introduction
This article explains how to deploy and test a connector for "External Credential Storage" plugin.
For more generic information on the plugin:
- Official Documentation : https://docs.servicenow.com/csh?topicname=c_ExternalCredentialStorage.html&version=latest
- I created a more generic article on the vaults topic : https://www.servicenow.com/community/itom-articles/password-vaults-implementation/ta-p/2424263
- I created also an article to explain how to develop a custom connector : https://www.servicenow.com/community/itom-articles/how-to-develop-a-custom-external-storage-connecto...
Principle
- The connector is a Java JAR file, that will be deployed in ServiceNow
- By default, the JAR file will be deployed on every MID
- If it is necessary to deploy different versions to different MIDs, see the dedicated chapter below
How to deploy connector
- Check if plugin "External Credential Storage” is activated
- Get the JAR file
- Can be custom, provided by ServiceNow, an other company, or a partner
- Deploy the JAR file in the platform
- MID Server > JAR Files
- Create a new record
- Name and version are for the record, it doesn't have technical effects
- Add the JAR file as attachment
- To update a version, remove the old one before
- Configure the config.xml parameters on MID Server if necessary
- Parameters will be different depending on the connector
- Wallix example
<parameter name="ext.cred.bastion_host">abc.def.g.com</parameter> <parameter name="ext.cred.bastion_user">wallix-user</parameter> <parameter name="ext.cred.bastion_password">encrypted:xyz123</parameter> <parameter name="ext.cred.bastion_timeout">0</parameter>- Note : Some vaults like Wallix requires to encrypt the password for connection (using commands like "java.exe -jar lib\wallix.jar --encrypt")
- Configure the vault and create some account in the vault record if necessary
- Create the credential record in ServiceNow
- Note : If the connector is custom or not know, it might be necessary to create a new record in table "vault_configuration"
- Test
- See chapter below
How to check if JAR was downloaded by the MID
- By default, updating the JAR files should trigger the MID, ask them to download and restart the service
- If not after
- You can check what was downloaded in the folder "\extlib\" (ex : C:\agent\extlib)
- If nothing after few minutes, MID service restart could help
- It is possible to check on the MID Server in agent0.log.0 (ex : C:\agent\logs\agent0.log.0)
Test Credential from ServiceNow and logs
- To test, the easiest is to trigger a connection test from the associated credential
- For logs, you should be able to see it on the MID Server
- It should be agent0.log.0 (ex : C:\agent\logs\agent0.log.0)
- It happens some connectors log in wrapper.log, depending on the code
- If not sufficient, you can set in the platform the MID Server Parameter "mid.log.level" to "DEBUG"
Example of logs :
How to deploy different JAR versions on different MID Servers:
It might be necessary to have multiple versions. I had the issue with a customer having multiple versions of CyberArk at the same time.
Note : This procedure is not supported by ServiceNow
This procedure explains how to deploy JAR v1 and JAR v2
- JAR v1 will be deployed on every MID
- JAR v2 will be deployed manually on one or more specific MID
Procedure :
- Step 1 : Deploy a main JAR v1 in the platform has described in this article
- Step 1 : on the MID Server, create a directory customlib in the MID folder
- Path should look like : D:\mid_server_dev\agent\customlib
- Step 2 : Copy the custom JAR v2 in the directory
- Step 3 : Modify the file conf\wrapper-override.conf to load the custom lib before the main one and before standard libs :
wrapper.java.classpath.1=customlib/*.jar wrapper.java.classpath.2=lib/*.jar wrapper.java.classpath.3=extlib/*.jar
- Step 4 : Restart the MID
