Benoit Crestey
ServiceNow Employee

Introduction

 

This article explains how to create a custom connector for the "External Credential Storage" plugin.

If the vault is not supported by ServiceNow, then it is possible to develop a custom connector.

 

For more generic information on the plugin :

 

Principle

 

  • The connector is a Java JAR file that is deployed in ServiceNow
  • The connector is deployed on each MID, and a specific "resolve" function is called when the MID requests the credentials
  • The "resolve" function takes parameters as input and returns the credentials


Technical requirements of the Java Class to develop :

 

It is necessary to create a JAR file containing a specific Java class:

  • public class com.snc.discovery.CredentialResolver
    • Containing a Java function resolve(Map args)

 

 

  • For other types of credentials, please refer to the credential table. Most of the time the field names are the same as in ServiceNow.
    • Examples
      • api_key : api_key
      • azure : tenant_id, client_id, secret_key
      • basic_auth : user, pswd
      • snmpv3 : authprotocol, authkey, privprotocol, privkey, contextname

 

Structure of the classes

 

Here is an example implementation:

  • CredentialResolver.java
    • Contains the resolve() function that will be called by ServiceNow
    • Can also implement a cache, depending on the implementation
    • Can implement code that reads configuration parameters
      • Configuration parameters (like the vault API URL) are usually configured in the MID Server config.xml file, but it is also possible to deploy them in a specific configuration file
  • CustomResolver.java
    • I prefer to create a custom class for the vault, to keep CredentialResolver.java standard
  • CustomResolverTest.java
    • I like to create a specific class to trigger tests. Most of the time I won't package it in the final JAR file
  • Vault API libraries
    • Depending on the vault, it is easiest to use the provided Java APIs
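
The resolve() contract and class layout described above, sketched as an added example (not ServiceNow's sample file and not the author's code): it validates the requested id and type, fetches the vault entry, and returns only the fields that credential type requires. fetchFromVault, its sample entry, the id pattern and the use of exceptions to signal failure are assumptions for illustration; Java 9+ is assumed for Map.of.

```java
package com.snc.discovery;

import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class CredentialResolver {

	// Fields each type must return; only the types listed in this article are mapped.
	private static final Map<String, List<String>> REQUIRED = Map.of(
		"api_key", List.of("api_key"),
		"azure", List.of("tenant_id", "client_id", "secret_key"),
		"basic_auth", List.of("user", "pswd"),
		"snmpv3", List.of("authprotocol", "authkey", "privprotocol", "privkey", "contextname"));

	// Hypothetical stand-in for the vault client (the CustomResolver.java role).
	// The entry is constructed sample data; replace the body with the real vault API call.
	static Map<String, String> fetchFromVault(String id) {
		Map<String, Map<String, String>> vault = Map.of(
			"myVaultID", Map.of("user", "svc_discovery", "pswd", "constructed-sample-value"));
		return vault.get(id);
	}

	public Map<String, String> resolve(Map<String, String> args) {
		String id = args.get("id");
		String type = args.get("type");
		// Assumed id format: reject anything that could alter the vault request path or query.
		if (id == null || !id.matches("[A-Za-z0-9._-]{1,128}")) {
			throw new IllegalArgumentException("Invalid credential id");
		}
		List<String> required = (type == null) ? null : REQUIRED.get(type);
		if (required == null) {
			throw new IllegalArgumentException("Unsupported credential type");
		}
		Map<String, String> secret = fetchFromVault(id);
		if (secret == null) {
			throw new IllegalStateException("No vault entry for id " + id);
		}
		Map<String, String> result = new HashMap<>();
		for (String field : required) {
			String value = secret.get(field);
			if (value == null || value.isEmpty()) {
				// Name the missing field in the error, never a secret value.
				throw new IllegalStateException("Vault entry " + id + " lacks field " + field);
			}
			result.put(field, value);
		}
		return result; // only the fields this type needs, nothing else from the entry
	}
}
```

Called with type "basic_auth" and id "myVaultID", resolve() returns the user and pswd entries; an unknown id or an unmapped type fails closed with an exception. Further credential types are added to REQUIRED from the credential table.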

 

Logging tips

 

If you want to write logs to agent0.log.0 instead of wrapper.log.0, I advise you to create a logger class and use the MID logging capabilities.

 

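import com.snc.core_automation_common.logging.Logger;
import com.snc.core_automation_common.logging.LoggerFactory;

// The two members below go inside the CredentialResolver class.

/** MID Server logger: messages are written to agent0.log.0 instead of wrapper.log.0. */
private static final Logger fLogger = LoggerFactory.getLogger(CredentialResolver.class);

/** Writes an informational message to the MID agent log. */
// Log identifiers and outcomes only; never pass credential values to the logger.
public void logInfo(String message) {
	fLogger.info(message);
}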

 

Creation of the custom connector

 

Note: This is only an example; of course you can use any procedure or tools.

Note 2: To test directly without deploying in ServiceNow each time, it can be useful to have access to the vault from the developer's computer, or to develop directly on the VM that hosts the MID.

 

Steps :

  • Step 1 : Create a new Java project
  • Step 2 : Import external libraries and base Java class
  • Step 3 : Develop and Test
  • Step 4 : Deploy in ServiceNow

 

Step 1 : Create a new Java project

 

  • You can use the Eclipse IDE, which is free
    • New Java Project
  • For the compiler version, it is best to align with the MID Server JRE version

 

Step 2 : Import external libraries and base java class

 

  • Take the "\lib" folder of a MID Server and import it as external libraries into your project
    • If you are working without a MID Server, you will need to get the files from a deployed MID
    • If you have a MID Server deployed, there is no need to copy the files; you can reference the folder directly
  • Import the sample CredentialResolver.java file from ServiceNow into the src (source) folder

 

Step 3 : Develop and Test

 

  • It is possible to test with or without ServiceNow
    • To test with ServiceNow, export the JAR and refer to the dedicated article
    • If you are able to reach the vault API from your computer, it is easier to test directly from your Java IDE
      • It is possible to reuse the following custom code to trigger the call

 

Example of a function that I developed to simulate a call:

package com.snc.discovery_test;

import java.util.HashMap;
import java.util.Map;
import com.snc.discovery.CredentialResolver;

public class CredentialResolverTest {

	public static void main(String args[]) {
		System.out.println("testing the custom vault");
		
		Map<String, String> args2 = new HashMap<String, String>();
		args2.put("type", "windows");
		args2.put("id", "myVaultID");
		args2.put("ip", "10.0.0.18");
		
		CredentialResolver helper = new CredentialResolver();
		
		try {
			helper.resolve(args2);
		} catch (Exception e) {
			System.out.println("It failed...");
			e.printStackTrace();
		}	
	}
}

 

More advanced example that sets MID parameters:

package com.snc.discovery_test;

import java.util.HashMap;
import java.util.Map;
import com.service_now.mid.services.Config;
import com.snc.discovery.CredentialResolver;

public class CredentialResolverTest {

	public static void main(String args[]) {
		System.out.println("testing connector");
		
		Config.get().setProperty("mid.property.credential_resolver.azure_vault_token_mode", "service_principal");
		Config.get().setProperty("mid.property.credential_resolver.azure_vault_mapping_mode", "dynamic");
		
		Map<String, String> args2 = new HashMap<String, String>();
		args2.put("type", "azure");
		args2.put("id", "azkv.myServicePrincipal");
		
		CredentialResolver helper = new CredentialResolver();
		
		try {
			helper.resolve(args2);
		} catch (Exception e) {
			System.out.println("custom connector failed");
			e.printStackTrace();
		}
	}	
}

 

Step 4 : Deploy and test in ServiceNow

 

  • In Eclipse, you can use the export option to generate the JAR file
  • To deploy and test in ServiceNow, please refer to my dedicated article

 

Version history
Last update: 02-07-2024 06:50 AM