The CredentialResolver JAR file resolves the credential identifiers sent by the MID Server into the actual credentials held in the external repository. The CredentialResolver class is responsible for communicating with the external credential store (CyberArk in this case), and its resolve method is expected to return a map of credentials.
The keys of the map returned by resolve must match the column names of the discovery_credential table. For GCP, resolve is therefore expected to return a map with two keys: email and secret_key.
To use CyberArk with GCP:
Procedure
1. Configure the CyberArk vault with the application ID and authentication details that all MID Servers requesting credentials will use. Ensure newline characters ("\n") are removed from the secret_key before adding it to CyberArk.
a. Ensure that CyberArk is configured to allow the MID Server to access the vault by creating an App-ID in CyberArk called ServiceNow_MID_Server.
b. Make sure that every credential the MID Server needs is granted access to the ServiceNow_MID_Server App-ID.
2. Install the CyberArk Credential Provider, including the AIM API, on each machine that hosts a MID Server service used to access the credential store.
3. Create the CredentialResolver.jar file from the template code below.
4. Find the JavaPasswordSDK.jar file. It ships with the AIM SDK installation files and is typically located on the MID Server in the AIM installation directory at <install_dir>/CyberArk/ApplicationPasswordSdk.
5. Import CredentialResolver.jar and JavaPasswordSDK.jar into the instance (MID Server > JAR Files).
6. Create a GCP discovery schedule with the external credential store selected for credentials.
Use this sample Java file as a template:
package com.snc.discovery;

import java.util.HashMap;
import java.util.Map;

import javapasswordsdk.*;
import javapasswordsdk.exceptions.*;

/**
 * Basic implementation of a CredentialResolver that fetches credentials
 * from a CyberArk vault through the AIM Java Password SDK.
 */
public class CredentialResolver {

    // These are the permissible names of arguments passed INTO the resolve()
    // method.

    // the string identifier as configured on the ServiceNow instance...
    public static final String ARG_ID = "id";

    // a dotted-form string IPv4 address (like "10.22.231.12") of the target
    // system...
    public static final String ARG_IP = "ip";

    // the string type (ssh, snmp, etc.) of credential as configured on the
    // instance...
    public static final String ARG_TYPE = "type";

    // the string MID server making the request, as configured on the
    // instance...
    public static final String ARG_MID = "mid";

    // Credential type and the discovery_credential column names returned for GCP
    public static final String GCP_TYPE = "gcp";
    public static final String GCP_EMAIL = "email";
    public static final String GCP_SECRET_KEY = "secret_key";

    // Configurations for CyberArk

    private String fSafeFolder = ""; // * REQUIRED - Folder Name in CyberArk
    private String fSafeName = ""; // Safe Name in CyberArk
    private String fPolicyId = ""; // Policy Id in CyberArk (optional)
    private String fAppID = "ServiceNow_MID_Server"; // The App-ID used when connecting to CyberArk
    private String fRequestTimeOut = "5"; // Timeout for the request, in seconds

    public CredentialResolver() {
    }

    /**
     * Resolve a credential. The returned map uses the discovery_credential
     * column names as keys; for GCP these are "email" and "secret_key".
     */
    public Map resolve(Map args) {
        String credId = (String) args.get(ARG_ID);
        String type = (String) args.get(ARG_TYPE);
        Map<String, String> result = new HashMap<>();

        PSDKPassword pass = passwordResolve(credId, fSafeName, fSafeFolder, fPolicyId);
        if (pass == null) {
            // Lookup failed (already logged in passwordResolve); return an
            // empty map instead of dereferencing null
            return result;
        }

        if (GCP_TYPE.equals(type)) {
            // The user name of the CyberArk object holds the service account
            // e-mail; its content holds the secret key
            result.put(GCP_EMAIL, pass.getUserName());
            result.put(GCP_SECRET_KEY, pass.getContent());
            return result;
        } // Other credential types can be chained here

        return result;
    }

    // Build the AIM object query; policyid is appended only when a policy ID is configured
    private String formatObjQuery(String credId, String safeName, String safeFolder, String policyId) {
        return "safe=" + safeName + ";folder=" + safeFolder + ";object=" + credId +
                ((policyId != null && !policyId.isEmpty()) ? ";policyid=" + policyId : "");
    }

    private PSDKPassword passwordResolve(String credId, String safeName, String safeFolder, String policyId) {
        PSDKPassword pass = null; // The password object we are looking for
        try {
            PSDKPasswordRequest passRequest = new PSDKPasswordRequest();
            passRequest.setAppID(fAppID);
            passRequest.setConnectionTimeout(fRequestTimeOut);
            passRequest.setQueryFormat(PasswordQueryFormat.EXACT);

            String query = formatObjQuery(credId, safeName, safeFolder, policyId);
            passRequest.setQuery(query);
            pass = PasswordSDK.getPassword(passRequest);
        } catch (PSDKException ex) {
            // The SDK message identifies the object and safe, not the secret
            ex.printStackTrace();
        }
        return pass;
    }

    /**
     * Return the API version supported by this class.
     */
    public String getVersion() {
        return "1.0";
    }

    // To test the credential resolver locally on the MID Server host
    public static void main(String[] args) {
        HashMap<String, String> input = new HashMap<>();
        input.put(ARG_ID, ""); // fill in the CyberArk object name to test
        input.put(ARG_TYPE, GCP_TYPE);
        CredentialResolver obj = new CredentialResolver();
        Map<String, String> result = obj.resolve(input);
        // Print only the key names: the map value for secret_key is the secret itself
        System.out.println("Result Map keys returned : " + result.keySet());
    }

}
Note: This sample is intended as a template only. Do NOT use this code in production without modifying it for your environment.
Note: GCP External Credential Support is available from Orlando Patch 8 and Paris Patch 2.
Configuration:
In the configuration section of the code, set the following fields:

| Parameter | Value | Description |
| --- | --- | --- |
| fSafeFolder | NameOfFolder | Folder to use for all credential lookups. For example, root. |
| fSafeName | NameOfSafe | Default safe name used for all credential lookups. |
| fPolicyId | PolicyId | The unique name/ID of the platform. |
| fAppID | ServiceNow_MID_Server | Specifies the App-ID used to grant permission to the MID Server to access the CyberArk vault. The default value, ServiceNow_MID_Server, must be defined in the CyberArk vault. You can use this parameter to override the default and specify your own App-ID. If you edit the App-ID in this parameter, make sure to configure CyberArk to match. |
| fRequestTimeOut | 5 (sec) | Timeout of each credential lookup in the vault, specified in seconds. |
Best Practices:
Instead of hard-coding the configuration in the CredentialResolver class, store it in a file or in environment variables on the MID Server and read it in the constructor of the class. This keeps confidential data out of the JAR file and provides a safer way of storing it.
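As an added example that is not part of the ServiceNow template or the CyberArk SDK, the class below follows both pieces of advice above: it reads the five CyberArk settings from environment variables (with an optional properties file as fallback) instead of hard-coding them, and it checks that the map handed back for a GCP credential carries exactly the discovery_credential keys email and secret_key. The environment variable names (CYBERARK_SAFE_FOLDER and so on), the property keys, the cyberark.config.file system property and the class name ResolverConfig are assumptions; everything else is standard Java.

```java
package com.snc.discovery;

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;

/**
 * Added example (not part of the ServiceNow template): loads the CyberArk
 * settings from the environment, falling back to an optional properties file,
 * and validates the map resolve() returns for a GCP credential.
 */
public final class ResolverConfig {

    // Assumed environment variable prefix, e.g. CYBERARK_SAFE_NAME
    static final String ENV_PREFIX = "CYBERARK_";
    // Assumed JVM system property naming an optional properties file
    static final String FILE_PROPERTY = "cyberark.config.file";
    // Keys resolve() must return for a GCP credential (discovery_credential columns)
    static final List<String> GCP_KEYS = Arrays.asList("email", "secret_key");

    public final String safeFolder;
    public final String safeName;
    public final String policyId;      // empty means no ;policyid= in the AIM query
    public final String appId;
    public final String requestTimeOut;

    private ResolverConfig(String safeFolder, String safeName, String policyId,
                           String appId, String requestTimeOut) {
        this.safeFolder = safeFolder;
        this.safeName = safeName;
        this.policyId = policyId;
        this.appId = appId;
        this.requestTimeOut = requestTimeOut;
    }

    /** Environment variables win over the file; safe folder and safe name are required. */
    public static ResolverConfig load() throws IOException {
        Properties file = new Properties();
        String path = System.getProperty(FILE_PROPERTY);
        if (path != null) {
            try (InputStream in = new FileInputStream(path)) {
                file.load(in);
            }
        }
        return new ResolverConfig(
                required(lookup("SAFE_FOLDER", "safe.folder", file), "SAFE_FOLDER"),
                required(lookup("SAFE_NAME", "safe.name", file), "SAFE_NAME"),
                lookup("POLICY_ID", "policy.id", file),
                orDefault(lookup("APP_ID", "app.id", file), "ServiceNow_MID_Server"),
                orDefault(lookup("REQUEST_TIMEOUT", "request.timeout", file), "5"));
    }

    private static String lookup(String envSuffix, String fileKey, Properties file) {
        String v = System.getenv(ENV_PREFIX + envSuffix);
        if (v == null || v.trim().isEmpty()) {
            v = file.getProperty(fileKey, "");
        }
        return v.trim();
    }

    private static String required(String value, String name) {
        if (value.isEmpty()) {
            // Name the missing setting only; never echo configuration values into logs
            throw new IllegalStateException("Missing CyberArk setting " + ENV_PREFIX + name);
        }
        return value;
    }

    private static String orDefault(String value, String fallback) {
        return value.isEmpty() ? fallback : value;
    }

    /**
     * Checks that a map returned by resolve() for type "gcp" carries exactly the
     * discovery_credential keys, each with a non-empty value. Messages name keys,
     * never values, so the secret key cannot end up in a log line.
     */
    public static void validateGcpResult(Map<String, String> result) {
        for (String key : GCP_KEYS) {
            String value = result.get(key);
            if (value == null || value.isEmpty()) {
                throw new IllegalStateException("resolve() returned no value for key " + key);
            }
        }
        for (String key : result.keySet()) {
            if (!GCP_KEYS.contains(key)) {
                throw new IllegalStateException("resolve() returned unexpected key " + key);
            }
        }
    }

    public static void main(String[] args) throws IOException {
        ResolverConfig cfg = load();
        System.out.println("Loaded CyberArk config for App-ID " + cfg.appId
                + ", safe " + cfg.safeName + "/" + cfg.safeFolder);

        // Constructed sample of what resolve() should hand back for GCP
        Map<String, String> sample = new HashMap<>();
        sample.put("email", "discovery@example-project.iam.gserviceaccount.com");
        sample.put("secret_key", "<constructed placeholder, not a real key>");
        validateGcpResult(sample);
        System.out.println("Sample GCP result has the expected keys " + sample.keySet());
    }
}
```

In the template, the CredentialResolver constructor would call ResolverConfig.load() and copy the fields into fSafeFolder, fSafeName, fPolicyId, fAppID and fRequestTimeOut, and the main() test method can pass the map resolve() returns to validateGcpResult before anything is printed. Compile both classes against JavaPasswordSDK.jar and package them together into CredentialResolver.jar as in step 3 of the procedure.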