CyberArk Integration with ServiceNow for external credential storage

avinashrvn · ‎05-23-2017

Hi All, As part of discovery and Service Mapping effort we are trying to integrate CyberArk with ServiceNow for external credential storage. Gone through the documentation available at https://docs.servicenow.com/bundle/istanbul-it-operations-management/page/product/discovery/concept/..., But looking for a detailed process from CyberArk configuration perspective with a detailed process/best practices followed if any.

Also, Is there a necessity to create a credential resolver Jar(https://docs.servicenow.com/bundle/istanbul-it-operations-management/page/product/discovery/task/t_C...) for MID server to resolve the Credential ID obtained from the instance to match the objects from vault or will it come bundled with CyberArk AIM API.

Dave Ainsworth · ‎05-24-2017

Hi Avinash,

You don't need to create a Jar, just upload the JavaPasswordSDK.jar file to the MID jar files which you will find in the ApplicationPasswordSdk folder on the MID server (after you have installed the AIM agent). The MID server will pick this up and use this to make calls to CyberArk.

The documentation should be sufficient for configuration on the ServiceNow side and your CyberArk admin will usually configure CyberArk itself.

I would consider some level of caching in the AIM agent (memory or persistent) which will help reduce the number of calls to the CyberArk vault and therefore improve performance. The nature of discovery means that there will be quite a lot of requests for credentials. The CyberArk admin will probably have configured this already.

Also, when creating domain credentials within CyberArk, enter the domain into the 'Login to' field and the user into the 'user' field. The MID server will then use the credentials correctly when authenticating.

Regards,

Dave

View solution in original post

Dave Ainsworth · ‎05-24-2017

Hi Avinash,

You don't need to create a Jar, just upload the JavaPasswordSDK.jar file to the MID jar files which you will find in the ApplicationPasswordSdk folder on the MID server (after you have installed the AIM agent). The MID server will pick this up and use this to make calls to CyberArk.

The documentation should be sufficient for configuration on the ServiceNow side and your CyberArk admin will usually configure CyberArk itself.

I would consider some level of caching in the AIM agent (memory or persistent) which will help reduce the number of calls to the CyberArk vault and therefore improve performance. The nature of discovery means that there will be quite a lot of requests for credentials. The CyberArk admin will probably have configured this already.

Also, when creating domain credentials within CyberArk, enter the domain into the 'Login to' field and the user into the 'user' field. The MID server will then use the credentials correctly when authenticating.

Regards,

Dave

avinashrvn · ‎05-24-2017

Thanks Dave.

avinashrvn · ‎05-24-2017

I see CyberArk integration support only these credential types:

CIM
JMS
SNMP Community
SSH
SSH Private Key (with key only)
VMware
Windows

Is there a work around to support SNMPv3 type for network devices like switches and F5 BIG-IP. Thanks!

Dave Ainsworth · ‎05-24-2017

Unless it has changed recently, CyberArk can only store one password type field in a credential record but SNMP v3 requires 2 password type fields. CyberArk have something which will "chain" two records together to allow them to store SNMP v3 credentials but the CyberArk integration in ServiceNow does not support retrieving these at this time therefore these need to be stored directly in the instance.

With SNMP though, the credential can usually be configured to only have read access on the target devices and ACLs can be used to increase security further so perhaps there are fewer benefits to storing in CyberArk.

SNMP credentials are also required for each IP address when the MID server does shazzam so the extra calls required to the CyberArk agent could have a performance impact.