IntegrationHub - Ansible Tower Spoke Setup

02-15-2021 08:21 PM
Hello,
This is a very long post; however, it is filled with a significant level of detail to aid in finding a solution.
We are in the process of setting up our ServiceNow Instance to connect to an On-Prem Ansible Tower Instance to aid us in automation within our environment through IntegrationHub. First things first, the documentation we found on the docs.service-now.com website and the ansible.com website are completely different,
and needless to say neither of them worked, and I'm not 100% sure why.
The Setup
Docs.servicenow.com - Register Ansible Tower as OAuth Provider
- Navigate to System OAuth > Application Registry.
- Open the record for Ansible.
- On the form, fill in the fields.
| Field | Value required |
| --- | --- |
| Name | Name to uniquely identify the record. For example, enter Ansible Tower OAuth profile. |
| Client ID | Client ID of the application in Ansible Tower. |
| Client Secret | Client Secret of the application in Ansible Tower. |
| OAuth API Script | Optional script to customize the request and response. |
| Logo URL | URL that contains an image to use as the application logo. |
| Default Grant type | Grant type used to establish the token. Select Authorization Code. |
| Refresh Token Lifespan | Time, in seconds, that the refresh token is valid. The default time is 8,640,0000 seconds. |
| PKCE required | Option to enable public clients to require PKCE for an authorization. Note: You can use only Authorization Code as the Default Grant type when PKCE is enabled. |
| Application | Application scope that contains this record. Select Ansible Tower Spoke. |
| Accessible from | Application scope that this registry is accessible from. |
| Active | Option to actively use the application registry. |
| Authorization URL | OAuth authorization code endpoint. For example, https://<Ansible-Tower-Instance>.com/api/o/authorize/. |
| Token URL | OAuth server token endpoint. For example, https://<Ansible-Tower-Instance>.com/api/o/token/. |
| Token Revocation URL | OAuth server token revocation endpoint. |
| Redirect URL | OAuth callback endpoint in this format, https://<instance-name>.service-now.com/api/sn_ansible_spoke/ansible_oauth_redirect. |
| Use mutual authentication | Option to use mutual authentication for token request and revocation. This option requires a mutual authentication profile to be specified. |

- Right-click the form header, and click Save.
- Paste the Redirect URL value into the Redirect URI for your custom Ansible Tower application. For example, paste https://<instance-name>.service-now.com/api/sn_ansible_spoke/ansible_oauth_redirect.
Docs.servicenow.com - Create Credential Record for Ansible Spoke
- Navigate to Connections & Credentials > Connection & Credential Aliases.
- Open the record for Ansible.
- From the Credentials tab, click New.
Problem Number 1, Credentials tab does not exist in the Ansible Record created by the spoke. It is hidden through a rule specifying that the type must be credential not connection and credential.
Ignoring this for the moment, I went to the related lists and added OAuth 2.0 Credentials, Click on New, populate the record and Click Submit.
Problem Number 2, you cannot create a credential associated to the credential alias developed by the tower spoke due to it not being a type of Credential.
To completely get around this, I went to IntegrationHub > Credentials, clicked New and selected OAuth 2.0 Credential.
It's set up as follows:
Docs.servicenow.com - Create Connection Record for Ansible Spoke
- Navigate to Connections & Credentials > Connection & Credential Aliases.
- Open the record for Ansible.
- From the Connections tab, click New.
- On the form, fill these values.
| Field | Value required |
| --- | --- |
| Name | Name to uniquely identify the connection record. For example, enter Ansible Connection. |
| Credential | Credential record you created for Ansible Tower. For example, select Ansible Credentials. |
| Connection URL | URL of the Ansible Tower instance. |

- Click Submit.
Ansible.com - Preparing ServiceNow
- Navigate to System Definition > Certificates
- Name: Descriptive name of the certificate
- Format: PEM
- Type: Trust Store Cert
- PEM Certificate: The certificate to authenticate against Ansible Tower with. You can use the built-in certificate on your Tower server, located at /etc/tower/tower.cert. Copy the contents of this file into the field in ServiceNow.
- Navigate to System OAuth->Application Registry
- Select Connect to a third party Oauth Provider
- On the new application screen, fill in these details:
- Name: Descriptive Application Name
- Client ID: The Client ID you got from Ansible Tower
- Client Secret: The Client Secret you got from Ansible Tower
- Default Grant Type: Authorization Code
- Authorization URL: https://<tower_url>/api/o/authorize/
- Token URL: https://<tower_url>/api/o/token/
- Redirect URL: https://<snow_instance_id>.service-now.com/oauth_redirect.do
- At the bottom, there should be two tabs: Click on the tab Oauth Entity Scopes. Under here, there is a section called Insert a new row…. Double click here, and fill in the field to say Writing Scope. Click on the green check mark to confirm this change.
- Click the Oauth Entity Profiles tab. There should be an entity profile populated - click into it.
- You will be taken to the Oauth Entity Profile Window. At the bottom, Type Writing Scope into the Oauth Entity Scope field. Click the green check mark and update.
- Navigate to System Web Services-> REST Messages. Click the blue New button. In the resulting dialog window, fill in the following fields:
- Name: Descriptive REST Message Name
- Endpoint: The url endpoint of the Ansible Tower action you wish to do. This can be taken from the browsable API at https://<tower_url>/api
- Authentication Type: Oauth 2.0
- Oauth Profile: Select the Oauth profile you created
- Under the HTTP Methods section at the bottom, click the blue New button. At the new dialog window that appears, fill in the following fields:
- HTTP Method: POST
- Name: Descriptive HTTP Method Name
- Endpoint: The url endpoint of the Ansible Tower action you wish to do. This can be taken from the browsable API at https://<tower_url>/api
- HTTP Headers (under the HTTP Request tab)
- The only HTTP Header that should be required is Content-Type: application/json
- Under the HTTP Methods section at the bottom, click the blue New button. At the new dialog window that appears, fill in the following fields:
- HTTP Method: GET
- Name: Descriptive HTTP Method Name
- Endpoint: The url endpoint of the Ansible Tower action you wish to do. This can be taken from the browsable API at https://<tower_url>/api
- HTTP Headers (under the HTTP Request tab)
- The only HTTP Header that should be required is Content-Type: application/json
Testing
Something to take into consideration is that in both scenarios the same result / error occurs.
Testing from:
- IntegrationHub > Credentials > Ansible
- System Web Services > Outbound > REST Messages > Ansible Tower
Click on the Related Link
Get OAuth Token
First I am prompted with a login screen to Ansible Tower (this is unexpected as we have set up an OAuth connection between applications).
I log in, and then am prompted to authorise service-now-application to write to Ansible Tower. I click on the Authorize button.
Following this I am prompted to log in to my ServiceNow Instance; I do so with the system administrator credentials.
Immediately after logging in I get an error telling me the Token URL is incorrect, even though it matches exactly to both sets of documentation.
Does Anyone who has setup this spoke have any guidance / suggestions on what may be causing this to fail?
Kind Regards
Nic Nagtzaam
- Labels: Orchestration (ITOM)
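
An added example, not part of any post in this thread and not ServiceNow or Ansible code: a small linter that compares the OAuth values entered in the ServiceNow Application Registry with what is registered on the Tower application, covering the points where the two quoted instruction sets differ or are easy to mistype (endpoint paths, stray whitespace, redirect URL). The dictionary keys, host names and the exact-string redirect comparison are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Endpoint paths as given in both sets of instructions quoted in the post.
EXPECTED_PATHS = {"authorization_url": "/api/o/authorize/",
                  "token_url": "/api/o/token/"}


def lint_oauth_registration(sn, tower):
    """Check a ServiceNow registry record `sn` against the Tower application
    record `tower` (both hypothetical dicts) and return a list of findings."""
    findings = []
    tower_host = urlsplit(tower["base_url"]).hostname
    for field, path in EXPECTED_PATHS.items():
        raw = sn.get(field, "")
        # Copying URLs out of rendered docs can leave a space inside them.
        if any(c.isspace() for c in raw):
            findings.append(f"{field}: contains whitespace")
            continue
        url = urlsplit(raw)
        if url.scheme != "https":
            findings.append(f"{field}: scheme is not https")
        if url.hostname != tower_host:
            findings.append(f"{field}: host differs from Tower host")
        if url.path != path:
            findings.append(f"{field}: path {url.path!r} is not {path!r}")
    # Assumption: the redirect URI is compared as an exact string.
    if sn.get("redirect_url") not in tower.get("redirect_uris", []):
        findings.append("redirect_url: not registered on the Tower application")
    if sn.get("default_grant_type") != "Authorization Code":
        findings.append("default_grant_type: expected Authorization Code")
    return findings


# Constructed sample: registry filled in from one instruction set, Tower
# application filled in from the other, token URL missing its trailing slash.
SAMPLE_SN = {
    "authorization_url": "https://tower.example.internal/api/o/authorize/",
    "token_url": "https://tower.example.internal/api/o/token",
    "redirect_url": "https://example.service-now.com/api/sn_ansible_spoke/ansible_oauth_redirect",
    "default_grant_type": "Authorization Code",
}
SAMPLE_TOWER = {
    "base_url": "https://tower.example.internal",
    "redirect_uris": ["https://example.service-now.com/oauth_redirect.do"],
}

if __name__ == "__main__":
    for finding in lint_oauth_registration(SAMPLE_SN, SAMPLE_TOWER):
        print(finding)
```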
11-17-2021 01:07 AM
Hello Nic,
I understand that OAuth2 is not supported. I am using Basic Authentication with a Service Account and it works perfectly using scripts.
But the spoke also works but I have issues in passing extra arguments as it throws an error.
Let me know whether this helps.
Regards,
Sriram.
03-23-2022 08:37 AM
Had the same issue, followed this and it worked.
https://community.servicenow.com/community?id=community_question&sys_id=80bb7d82db308110bb4a474d13961977&view_source=searchResult
also covered here
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1002854
08-20-2024 06:22 AM
We are doing the same. Could you please tell if port opening was required for this integration separately or
Thanks
03-20-2024 08:46 AM
Hi, was this solved?
I'm facing a similar issue 😞