Harneet Sital
Mega Sage

HashiCorp Vault is a credential store that provides the security and compliance layer for storing credentials. Standardization and consistency are the key benefits customers get from using Vault, both in general and together with ServiceNow ITOM applications.

The instance maintains a unique identifier for each credential, the credential type (such as SSH, SNMP, or Windows), and any credential affinities. The MID Server obtains the credential identifier from the instance, and then uses a “Credential Resolver” to resolve the identifier from the repository into a usable credential.

Vault can now integrate with ServiceNow for credential management: the Vault Credential Resolver integration is available out of the box in the ServiceNow App Store. More details are here:
https://www.hashicorp.com/blog/hashicorp-vault-integrates-with-servicenow-for-credential-management


There is a very helpful video on YouTube that explains the integration step by step and may answer any question you have at this point:
Video - Product Demo of Vault working with ServiceNow


Prerequisites

  • ServiceNow version Quebec+ (untested on previous versions)
  • MID server version Quebec+ (untested on previous versions)
  • Discovery and external credential plugins activated on ServiceNow
  • Working Vault deployment accessible from the MID server

 

The HashiCorp Vault team follows these steps to configure Vault:

  • Select your desired auth method from Agent's supported auth methods and set it up in Vault

For example, to set up AppRole auth and a role called role1 with the demo policy attached:

vault auth enable approle

vault write auth/approle/role/role1 bind_secret_id=true token_policies=demo

To produce the role ID and secret ID files that the example Agent config below reads, run:

echo -n $(vault read -format json auth/approle/role/role1/role-id | jq -r '.data.role_id') > /path/to/roleID

echo -n $(vault write -format json -f auth/approle/role/role1/secret-id | jq -r '.data.secret_id') > /path/to/secretID


  • Create an agent.hcl config file. Your exact configuration may vary, but you must set use_auto_auth_token = true, and the listener, vault, and auto_auth blocks are also required to set up a working Agent, e.g.:

listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = false
  tls_cert_file = "/path/to/cert.pem"
  tls_key_file = "/path/to/key.pem"
}

cache {
  use_auto_auth_token = true
}

vault {
  address = "http://vault.example.com:8200"
}

auto_auth {
  method {
    type = "approle"
    config = {
      role_id_file_path = "/path/to/roleID"
      secret_id_file_path = "/path/to/secretID"
      remove_secret_id_file_after_reading = false
    }
  }
}

 

  • Install Vault Agent as a service that runs: vault agent -config=/path/to/agent.hcl
    Documentation for Windows service installation here
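As an added example (my own, not code from the article or from HashiCorp), the following POSIX shell script checks the artifacts produced by the HashiCorp-side steps above: it writes role ID / secret ID files the way the AppRole commands do, but with mode 0600 and no trailing newline, and it lints an agent.hcl for the blocks the article calls required, warning where the listener has TLS disabled or an address uses plain http. The file paths are the article's placeholders, the sample config and secret value are constructed for the demo, and the script never contacts Vault.

```shell
#!/bin/sh
# Added example, not part of the article or HashiCorp's tooling: a local
# pre-flight check for the Vault Agent steps above. It never contacts Vault;
# it only inspects the files those steps produce.

# write_secret_file DEST VALUE
# Stores VALUE in DEST the way the Agent expects it: no trailing newline and
# mode 0600, so the role_id/secret_id are not readable by other local users.
write_secret_file() {
  dest="$1"
  value="$2"
  if [ -z "$value" ]; then
    echo "refusing to write an empty value to $dest" >&2
    return 1
  fi
  # Subshell so the restrictive umask does not leak into the caller.
  ( umask 077 && printf '%s' "$value" > "$dest" ) || return 1
  chmod 600 "$dest"
}

# check_agent_config FILE
# Returns 0 when FILE contains the pieces the article calls required:
# listener, vault and auto_auth blocks plus use_auto_auth_token = true.
# Also warns about settings that leave MID-server-to-Agent or
# Agent-to-Vault traffic in plaintext.
check_agent_config() {
  cfg="$1"
  rc=0
  for block in listener vault auto_auth; do
    if ! grep -Eq "^[[:space:]]*${block}([[:space:]]+\"[^\"]*\")?[[:space:]]*\{" "$cfg"; then
      echo "missing required block: $block" >&2
      rc=1
    fi
  done
  if ! grep -Eq '^[[:space:]]*use_auto_auth_token[[:space:]]*=[[:space:]]*true' "$cfg"; then
    echo "use_auto_auth_token = true is required" >&2
    rc=1
  fi
  if grep -Eq '^[[:space:]]*tls_disable[[:space:]]*=[[:space:]]*true' "$cfg"; then
    echo "warning: listener TLS is disabled" >&2
  fi
  if grep -Eq '^[[:space:]]*address[[:space:]]*=[[:space:]]*"http://' "$cfg"; then
    echo "warning: an address uses http://, traffic to that endpoint is unencrypted" >&2
  fi
  return $rc
}

# write_sample_config FILE
# Writes a constructed agent.hcl shaped like the article's example, for the
# demo and tests only (hypothetical paths, not a real deployment).
write_sample_config() {
  cat > "$1" <<'EOF'
listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = false
  tls_cert_file = "/path/to/cert.pem"
  tls_key_file = "/path/to/key.pem"
}

cache {
  use_auto_auth_token = true
}

vault {
  address = "https://vault.example.com:8200"
}

auto_auth {
  method {
    type = "approle"
    config = {
      role_id_file_path = "/path/to/roleID"
      secret_id_file_path = "/path/to/secretID"
    }
  }
}
EOF
}

# Demo run in a temporary directory (constructed values, not real secrets).
demo_dir=$(mktemp -d)
write_secret_file "$demo_dir/secretID" "constructed-secret-id" &&
  write_sample_config "$demo_dir/agent.hcl" &&
  check_agent_config "$demo_dir/agent.hcl" &&
  echo "pre-flight OK: $demo_dir"
```

To check a real deployment, pass the output of the vault read/write commands above to write_secret_file instead of the constructed value, and point check_agent_config at the real agent.hcl. The listener address in the article's config carries no scheme, so only the vault block's address can trigger the http warning; the article's example uses http:// for the Vault server, which is worth revisiting before production.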

 

On the ServiceNow side, configure the following:

  • Install the application from the SN store

https://store.servicenow.com/sn_appstore_store.do#!/store/application/3ee1c80c1b257010c216ebd56e4bcb...

  • Upload the JAR file to the MID server
  1. Download the latest version of the Vault Credential Resolver JAR file from releases.hashicorp.com
  2. In ServiceNow, navigate to "MID server - JAR files" -> New
  3. Manage Attachments -> upload the Vault Credential Resolver JAR
  4. Fill in the name, version, etc. as desired
  5. Click Submit
  6. Navigate to "MID server - Properties" -> New
  7. Set Name: external_credentials.vault.address, Value: the address of the Vault Agent listener from the previous step, e.g. http://127.0.0.1:8200
  8. Optional: set the property mid.external_credentials.vault.ca to the trusted CA in PEM format if TLS between the MID Server and Vault Agent uses a self-signed certificate.

 

Vault Agent Auto-Auth Methods

To set up credentials in HashiCorp Vault that ServiceNow can reference, the HashiCorp team follows the steps for the relevant credential type, documented here:
https://www.vaultproject.io/docs/agent/autoauth


Architecture

(Architecture diagram image)

If the article has helped you, please bookmark it or mark the answer as helpful. Also please share your feedback in the comments. 

Thank you
Harneet

Comments
Harneet Sital
Mega Sage

Hi @veeresh22 

 

Have you already looked at the below documentation? 

https://developer.hashicorp.com/vault/docs/agent/winsvc

 

Thanks,
Harneet

VaranAwesomenow
Mega Sage

@Harneet Sital 

Thanks for documenting this, it's very helpful.

I'm looking for some help on how to achieve the following use case.
Implement basic authentication to authenticate against a REST API, with the credentials stored in an external credential store. Have you ever come across this use case, and is it possible to achieve it using the external credential store setup via the MID server?

In your diagram I don't see basic auth; is that even allowed using the above setup?

VaranAwesomenow
Mega Sage

I figured it out; it was the properties file having an incorrect credential format.

I made a recording of the solution.

https://youtu.be/7E23wu5J6rs


Version history
Last update: 04-22-2022 08:54 AM