Steps to configure an external credential vault in RPA Hub

  • Release version: Washingtondc
  • Updated February 1, 2024

    Use this list of steps to guide you through all the tasks of configuring an external credential vault in RPA Hub.

    Complete all the tasks for a step before moving on to the next step.

    Do the steps in the order that they’re presented.

    Table 1. Steps to configure an external credential vault in RPA Hub
    Task Reference
    1) Create a subflow to integrate your external credential vault. For more information, see Create a subflow in Flow Designer. For reference, see the sample Demo CyberArk Subflow in your ServiceNow instance.
    1.A) Verify that the subflow that you’re creating to integrate with the external credential vault has an input of type JSON.

    This input takes the value from the Subflow Input field of the Credential Set, Application Credential, or Time-based One-time Password (TOTP) Authenticator.

    For example, a credential set, application credential, or TOTP authenticator that uses the Demo CyberArk external credential vault must align with the following JSON format:

    { 
    "appID" : "",
    "query" : ""
    }
    Populate values for appID and query.
    1.B) You can use the REST Step in the subflow to connect with the external credential vault. You can also use other integration steps such as SOAP. For more information, see Flow Designer steps.
    1.C) Verify that the output of your subflow aligns with the following JSON schema.
    {
        "$schema": "http://json-schema.org/draft-07/schema#",
        "type": "object",
        "properties": {
            "result": {
                "type": "object",
                "properties": {
                    "status": {
                        "type": "string",
                        "enum": ["success", "failure"]
                    },
                    "data": {
                        "type": "object",
                        "properties": {
                            "username": {
                                "type": "string"
                            },
                            "sensitiveValue": {
                                "type": "string"
                            },
                            "additionalData": {
                                "type": "object"
                            }
                        },
                        "required": ["sensitiveValue"]
                    },
                    "error": {
                        "type": "object",
                        "properties": {
                            "errorType": {
                                "type": "string"
                            },
                            "errorMessage": {
                                "type": "string"
                            },
                            "additionalErrorData": {
                                "type": "object"
                            }
                        },
                        "required": ["errorMessage"]
                    }
                },
                "required": ["status"]
            }
        },
        "required": ["result"]
    }
    This schema is used by the Robotic Process Automation (RPA) GraphQL APIs to validate the subflow output. If the output isn’t aligned with this schema, an error is encountered.

    Error Message: The JSON received from the subflow deviates from the expected JSON schema. Rectify the JSON structure by aligning it with the specified schema in the documentation.

    1.D) You can align with the expected JSON schema (shown in 1.C) by defining a JSON output named 'result' for the subflow. For success status, assign this result output a JSON object of the following structure. Populate values for the keys defined in the JSON. The status and sensitiveValue keys are required.
    {
      "status": "success",
      "data": {
        "username": "",
        "sensitiveValue": "",
        "additionalData": {}
      }
    }

    For failure status, assign this result output a JSON object of the following structure. Populate values for the keys defined in the JSON. The status and errorMessage keys are required.

    {
      "status": "failure",
      "error": {
        "errorType": "",
        "errorMessage": "",
        "additionalErrorData": {}
      }
    }
    2) Create an external credential vault record. For more information, see Create an external credential vault record in RPA Hub. For reference, see the sample Demo CyberArk external credential vault in your ServiceNow instance.
    3) Establish a connection with an external credential vault by using ServiceNow Connections and Credentials. For more information about creating an active connection, see Create an HTTP(s) connection.

    While configuring the connection record, verify that it aligns with your organizational security requirements.

    For reference, see the sample Demo CyberArk Subflow that uses RPA CyberArk connection and credential alias.

    Create a connection record under this connection and credential alias to establish a connection with your CyberArk external vault.

    4) To use the external credential vault record that you created in step 2, navigate to a credential set, application credential, or TOTP authenticator and select the External Credential check box.

    Also, select a record in the External Credential Vault field and populate the Subflow Input field with a valid JSON object. The JSON must contain the necessary information for retrieving credentials from the external credential vault.

    For more information about configuring these fields, see Create a credential set within a bot process, Create an application credential set in RPA Hub, and Create a TOTP authenticator in RPA Hub.
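
    The schema in 1.C and the per-status rules in 1.D can be checked against a subflow's output before the subflow is referenced from a credential set. The following is an added example, not ServiceNow's code: a stand-alone JavaScript (Node.js) check whose function names and sample outputs are constructed for illustration, and whose non-empty sensitiveValue rule is an assumption stricter than the schema.

```javascript
// Added example: checks a subflow output against the schema in 1.C, then
// applies the per-status rules from 1.D. Error strings name keys only and
// never echo values, so sensitiveValue cannot leak into logs.
const isObj = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Check one optional object-typed section ("data" or "error") of result.
function checkSection(section, name, stringKeys, objectKey, requiredKey, errors) {
  if (section === undefined) return;
  if (!isObj(section)) { errors.push(`result.${name} must be an object`); return; }
  for (const k of stringKeys) {
    if (k in section && typeof section[k] !== 'string') errors.push(`result.${name}.${k} must be a string`);
  }
  if (objectKey in section && !isObj(section[objectKey])) errors.push(`result.${name}.${objectKey} must be an object`);
  if (!(requiredKey in section)) errors.push(`result.${name}.${requiredKey} is required`);
}

function validateSubflowOutput(output) {
  const errors = [];
  if (!isObj(output) || !('result' in output)) return ['result is required'];
  const r = output.result;
  if (!isObj(r)) return ['result must be an object'];
  if (!('status' in r)) errors.push('result.status is required');
  else if (r.status !== 'success' && r.status !== 'failure') errors.push('result.status must be "success" or "failure"');
  checkSection(r.data, 'data', ['username', 'sensitiveValue'], 'additionalData', 'sensitiveValue', errors);
  checkSection(r.error, 'error', ['errorType', 'errorMessage'], 'additionalErrorData', 'errorMessage', errors);
  // Stricter than the schema (assumption based on 1.D): the schema only
  // requires "status" inside result, so a "success" with no data block,
  // i.e. no credential at all, would still pass schema validation.
  if (r.status === 'success' && !(isObj(r.data) && typeof r.data.sensitiveValue === 'string' && r.data.sensitiveValue.length > 0)) {
    errors.push('success requires a non-empty data.sensitiveValue');
  }
  if (r.status === 'failure' && !(isObj(r.error) && 'errorMessage' in r.error)) {
    errors.push('failure requires error.errorMessage');
  }
  return errors;
}

// Constructed sample outputs (not real vault responses).
const ok = { result: { status: 'success', data: { username: 'svc_bot', sensitiveValue: 'constructed-secret', additionalData: {} } } };
const schemaValidButEmpty = { result: { status: 'success' } };
const failed = { result: { status: 'failure', error: { errorType: 'auth', errorMessage: 'constructed error' } } };
const wrongStatus = { result: { status: 'ok', data: { sensitiveValue: 42 } } };
```

    An empty array from validateSubflowOutput means the output satisfies both the schema and the 1.D rules; schemaValidButEmpty is the case that the schema alone accepts.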