External credential vault in RPA Hub
Summary of External Credential Vault in RPA Hub
The external credential vault feature in RPA Hub allows users to securely retrieve robot and application credentials, as well as Time-based One-time Password (TOTP) seeds. This integration ensures that sensitive data, such as usernames and passwords, is handled securely during automation execution.
Key Features
- Integration with various external credential vaults (e.g., CyberArk, Azure Key Vault) for secure credential management.
- GraphQL API calls to RPA Hub for credential retrieval based on user input in credential forms.
- Configuration options to determine whether credentials are fetched from the external vault or stored locally in the ServiceNow instance.
- Support for routing API calls via MID Server or direct connections, based on organizational needs.
- Important settings to prevent sensitive data from being logged in the ServiceNow instance.
Key Outcomes
By configuring the external credential vault, customers can enhance security for sensitive data during automation processes, ensuring compliance with organizational requirements. Proper configuration prevents logging of sensitive information, allowing for safe and efficient automation execution. For further details, customers should refer to guides on creating credential sets and configuring external vault settings within RPA Hub.
With the external credential vault feature, you can retrieve robot credentials, application credentials, or a Time-based One-time Password (TOTP) seed from a vault outside the ServiceNow instance.
External credential vault integration with RPA Hub
The following diagram shows the integration of an external credential vault with RPA Hub.
A robot resides in the customer's environment. If the robot requires sensitive data during automation execution, for example the user name and password for logging in to an SAP application, it makes a GraphQL Application Programming Interface (API) call to RPA Hub. The call carries the value of the External Credential check box as an input:
- If the input is false (the check box isn't selected), the credentials are saved to or retrieved from the instance.
- If the input is true (the check box is selected in the credential set form or an application credential form), the credentials are fetched from the configured external credential vault. If the check box is selected in the TOTP authenticator form, the seed is fetched from the configured external credential vault.
Examples of external credential vaults are CyberArk, Azure Key Vault, and so on.
If the External Credential check box isn't enabled, the API returns the data stored in the Password2 field of the ServiceNow instance, and the robot uses that sensitive data for the automation execution.
If the External Credential check box is enabled, the credentials are fetched from the configured external credential vault. In this scenario, the API internally triggers a subflow, which makes a REST API call to the external credential vault. You can route this REST API call through the MID Server, or establish a direct connection with the external credential vault, depending on your organizational requirements. The MID Server resides in the customer's environment. For more information about MID Server, see MID Server.
After the REST API call fetches the credential from the vault, the credentials are sent to the robot.
Important information
You must configure the external credential settings appropriately so that the sensitive data isn't stored or logged in the ServiceNow instance.
Verify that the Reporting field is set to Off for the subflow of your external credential vault, for example Demo CyberArk Subflow. This setting ensures that the sensitive data isn't captured or logged. For more information about configuring this setting, see Activate flow reporting.
To configure the external credential vault in RPA Hub, see Steps to configure an external credential vault in RPA Hub.
Outbound request logging enables you to understand which third-party services your instance accesses and the volume of outbound requests. Additionally, logging can provide valuable information when debugging outbound integrations. For more information about system logging or outbound logging, see Configure outbound logging and Outbound web service logging properties.