CyberArk credential storage integration
Summarize
Summary of CyberArk credential storage integration
The CyberArk credential storage integration enables ServiceNow® Orchestration, Discovery, and Service Mapping to operate without storing any credentials directly on the ServiceNow instance. This integration uses the CyberArk Application Identity Management (AIM) product to centrally manage and secure privileged credentials, allowing organizations to comply with password policies and monitor privileged access activities effectively.
Show less
The integration requires the ServiceNow External Credential Storage plugin and mandates that the MID Server and CyberArk AIM/API client be installed on the same machine. This setup ensures credentials are resolved securely from the CyberArk vault during runtime instead of being stored on the instance.
Key Features
- Centralized Credential Management: CyberArk stores passwords centrally, eliminating the need to embed them in applications or scripts.
- MID Server Credential Resolution: The MID Server retrieves credential identifiers and types from the instance, then resolves them via CyberArk using IP address, hostname, or reverse DNS lookups.
- External Credential Storage Plugin: Includes a business rule to adjust views and refresh MID Server credential caches when external credential properties change.
- System Property Control: The
Enable External Credential Storagesystem property enables or disables the integration and manages the activation state of external credentials. - Supported Credential Types: Integration supports various credential types including SSH, SNMP, Windows, VMware, Azure, GCP (with customization), CIM, JMS, and Basic Auth.
- Workflow and Orchestration Support: Credentials stored in CyberArk can be used with ServiceNow Workflow Studio activities such as SOAP, REST, JDBC, SSH, PowerShell, SFTP, and JMS.
- Windows Account Handling: Credential lookup matches credential ID or IP address, with configuration options to avoid conflicts when multiple credentials share an IP address.
- CyberArk Library Upgrade: Provides a process for upgrading the CyberArk client library on the MID Server to support secured configuration parameters.
Practical Considerations for ServiceNow Customers
- Ensure the External Credential Storage plugin is activated and configured through Discovery and MID Server properties.
- Install the MID Server and CyberArk AIM/API client on the same machine to enable proper credential resolution.
- Use the system property
com.snc.useexternalcredentialsto toggle external credential storage; remember that reactivation of credentials after disabling requires manual action. - Modify the external credential storage jar to support GCP credential type if used.
- Do not attempt to manage credentials stored in CyberArk and any custom external credential storage system simultaneously with the same MID Server.
- Follow CyberArk and ServiceNow documentation closely to complete configuration and maintain security best practices.
The MID Server integration with the CyberArk vault enables ServiceNow® Orchestration, ServiceNow® Discovery, and ServiceNow® Service Mapping to run without storing any credentials on the instance.
Introduction to CyberArk
CyberArk Application Identity Management (AIM) product uses the Privileged Account Security solution to eliminate the need to store application passwords embedded in applications, scripts or configuration files, and allows these highly sensitive passwords to be centrally stored, logged, and managed within the CyberArk vault. This approach enables organizations to comply with internal and regulatory requirements of periodic password replacement and to monitor activities associated with all types of privileged identities, whether on-premise or in the cloud.
The instance maintains a unique identifier for each credential, the credential type (such as SSH, SNMP, or Windows), and any credential affinities. The MID Server obtains the credential identifier, credential type, and IP address from the instance, and then uses the CyberArk vault to resolve these elements into a usable credential. The credential resolver can also look up the hostname, fqdn, and use reverse DNS lookup to get fqdn.
The CyberArk integration requires the ServiceNow® External Credential Storage plugin, which is available in . The MID Server and CyberArk AIM/API client must be installed on the same machine. CyberArk Application Access Manager (AAM) Credential Providers version 12.0.1 and later is supported.
Installed with CyberArk
- Business rule: The External Credential Storage business
rule performs the following tasks when an administrator makes any change to the external
credential storage property:
- Changes the view for the Credentials record list and form to the External Storage view. This view enables users to see the Credential ID column in the list.
- Instructs the MID Server to refresh its non-external credentials cache in preparation for a change in the way that credentials are obtained.
- System property: A property called Enable External Credential
Storage [com.snc.use_external_credentials] enables or disables the External Credential
Storage plugin after it is activated. This property is located in and , and is enabled when you activate the plugin.Note:If you disable external credential storage with the system property, the system automatically sets all the external credentials to inactive in the instance. If you re-enable the feature with this property, the system does not reset the external credential records to active. You must reactivate each credential record manually.
Supported credential types
- GCP
- Azure
- CIM
- JMS
- SNMP forum
- SNMPv3
- Basic Auth
- SSH Key Pair
- SSH Private Key (with key, pass phrase, and password)
- VMware
- Windows
- Applicative Credentials
ServiceNow AI Platform features that use these network protocols also support the use of credentials stored on a CyberArk vault.
| Network protocol | ServiceNow® Workflow Studio support | Orchestration support |
|---|---|---|
| SOAP | SOAP Step | Create a SOAP web service activity with basic authentication overrides |
| REST | REST Step | Create a REST web service activity with basic authentication overrides |
| JDBC | JDBC Step | JDBC activity |
| SSH | SSH Step | SSH activity |
| PowerShell | PowerShell Step | PowerShell activity |
| SFTP | SFTP Step | SFTP activity |
| JMS | JMS activity |
CyberArk architecture
How the MID Server handles Windows accounts
Credential lookup initially attempts to match the specified credential ID to an existing value in the CyberArk vault Name field. If a match is found, that credential is returned. If no match is found, the credential lookup attempts to find a match using the IP address. If the IP address lookup matches more than one credential, such as Windows and Tomcat on the same server, the lookup fails. To avoid this issue, set the ext.cred.type_specifier parameter in the MID Server config.xml file to true to force CyberArk to return credentials that match both the credential type and the IP address. For example, if an IP address is shared by both Windows and Tomcat, a credential type of Windows returns the Windows credential only.
Upgrade the CyberArk library
You can upgrade the CyberArk library if a secured configuration parameter is needed.
Check the following configuration parameter in the config.xml: <parameter name="mid.secure_config.provider"
value="com.service_now.mid.services.config.CyberArkSecuredConfigProvider"/>
- Rename the CyberArk client version to
JavaPasswordSDK_MajorVersion_minorVersion_patchNum.jar. - Create a new jar entry in the
ecc_agenttable where the rename jar can be attached. This new entry downloads to the MID Server. This step results in two jar (Passworsdk.jar and JavaPasswordSDK _12_X_X.jar). - Delete old ecc_agent entry from instance. This step deletes Passworsdk.jar from the MID Server, and the JavaPasswordSDK _12_X_X.jar remains in the system.