CyberArk Integration with ServiceNow
ServiceNow CyberArk Integration Steps to follow
The MID Server obtains the credential identifier from the instance, and then uses a customer-provided JAR file to resolve the identifier from the repository into a usable credential.
Note: The customer-provided JAR file is kept on the MID Server.
- Activate external credential storage for Discovery and Orchestration.
- Configure the CyberArk vault and install the AIM API:
- Install the CyberArk AIM API on the MID Server machine. The API is provided by the client.
- Configure CyberArk to allow the MID Server to access the vault by creating an App-ID in CyberArk called ServiceNow_MID_Server.
- Every credential that the MID Server retrieves must be accessible to the App-ID ServiceNow_MID_Server; in CyberArk this is granted by making the App-ID a member of the safe that holds the credential.
- Provision CyberArk accounts and set permissions for application access:
- In the CyberArk Password Safe, create the privileged accounts that Discovery needs to access the different devices, and ensure that these accounts are members of the safes in which the necessary credentials are stored.
- Import the CyberArk JAR file:
- Import the CyberArk JavaPasswordSDK.jar file into the instance to make it accessible to the MID Server. Use this process even if the JavaPasswordSDK.jar file already exists on the MID Server.
- Navigate to MID Server > JAR Files.
- Click New and complete the form.
- Attach the JAR file to this record. The AIM JavaPasswordSDK.jar file comes with the AIM SDK installation files and is typically located on the MID Server in the AIM installation directory at /CyberArk/ApplicationPasswordSdk.
- Restart the MID Server service.
- Configure the MID Server for CyberArk:
- Edit the MID Server config.xml file to grant the MID Server access to the CyberArk vault.
- JavaPasswordSDK.jar must be present on the MID Server.
- Required configuration parameters:
- ext.cred.safe_folder
- NameOfFolder : Folder to use for all credential lookups. For example, root.
- ext.cred.use_cyberark
- true : Boolean parameter indicating that this MID Server is integrated with CyberArk.
- Optional configuration parameters:
- ext.cred.safe_timeout
- 5 : Timeout of each credential lookup in the vault, specified in seconds.
- ext.cred.safe_name
- NameOfSafe : Default safe name used for all credential lookups. If credentials are spread across multiple safes, the credential ID may instead be qualified with the safe name (see the credential identifier formats below).
- ext.cred.app_id
- ServiceNow_MID_Server : Specifies the App-ID used to grant the MID Server permission to access the CyberArk vault. The default value, ServiceNow_MID_Server, must be defined in the CyberArk vault.
- ext.cred.type_specifier
- true : Forces an IP address lookup to return only credentials that match both the CyberArk platform ID and the IP address.
- ext.cred.check_ssh_type
- false : When set to true, requires that the type of SSH credential returned from CyberArk matches the type of credential requested.
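The fragment below is an added example of these parameters as they appear in the MID Server's agent/config.xml; it is not taken from the original article or from ServiceNow's own files. It assumes the parameter name/value element format that the MID Server config file uses for all of its settings. NameOfSafe is a placeholder for your safe name; the other values are the example values listed above.

```xml
<!-- Added example fragment for agent/config.xml on the MID Server host.
     Only the ext.cred.* parameters are shown; keep the existing url, name and
     mid.instance.* parameters that are already in the file.
     NameOfSafe is a placeholder for your safe name. -->
<parameters>
  <!-- required: switch this MID Server to CyberArk lookups and set the folder -->
  <parameter name="ext.cred.use_cyberark" value="true"/>
  <parameter name="ext.cred.safe_folder" value="root"/>
  <!-- optional: App-ID, default safe, lookup timeout (seconds) and matching rules -->
  <parameter name="ext.cred.app_id" value="ServiceNow_MID_Server"/>
  <parameter name="ext.cred.safe_name" value="NameOfSafe"/>
  <parameter name="ext.cred.safe_timeout" value="5"/>
  <parameter name="ext.cred.type_specifier" value="true"/>
  <parameter name="ext.cred.check_ssh_type" value="false"/>
</parameters>
```

Edit the file on the MID Server host (the same host on which the AIM client and JavaPasswordSDK.jar are installed), then restart the MID Server service so the new parameters are read. Check the MID Server agent log after the restart to confirm that credential lookups are going to the vault, because a misspelled parameter name is not reported as a configuration error.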
- Configure CyberArk for SNMP v2 credentials:
Note: If the community string appears in the password field of the CyberArk credential, it is not necessary to perform this procedure.
- If a system uses SNMPv2, create a special file that maps the attribute in the credential to the community string.
- In a text editor, create a file called CredMap.properties, containing this code:
- Save the file to the /agent directory of your MID Server installation.
- Configure the CyberArk credential identifier:
Credential identifier configuration:
- Navigate to Discovery > Credentials or Orchestration > Credentials.
- Select the External credential store check box. The User name and Password fields disappear, and the Credential ID field appears.
- Credential ID: enter the unique key configured for these credentials in the external repository. For a custom external credential store, this is the identifier defined in the JAR file uploaded to the MID Server, and it is the ID passed to the Java class in the parameter map.
In the Credential ID field, enter an expression using one of these formats:
- If all your credentials are in the same safe, configure this safe name in the MID Server config.xml file using the ext.cred.safe_name parameter, and then specify the credential ID by name only.
- If your credentials are in multiple safes, specify the credential ID in this format: :.
- To name credentials for a given platform that reside in a specific safe, define the credential ID as ::.
- If you want CyberArk to look up the credential by IP address, using an alternate safe, specify the credential ID in this format: :.
- If you want CyberArk to look up the credential for an alternate platform ID in the same safe, use this format: ::
- If you want CyberArk to look up the credential in a configured safe by the IP address rather than by the credential ID, leave this field blank. This is the best practice for installations in which each server has a unique credential. Without this type of lookup, you must create a credential ID record in your instance for every server in your environment.
Note: The credential ID must match the value in the Name field of the credential in the CyberArk vault. The Credential ID field has a limit of 40 characters.
Configure AWS Credential on CyberArk Vault
- Store the credentials as an SSH key on the CyberArk vault.
- When you configure access to the vault on your instance, the name you give to the SSH key must also be used as the credential ID.
Property: Enable External Credential Storage (com.snc.use_external_credentials)
- Enables or disables the External Credential Storage plugin after it is activated.
- The property is located under Discovery Definition > Properties and Orchestration > MID Server Properties.
JAR file to resolve credentials:
A JAR file resolves the credential identifiers sent from the MID Server into the actual credentials from the repository.
Template to create the JAR file
Note: The customer provides the JAR file that resolves credentials.
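The class below is an added example of such a resolver, written for this article; it is not ServiceNow's template, nor CyberArk code, and it belongs to the custom external credential store path (the JavaPasswordSDK.jar integration above needs no resolver of your own). It assumes the interface com.snc.automation_common.integration.creds.IExternalCredential with resolve(Map) and getVersion() methods, the parameter-map keys id, ip, type and mid, and the result keys user, pswd, pkey and passphrase, all taken from the shape of ServiceNow's CredentialResolver template; check these names against the template shipped for your release. The in-memory store is constructed sample data standing in for the customer repository.

```java
// Added example: a minimal credential resolver for ServiceNow external credential storage.
// Assumed (not on the page): the IExternalCredential interface, its resolve/getVersion
// methods, the input keys id/ip/type/mid and the output keys user/pswd/pkey/passphrase.
// The sample store below is constructed data; a real resolver calls the repository here.
package com.snc.discovery;

import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import com.snc.automation_common.integration.creds.IExternalCredential;

public class CredentialResolver implements IExternalCredential {
    // Keys the MID Server places in the parameter map (assumed from the template).
    public static final String ARG_ID = "id";
    public static final String ARG_IP = "ip";
    public static final String ARG_TYPE = "type";
    public static final String ARG_MID = "mid";
    // Keys the MID Server expects in the returned map (assumed from the template).
    public static final String VAL_USER = "user";
    public static final String VAL_PSWD = "pswd";
    public static final String VAL_PKEY = "pkey";
    public static final String VAL_PASSPHRASE = "passphrase";

    // Constructed sample repository: credential ID -> stored fields. Illustration only;
    // real secrets must never be compiled into the JAR.
    private static final Map<String, Map<String, String>> SAMPLE_STORE = new HashMap<>();
    static {
        Map<String, String> ssh = new HashMap<>();
        ssh.put(ARG_TYPE, "ssh_password");
        ssh.put(VAL_USER, "svc-discovery");
        ssh.put(VAL_PSWD, "example-only");
        SAMPLE_STORE.put("linux-discovery", ssh);

        Map<String, String> win = new HashMap<>();
        win.put(ARG_TYPE, "windows");
        win.put(VAL_USER, "CORP\\svc-discovery");
        win.put(VAL_PSWD, "example-only");
        SAMPLE_STORE.put("windows-discovery", win);
    }

    // Raw Map signature so the method matches the interface whether it is declared
    // with raw or generic Map types; the MID Server passes String keys and values.
    @Override
    @SuppressWarnings({"rawtypes", "unchecked"})
    public Map resolve(Map args) {
        String id = (String) args.get(ARG_ID);
        String type = (String) args.get(ARG_TYPE);
        if (id == null || id.isEmpty()) {
            // Fail closed: no identifier means no credential, never a default one.
            return Collections.emptyMap();
        }
        Map<String, String> entry = SAMPLE_STORE.get(id);
        if (entry == null) {
            return Collections.emptyMap();
        }
        // Refuse to hand an SSH credential to a Windows probe (or vice versa): the
        // requested type must match what the repository says the credential is.
        if (type != null && !type.equals(entry.get(ARG_TYPE))) {
            return Collections.emptyMap();
        }
        Map<String, String> result = new HashMap<>();
        result.put(VAL_USER, entry.get(VAL_USER));
        result.put(VAL_PSWD, entry.get(VAL_PSWD));
        // Log the identifier and type only, never the resolved secret.
        System.out.println("resolved credential id=" + id + " type=" + type);
        return result;
    }

    @Override
    public String getVersion() {
        return "1.0";
    }

    // Stand-alone check without a MID Server: run with the ServiceNow interface class
    // on the classpath.
    public static void main(String[] argv) {
        Map<String, String> args = new HashMap<>();
        args.put(ARG_ID, "linux-discovery");
        args.put(ARG_TYPE, "ssh_password");
        Map creds = new CredentialResolver().resolve(args);
        System.out.println("user=" + creds.get(VAL_USER)
                + " password present=" + creds.containsKey(VAL_PSWD));
    }
}
```

Compile the class against the interface JAR from the MID Server's lib directory, package it as a JAR, and upload it through MID Server > JAR Files as described for the CyberArk JAR above, then restart the MID Server. Every early return is an empty map rather than an exception so that a lookup failure produces a credential-not-found result on the instance instead of a stack trace that may carry the identifier and arguments into the log.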
Important: You cannot manage credentials stored on a CyberArk vault and on a custom external credential storage system using the same MID Server. To use both types of external storage, install and configure a dedicated MID Server for each. The MID Server must be installed on the same machine as the CyberArk AIM API/client.
Credential Process Flow:
Supported Credential Type:
The CyberArk integration supports these ServiceNow credential types:
- CIM
- JMS
- SNMP Community
- SSH
- SSH Private Key (with key only)
- VMware
- Windows
Orchestration activities that use these network protocols support the use of credentials stored on a CyberArk vault:
Please hit like or mark as Bookmark if this article helps you.
Regards
Sandeep
https://www.servicenow.com/community/developer-articles/cyberark-integration-with-servicenow/ta-p/2330129
