Thank you for your feedback.
Form temporarily unavailable. Please try again or contact docfeedback@servicenow.com to submit your comments.
Versions
  • London
  • Kingston
  • Jakarta
  • Istanbul
  • Helsinki
  • Geneva
  • Store
Close

CyberArk credential storage integration

CyberArk credential storage integration

The MID Server integration with the CyberArk vault enables Orchestration, Discovery, and Service Mapping to run without storing any credentials on the instance.

Introduction to CyberArk

CyberArk’s Application Identity Management (AIM) product uses the Privileged Account Security solution to eliminate the need to store application passwords embedded in applications, scripts or configuration files, and allows these highly-sensitive passwords to be centrally stored, logged and managed within the CyberArk vault. This approach enables organizations to comply with internal and regulatory requirements of periodic password replacement and to monitor activities associated with all types of privileged identities, whether on-premise or in the cloud.

The instance maintains a unique identifier for each credential, the credential type (such as SSH, SNMP, or Windows), and any credential affinities. The MID Server obtains the credential identifier, credential type, and IP address from the instance, and then uses the CyberArk vault to resolve these elements into a usable credential.

The CyberArk integration requires the ServiceNow® External Credential Storage plugin, which is available by request.

Installed with CyberArk

  • Business rule: The External Credential Storage business rule performs the following tasks when an administrator makes any change to the external credential storage property:
    • Changes the view for the Credentials record list and form to the External Storage view. This view enables users to to see the Credential ID column in the list.
    • Instructs the MID Server to refresh its credentials cache in preparation for a change in the way credentials are obtained.
  • System property: A property called Enable External Credential Storage [com.snc.use_external_credentials] enables or disables the External Credential Storage plugin after it is activated. This property is located in Discovery Definition > Properties and Orchestration > MID Server Properties, and is enabled when you activate the plugin.
    Note: If you disable external credential storage with the system property, the system automatically sets all the external credentials to inactive in the instance. If you re-enable the feature with this property, the system does not reset the external credential records to active. You must reactivate each credential record manually.

Supported credential types

The CyberArk integration supports these ServiceNow credential types:
  • CIM
  • JMS
  • SNMP Community
  • SSH
  • SSH Private Key (with key only)
  • VMware
  • Windows
Orchestration activities that use these network protocols support the use of credentials stored on a CyberArk vault:
Important: You cannot manage credentials stored on a CyberArk vault and a custom external credential storage system using the same MID Server. To use both types of external storage, install and configure a dedicated MID Server for each. The MID Server must be installed on the same machine as the CyberArk AIM API/client

CyberArk architecture

How the MID Server handles Windows accounts

Credential lookup initially attempts to match the specified credential ID to an existing value in the CyberArk vault Name field. If a match is found, that credential is returned. If no match is found, the credential lookup attempts to find a match using the IP address. If the IP address lookup matches more than one credential, such as Windows and Tomcat on the same server, the lookup fails. To avoid this issue, set the ext.cred.type_specifier parameter in the MID Server config.xml file to true to force CyberArk to return credentials that match both the credential type and the IP address. For example, if an IP address is shared by both Windows and Tomcat, a credential type of Windows returns the Windows credential only.