    CyberArk credential storage integration

    The MID Server integration with the CyberArk vault enables Orchestration, Discovery, and Service Mapping to run without storing any credentials on the instance.

    Introduction to CyberArk

    CyberArk’s Application Identity Management (AIM) product uses the Privileged Account Security solution to eliminate the need to store application passwords embedded in applications, scripts or configuration files, and allows these highly-sensitive passwords to be centrally stored, logged and managed within the CyberArk vault. This approach enables organizations to comply with internal and regulatory requirements of periodic password replacement and to monitor activities associated with all types of privileged identities, whether on-premise or in the cloud.

    The instance maintains a unique identifier for each credential, the credential type (such as SSH, SNMP, or Windows), and any credential affinities. The MID Server obtains the credential identifier, credential type, and IP address from the instance, and then uses the CyberArk vault to resolve these elements into a usable credential.

    The CyberArk integration requires the ServiceNow® External Credential Storage plugin, which is available by request.

    Installed with CyberArk

    • Business rule: The External Credential Storage business rule performs the following tasks when an administrator makes any change to the external credential storage property:
      • Changes the view for the Credentials record list and form to the External Storage view. This view enables users to see the Credential ID column in the list.
      • Instructs the MID Server to refresh its credentials cache in preparation for a change in the way credentials are obtained.
    • System property: A property called Enable External Credential Storage [com.snc.use_external_credentials] enables or disables the External Credential Storage plugin after it is activated. This property is located in Discovery Definition > Properties and Orchestration > MID Server Properties, and is enabled when you activate the plugin.
      Note: If you disable external credential storage with the system property, the system automatically sets all the external credentials to inactive in the instance. If you re-enable the feature with this property, the system does not reset the external credential records to active. You must reactivate each credential record manually.

    Supported credential types

    The CyberArk integration supports these ServiceNow credential types:
    • CIM
    • JMS
    • SNMP Community
    • SSH
    • SSH Private Key (with key only)
    • VMware
    • Windows
    Orchestration activities that use these network protocols support the use of credentials stored on a CyberArk vault:
    • SOAP (with basic authentication overrides)
    • REST (with basic authentication overrides)
    • JDBC
    • SSH
    • PowerShell
    • JMS
    • SFTP
    Important: You cannot manage credentials stored on a CyberArk vault and a custom external credential storage system using the same MID Server. To use both types of external storage, install and configure a dedicated MID Server for each. The MID Server must be installed on the same machine as the CyberArk AIM API/client.

    CyberArk architecture

    CyberArk storage architecture

    How the MID Server handles Windows accounts

    Credential lookup initially attempts to match the specified credential ID to an existing value in the CyberArk vault Name field. If a match is found, that credential is returned. If no match is found, the credential lookup attempts to find a match using the IP address. If the IP address lookup matches more than one credential, such as Windows and Tomcat on the same server, the lookup fails. To avoid this issue, set the ext.cred.type_specifier parameter in the MID Server config.xml file to true to force CyberArk to return credentials that match both the credential type and the IP address. For example, if an IP address is shared by both Windows and Tomcat, a credential type of Windows returns the Windows credential only.
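
The lookup order described above, modelled as an added example (not ServiceNow or CyberArk code). The vault entries, their field names, and the layout of the config.xml fragment are constructed assumptions; only the ext.cred.type_specifier parameter name comes from this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a MID Server config.xml fragment (layout is an assumption).
SAMPLE_CONFIG = """<parameters>
  <parameter name="ext.cred.type_specifier" value="true"/>
</parameters>"""

# Constructed stand-in for vault entries; field names are hypothetical.
VAULT = [
    {"name": "win-admin-01", "type": "windows", "address": "10.0.0.5", "user": "svc_win"},
    {"name": "tomcat-mgr-01", "type": "tomcat", "address": "10.0.0.5", "user": "svc_tomcat"},
    {"name": "ssh-root-02", "type": "ssh", "address": "10.0.0.9", "user": "svc_ssh"},
]

class AmbiguousCredential(LookupError):
    """More than one vault entry matched the IP-address fallback."""

def type_specifier_enabled(config_xml):
    """Return True when ext.cred.type_specifier is set to true in config.xml."""
    root = ET.fromstring(config_xml)
    for param in root.iter("parameter"):
        if param.get("name") == "ext.cred.type_specifier":
            return param.get("value", "").strip().lower() == "true"
    return False  # parameter absent: IP fallback is not narrowed by type

def resolve(credential_id, cred_type, ip, type_specifier, vault=VAULT):
    """Model the lookup order: Name match first, then IP (optionally with type)."""
    by_name = [e for e in vault if e["name"] == credential_id]
    if by_name:
        return by_name[0]
    # Fallback: match on IP address; narrow by credential type when enabled.
    matches = [e for e in vault if e["address"] == ip]
    if type_specifier:
        matches = [e for e in matches if e["type"] == cred_type]
    if len(matches) > 1:
        raise AmbiguousCredential(f"{len(matches)} credentials match {ip}")
    if not matches:
        raise LookupError(f"no credential for {ip}")
    return matches[0]
```

With the type specifier off, an unmatched credential ID on the shared address 10.0.0.5 raises AmbiguousCredential; with it on, a credential type of windows resolves to the Windows entry only.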

    • CyberArk integration configuration

      These procedures include both CyberArk and ServiceNow configuration tasks, including references to the appropriate CyberArk documentation.
