CyberArk integration configuration

These procedures include both CyberArk and ServiceNow configuration tasks, including references to the appropriate CyberArk documentation.

The credential identifier configured in the ServiceNow instance must be mapped to the credential name in the CyberArk vault. When looking up a credential, the MID Server first tries to find the credential by matching on name, which must be unique, and then by IP address. For credential lookups in versions at London Patch 4 and later, the MID Server finds the credential by matching the credential identifier to a name in the vault, which must be unique. If the Credential identifier field is blank, then the MID Server finds the credential by IP address. To identify the credential by IP address, the system looks at the credential type to ensure that there is only one credential of that type at that address. An example is when a Windows server and vCenter are both running on the same IP address. To support strict credential requirements like this in an SSH environment, a MID Server configuration parameter allows you to require that the credential type requested matches the type returned by CyberArk.

To configure your instance to obtain credentials from a CyberArk vault, complete these tasks in the order in which they appear below.

Configure the CyberArk vault and install the AIM API

Configure the CyberArk vault to allow MID Server access and install the CyberArk AIM API on the MID Server machine.

Before you begin

Role required: admin

Before starting this procedure, ensure that the External Credential Storage plugin is activated.

Procedure

  1. Configure the CyberArk vault with the application ID and authentication details that all MID Servers requesting credentials will use.
    For details, refer to the CyberArk Credential Provider and ASCP Implementation Guide.
    1. Ensure that CyberArk is configured to allow the MID Server to access the vault by creating an App-ID in CyberArk called ServiceNow_MID_Server.
    2. Make sure that every credential the MID Server needs is granted access to the ServiceNow_MID_Server App-ID.
      Note: You can override the default ServiceNow_MID_Server App-ID in the MID Server config.xml file using the ext.cred.app_id parameter. If you change the value in this parameter, make sure to configure a matching value in the vault.
  2. Install the CyberArk Credential Provider, including the AIM API, on each machine that hosts a MID Server service that is used to access the credential store.
  3. Provision CyberArk accounts and set permissions for application access.
    For details, refer to the CyberArk Privileged Account Security Implementation Guide.
    1. In the CyberArk Password Safe, create the privileged accounts required by Discovery, Orchestration, or Service Mapping to access different devices and ensure that these accounts are members of the safes in which the necessary credentials are stored.
    2. Add the Credential Provider and application users as members of the Password Safes where the application passwords are stored.

Import the CyberArk JAR file

Import the CyberArk JavaPasswordSDK.jar file into the instance to make it accessible to the MID Server.

Before you begin

Role required: agent_admin or admin

Before starting this procedure, ensure that CyberArk is configured to allow the MID Server access to credentials. Ensure that the CyberArk AIM API is installed on each server hosting a MID Server that is used to access the vault.

About this task

Use this process even if the JavaPasswordSDK.jar file already exists on the MID Server.

Procedure

  1. Navigate to MID Server > JAR Files.
  2. Click New.
  3. Complete the form using the fields in the table.
    Table 1. JAR File form fields
    Field        Description
    Name         Unique and descriptive name for identifying the file in the instance.
    Version      Optional version number for the file, if one is available.
    Source       Provider of the JAR file. Source information is not used by the system.
    Description  Optional short description of the JAR file and its purpose in the instance.
  4. Attach the JAR file to this record.
    The AIM JavaPasswordSDK.jar file comes with the AIM SDK installation files and is typically located on the MID Server in the AIM installation directory at <install_dir>/CyberArk/ApplicationPasswordSdk.
  5. Click Submit.
  6. Restart the MID Server service.
    The platform makes the JAR file available to any MID Server configured to communicate with the instance.

Configure the MID Server for CyberArk

Configure the config.xml file to grant the MID Server access to the CyberArk vault.

Before you begin

Role required: admin

Before starting this procedure, import the JavaPasswordSDK.jar file into the instance.

Procedure

Manually configure the MID Server config.xml file with these parameters.

This configuration cannot be done from the instance.

Table 2. Required configuration parameters

ext.cred.safe_folder (value: NameOfFolder)
    Folder to use for all credential lookups. For example, root.
ext.cred.use_cyberark (value: true)
    Boolean parameter indicating that this MID Server is integrated with CyberArk.

Table 3. Optional configuration parameters

ext.cred.safe_timeout (value: 5)
    Timeout of each credential lookup in the vault, specified in seconds.
ext.cred.safe_name (value: NameOfSafe)
    Default safe name used for all credential lookups. If credentials are in multiple safes, the credential ID may be specified in the format <safeName>:<CredentialID>. When configured like this, the NameOfSafe field is ignored. If all external credentials have their credential IDs specified in this format, then leave out the NameOfSafe field.
    Note: By default the separator character in this format is a colon. To assign any character you want as a separator, add this line to the CredMap.properties file: safe.cred.split.string=<string>.
ext.cred.app_id (value: ServiceNow_MID_Server)
    Specifies the App-ID used to grant permission to the MID Server to access the CyberArk vault. The default value, ServiceNow_MID_Server, must be defined in the CyberArk vault. You can use this parameter to override the default and specify your own App-ID. If you edit the App-ID in this parameter, make sure to configure CyberArk to match.
ext.cred.type_specifier (value: true)
    Forces an IP address lookup to return credentials that match both the CyberArk platform ID and the IP address. For example, if an IP address is shared by both Windows and Tomcat, a credential with a platform ID starting with Win returns the Windows credential only. When this parameter is set to true, CyberArk looks for platform IDs that begin with:
      • Win: Windows
      • Unix: SSH
      • VMWare: VMware
ext.cred.check_ssh_type (value: false)
    When set to true, requires that the type of SSH credential returned from CyberArk matches the type of credential requested. For example, if a normal SSH username/password credential is requested and only SSH keys are available, the credential lookup fails.
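The following is an added example of how these parameters look inside the MID Server config.xml; it is not taken from the product documentation. It assumes the file's usual <parameters> root with one <parameter name="..." value="..."/> element per setting, and the safe name ProdSafe is a constructed value. Both type_specifier and check_ssh_type are switched on here so that an IP-address lookup on a shared host cannot hand back a credential of the wrong platform or key type.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<parameters>
  <!-- ... the MID Server's existing instance URL, name and credential parameters stay here ... -->

  <!-- Required: turn on the CyberArk integration and pick the lookup folder -->
  <parameter name="ext.cred.use_cyberark" value="true"/>
  <parameter name="ext.cred.safe_folder" value="root"/>

  <!-- Optional: default safe (constructed name); omit when every Credential ID is <safe>:<credential ID> -->
  <parameter name="ext.cred.safe_name" value="ProdSafe"/>

  <!-- Optional: per-lookup timeout in seconds -->
  <parameter name="ext.cred.safe_timeout" value="5"/>

  <!-- Optional: App-ID; must match the App-ID defined in the vault -->
  <parameter name="ext.cred.app_id" value="ServiceNow_MID_Server"/>

  <!-- Optional hardening: IP lookups must match the platform ID prefix (Win/Unix/VMWare),
       and an SSH lookup must return the credential type that was requested -->
  <parameter name="ext.cred.type_specifier" value="true"/>
  <parameter name="ext.cred.check_ssh_type" value="true"/>
</parameters>
```

Restart the MID Server service after editing the file, as with the JAR import above.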

Configure CyberArk for SNMPv2 credentials

If your system uses SNMPv2, you can create a special file to map the attribute in a credential to the community string.

Before you begin

Role required: admin

Before starting this procedure, configure the MID Server to have access to the CyberArk vault.

About this task

Note: If the community string appears in the password field of the CyberArk credential, it is not necessary to perform this procedure.

SNMPv2 is not natively supported in CyberArk. If your organization has created custom SNMPv2 credentials in which the community string does not appear in the password field of the credential, use this procedure to map the attribute in the credential to the community string.

Procedure

  1. In a text editor, create a file called CredMap.properties, containing this code:
    SNMPv2.Community=attribute_name
  2. Save the file to the /agent directory of your MID Server installation.
    On credential lookup, the MID Server attempts to find this attribute for the credential. If the attribute is not found, the MID Server then looks in the password field. If the password field is empty, the credential lookup fails.

Configure the CyberArk credential identifier

Create the unique key that CyberArk can use to identify specific credentials in the external repository.

Before you begin

Role required: admin

Before starting this procedure, ensure that the External Credential Storage plugin is activated, and the com.snc.use_external_credentials system property is set to true.

Procedure

  1. Navigate to Discovery > Credentials or Orchestration > Credentials.
  2. Click New.
  3. From the list of credential types, select a type that supports CyberArk external storage.
  4. Complete the form using the fields from your credential type.
  5. Select the External credential storage check box.
    The User name and Password fields are replaced with the Credential ID field.
  6. In the Credential ID field, enter an expression using one of these formats:
    • If all your credentials are in the same safe, configure this safe name in the MID Server config.xml file using the ext.cred.safe_name parameter, and then specify the credential ID by name only, as <credential ID>.
    • To name credentials for a given platform that reside in a specific safe, define the credential ID as <safe>:<credential ID>:<platform ID>.
    • If your credentials are in multiple safes, specify the credential ID in this format: <safe>:<credential ID>.
    • If you want CyberArk to look up the credential by IP address, using an alternate safe, specify the credential ID in this format: <safe>:.
    • If you want CyberArk to look up the credential for an alternate platform ID in the same safe, use this format: ::<platform ID>
    • If you want CyberArk to look up the credential in a configured safe by the IP address rather than the credential ID, leave this field blank. This is the best practice for handling installations in which each server has a unique credential. Without this type of lookup, you must create a credential ID record in your instance for every server in your environment.
    Note: The credential ID must match the value in the Name field of the credential in the CyberArk vault. The Credential ID field has a limit of 40 characters.
  7. Click Submit.

Configure AWS credentials on a CyberArk vault

Configure your CyberArk vault with the AWS credentials to be retrieved for use by your instance.

About this task

Store the credentials as an SSH key on the CyberArk vault. When you configure access to the vault on your instance, the name you give to the SSH key must also be used as the credential ID.

Procedure

  1. In CyberArk, go to Accounts > Add SSH Key.
  2. Enter the following information:
    Table 4. CyberArk credentials
    Field Value
    Device Type Select Cloud Service.
    Platform Name Select Amazon Web Services - AWS - Access Keys.
    AWS Access Key ID Enter the AWS Access Key, as provided by AWS.
    Password Enter the AWS Secret Access Key, as provided by AWS.
    Name Enter a name for this key.
  3. Choose Save.

What to do next

If you have not done so already, create a credential identifier on your instance to configure access to the CyberArk vault. For more details, see Configure access to external credential storage for AWS.