
SSH step


The SSH step executes SSH commands on an external *nix system through a ServiceNow® MID Server. The step also stores scripts and commands for the *nix systems.

Note:
  • The SSH step is not available in the base system. The step requires a subscription to ServiceNow® IntegrationHub and activation of the IntegrationHub Professional Pack Installer (com.glide.hub.integrations.professional) or later. For more information about the IntegrationHub subscription packages, see IntegrationHub usage and subscription. After you activate the required plugin, the step is visible under Integrations.
  • IntegrationHub supports ServiceNow SSH only.

Roles and availability

The SSH step is available as an Action Designer action step. Users with the action_designer role can create a custom action with one or more action steps.

Sanitizing arguments using the escape class and function

Escape all user inputs to eliminate the possibility of a malicious user executing arbitrary commands on your target server. Escape and validate data pills before the Command field uses them: precede the SSH step with a preprocessing Script step that takes the arguments used to construct the command in the SSH step and sanitizes them.

In the Script step, use the escape class, GlideShellEscapeUtils, and its escape function, escapeBashShellArg. The escaped arguments are the output of the Script step. Use this escaped output as the arguments of the commands in the SSH step. The escaped values should contain only the arguments of a command.

Table 1. Escape APIs

Escape class/function: Description

GlideShellEscapeUtils: Provides scripted APIs to escape shell arguments. For example, var escapedArgument = SNC.GlideShellEscapeUtils.escapeBashShellArg("/etc && cat myfile.txt"); The escaped argument is '/etc && cat myfile.txt'.

escapeBashShellArg:
  • Adds single quotes around a string.
  • Escapes any existing single quotes within a string, enabling you to pass the string directly to a shell function and treat the string as a single safe argument.
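
The effect of the escaping described above, as an added example that is not ServiceNow code. On an instance the Script step calls SNC.GlideShellEscapeUtils.escapeBashShellArg; the local escapeBashShellArg below is a stand-in that assumes embedded single quotes are emitted as '\'', and shellWords is a hypothetical, simplified model of shell parsing used only to show what the target shell would receive.

```javascript
// Stand-in for SNC.GlideShellEscapeUtils.escapeBashShellArg so this runs outside
// an instance. Assumption: an embedded single quote is emitted as '\''.
function escapeBashShellArg(value) {
  return "'" + String(value).replace(/'/g, "'\\''") + "'";
}

// Hypothetical, simplified model of shell parsing: handles single quotes,
// backslash escapes and blanks, and records characters the shell would interpret.
function shellWords(cmd) {
  var words = [], special = [], cur = '', inWord = false;
  function flush() { if (inWord) { words.push(cur); cur = ''; inWord = false; } }
  for (var i = 0; i < cmd.length; i++) {
    var c = cmd[i];
    if (c === "'") {                                  // quoted run is taken literally
      var end = cmd.indexOf("'", i + 1);
      if (end === -1) { throw new Error('unterminated single quote'); }
      cur += cmd.slice(i + 1, end); inWord = true; i = end;
    } else if (c === '\\' && i + 1 < cmd.length) {    // backslash-escaped character
      cur += cmd[++i]; inWord = true;
    } else if (c === ' ' || c === '\t') {             // blank ends the current word
      flush();
    } else if (';&|<>()`$'.indexOf(c) !== -1) {       // unquoted shell metacharacter
      flush(); special.push(c);
    } else { cur += c; inWord = true; }
  }
  flush();
  return { words: words, special: special };
}

// Parse the command line the SSH step would send for a given argument string.
function parseCommand(argument) { return shellWords('ls ' + argument); }

// Constructed inputs: the page's own example and one with an embedded quote.
var input = '/etc && cat myfile.txt';
var rawResult = parseCommand(input);                          // data pill used as-is
var escapedResult = parseCommand(escapeBashShellArg(input));  // Script step output
var quoted = "/tmp/it's; id";
var quotedResult = parseCommand(escapeBashShellArg(quoted));

console.log(rawResult);      // four words plus two unquoted '&' characters
console.log(escapedResult);  // 'ls' and one argument, nothing left for the shell to interpret
console.log(quotedResult);   // the embedded quote survives inside a single argument
```

Escaping keeps the value a single argument; it does not check that the value is an acceptable one, which is why the page asks for validation as well.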

Fields

Field: Description

Connection Details

Connection: Type of connection to use.
  • Define Connection Inline: Define connection information within the action step.
  • Use Connection Alias: Define connection information using the Connection Alias table. Using an alias eliminates the need to configure multiple credentials and connection information profiles when using an action in multiple environments. Likewise, if the connection information changes, you don't need to update your custom action.

To learn more about connections and credentials, see credentials, connections, and aliases.

Connection Alias: Connection & Credential alias record the system uses to run the action step. Users with the flow_designer or admin role can create or select an associated Connection record. Using an alias eliminates the need to configure multiple credentials and connection information profiles when using an action in multiple environments. Likewise, if the connection information changes, you don't need to update your custom action. To learn more about connections and credentials, see credentials, connections, and aliases. The credential value is displayed as a Password (2 Way Encrypted) data pill on the data pane. This field is available when Use Connection Alias is selected from the Connection list.

Credential Alias: Credential alias the system uses to run the action step. Users with the flow_designer or admin role can create or select an associated Connection record. Using an alias eliminates the need to configure multiple credentials when using an action in multiple environments. Likewise, if the credential information changes, you don't need to update your custom action. To learn more about connections and credentials, see credentials, connections, and aliases. The credential value is displayed as a Password (2 Way Encrypted) data pill on the data pane. This field is available when Define Connection Inline is selected from the Connection list.

Host: Host name or IP address of the target server. This field is available when Define Connection Inline is selected from the Connection list.

MID Application: Option to use a MID Server to run the SSH step. This field is available when Define Connection Inline is selected from the Connection list.

Capabilities: Capability of the MID Server. Select SSH. This field is available when Define Connection Inline is selected from the Connection list.

SSH Configuration

Working Directory: Optional target directory on the target host where the command is run.

Command: Command that runs on the target directory. The command can also include MID Server scripts. See Advanced SSH script options for more information.
Note: Escape and validate data pills before the command field uses them by sanitizing arguments using a preprocessing Script step. For more information, see Sanitizing arguments using the escape class and function.

Long Running: Option to disable the SSH connection timeout for commands that might take longer than the default time of 120 seconds to run. When selected, the engine detaches from the execution thread until completion.

Sudo Mode: Option to elevate privileges to execute the script. For more information, see SSH credentials.

Advanced SSH script options

To run a MID Server script on the target host, specify the script type and pass the name of the script into the ${syncFile()} parameter. The system uses this parameter to locate the named script in the MID Server Script File [ecc_agent_script_file] table and run it on the target host. For example, a bash script can be expressed as:
bash ${syncFile("<MID script name>")} argument1 argument2 argument3
A base script (main_script.bash) can reference another script (my_include.bash) as well as a separate file (.my_profile) located on the target host. Both scripts and the file referenced must be synced to the MID Server, using the ${syncFile()} parameter, to execute properly.
source ${syncFile(".my_profile")}
cp ${syncFile("my_include.bash")} /usr/ssmith/my_include.bash
bash ${syncFile("main_script.bash")} one two three four five six 
rm /usr/ssmith/my_include.bash
A Python example with inline comments might look like this:
export LIB_DIR=/usr/bin
# Sync a file that is referenced inside myF5CreateLBPool.py 
cp ${syncFile("specialFunctions.py")} ~/specialFunctions.py 
# set up environment variables 
source ${syncFile(".python_profile")} 
# call script that sets up dependencies on the box from remote package repos 
python ${syncFile("setupPythonDependencies.py")} pycontrol 
# call a script that requires functions from the package as well as a function from myIncludedFile 
python ${syncFile("myF5CreateLBPool.py")} snow_pool myActualValue 
# user is responsible for their own cleanup 
rm ~/specialFunctions.py 

To see the list of available MID Server scripts, navigate to MID Server > Script Files.
