The MID Server integration with the CyberArk vault enables Orchestration, Discovery, and Service Mapping to run without storing any
credentials on the instance.
Introduction to CyberArk
CyberArk’s Application Identity Management (AIM) product uses the Privileged Account
Security solution to eliminate the need to store application passwords embedded in
applications, scripts or configuration files, and allows these highly-sensitive passwords to
be centrally stored, logged and managed within the CyberArk vault. This approach enables
organizations to comply with internal and regulatory requirements of periodic password
replacement and to monitor activities associated with all types of privileged identities,
whether on-premise or in the cloud.
The instance maintains a unique identifier for each credential, the credential type (such
as SSH, SNMP, or Windows), and any credential affinities. The MID Server obtains the
credential identifier, credential type, and IP address from the instance, and then uses the
CyberArk vault to resolve these elements into a usable credential.
The CyberArk integration requires the ServiceNow®
External Credential Storage plugin, which is available in . The MID Server and CyberArk AIM/API client must be installed on the same
machine.
Installed with CyberArk
- Business rule: The External Credential Storage business rule performs the following tasks when an administrator makes any change to the external credential storage property:
  - Changes the view for the Credentials record list and form to the External Storage view. This view enables users to see the Credential ID column in the list.
  - Instructs the MID Server to refresh its non-external credentials cache in preparation for a change in the way credentials are obtained.
- System property: A property called Enable External Credential Storage [com.snc.use_external_credentials] enables or disables the External Credential Storage plugin after it is activated. This property is located in and , and is enabled when you activate the plugin.
Note: If you disable
external credential storage with the system property, the system automatically sets
all the external credentials to inactive in the instance. If you re-enable the feature
with this property, the system does not reset the external credential records
to active. You must reactivate each credential record manually.
Supported credential types
The CyberArk integration supports these
ServiceNow credential types:
- CIM
- JMS
- SNMP Community
- SNMPv3
- SSH
- SSH Private Key (with key only)
- VMware
- Windows
Orchestration activities that use these network protocols support the use of credentials
stored on a CyberArk vault:
Important: You cannot manage credentials stored on a
CyberArk vault and a custom
external credential
storage system using the same MID Server. The MID Server and CyberArk AIM/API
client must be installed on the same machine.
How the MID Server handles Windows accounts
Credential lookup initially attempts to match the specified credential ID to an existing
value in the CyberArk vault Name field. If a match is found, that
credential is returned. If no match is found, the credential lookup attempts to find a match
using the IP address. If the IP address lookup matches more than one credential, such as
Windows and Tomcat on the same server, the lookup fails. To avoid this issue, set the
ext.cred.type_specifier parameter in the MID Server config.xml file
to true to force CyberArk to return credentials that match both the
credential type and the IP address. For example, if an IP address is shared by both Windows
and Tomcat, a credential type of Windows returns the Windows credential only.
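To make the lookup order concrete, here is an added Python simulation (not ServiceNow or CyberArk code) of the credential ID, IP address and ext.cred.type_specifier resolution described above. The vault entries, host addresses and the config.xml layout it reads are constructed for this example and are assumptions, not values from the page.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class VaultEntry:
    name: str       # CyberArk object "Name" field, matched against the credential ID
    address: str    # IP address of the target host
    cred_type: str  # credential type, e.g. "Windows" or "Tomcat"
    username: str


# Constructed sample vault: a Windows and a Tomcat account share host 10.0.0.5
VAULT = [
    VaultEntry("win-db01", "10.0.0.5", "Windows", "Administrator"),
    VaultEntry("tomcat-db01", "10.0.0.5", "Tomcat", "tomcat"),
    VaultEntry("ssh-app02", "10.0.0.6", "SSH", "root"),
]

# Constructed config.xml fragment; the <parameter name= value=/> layout is an
# assumption about the MID Server config format, not taken from the page.
CONFIG_XML = """<parameters>
  <parameter name="ext.cred.type_specifier" value="true"/>
</parameters>"""


def type_specifier_enabled(config_xml):
    """Read ext.cred.type_specifier from a config.xml document (default: false)."""
    root = ET.fromstring(config_xml)
    for p in root.iter("parameter"):
        if p.get("name") == "ext.cred.type_specifier":
            return p.get("value", "false").strip().lower() == "true"
    return False


def resolve_credential(cred_id, cred_type, ip, type_specifier=False):
    """Lookup order from the text: Name match first, then IP (optionally narrowed by type)."""
    for entry in VAULT:            # step 1: exact match on the vault Name field
        if entry.name == cred_id:
            return entry
    matches = [e for e in VAULT    # step 2: fall back to the IP address
               if e.address == ip and (not type_specifier or e.cred_type == cred_type)]
    if len(matches) > 1:           # e.g. Windows and Tomcat on the same host
        raise LookupError(f"ambiguous: {len(matches)} vault entries match {ip}")
    return matches[0] if matches else None


def lookup_status(cred_id, cred_type, ip, type_specifier):
    # String summary of one lookup; "ambiguous" is the failure mode the text warns about
    try:
        entry = resolve_credential(cred_id, cred_type, ip, type_specifier)
    except LookupError:
        return "ambiguous"
    return f"resolved:{entry.name}" if entry else "not_found"
```

With type_specifier off, a credential ID that is not found by Name and an IP shared by two accounts yields "ambiguous"; turning it on returns only the entry whose type matches.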