Skip to content

Latest commit

 

History

History
102 lines (76 loc) · 3.94 KB

configuration.mdx

File metadata and controls

102 lines (76 loc) · 3.94 KB
Raw
layout page_title description
docs
Configure Vault ServiceNow Credential Resolver
This section documents the configurables for the Vault ServiceNow Credential Resolver.

Configuring the Vault credential resolver

MID server properties

The following properties are supported by the Vault Credential Resolver:

  • mid.external_credentials.vault.address (string: "") - Address of Vault Agent as resolveable by the MID server. For example, if Vault Agent is on the same server as the MID server it could be https://127.0.0.1:8200.

  • mid.external_credentials.vault.ca (string: "") - The CA certificate to trust for TLS in PEM format. If unset, the system's trusted CAs will be used.

  • mid.external_credentials.vault.tls_skip_verify (string: "") - When set to true, skips verification of the Vault server TLS certificiate. Setting this to true is not recommended for production.

Configuring discovery credentials

To consume Vault credentials from your MID server, you will need to:

  • Create a secret in Vault
  • Configure the resolver to use that secret

Creating a secret in Vault

The credential resolver supports reading credentials from the following secret engines:

When creating KV secrets, you must use the following keys for each component to ensure it is correctly mapped to ServiceNow's credential fields:

Key Description Supported aliases
username The username access_key
password The password secret_key, current_password
private_key The private SSH key
passphrase The passphrase for the private SSH key

Most ServiceNow credential types will expect at least a username and either a password or a private key. To help surface errors early, the credential resolver validates that a username and password are present for:

  • aws
  • basic
  • jdbc
  • jms
  • ssh_password
  • vmware
  • windows

The credential resolver expects the following types to specify at least a username and a private key:

  • api_key
  • cfg_chef_credentials
  • infoblox
  • sn_cfg_ansible
  • sn_disco_certmgmt_certificate_ca
  • ssh_private_key

For SNMPv3 credentials, the credential resolver can accept up to five values:

  • username
  • auth-protocol
  • auth-key
  • privacy-protocol
  • privacy-key

Depending on the configuration of the SNMP endpoint, the username at least will always be required. See below for different SNMP endpoint configurations:

Level Authentication Encryption What Happens
noAuthNoPriv Username None Username match for auth
authNoPriv MD5 or SHA None Auth based on HMAC-MD5 or HMAC-SHA algorithms
authPriv MD5 or SHA DES Auth based on HMAC-MD5 or HMAC-SHA algorithms; provides DES 56-bit encryption based on (CBC)-DES (DES-56)

Configuring the resolver to use a secret

In the ServiceNow UI:

  • Navigate to "Discovery - Credentials" -> New
    • Select a type from the list
    • Tick "External credential store"
    • Fill in a meaningful name
    • Set "Credential ID" to the path in Vault where your secret is located, e.g. for a KV v2 secret engine mounted at "secret", you might have a secret stored under "ssh": secret/data/ssh. Check the API docs for your secret engine if you are unsure of the path to use
    • Optional: Click "Test credential" and select a MID server and a target to test against to test everything is working