mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-23 15:41:07 +02:00
Code Issues Projects Releases Wiki Activity
vault/website/content/docs/platform/servicenow/configuration.mdx
Sarah Chavis 4383f5bb9c
make AD secrets plugin EOL (#29923)
2025-03-13 15:14:36 -07:00

112 lines
4.3 KiB
Plaintext
Raw Blame History

---
layout: docs
page_title: Configure the Vault ServiceNow Credential Resolver
description: Configurable properties for the Vault ServiceNow Credential Resolver.
---
# Configure the Vault ServiceNow Credential Resolver
## MID server properties
The following [properties] are supported by the Vault Credential Resolver:
- `mid.external_credentials.vault.address` `(string: "")` - Address of Vault Agent as resolveable by the MID server.
For example, if Vault Agent is on the same server as the MID server it could be `https://127.0.0.1:8200`.
- `mid.external_credentials.vault.ca` `(string: "")` - The CA certificate to trust for TLS in PEM format. If unset,
the system's trusted CAs will be used.
- `mid.external_credentials.vault.tls_skip_verify` `(string: "")` - When set to true, skips verification of the Vault server
TLS certificiate. Setting this to true is not recommended for production.
[properties]: https://docs.servicenow.com/bundle/quebec-servicenow-platform/page/product/mid-server/reference/r_MIDServerProperties.html#t_SetMIDServerProperties
## Configuring discovery credentials
To consume Vault credentials from your MID server, you will need to:
* Create a secret in Vault
* Configure the resolver to use that secret
### Creating a secret in Vault
The credential resolver supports reading credentials from the following secret engines:
* [AD/OpenLDAP](/vault/docs/secrets/ldap)
* [AWS](/vault/docs/secrets/aws)
* [KV v1](/vault/docs/secrets/kv/kv-v1)
* [KV v2](/vault/docs/secrets/kv/kv-v2)
When creating KV secrets, you must use the following keys for each component
to ensure it is correctly mapped to ServiceNow's credential fields:
Key | Description | Supported aliases
------------|----------------------------------------|------------------
username | The username | access_key
password | The password | secret_key, current_password
private_key | The private SSH key |
passphrase | The passphrase for the private SSH key |
Most ServiceNow credential types will expect at least a username and either
a password or a private key. To help surface errors early, the credential
resolver validates that a username and password are present for:
* aws
* basic
* jdbc
* jms
* ssh_password
* vmware
* windows
The credential resolver expects the following types to specify at least
a username and a private key:
* api_key
* cfg_chef_credentials
* infoblox
* sn_cfg_ansible
* sn_disco_certmgmt_certificate_ca
* ssh_private_key
For SNMPv3 credentials, the credential resolver can accept up to five values:
* username
* auth-protocol
* auth-key
* privacy-protocol
* privacy-key
Depending on the configuration of the SNMP endpoint, the username at least will always be required. See below for different SNMP endpoint configurations:
Level | Authentication | Encryption | What Happens
--------------|----------------|------------|------------------------
noAuthNoPriv | Username | None | Username match for auth
authNoPriv | MD5 or SHA | None | Auth based on HMAC-MD5 or HMAC-SHA algorithms
authPriv | MD5 or SHA | DES | Auth based on HMAC-MD5 or HMAC-SHA algorithms; provides DES 56-bit encryption based on (CBC)-DES (DES-56)
### Configuring the resolver to use a secret
<ImageConfig hideBorder caption="Vault credential resolver">
![Partial screenshot of the ServiceNow UI showing the search dialog for adding a Vault configuration by name](/img/service-now/vault-credential-resolver-fqcn.png)
</ImageConfig>
In the ServiceNow UI:
1. Navigate to "Discovery - Credentials &rarr; New".
1. Choose a type from the list.
1. Select "External credential store".
1. Provide a fully qualified collection name (FQCN):
- **Xanadu (Q4-2024) or newer**: use `com.snc.discovery.CredentialResolver`
- **Versions prior to Xanadu (Q4-2024)**: leave blank or use "None"
1. Provide a meaningful name for the resolver.
1. Set "Credential ID" to the
[ReadSecretVersion endpoint](/vault/api-docs/secret/kv/kv-v2#read-secret-version)
of your secrets plugin and credential. For example, the endpoint
for a secret stored on the path `ssh` under a KV v2 secret engine mounted at
`secret` is `/secret/data/ssh`.
1. Click "Test credential" then select a MID server and target to test your
configuration.
Reference in New Issue View Git Blame Copy Permalink