open-vault/website/content/docs/platform/servicenow/configuration.mdx

86 lines
3.1 KiB
Plaintext
Raw Normal View History

---
layout: docs
page_title: Configure Vault ServiceNow Credential Resolver
description: This section documents the configurables for the Vault ServiceNow Credential Resolver.
---
# Configuring the Vault Credential Resolver
## MID server properties
The following [properties] are supported by the Vault Credential Resolver:
- `mid.external_credentials.vault.address` `(string: "")` - Address of Vault Agent as resolveable by the MID server.
For example, if Vault Agent is on the same server as the MID server it could be `https://127.0.0.1:8200`.
- `mid.external_credentials.vault.ca` `(string: "")` - The CA certificate to trust for TLS in PEM format. If unset,
the system's trusted CAs will be used.
- `mid.external_credentials.vault.tls_skip_verify` `(string: "")` - When set to true, skips verification of the Vault server
TLS certificiate. Setting this to true is not recommended for production.
[properties]: https://docs.servicenow.com/bundle/quebec-servicenow-platform/page/product/mid-server/reference/r_MIDServerProperties.html#t_SetMIDServerProperties
## Configuring discovery credentials
To consume Vault credentials from your MID server, you will need to:
* Create a secret in Vault
* Configure the resolver to use that secret
### Creating a secret in Vault
The credential resolver supports reading credentials from the following secret engines:
* [Active Directory](/docs/secrets/ad)
* [AWS](/docs/secrets/aws)
* [K/V v1](/docs/secrets/kv/kv-v1)
* [K/V v2](/docs/secrets/kv/kv-v2)
When creating K/V secrets, you must use the following keys for each component
to ensure it is correctly mapped to ServiceNow's credential fields:
Key | Description | Supported aliases
------------|----------------------------------------|------------------
username | The username | access_key
password | The password | secret_key, current_password
private_key | The private SSH key |
passphrase | The passphrase for the private SSH key |
Most ServiceNow credential types will expect at least a username and either
a password or a private key. To help surface errors early, the credential
resolver validates that a username and password are present for:
* aws
* basic
* jdbc
* jms
* ssh_password
* vmware
* windows
And the credential resolver expects the following types to specify at least
a username and a private key:
* api_key
* cfg_chef_credentials
* infoblox
* sn_cfg_ansible
* sn_disco_certmgmt_certificate_ca
* ssh_private_key
### Configuring the resolver to use a secret
In the ServiceNow UI:
* Navigate to "Discovery - Credentials" -> New
* Select a type from the list
* Tick "External credential store"
* Fill in a meaningful name
* Set "Credential ID" to the path in Vault where your secret is located, e.g.
for a KV v2 secret engine mounted at "secret", you might have a secret stored
under "ssh": `secret/data/ssh`. Check the [API docs](/api-docs/secret/) for
your secret engine if you are unsure of the path to use
* **Optional:** Click "Test credential" and select a MID server and a target
to test against to test everything is working