Installing and configuring the Centrify External Credential Storage Plugin

This documentation describes how to install and configure the Centrify External Credential Storage Plugin, in the sections that follow:

Where to download

To download the plugin, navigate to the Centrify Download Center (www.Centrify.com > Support > Downloads) and click Tools and Plugins > ServiceNow Integration.

Prerequisites

You need the following components to install and configure the Centrify External Credential Storage Plugin:

  • ServiceNow Instance.
  • ServiceNow MID Server (a virtual machine configuration provided by ServiceNow).
  • Centrify External Credential Storage Plugin.
  • Centrify Privileged Access Request (a plugin available from the ServiceNow Store).
  • Privileged Access Service.
  • Centrify-provided JAR file.
  • Centrify-provided properties file (which you will modify).

Setting up the Centrify Privileged Access Service instance

To set up Centrify PAS, perform the steps below.

Create a user

  1. Install the Centrify Privileged Access Request application from the ServiceNow Store first.
  2. Set up credentials and permissions for the various servers.
  3. Create a user:
    1. In the Admin Portal, navigate to Users, click Add User, and enter the following:
    • Enter a login name and select a suffix.
    • Enter an e-mail address.
    • Enter a display name.
    • Set a password for the user.
    • Under Status, check Is OAuth confidential client.

    Note:   Protect, harden, and review access to the MID Server and the properties file. The MID Server and the properties file grant the ability to use these credentials and perform API calls against the tenant. While the confidential-client setting restricts this user from logging into the portal interactively, the credentials can still be used for API calls to "RedRock/Query" and "ServerManage/CheckoutPassword."

    2. Click Create User.

Set up an OAuth client application

OAuth issues a token that eventually times out (five hours is the default, configured on the Web Applications settings page of the management portal). Until then the token can be used without additional authentication, and once issued it is used in place of the account password. Set it up as follows:

Note:   Even after the token expires, OAuth remains the default authentication mechanism for the profile or configuration.

  1. Once the user is created, navigate to Apps > Web Apps and click Add Web Apps.
  2. Select Custom and add OAuthClient.
  3. Update the settings of the OAuth Client Application: click Apps > Web Apps again and click the OAuth Client row you just created. Under the Settings tab, enter the following:
  • Application ID: "oauth_2_client."
  • Name: "OAuth Client."
  • Description: "Use this template to set up an application that is making OAuth secured REST calls to the Centrify Platform."
  4. Click Scope and create a new Scope Definition with the properties below.

    You will add a scope named "passwordCheckout." That is the only scope the application will look for, and its name must match the scope value in the properties file. The "REST Regex" is the pattern that enables API calls for the ServiceNow Plugin (documentation can be reviewed at https://developer.centrify.com/reference). For example, a scope defined to allow REST API calls matching ".*" enables all API calls, while "UserMgmt/.*" restricts calls to just the User Management section. Security best practice is to make this the minimal set of APIs needed. The scope of the ServiceNow plugin must be set to "RedRock/Query" and "ServerManage/CheckoutPassword."

    • Name: "passwordCheckout."
    • Description: "Allows ServiceNow MID Server plugin to checkout account password from PAS."
    • Under Allowed REST APIs, click Add:
      1. Enter RedRock/Query and click Save.
      2. Under Allowed REST APIs, click Add again and enter ServerManage/CheckoutPassword.
      3. Click Save.
  5. Click Permissions > Add. Search for and select the user you created, and add that user.

Note:   This user is restricted to the View and Run permissions.

  6. Under the General Usage tab:
  • Issuer: default.
  • Client ID Type: Confidential.
  • Uncheck Must be OAuth Client.

Note:   You created a special cloud OAuth user (above) for this purpose.

  7. Under the Tokens tab:
  • Under Auth Methods, check Client Credentials. You can uncheck the other Auth Methods if desired.
  • You can accept the defaults or change the token lifetime. To reduce re-authentication, you may prefer a longer token lifetime.
  8. Click Save.
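As an added illustration of the scope discussion above (not part of the original documentation), the following Python check compares a scope's Allowed REST API regexes against the two calls the plugin needs, reporting calls the scope would block and unrelated calls it would additionally expose. The whole-path regex matching rule and the unrelated endpoint names are assumptions made for this example.

```python
import re

# Allowed REST APIs of the "passwordCheckout" scope set up above: exactly the two
# calls the ServiceNow MID Server plugin makes.
PASSWORD_CHECKOUT_SCOPE = ["RedRock/Query", "ServerManage/CheckoutPassword"]
PLUGIN_CALLS = ["RedRock/Query", "ServerManage/CheckoutPassword"]

# Constructed placeholder endpoint names (not a list of real Centrify APIs), used
# only to show which unrelated calls a broader regex would also expose.
OTHER_CALLS = ["UserMgmt/ExampleCall", "ServerManage/ExampleCall", "RedRock/ExampleCall"]

def scope_allows(allowed_regexes, api_path):
    """True if api_path matches one of the scope's REST regexes.
    Assumption: the whole path must match (re.fullmatch); the page does not
    state Centrify's exact matching rule."""
    return any(re.fullmatch(pattern, api_path) for pattern in allowed_regexes)

def review_scope(allowed_regexes):
    """Return (missing, excess): plugin calls the scope would block, and unrelated
    calls it would additionally grant. The ideal result for this plugin is ([], [])."""
    missing = [c for c in PLUGIN_CALLS if not scope_allows(allowed_regexes, c)]
    excess = [c for c in OTHER_CALLS if scope_allows(allowed_regexes, c)]
    return missing, excess

if __name__ == "__main__":
    for regexes in (PASSWORD_CHECKOUT_SCOPE, [".*"], ["UserMgmt/.*"]):
        print(regexes, "->", review_scope(regexes))
```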

Setting up the ServiceNow and ServiceNow MID Server instances

To set up ServiceNow and ServiceNow MID Server instances, perform the following steps:

  1. Install a ServiceNow MID Server if you do not already have one set up. To do this, follow the instructions detailed for the ServiceNow MID Server Installation.
  2. Request an external credential storage for discovery and orchestration by following the steps detailed by ServiceNow.
  3. Once it is available to you, install the External Credential Storage Plugin.
  4. Create a new MID Server JAR File record named snowjar.jar and attach snowjar.jar:
    1. From the left navigation, navigate to MID Server > JAR Files.
    2. Click New.
    3. Set the Name field and use the paperclip icon on the right to attach the JAR file.
  5. Using RDP or a similar tool, remote into the MID Server.
  6. Place a properties file called cred_resolver.properties in the same location as the JAR file on the MID Server.
  7. Update the properties file as follows:

Note:   Protect, harden, and review access to the MID Server and the properties file. The MID Server and the properties file grant the ability to use these credentials and perform API calls against the tenant. While the confidential-client setting restricts this user from logging into the portal interactively, the credentials can still be used for API calls to "RedRock/Query" and "ServerManage/CheckoutPassword."

  • basic_auth_str = a base64-encoded string in the format "username:password". Use the username (login name + suffix) and password of the user you created in Centrify PAS.
  • host = the URL you use to access Centrify PAS.
  • application_id = oauth_2_client.
  • grant_type = client_credentials.
  • scope = passwordCheckout.
  • proxy_host = leave blank unless a proxy is required for the MID Server to reach the internet.
  • proxy_port = leave blank unless a proxy is required for the MID Server to reach the internet.
  • credential_lookup_type = narrow.

    Note:   The value is ideally narrow, but if Centrify PAS does not have the IP addresses of all your servers, you must set this to wide.

  • attempt_hostname_lookup = false (this option is not yet implemented).
  8. Create a new MID Server JAR file record named cred_resolver.properties and attach the cred_resolver.properties file:
    1. From the left navigation, go to MID Server > JAR Files.
    2. Click New.
    3. Set the Name field and use the paperclip icon on the right to attach the text file.
  9. Restart the MID Server:
    1. Navigate to Discovery > MID Servers.
    2. Open the relevant MID Server record and click Restart MID.
  10. Set the property com.snc.use_external_credentials to true:
    1. In the left navigation filter, enter sys_properties.list.
    2. Find the property com.snc.use_external_credentials and set its value to true.
  11. Set the property x_cenr3_priv_acces.centrify.external.enable_credential_population to true:
    1. In the left navigation filter, enter sys_properties.list.
    2. Find the property x_cenr3_priv_acces.Centrify.external.enable_credential_population and set its value to true.
  12. Set the property x_cenr3_priv_acces.Centrify.external.credential_lookup_type to the same value you set in the properties file:
    1. In the left navigation filter, enter sys_properties.list.
    2. Find the property x_cenr3_priv_acces.Centrify.external.credential_lookup_type and set its value to the value used in cred_resolver.properties (narrow or wide).
  13. Go to Centrify Privileged Access Request > Accounts and click Sync Now. This creates all the Discovery Credential records to match the Centrify Account and Resource records. After this first sync, Discovery Credentials are created or removed automatically going forward.

    Note:   Any time you change the credential_lookup_type, you will need to click Sync Now again.

  14. Create a new Discovery Schedule.
  15. Add the appropriate Discovery IP ranges, or use the Quick ranges link to add a comma-separated list of your target IP addresses.
  16. Click Discover Now to run discovery and automatically update the CMDB.
  17. Navigate to Service Catalog > Catalog Definitions > Maintain Categories.
  18. Click the category Centrify.
  19. Set a value for the Catalog field.
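As an added example that is not part of the original documentation, the following Python script builds basic_auth_str from the PAS user's credentials and runs pre-flight checks over a cred_resolver.properties file against the values the properties-file step prescribes, so a misconfigured file can be caught before the MID Server is restarted. The sample file, host URL, user name and password are constructed placeholders, and the name@suffix form of the username is an assumption.

```python
import base64

def make_basic_auth_str(username, password):
    """base64 of 'username:password' (PAS login name + suffix, assumed as name@suffix)."""
    return base64.b64encode(f"{username}:{password}".encode()).decode()

# Constructed sample cred_resolver.properties; host, user and password are placeholders.
SAMPLE_PROPERTIES = f"""\
basic_auth_str = {make_basic_auth_str('svc_snow@example.com', 'Pa55word!')}
host = https://pas.example.com
application_id = oauth_2_client
grant_type = client_credentials
scope = passwordCheckout
proxy_host =
proxy_port =
credential_lookup_type = narrow
attempt_hostname_lookup = false
"""

def load_properties(text):
    """Parse 'key = value' lines (Java properties style, '#' comments) into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_properties(props):
    """Pre-flight checks against the prescribed values; returns a list of problems."""
    problems = []
    fixed = {"application_id": "oauth_2_client", "grant_type": "client_credentials",
             "scope": "passwordCheckout", "attempt_hostname_lookup": "false"}
    for key, want in fixed.items():
        if props.get(key) != want:
            problems.append(f"{key} must be {want!r}, got {props.get(key)!r}")
    if props.get("credential_lookup_type") not in ("narrow", "wide"):
        problems.append("credential_lookup_type must be 'narrow' or 'wide'")
    if not props.get("host", "").startswith("https://"):
        problems.append("host must be the HTTPS URL used to reach Centrify PAS")
    try:  # the encoded value must decode to 'username:password'
        decoded = base64.b64decode(props.get("basic_auth_str", ""), validate=True).decode()
        user, sep, _ = decoded.partition(":")
        if not (user and sep):
            problems.append("basic_auth_str must decode to 'username:password'")
    except (ValueError, UnicodeDecodeError):
        problems.append("basic_auth_str is not valid base64")
    return problems
```

Run `check_properties(load_properties(open("cred_resolver.properties").read()))` on the MID Server copy; an empty list means the file matches the prescribed values.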