Installing and configuring the Centrify External Credential Storage Plugin

This documentation describes how to install and configure the Centrify External Credential Storage Plugin in the following sections:

Where to download

To download the plugin, navigate to the Centrify Download Center (www.centrify.com > Support > Downloads) and click Tools and Plugins > ServiceNow Integration.

Prerequisites

You need the following components to install and configure the Centrify External Credential Storage Plugin:

  • ServiceNow Instance.
  • ServiceNow MID Server (a virtual machine configuration provided by ServiceNow).
  • Centrify External Credential Storage Plugin.
  • Centrify Privileged Access Request (a plugin available from the ServiceNow Store).
  • Privileged Access Service.
  • Centrify-provided JAR file.
  • Centrify-provided properties file (which you will modify).

Setting up the Centrify Privileged Access Service instance

To set up Centrify PAS, perform the steps below.

Create a user

  1. Install the Centrify Privileged Access Request application from the ServiceNow Store first.
  2. Set up credentials and permissions for the various servers.
  3. Create a user:
    1. In the Admin Portal, navigate to Users, click Add User, and enter the following:
    • Enter a login name and select a suffix.
    • Enter an e-mail address.
    • Enter a display name.
    • Set a password for the user.
    • Under Status, check Is OAuth confidential client.

    Note:   Protect, harden, and review access to the MID Server and the properties file. Together they grant the ability to use the stored credentials and perform API calls against the tenant. Although an OAuth confidential client cannot log in to the portal interactively, whoever holds its credentials can perform API calls to "RedRock/Query" and "ServerManage/CheckoutPassword".

    2. Click Create User.

Set up an OAuth client application

Set up an OAuth Client Application. OAuth issues a token that eventually expires (the default lifetime is five hours, configured on the Web Applications settings page of the management portal). Until it expires, the token can be used without further authentication and without the account password. Set it up as follows:

Note:   Even when the token expires, OAuth remains the default authentication mechanism for the profile or configuration.

  1. Once the user is created, navigate to Apps > Web Apps. Click Add Web Apps.
  2. Select Custom and add OAuthClient.
  3. Update the settings of the OAuth Client Application: click Apps > Web Apps again and click the OAuth Client row you just created. Under the Settings tab, enter the following:
  • Application ID: oauth_2_client
  • Name: OAuth Client
  • Description: "Use this template to set up an application that is making OAuth secured REST calls to the Centrify Platform."
  4. Click Scope and create a new Scope Definition with the properties below.

Note:   You will add a scope named "snowmidserver"; that is the only scope the application looks for. The "REST Regex" is the pattern that enables an API for the ServiceNow Plugin (documentation can be reviewed at https://developer.centrify.com/reference). For example, a scope whose allowed REST API is ".*" enables all API calls, while 'UserMgmt/.' restricts calls to just the User Management section. Security best practice is to grant the minimal set of APIs needed: the scope for the ServiceNow plugin must be limited to "RedRock/Query" and "ServerManage/CheckoutPassword".

  • Name: passwordCheckout
  • Description: "Allows the ServiceNow MID Server plugin to check out account passwords from PAS."
  • Under Allowed REST APIs, click Add:
  1. Enter RedRock/Query and click Save.
  2. Under Allowed REST APIs, click Add again and enter ServerManage/CheckoutPassword.
  3. Click Save.
  5. Click Permissions, then click Add. Search for the user you created, select it, and add it.

Note:   This user is restricted to the View and Run permissions.

  6. Under the General Usage tab:
  • Issuer: default.
  • Client ID Type: Confidential.
  • Uncheck the checkbox 'Must be OAuth Client'.

Note:   You created a dedicated cloud OAuth user (above) just for this purpose.

  7. Under the Tokens tab:
  • Under 'Auth Methods', check 'Client Credentials'. You can uncheck the other 'Auth Methods' if desired.
  • You can accept the defaults or change the token lifetime. A longer token lifetime reduces how often the plugin must re-authenticate.
  8. Click Save.
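The scope note above says the "Allowed REST APIs" patterns decide which calls the OAuth client may make, and that ".*" grants everything while the plugin only needs two endpoints. The following Python script is an added example, not Centrify's code and not its actual regex matcher: it evaluates a list of candidate API paths against a scope's patterns so you can see, before saving the scope, whether it is least-privilege for the plugin. The candidate paths ending in "ExampleCall" and the "ServerManage/CheckoutPasswordExtra" path are constructed placeholders; only "RedRock/Query" and "ServerManage/CheckoutPassword" are endpoints named on this page. The anchored (fullmatch) versus unanchored (search) comparison is there to show why a pattern meant to name one endpoint should not be left as a bare substring.

```python
import re

# The two Centrify REST APIs the ServiceNow MID Server plugin needs (from the page).
PLUGIN_REQUIRED_APIS = ("RedRock/Query", "ServerManage/CheckoutPassword")

# Constructed sample of API paths to evaluate against a scope.  Only the two
# required ones are real endpoints named on the page; the others are placeholders
# standing in for "any other call" under those sections.
CANDIDATE_APIS = PLUGIN_REQUIRED_APIS + (
    "RedRock/ExampleCall",
    "ServerManage/ExampleCall",
    "UserMgmt/ExampleCall",
    "ServerManage/CheckoutPasswordExtra",  # constructed: shares a prefix with a required API
)


def compile_allowlist(patterns):
    """Compile the regex patterns entered under 'Allowed REST APIs'."""
    return [re.compile(p) for p in patterns]


def is_allowed(api_path, allowlist):
    """Anchored check: permit api_path only if some pattern matches the whole path."""
    return any(p.fullmatch(api_path) for p in allowlist)


def is_allowed_unanchored(api_path, allowlist):
    """Pitfall variant: a substring match lets a longer path through on a
    pattern that was meant to name exactly one endpoint."""
    return any(p.search(api_path) for p in allowlist)


def scope_report(patterns, candidate_apis=CANDIDATE_APIS, matcher=is_allowed):
    """Map each candidate API path to whether the scope would permit it."""
    allowlist = compile_allowlist(patterns)
    return {api: matcher(api, allowlist) for api in candidate_apis}


def scope_is_least_privilege(patterns, candidate_apis=CANDIDATE_APIS,
                             required=PLUGIN_REQUIRED_APIS):
    """True when the scope permits every required API and nothing else in the sample."""
    report = scope_report(patterns, candidate_apis)
    needed_ok = all(report[api] for api in required)
    nothing_extra = not any(ok for api, ok in report.items() if api not in required)
    return needed_ok and nothing_extra


if __name__ == "__main__":
    # "ServerManage/.*" is a constructed section-wide pattern, analogous to the
    # page's UserMgmt example, to contrast with the plugin minimum.
    for name, patterns in {
        "wildcard (.*)": [".*"],
        "section-wide (ServerManage/.*)": ["ServerManage/.*"],
        "plugin minimum": list(PLUGIN_REQUIRED_APIS),
    }.items():
        print(f"{name}: least privilege = {scope_is_least_privilege(patterns)}")
        for api, ok in scope_report(patterns).items():
            print(f"   {'allow' if ok else 'deny '}  {api}")
```

Run it as-is to see the three scopes side by side; to check a scope you are about to create, pass its patterns to scope_is_least_privilege and extend CANDIDATE_APIS with the paths you care about.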

Setting up the ServiceNow and ServiceNow MID Server instances

To set up ServiceNow and ServiceNow MID Server instances, perform the following steps:

  1. Install a ServiceNow MID Server if you don’t already have one set up. To do this, follow the instructions in the ServiceNow MID Server Installation documentation.
  2. Request an external credential storage for discovery and orchestration by following the steps detailed by ServiceNow.
  3. Once it’s available to you, install the External Credential Storage Plugin.
  4. Create a new MID Server JAR File record named snowjar.jar and attach snowjar.jar as follows:
    1. From the left navigation, navigate to MID Server > JAR Files.
    2. Click New.
    3. Set the name field and use the paperclip icon on the right to attach the JAR file.
  5. Using RDP or a similar tool, remote into the MID Server.
  6. Place a properties file called cred_resolver.properties in the same location as the JAR file on the MID Server.

  7. Update the properties file as follows:

Note:   Protect, harden, and review access to the MID Server and the properties file. Together they grant the ability to use the stored credentials and perform API calls against the tenant. Although an OAuth confidential client cannot log in to the portal interactively, whoever holds its credentials can perform API calls to "RedRock/Query" and "ServerManage/CheckoutPassword".

  • basic_auth_str = a base64-encoded string of the form “username:password”, where username is the login name plus suffix and password is the password of the user you created in Centrify PAS.
  • host = the URL you use to access Centrify PAS.
  • application_id = oauth_2_client
  • grant_type = client_credentials
  • scope = snowmidserver
  • proxy_host = (usually blank, unless your MID Server needs a proxy to reach the internet).
  • proxy_port = (usually blank, unless your MID Server needs a proxy to reach the internet).
  • credential_lookup_type = narrow (narrow is preferred; if Centrify PAS does not hold the IP addresses of all servers, set it to wide).
  • attempt_hostname_lookup = false (not yet implemented; leave as false).
  8. Create a new MID Server JAR file record and name it “cred_resolver.properties”.
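As an added example (not the plugin's own code and not part of this documentation), the Python script below builds the basic_auth_str value, writes cred_resolver.properties with the keys listed above, reads it back, and validates that the settings match what this page prescribes (oauth_2_client, client_credentials, snowmidserver, narrow or wide, attempt_hostname_lookup=false, proxy host and port set together). It also shows the shape of the client-credentials token request the plugin makes with those values. Assumptions, marked in the code as well: the login name and suffix are joined with "@"; the token endpoint path /oauth2/token/<application_id> under the host; the https:// check on host is an added hardening check, not a requirement stated on the page; and all sample values (snowmid, example.com, S3cret!, https://pas.example.com) are constructed.

```python
import base64
import os
import tempfile

# Keys the page lists for cred_resolver.properties.
REQUIRED_KEYS = ("basic_auth_str", "host", "application_id", "grant_type",
                 "scope", "credential_lookup_type", "attempt_hostname_lookup")
OPTIONAL_KEYS = ("proxy_host", "proxy_port")


def make_basic_auth_str(login_name, suffix, password):
    """base64 of "username:password"; username is login name + suffix,
    joined here with '@' (an assumption about how the suffix is attached)."""
    raw = f"{login_name}@{suffix}:{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_basic_auth_str(value):
    """Inverse of make_basic_auth_str; raises ValueError on malformed base64."""
    return base64.b64decode(value, validate=True).decode("utf-8")


def render_properties(values):
    """Serialise to Java .properties lines (key = value); unset optional keys stay blank."""
    return "".join(f"{k} = {values.get(k, '')}\n" for k in REQUIRED_KEYS + OPTIONAL_KEYS)


def parse_properties(text):
    """Minimal .properties reader: 'key = value' lines, '#' and '!' comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")   # split on the first '=' only
        props[key.strip()] = value.strip()
    return props


def validate_properties(props):
    """Return a list of problems; an empty list means the file matches the page's settings."""
    problems = [f"missing key: {k}" for k in REQUIRED_KEYS if k not in props]
    if problems:
        return problems
    try:
        user, sep, _ = decode_basic_auth_str(props["basic_auth_str"]).partition(":")
        if not sep or not user:
            problems.append("basic_auth_str does not decode to username:password")
    except (ValueError, UnicodeDecodeError):
        problems.append("basic_auth_str is not valid base64")
    if not props["host"].startswith("https://"):   # added check, not stated on the page
        problems.append("host should be an https:// URL")
    expected = {"application_id": "oauth_2_client", "grant_type": "client_credentials",
                "scope": "snowmidserver", "attempt_hostname_lookup": "false"}
    for key, want in expected.items():
        if props[key] != want:
            problems.append(f"{key} must be {want!r}, got {props[key]!r}")
    if props["credential_lookup_type"] not in ("narrow", "wide"):
        problems.append("credential_lookup_type must be 'narrow' or 'wide'")
    if bool(props.get("proxy_host")) != bool(props.get("proxy_port")):
        problems.append("proxy_host and proxy_port must be set together")
    return problems


def write_properties(path, values):
    """Write the file owner-read/write only (0o600 has POSIX semantics; on a
    Windows MID Server restrict the file's ACL instead)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(render_properties(values))


def token_request(props):
    """Shape of the client-credentials token request built from the file.
    The endpoint path /oauth2/token/<application_id> is an assumption."""
    url = f"{props['host'].rstrip('/')}/oauth2/token/{props['application_id']}"
    headers = {"Authorization": "Basic " + props["basic_auth_str"],
               "Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": props["grant_type"], "scope": props["scope"]}
    return url, headers, form


def example_config():
    """Constructed sample values; replace them with your tenant's own."""
    return {
        "basic_auth_str": make_basic_auth_str("snowmid", "example.com", "S3cret!"),
        "host": "https://pas.example.com",
        "application_id": "oauth_2_client",
        "grant_type": "client_credentials",
        "scope": "snowmidserver",
        "credential_lookup_type": "narrow",
        "attempt_hostname_lookup": "false",
    }


def roundtrip_check(values=None):
    """Write the file to a temp dir, read it back and validate; returns the problem list."""
    values = values or example_config()
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "cred_resolver.properties")
        write_properties(path, values)
        with open(path, encoding="utf-8") as fh:
            return validate_properties(parse_properties(fh.read()))


if __name__ == "__main__":
    print("problems:", roundtrip_check() or "none")
    url, headers, form = token_request(example_config())
    print(url, form)   # never print the headers: the Authorization header is the credential
```

To check an existing file on the MID Server, read it and call validate_properties(parse_properties(text)); keep the decoded basic_auth_str out of logs and ticket notes, since it is the same secret the plugin uses to obtain tokens.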

  9. Restart the MID Server:
    1. Navigate to Discovery > MID Servers.
    2. Open the relevant MID Server record and click Restart MID.
  10. Set the property com.snc.use_external_credentials to true:
    1. On the left navigation panel, enter: sys_properties.list.
    2. Find the property com.snc.use_external_credentials. Set its value to true.
  11. Set the property x_cenr3_priv_acces.centrify.external.enable_credential_population to true:
    1. On the left navigation panel, enter: sys_properties.list.
    2. Find the property x_cenr3_priv_acces.centrify.external.enable_credential_population. Set its value to true.
  12. Set the property x_cenr3_priv_acces.centrify.external.credential_lookup_type to the same value you set in the properties file:
    1. On the left navigation panel, enter: sys_properties.list.
    2. Find the property x_cenr3_priv_acces.centrify.external.credential_lookup_type. Set its value to the same value (narrow or wide) you set for credential_lookup_type in the properties file.
  13. Discovery Credentials should be created or removed automatically.
  14. Create a new Discovery Schedule.
  15. Add the appropriate Discovery IP ranges, or use the Quick ranges link to add a comma-separated list of your target IP addresses.
  16. Click Discover Now to run discovery and automatically update the CMDB.
  17. Navigate to Service Catalog > Catalog Definitions > Maintain Categories.
    1. Click the category Centrify.
    2. Set a value for the Catalog field.