I figured I would walk through how you can set up the out-of-the-box CyberArk + ServiceNow ticket integration, with examples. Deploying this integration is key to ensuring that privileged users must present a valid ServiceNow ticket before they can retrieve or use their privileged accounts within CyberArk. Your internal or external auditors and compliance personnel will love you for this.
The out of the box plugin is limited as CyberArk hasn’t updated it since 2018. Yeah, 2018. Please CyberArk, I beg you, allow additional ServiceNow types to be validated against out of the box! Check out this existing CyberArk Enhancement Request and UPVOTE if you haven’t already! https://cyberark.my.site.com/s/article/ServiceNow-Integration-with-ALL-Ticket-Types-dQAI
Anyway, let’s get started.
If you already have your own company ServiceNow non-prod environment, you can skip the “Setup ServiceNow Dev instance” section below.
Prerequisites —
- Required ServiceNow and CyberArk Licenses
- PVWA v9.8+ preferably
- An already deployed, configured, and operational CyberArk environment
- Admin/RDP access to your PVWA server
- PVWA server access to ServiceNow API URL
- Only required for older CyberArk versions (under 9.8): the CyberArk ServiceNow Ticket integration downloaded from the CyberArk marketplace — https://cyberark.my.site.com/mplace/s/#a3550000000EiXKAA0-a3950000000jjb0AAA
- Your internal ServiceNow IT support team to perform the steps below, if you don’t have access to create and provision the read-only svc account for your ticket integration.
Setup ServiceNow Dev instance:
A while back I discovered that ServiceNow Dev instances are free. Really. It’s amazing. We’ll utilize this to configure our CyberArk Ticket Integration with ServiceNow.
Head over here — https://developer.servicenow.com/
- Sign up for a ServiceNow Developer ID
- Click on Request an instance from the menu. Choose Utah or whichever latest version you want to test against.
- Activate whatever ServiceNow plugins you want to play with for your instance
- Wait a bit for it to create and spin up (~10 minutes, if that)
- Log into the Dev instance with the l/pw it provides.
Create your ServiceNow read-only svc account to utilize:
- Log onto your ServiceNow dev instance with the admin l/pw provided
- Click All>User Administration>Users
- On the top right, click new.
- Name the internal account cyberark_svc_acct, tick the Active checkbox, and tick the Web service access only checkbox.
*Note: You can utilize a domain user service account for this as well if you like, however for demonstration purposes I’m just using an internal ServiceNow user.
*The Web service access only checkbox designates this user as a non-interactive user. This field is available with Non-Interactive Sessions.
- Click Submit to create the account.
- Click Set Password
- Click the Generate button.
- Click the copy password button next to generate. Keep that safe for now until we get to the next steps.
- Click Save Password. Click Close.
- Scroll down and click the Roles tab. Click Edit
- Search the collection for sn_change_read, click it, then click the > button to add the role. Do the same for the sn_incident_read role. See below. Click Save.
- The ServiceNow read only roles have been added to our svc account for use.
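Before onboarding the account into the vault, it is worth confirming two things the integration depends on: that the PVWA server can actually reach the ServiceNow API URL (prerequisite above), and that cyberark_svc_acct can read both incidents and change requests with nothing more than the two read roles. The script below is an added example written for this post, not code from CyberArk or ServiceNow. It assumes the standard ServiceNow Table API (/api/now/table/<table>) with HTTP basic auth, the `incident` and `change_request` tables, and a Python 3 interpreter on the PVWA server (or any host with the same network path to ServiceNow); Python is not part of a PVWA install. The instance URL and ticket numbers are placeholders you supply.

```python
"""Read-only reachability and role check for the ServiceNow svc account.

Added example (not part of the original post or any vendor code). Assumes the
ServiceNow Table API with basic auth and the cyberark_svc_acct user holding
sn_incident_read and sn_change_read.
"""
import base64
import json
import re
import urllib.parse
import urllib.request
from typing import Optional

# Ticket prefix -> (ServiceNow table, read role that should grant access to it).
TICKET_TABLES = {
    "INC": ("incident", "sn_incident_read"),
    "CHG": ("change_request", "sn_change_read"),
}
# Only INC/CHG numbers are understood by the out-of-the-box plugin.
TICKET_ID_RE = re.compile(r"^(INC|CHG)\d{7}$")


def build_ticket_query_url(instance_url: str, ticket_id: str) -> str:
    """Map a ticket number to a Table API query that returns only the fields we need."""
    m = TICKET_ID_RE.match(ticket_id)
    if not m:
        raise ValueError(f"unsupported ticket id format: {ticket_id!r}")
    table, _role = TICKET_TABLES[m.group(1)]
    query = urllib.parse.urlencode({
        "sysparm_query": f"number={ticket_id}",
        "sysparm_fields": "number,state,approval,active",
        "sysparm_limit": "1",
    })
    return f"{instance_url.rstrip('/')}/api/now/table/{table}?{query}"


def parse_ticket_response(body: bytes) -> Optional[dict]:
    """Return the single matching record from a Table API response, or None if none."""
    result = json.loads(body).get("result", [])
    return result[0] if result else None


def lookup_ticket(instance_url: str, ticket_id: str, user: str, password: str,
                  timeout: float = 10.0) -> Optional[dict]:
    """Query ServiceNow with basic auth as the svc account.

    A urllib.error.HTTPError with 401/403 means the account or its roles are
    wrong; a urllib.error.URLError means this host cannot reach the instance
    at all (firewall/proxy/DNS), which is the other prerequisite to fix.
    """
    url = build_ticket_query_url(instance_url, ticket_id)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Accept": "application/json",
        "Authorization": f"Basic {token}",
    })
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_ticket_response(resp.read())


if __name__ == "__main__":
    import getpass
    import sys
    # Usage: python check_snow_access.py https://<your-dev-instance>.service-now.com INC0010001
    # (placeholder instance URL and ticket number; substitute your own)
    instance, ticket = sys.argv[1], sys.argv[2]
    pw = getpass.getpass("cyberark_svc_acct password: ")
    print(lookup_ticket(instance, ticket, "cyberark_svc_acct", pw))
```

Run it once with an INC number and once with a CHG number: a 403 on only one of the two tells you which read role is missing, and an empty result for a ticket you know exists usually points at the wrong instance URL. The password is prompted rather than passed on the command line so it never lands in shell history.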
Onboard your ServiceNow cyberark_svc_acct to your CyberArk Vault:
- Log on to your PVWA site as an admin.
- Click Accounts>Add Account. Fill out the related items. I use the classic interface as my preferred method. See below for an example. Place the “cyberark_svc_acct” account under the PVWATicketingSystem safe as it has the required permissions by default. Note that I’m setting the object name the same as the username just so it’s easier to reference on another step.
- Click Save.
- Ok, now delete the temporary notepad/text file you had with that massive password string for the ServiceNow svc acct. Only keep it in the vault, never in cleartext!
Configure your PVWA server:
- In newer CyberArk PVWA versions (v9.8 and higher) this step isn’t necessary, since the files already exist “out of the box” under C:\inetpub\wwwroot\PasswordVault\Bin.
- If you don’t have these files listed in that folder, extract the downloaded CyberArk ServiceNow Ticket integration zip file from the marketplace.
- Stage the two DLL files onto your PVWA server, under C:\inetpub\wwwroot\PasswordVault\Bin.
*Note - this will cause IIS to reset.
- Check to make sure IIS is back up.
Configure ServiceNow Ticket Integration within PVWA:
- Log onto PVWA site as an admin
- Navigate to Administration>Options>Ticketing Systems>ServiceNow.
- Expand Ticketing Parameters>SystemConfiguration
- Click on SystemURL. Update this to your ServiceNow Dev instance URL. Click Apply.
- If you need a ticketing bypass code configured, click on FailsafeBypassCode and enter the bypass code value you want to use. In the example below I used bypass, but you can define multiple bypass words by separating them with | . The codes are case-sensitive. Click Apply.
- Click on the Connection Details item. Populate the details of where your cyberark_svc_acct is stored. Remember that it’s within the “PVWATicketingSystem” safe, and we named the object the same as the username.
- Click Apply.
Configure your related platform to enable ServiceNow Ticket Integration within PVWA:
- Navigate to Administration>Platform Management. Find the related platform you want to enable ticket integration for. In this example, we’ll enable it for the Windows Domain Account — Ticket Integration platform I previously created.
- Click Edit
- Expand UI & Workflows. Click on Ticketing System.
- Set EnterTicketingInfo to Yes.
- Set ValidateTicketNumber to Yes.
- Right-click Ticketing System and click Add ActiveTicketingSystems.
- Right-click ActiveTicketingSystems and click Add TicketingSystem.
- Set the value of TicketingSystem to be ServiceNow, which is the same name referenced under Options that we configured previously.
- Click Apply.
Let’s test it out!:
- Move whichever Windows Domain Accounts you require ticket integration for onto the Windows Domain Account — Ticket Integration platform.
- We’ll select the test.priv account on acme.com to test with. Click on Show, Copy, or Connect; it will default to the ServiceNow TicketingSystem we set on the platform and now shows a Ticketing Id field.
- Populate the Reason and the related TicketID (INC or CHG).
- If the ticket ID (CHG or INC) exists, you’ll be able to show or use the password.
- If the TicketID doesn’t exist, it will fail.
- If the TicketID format is invalid, it will fail.
- Now let’s try that bypass code, in case ServiceNow is down.
- The super basic pieces worked!
“I have more requirements though!!! Auditors need us to do this, and this!”:
- Okay, okay! If you need to configure things like validating the INC or CHG state, Approval Status, Ticketing TimeFrame, or Requesting User, there are additional settings you can configure.
- Check out the additional settings under Administration>Options>Ticketing Systems>ServiceNow>IncidentTicketValidation, and ChangeTicketValidation.
- Here’s the official documentation you can review: https://docs.cyberark.com/PAS/Latest/en/Content/PASIMP/TicketingIntegrationServiceNow.htm?tocpath=Administrator%7CComponents%7CPVWA%7CConfigure%20the%20PVWA%7CIntegrate%20with%20Enterprise%20Ticketing%20Systems%7C_____2
- See the image below related to the settings you can adjust as needed per your requirements.
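To make the behaviour from the test section and these additional validation settings concrete, here is an added example (written for this post, not CyberArk’s own code) that models the order of decisions the integration makes: a case-sensitive bypass-code match first, then the INC/CHG format check, then ticket existence, and finally the optional state and approval rules. The in-memory ticket table, the state/approval strings, and the `allowed_states`/`allowed_approvals` names are constructed stand-ins for the ServiceNow response and the IncidentTicketValidation/ChangeTicketValidation options, chosen for illustration only.

```python
"""Model of the ticket-validation decision sequence described in the post.

Added example, not CyberArk's implementation. Ticket data, field values and
the rule names below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Only INC/CHG numbers are understood by the out-of-the-box plugin.
TICKET_ID_RE = re.compile(r"^(INC|CHG)\d{7}$")

# Constructed sample tickets standing in for what ServiceNow would return.
SAMPLE_TICKETS: Dict[str, dict] = {
    "INC0010001": {"state": "In Progress", "approval": "not requested"},
    "CHG0030001": {"state": "Implement", "approval": "approved"},
    "CHG0030002": {"state": "New", "approval": "requested"},
}


@dataclass
class TicketingConfig:
    # Mirrors FailsafeBypassCode: several codes separated by '|', case-sensitive.
    failsafe_bypass_code: str = ""
    # Mirrors the platform's ValidateTicketNumber setting.
    validate_ticket_number: bool = True
    # Constructed stand-ins for the per-type state/approval validation options.
    allowed_states: Dict[str, Set[str]] = field(default_factory=dict)
    allowed_approvals: Dict[str, Set[str]] = field(default_factory=dict)

    def bypass_codes(self) -> Set[str]:
        return {c for c in self.failsafe_bypass_code.split("|") if c}


def validate_request(ticket_id: str, cfg: TicketingConfig,
                     tickets: Dict[str, dict]) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request whose Ticketing Id field holds ticket_id."""
    # 1. Failsafe bypass: an exact, case-sensitive match skips ServiceNow entirely.
    if ticket_id in cfg.bypass_codes():
        return True, "bypass code accepted (ServiceNow not consulted)"
    # 2. Format check: anything that is not INC/CHG + 7 digits fails here.
    m = TICKET_ID_RE.match(ticket_id)
    if not m:
        return False, "invalid ticket id format"
    if not cfg.validate_ticket_number:
        return True, "format ok; ValidateTicketNumber is off"
    # 3. Existence: the ticket must be found in ServiceNow.
    ticket = tickets.get(ticket_id)
    if ticket is None:
        return False, "ticket not found"
    # 4. Optional rules per ticket type (state, approval).
    kind = m.group(1)
    states = cfg.allowed_states.get(kind)
    if states and ticket["state"] not in states:
        return False, f"{kind} state {ticket['state']!r} not permitted"
    approvals = cfg.allowed_approvals.get(kind)
    if approvals and ticket["approval"] not in approvals:
        return False, f"{kind} approval {ticket['approval']!r} not permitted"
    return True, "ticket valid"


if __name__ == "__main__":
    basic = TicketingConfig(failsafe_bypass_code="bypass|outage")
    strict = TicketingConfig(allowed_states={"CHG": {"Implement"}},
                             allowed_approvals={"CHG": {"approved"}})
    for label, cfg, tid in [("exists", basic, "INC0010001"),
                            ("missing", basic, "INC0099999"),
                            ("bad format", basic, "TASK0010001"),
                            ("bypass", basic, "bypass"),
                            ("wrong case", basic, "BYPASS"),
                            ("approved CHG", strict, "CHG0030001"),
                            ("unapproved CHG", strict, "CHG0030002")]:
        print(f"{label:15} {tid:12} -> {validate_request(tid, cfg, SAMPLE_TICKETS)}")
```

The `strict` configuration is the part that goes beyond the basic test above: it shows why auditors usually ask for the state and approval checks, since a change request that exists but is still in New with approval merely requested would otherwise unlock the account. Note also that "BYPASS" falls through to the format check and is rejected, which is the case-sensitivity the post calls out.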
Troubleshooting — “It isn’t working for me still. What did I miss!?” :
- Check out the PVWA logs under C:\Windows\Temp\PVWA\ for clues about the issue(s) you’re having.
- See below for the specific PVWA WebSession log entry which showed that my PVWA server was able to reach the ServiceNow Dev instance and query for the CHG I provided.
- Check the CyberArk Support site for your related error(s).
- Ask a co-worker to look at it as well for a second set of eyes to determine the cause.
- Create a CyberArk Support Case.
Looking for a partner in your Privileged Access Management rollout?
Check out my site here — https://www.keyvaultsolutions.com/pages/contact-us
Recommended items:
- Document your ticket integration! Yes, I know, no one will read it… but do it anyway for your own benefit. It’s good practice for writing, and being able to refer back makes your life easier. Trust me.
- Configure and enable password rotations for your ServiceNow service account.
- If your ServiceNow environment allows using a domain service account, you could use that for the integration instead and rotate it with the out-of-the-box Windows domain account platform.
- Explore the CyberArk marketplace for other ServiceNow integrations.
- Discuss internally whether you want to stop requiring a Reason entry for your ticket-integrated platforms. Since the TicketID field references the ticket, a reason isn’t needed and most times provides little actual value, aside from seeing what people enter, like “letmein!”.
- I recommend that you adjust the ticket integration errors to be more helpful for your users — look under Administration>Options>Ticketing Systems>ServiceNow. See the image below and the related documentation at the bottom of this blog.
Related CyberArk & ServiceNow Documentation —
- https://docs.cyberark.com/PAS/Latest/en/Content/PASIMP/TicketingIntegrationServiceNow.htm
- https://cyberark.my.site.com/mplace/s/#a3550000000EiXKAA0-a3950000000jjb0AAA
- https://developer.servicenow.com/dev.do
- https://www.reddit.com/r/CyberARk/comments/x46590/platform_naming_convention/
- https://docs.cyberark.com/PAS/Latest/en/Content/PASIMP/TicketingIntegrationServiceNow.htm?tocpath=Administrator%7CComponents%7CPVWA%7CConfigure%20the%20PVWA%7CIntegrate%20with%20Enterprise%20Ticketing%20Systems%7C_____2
- https://cyberark.my.site.com/s/article/ServiceNow-Integration-with-ALL-Ticket-Types-dQAI
- https://cyberark.my.site.com/s/article/Validate-Target-Machine-with-ServiceNow-Ticketing-Integration-nQAI
- https://cyberark.my.site.com/s/article/ServiceNow-and-EPM-integration-ticket-number-varia-58a6-66e
- https://docs.servicenow.com/bundle/vancouver-platform-administration/page/administer/users-and-groups/task/t_CreateAUser.html