Installation and Configuration from MID Server Plugin
PAS Configuration
Overview
Set Up the Delinea Privileged Access Service Instance
Follow the steps below to set up Delinea PAS.
Create User
1. In the Admin Portal, go to Users and click Add User and enter the following
information:
o login name and select a suffix
o e-mail address
o display name
o password
2. Under Status, select Is OAuth confidential client.
Note: Protect, harden, and review access to the MID Server and the properties
file. Anyone with access to the MID Server or the properties file can use the stored
credentials to perform API calls against the tenant. The OAuth confidential client
setting prevents this user from logging into the portal interactively, but the
credential can still call “RedRock/Query”, “ServerManage/CheckoutPassword”,
“ServerManage/RetrieveSshKey” and “ServerManage/CheckinPassword”.
3. Click Create User.
Set Up OAuth Client Application
OAuth issues a token that expires after a set lifetime (five hours by default). Within
that lifetime the token can be used without additional authentication and without the
account password. Set it up as follows:
Note: When the token expires, OAuth remains the default authentication mechanism
for the profile or configuration.
1. Once the user is created, go to Apps > Web Apps and click Add Web Apps.
2. Select Custom and add OAuthClient.
3. Update the settings of the OAuth Client application.
4. Click Apps > Web Apps again and click the OAuth Client row you just created.
o Under the Settings tab enter as follows:
▪ Application ID: set to oauth_2_client
▪ Name: OAuth Client
▪ Description enter: “Use this template to set up an application that is
making OAuth secured REST calls to the PAS Platform”
5. Click Scope and create a new Scope Definition using the following properties.
o Add a scope named snowmidserver. This is the scope the application will
look for.
o The REST Regex is the pattern of REST APIs the scope allows for the ServiceNow
plugin. The documentation can be reviewed here. For example, a scope that allows
REST API calls matching “.*” enables all API calls, while ‘UserMgmt/.*’ restricts
calls to just the User Management section. Security best practice is to grant the
minimal set of APIs needed.
o The scope of the ServiceNow plugin must be set to: “RedRock/Query”,
“ServerManage/CheckoutPassword”, “ServerManage/RetrieveSshKey” and
“ServerManage/CheckinPassword”.
▪ Name: passwordCheckout
▪ Description: “Allows ServiceNow MID Server plugin to checkout account
password from PAS.”
o Under Allowed REST APIs, click Add
o Enter RedRock/Query
o Click Add and enter ServerManage/CheckoutPassword
o Click Add and enter ServerManage/RetrieveSshKey
o Click Add and enter ServerManage/CheckinPassword
o Click Save
Set Up ServiceNow and ServiceNow MID Server Instances
To set up ServiceNow and ServiceNow MID Server instances, follow these steps.
JAR File
1. Install ServiceNow MID Server if it’s not already set up. To do this, follow the
ServiceNow MID Server Installation instructions.
2. Request external credential storage for discovery and orchestration by following
the steps detailed by ServiceNow.
3. When this is done, install the External Credential Storage Plugin.
4. Get a JAR file (location mentioned in the above section) and attach it.
5. Go to MID Server > JAR files and click New.
6. Set the Name field and select the Paperclip icon to attach the JAR file.
MID Server Configurations
1. The config.xml file must be modified to add the additional parameters the
External Credential Store plugin needs to communicate with PAS.
2. Log in to the MID Server.
3. Go to the <MID Server path>/agent folder and open the file named config.xml.
4. Add the parameters below to the file. They go at the end of the file, just
before the closing </parameters> tag.
o basic_auth_str = A base 64 encoded string in the format
of username:password. This should be the username (login name + suffix)
and password for the user you created in PAS
o host = the URL you use to access PAS
o application_id = oauth_2_client
o grant_type = client_credentials
o scope = passwordCheckout
o proxy_host = This field will likely be blank, unless you know a proxy needs
to be used to get out to the internet from your MID Server
o proxy_port = This field will likely be blank, unless you know a proxy needs
to be used to get out to the internet from your MID Server
o vault_type = This parameter should be set to PAS, as the credentials are to be
validated with Privileged Access Service.
o credential_lookup_type = narrow
Note: Add the dummy parameters of PAS when using vault type Secret Server, and
vice versa. The plugin requires the configuration parameters of both vaults to be
defined.
Note: The value is ideally narrow, but if PAS does not have all IP addresses
for all your servers, you must set credential_lookup_type to wide.
o is_logging = This parameter can be set to either true or false to enable
additional logging beyond the default. When it is set, log_level must also be set.
o log_level = This parameter controls which messages are logged. The value can
be 1, 2, 3 or 4.
▪ Log Level 1: (Logs Info) logs information
▪ Log Level 2: (Logs Debug) logs for developers
▪ Log Level 3: (Logs Error) error logs are printed
▪ Log Level 4: (Logs all) all three log types are printed
o allow_self_signed_certificates = This parameter can be set to either true or
false to allow self-signed certificates when getting a token. By default the
plugin does not allow self-signed certificates, so if PAS is using a self-signed
certificate this parameter must be added and set to true.
o password_checkin_interval = An optional parameter to delay the password
check-in. It is useful when PAS is configured to rotate a password after
check-in: the user gets some time to perform the required task in ServiceNow
before the password is rotated.
▪ The default value for this parameter is 60000 (in milliseconds). Users can set
it to another value as required.
o use_reverse_dns_lookup = This parameter allows the plugin to perform a
reverse DNS lookup. This can be set to either true or false. It is optional
and the default value is false, if undefined.
o use_fqdn_lookup = This parameter allows the plugin to perform an FQDN
lookup. This can be set to either true or false. It is optional and the default
value is false, if undefined.
o look_up_order = This parameter is a list of up to three values: IP, DNS and
FQDN. Enter at least one of the three values. It is an optional parameter and
the default value is IP, if undefined. Refer to the section How to Perform
Lookups to Identify the Resources in PAS for more details about lookups.
o allow_fqdn_based_on_localhost = In some networks the remote machine does not
return an FQDN, so this parameter helps to increase the success rate of
identifying systems that have an FQDN configured in PAS. It allows the plugin to
form an FQDN by identifying the domain name of its own host (the MID Server)
and appending it to the name returned by the remote machine. This can be set to
either true or false.
o retry_attempts = This is an optional parameter to set custom retry attempts to
handle request failures. The value should be a number between 0 and 5.
▪ If the parameter is not defined, the default is 3 retry attempts.
▪ If the value is 0, no retries will be attempted.
▪ The maximum supported number of retries is 5. Any value greater than 5 is
ignored and treated as the maximum (5).
▪ Retries are performed if there are failures in fetching systems from PAS.
▪ When lookup parameters are defined, the look_up_order items are executed
sequentially in each retry attempt on a failure to fetch the details.
o retry_interval = This is an optional parameter to set a custom interval between
retry attempts.
▪ The default value is 3000 (in milliseconds) when this parameter is not defined.
▪ The minimum value is 1000 and the maximum is 10000.
▪ A value less than 1000 is treated as 1000, and a value greater than 10000 is
treated as 10000.
o use_cred_cache = This is an optional parameter and can be set to either
true or false. Setting it to true enables the caching and saves the credential
in the encrypted format in the DelineaCredCache.properties file.
o secret_key = The name under which the key is stored in the Windows Credential
Manager. This value must match the value in the “Internet or network address”
field of the Windows Credential Manager entry. It must be set if use_cred_cache
is true.
5. Click Save.
6. Restart MID Server.
o Go to Discovery > MID Servers.
o Open the relevant MID Server record and click Restart MID.
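As an added example (not from the Delinea or ServiceNow documentation), the following PowerShell script writes the parameters listed above into config.xml before the closing </parameters> tag, updating any that already exist, and builds basic_auth_str from a prompted credential so the password never sits in the script. The config path, PAS URL and the dummy Secret Server values are placeholders.

```powershell
# Added example: writes the PAS parameters described above into the MID
# Server config.xml (inserting before </parameters>, updating if present).
# Not Delinea's or ServiceNow's code. ConfigPath and PasHost are placeholders.
param(
    [string]$ConfigPath = 'C:\ServiceNow\prod\agent\config.xml',  # placeholder
    [string]$PasHost    = 'https://tenant.example.com',           # placeholder
    [int]$RetryAttempts = 3,
    [int]$RetryInterval = 3000
)
$ErrorActionPreference = 'Stop'

# basic_auth_str is base64("login name + suffix:password"). Prompting for the
# credential keeps the password out of the script and the shell history.
$cred  = Get-Credential -Message 'PAS OAuth confidential client (user@suffix)'
$plain = $cred.GetNetworkCredential().Password
$basicAuthStr = [Convert]::ToBase64String(
    [Text.Encoding]::UTF8.GetBytes("$($cred.UserName):$plain"))

# Clamp to the ranges the plugin accepts (0-5 attempts, 1000-10000 ms), so the
# file shows the value the plugin will actually use.
$RetryAttempts = [Math]::Min([Math]::Max($RetryAttempts, 0), 5)
$RetryInterval = [Math]::Min([Math]::Max($RetryInterval, 1000), 10000)

$parameters = [ordered]@{
    basic_auth_str                 = $basicAuthStr
    host                           = $PasHost
    application_id                 = 'oauth_2_client'
    grant_type                     = 'client_credentials'
    scope                          = 'passwordCheckout'
    proxy_host                     = ''
    proxy_port                     = ''
    vault_type                     = 'PAS'
    credential_lookup_type         = 'narrow'
    allow_self_signed_certificates = 'false'  # import the PAS cert instead of setting true
    retry_attempts                 = "$RetryAttempts"
    retry_interval                 = "$RetryInterval"
    use_cred_cache                 = 'false'
    # Dummy Secret Server parameters: the Note above says both vaults' parameters
    # must be defined. Which ones the plugin insists on is not documented; these
    # are the Just-In-Time mode attributes with obviously inert values.
    ss_url                         = 'https://unused.invalid'
    oauth2_username                = 'unused'
    oauth2_password                = 'unused'
    search_secret_by_name          = 'false'
}

[xml]$config = Get-Content -Path $ConfigPath -Raw
$root = $config.DocumentElement   # the <parameters> element
foreach ($name in $parameters.Keys) {
    $node = $root.SelectSingleNode("parameter[@name='$name']")
    if (-not $node) {
        # New parameter: appending a child lands it just before </parameters>
        $node = $config.CreateElement('parameter')
        $node.SetAttribute('name', $name)
        [void]$root.AppendChild($node)
    }
    $node.SetAttribute('value', [string]$parameters[$name])
}
$config.Save((Resolve-Path $ConfigPath).Path)
"Updated $($parameters.Count) parameters in $ConfigPath; restart the MID Server to apply."
```

Run it as an administrator on the MID Server before step 6 above; config.xml now holds the encoded PAS credential, so keep its ACL limited to the MID Server service account and administrators.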
The following steps complete the OAuth Client application created above in the PAS
Admin Portal.
6. Click Permissions > Add. Search for, select, and add the user you created.
Note: This user is restricted to the permissions View and Run.
7. Under the General Usage tab:
o Issuer: default
o Client ID Type: Confidential
o Uncheck Must be OAuth Client
Note: You created a special cloud OAuth user (above) for this purpose.
8. Go to Tokens > Auth Methods tab and select Client Credentials.
Note: Deselect the other Auth Methods if desired.
9. You can accept the defaults or change the token lifetime. To reduce
re-authentication, you may prefer a longer token lifetime.
10. Click Save.
Add PAS SSL Certificate to MID Server
If the certificate for the PAS site is published from an internal Active Directory Certificate
Authority (CA) or an internal self-generated certificate, that certificate needs to be
added to the MID Server Agent’s local Keystore for Java.
ServiceNow has documented the method for adding the certificate which can be
found here.
The following provides a few details that are not included in the ServiceNow
documentation.
1. Download your SSL certificate for PAS to the MID Server.
2. One way to get the certificate is to go to a PAS website.
3. Click the Site icon on the address bar.
4. Select Certificate > Details > Copy to File > Export and save in format Der-
encoded binary (.cer).
5. Copy the certificate file to MID Server.
6. Go to MID Server, open a PowerShell prompt, and set the location to the Java bin
directory: <JavaDirectoryPath>\jre\bin.
7. Run the following command, replacing the placeholders with your environment specifics:
keytool.exe -import -alias <alias> -file <certificate file> -keystore <path to cacerts>
Example:
keytool -import -alias myAlias -file myCertificate.cer -keystore "C:\Program Files\Java\jre1.8.XXXX\lib\security\cacerts"
8. You will be prompted for the Keystore password. The password should have been
changed within your environment; if not, the default password is changeit.
9. You will get another prompt that asks if you trust the self-signed certificate.
Select Yes and the certificate will be imported into the trust store.
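The steps above, scripted as an added example that is not part of the Delinea or ServiceNow documentation: the script retrieves the certificate the PAS site presents, shows its thumbprint for out-of-band verification, exports it DER-encoded and imports it into the MID Server JRE trust store with keytool, then lists the alias to confirm. The host name, JRE path and alias are placeholders.

```powershell
# Added example (not Delinea's or ServiceNow's code): scripted equivalent of
# exporting the PAS site certificate and importing it into the JRE cacerts.
# PasHostName, JreHome and Alias are placeholders for your environment.
param(
    [string]$PasHostName = 'tenant.example.com',            # placeholder
    [string]$JreHome     = 'C:\ServiceNow\prod\agent\jre',  # placeholder
    [string]$Alias       = 'delinea-pas',
    [string]$CerPath     = "$env:TEMP\pas.cer"
)
$ErrorActionPreference = 'Stop'

# 1. Retrieve the leaf certificate over TLS. The validation callback returns
#    $true only so the handshake completes; nothing is trusted at this point.
$client = [System.Net.Sockets.TcpClient]::new($PasHostName, 443)
try {
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($PasHostName)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
} finally {
    $client.Dispose()
}

# 2. Show the thumbprint so it can be compared with the value the PAS or CA
#    administrator publishes before anything is added to the trust store.
#    If the site certificate comes from an internal CA, importing the issuing
#    CA certificate instead avoids a re-import every time the leaf is renewed.
"Subject    : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"Thumbprint : $($cert.Thumbprint)"
"Expires    : $($cert.NotAfter)"
if ((Read-Host 'Import this certificate into the JRE trust store? (y/N)') -ne 'y') { return }

# 3. Save as DER (.cer), the format the manual export steps produce.
[IO.File]::WriteAllBytes($CerPath, $cert.Export('Cert'))

# 4. Import into cacerts. keytool prompts for the keystore password rather
#    than taking it on the command line (default is changeit if never changed).
$keytool = Join-Path $JreHome 'bin\keytool.exe'
$cacerts = Join-Path $JreHome 'lib\security\cacerts'
& $keytool -import -noprompt -trustcacerts -alias $Alias -file $CerPath -keystore $cacerts
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }

# 5. Verify: the alias must now be listed with the same fingerprint.
& $keytool -list -v -alias $Alias -keystore $cacerts | Select-String -Pattern 'Alias|SHA256'
Remove-Item $CerPath -Force
```

Restart the MID Server afterwards so the JVM reloads the trust store; with the certificate trusted, allow_self_signed_certificates can stay false.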
Caching in Plugin
MID Server discovery checks out and checks in the password multiple times for a
single server. To avoid this, the user can enable the caching functionality.
How it Works
• Passwords are saved in the DelineaCredCache.properties file in an encrypted
format.
• To encrypt the data, it fetches the secret key from the Windows credential
manager.
• When the password is checked-in, the entry from the cache file is deleted.
• If the password is not able to be cached, it will still work without caching.
How to Enable the Cache in the Plugin
1. Go to Windows Credentials and create the credential in Generic Credentials.
2. Add any name in the Internet or network address field
3. Leave the User name field blank and provide the password (password must be
provided or the caching functionality will not work).
4. Set the following parameters in the Mid Server config.xml file to enable caching.
o use_cred_cache = true
o secret_key = value of the field “Internet or network address” in the
Windows Credential Manager
5. Stop the MID Server service, then right-click the service and select Properties.
6. Select Log On > Browse.
7. Provide the credentials of the current user.
8. Click Apply > OK.
9. Restart the service.
Note: Mid Server service runs by default under the Local System account and
this account can’t access the credentials created by another user in the Windows
Credential Store. Mid Server service must run with the same account that the
password was created in the Windows Credential Store.
How to Perform Lookups to Identify the Resources in PAS
When system resources are registered or discovered in PAS, the value for the DNS
Name/IP Address field is updated with the IP address, DNS name or FQDN.
There are no independent fields in PAS to store each separately. ServiceNow usually
fetches the details of resources using IP addresses to perform a test credential and a
Discovery.
When a request containing an IP address is raised from ServiceNow, a reverse DNS or
FQDN lookup is required to find the matching system stored in Delinea PAS.
Lookup Conditions
The user is required to set parameters in the configuration file to allow certain lookups.
For more details, refer to the following:
• use_reverse_dns_lookup: true/false (default false)
• use_fqdn_lookup: true/false (default false)
• look_up_order : “IP”, “DNS”, “FQDN” (default “IP”)
With the configuration example above, the plugin will do the following:
• Look up the credentials using the requested value (for an IP, DNS or FQDN).
• Look up the credentials using the IP address.
• Look up the credentials using the results from a reverse DNS look up.
• Look up the credentials using the results from a FQDN look up.
• Or, a failure message will display.
If the results are successful, no further searches are needed.
Changing the lookup order or removing options will change the above logic
accordingly.
The option from the lookup order will be ignored if the corresponding lookup
parameter (use_reverse_dns_lookup or use_fqdn_lookup) is set to false.
This assumes that the MID Server plugin has a valid IP address and the IP address
matches one of the IP addresses on the current machine.
Note: If the IP address is not reachable from the MID Server, the DNS and FQDN lookup
will fail and the search will be performed with the requested IP address.
If none of the parameters are defined in the configuration, no lookups will be performed
and the value (IP, DNS Name, or FQDN) requested by the ServiceNow instance will be
searched in the PAS. For example, if the ServiceNow request contains an IP address, then
only that IP address will be searched in PAS.
Secret Server Configuration
Configuration
Known Constraints and Limitations
• On the ServiceNow side, there is no Domain field mapping. The Active Directory
secret requires the Username field to be formatted as user@domain or
domain\user.
• If Secret Server is utilizing an SSL certificate issued from an Active Directory
Certificate Authority (internal CA), the SSL for the site must be imported into the
Keystore for the MID Server agent. See the Configuration instructions for more
details.
Configure JAR File
1. Access your ServiceNow portal.
2. Download the JAR file from the ServiceNow App Store.
3. To upload the JAR file, go to MID Server > JAR Files and click New.
4. In the JAR file record, click Choose file and select the JAR file.
5. Provide the Name and Version and, in Source, provide the location of
the JAR file.
6. Click Submit or Update.
Verify Agent Download
Once you have submitted the JAR file through ServiceNow, your MID Servers will pull
the file. To verify that the file has been downloaded, check the extlib directory within
your agent’s root path.
Note: To update the file, verify that the modified date changes to the current day’s
timestamp.
Create a Secret in Secret Server
1. Create a secret in Secret Server. The Secret ID will display in the URL. The
following is an example of a Windows Credential.
2. Create the User in Secret Server and add them to the sharing option of the
Secret.
3. Create the role and give the permission to View Secret and View Launcher
Password and assign this role to the User.
Edit Agent Config
The config.xml file must be modified to add additional elements for the credential
resolver’s parameters. These are added at the end of the file, just before the closing
</parameters> tag.
To update the config file, follow the steps below:
1. Edit the config.xml configuration file for your MID Server.
2. Copy and paste the associated contents (based on the mode chosen) just before
the </parameters> tag at the end of the file.
3. Adjust the values accordingly.
4. Save the config.xml and close your editor.
5. Go to MID Server > Servers in the ServiceNow portal.
6. Restart the recently updated MID Server.
Note: Add the dummy parameters of PAS when using vault type Secret Server, and vice
versa. The plugin requires the configuration parameters of both vaults to be defined.
Authenticate Secret Server with ServiceNow
When authenticating Secret Server with ServiceNow there are two ways to establish a
connection: use your Secret Server username and password (Just-In-Time mode), or
write a token to a grant file (Grant File mode).
Choose from the following modes.
Just-In-Time Mode
o ss_url = URL for your Secret Server
o oauth2_username = Secret Server user account for API access
o oauth2_password = Secret Server user account password
o allow_self_signed_certificate = Set to true if you are using a self-signed cert for
the Secret Server instance
o vault_type = This parameter should be set to SS as the credentials are to be
validated with Secret Server
o is_logging = This parameter can be set to either true or false to enable
additional logging other than the default one
o log_level = Log Level 1 (Logs Info) logs information; Log Level 2 (Logs Debug)
logs for developers; Log Level 3 (Logs Error) error logs are printed; Log Level 4
(Logs all) all three log types are printed
o proxy_host = This field will be blank unless a proxy is needed to get out to the
internet from your MID Server.
o proxy_port = This field will be blank unless a proxy is needed to get out to the
internet from your MID Server.
o search_secret_by_name = This field can be set to true/false. To validate
credentials using a secret name, this field must be set to true.
Copy/paste this information into the config.xml file:
<parameter name="ss_url" value="<replace>"/>
<parameter name="oauth2_username" value="<replace>"/>
<parameter name="oauth2_password" value="<replace>"/>
<parameter name="allow_self_signed_certificates" value="false"/>
<parameter name="vault_type" value="ss"/>
<parameter name="is_logging" value="true/false"/>
<parameter name="log_level" value="1/2/3/4"/>
<parameter name="proxy_port" value=""/>
<parameter name="proxy_host" value=""/>
<parameter name="search_secret_by_name" value="true/false"/>
Note: If the user does not provide an is_logging and log_level parameter in the config
file, the default value will be true and 3.
Grant File Mode
o ss_url = URL for your Secret Server
o oauth2_grant_file = Path of the oauth2_grant.json file
o allow_self_signed_certificate = Set to true if you are using a self-signed cert for
the Secret Server instance
o vault_type = This parameter should be set to SS as the credentials are to be
validated with Secret Server
o is_logging = This parameter can be set to either true or false to enable
additional logging other than the default one.
o log_level = Log Level 1 (Logs Info) logs information; Log Level 2 (Logs Debug)
logs for developers; Log Level 3 (Logs Error) error logs are printed; Log Level 4
(Logs all) all three log types are printed
o proxy_host = This field will be blank unless a proxy is needed to get out to the
internet from your MID Server.
o proxy_port = This field will be blank unless a proxy is needed to get out to the
internet from your MID Server.
o search_secret_by_name = This field can be set to true/false. To validate
credentials using a secret name, this field must be set to true.
Copy/paste this information into the config.xml file:
<parameter name="ss_url" value="<replace>"/>
<parameter name="oauth2_grant_file" value="oauth2_grant.json"/>
<parameter name="allow_self_signed_certificates" value="false"/>
<parameter name="vault_type" value="ss"/>
<parameter name="is_logging" value="<replace>"/>
<parameter name="log_level" value="1/2/3/4"/>
<parameter name="proxy_port" value=""/>
<parameter name="proxy_host" value=""/>
<parameter name="search_secret_by_name" value="true/false"/>
Note: If the user does not provide is_logging and log_level parameters in the config file,
the default value will be true and 3.
Note: If any of the proxy-related settings are blank, the plugin will not use the proxy
server.
Scheduled Task
• The recommended method for generating the grant file is a Scheduled Task. The
task runs a PowerShell script that requests a token from the oauth2/token endpoint
or by using the ss utility from the Secret Server Client SDK.
• Save one of the scripts below (refresh-oauth2.ps1 or refresh-oauth2_useSDK.ps1)
to a desired location on the Agent server and configure a task to call it. The
frequency should be based on the Web services session timeout value for Secret
Server (for example, if it is set to 20 minutes, trigger the task every 19 minutes).
Note: To provide a secure method for the username/password required for the OAuth2
endpoint, a password file is used in which the value is encrypted. Export-Clixml
protects the SecureString with the Windows Data Protection API, so the file can only
be read by the same user account on the same machine: it is unique to each MID Server
and must be created individually on each MID Server, as the account that will run the
scheduled task.
Issue this command to create the password file:
'replace with the password' | ConvertTo-SecureString -AsPlainText -Force | Export-Clixml -Path C:\Delinea\passfile.XML
refresh-oauth2.ps1
param(
    [string]$SecretServerUrl,
    [string]$User,
    [string]$PasswordFile,
    [string]$Path
)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# The password file holds a DPAPI-protected SecureString (see the note above)
$password = Import-Clixml -Path $PasswordFile
$plainTextPwd = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($password))
$body = @{
    "grant_type" = "password"
    "username"   = $User
    "password"   = $plainTextPwd
}
# Request a token from the oauth2/token endpoint and keep only access_token
$value = Invoke-RestMethod -Method POST -Uri "$SecretServerUrl/oauth2/token" -Body $body | Select-Object -ExpandProperty access_token
# Write the bare token to the grant file the plugin reads (no trailing newline)
Set-Content -Path $Path -Encoding Ascii -Force -Value $value -NoNewline
Argument Task Example:
-NoProfile -ExecutionPolicy Bypass -Command "C:\Delinea\refresh-oauth2.ps1 -Path C:\ServiceNow\prod\agent\oauth2_grant.json -SecretServerUrl 'https://enterprisevault.com/SecretServer' -User midapp -PasswordFile 'C:\Delinea\passfile.xml'"
refresh-oauth2_useSDK.ps1
[cmdletbinding()]
param(
    [string]$Path,
    [string]$SdkPath
)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
if (Test-Path $SdkPath) {
    Set-Location $SdkPath
} else {
    throw "Unable to find SDK Path: $SdkPath"
}
if (Test-Path '.\tss.exe') {
    try {
        # The SDK client returns the current access token
        $value = .\tss.exe token
    } catch {
        throw "Unable to obtain token: $($_.Exception.Message)"
    }
} else {
    throw "Unable to find tss.exe in: $SdkPath"
}
# Write the bare token to the grant file the plugin reads (no trailing newline)
Set-Content -Path $Path -Encoding Ascii -Force -Value $value -NoNewline
Argument Task Example:
-NoProfile -ExecutionPolicy Bypass -Command "C:\Delinea\refresh-oauth2_useSDK.ps1 -Path C:\ServiceNow\prod\agent\oauth2_grant.json -SdkPath C:\Delinea\secretserver-sdk-1.4.1-win-x64"
Secret Server SSL
The following information is for on-premises Secret Server installations.
• If your certificate for the Secret Server site is published from an internal Active
Directory Certificate Authority (CA), it needs to be added to the MID Server
Agent’s local Keystore for Java.
• ServiceNow has documented the method to add the certificate found here.
The following are instructions that are not included by ServiceNow.
1. Download your SSL certificate for Secret Server to the MID Server.
2. Open a PowerShell prompt and set the location to the Java bin
directory: <fullAgentPath>\jre\bin
3. Run the following command, replacing the placeholders with your environment specifics:
.\keytool.exe -import -alias <cert alias> -file <full path to *.cer file> -keystore '<fullAgentPath>\jre\lib\security\cacerts'
Note: You will be prompted to provide the password for the Keystore. Change the
password if it hasn’t been changed previously. The second prompt will ask if you trust
the certificate being imported.
How to Enable the Search Secret by Name
1. Set the following parameter to true in the MID Server config.xml file to enable
secret search by name.
<parameter name="search_secret_by_name" value="true"/>
2. Pass the secret name from the SNOW MID Server in the Credential ID field.
3. Provide a complete name of the secret because a partial name will not work.
Note: Searching for the secret by name is not recommended because Secret
Server can have the same name for two different secrets. This functionality will
not work correctly if multiple secrets have the same name.