Summary:
- Due to recent changes in ServiceNow, a previously installed HashiCorp Vault Credential Resolver plugin may no longer be configured properly, or the earlier way of installing it may no longer be available on Rome instances of ServiceNow. These changes make CyberArk the default Credential Storage Vault.
Solution for Upgraded Instances:
- Ensure that the "Discovery" and "External Credential Storage" plugins are activated on the instance, as they may have been deactivated. If they are not active, activate them again and wait for activation to finish.
- Navigate to "Credentials" in the Discovery section of ServiceNow. *Note: The role being used needs the proper permissions to do this.
- Click the credential previously set up to store your Vault MID credentials.
- Check the "Applies to" field to confirm whether the credential applies to all MID servers or only to specific MID servers. If only specific, click the lock and search for the MID server this update should apply to.
- Make sure "External Credential Store" is checked.
- Click the dropdown for "Credential Storage Vault" where CyberArk is listed.
- Select "None" in the dropdown.
- Click "Update".
- Test the connection to your MID server to ensure that your credentials are working as expected.
- If the test fails, confirm that the Vault Agent configuration file is correct, along with the path being used. Then check the AppRole config that the Vault Agent is configured to use, ensuring that "secret_id" and "role_id" are still valid. Finally, double-check that the correct path is set in the Credential ID field in ServiceNow for the credential being used.
- If the test succeeds, the setup is ready to go again.
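The local part of the troubleshooting step above can be checked offline. The following is an added example, not code from HashiCorp or ServiceNow: it inspects a Vault Agent config for its AppRole auto_auth settings and the role_id and secret_id files they point to. The sample config, file names and function name are assumptions, and whether the IDs are still accepted by Vault can only be confirmed against Vault itself.

```python
import os
import re

# Constructed sample Vault Agent config (not from the article); file names are assumptions.
SAMPLE_CONFIG = '''
auto_auth {
  method "approle" {
    config = {
      role_id_file_path   = "role_id"
      secret_id_file_path = "secret_id"
    }
  }
}
'''

def check_agent_approle(config_text, base_dir="."):
    """Return a list of local problems with the agent's AppRole auto_auth settings."""
    if not re.search(r'method\s+"approle"|type\s*=\s*"approle"', config_text):
        return ["no approle auto_auth method found"]
    problems = []
    for key in ("role_id_file_path", "secret_id_file_path"):
        match = re.search(key + r'\s*=\s*"([^"]+)"', config_text)
        if not match:
            problems.append(key + " is not set")
            continue
        path = os.path.join(base_dir, match.group(1))  # absolute paths ignore base_dir
        if not os.path.isfile(path):
            problems.append(key + ": file is missing")
        elif os.path.getsize(path) == 0:
            problems.append(key + ": file is empty")
    # Vault Agent deletes the secret_id file after reading it unless this is false,
    # so a missing file after an agent restart usually traces back to this setting.
    flag = re.search(r'remove_secret_id_file_after_reading\s*=\s*(true|false)', config_text)
    if flag is None or flag.group(1) == "true":
        problems.append("secret_id file is removed after first read")
    return problems

if __name__ == "__main__":
    for problem in check_agent_approle(SAMPLE_CONFIG):
        print("CHECK:", problem)
```

An empty list means the local files and settings look consistent; the Credential ID path in ServiceNow still has to be checked separately.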
Solution for New ServiceNow Rome instances:
- The steps in "Installing the Vault Credential Resolver" should still be followed to install the resolver properly and to configure the Vault Agent that will be used, along with the AppRole setup needed.
- Activate "Discovery" and "External Credential Storage" plugins for ServiceNow.
- Click "Credentials".
- Select the type of credentials from the list provided.
- Once the "External Credential Store" box is ticked, new fields will appear and CyberArk will become the default.
- As mentioned in "Configuring the Resolver to Use a Secret", set "Credential ID" to the secret path. If you use namespaces, the namespace goes at the front of the path, as follows:
<namespace/path/to/secret>
- Click "CyberArk" and change it to "None". The "Lookup key" field will disappear, and the rest of the configuration for the credential can be set, tested, and submitted.