Running Delinea MidServer Setup Utility for Secret Server

After establishing the basic requirements for creating a service account and a discovery secret, you need to run the Delinea MidServer Setup Utility. This utility is designed to generate all necessary parameters while providing a secure and reliable method for storing user credentials, avoiding the use of plain text in the MidServer configuration file. It facilitates the configuration of the connection between your MID Server and Secret Server.

To run the Delinea MidServer Setup Utility:

  1. Open a command prompt or terminal and navigate to the location of the DelineaMidServerSetupUtility jar JAR file.

  2. Run the command Java -jar DelineaMidServerSetupUtility.jar.

    You can use bundled Java to run the DelineaMIDServerSetupUtility.jar without any extra setup if using built-in Java.

    Open Command Prompt, go to the following folder:

    C:\servicenow\agent\jre\bin

    Then run this command:

    java -jar C:\servicenow\agent\extlib\DelineaMidServerSetupUtility.jar

    This uses the same Java that the MID Server runs on, so it is compatible and no separate Java installation is needed for Delinea integration.

  3. For additional information, enter the command --help for each question.

It is important to run this utility on each MID Server and ensure the Java version is at least 11. If not done correctly, the encryption and decryption process may not work as intended.

To set the complete configuration, enter the following information:

  1. Do you want to setup the complete configuration ?(y/n)

    1. Yes – Complete configuration setup (All parameters)

    2. No – Only encrypts the credentials

  2. Enter vault type (SS (Secret Server) or PAS (Privileged Access Service)): SS

  3. Enter Secret Server or Platform URL: Provide SS URL

  4. Using oauth2 grant file for token ?(y/n)

    1. Yes – Provide the oauth2 grant file path in next question

    2. No – Provide SS credentials in next questions

  5. Enter the Secret Server or Platform username: Provide the SS username.

  6. Enter the Secret Server or Platform password: Provide the SS password.

  7. Do you want to use proxy ?(y/n)

    1. Yes – Provide proxy details in the next questions.

    2. No – Parameters generated without Proxy.

Find and copy the generated parameters from a configuration.txt file within the same folder and paste it into the config.xml file of the ServiceNow MID Server (Go to Mid Server path> agent folder and look for the file named config.xml).

DelineaMidServerSetupUtility validates Secret Server credentials at runtime. If the credentials are not validated, the process will stop.

Updating MidServer config.xml

The config.xml file contains the necessary configuration settings to establish the communication between the MID Server and Secret Server. Update the config.xml with the correct server URLs, authentication details, and any relevant settings for your credential storage.

(Optional) Running Delinea MidServer SetupUtility with Command Line Arguments

This is not needed when running the setup utility manually.

It is also possible to run the MidServer SetupUtility using command line arguments for automation.

To run the Delinea MidServer Setup Utility using command line arguments:

  1. Open the command prompt.

  2. Run the java -jar DelineaMidServerSetupUtility.jar vault_type ss_or_platform_url username password proxy_host proxy_port proxy_username proxy_password command.

  3. Specify the following parameters:

    Argument Description
    vault_type Use SS or PAS.
    ss_or_platform_url Secret Server or Platform URL.
    username Secret Server username.
    password Secret Server password (no spaces allowed).
    proxy_host (Optional) Proxy server IP.
    proxy_port (Optional) Proxy port.
    proxy_username (Optional) Proxy auth username.
    proxy_password (Optional) Proxy auth password.

The command will only generate the ss_auth_str and proxy_auth_str parameters. You need to copy the remaining parameters manually into the config.xml file.

The Delinea MidServer Setup Utility.jar can only be run from the command line if the usernames and passwords contain no spaces. The password will be visible after you enter it in the command line.

Editing the Configuration File

The config.xml file will be modified to add additional elements for the credential resolver’s parameters. These are added at the end of the file just before the closing tag . To update the config file, follow the steps below:

  1. Open the config.xml file located in the MID Server installation directory (<Mid Server path>\agent\config.xml) using a text editor.

  2. Copy the relevant parameters generated by the setup utility from the configuration.txt file.

  3. Paste these parameters just before the closing </parameters> tag at the end of the config.xml file.

  4. Adjust any placeholder values as needed (for example, URLs or usernames).

  5. Save the config.xml file and close your editor.

  6. In the ServiceNow portal, navigate to MID Server > Servers, locate the MID Server you updated, and restart it to apply the new configuration.

Authentication Modes for Connecting Secret Server to ServiceNow

When integrating Secret Server with ServiceNow, there are two supported authentication methods:

  • Username and Password (Just-in-Time Mode)

  • OAuth2 Token File (Grant File Mode)

The table below outlines the parameters used in each mode:

Parameter Name Usage in Authentication Modes
ss_or_platform_url For both Just-in-Time and Grant File modes use the URL of your Secret Server or Delinea Platform instance.
ss_or_platform_auth_str

  • For Just-in-Time mode, provide the encrypted string containing username and password generated by the setup utility.

  • For Grant File mode, this parameter is not used.
oauth2_grant_file

  • For Grant File mode, provide the path to the oauth2_grant.json file used for tokenbased authentication.

  • For Just-in-Time mode, this parameter is not used.
allow_self_signed_certificate For both Just-in-Time and Grant File modes, set to true to accept self-signed SSL certificates if applicable; otherwise, set to false.
vault_type For both Just-in-Time and Grant File modes, set to ss to indicate Secret Server and pas to indicate PAS.
is_logging For both Just-in-Time and Grant File modes, set to true or false to enable or disable verbose logging If not specified, defaults to true.
log_level
    For both Just-in-Time and Grant File modes, set to 1 (Info), 2 (Debug), 3 (Error), or 4 (All) to control log verbosity:
    Log Level 1 (Logs Info): logs Information
    Log Level 2 (Logs Debug): logs for developer
    Log Level 3 (Logs Error): if any error logs will get printedLog
    Level 4 (Logs all): all above three logs type will get printed
proxy_host For both Just-in-Time and Grant File modes, specify proxy host if required. Leave blank if no proxy is needed.
proxy_port For both Just-in-Time and Grant File modes, specify proxy port if required. Leave blank if no proxy is needed.
proxy_auth_str For both Just-in-Time and Grant File modes, provide encrypted proxy credentials generated by the setup utility if a proxy requires authentication, otherwise leave blank
search_secret_by_name For both Just-in-Time and Grant File modes set to true to validate credentials using secret name instead of secret ID, otherwise, set to false.
auto_comment

For both Just-in-Time and Grant File modes provide a string to include an auto comment when accessing secrets if Require comment is enabled in Secret Server, leave empty if not used.
cache_url For both Just-in-Time and Grant File modes provide the Delinea Credentials Cache URL in format https://host:port if credential caching is enabled. Leave blank if not used.

Example: Just-in-Time (JIT) Authentication Configuration

Copy/paste this information into the config.xml file:

Copy 
\<parameter name="ss_or_platform_url" value="\<replace\>"/>

\<parameter name=" ss_or_platform_auth_str" value="\<replace\>"/>

\<parameter name="allow_self_signed_certificates" value="false"/>

\<parameter name="vault_type" value="ss"/>

\<parameter name="is_logging" value="true/false"/> 

\<parameter name="log_level" value="1/2/3/4"/>

<parameter name="proxy_port" value=""/>

<parameter name="proxy_host" value=""/>

<parameter name=" proxy_auth_str" value=""/>

<parameter name="search_secret_by_name" value="true/false"/>

<parameter name="auto_comment" value=""/>

<parameter name="cache_url" value=""/>

If you do not include the is_logging and log_level parameters in the configuration file, the plugin uses these defaults: is_logging: true, log_level: 3 (Error level).

Example: Grant File (OAuth2) Authentication Configuration

Copy/paste this information into the config.xml file:

Copy 
\<parameter name="ss_or_platform_url" value="\<replace\>"/>

\<parameter name="oauth2_grant_file" value="oauth2_grant.json"/>

\<parameter name="allow_self_signed_certificates" value="false"/>

\<parameter name="vault_type" value="ss"/>

\<parameter name="is_logging" value="\<replace\>"/> 

\<parameter name="log_level" value="1/2/3/4"/> 

<parameter name="proxy_port" value=""/>

<parameter name="proxy_host" value=""/>

<parameter name=" proxy_auth_str" value=""/>

<parameter name="search_secret_by_name" value="true/false"/>

<parameter name="auto_comment" value=""/>

<parameter name="cache_url" value=""/>

If you do not include the is_logging and log_level parameters in the configuration file, the plugin uses these defaults: is_logging: true, log_level: 3 (Error level).

If you leave any of the proxy-related parameters blank, the plugin does not use a proxy server.

Enabling the Search Secret by Name

  1. Set the following parameter as true in the MID Server config.xml file to enable secret search by name.

    \<parameter name="**search_secret_by_name**" value="true"/\>

  2. Pass the secret name from the ServiceNow MID Server in the Credential ID field.

  3. Provide a complete name of the secret because a partial name will not work.

    Searching for the secret by name is not recommended because Secret Server can have the same name for two different secrets. This functionality will not work correctly if multiple secrets have the same name.

Enabling Auto Comment on Secrets

  1. In Secret Server, select your secret.

  2. Go to the Security tab.

  3. In the Other security section, select the edit pencil icon and select the Require comment checkbox. Select Save.

  4. The Require comment field is now set to Yes.

  5. In the Mid Server config.xml file, set the following parameter as a string as follows: <parameter name="auto_comment " value="Enter your comment"/>.

If the auto_comment parameter is empty, it will not provide any comment while viewing the secret.

Enabling Delinea Credentials Cache

To enable Delinea Credentials Cache, open the Mid Server config.xml file and set the cache URL (URL format should be url:port) parameter as follows: <parameter name="cache_url" value="https://10.XX.XX.XXX:80XX"/>. For more details, see Delinea Credentials Cache.

The Delinea Cred Cache does not support validating credentials using a secret name. Users can only validate the credentials using the secret ID. Also, it does not support SSH private key credentials.