Integrating Secret Server with MidServer Credential Resolver

Integrating the Secret Server with the MidServer Credential Resolver allows for secure credential storage and enables the MidServer in your ServiceNow instance to dynamically retrieve these credentials during automation tasks.

Known Constraints and Limitations

  • On the ServiceNow side, there is no Domain field mapping. The Active Directory secret requires the Username field to be formatted as user@domain or domain\user.

  • If the Secret Server is utilizing an SSL certificate issued from an Active Directory Certificate Authority (internal CA), the SSL for the site must be imported into the Keystore for the MID Server agent. See the Configuration instructions for more details.

Secret Server Implementation Modes

  • Secret Server offers the following two implementation modes.

    • Just-In-Time mode

    In this mode, the MID Server agent configuration file is modified to include the Secret Server API account’s credential in encrypted format. The MID Server agent handles authenticating to the REST API and requesting the needed OAuth2 token to retrieve secrets.

    You must provide credentials (for example, username and password) in encrypted format within the configuration file. If this method is used, ensure that access to the MID Server agent’s folder is restricted.

    • Grant File Mode

    In this mode, the MID Server agent configuration file is modified to include the path to an oauth2_grant.json file. This file contains the access token the agent will use to authenticate API calls. It requires an external source to write the OAuth2 token to the file.

    The external source must run on a regular schedule based on the Web Services configuration of your Secret Server instance. The Windows Task Scheduler is the recommended mechanism.
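The following PowerShell script is an added example of the "external source" Grant File Mode needs; it is not part of the Secret Server or ServiceNow documentation. It requests an OAuth2 token from Secret Server's REST API and writes it to the grant file, keeping the API account's password out of the script by loading it from a DPAPI-protected credential file. The URL, file paths and service account name are placeholders, and the grant file is assumed to hold the token response as Secret Server returns it; confirm the exact file layout against the MID Server Credential Resolver documentation before relying on it.

```powershell
# Added example (not Delinea's or ServiceNow's own code): refresh the OAuth2 token
# for Grant File Mode and write it to oauth2_grant.json.
# Assumptions: $SecretServerUrl, $GrantFilePath, $CredentialXml and
# $MidServerAccount are placeholders; the grant file is assumed to contain the
# token response as returned by Secret Server (verify against the resolver docs).
[CmdletBinding()]
param(
    [string]$SecretServerUrl  = 'https://secretserver.example.internal/SecretServer',
    [string]$GrantFilePath    = 'C:\ServiceNow\MID Server\agent\oauth2_grant.json',
    [string]$CredentialXml    = 'C:\ServiceNow\MID Server\agent\ss_api_account.xml',
    [string]$MidServerAccount = 'NT SERVICE\snc_mid'
)

$ErrorActionPreference = 'Stop'

# The API account credential is stored DPAPI-protected, created once
# interactively under the account that will run the scheduled task:
#   Get-Credential | Export-Clixml -Path $CredentialXml
$apiCred = Import-Clixml -Path $CredentialXml

# Secret Server's OAuth2 token endpoint: POST /oauth2/token, password grant.
$body = @{
    username   = $apiCred.UserName
    password   = $apiCred.GetNetworkCredential().Password
    grant_type = 'password'
}
$token = Invoke-RestMethod -Method Post -Uri "$SecretServerUrl/oauth2/token" `
    -ContentType 'application/x-www-form-urlencoded' -Body $body
Remove-Variable -Name body   # drop the plaintext password as soon as it is used

if (-not $token.access_token) { throw 'Secret Server returned no access_token' }

# Write to a temp file in the same directory, then replace the grant file in a
# single move so the agent never reads a half-written file.
$tmp = "$GrantFilePath.tmp"
$token | ConvertTo-Json | Set-Content -Path $tmp -Encoding UTF8
Move-Item -Path $tmp -Destination $GrantFilePath -Force

# Lock the file down: strip inherited ACEs, then allow only SYSTEM, local
# Administrators and the MID Server service account (read-only) to reach it.
icacls $GrantFilePath /inheritance:r `
    /grant:r 'NT AUTHORITY\SYSTEM:(F)' 'BUILTIN\Administrators:(F)' "${MidServerAccount}:(R)" | Out-Null

Write-Output ("Grant file refreshed; token expires in {0} seconds" -f $token.expires_in)
```

Register the script with Register-ScheduledTask under the same account that exported the credential file (DPAPI ties the file to that user), using a repeating trigger such as `New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 15)`. The repetition interval must be shorter than the token lifetime reported in `expires_in`, which is governed by the Web Services settings in Secret Server, otherwise the agent will periodically hold an expired token.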