Setup
This setup must be completed before running the setup utility on each MID Server. For more information, see Running the Setup Utility on Each MID Server.
Step 1: Install the MID Server Plugin
To obtain the required setup utility and integration files, install the Delinea Credential Resolver plugin from the ServiceNow Store.
Installing the Integration Plugin via the ServiceNow Store
To install the plugin automatically:
- Sign in to your ServiceNow Store account.
- Search for Delinea Credential Resolver.
- Select Install.
- Follow the prompts to deploy the plugin into your ServiceNow instance.
This plugin contains both the platform-side resolver logic and the utility JAR archive used for MID Server setup.
Installing the Integration Plugin via Manual XML Import
To manually install via XML Import:
XML installation is mandatory starting from the Xanadu version when the application is not installed through the ServiceNow Store.
If you are unable to use the ServiceNow Store for installation or prefer a manual setup, you can import the necessary XML files into ServiceNow.
Download the most recent version of the integration from this location.
To import an XML file into ServiceNow using the MID Server integration:
Unzip the downloaded file.
The extracted archive should contain the following files:
- DelineaCredentialResolver_xml.xml
- DelineaCredentialResolver-<version number>.jar
- DelineaMidServerSetupUtility.jar
- Release Notes
Uploading the XML file will also install the required JAR files when performing a manual installation. If you are using any version before Xanadu, you may continue to install the application by simply adding the required JAR files and skipping the XML installation process.
Step 2: Locate and Extract the Setup Utility
After installing the plugin, locate the JAR archive deployed to the MID Server file system.
To extract the setup utility:
- On your MID Server host machine, navigate to the plugin’s installed directory:
  - <MID Server Root>\agent\extlib
- Locate the archive that includes:
  - DelineaCredentialResolver.jar
  - DelineaMidServerSetupUtility.jar
- Extract the archive using a ZIP utility.
- Move DelineaMidServerSetupUtility.jar to a known location for running in the next step.
Step 3 (Optional): Enable Grant File Mode
If you plan to use Grant File Mode, you must run a separate PowerShell script on the MID Server to generate the required oauth2_grant.json file.
The PowerShell script required for Grant File Mode is not included in the plugin or setup utility archive.
To use Grant File Mode, you must create or obtain one of the following PowerShell scripts:
- refresh-oauth2.ps1 – uses a direct REST API call to get a token
- refresh-oauth2_useSDK.ps1 – uses the Delinea Secret Server SDK to get a token
These scripts are essential for generating the oauth2_grant.json file, which is used by the MID Server during credential resolution in Grant File Mode.
Additional Setup Notes for Grant File Mode
To enable Grant File Mode using refresh-oauth2.ps1, use the following setup:
- Run the following PowerShell command to create a secure password file:
    'replace-with-your-password' | ConvertTo-SecureString -AsPlainText -Force | Export-Clixml -Path C:\Delinea\passfile.XML
  Replace the placeholder with your actual password. This file will be used by refresh-oauth2.ps1 to fetch tokens securely.
- Create a PowerShell script named refresh-oauth2.ps1 with the following script:
    param(
        [string]$SecretServerUrl,   # Base URL of Secret Server
        [string]$User,              # Account used to request the token
        [string]$PasswordFile,      # File created with Export-Clixml
        [string]$Path               # Output path for oauth2_grant.json
    )
    # Use TLS 1.2 for the token request
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    # Load the SecureString and convert it to plain text for the request body
    $password = Import-Clixml -Path $PasswordFile
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
    try {
        $plainTextPwd = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    } finally {
        # Zero and free the unmanaged copy of the password
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
    $body = @{
        "grant_type" = "password"
        "username" = $User
        "password" = $plainTextPwd
    }
    # Request a token and write only the access_token value to the grant file
    $value = Invoke-RestMethod -Method POST -Uri "$SecretServerUrl/oauth2/token" -Body $body | Select-Object -ExpandProperty access_token
    Set-Content -Path $Path -Encoding Ascii -Force -Value $value -NoNewline
- Create a run.bat file and add the following script inside it:
    powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "C:\Delinea\refresh-oauth2.ps1 -Path C:\ServiceNow\prod\agent\oauth2_grant.json -SecretServerUrl 'https://enterprisevault.com/SecretServer' -User midapp -PasswordFile 'C:\Delinea\passfile.xml'"
- Double-click the recently created run.bat file. This will securely create the oauth2_grant.json file used by the Delinea MID Server.
- Copy and paste the path of the oauth2_grant.json file. This is required when running the Delinea MID Server Setup Utility.
To enable Grant File Mode using refresh-oauth2_useSDK.ps1, use the following setup:
- Create a refresh-oauth2_useSDK.ps1 file and copy the following script inside it:
    [CmdletBinding()]
    param(
        [string]$Path,      # Output path for oauth2_grant.json
        [string]$SdkPath    # Folder that contains tss.exe
    )
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    if (Test-Path $SdkPath) {
        Set-Location $SdkPath
    } else {
        throw "Unable to find SDK Path: $SdkPath"
    }
    if (Test-Path '.\tss.exe') {
        try {
            $value = .\tss.exe token
        } catch {
            throw "Unable to obtain token: $($_.Exception.Message)"
        }
    } else {
        # Fail instead of writing an empty grant file
        throw "Unable to find tss.exe in: $SdkPath"
    }
    Set-Content -Path $Path -Encoding Ascii -Force -Value $value -NoNewline
- Download secretserver-sdk-1.5.9-win-x64. The SDK client can be downloaded as follows:
  - Linux x64 (including RHEL 7 to 9)
- Unzip the SDK file, open a Command Prompt and navigate to the directory where secretserver-sdk-1.x.x-win-x64 is located. Use the SDK to connect to Secret Server using the onboarding key.
- The rule name and onboarding key will be required. Go here to see how to create the SDK client rule.
- Create a run.bat file and add the following script inside it:
    powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "C:\Delinea\refresh-oauth2_useSDK.ps1 -Path C:\ServiceNow\prod\agent\oauth2_grant.json -SdkPath C:\Delinea\secretserver-sdk-1.5.0-win-x64"
- Double-click the recently created run.bat file. This will securely create the oauth2_grant.json file used by the Delinea MID Server.
passfile.XML – Stores the encrypted password securely.
Run.bat – Triggers the PowerShell script.
refresh-oauth2_useSDK.ps1 – Fetches token using the SDK and outputs JSON token.
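As an added example (not part of the Delinea plugin or scripts), the following PowerShell restricts the NTFS permissions on passfile.xml and oauth2_grant.json and reports any identity that still has access; refresh-oauth2.ps1 writes the access token to oauth2_grant.json as plain text, so read access to that file is access to the token. The two account names are constructed placeholders, the file paths are the ones used in the run.bat examples, and the script assumes an elevated PowerShell session.

```powershell
param(
    # Constructed placeholders: replace with the real accounts.
    [string]$RefreshAccount    = 'CONTOSO\svc-oauth-refresh',  # account that runs run.bat
    [string]$MidServiceAccount = 'CONTOSO\svc-midserver',      # account of the MID Server service
    # Paths as used in the run.bat examples on this page.
    [string]$PassFile  = 'C:\Delinea\passfile.xml',
    [string]$GrantFile = 'C:\ServiceNow\prod\agent\oauth2_grant.json'
)

# Explicit grants per file: identity -> FileSystemRights.
$policy = @{
    $PassFile  = @{ $RefreshAccount = 'Read' }
    $GrantFile = @{ $RefreshAccount = 'Modify'; $MidServiceAccount = 'Read' }
}

function Set-ExplicitAcl {
    param([string]$Path, [hashtable]$Grants)
    $acl = Get-Acl -LiteralPath $Path
    # Disable inheritance and discard the ACEs inherited from the parent folder.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove explicit ACEs that are already on the file.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    foreach ($id in $Grants.Keys) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, $Grants[$id], 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-UnexpectedAce {
    param([string]$Path, [string[]]$Expected)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $Expected -notcontains $_.IdentityReference.Value
    }
}

foreach ($file in $policy.Keys) {
    if (-not (Test-Path -LiteralPath $file)) { Write-Warning "Not found: $file"; continue }
    $grants = $policy[$file] + @{ 'BUILTIN\Administrators' = 'FullControl' }
    Set-ExplicitAcl -Path $file -Grants $grants
    $extra = Get-UnexpectedAce -Path $file -Expected @($grants.Keys)
    if ($extra) {
        Write-Warning "$file also grants access to: $($extra.IdentityReference -join ', ')"
    } else {
        Write-Output "$file restricted to: $($grants.Keys -join ', ')"
    }
}
```

Because Export-Clixml protects a SecureString with Windows DPAPI for the account and computer that created it, passfile.xml has to be created while signed in as the account that later runs run.bat.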