Setup

This setup must be completed before running the setup utility on each MID Server. For more information, see Running the Setup Utility on Each MID Server.

Supported Credential Types

The following credential types are supported and can be validated as part of the integration:

  • Windows

  • JDBC

  • Kubernetes

  • Azure Service Principal

  • SSH

  • SSH PrivateKey

  • SNMPv3

  • SNMP Community

  • JMS

  • VMware

  • Active Directory Account

  • AWS Credentials

  • API Key Credentials

  • Google API Credentials (GCP)

  • Google Cloud Credentials

  • OAuth2.0 Credentials

  • IBM Credentials

Step 1: Install the MID Server Plugin

To obtain the required setup utility and integration files, install the Delinea Credential Resolver plugin from the ServiceNow Store.

Option A: Installing the Integration Plugin via the ServiceNow Store

To install the plugin automatically:

  1. Go to ServiceNow Store.

  2. Search for Delinea Credential Resolver.

  3. Select Install.

  4. Follow the prompts to deploy the plugin into your ServiceNow instance.

    Once the plugin is downloaded, you should have the following files:

    • DelineaCredentialResolver-5.2.0

  5. Download the utilities from this location and then locate and extract the utility.

This plugin contains both the platform-side resolver logic and the utility JAR archive used for MID Server setup.

Option B: Installing the Integration Plugin via Manual XML Import

To manually install via XML Import:

XML installation is mandatory starting from the Xanadu version when the application is not installed through the ServiceNow Store.

If you are unable to use the ServiceNow Store for installation or prefer a manual setup, you can import the necessary XML files into ServiceNow.

Download the most recent Delinea Credential Resolver version from this location.

To import an XML file into ServiceNow using the MID Server integration:

Unzip the downloaded file.

The extracted file should contain the following files:

  • DelineaCredentialResolver-5.2.0.jar

  • DelineaMidServerCLIUtility-5.2.0.jar

  • DelineaMidServerUIUtility-5.2.0.jar

Uploading the XML file will also install the required JAR files when performing a manual installation. If you are using any version before Xanadu, you may continue to install the application by simply adding the required JAR files and skipping the XML installation process.

Steps to Import an XML File

  1. Log in to ServiceNow.

  2. Go to the All tab and select Retrieved Update Sets.

  3. Select Import Update Set from XML.

  4. Choose the unzipped XML file, then select Upload.

  5. After the import, locate the file under Retrieved Update Sets.

  6. Open the uploaded file and select Preview Update Set.

  7. If you see an error after the preview, select it and then select Accept the Remote Set from the dropdown. Accepting those errors won’t affect integration functionality.

  8. Verify that the state is changed to Previewed.

  9. Select Commit Update Set.

  10. Once committed, the state changes to Committed, indicating the integration installation is complete.

  11. When the Credential Resolver installation is complete, proceed to configure the corresponding product:

Step 2: (Optional) Add an SSL Certificate to the MID Server

If the Secret Server uses a certificate published from an internal Active Directory Certificate Authority (CA) or an internal self-generated certificate, that certificate must be added to the MID Server agent's local Java keystore.

How SSL Trust Works

The MID Server (and the credential resolver JAR) relies on the Java truststore (cacerts) to validate the HTTPS certificate presented by the Delinea Secret Server. During initial setup, there is typically no need to manually import certificates, as long as the certificate chain presented by the server is trusted by the default Java truststore.

If the Secret Server is updated to use a certificate chain that includes a new intermediate certificate not present in the MID Server's Java truststore, SSL validation fails.

There are no automatic updates to the MID Server truststore. Any new or missing intermediate certificates must be added manually.

Certificate Chain Rotation and Intermediate Expiry

If the integration was working previously and starts failing, the cause is typically a certificate expiration or a change in the certificate chain. For example, Sectigo intermediate certificates rotated in April 2025 may cause trust failures if the new intermediate is not present in the MID Server's truststore.

If everything was working previously, it typically indicates that:

  • The truststore already contained the required root and intermediate certificates, or

  • The server was presenting a certificate chain compatible with the existing truststore.

In such cases, the new intermediate certificate must be imported into the MID Server's Java truststore to reestablish trust.

Diagnostic Checklist

Before importing a certificate, administrators should confirm the following:

  • Whether the SSL certificate or certificate chain was recently updated on the Secret Server.

  • The exact error message observed (for example, PKIX or certificate path errors) to validate that this is a trust-related issue.

For detailed troubleshooting of PKIX errors, see PKIX Path Building Failed (Certificate Issue).

Import the SSL Certificate

  1. Download the SSL certificate for the Secret Server to the machine where the MID Server is installed:

    1. Navigate to the Secret Server URL in a browser.

    2. Click the site icon in the address bar.

    3. Select Certificate > Details > Export and save the certificate in DER-encoded binary (.cer) format.

  2. Open a terminal and navigate to the Java bin directory:

    MID_Server\agent\jre\bin

  3. Run the following command, replacing the alias name and file path with the appropriate values for the environment:

    keytool -import -alias certificateAliasName -file "full path to\example.cer" -keystore "MID_Server\agent\jre\lib\security\cacerts"

    • -alias — A meaningful name for the certificate alias.

    • -file — The path of the exported .cer certificate.

  4. When prompted, enter the keystore password. The default password is changeit.

  5. When prompted to trust the certificate, select Yes. The certificate is imported into the truststore.

  6. (Optional) List all certificates and verify the alias name:

    keytool -list -keystore "MID_Server\agent\jre\lib\security\cacerts"

  7. Restart the MID Server service.
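
To confirm that the entry listed in step 6 is the certificate that was exported, and not just a matching alias, this added example (not part of the Delinea documentation) compares the SHA-256 fingerprint of the exported file with the fingerprint lines in keytool -list output. The function names, the alias secretserverca and the sample data are constructed, and the parser assumes the "Certificate fingerprint (SHA-256)" line format printed by recent JDK keytool versions.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+),.*trustedCertEntry")
FP_RE = re.compile(r"fingerprint \(SHA-?256\):\s*(?P<fp>[0-9A-Fa-f:]+)")

def cert_fingerprint(data: bytes) -> str:
    """SHA-256 of the certificate's DER bytes, formatted like keytool (AA:BB:...)."""
    pem = PEM_RE.search(data)
    if pem:  # Base64 export instead of DER: decode the body first
        data = base64.b64decode(b"".join(pem.group(1).split()))
    digest = hashlib.sha256(data).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_keytool_list(output: str) -> dict:
    """Return {alias: fingerprint} from `keytool -list` text output."""
    entries, alias = {}, None
    for line in output.splitlines():
        entry, fp = ENTRY_RE.match(line), FP_RE.search(line)
        if entry:
            alias = entry.group("alias").strip().lower()
        elif fp and alias:
            entries[alias] = fp.group("fp").upper()
            alias = None
    return entries

def check_import(cert_data: bytes, keytool_output: str, alias: str) -> str:
    """Compare the exported certificate with what the truststore lists."""
    wanted = cert_fingerprint(cert_data)
    entries = parse_keytool_list(keytool_output)
    alias = alias.lower()  # aliases are compared case-insensitively here
    if entries.get(alias) == wanted:
        return "trusted"
    if alias in entries:
        return "alias holds a different certificate"
    if wanted in entries.values():
        return "certificate present under another alias"
    return "not imported"

# Constructed sample data: placeholder bytes, not a real certificate, and
# listing text shaped like recent JDK `keytool -list` output (assumption).
SAMPLE_CERT = b"constructed placeholder bytes, not a real certificate"
SAMPLE_OUTPUT = (
    "Your keystore contains 1 entry\n\n"
    "secretserverca, Apr 3, 2025, trustedCertEntry, \n"
    "Certificate fingerprint (SHA-256): " + cert_fingerprint(SAMPLE_CERT) + "\n"
)
```

In practice, pass the bytes of the exported .cer file and the captured text of the keytool -list command to check_import; any result other than "trusted" means the truststore does not hold that certificate under the expected alias.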

Step 3: Locate and Extract the Setup Utility

After installing the plugin, locate the JAR archive deployed to the MID Server file system.

JAR File Installation

  1. Go to MID Server > JAR files and select New.

  2. In the Name and Version fields, provide details of the DelineaCredentialResolver.jar file.

  3. In the Source field, provide the location of the file.

  4. Select Submit or Update.

  5. Restart the MID Server service.

To extract the setup utility:

  1. On your MID Server host machine, navigate to the plugin’s installed directory:

    • <MID Server Root>\agent\extlib

  2. Locate the archive that includes:

    • DelineaCredentialResolver-5.2.0

    • DelineaMidServerCLIUtility-5.2.0.jar

    • DelineaMidServerUIUtility-5.2.0.jar

  3. Extract the archive using a ZIP utility.

  4. Move DelineaMidServerCLIUtility-5.2.0.jar and DelineaMidServerUIUtility-5.2.0.jar to a known location for running in the next step.

Step 4: Run the Setup Utility on Each MID Server

The DelineaMidServerUIUtility-5.2.0.jar supports UI mode (version 5.0+). For headless Linux systems without a graphical environment, use the DelineaMidServerCLIUtility-5.2.0.jar for command-line mode as described in the manual configuration section.