ServiceNow

Preparation

This section describes what you need to prepare before implementing SGC for 1E in your network. Typically, these are tasks that may take some time to organize, depending on how your organization works. A more complete checklist of tasks is provided in Requirements.

Preparation for Basic Authentication

Follow these steps to configure your ServiceNow instance for Basic Authentication:

  1. Installing 1E

  2. Installing and configuring 1E Core

  3. Adding a 1E user account for SGC for 1E

Installing 1E

For information on installing Tachyon 8.1 (on-premises), please refer to Planning for 1E 9.0.

Installing and configuring 1E Core for Basic Authentication

Please refer to the 1E Core 2.1 - Preparation page for more details on preparing the 1E Core application. In that documentation, you will need to follow the instructions for the following:

  1. Disable 1E Two-factor Authentication.

  2. Check your 1E License.

  3. Enable basic authentication for the Consumer node of the 1E website.

  4. Add the 1EServiceNowCore Consumer.

  5. Bypass approval for the 1EServiceNowCore Consumer in the 1E database.

Adding a 1E user account for SGC for 1E

To configure a 1E user:

  1. Log on to the Settings app using a 1E user account that has at least the Permission Administrator role.

  2. Navigate to Permissions → Users.

  3. Click on the Add button available on the right side.

  4. A pop-up window opens up as shown in the picture.

  5. In the Select AD user field, type the name, or part of the name, of the Active Directory user or security group that you want to add. A list of matching names is retrieved from Active Directory and displayed as you type. The list is filtered so that users or groups that have already been added do not appear.

    In our example, the user has typed cmdb, and 1E has returned CMDB User [LAB1\CMDBUser].

    233277459.png
  6. Select the user you want to add from the list. In our example it is CMDB User [LAB1\CMDBUser].

  7. Now click the Add button to add the user.

    233277460.png
  8. You can see that the user has been added. Click the Edit button on the right side of the panel.

    233277461.png
  9. A pop-up window opens that allows you to edit the roles assigned to the user.

  10. Select the role you want to assign to the user. In our example we have selected the Global Actioners role, as we want the user to be able to perform actions on all 1E instructions.

    233277462.png
  11. Once the roles have been selected, click on Save. You should see the Global Actioners in the role list.

    233277463.png
Preparation for Modern Authentication

Follow these steps to configure your ServiceNow instance for Modern Authentication:

  1. Upgrading SGC for 1E

  2. Prerequisite

  3. Configure Azure AD/Okta and 1E

  4. Preparing the certificates for ServiceNow

  5. Upload PEM and JKS certificates

  6. ServiceNow OAuth steps

    • Upload PEM and JKS certificates

    • Configure a JWT signing key

    • Create a JWT provider

Microsoft Entra ID IdP

For more information on how to configure, please refer to Provisioning and Upgrading Guide for 23.7.

Upgrading SGC for 1E

Before upgrading, ensure that the following tables have been backed up:

  1. Triggered Instructions

  2. Instruction definitions

Now perform the following steps to upgrade the application:

  1. In ServiceNow, navigate to My Company Applications. This opens the Application Manager page as shown in the picture below.

    Note

    If the application is not listed under My Company Applications, navigate to Plugins and look for the application there.

  2. Click the Installed tab on the Application Manager page to see the list of installed applications.

  3. Look for Service Graph Connector for 1E from the list, select the latest version from the dropdown menu as shown in the picture below, and click Update.

    SGC_3_0.png
  4. You now have the latest version of SGC for 1E available.

Prerequisite

The following information is required for the preparation of certificates:

  1. A .pfx certificate (containing a private key, with client authentication and a 2048-bit key)

    This .pfx certificate is provided by your internal PKI team or by a third party, or you can generate a self-signed certificate yourself.

    To create your own self-signed certificate, use the New-SelfSignedCertificate PowerShell cmdlet. This creates a certificate in the local machine personal certificate store on the device where you ran the cmdlet. You can then export this certificate as a .pfx file, which includes the private key, using the CERTLM.MSC utility.

  2. The client assertion Application ID (also known as Kid) from Microsoft Entra ID, as shown in the picture below.

    App_ID.png

You need the following tools:

  1. OpenSSL

  2. KeyTool

  3. 1E PowerShell toolkit (available on 1E Support Portal)

Configure Microsoft Entra ID and 1E
Create certificate/principal mapping in 1E
  1. Install the certificate with its private key into the local machine personal certificate store. Ensure that you have the required permissions to access the private key.

  2. Log in to your 1E instance using Set-1EServer as shown below.

    Set-_1E_Server.png
  3. Get the AppID (also called Kid) of the certificate using:

    Get-1ECertificateThumbprint -StoreName localmachine\my | fl *

    The AppID value of a certificate is a Base64 encoding of the certificate thumbprint.

    App_ID.png
  4. Now make a note of the AppID and then create a mapping using:

    Add-1EJwtPrincipalMapping -Identifier <Certificate AppID> -Principal 1EUser@domain.com

    Note that 1EUser@domain.com should be a principal with appropriate permissions in 1E.

    API_permissions.png
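
The following PowerShell is an added example, not part of the 1E documentation or the 1E PowerShell toolkit. It creates a self-signed certificate with the properties listed under Prerequisite, then checks any certificate in the local machine personal store against them and derives the Base64 form of its thumbprint for comparison with the AppID reported by the toolkit. The function names and the subject are hypothetical, and the standard Base64 alphabet is an assumption.

```powershell
# Added example; function names and subject are hypothetical, not 1E toolkit cmdlets.
# Run in an elevated session: both functions use the local machine personal store.

function New-SgcSelfSignedCertificate {
    param([string]$Subject = 'CN=sgc-1e-client-assertion')   # constructed subject
    # 2048-bit RSA, exportable private key, Client Authentication EKU only.
    New-SelfSignedCertificate -Type Custom -Subject $Subject `
        -KeyAlgorithm RSA -KeyLength 2048 -KeyExportPolicy Exportable `
        -KeyUsage DigitalSignature `
        -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2') `
        -CertStoreLocation 'Cert:\LocalMachine\My' `
        -NotAfter (Get-Date).AddYears(1)
}

function Test-SgcClientCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Accept thumbprints pasted with spaces or colons.
    $hex  = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$hex" -ErrorAction Stop

    # Public key size; $rsa is $null when the certificate is not RSA.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)

    # A certificate without an EKU extension is reported as lacking Client Authentication.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $clientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })
    $now = Get-Date

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        RsaKeyBits    = if ($rsa) { $rsa.KeySize } else { 0 }
        ClientAuthEku = $clientAuth
        InValidity    = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
        # SHA-1 thumbprint bytes, Base64-encoded (standard alphabet assumed).
        AppIdBase64   = [Convert]::ToBase64String($cert.GetCertHash())
    }
}

# Usage:
#   $c = New-SgcSelfSignedCertificate
#   Test-SgcClientCertificate -Thumbprint $c.Thumbprint | Format-List
```

If AppIdBase64 differs from the AppID printed by Get-1ECertificateThumbprint, use the toolkit's value for the mapping.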
Upload the public key PEM file in Microsoft Entra ID
  1. Export the certificate that you have imported in the above steps in .CER format.

  2. Log in with the administrator principal role.

  3. Navigate to Azure Active Directory → App Registrations → 1E Client Assertion → Certificates and upload the certificate.

    Cert_Upload.PNG
Preparing the certificates for ServiceNow

Follow these steps to prepare the certificates:

  1. The .pfx certificate has to be converted into .PEM and .JKS file types.

  2. To convert the .pfx certificate, you first need to install the OpenSSL and keytool applications on your machine.

  3. After installing the applications, copy the .pfx certificate into the same directory where these applications reside.

  4. Copy the entire content of the bin folder of OpenSSL into the bin folder of Java.

  5. Now open PowerShell/CMD in the directory where the .pfx certificate resides and run the following commands:

    • To generate the .PEM file:

      openssl pkcs12 -in <filename>.pfx -out <filename>.pem

    • To generate the .JKS file:

      openssl pkcs12 -export -in <filename>.pem -out <filename>.p12 -name MyCert

      keytool -importkeystore -srckeystore <filename>.p12 -destkeystore <filename>.jks -srcstoretype pkcs12 -deststoretype JKS

    Generate_certificates.png
  6. Make a note of the JKS keystore password for future use.

  7. Upload both PEM and JKS certificates into certificates table (sys_certificate) in ServiceNow.

ServiceNow OAuth steps

Now on your ServiceNow instance, configure the following OAuth steps:

  1. Upload PEM and JKS certificates

  2. Configure a JWT signing key

  3. Configure a JWT provider

Upload PEM and JKS certificates

To upload the certificates, navigate to System Definitions → Certificates and create a new record as shown in the picture below.

Certificates_New.png
To upload the PEM certificate in your ServiceNow instance:
PEM_Certificate.png
  1. Provide the required details and attach the PEM certificate so that the identity provider can verify communications with the service provider.

  2. Select Type as Trust Store Cert.

  3. Copy the content of the PEM file and paste it into the PEM certificate field.

  4. Now click the Submit button to save the record.

  5. Click the Validate Stores/Certificates link to validate the certificate.

  6. Make a note of the SysID of the PEM certificate for future use.

To upload the JKS certificate in your ServiceNow instance:
JKS_cert.png
  1. Provide the required details.

  2. Select Type as Java Key Store.

  3. Attach the JKS certificate generated in the above step to enable the JWT client authentication.

  4. Enter the keystore password.

  5. Now click the Submit button to save the record.

  6. Click the Validate Stores/Certificates link to validate the certificate.

You can see that the certificates are now added to the Certificates table as shown in the picture below.

Certs.png
Configure a JWT signing key

To configure a JWT signing key on your ServiceNow instance, follow these steps:

JWT_Key.png
  1. Navigate to System OAuth → JWT Keys.

  2. Create a new record for JWT Keys.

  3. Provide a descriptive Name.

  4. In the Signing Keystore field, use the lookup list to select the JKS certificate uploaded earlier.

  5. Enter the Keystore password saved earlier into the Signing Key field and click Submit to save the record.

Create a JWT provider

To configure a JWT provider on your ServiceNow instance, follow these steps:

JWT_Provider.png
  1. Navigate to System OAuth → JWT Providers.

  2. Create a new record for JWT Providers and fill in the claim values as shown in the picture above.

  3. Ensure that you have the required permissions.

  4. Provide a descriptive Name.

  5. In the Signing Configuration field, use the lookup list to select the JWT Key created earlier.

    JWTP.png
  6. Copy the SysID of the JWT Provider's record for future use. This SysID is passed to retrieve the JWT token.

    JKS_sys_Id.png
Okta IdP

For more information on how to configure, please refer to Provisioning and Upgrading Guide for 23.7.

Upgrading SGC for 1E

Before upgrading, ensure that the following tables have been backed up:

  1. Triggered Instructions

  2. Instruction definitions

Now perform the following steps to upgrade the application:

  1. In ServiceNow, navigate to My Company Applications. This opens the Application Manager page as shown in the picture below.

    Note

    If the application is not listed under My Company Applications, navigate to Plugins and look for the application there.

  2. Click the Installed tab on the Application Manager page to see the list of installed applications.

  3. Look for Service Graph Connector for 1E from the list, select the latest version from the dropdown menu as shown in the picture below, and click Update.

    SGC_3_0.png
  4. You now have the latest version of SGC for 1E available.

Prerequisite

The following information is required for the preparation of certificates:

  1. A .pfx certificate containing a private key

  2. The Client ID from Okta, as shown in the picture below.

    Okta.png

You need the following tools:

  1. OpenSSL

  2. KeyTool

  3. 1E PowerShell toolkit (available on 1E Support Portal)

Configure Okta and 1E
Create certificate/principal mapping in 1E
  1. Install the certificate with its private key into the local machine personal certificate store. Ensure that you have the required permissions to access the private key.

  2. Navigate to the 1E PowerShell toolkit and import it into the PowerShell window using:

    PS c:\Users\administrator\Downloads\1.2.3> Import-Module .\ps1etoolkit.psd1 -Force

  3. Log in to your 1E instance using Set-1EServer:

    PS C:\Users\administrator\Download\1.2.3> Set-1EServer Platformtest.appteam.cloud.1e.com

    You will be redirected to the Okta login page, where you enter your credentials.

  4. Get the AppID (also called Kid) of the certificate using:

    Get-1ECertificateThumbprint -StoreName localmachine\my | fl *

    Alternatively, you can find the AppID in the Okta portal as shown below:

    Okta.png
  5. Now make a note of the AppID and then create a mapping using:

    Add-1EJwtPrincipalMapping -Identifier <Certificate AppID> -Principal 1EUser@domain.com

    Note that 1EUser@domain.com should be a principal with appropriate permissions in 1E.

    Okta_Permissions.png
Upload the public key PEM file in Okta
  1. Export the certificate that you have imported in the above steps in .CER format.

  2. Log in with the administrator principal and upload the certificate in your Okta instance.

Preparing the certificates for ServiceNow

Follow these steps to prepare the certificates:

  1. The .pfx certificate has to be converted into .PEM and .JKS file types.

  2. To convert the .pfx certificate, you first need to install the OpenSSL and keytool applications on your machine.

  3. After installing the applications, copy the .pfx certificate into the same directory where these applications reside.

  4. Copy the entire content of the bin folder of OpenSSL into the bin folder of Java.

  5. Now open PowerShell/CMD in the directory where the .pfx certificate resides and run the following commands:

    • To generate the .PEM file:

      openssl pkcs12 -in <filename>.pfx -out <filename>.pem

    • To generate the .JKS file:

      openssl pkcs12 -export -in <filename>.pem -out <filename>.p12 -name MyCert

      keytool -importkeystore -srckeystore <filename>.p12 -destkeystore <filename>.jks -srcstoretype pkcs12 -deststoretype JKS

    Generate_certificates.png
  6. Make a note of the JKS keystore password for future use.

  7. Upload both PEM and JKS certificates into certificates table (sys_certificate) in ServiceNow.
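
Before uploading, it is worth confirming that the .PEM and .JKS files produced by the conversion commands (in both the Microsoft Entra ID and Okta procedures) carry the same certificate whose thumbprint was mapped in 1E. The PowerShell below is an added example, not part of the 1E documentation; the function names are hypothetical, and it assumes openssl and keytool are on PATH and that the JKS keystore password is in the JKS_PASS environment variable.

```powershell
# Added example; function names are hypothetical helpers, not 1E toolkit cmdlets.
# Assumes openssl and keytool are on PATH and $env:JKS_PASS holds the JKS password.

function Get-Sha1Fingerprints {
    param([string[]]$ToolOutput)
    # Matches "SHA1 Fingerprint=AA:BB:..." (openssl) and "SHA1: AA:BB:..." (keytool).
    $pattern = 'SHA1(?: Fingerprint)?\s*[:=]\s*((?:[0-9A-F]{2}:){19}[0-9A-F]{2})'
    $text = $ToolOutput -join "`n"
    [regex]::Matches($text, $pattern, 'IgnoreCase') |
        ForEach-Object { ($_.Groups[1].Value -replace ':', '').ToUpperInvariant() }
}

function Compare-SgcCertificateArtifacts {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,   # SHA-1 hex thumbprint from the store
        [Parameter(Mandatory)][string]$PemPath,
        [Parameter(Mandatory)][string]$JksPath
    )
    $expected = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # openssl x509 reads the first CERTIFICATE block only, so no passphrase is needed.
    $pemOut = & openssl x509 -in $PemPath -noout -fingerprint -sha1
    # The :env modifier makes keytool read the password from the named variable,
    # keeping it off the command line.
    $jksOut = & keytool -list -v -keystore $JksPath '-storepass:env' JKS_PASS

    $pemPrints = @(Get-Sha1Fingerprints $pemOut)
    $jksPrints = @(Get-Sha1Fingerprints $jksOut)

    [pscustomobject]@{
        ExpectedSha1     = $expected
        PemMatchesStore  = $pemPrints -contains $expected
        JksMatchesStore  = $jksPrints -contains $expected
        # "openssl pkcs12 -in x.pfx -out x.pem" writes the private key next to the
        # certificate; this flags whether the file being handled still contains it.
        PemHasPrivateKey = [bool](Select-String -Path $PemPath -Pattern 'PRIVATE KEY-----' -Quiet)
    }
}

# Usage (constructed file names):
#   Compare-SgcCertificateArtifacts -Thumbprint '<thumbprint>' -PemPath .\sgc.pem -JksPath .\sgc.jks
```

A False in PemMatchesStore can also mean the PEM file lists a CA certificate before the client certificate, since only the first certificate in the file is read.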

ServiceNow OAuth steps

Now on your ServiceNow instance, configure the following OAuth steps:

  1. Upload PEM and JKS certificates

  2. Configure a JWT signing key

  3. Configure a JWT provider

Upload PEM and JKS certificates

To upload the certificates, navigate to System Definitions → Certificates and create a new record as shown in the picture below.

Certificates_New.png
To upload the PEM certificate in your ServiceNow instance:
PEM_Certificate.png
  1. Provide the required details and attach the PEM certificate so that the identity provider can verify communications with the service provider.

  2. Select Type as Trust Store Cert.

  3. Copy the content of the PEM file and paste it into the PEM certificate field.

  4. Now click the Submit button to save the record.

  5. Click the Validate Stores/Certificates link to validate the certificate.

  6. Make a note of the SysID of the PEM certificate for future use.

To upload the JKS certificate in your ServiceNow instance:
JKS_cert.png
  1. Provide the required details.

  2. Select Type as Java Key Store.

  3. Attach the JKS certificate generated in the above step to enable the JWT client authentication.

  4. Enter the keystore password.

  5. Now click the Submit button to save the record.

  6. Click the Validate Stores/Certificates link to validate the certificate.

You can see that the certificates are now added to the Certificates table as shown in the picture below.

Certs.png
Configure a JWT signing key

To configure a JWT signing key on your ServiceNow instance, follow these steps:

JWT_Key.png
  1. Navigate to System OAuth → JWT Keys.

  2. Create a new record for JWT Keys.

  3. Provide a descriptive Name.

  4. In the Signing Keystore field, use the lookup list to select the JKS certificate uploaded earlier.

  5. Enter the Keystore password saved earlier into the Signing Key field and click Submit to save the record.

Create a JWT provider

To configure a JWT provider on your ServiceNow instance, follow these steps:

JWT_Provider.png
  1. Navigate to System OAuth → JWT Providers.

  2. Create a new record for JWT Providers and fill in the claim values as shown in the picture above.

  3. Ensure that you have the required permissions.

  4. Provide a descriptive Name.

  5. In the Signing Configuration field, use the lookup list to select the JWT Key created earlier.

    JWTP.png
  6. Copy the SysID of the JWT Provider's record for future use. This SysID is passed to retrieve the JWT token.

    JKS_sys_Id.png
Settings for Modern Authentication

A few more settings are required by the SGC for 1E application for it to work with Modern Authentication.

For Single Tenant

The following system properties have to be configured, as the SGC for 1E application works only in single tenant mode.

System property: Value

  • x_1e_cmdb_connect.pem_certificate: The SysID of the PEM Certificate record created in the sys_certificate table.

  • x_1e_cmdb_connect.jwt_provider: The SysID of the JWT Provider record created in the jwt_provider table.

  • x_1e_cmdb_connect.key_id: The key identifier (also known as App ID) that is generated by the resource server and is used to sign the JWT token as a kid claim.

  • x_1e_cmdb_connect.oauth_access_token: A two-way encrypted access token received from the IdP. This value is autopopulated.

  • x_1e_cmdb_connect.access_token_expiry_time: The minimum remaining lifetime of the access token at which it gets renewed. The default value assigned is 100 (in seconds).

To view and configure the values of the system properties, follow these steps:

  1. Log in to your ServiceNow instance.

  2. To open the System Properties table, type sys_properties.LIST in the filter navigator and press Enter.

  3. The System Properties table opens in a new page. Look for the properties listed above in the table, as shown below.

    system_Properties.png
  4. You can edit the value of each system property according to the details given in the table above.