Configure BeyondTrust PRA for the ServiceNow Integration

 

You must purchase this integration separately from your BeyondTrust Privileged Remote Access solution. For more information, contact BeyondTrust sales.

All of the steps in this section take place in the BeyondTrust /login administrative interface. Access your BeyondTrust interface by going to the hostname of your B Series Appliance followed by /login, for example: https://access.example.com/login.

Verify the API is Enabled

The BeyondTrust Integration requires the BeyondTrust XML API to be enabled. This feature is used from within the integrating software to communicate with the BeyondTrust APIs.

In /login, navigate to Management > API Configuration and verify that Enable XML API is checked.

Create an OAuth API Account

The ServiceNow API account is used from within ServiceNow to make Privileged Remote Access Command API calls to Privileged Remote Access.

  1. In /login, navigate to Management > API Configuration.
  2. Click Add.

 

  3. Check Enabled.
  4. Enter a name for the account.
  5. The OAuth Client ID and OAuth Client Secret are used during the OAuth configuration step in ServiceNow.
  6. Under Permissions, check Allow Access for the Endpoint Credential Manager API.
  7. If ECM groups are enabled on the site, select which ECM group to use. ECMs that are not associated with a group come under Default.
     This feature is only present if enabled when your site is built. If it is not present, please contact your site administrator.
  8. Click Save at the top of the page to create the account.

 

Add Outbound Events

Outbound events are used to notify ServiceNow that a BeyondTrust Session has finished and is ready to be imported into ServiceNow.

  1. In /login, navigate to Management > Outbound Events.
  2. Click Add.

Outbound Events - Add HTTP Recipient for ServiceNow Integration

  3. Provide a name of ServiceNow Integration or something similar, depending on your ServiceNow instance.
  4. Set the URL to https://support.example.com/x_bmgr_bomgar_pam_bomgar_post.do, where support.example.com is the ServiceNow instance name.
  5. If using an outbound event token for added security, append ?outbound_event_token=YOUR-TOKEN to the end of the URL, so that the entire URL resembles https://support.example.com/x_bmgr_bomgar_pam_bomgar_post.do?outbound_event_token=YOUR-TOKEN. You must also store this token with the B Series Appliance record in ServiceNow.
  6. For Events to Send, check Access Session End.
  7. Click Save.
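
A pre-save check for the recipient URL configured in this section, as an added example that is not part of the BeyondTrust documentation or product: it compares scheme, host, path and token against the values used above and masks the token before the URL is logged. The function names, the 20-character minimum and the sample token are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qs

EXPECTED_PATH = "/x_bmgr_bomgar_pam_bomgar_post.do"  # path from the step above
TOKEN_PARAM = "outbound_event_token"
PLACEHOLDER = "YOUR-TOKEN"
MIN_TOKEN_LEN = 20  # assumption: local policy, not a BeyondTrust requirement


def audit_outbound_url(url, servicenow_host):
    """Return a list of findings for an outbound event recipient URL."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("scheme is not https, so the token is sent unencrypted")
    if (parts.hostname or "") != servicenow_host.lower():
        findings.append(f"host {parts.hostname!r} is not the ServiceNow instance")
    if parts.path != EXPECTED_PATH:
        findings.append(f"unexpected path {parts.path!r}")
    tokens = parse_qs(parts.query).get(TOKEN_PARAM, [])
    if not tokens:
        findings.append("no outbound_event_token in the URL")
    elif len(tokens) > 1:
        findings.append("outbound_event_token appears more than once")
    elif tokens[0] == PLACEHOLDER:
        findings.append("token is still the documentation placeholder")
    elif len(tokens[0]) < MIN_TOKEN_LEN:
        findings.append(f"token is shorter than {MIN_TOKEN_LEN} characters")
    return findings


def redact_token(url):
    """Mask the token value so the URL can be written to logs or tickets."""
    parts = urlsplit(url)
    query = re.sub(rf"((?:^|&){TOKEN_PARAM}=)[^&]*", r"\1REDACTED", parts.query)
    return urlunsplit(parts._replace(query=query))


# Constructed sample URLs built from the page's example hostnames.
GOOD = ("https://support.example.com/x_bmgr_bomgar_pam_bomgar_post.do"
        "?outbound_event_token=3f9c1e7a5b2d4c6e8f0a1b2c3d4e5f60")
WRONG = "https://access.example.com/x_bmgr_bomgar_pa_bomgar_post.do"

if __name__ == "__main__":
    for sample in (GOOD, WRONG):
        print(redact_token(sample), audit_outbound_url(sample, "support.example.com"))
```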

Create Custom Fields

BeyondTrust custom fields are used to map ServiceNow Tasks (incidents, change requests, problem records, and service catalog requests) and Configuration Items to BeyondTrust access sessions.

Configuration > Custom Fields > Add

  1. In /login, navigate to Configuration > Custom Fields.
  2. Click Add.

 

  3. Enter the following values:
    • Display Name: ServiceNow Task ID
    • Code Name: snow_task_id
  4. Check the Show in Access Console option.
  5. Click Save to save the new field.
  6. Repeat the steps above for the following custom field values:
    • Display Name: ServiceNow Configuration Item ID
    • Code Name: snow_cmdb_ci_id
    • Show in Access Console: checked

Set Up the Custom Link

BeyondTrust custom links can be configured to allow users to quickly access the ServiceNow Incident that is associated with the session.

  1. In /login, navigate to Access Console > Custom Links.
  2. Click Add.

Add a Custom Link

  3. Enter a name for the link, and then set the URL to https://access.example.com/nav_to.do?uri=task.do?sys_id=%SESSION.CUSTOM.SNOW_TASK_ID%, where access.example.com is the ServiceNow instance name. If needed, you can use any of the available macros to customize the link according to your specifications.
  4. Click Save to save the new link.

Set Up Change Management Workflow

BeyondTrust change management workflow can be configured to require approval through an ITSM system before allowing access to BeyondTrust Jump Clients.

  1. In /login, navigate to Jump > Jump Policies.

  2. Under Ticket System, enter an appropriate Ticket System URL similar to https://example.service-now.com/x_bmgr_bomgar_pam_bomgar_endpoint_approval.do.
  3. Upload the CA certificate from the ServiceNow instance.
  4. Enter the desired User Prompt.
  5. Click Save.

 

Jump Policies

  6. Next, under the Jump Policies section, click Add, or click Edit next to an existing Jump Policy.

 

  7. Under Ticket System, check Require a ticket ID before a session starts.