Configure ServiceNow for Integration with BeyondTrust PRA

 

You must purchase this integration separately from both your BeyondTrust Privileged Remote Access and Privileged Identity solutions. For more information, contact BeyondTrust sales.

Unless otherwise noted, all of the steps in this section take place in the ServiceNow interface. The development and/or test instances of ServiceNow should be used initially so that the integration can be thoroughly tested before installation in the production instance.

Install BeyondTrust Integration

Customers have two options for installing the BeyondTrust ServiceNow Integration. The first option involves importing the BeyondTrust ServiceNow Integration Update Set. The second option involves requesting the BeyondTrust ServiceNow Integration from the ServiceNow Store.

Install Using Update Set

Update Set Retrieved

  1. Log into ServiceNow with an administrative user account and select System Update Sets > Retrieved Update Sets.
  2. Click Import Update Set from XML at the bottom of the page. In some instances, it may be necessary to right-click the header column of the update sets table and select Import Update Set from XML from the resulting menu.
  3. Click Browse, locate the update set XML file, and click Upload. BeyondTrust Technical Support normally sends the necessary update set XML file via email after the ServiceNow integration has been purchased through BeyondTrust's Sales team. If you have not yet received a copy, please contact BeyondTrust Technical Support.
  4. Find the update set you just imported in the list of retrieved update sets and click it. The name should be similar to BeyondTrust PRA Integration 1.0.11 Full, and its Loaded date should be the most recent in the list.
  5. Click Preview Update Set to check for errors. Look through each update set.
  6. If the preview is satisfactory, return to the main page of the update set and click Commit Update Set.

Due to some limitations in the ServiceNow platform, you might get some errors while previewing the Update Set. Please ignore all errors that have the description "Could not find a record in sys_rest_message_fn for column rest_message_function referenced in this update".

Install via App Store

ServiceNow Certified Apps - BeyondTrust PRA Integration

Please see ServiceNow's FAQ regarding app installation via the ServiceNow App Store.

 

Create Local Update Set

Local Update Set

Local update sets are used in ServiceNow to capture configuration changes. They can be used to quickly transfer these configuration changes to other environments.

  1. Select System Update Sets > Local Update Sets, and click the New button above the list of update sets to create a new local update set.
  2. In the Name field, enter BeyondTrust - ServiceNow Integration Configuration (or an equivalent).
  3. Click Submit and Make Current. This update set will capture any changes you make during the configuration process. Just make sure that the BeyondTrust - ServiceNow Integration Configuration update set is selected in ServiceNow's update set dropdown for the following steps.
  4. Make sure the Application is set to BeyondTrust PRA Integration. If it is not, use the settings cog in the upper right of the screen to switch to the aforementioned scope.
  5. After configuration is complete and tested, the local update set can be imported or promoted to new instances of ServiceNow (e.g., the production instance) to quickly replicate the integration. This must be done after transferring the BeyondTrust - ServiceNow retrieved update set.

For more information on transferring update sets, please see Transfer the BeyondTrust PRA-ServiceNow Integration Update Sets.

Update BeyondTrust PRA Session Event Types

Event Types are used to control which BeyondTrust events are processed with a BeyondTrust Session import. This step updates the database with all the available event types.

Update Event Types

  1. Select BeyondTrust PRA > Update Event Types.
  2. This loads all the available BeyondTrust Session Event Types into the database, so that unwanted events can be filtered out in a subsequent step when setting up your appliance(s).

Set Up BeyondTrust OAuth Application Registry

ServiceNow System OAuth

BeyondTrust OAuth is used for communication between the ServiceNow instance and the Secure Remote Access Appliance.

  1. Select System OAuth and click Application Registry.
  2. In the list of registered applications, click BeyondTrust API OAuth and enter the following values:
    1. Client ID: The OAuth client ID obtained from the API account created in BeyondTrust in Configure BeyondTrust PRA for the ServiceNow Integration.
    2. Client Secret: The OAuth client secret obtained from the API account created in BeyondTrust in Configure BeyondTrust PRA for the ServiceNow Integration.
    3. Token URL: The URL used to obtain a token from the Secure Remote Access Appliance, for example: https://support.example.com/oauth2/token.
    4. Default Grant type: Authorization Code
    5. Redirect URL: Set this value to empty. You should have to do this only during the initial setup.
  3. Click the Update button.

Set Up BeyondTrust Secure Remote Access Appliance

Secure Remote Access Appliances are set up in ServiceNow to connect ServiceNow with a Secure Remote Access Appliance.

Appliance Setup

  1. Select BeyondTrust PRA > Appliances.
  2. Click New to add a new Secure Remote Access Appliance and enter the following values:
    1. Name: Must be Default.
    2. Hostname: Hostname of the Secure Remote Access Appliance.
    3. OAuth Client: The name of the OAuth client that should be used to authenticate to the Secure Remote Access Appliance. For the Default appliance, this value is always BeyondTrust API OAuth.
    4. Outbound Event Token: The token that is used as an added security measure to confirm outbound events are coming from the appliance that is sending the same token. If left blank, this outbound event token process is ignored. However, if a value is provided, the same value must be sent from all outbound events coming from BeyondTrust as a parameter named outbound_event_token.
    5. Integration Enabled: Turns the integration on and off.
    6. Import External Sessions: If checked, session reports for sessions that are started external to ServiceNow are imported into ServiceNow.
    7. Accepted IP Addresses: A comma-separated list of IP addresses from which this integration accepts outbound events.
    8. Auto Associate With User: If checked, when the session report is imported, the integration attempts to associate a ServiceNow User with the session. The lookup is based on the session's primary user's username.
    9. Auto Associate With Config Item: If checked, when the session report is imported, the integration attempts to associate a ServiceNow Config Item with the session.
    10. Events to Import: A list of BeyondTrust session events to process when importing a BeyondTrust session.

You will not be able to configure this setting until after the appliance has been saved.

Configure Events to Import

Event Types are used to control which BeyondTrust events are processed with a BeyondTrust session import. This step defines which events are processed for each BeyondTrust session import.

Event Type Setup

  1. Select BeyondTrust PRA > Appliances.
  2. Click the name of your appliance.
  3. Click the Edit Events to Import button (the lock icon).
  4. Click the Add/Remove multiple button (the group of people icon) located on the right side of the field.
  5. Select the events you want from the Collection field on the left and use the arrows to move the events to the List field on the right.

You can use CTRL+A to select all events.

  6. Click the Save button when you are finished.

 

Configure BeyondTrust Session Related Lists

Task Related List

Related lists are used to provide a list of BeyondTrust Sessions that are associated with a Task (incident, change request, or service catalog request), Call Record, or Configuration Item.

Task Configuration

  1. Select Incident.
  2. Click Open to see a list of open incidents.
  3. Select an incident by clicking the Incident Number.
  4. Right-click the Incident title bar and select Configure > Related Lists.
  5. Ensure that Access Session > Task has been moved to the Selected column.
  6. Click the Save button.
  7. The BeyondTrust Sessions list should appear towards the bottom of the incident form once these steps are complete.

CMDB Configuration

  1. Select Configuration > Servers.
  2. Click All to see a list of servers.
  3. Select a server by clicking the Name of a server.
  4. Right-click the Incident title bar and select Configure > Related Lists.
  5. Ensure that Access Session > Configuration Item has been moved to the Selected column.
  6. Click the Save button.
  7. The BeyondTrust Sessions list should appear towards the bottom of the configuration item form once these steps are complete.

Configure Incident CMDB Jump Macros

BeyondTrust Jump technology can be used for unattended access to devices through the Secure Remote Access Appliance.

Configure CMDB Dictionary

  1. Select Incident.
  2. Click Open to see a list of open incidents.
  3. Select an incident by clicking the Incident Number.
  4. Populate the Configuration Item field by clicking the magnifying glass icon, then selecting an item in the list.
  5. Once the Configuration Item is populated, click the Update button on the Incident title bar. This takes you back to the Incident list.
  6. Click the name of the incident you just updated.
  7. Right-click the Configuration Item Label and then click Configure Dictionary.
  8. Locate the Attributes field and take note of the part of the value that reads ref_contributions=task_show_ci_map;show_related_records.
  9. Add the Jump To value of x_bmgr_bomgar_pam_bomgar_pam_jump_to or x_bmgr_bomgar_pam_bomgar_pam_jump_to_web as a semicolon-separated item in ref_contributions (e.g., ref_contributions=x_bmgr_bomgar_pam_bomgar_pam_jump_to;task_show_ci;show_related_records).
  10. Click the Update button to save your changes.

Configure BeyondTrust Username and Authentication

Configure User Form

  1. Log into your BeyondTrust /login interface with the same credentials as a ServiceNow user who is expected to be using BeyondTrust.
  2. Download and install a BeyondTrust access console from the /login > My Account tab.
  • Make sure that BeyondTrust and ServiceNow are checking credentials against the same LDAP server(s), if appropriate. Check the LDAP server in the BeyondTrust interface under /login > Users & Security > Security Providers.

To check the LDAP server for ServiceNow, please see the LDAP Integration Setup article at docs.servicenow.com/bundle/jakarta-platform-administration/page/integrate/ldap/concept/c_LDAPIntegrationSetup.html.

  • If LDAP authentication is not being used, log into ServiceNow. Select User Administration > Users, and then select the user to be used for testing, and focus on the BeyondTrust Username field.
  • If this field does not exist while viewing a user, hover over the icon next to User on the title bar, and then select Configure > Form Layout, and move the BeyondTrust Username field from the Available list to the Selected list. Once done, enter the name of a known-working BeyondTrust user account in this field and save.

Assign Users Appropriate Roles

ITIL users who provide technical support using this integration should be given the x_bmgr_bomgar_pam.user role.

You must elevate the admin's role in order to make the following change.

Elevate Roles

  1. Select User Administration > Users.
  2. Select a user.
  3. Find the Roles tab and click the Edit button.
  4. Add the x_bmgr_bomgar_pam.user role from the Collection list to the Roles list.
  5. Click Save.

 

ServiceNow MID Server Option

MID Server

It is possible to avoid direct connection between ServiceNow and BeyondTrust by using a MID server for internal BeyondTrust deployments.

For more information on MID servers, please see docs.servicenow.com/bundle/jakarta-servicenow-platform/page/product/mid-server/concept/c_MIDServerConfiguration.html.

 

Set Up Change Management Workflow

BeyondTrust Endpoint Approval

The BeyondTrust change management workflow works out of the box with a default ServiceNow configuration. It can be customized if necessary.

The Default Approval Processing list includes the checks that are made when a ticket approval request is processed in ServiceNow.

  1. Find the Ticket (aka Task): Searches for the task based on task number. If not found by number, searches by task sys_id. If the task is not found, a failure response is sent back to BeyondTrust.
  2. Match the Rep: Checks to make sure the rep username matches the task assigned_to field user's user_name (User Id) or BeyondTrust PRA username field. If the reps do not match, a failure response is sent back to BeyondTrust.
  3. Match the Computer Name: Ensures the task's cmdb_ci name matches the computer name being Jumped to in BeyondTrust. If the computer names do not match, a failure response is sent back to BeyondTrust.
  4. Ensure Task Approval: Ensures the task's approval field is approved. If the task is not approved, a failure response is sent back to BeyondTrust.
  5. Ensure Field State: Ensures the task's state field is not closed, cancelled, or resolved (value is less than 3). If the state is not less than 3, a failure response is sent back to BeyondTrust.
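
The five checks above, written out in order as an added example that is not the integration's own code. Tasks are modelled as plain objects rather than ServiceNow records; the request property names (ticketId, repUsername, computerName), the pra_username property and the exact, case-sensitive comparisons are assumptions.

```javascript
// Added example, not the integration's code. Constructed sample task using the
// fields the list names: number, sys_id, assigned_to, cmdb_ci, approval, state.
const SAMPLE_TASKS = [{
  number: 'CHG0000001',
  sys_id: 'constructed-sys-id-1',
  assigned_to: { user_name: 'jdoe', pra_username: 'jdoe.pra' }, // pra_username: hypothetical name
  cmdb_ci: { name: 'SRV-APP-01' },
  approval: 'approved',
  state: 2,
}];

// Check 1: look the task up by number first, then fall back to sys_id.
function findTask(tasks, ticketId) {
  return tasks.find(t => t.number === ticketId) ||
         tasks.find(t => t.sys_id === ticketId) || null;
}

// Runs the checks in the documented order and stops at the first failure,
// returning the reason that would go back in the failure response.
function evaluateEndpointApproval(tasks, request) {
  const fail = reason => ({ approved: false, reason });

  const task = findTask(tasks, request.ticketId);
  if (!task) return fail('task not found');

  // Check 2: rep must match the assignee's user_name or PRA username.
  const assignee = task.assigned_to || {};
  if (request.repUsername !== assignee.user_name &&
      request.repUsername !== assignee.pra_username) {
    return fail('rep does not match assigned_to');
  }

  // Check 3: the Jump target must be the task's configuration item.
  if (!task.cmdb_ci || task.cmdb_ci.name !== request.computerName) {
    return fail('computer name does not match cmdb_ci');
  }

  // Check 4: the task must be approved.
  if (task.approval !== 'approved') return fail('task not approved');

  // Check 5: state must be less than 3; a missing state also fails.
  if (!(Number(task.state) < 3)) return fail('task state is not less than 3');

  return { approved: true, reason: 'all checks passed' };
}
```

A missing assignee, configuration item or state value fails its check rather than being skipped, so an incomplete task is never approved by omission.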

A developer can provide Customized Approval Processing by taking the following steps:

  1. Select System UI > UI Pages.
  2. Open the page named bomgar_endpoint_approval that lives in the BeyondTrust PRA Integration application.
  3. Locate the section of code that pertains to custom endpoint approval and comment out the standard call: (new x_bmgr_bomgar_pam.BomgarPAM()).handleEndpointApproval(endpointApproval);
  4. Uncomment the custom call: (new x_bmgr_bomgar_pam.BomgarEndpontApproval()).handleEndpointApproval(endpointApproval);
  5. Select System UI > Script Includes.
  6. Open the script include named BeyondTrustEndpointApproval that lives in the BeyondTrust PRA Integration application.
  7. Put your custom approval code in the designated area in the handleEndpointApproval function.