ServiceNow OAuth Support
FlexDeploy now supports use of OAuth authentication for ServiceNow. You can follow the below steps for configuring OAuth for ServiceNow. This integration requires your ServiceNow instances with Rome Release or higher.
The following OAuth methods are currently supported:
Resource Owner
JWT User Assertion
Resource Owner
Application Registry
Navigate to System OAuth > Application Registry. Click New.
Select the highlighted option “Create an OAuth API endpoint for external clients”
Client ID and Client Secret will be auto generated.
The default Refresh Token Lifespan can be modified if needed. FlexDeploy will default this in the instance configuration screen.
FlexDeploy ServiceNow configuration
Lastly you need to create or update Change Management instance in FlexDeploy specifying your client application information as well as the certificate information.
ServiceNow Auth : OAuthResourceOwner
Client Id.
Client Secret
ServiceNow Refresh Token Lifespan : Default is 8640000, if you used a value as configured in the Application Registry, please use that value.
JWT User Assertion
JWT User Assertion requires an ssl certificate to be uploaded to ServiceNow and referenced in FlexDeploy. The key can be self signed or from a more trusted chain. Here is the link to the ServiceNow documentation
Generate certificate
Upload Java Key Store certificate
Upload the crt file
Configure a JWT signing key
Application Registry
Configure JWT Providers
Update FlexDeploy ServiceNow configuration
1. Generate certificate
If you already have a public/private key and their keystore location feel free to skip this step.
Refer this blog https://developer.servicenow.com/blog.do?p=/post/jwt-github/ for key generation
Below are the steps to generate the key
Creating a sample CA certificate
openssl req -new -x509 -keyout ca-key.pem -out ca-certificate.pem -days 365Create a cert
openssl req -new -key ca-key.pem -days 365 -nodes -x509 -keyout fdsnow.key -out fdsnow.crtCombine PEM file and CRT to PKCS12
openssl pkcs12 -export -in fdsnow.crt -inkey ca-key.pem -certfile fdsnow.crt -out fdsnow.p12 -name fdsnowConvert PKCS12 to JKS
keytool -importkeystore -srckeystore fdsnow.p12 -srcstoretype pkcs12 -destkeystore fdsnow.jks -deststoretype JKS
2. Upload Java Key Store certificate
Follow the Step 1 under Procedure outlined in this blog: ServiceNow
Navigate to Multi-Provider SSO > x509 Certificate.
Please fill the details, Type should be Java Key Store, enter the keystore password given while generating the file and save. Make sure to attach the .jks file generated in step 1. - Lets name this as fdsnow_jks1
3. Upload the crt file
After saving the jks file, click new to Add the crt file. Type should be Trust Store Cert, copy the crt file (generated in step#1 ) content and paste it to PEM certificate field.
4. Configure a JWT signing key
Create a JSON Web Token (JWT) signing key to assign to your Java KeyStore (JKS) certificate.
Navigate to System OAuth > JWT Keys.
In the form, Signing Keystore should be the one keystore created in step#2. Signing Key should be shared secret or password associated with the signing key.
5. Application Registry
Add a JSON Web Token (JWT) provider to your ServiceNow instance.
Navigate to System OAuth > Application Registry. Click New.
Select the highlighted option “Create an OAuth JWT API endpoint for external clients”
We will be using “User ID” for User Field. Client Id and Client Secret will be auto generated.
Save the details. Now, client New to generate JWT Verifier Maps
Enter the details, the Sys certificate should be the cer key generated in step#3. Kid is auto generated and will use it later.
6. Configure JWT Providers
Add a JSON Web Token (JWT) provider to your ServiceNow instance.
Navigate to System OAuth > JWT Provider.
Signing Configuration should be the JWT Signing key created in step #4.
In the Standard Claims, for aud, iss enter the Client Id from step #5. sub will be the user id which will be used to integrate from FlexDeploy. (Ex admin)
7. FlexDeploy ServiceNow configuration
Lastly you need to create or update Change Management instance in FlexDeploy specifying your client application information as well as the certificate information.
ServiceNow Auth : OAuthJWTAssertion
Client Id: value from step #5.
Client Secret: value from step #5.
Keystore Path : jks file path in the flexdeploy server. step #1
Keystore passphrase : secrete or password used to generate the jks file.
Certificate Alias : alias name for the certificate.
Certificate passphrase : secrete or password used to generate the crt file.
JWT Verifier Map Key ID : The value of kid from step #5.
Certificate Algorithm : default is RS256, if you used a different algorithm, please use that.
- style