Steps to configure an external credential vault in RPA Hub

  • Release version: Xanadu
  • Updated August 1, 2024
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Steps to Configure an External Credential Vault in RPA Hub

    This guide outlines the necessary steps to configure an external credential vault in RPA Hub, ensuring proper integration and functionality. Follow the steps sequentially and complete all tasks before proceeding to the next.

    Show full answer Show less

    Key Features

    • Create a Subflow: Integrate your external credential vault by creating a subflow in Workflow Studio. Ensure the input type is JSON, formatted correctly with 'appID' and 'query'.
    • Subflow Output Validation: Ensure that the output of your subflow conforms to a specified JSON schema to avoid errors in the RPA GraphQL APIs.
    • Create an External Credential Vault Record: Set up a record for the external credential vault.
    • Establish Connections: Use ServiceNow Connections and Credentials to create an active connection, adhering to your organizational security requirements.
    • Utilize the External Credential Vault: For robot, application credentials, or TOTP authenticators, select the External Credential checkbox and provide a valid JSON object for credential retrieval.

    Key Outcomes

    By following these steps, you will ensure successful integration of an external credential vault with RPA Hub, enabling secure credential management for robotic processes. Proper configuration will enhance security and streamline operations, allowing for efficient access to sensitive credentials as needed.

    Use this list of steps to guide you through all the tasks of configuring an external credential vault in RPA Hub.

    Complete all the tasks for a step before moving on to the next step.

    Do the steps in the order that they’re presented.

    Table 1. Steps to configure an external credential vault in RPA Hub
    Task Reference
    1) Create a subflow to integrate your external credential vault. For more information, see Create a subflow in Workflow Studio. For reference, see the sample Demo CyberArk Subflow in your ServiceNow instance.
    1.A) Verify that the subflow that you’re creating to integrate with the External Credential Vault, must have an input type as JSON.

    This input takes the value from the Subflow Input field of the Robot Credential, Application Credential, or Time-based One-time Password (TOTP) Authenticator.

    For example, the robot credential or application credential or TOTP authenticators that are using the Demo CyberArk external credential vault, must align with the following JSON format:

    { 
"appID" : "",
"query" : ""
}
    Populate values for appID and query.
    1.B) You can use the REST Step in the subflow to connect with the external credential vault. You can also use other integration steps such as SOAP. For more information, see Workflow Studio steps.
    1.C) Verify that the output of your subflow must be aligned with the following JSON schema.
    {
    "$schema": "http://json-schema.org/draft-07/schema#",
    "type": "object",
    "properties": {
        "result": {
            "type": "object",
            "properties": {
                "status": {
                    "type": "string",
                    "enum": ["success", "failure"]
                },
                "data": {
                    "type": "object",
                    "properties": {
                        "username": {
                            "type": "string"
                        },
                        "sensitiveValue": {
                            "type": "string"
                        },
                        "additionalData": {
                            "type": "object"
                        }
                    },
                    "required": ["sensitiveValue"]
                },
                "error": {
                    "type": "object",
                    "properties": {
                        "errorType": {
                            "type": "string"
                        },
                        "errorMessage": {
                            "type": "string"
                        },
                        "additionalErrorData": {
                            "type": "object"
                        }
                    },
                    "required": ["errorMessage"]
                }
            },
            "required": ["status"]
        }
    },
    "required": ["result"]
};
    		 This schema is used by the Robotic Process Automation (RPA) GraphQL APIs to validate the subflow output. If the output isn’t aligned with this schema, an error is encountered.

    Error Message: The JSON received from the subflow deviates from the expected JSON schema. Rectify the JSON structure by aligning it with the specified schema in the documentation.
    1.D) You can align with the expected JSON schema (mentioned in 1C) by defining a JSON output with the name 'result' for the Subflow. For success status, this result output must be assigned with a JSON object of the following structure. Populate values for the keys defined in the JSON. The status and sensitiveValue keys are required.
    {
  "status": "success", //Mandatory
  "data": {
    "username": "",
    "sensitiveValue": "" //Mandatory
    "additionalData": {}
  }
}

    For failure status, this result output must be assigned with a JSON object of the following structure. Populate values for the keys defined in the JSON. The status and errorMessage keys are required.

    {
  "status": "failure", //Mandatory
  "error": {
    "errorType": "",
    "errorMessage": "", //Mandatory
     "additionalErrorData": {}
  }
}
    2) Create an external credential vault record. For more information, see Create an external credential vault record in RPA Hub. For reference, see the sample Demo CyberArk external credential vault in your ServiceNow instance.
    3) Establish a connection with an external credential vault by using the ServiceNow Connections and Credentials. For more information about creating an active connection, see Create an HTTP(s) connection.

    While configuring the connection record, verify to align with your organizational security requirements.

    		 For reference, see the sample Demo CyberArk Subflow that uses RPA CyberArk connection and credential alias.

    Create a connection record under this connection and credential alias to establish connection with your CyberArk external vault.
    4) To use the external credential vault record, that you created in step 2, navigate to either robot credential, application credential, or TOTP authenticator and select the External Credential check box.

    Also, select a record in the External Credential Vault field and populate the Subflow Input field with a valid JSON object. The JSON must contain the necessary information for retrieving credentials from the external credential vault.

    		 For more information about configuring these fields, see Create a robot credential in RPA Hub, Create an application credential in RPA Hub, and Create a TOTP authenticator in RPA Hub.