External credential vault in RPA Hub

  • Release version: Xanadu
  • Updated August 1, 2024

With the external credential vault feature, you can retrieve robot credentials, application credentials, or a Time-based One-time Password (TOTP) seed from a vault outside the ServiceNow instance.

    External credential vault integration with RPA Hub

    The following diagram shows the integration of an external credential vault with RPA Hub.

A robot resides in the customer's environment. If the robot requires sensitive data during the automation execution, it makes a GraphQL Application Programming Interface (API) call to RPA Hub. An example of such sensitive data is the user name and password needed to log in to an SAP application.

Based on the value of the External Credential check box, either on a robot credential form, an application credential form, or a TOTP authenticator form:
    • If the value is false (the check box isn't selected), the credentials are saved on and retrieved from the instance.
    • If the value is true (the check box is selected) on a robot credential form or an application credential form, the credentials are fetched from a configured external credential vault. If the check box is selected on the TOTP authenticator form, the seed is fetched from a configured external credential vault.
    For more information about configuring these fields, see Create a robot credential in RPA Hub, Create an application credential in RPA Hub, and Create a TOTP authenticator in RPA Hub.

Examples of an external credential vault are CyberArk, Azure Key Vault, and so on.

    If the External Credential check box isn’t enabled, the API returns the data stored in the Password2 field of the ServiceNow instance and then the robot uses the sensitive data for the automation execution.

If the External Credential check box is enabled, the credentials are fetched from a configured external credential vault. In this scenario, the API internally triggers a subflow, and this subflow makes a REST API call to the external credential vault. You can route this REST API call via a MID Server, or you can establish a direct connection with the external credential vault; which option you choose depends on your organizational requirements. The MID Server resides in the customer's environment. For more information about MID Server, see MID Server.

    After the REST API call fetches the credential from the vault, the credentials are sent to the robot.

Figure 1. Integration of external credential vault with RPA Hub

    Important information

    You must configure the external credential settings appropriately, so that the data isn’t stored or logged in the ServiceNow instance.

Verify that the value of the Reporting field is set to Off for the subflow of your external credential vault, for example Demo CyberArk Subflow. This setting ensures that the sensitive data isn't captured or logged. For more information about configuring this setting, see Activate flow reporting.

    To configure the external credential vault in RPA Hub, see Steps to configure an external credential vault in RPA Hub.

Outbound request logging enables you to understand which third-party services your instance accesses and the volume of outbound requests. Additionally, logging can provide valuable information when debugging outbound integrations. For more information about system logging or outbound logging, see Configure outbound logging and Outbound web service logging properties.