Integrate with enterprise ticketing system

This topic describes how to integrate with the enterprise ticketing system and the possible validations you can configure when applying this method.

The enterprise ticketing system module

The enterprise ticketing system module enables communication between the Privilege Cloud Portal and the enterprise ticketing system.

Out of the box, the Privilege Cloud Portal supports the following ticketing systems:

  • ServiceNow Ticketing System

  • BMC Remedy Ticketing System

Overview

Integrating with a ticketing system adds a layer of control to privileged access: when a Privilege Cloud user attempts to connect to a target machine, they are prompted to provide a valid enterprise ticket ID.

Privilege Cloud validates the ticket ID with the enterprise ticketing system before the connection is allowed.

Integration modes

You can integrate an enterprise ticketing system in one of the following ways:

  • Privilege Cloud Portal

  • Both the Privilege Cloud Portal and PSM for SSH.

This topic provides separate procedures for each of these modes.

 

Ticket validation is supported only when connecting through the Privilege Cloud portal or through PSM for SSH. It is not supported when connecting using RDP, as described in Connect using RDP.

Before you begin

PSM for SSH requires network access to the Privilege Cloud Portal over HTTPS.

Collect the following information:

Connection details (mandatory)

Parameter: SystemURL

Description: Specify the URL of the ticketing system's web services.

If your organization uses a non-default port, append it to the URL. For example: https://<ticketing system REST API address>:8443

Validation methods (optional)

Apply advanced validations to the ticket. Each entry below gives the parameter, its description, and the ticket types it applies to.

Validate ticket format

  Description: Provide a regular expression that the ticketing system module uses to validate the ticket format.

  Ticket type: Incident Management and Change Management

Validate ticket by state

  Description: Provide the valid ticket states.

  Possible values: New, Assigned, In Progress, Pending, Resolved, Closed, and Cancelled.

  Ticket type: Incident Management and Change Management

Validate approval status

  Description: Provide the valid approval statuses.

  Possible values: Approved, Not Yet Requested, Requested, and Rejected.

  Ticket type: Change Management

Validate ticket by operation time

  Description: Specify whether to validate that the connection is made within the operation time defined in the ticket.

  Possible values: Yes/No.

  Ticket type: Change Management

Validate requesting user name

  Description: Specify whether to validate that the requesting user in the ticket is the same as the Privilege Cloud user.

  Possible values: Yes/No.

  Ticket type: Incident Management and Change Management

Failsafe bypass (optional)

Add a list of codes that can be used to bypass the ticket ID requirement when necessary. Users who know one of these codes can enter it instead of a ticket ID when they are prompted for one. Treat the codes as shared secrets: anyone holding one can bypass ticket validation entirely, so distribute them narrowly, rotate them, and review their use.

Parameter: FailsafeBypassCode

Description: A list of codes.
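The five validation methods and the failsafe bypass code above combine into a single allow/deny decision per connection attempt. The following added example (not CyberArk's ticketing-system module, and not code from this page) models that decision in Python: the Ticket record, the policy field names, the ticket numbers, the user names and the bypass code are all constructed for the example, and the INC/CHG regex is only an assumed ticket-number format. It shows the order in which a request fails, that approval status and operation time apply to Change Management tickets only, and that a bypass code short-circuits every other check.

```python
"""Added example: the ticket checks described above, modelled in plain Python.
This is not CyberArk's ticketing-system module; the Ticket record, the policy
field names and all ticket data are constructed for the example."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple


@dataclass
class Ticket:
    """Constructed stand-in for a ticket fetched from the ticketing system's REST API."""
    number: str
    ticket_type: str              # "Incident Management" or "Change Management"
    state: str                    # New, Assigned, In Progress, Pending, Resolved, Closed, Cancelled
    approval: Optional[str]       # Approved, Not Yet Requested, Requested, Rejected (changes only)
    start: Optional[datetime]     # planned operation window (changes only)
    end: Optional[datetime]
    requester: str                # user who raised the ticket


@dataclass
class ValidationPolicy:
    """Mirrors the optional validation parameters; field names are this example's."""
    ticket_format: Optional[str] = None             # 'Validate ticket format' (regex)
    valid_states: Tuple[str, ...] = ()              # 'Validate ticket by state'
    valid_approvals: Tuple[str, ...] = ()           # 'Validate approval status'
    check_operation_time: bool = False              # 'Validate ticket by operation time'
    check_requester: bool = False                   # 'Validate requesting user name'
    failsafe_bypass_codes: frozenset = frozenset()  # 'FailsafeBypassCode'


def validate_ticket(entered: str, ticket: Optional[Ticket], policy: ValidationPolicy,
                    user: str, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Checks run in the order a user would hit them."""
    # A failsafe code is accepted instead of a ticket ID; its use should always be audited.
    if entered in policy.failsafe_bypass_codes:
        return True, "failsafe bypass code used"
    # The format regex is applied before anything is sent to the ticketing system.
    if policy.ticket_format and not re.fullmatch(policy.ticket_format, entered):
        return False, "ticket ID does not match the required format"
    if ticket is None or ticket.number != entered:
        return False, "ticket not found in the ticketing system"
    if policy.valid_states and ticket.state not in policy.valid_states:
        return False, f"ticket state {ticket.state!r} is not an allowed state"
    # Approval status and operation time only exist on Change Management tickets.
    if ticket.ticket_type == "Change Management":
        if policy.valid_approvals and ticket.approval not in policy.valid_approvals:
            return False, f"approval status {ticket.approval!r} is not an allowed status"
        if policy.check_operation_time:
            in_window = (ticket.start is not None and ticket.end is not None
                         and ticket.start <= now <= ticket.end)
            if not in_window:
                return False, "current time is outside the ticket's operation window"
    # Assumption: user names compare case-insensitively; adjust to your directory's rules.
    if policy.check_requester and ticket.requester.lower() != user.lower():
        return False, f"ticket requester {ticket.requester!r} is not the connecting user"
    return True, "ticket validated"


# Constructed sample data (ticket numbers, users and times are invented).
UTC = timezone.utc
NOW = datetime(2024, 5, 10, 12, 0, tzinfo=UTC)
WINDOW = (datetime(2024, 5, 10, 9, 0, tzinfo=UTC), datetime(2024, 5, 10, 17, 0, tzinfo=UTC))
TICKETS = {
    "CHG0030012": Ticket("CHG0030012", "Change Management", "In Progress", "Approved",
                         WINDOW[0], WINDOW[1], "jsmith"),
    "CHG0030013": Ticket("CHG0030013", "Change Management", "In Progress", "Requested",
                         WINDOW[0], WINDOW[1], "jsmith"),
    "INC0010023": Ticket("INC0010023", "Incident Management", "Closed", None, None, None, "jsmith"),
}
POLICY = ValidationPolicy(
    ticket_format=r"^(INC|CHG)\d{7}$",        # assumed ticket-number format
    valid_states=("Assigned", "In Progress"),
    valid_approvals=("Approved",),
    check_operation_time=True,
    check_requester=True,
    failsafe_bypass_codes=frozenset({"BREAKGLASS-7731"}),   # invented code
)


def run_examples() -> dict:
    """Evaluate each scenario against POLICY; returns {name: (allowed, reason)}."""
    cases = {
        "approved_change_in_window": ("CHG0030012", "jsmith", NOW),
        "approval_not_granted":      ("CHG0030013", "jsmith", NOW),
        "outside_window":            ("CHG0030012", "jsmith", NOW.replace(hour=20)),
        "closed_incident":           ("INC0010023", "jsmith", NOW),
        "wrong_requester":           ("CHG0030012", "mallory", NOW),
        "bad_format":                ("CHG-12", "jsmith", NOW),
        "unknown_ticket":            ("CHG0099999", "jsmith", NOW),
        "bypass_code":               ("BREAKGLASS-7731", "jsmith", NOW),
    }
    return {name: validate_ticket(tid, TICKETS.get(tid), POLICY, user, when)
            for name, (tid, user, when) in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in run_examples().items():
        print(f"{name:28s} {'ALLOW' if ok else 'DENY':5s} {why}")
```

Run it to see each scenario's verdict. The ordering is deliberate: the format regex rejects malformed input before any request reaches the ticketing system, and the bypass code is evaluated first because the product accepts it in place of a ticket ID, which is exactly why use of such codes needs to be logged and reviewed.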

Integrate enterprise tickets systems with the Privilege Cloud Portal

The minimum requirement for the integration to work is that the user account Privilege Cloud uses to connect to the ticketing system has at least the "itil" role.

Perform the following steps:

Step 1: Create an account for connecting to an enterprise ticketing system

To enable Privilege Cloud to connect to an enterprise ticketing system, create a logon account for a dedicated user that can log on to an enterprise ticketing system. For details, see Add individual accounts manually.

Store the account in a new or existing safe, and add the PVWAAppUsers group (one of the default Privilege Cloud groups that come out of the box) as an owner of this safe. For details, see Add Safe members.

Step 2: Enable and configure enterprise ticketing system in the Privilege Cloud Portal

  1. Sign in to the Privilege Cloud Portal with an admin account.

  2. Go to Administration > Configuration Options.

  3. In the Options pane, expand Configurations > Ticketing Systems > [ticket system name] > Ticketing Parameters > System Configuration, and click SystemURL.

    Where [ticket system name] is either ServiceNow or BMC Remedy

  4. In the Properties pane, enter the enterprise ticketing system's URL that you prepared in advance.

  5. In the Options pane, click Connection Details, and then enter the following information:

    Safe: The Safe where the account used to connect to the ticketing system is stored.

    Folder: The folder where the account used to connect to the ticketing system is stored.

    File: The name of the account used to connect to the ticketing system. This is found under Account name in the details tab of the onboarded ticketing system account, for example ServiceNow.

  6. Click OK.

Step 3: Set validation methods (optional)

Under the same Configurations > Ticketing Systems > [ticket system name] node, configure any of the validation methods listed in Validation methods (optional) and, if required, the codes listed in Failsafe bypass (optional) under Before you begin. Each validation can be enabled independently of the others.

Step 4: Enable ticket validation on a platform

Identify and configure the platform for which you want to apply ticket validation. All accounts associated with this platform will include ticket validation when a user tries to access their credentials.

  1. In the Privilege Cloud Portal, click the Administration button, and then click Platform Management.
  2. On the Platform Management page, select the relevant platform, and then click Edit.

  3. In the left pane, expand UI & Workflows, and then click Ticketing System.

    If the platform does not have a Ticketing System section, right-click UI & Workflows, and then click Add Ticketing System.

  4. Set the following properties, and then click Apply:

    • EnterTicketingInfo. Set this to Yes to prompt users for ticketing information.
    • ValidateTicketNumber. Set this to Yes to validate the ticket number against the configured ticketing system (ServiceNow or BMC Remedy). With EnterTicketingInfo set to Yes and ValidateTicketNumber set to No, users are prompted for a ticket ID but it is only recorded, not checked.

Configure communication between PSM for SSH and the Privilege Cloud Portal

Perform the following steps to configure ticketing support for PSM for SSH connections.

Step 1:  Configure the Privilege Cloud Portal gateway user

You need the assistance of CyberArk support to perform this task.

Step 2: Edit the PSM for SSH configuration file

Edit the basic_psmpserver.conf file and add the following parameter, which establishes the connection between PSM for SSH and the Privilege Cloud Portal.

Key: FetchCredentialsThroughPVWA

Value: Add this parameter to basic_psmpserver.conf and set it to Yes. For example:

    FetchCredentialsThroughPVWA="Yes"

Step 3: Install a Privilege Cloud Portal certificate authority on PSM for SSH

Configure secure HTTPS communication between PSM for SSH and the Privilege Cloud Portal server.

The PSM for SSH server must trust the Certificate Authority that issued the SSL certificate used by Privilege Cloud Portal.

 

All certificate authorities in the chain should be trusted by PSM for SSH. If the certificate authority that issued the certificate for Privilege Cloud Portal is not a root CA, complete the following procedure for all intermediate certificates in the chain.

To add a Certificate Authority to the trusted certificate authorities list on PSM for SSH

  1. Export the CA's certificate to a *.cer file as DER-encoded binary X.509.

    Do not export the private key if the export wizard offers that option.

  2. On the PSM for SSH machine, make a backup copy of the /etc/pki/tls/certs/ca-bundle.crt file (create the backup directory first if it does not exist). For example:

    cp /etc/pki/tls/certs/ca-bundle.crt /etc/tlsbackup/ca-bundle.crt.backup

    You can restore the backup at any time with the following command:

    cat "backup file path" > /etc/pki/tls/certs/ca-bundle.crt

    For example:

    cat /etc/tlsbackup/ca-bundle.crt.backup > /etc/pki/tls/certs/ca-bundle.crt

    Be aware that restoring the backup undoes all changes made to the trusted certificate authorities list since the backup was taken.

  3. If the PSM for SSH machine's OS is RHEL 7.x or 8.x:

    1. Verify that the update-ca-trust utility, included in the ca-certificates package, is installed on the PSM for SSH machine. You can install it by running yum install ca-certificates.

      Installing the ca-certificates package resets the trusted CA certificate bundle currently configured on the PSM for SSH machine, undoing any custom changes.

      If you do not want to install the update-ca-trust utility included in the ca-certificates package, skip to step 4.

    2. Copy the exported certificate *.cer file to the /etc/pki/ca-trust/source/anchors directory on the PSM for SSH machine.

    3. Run the following commands:

      update-ca-trust enable
      update-ca-trust extract
  4. If you do not want to install or use the update-ca-trust utility:

    1. Copy the exported certificate *.cer file to a directory on the PSM for SSH machine, for example /var/tmp.

    2. Navigate to that directory on the PSM for SSH server, for example: cd /var/tmp

    3. Convert the certificate from DER to PEM:

      openssl x509 -inform DER -outform PEM -in <exported-certificate-filename>.cer -out <exported-certificate-filename>.pem

      For example, if the exported certificate file was called cert_ca.cer:

      openssl x509 -inform DER -outform PEM -in cert_ca.cer -out cert_ca.pem

    4. Append the contents of the *.pem file created in the previous step to the end of ca-bundle.crt. Continuing the example:

      cat cert_ca.pem >> /etc/pki/tls/certs/ca-bundle.crt

      Make sure you type ">>" and not ">", otherwise the contents of the ca-bundle.crt file will be entirely overwritten.
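As an added example of the conversion and append steps above (Python written for this page, not a CyberArk tool): it checks that the exported file really is DER before converting it, produces the same PEM that openssl x509 -inform DER -outform PEM would, backs up the bundle into a backup directory that it creates if missing, appends with an append-mode open (the ">>" of step 4) and refuses to add the same certificate twice. The DER bytes in demo() are a constructed minimal ASN.1 SEQUENCE standing in for cert_ca.cer, not a real certificate; the file and directory names are this example's.

```python
"""Added example: the DER-to-PEM conversion and the append to ca-bundle.crt from the
procedure above, done in Python with the checks a practitioner would want.
Not CyberArk tooling; the sample DER bytes are constructed and are not a real cert."""
import base64
import hashlib
import os
import shutil
import tempfile

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def looks_like_der(data: bytes) -> bool:
    """Sanity check: a DER certificate is a SEQUENCE (0x30) whose declared length
    covers exactly the rest of the file. Catches the common export mistake of choosing
    'Base-64 encoded X.509' (PEM) and then feeding it to a DER-only step."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long-form length: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length, header = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return len(data) == header + length


def der_to_pem(der: bytes) -> str:
    """Same transformation as `openssl x509 -inform DER -outform PEM`:
    base64 in 64-character lines between the CERTIFICATE armor lines."""
    if not looks_like_der(der):
        raise ValueError("input is not DER; re-export as 'DER encoded binary X.509'")
    b64 = base64.b64encode(der).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_BEGIN, *body, PEM_END]) + "\n"


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint in the format `openssl x509 -fingerprint -sha256`
    prints, so the installed CA can be compared against the exported one."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def append_ca_to_bundle(bundle: str, pem: str, backup_dir: str) -> dict:
    """Back up the bundle, then append `pem` unless it is already present.
    Opening with mode 'a' is the `>>` of the procedure; mode 'w' would be the `>`
    that overwrites the whole bundle."""
    os.makedirs(backup_dir, exist_ok=True)      # cp fails if the backup dir is missing
    backup = os.path.join(backup_dir, os.path.basename(bundle) + ".backup")
    shutil.copy2(bundle, backup)
    with open(bundle, "r") as f:
        existing = f.read()
    if pem.strip() in existing:                 # idempotent: rerunning adds no duplicate
        return {"backup": backup, "appended": False}
    with open(bundle, "a") as f:
        if existing and not existing.endswith("\n"):
            f.write("\n")
        f.write(pem)
    return {"backup": backup, "appended": True}


def demo() -> dict:
    """Run the procedure twice against a throwaway bundle in a temp directory."""
    fake_der = bytes.fromhex("3003020105")      # constructed: SEQUENCE { INTEGER 5 }, not a cert
    tmp = tempfile.mkdtemp()
    try:
        bundle = os.path.join(tmp, "ca-bundle.crt")
        original = "# existing CA bundle content\n"
        with open(bundle, "w") as f:
            f.write(original)
        pem = der_to_pem(fake_der)
        backup_dir = os.path.join(tmp, "tlsbackup")
        first = append_ca_to_bundle(bundle, pem, backup_dir)
        with open(first["backup"]) as f:
            backup_after_first = f.read()
        second = append_ca_to_bundle(bundle, pem, backup_dir)
        with open(bundle) as f:
            final = f.read()
    finally:
        shutil.rmtree(tmp)
    return {
        "pem": pem,
        "fingerprint": sha256_fingerprint(fake_der),
        "first_appended": first["appended"],
        "second_appended": second["appended"],
        "original_kept": final.startswith(original),
        "cert_count": final.count(PEM_BEGIN),
        "backup_intact": backup_after_first == original,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Compare the printed fingerprint with openssl x509 -in cert_ca.cer -inform DER -noout -fingerprint -sha256 on the exporting machine to confirm the right CA was installed. Note that a later update of the ca-certificates package regenerates ca-bundle.crt and drops anything appended this way, whereas a certificate placed in /etc/pki/ca-trust/source/anchors via step 3 is re-included on every update-ca-trust extract.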

Enable ticket validation and dual control

Ticketing system integration and dual control are configured separately, and can be enforced independently of each other. However, you may want to apply both controls.

For details, see Enable ticket validation and dual control.

Limitations

If an end user is connected to the Privilege Cloud Portal and then establishes a connection through PSM for SSH, the Privilege Cloud Portal session is disconnected.