IBM ® Security Verify Governance Adapter 10.0.7 for ServiceNow - Release Notes
IBM Security Verify Governance Adapter for ServiceNow 10.0.7 is available. Compatibility, installation, and other getting-started issues are addressed.
Copyright International
Business Machines Corporation 2023, 2024 All rights reserved.
US Government Users Restricted Rights -- Use, duplication or disclosure
restricted by GSA ADP Schedule Contract with IBM Corp.
Table of Contents
· Preface
· Adapter Features and Purpose
· Installation and Configuration Notes
· Customizing or Extending Adapter Features
· Notices
Welcome to the IBM Security Verify Governance ServiceNow Adapter.
These Release Notes contain information for the following products that was not available when the IBM Security Verify Governance Adapter manuals were printed:
§ IBM Security Verify Governance ServiceNow Adapter Installation and Configuration Guide
The ServiceNow Adapter is designed to create and manage accounts on ServiceNow portal. The adapter runs in "agentless" mode. The adapter uses the REST API to establish communication with the ServiceNow server.
The Verify Governance adapters are powerful tools that require Administrator Level authority. Adapters operate much like a human system administrator, creating accounts, permissions and home directories Operations requested from the IBM Security Verify Governance or Identity Manager server will fail if the adapter is not given sufficient authority to perform the requested task.
Review and agree to the terms of the IBM Security Verify Governance Adapters License prior to using this product. The license can be viewed from the "license" folder included in the product package.
|
Component |
Version |
|
|
Release Date |
2025 March 18 23.57.26 |
|
|
Adapter Version |
10.0.7 |
|
|
Component Versions |
Adapter build: 10.0.7.001 Profile 10.0.7 Connector: N/A (uses the HTTP Client connector from Security Directory Integrator) Dispatcher 7.1.39 (packaged separately) |
|
|
Documentation |
The following guides are available in the IBM Verify Governance Adapter Knowledge Center ServiceNow Adapter Installation and Configuration Guide |
|
|
Internal# |
Enhancement # (RFE) |
Description |
|
|
Items included in current 10.0.7 release |
|||
|
SVGAD-3854 |
ADAPT-157 |
Certify the adapter for use with IBM Security Verify Directory Integrator version 10.0.0 |
|
|
Items included in 10.0.6 release |
|||
|
None |
|||
|
Items included in current 10.0.5 release |
|||
|
None |
|||
|
Items included in current 10.0.4 release |
|||
|
None |
|||
|
Items included in current 10.0.3 release |
|
||
|
None |
|
||
|
Items included in 10.0.2 release |
|
||
|
None |
|
||
|
Items included in 10.0.1 release |
|
||
|
None |
|
||
|
Items included in 7.1.10 release |
|
||
|
RTC 186616 |
Add support for HR attributes - Cost Center, Building, Business Unit, Employee type, Hire Date |
|
|
|
Items included in 7.1.9 release |
|
||
|
None |
|
||
|
Items included in 7.1.8 release |
|
||
|
RTC 185407 |
N/A |
Adapter must support private proxy |
|
|
Items included in 7.1.7 release |
|
||
|
RTC 184350 |
N/A |
Added “Do not return inherited roles� in service form |
|
|
RTC 184351 |
N/A |
Added Proxy Support |
|
|
Items included in 7.1.6 release |
|
||
|
None |
|
||
|
Items included in 7.1.5 release |
|
||
|
On-Premise Solution support. |
|
||
|
|
|
Items included in 7.1.4 release |
|
|
None |
|||
|
Items included in 7.1.3 release |
|
||
|
Add support for IGI 5.2.2 This adapter is now designed for use with IBM Security Identity Manager, Privileged Identity Manager, and Identity Governance and Intelligence. |
|||
|
Updated service form to include: company and manager. |
|||
|
Items included in 7.0.2 release |
|
||
|
Updated rdn and external attributes for ServiceGroups: ServiceNowGroup and ServiceNowRole |
|||
|
Updated service form to include: description, owner and prerequisite. |
|||
|
|
|
Items included in 7.0.1 release |
|
|
|
|
Initial release for ISIM |
|
Internal# |
Known Issue#/Case# |
Case# / Description |
|
|
Items included in current 10.0.7 release |
|||
|
SVGAD-3245 Bug 4432 |
DT398710 / TS017520786 |
Servicenow Stage Reconciliations are getting failed |
|
|
Items included in 10.0.6 release |
|||
|
SVGAD-1307 Bug 4189 |
DT243749​ TS014057097 |
All the Reference attributes on person like Company, Location are not correctly returned during reconciliation. |
|
|
SVGAD-1351 Bug 4215 |
TS014391573 |
The custom u_isim_location_code is not getting populated during account creation, but is reflected correctly during recon/modify operation. |
|
|
SVGAD-1368 |
Canonical values missing for erServiceNowCalendarIntegration in targetProfile.json |
||
|
Items included in current 10.0.4 release |
|||
|
RTC 190864 Bug 3891 |
IJ41362 TS009662527 |
Adapter OOM as it stores user accounts twice during reconciliation |
|
|
Items included in current 10.0.4 release |
|||
|
Bug 3944 RTC 190959 |
IJ42613 TSTS010439428 |
Not all data being returned for the choices (locations, costcenters, etc ) |
|
|
Items included in current 10.0.3 release |
|
||
|
Bug 3561 RTC 189894 |
IJ34946 |
TS005945547 / question about adding custom attributes to servicenow adapter for IGI Please refer ServiceNow CustomAttribute Documentation.pdf document from the link IBM Security Verify Governance Adapters v10.x |
|
|
Bug 3617 RTC 189897 |
IJ35104 |
TS006622099 / Adapter Reconciliation fails to return all 1M group memberships |
|
|
Items included in 10.0.2 release |
|
||
|
Bug 3445 RTC 188916
|
IJ31958 |
TS004967663 / Employee Type attribute management |
|
|
Bug 3285 RTC 188377 |
IJ28102 |
TS003893112 / ServiceNow: Modify/Add/Delete/Suspend/Restore do not work with proxy setting
|
|
|
|
|
Items closed in 7.1.10 release |
|
|
Bugz 3248 TS003746169 RTC 186898 |
IJ25288 |
ServiceNow password issue for modify/create user |
|
|
|
|
Items closed in 7.1.9 release |
|
|
Bugz 3136, Bugz 3125, RTC 185908 |
TS003240607 TS003162341 |
Handle null conditions for user object in ServiceNow adapter
|
|
|
Bugz 3117 RTC 185778 TS003116632 |
IJ19873 |
FILTERED RECON FOR SERVICENOW ADAPTER FAILS FOR (!(ERUID=ING_*)) |
|
|
|
|
Items closed in 7.1.8 release |
|
|
Bugz 3053 RTC 185238 |
IJ19873 |
ServiceNow filter of (!(eruid=iNG_*)) fails |
|
|
Bugz 3054 RTC 185247, TS002754323 |
IJ20667 |
ServiceNow 6.0.7.19 – recon is timing out / OOM, TS002754323 |
|
|
|
|
Items closed in 7.1.7 release |
|
|
RTC 184680 |
N/A |
Skip bad records during recon |
|
|
|
|
Items closed in 7.1.6 release |
|
|
RTC 182351 |
|
Fixed “Strange value in ServiceNow timezone supporting data� Known Limitation: Time zone attribute cannot be set to “system timezone� after been set to some other value. |
|
|
|
|
Items closed in 7.1.5 release |
|
|
181206 |
|
Internal - As an ServiceNow adapter developer, I must ensure that the dn target attribute should be mapped to dn governance attribute by default |
|
|
|
|
Items closed in 7.1.4 release |
|
|
|
IJ02613 |
Fixed incorrect setStatusWarning call in Als |
|
|
|
|
Items closed in 7.1.3 release |
|
|
|
42650,082,000 |
Updated searchAL to handle empty groups |
|
|
|
|
Items closed in 7.0.2 release |
|
|
|
|
NULL |
|
|
|
|
Items closed in 7.0.1 release |
|
|
|
|
Initial release for ISIM |
|
Internal# |
APAR# |
Case# / Description |
|
|
|
|
Invalid attributes values might be ignored by ServiceNow If invalid attributes values are sent to ServiceNow and the attribute is not required, ServiceNow might ignore the attribute but return successfully instead of returning errors. |
|
|
|
|
Unable to set choice list field with empty value Due to API limitation, the adapter is unable to set a choice list with empty value(NULL). There is a workaround if the field value is integer: Overriding the "--None--" display value with NULL_OVERRIDE, as suggested in: Changing the --None-- Display Value Then set the "none" option value to NULL_OVERRIDE in "Design Form" in "Configuration System". "Calendar Integration" is an example of such fields. If the field value type is string and the null value is pointing at another choice, e.g. if null value is displaying System Default, then a possible workaround is to edit the choice label and mark which is the system default. So instead of selecting the null value, we can select the system default with the modified label. |
|
|
|
|
Unable to reflect data change that happened on ServiceNow If any modification done by the adapter triggered changes on the ServiceNow server, such as business rules or role inheritance, then these modification will lead to data inconsistency between server and ISIM/PIM/IGI. This is because the adapter is not aware of any modification happens on the server by ServiceNow until reconciliation. We recommend either turn off such business rule on ServiceNow or perform reconciliation after modify those attributes on ISIM/PIM/IGI. |
|
|
|
|
Only default attribute is included in current release The current release contains only default attributes. |
|
|
SVGAD-1364 |
In ISVG a lookup can’t reference an attribute in the account object class. A lookup to other users to get the manager value is not possible. |
i |
|
|
SVGAD-1403 |
Clearing a value for a reference/supporting data type attribute in ISVG doesn’t work. If you clear the value, the value does not get deleted from the attribute in ISVG and no event is send to the target . |
||
|
SVGAD-1406 |
To delete a value like phone or mobile phone, you have to specify a blank/space in ISVG. Clearing the value without replacing it with a blank will not result in the value being removed on the target |
||
|
SVGAD-40 |
|
The password used for a connect Test can’t contain the characters < or > If the he password for the ServiceNow account that is used to establish a connection with ServiceNow contains the characters < or > , this will result in the below error "exception": "java.lang.Exception: com.ibm.commons.util.io.json.parser.TokenMgrError: Lexical error at line 1, column 1. Encountered: "<" (60), after : """, |
|
We recommend verifying any issue encountered with the ServiceNow's REST API explorer first, to make sure it's not due to any setting or restriction related with your instance.
See the IBM Security Verify Governance ServiceNow Adapter Installation and Configuration Guide for detail instructions.
The ServiceNow Adapter Installation and Configuration Guide can be obtained from the IBM Documentation Website
No updates for the current release
No updates for the current release
Value that identifies the company
Value that identifies the department
Value that identifies the cost center
Value that identifies the business unit
Value that identifies the location
Value that identifies the building
The above values can be used to specify the source column/attribute in the ServiceNow table that should be used as display value.
As an example: specify code in the cost center value section if you want to use the code values from the cmn_cost_center table as display values to identify cost centers.
For Verify Governance target management, you can install an IBM Security Verify Governance Adapters or a custom adapter on the built-in Security Directory Integrator in the virtual appliance instead of installing the adapter externally. As such, there is no need to manage a separate virtual machine or system.
About this task
This procedure is applicable to install this adapter on the virtual appliance.
Procedure
1. Download the
adapter package from the IBM Passport Advantage.
For example, Adapter-<Adaptername>.zip.
The adapter package includes the following files:
|
Table 1. Adapter package contents |
|
|
Files |
Descriptions |
|
bundledefinition.json |
The adapter definition file. It specifies the content of the package, and the adapter installation and configuration properties that are required to install and update the adapter. |
|
Adapter JAR profile |
A Security Directory Integrator adapter always include a JAR profile which contains: · targetProfile.json o Service provider configuration o Resource type configuration o List of assembly lines · A set of assembly lines in XML files · A set of forms in XML files · Custom properties that include labels and messages for supported languages.
Use the Target Administration module to import the target profile. |
|
Additional adapter specific files |
Examples of adapter specific files: · Connector jar files · Configuration files · Script files · Properties files
The file names are specified in the adapter definition file along with the destination directory in the virtual appliance. |
|
|
|
2. From the top-level menu of the Appliance Dashboard, click Configure > SDI Management.
3.
Select the instance of the Security Directory Integrator for which you want to
manage the adapters and click Manage > SDI Adapters
The SDI Adapters window is displayed with a table that list the name,
version, and any comments about the installed adapters.
4. On the SDI Adapters window, click Install.
5.
On the File Upload window, click Browse to locate the adapter package
and then click OK.
For example, Adapter-<Adaptername>.zip.
6. Provide the missing 3rd party libraries when prompted.
a.
On the File Upload for Pre-requisite files window, click Select Files.
A new File Upload window is
displayed.
b. Browse and select all the missing libraries and files. For example, httpclient-4.0.1.jar
c.
Click Open.
The selected files are listed in the
File Upload for Pre-requisite files window.
d.
Click OK.
The missing files are uploaded and the adapter package is updated with the 3rd
party libraries.
7. Enable secure communication.
a. Select the instance of the Security Directory Integrator for which you want to manage the adapter.
b. Click Edit.
c. Click the Enable SSL check box.
d. Click Save Configuration.
8. Import the SSL certificate to the IBM® Security Directory Integrator server.
a. Select the instance of the Security Directory Integrator for which you want to manage the adapter.
b. Click Manage > Certificates.
c. Click the Signer tab.
d.
Click Import.
The Import Certificate window is displayed.
e. Browse for the certificate file.
f. Specify a label for the certificate. It can be any name.
g. Click Save.
Note: While uploading the Adapter package, you may receive System Error: A file included in the SDI Adapter zip already exists on the system and the Server Message log under Appliance tab of VA will have a reference to error com.ibm.identity.sdi.SDIManagementService File ibm.com_IBM_Verify_Identity_Governance_xxxx.swidtag found in the adapter zip at location ILMT-Tags/ already exists in system. This is because, you can install the same swidtags only once. So, if another adapter of the same type is installed, remove the swidtags.
The ibm.com_IBM_Verify_Identity_Governance_Enterprise-xxxx.swidtag file is common to all adapters. In addition to the common swidtag file, an application adapter needs ibm.com_IBM_Verify_Identity_Governance_Application_Adapters-xxxx.swidtag file and an infra adapter needs ibm.com_IBM_Verify_Identity_Governance_Lifecycle-xxxx.swidtag and ibm.com_IBM_Verify_Identity_Governance_Compliance-xxxx.swidtag files. So, if an application adapter is already installed and this is an infra adapter, then only install the infra-specific swidtags and the other way around. Please visit Security Verify Governance Adapters v10.x link to identify the adapter type of the installed adapters.
Installing in an IBM Security Verify Directory Dispatcher Container
Before you begin
The steps to install adapter and related files into the container can be performed using the adapterUtil.sh script, which is shipped with the dispatcher package. This script should be staged on the machine running Kubernetes cli. The adapterUtil.sh script is also readily available in the bin directory of ISIM IBM Security Verify Governance Identity Manager Container Starter Kit installation directory (If ISVDI was selected for installation during the ISIM container installation steps).
If, for any reason, the adapter util script cannot be executed or used, the below manual instructions must be followed to copy the files to the persistent volume.
Note: The container must be restarted after installing or uninstalling the adapter and any changes to the configuration yaml. To activate changes and restart the container run the following commands:
. <path_to_starterkit>/bin/createConfigs.sh isvdi
. For OpenShift container: oc -n isvgim rollout restart deployment isvdi
. For kubernetes container: kubectl -n isvgim rollout restart deployment isvdi
Note: This document only describes the adapterUtil.sh command options that are required to install this adapter. For other command options, such as listing installed connectors and 3rd party jars, please refer to the Dispatcher10 Installation and Configuration Guide.
Installing / Upgrading / Re-installing / Downgrading the adapter
Using Script
Use the below command to install / upgrade/ re-install / downgrade the adapter:
/path/to/adapterUtil.sh -loadAdapter "/path/to/Adapter-<AdapterName> -*.zip" accept
Where /path/to/adapterUtil.sh is the location where the adapterUtil.sh script is installed and /path/to/Adapter-<AdapterName>-*.zip is the location where the Adapter zip file is staged on the machine running Kubernetes cli.
ILMT-Tags
Copy below files to the <Persistent_Volume>/swidtag directory:
ibm.com_IBM_Verify_Identity_Governance_Application_Adapters-xx.x.x.swidtag
ibm.com_IBM_Verify_Identity_Governance_Enterprise-xx.x.x.swidtag
P12 file of Servicenow Apps
Copy this file to the <Persistent_Volume>/timsol/keystores directory
Copying 3rd party libraries:
Using Script
Use the below command to copy the 3rd party jars:
/path/to/adapterUtil.sh -copyToPatches "/path/to/<jarfile>.jar"
E.g. If you want to copy httpclient-10.0.14.jar then use below command, likely copy all other required external jars. List of all required jars with version mentioned in the Supported Configuration > Supported third-part client libraries. Refer to Installing > Installing third-party client libraries for more details.
/path/to/adapterUtil.sh -copyToPatches "/path/to/httpclient-*.jar"
This command will copy the 3rd party jars to the <Persistent_Volume>/jars/patches directory.
Manually copying files to the Persistent Volume
Copy required 3rd party jar files to the <Persistent_Volume>/jars/patches directory (List of all required jars with version mentioned in the Supported Configuration > Supported third-part client libraries. Refer to Installing > Installing third-party client libraries for more details.):
Configuring the SSL connection between the IBM Security Verify Directory Integrator Container and the ServiceNow Apps Target
Refer https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#keyfile_trusted-certificates page from SVDI
If the config.yaml file which is used as the YAML_CONFIG_FILE environment variable for the container doesn't have a trusted-certificates element, follow the instructions that are provided in https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#keyfile_trusted-certificates to add a trusted-certificates section to the config.yaml file.
To add a trusted-certificates element (if it doesn't exist in current configuration) to the config.yaml file which is used as parameter for YAML_CONFIG_FILE environment variable of the container, download the Entrust_Root_Certification_Authority-G2 certificates in DER/PEM/CRT format (read instruction in installing > Configuring the SSL connection between the Dispatcher and the ServiceNow Apps server) and place the certificate in the certs directory of the config volume which contains the config.yaml file. The default location for this config volume is /opt/IBM/dispatcher/config.
Provide this path of the certificate in config.yaml file as shown in the example below:
keyfile:
trusted-certificates:
- '@/opt/IBM/dispatcher/config/certs/Entrust_Root_Certification_Authority-G2.pem’
Enabling TLS 1.2
Refer https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#advanced page from SVDI to add an advanced configuration element (if it don't exist in current configuration) to the config.yaml file which is used as parameter for YAML_CONFIG_FILE environment variable of the container.
If the config.yaml file which is used as the YAML_CONFIG_FILE environment variable for the container doesn't have an advanced configuration element, follow the instructions that are provided in https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#advanced to add an advanced configuration section to the config.yaml file.
To enable TLSv1.2, add 2 attr and value key pair (as mentioned in the SVDI guide) as below:
- attr: com.ibm.di.SSLProtocols
value: 'TLSv1.2'
- attr: com.ibm.di.SSLServerProtocols
value: 'TLSv1.2'
Enabling debug logs and disabling json-logging
If the config.yaml file which is used as the YAML_CONFIG_FILE environment variable for the container doesn't have root-level and json-logging configuration elements, follow the instructions that are provided in https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#general_logging to the add root-level and json-logging configuration elements section to the config.yaml file.
Refer https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#general_logging page from SVDI to add root-level and json-logging configuration elements (if they don't exist in current configuration) to the config.yaml file which is used as parameter for YAML_CONFIG_FILE environment variable of the container.
To enable debug logs, set the value for root-level to debug. To disable json logging, set the value for json-logging element to false.
Uninstalling the adapter
Using Script
Use the below command to remove the adapter:
/path/to/adapterUtil.sh -removeAdapter Adapter-<AdapterName>
Manually copying / removing files to / from the Persistent Volume
Remove files from the given directory structure of the persistent volume mapped to the /opt/IBM/svgadapters directory of the container image.
Note: Some 3rd party jars and ILMT-Tags files might be common with other installed adapters, and hence should not be removed while uninstalling this adapter:
ILMT-Tags
Remove below files from <Persistent_Volume>/swidtag directory:
ibm.com_IBM_Verify_Identity_Governance_Application_Adapters-xx.x.x.swidtag
ibm.com_IBM_Verify_Identity_Governance_Enterprise-xx.x.x.swidtag
3rd party jars
Remove the appropriate version of the 3rd party jar files used by this adapter as listed in the Supported Configuration > Supported third-part client libraries from the <Persistent_Volume>/jars/patches directory.
P12 file of ServiceNow Apps
Remove this file from the <Persistent_Volume>/timsol/keystores directory
Remove following lines:
For attribute with supporting data, such as erServiceNowDepartment:
Set the Assignment in searchUser's Input Map as conn.departmentValue. In the Override GetNext, search for
if(usersList[currentUser].department)
{usersList[currentUser].departmentValue
= usersList[currentUser].department.value; }
Add the custom attribute. This piece of script is to retrieve the department.value, which is the SYSID. Assign it to departmentValue which is used in the Input mapping. In the searchChoice, add the Input Map for supporting data attributes:
erServiceNowDepartmentName maps to conn.erServiceNowDepartmentName,
erServiceNowDepartmentSysID maps to conn.erServiceNowDepartmentSysID
In After Initialize, add the following line for your custom attribute:
addToChoiceMap(supporting data object class anme, titleName,
attribute name, attribute SYSID, url for the table supporting data referred to)
For example, the code for department is:
addToChoiceMap(“erServiceNowDepartmentClass�,�name�,�erServiceNowDepartmentName�,“erServiceNowDepartmentSysID�,�/api/now/v1/table/cmn_department�)
Add Following Lines :
Adding Custom Attributes
ServiceNow support custom fields for user object. The adapters supports only the standard set of attributes but you can customize the adapter to support custom attributes.
1. Procedure to add a custom attribute u_cpf to sys_user Table:
Extracting Profile jar file :
Copy the adapter profile JAR file and extract the files.
a. Download the adapter package from the IBM® Passport Advantage® website.
b. Copy the ServiceNowProfile.jar file, which is included in the adapter package, into a temporary directory.
c. Run the following command to extract the contents of the ServiceNowProfile.jar file:
cd c:\temp
jar -xvf ServiceNowProfile.jar
The jar command creates the c:\temp\ServiceNowProfile directory.
The JAR file contains a ServiceNowProfile folder with the following files:
• CustomLabels.properties
• erServiceNowAccount.xml
• erServiceNowService.xml
• schema.dsml
• service.def
• ServicenowAL.xml
• targetProfile.json
Updating Schema.dsml :
Update the schema.dsml file, which identifies all of the standard user account attributes. Modify the file to identify new custom attributes.
a. Open schema.dsml in a text editor.
b. Add the custom attribute at the end of attributes.
For example:
<attribute-type single-value="true">
<name>erServiceNowCpf</name>
<object-identifier>1.3.6.1.4.1.6054.3.177.2.1005</object-identifier>
<syntax>1.3.6.1.4.1.1466.115.121.1.15</syntax>
</attribute-type>
Note:
• In the attribute-type, use single-value to indicate whether the attribute is single-value or multi-value.
• The attribute name must start with a prefix erServiceNow to easily identify the attributes that are used with IBM® Security Identity Manager.
• The Object Identifier (OID) is increased by 1. Start a new range of number for custom attribute to avoid OID conflicts with future version of adapters. For example, you can start your attribute OID from 1.3.6.1.4.1.6054.3.177.2.1000, so the first attribute OID is 1.3.6.1.4.1.6054.3.177.2.1001. An error message is displayed if there is any conflict in the OID.
c. Add the Account attributes under Account Objectclass Section
For Example:
<attribute ref="erServiceNowCpf" required="false"/>
Updating CustomLabels.properties :
Add the attribute and its label in the CustomLabels.properties file to show the correct label on Adapter account form.Use the format attribute=label.
For Example:
erServiceNowCpf=Cpf
Updating Assembly Lines:
Modify the assembly lines to add new mappings for the custom attributes. The Assembly Lines in servicenowAl.xml contain mapping instructions from IBM Security Identity Manager request to ServiceNow.
a. Launch the Security Directory Integrator Configuration Editor.
b. Select File > Open Security Directory Integrator Configuration File to open the servicenowAL.xml.
c. Select snAdd > addUser, which contains the mapping for the Add user operation.
d. In the OutputMap, add the name of the custom field exactly as the API Name on ServiceNow.
e. Change the default value of work.[custom field name] to work.[custom attribute name].
For Example:
Add the Work Attribute as work.erServiceNowCpf and Assignment as u_cpf
f. Add the attribute to snModify > Output Map.
For Example:
Add the Work Attribute as work.erServiceNowCpf and Assignment as u_cpf
g. Add the attribute to snRecon. Select searchUser and add the custom attribute.
For Example:
In the Input Map,Set the Work Attribute as erServiceNowCpf and Assignment as conn.u_cpf
Modifying erservicenowaccount.xml:
Modify the adapter form to view or edit the new custom attribute. Otherwise, the attribute is not displayed even if the Assembly Lines work.You can set the attribute value type according to the field type on ServiceNow.
For Example:
<formElement direction="inherit" label="$erServiceNowCpf" name="data.erServiceNowCpf" required="false">
<input name="data.erServiceNowCpf" type="text"/>
</formElement>
Updating the targetprofile.json file
The Servicenow targetprofile.json file identifies all of the supported service account attributes for the IBM Security Verify Governance.
About this task
Modify the targetprofile.json to identify the new extended attributes.
Procedure
1.Change to the \servicenowprofile directory, where the targetProfile.json file has been created.
2.Open the targetProfile.json file in a text editor.
3.Find the attributes section under userExtension section.
For example:
"user Extension": {
"schema": "urn:ibm:idbrokerage:params:scim:schemas:extension:ServiceNowAccount:2.0:User",
"definition": {
"id":"urn:ibm:idbrokerage:params:scim:schemas:extension:ServiceNowAccount:2.0:User",
"name": "CustomUserExtension",
"description": "Security adapter view of a user",
"attributes": [
The attributes section contains an array of attribute definitions. Each definition is separated by a comma.
4.Add your extended attributes to this attributes section. An attribute object contains the following fields:
Field
Description
Name
Attributes name.
Type
data type (string integer, boolean, binary)
multiValued
True, if attribute can have multiple values.
required
true, if required attribute.
caseExact
true, if value is case-sensitive.
mutability
immutable, read, write, readwrite
returned
Use "default".
uniqueness
User "server".
specialFlags
User "none".
canonicalValues
Optional list of valid values for this attribute as a json array
The attribute object is enclosed in braces ({}). Each field has the name in quotes followed by a colon and the value. Each field is separated by a comma.
For example:
{
"name": "erServiceNowCpf",
"type": "string",
"multiValued": false,
"description": "Cpf",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none",
"specialFlags": "none"
},
Ensure that you separate each attribute definition with a comma. After you update the file, it is suggested that you verify that the syntax is correct by using one of the freely available json lint sites.
Generating Jar:
Create a JAR file and install the new adapter profile.
a. Create a JAR file using the files in the \temp directory. Run the following commands:
cd c:\temp
jar -cvf ServiceNowProfile.jar ServiceNowProfile
b. Import the ServiceNowProfile.jar file into the IBM Security Identity server.
c. Restart the dispatcher.
Note: See the LDAP and trace logs if there is a problem loading the profile.
Note:
If the custom field references another table, define the field as supporting data.
Suppressing password in clear text
While you are executing the user add and password change operations, the REST API shows the password in clear text.
About this task
To suppress the password in clear text, perform the following steps:
Procedure
Add the following property to the log4j properties file:
log4j.logger.org.apache.http=ERROR, Default
Note: The property must be added after the following property:
log4j.rootCategory=DEBUG, Default
Restart the dispatcher.
Upgrading the adapter profile
Read the adapter Release Notes for any specific instructions before you import a new adapter profile.
There is ServiceNowProfile.jar included in the ServiceNow Workspace Adapter distribution package.
Note: Restart the Dispatcher service after importing the profile. Restarting the Dispatcher clears the assembly lines cache and ensures that the dispatcher runs the assembly lines from the updated adapter profile.
Enabling DEBUG Logs on SDI Server
Procedure:
1. Stop
the SDI Server process
Pre-7.2.0-ISS-SDI-FP0008
2. Edit the <SDI_Solution_Directory>/etc/log4j.properties
3. Modify the following line:
log4j.rootCategory=INFO, Default
to
log4j.rootCategory=DEBUG, Default
Post-7.2.0-ISS-SDI-FP0008
2. Edit the <SDI_HOME_Directory>/etc/log4j2.xml
3. Modify the following line:
<Root level="info">
to
<Root level="debug">
Post-7.2.0-ISS-SDI-FP0011
4. To enable TCB block in debug
5. Append the line com.ibm.di.logging.close=false in the the <SDI_HOME_Directory>/etc/global.properties file.
6. Start the SDI Server process
7. Re-create the problem and collect the <SDI_Solution_Dir>/logs/ibmdi.log
Logs are not getting printed in FP13 in Windows OS:
To fix this issue copy log4j2.xml file from <SDI_Home_Dir>/etc and add to the <SDI_Solution_Dir>/etc (which was missing there). Then configure <SDI_Solution_Dir>/ibmdiservice.props with
jvmcmdoptions=-Dlog4j2.configurationFile=etc\log4j2.xml
No updates for the current release
Please add the below information in a new paragraph “ServiceNow API tables�
user tables
/api/now/v1/table/sys_user/
/api/now/v1/table/sys_user_grmember
/api/now/v1/table/sys_user_has_role
/api/now/v1/table/sys_user_group
/api/now/v1/table/sys_user_role
/api/now/v1/table/sys_user_costcenter
/api/now/v1/table/sys_user_location
memberships
/api/now/v1/table/sys_group_has_role
/api/now/v1/table/sys_user_role_contains
locations
/api/now/v1/table/cmn_cost_center
/api/now/v1/table/cmn_location
/api/now/v1/table/core_company
/api/now/v1/table/business_unit
/api/now/v1/table/cmn_department
/api/now/v1/table/cmn_building
HR : /api/now/v1/table/sn_hr_core_profile
Choices: /api/now/v1/table/sys_choice
The IBM Security Verify Governance Adapters can be customized and/or extended. The type and method of this customization may vary from adapter to adapter.
Refer to the IBM Security Verify Governance Adapter Development and Customization Guide
Support for Customized Adapters
The integration to the IBM Security Verify Server "the adapter framework" is supported. However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a case is opened.
Installation Platform
The IBM Security Verify Governance Adapter for was built and tested on the following product versions.
Adapter Installation Platform:
Due to continuous Java security updates that may be applied to
your IBM Security Verify Governance server and IBM Security Verify Governance
Identity Manager server, the following SDI releases are the officially
supported versions:
- Security Directory
Integrator 7.2 + FP14
- Security Verify Directory
Integrator 10.0.0 + LA0002** The
Dispatcher version 10.0.2 doesn't support installation using LA0002, please
install the Dispatcher10 prior to installing LA0002.
Note: Earlier versions of SDI that are still supported may function properly, however to resolve any communication errors, you must upgrade your SDI releases to the officially supported versions by the adapters. Please refer to the adapter's installation and configuration guides for the latest update on IBM Security Directory Integrator versions and fix packs
Managed Resource:
ServiceNow Portal (user accounts only) - Vancouver
ServiceNow On-Premise Solution
Supported IBM Security Verify Governance servers:
· IBM Verify Identity Governance v11.0
· IBM Security Verify Governance Identity Manager v10.0*
· IBM Security Verify Governance v10.0
* Unless this document specifies a specific fix pack version of ISVG Identity Manager v10, we expect the adapter to work with ISIM 6 as well. However, it will only be debugged and fixed from the perspective of ISVG-IM v10.
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services,
or features discussed in this document in other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM product, program, or service is not
intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent
product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it
is the user's
responsibility to evaluate and verify the operation of any non-IBM product,
program, or service.
IBM may have patents or pending patent applications covering
subject matter described in this document. The furnishing
of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your
country or send inquiries, in writing, to:
Intellectual Property
Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan
This information could include technical inaccuracies or typographical
errors. Changes are periodically made to the information herein; these changes
will be incorporated in new editions of the publication. IBM may make
improvements and/or changes in the product(s) and/or the program(s) described
in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this
IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such information may be
available, subject to appropriate terms and conditions, including in some
cases, payment of a fee.
The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments
may vary significantly. Some measurements may have been made on
development-level systems and there is no guarantee that these measurements
will be the same on generally available systems. Furthermore, some measurements
may have been estimated through extrapolation. Actual results may vary. Users
of this document should verify the applicable data for their specific
environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available
sources. IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of
International Business Machines Corp., registered in many jurisdictions
worldwide. Other product and service names might be trademarks of IBM or other
companies. A current list of IBM trademarks is available on the Web at
"Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Microsoft, Windows, and the Windows logo are trademarks of Microsoft
Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Oracle and/or its affiliates.
End of Release Notes