ServiceNow SaltStack Integration OpenVPN REST Part 2

Part 2 of 2 (http://edwardjamesmathison.com/2018/06/08/servicenow-saltstack-integration-openvpn-rest/)

Following up on my previous post, I will be covering the SaltStack side of the integration.

The first thing to do was figure out a way to capture the username from the end user in Snow and send that to SaltStack.

I used a REST API to do this.

I installed salt-api and put the following settings into the master config file.

rest_cherrypy:
  port: 8000                            # pick a port number (8000, the salt-api default, is shown as a placeholder)
  host: hostname                        # hostname or IP the API listens on
  ssl_crt: /etc/ssl/private/cert.pem    # path to the SSL certificate
  ssl_key: /etc/ssl/private/key.pem     # path to the SSL private key
  webhook_disable_auth: True            # set this to False if you want auth enabled; with it disabled, anyone who can reach this port can fire the hook, so restrict network access to the MID server
  webhook_url: /hook                    # allows a webhook; requests go to /hook/<tag>

The next step is to create a reactor file. This tells Salt what to do when something is sent to the webhook via the REST API.
Place the following config at /etc/salt/master.d/reactor.conf.

It will look something like this:

reactor:
  - 'salt/netapi/hook/open_vpn_reset':
    - /srv/reactor/open_vpn_phone_reset.sls

When a request is sent to https://<ip of salt server>:<port>/hook/open_vpn_reset, salt-api fires the salt/netapi/hook/open_vpn_reset event and the reactor renders open_vpn_phone_reset.sls.

Now you need to create the OpenVPN reset SLS file. The one I created is below.

{# This reads the data sent to salt-api so it can be used below #}
{% set postdata = data.get('post', {}) %}
{# postdata.username is interpolated unquoted into a shell command; only send usernames that have been validated (the record producer is the place to do that) #}
open_vpn_phone_reset:
  local.cmd.run:
    - tgt: 'connect'
    - args:
      - cmd: ./sacli --user {{ postdata.username }} --lock 0 GoogleAuthLock
      - cwd: /usr/local/openvpn_as/scripts

The trick to this SLS is that when the data is sent to the webhook you pass a field called username in the POST body. Salt places the parsed body in data['post'], so the value shows up as postdata.username, and then the state will render.
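To make the data flow above concrete, here is a small Python model of what happens between the webhook and the sacli command. This is an added example, not code from the post or from Salt: it mimics how salt-api turns a POST to /hook/<tag> into data['post'], then applies the check the SLS above does not have, an allowlist on the username before it is placed in a shell command. Because the hook runs with webhook_disable_auth: True, the body of that POST is the only thing deciding whose Google Authenticator lock gets cleared, so validating it is the minimum control. USERNAME_RE, SACLI_DIR and the sample body are constructed for this example.

```python
import json
import re
import shlex
from urllib.parse import parse_qs

# Constructed for this example (the post hard-codes the same path in the SLS).
SACLI_DIR = "/usr/local/openvpn_as/scripts"
# Conservative allowlist for an OpenVPN AS username: letters, digits, dot,
# dash, underscore, at-sign, 1-64 characters. Adjust to the site's naming policy.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def parse_webhook_body(content_type, body):
    """Mimic how salt-api fills data['post'] for a POST to /hook/<tag>:
    a JSON object body becomes a dict, a form body becomes {field: value}."""
    if content_type.startswith("application/json"):
        post = json.loads(body)
        if not isinstance(post, dict):
            raise ValueError("JSON body must be an object")
        return post
    if content_type.startswith("application/x-www-form-urlencoded"):
        return {k: v[-1] for k, v in parse_qs(body, strict_parsing=True).items()}
    raise ValueError("unsupported content type: %s" % content_type)


def validate_username(post):
    """Return the username if it passes the allowlist, otherwise raise.
    The SLS on the page interpolates {{ postdata.username }} with no check;
    this function is that missing check."""
    username = post.get("username")
    if not isinstance(username, str):
        raise ValueError("username missing")
    # The record producer appends a trailing space (producer.username + " ").
    username = username.strip()
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected by allowlist")
    return username


def username_accepted(post):
    """Boolean form of validate_username, handy for tests and logging."""
    try:
        validate_username(post)
        return True
    except ValueError:
        return False


def build_reset_command(post):
    """Build the sacli invocation as an argv list, so no shell ever parses it."""
    username = validate_username(post)
    return ["./sacli", "--user", username, "--lock", "0", "GoogleAuthLock"]


def render_reactor_state(post):
    """The hardened equivalent of the reactor SLS as a Python structure:
    the cmd string is built from shell-quoted argv pieces."""
    argv = build_reset_command(post)
    return {
        "open_vpn_phone_reset": {
            "local.cmd.run": [
                {"tgt": "connect"},
                {"args": [
                    {"cmd": " ".join(shlex.quote(a) for a in argv)},
                    {"cwd": SACLI_DIR},
                ]},
            ]
        }
    }


if __name__ == "__main__":
    # Constructed sample: what the record producer below sends to the hook.
    sample_post = parse_webhook_body("application/json", '{"username": "jdoe "}')
    print(render_reactor_state(sample_post))
    # A value with whitespace inside is refused before it reaches cmd.run.
    print("accepted:", username_accepted({"username": "j doe"}))
```

The allowlist lives in Python here only to make it testable; in the real deployment the same check belongs in the record producer before the REST call, with the reactor treating anything that fails it as an error rather than a command.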

This will allow end users to run this script themselves without contacting operations to run it for them.

ServiceNow SaltStack Integration with OpenVPN with REST

This is part 1 of 2; to view the second article, click the following link (http://edwardjamesmathison.com/2018/06/13/servicenow-saltstack-integration-openvpn-rest-part-2/).

We use SaltStack to manage various things on our servers. We also use OpenVPN with Google Authenticator for two-factor authentication on login. We use ServiceNow for our ticketing system.

This works pretty well, until someone gets a new phone and needs a new QR code. We have a quick script that resets this.

The old workflow was: the end user submits a ticket asking for the account to be reset, I run the script, and then I tell them to re-join the phone.

This is fine, but do I really need to run the script myself? This gave me the idea of using self-service in ServiceNow to automate this task.

The first thing I did was to create a very simple record producer that has the caller's name and a username variable. For caller, it is a reference variable to the sys_user table. If you put the following default value in, it will auto-sync the caller with the user who is viewing the record.

javascript:gs.getUserID();

More info regarding record producers can be found at the link below:

https://docs.servicenow.com/bundle/kingston-it-service-management/page/product/service-catalog-management/concept/c_RecordProducer.html

So once I decided that I wanted to do this, I needed to figure out how to build it.

Both ServiceNow and SaltStack have REST APIs. This is how I will integrate the two services.

ServiceNow Rest API documentation: https://developer.servicenow.com/app.do#!/rest_api_doc?v=kingston&id=c_TableAPI

SaltStack REST API documentation: https://developer.servicenow.com/app.do#!/rest_api_doc?v=kingston&id=c_TableAPI

After that I needed a way to get ServiceNow, which is hosted in AWS, to talk with the SaltStack server that is hosted behind firewalls in our VMware stack.

For this, ServiceNow provides a MID server. Refer to my other blog post, linked below, regarding the MID server.

ServiceNow MID Server in Docker

Then I had to create a scripted REST API in ServiceNow. I set the URL endpoint to the webhook URL I created in SaltStack. (I will show the SaltStack side of things in my next post.) Then I set the HTTP headers and query parameters using the outbound REST message in ServiceNow.

https://docs.servicenow.com/bundle/kingston-application-development/page/integrate/outbound-rest/concept/c_OutboundRESTWebService.html

Once this is created, I need to add the code to my record producer to send the username variable to SaltStack via the REST API.

The record producer code is below. Feel free to use or edit it to your liking.

// The username entered in the record producer; a trailing space is appended
// (the SLS interpolates it into a shell command, where the extra space is harmless).
var username1 = producer.username + " ";

try {
    // Outbound REST message 'Salt Open VPN', HTTP method 'OpenVPn', pointed at the salt-api webhook
    var r = new sn_ws.RESTMessageV2('Salt Open VPN', 'OpenVPn');
    r.setStringParameterNoEscape('var', '');
    // The body field must be named username: the reactor SLS reads postdata.username
    var body = {'username': username1};
    var bodyText = JSON.stringify(body);
    //override authentication profile
    //authentication type ='basic'/ 'oauth2'
    //r.setAuthentication(authentication type, profile name);

    //set a MID server name if one wants to run the message on MID
    r.setMIDServer('dev mid');

    //if the message is configured to communicate through ECC queue, either
    //by setting a MID server or calling executeAsync, one needs to set skip_sensor
    //to true. Otherwise, one may get an intermittent error that the response body is null
    //r.setEccParameter('skip_sensor', true);

    r.setRequestBody(bodyText);
    var response = r.execute();
    var httpStatus = response.getStatusCode();
}
catch(ex) {
    var message = ex.getMessage();
}



ServiceNow MID Server in Docker

ServiceNow requires a MID server when you want to interact with resources behind firewalls. I wanted to allow my end users to reset their OpenVPN Google Authenticator code using self-service. Due to this I needed to install a MID server to reach our servers. I put this in Docker to make things easier.

Below is a link to a quick explanation of the ServiceNow MID server:

https://docs.servicenow.com/bundle/jakarta-servicenow-platform/page/product/mid-server/concept/c_MIDServer.html

It is a simple Java application. I did not want to install it on bare metal. We use Docker here at work, so that was a good reason to use Docker.

I found the following git repo that had the MID server in Docker. The only problem was that it was out of date and used Ubuntu as its base image.

https://github.com/tools-proservia/sn-mid-server

So I tweaked a few things and changed the base image to CentOS.

The next issue is that the download file for the installation changes with each ServiceNow update.

So I created a Docker Hub account and created a build linked to my repo. When I update the wget URL and push the code to master, a job in Docker Cloud is fired off via webhook. This auto-builds the Docker image.

This was very helpful, but I still had one more issue. My prod ServiceNow instance is usually a version or two behind dev. I would need to use a different Docker image for prod.

My solution was to create another git branch and a separate Docker Cloud build. This way I could have a prod and a dev branch. Depending on which branch I update, it will build a different Docker image.

My GitHub and Docker image links are below. Feel free to use it, fork it, whatever:

https://github.com/tkojames24/SNMidServer

https://hub.docker.com/r/tkojames/snmidserver/