
HPE A00106089en Us ClearPass Integration-Guide ServiceNow

CPPM SNOW Integration

Uploaded by

abhimanyu10

ClearPass and ServiceNow Integration

ServiceNow CMDB

Integration Guide
ClearPass


Change Log
| Version  | Date         | Modified By   | Comments |
|----------|--------------|---------------|----------|
| v2020-01 | August 2020  | Anish Pansare | First Published Version |
| v2021-02 | January 2021 | Anish Pansare | Support for ServiceNow Paris release |
| v2023-01 | May 2023     | Marc Ibanez   | Updated Endpoint Sync Filtering Mechanisms; Support for ServiceNow Tokyo release |
| v2023-02 | October 2023 | Marc Ibanez   | New Extension Version Updates Table; New Endpoint Sync Filtering Mechanisms; Updated Configuration Parameters; Support for ServiceNow Utah and Vancouver releases |
| v2024-01 | March 2024   | Bikki Gupta   | Added support for OAuth |

Copyright
© Copyright 2024 Hewlett Packard Enterprise Development LP.

Open Source Code


This product includes code licensed under the GNU General Public License, the GNU Lesser General
Public License, and/or certain other open source licenses. A complete machine-readable copy of the
source code corresponding to such code is available upon request. This offer is valid to anyone in
receipt of this information and shall expire three years following the date of the final distribution of
this product version by Hewlett-Packard Company. To obtain such source code, send a check or
money order in the amount of US $10.00 to:
Hewlett-Packard Company
Attn: General Counsel
3000 Hanover Street
Palo Alto, CA 94304
USA
Please specify the product and version for which you are requesting source code. You may also
request a copy of this source code free of charge at HPE-Aruba-gplquery@hpe.com.


Contents
Introduction and Overview
Extension Version Updates
Software Requirements
ClearPass Installation and Deployment Guide
ClearPass Extensions
Access to the extension store
Pictorial View of the Integration
Use Cases
New extension capabilities in ClearPass 6.7
Extensions and IP address configuration support
Configuration Values can be obfuscated in 6.7.2 or later.
Extensions and web proxy support
Direct Installation of Extension on Subscribers
ServiceNow CMDB Extension Installation
Checking API Access Application Control restrictions
Checking ClearPass user access
ClearPass Extension and ServiceNow CMDB Configuration
ServiceNow Extension Configuration Parameter
Endpoint Sync Filtering Mechanisms
ServiceNow Configuration Requirements
ClearPass Extension Configuration
Using ClearPass Policy Manager with ServiceNow
Endpoint ingestion from ServiceNow CMDB
Push endpoint attributes from ClearPass to ServiceNow
Push endpoint attributes from ClearPass to ServiceNow via push-queue
Sync endpoint database from ClearPass into ServiceNow
Extension API Endpoints
Enforcement Profile
Appendix A – Sample data from ServiceNow
Appendix B – Additional Diagnostics and Support
Checking on the Extension Service
Extension Logs/Debugging
Accessing the extension logs using ‘Collect Logs’ system function



Introduction and Overview
The ServiceNow v3 extension is a full-featured extension that pushes ClearPass endpoints to the
ServiceNow CMDB and pulls devices from ServiceNow into ClearPass. The extension requires a
ServiceNow application to be installed for custom APIs and data mapping. This integration guide covers
how to deploy and configure the ClearPass extension to interface with the ServiceNow Configuration
Management Database (CMDB), including the complete installation, configuration and integration
between the extension and ClearPass Policy Manager.

Extension Version Updates

| ServiceNow Extension Version | ClearPass App on ServiceNow Store Version | ServiceNow Release Certification | Date | Notes |
|------------------------------|-------------------------------------------|----------------------------------|------|-------|
| 2.1.1 | 2.0.1 | Tokyo | May 2023 | Updated Endpoint Sync Filtering Mechanisms (refer to details in subsection under Configuration) |
| 3.1.3 | 2.2.0 | Tokyo, Utah, Vancouver | Oct 2023 | New Endpoint Sync Filtering Mechanisms (refer to details in subsection under Configuration) |

The ServiceNow Extension works in conjunction with the ClearPass App on ServiceNow Store. The version
numbers listed in the table correspond to how they need to be paired up.

Support for OAuth


Starting with ServiceNow extension version 3.2.2, OAuth is supported for communication with
ServiceNow. Version 3.1.3 and earlier supported only basic auth. OAuth support adds security to the
integration in terms of password exposure.
This release does not change the ServiceNow release certification or the ServiceNow ClearPass App store
version. Therefore, the recommended ServiceNow ClearPass App version remains 2.2.0 with extension
version 3.2.2.

www.arubanetworks.com
3333 Scott Blvd
Santa Clara, CA 95054
Phone: 1-800-WIFI-LAN (+800-943-4526)
© 2024 Hewlett Packard Enterprise Development LP. All Rights Reserved. Fax 408.227.4500

With OAuth support, the extension configuration has two additional fields, clientId and clientSecret:
"serviceNowUser": "",
"serviceNowPassword": "********",
"clientId": "********",
"clientSecret": "********",
The clientId and clientSecret fields work in conjunction with the existing serviceNowUser and
serviceNowPassword fields. ServiceNow does not support authentication based only on clientId and
clientSecret: the username and password fields are still mandatory, while the clientId and clientSecret
fields that enable OAuth are optional. However, it is recommended to enable OAuth by configuring the
clientId and clientSecret fields with the values obtained from the ServiceNow System OAuth application
registries.

Note: It is recommended to first update the ClearPass App on ServiceNow Store to version 2.2.0 and
then update the ServiceNow Extension on ClearPass to version 3.2.2.

Software Requirements
The minimum software version required for ClearPass is 6.9.0. At the time of writing, ClearPass 6.11.7 is the
latest available and recommended release. Any subsequent ClearPass software release will support this
integration. ClearPass runs on either hardware appliances with pre-installed software, or as a Virtual
Machine under the following hypervisors. Hypervisors that run on a client computer such as VMware Player
are not supported.

• VMware ESXi 6.0, 6.5, 6.6, 6.7 or higher
• Microsoft Hyper-V Server 2012, 2016 R2 or 2019
• Hyper-V on Microsoft Windows Server 2012, 2016 R2 or 2019
• KVM on CentOS 7.5 or later

ClearPass Installation and Deployment Guide


This document assumes your ClearPass environment is already configured and operational. If you
require assistance with basic deployment, refer to the following deployment guide:
http://www.arubanetworks.com/techdocs/ClearPass/Aruba_DeployGd_HTML/Default.htm

ClearPass Extensions
The integration between ClearPass Policy Manager and ServiceNow is driven through a ClearPass capability
known as Extensions, a sub-component of the ClearPass Exchange Integration framework. ClearPass
Extensions are micro-services running on top of the base ClearPass platform. These micro-services enable
Aruba to deliver new features outside of the main software release cycle and facilitate a faster time to
market for specific features and integrations. Configuration and control of ClearPass Extensions is covered
later in this document.

Access to the extension store


Access to the Extension Store to download extensions is simplified starting in ClearPass 6.7. The ability to
download extensions from the store and to validate support entitlement for access to the Software Updates
Portal (e.g. Posture & Profile Data Updates, Software Updates, & Skins) now uses the HPE Passport account
credentials that are associated with the customers’ ClearPass licenses. This is configured where previously
the subscription-id was defined, under Administration > Agents and Software Updates > Software
Updates as shown below. Ensure you enter your HPE Passport credentials to enable Extension download
capabilities.

Figure 1: Entering HP Passport credentials

If Passport credentials are not defined, an error appears at installation time: you can still search
for an Extension, but when you try to install one the message below is displayed.

Pictorial View of the Integration
Figure 2: Pictorial view of the integration

Use Cases
ClearPass Policy Manager integrates with ServiceNow in multiple ways:

• Perform a real-time lookup of the device attributes which can be leveraged for Authorization.
• Bulk import of all endpoints from ServiceNow to ClearPass Policy Manager leveraging flexible polling
  definition based on cron based scheduling.
• Push individual endpoint attributes from ClearPass Policy Manager and map them in ServiceNow.
• Bulk export of all endpoints from ClearPass Policy Manager to ServiceNow.

The above use cases are covered as part of this integration and are documented in this integration guide.



New extension capabilities in ClearPass 6.7
With the release of 6.7, several new features were added to enhance the functionality of the extension
framework. Previously, all extension installation and operation tasks required use of the API Explorer. This
functionality has been moved into the GUI. To manage extensions, use the Guest UI as shown below, access
it from Guest > Administration > Extensions.

Extensions and IP address configuration support


The other major addition in the 6.7 release is the ability to define a static IP address for an extension.
This is especially useful when deploying extensions across nodes within a cluster where a consistent IP
address is required for the extension; for example, where an HTTP authorization source is configured, it
is mandatory that the local Extension has the same IP address on all nodes in the cluster.

Configuration Values can be obfuscated in 6.7.2 or later.


Starting in 6.7.2, password and security-sensitive configuration items are obfuscated when presented in
either the Extension GUI or the Explorer configuration.

Extensions and web proxy support


Prior to 6.7, web proxy support was limited to the installation of extensions. Starting with 6.7,
extensions also support communication with third parties via a web proxy. This adds incremental proxy
functionality. If a proxy is defined in ClearPass Policy Manager, then an extension will use that configuration.

The Policy Manager proxy configuration is ONLY read by the extension at installation time. If the web
proxy configuration is changed, then the extension must be re-installed to activate the new settings.

Figure 3: Extension Framework GUI



The base Extension IP subnet is defined within Policy Manager, as shown below, under
Administration > Server Manager > Server Configuration [choose your node] Service Parameters
[ClearPass system service]. The default is 172.17.0.1/16; this address is the non-routed address of the
ClearPass node itself. The IP address range for the extensions is based upon the network prefix used.

Note that the subnet defined here for the extension framework must fall within the following
subnet range 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 as defined by RFC1918.

Figure 4: Defining the base IP SUBNET and LOCALHOST for the Extensions Framework

Note that changing the extension base IP address will require the extension service to be restarted.

Changing the “Extensions Network Address” range is necessary if either the MGMT or DATA interface are
using an IP address in the extension default range of 172.17.x.x/12. Set the new network address range as
needed and restart the extension service for this change to take effect.

Never set the DATA or MGMT IP address to use an address that matches the Extension Network
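
The two constraints above (the extension subnet must sit inside RFC1918 space and must not collide with the MGMT or DATA interface) can be checked before the service parameter is changed. The following is an added example, not part of the original guide or of ClearPass; the function names and the sample interface addresses are assumptions constructed for illustration.

```python
import ipaddress

# Ranges the guide allows for the extension framework subnet (RFC1918).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_extension_network(extension_cidr, interfaces):
    """Return a list of problems with a proposed Extensions Network Address.

    extension_cidr: value as entered in the service parameter, e.g. "172.17.0.1/16".
    interfaces: address/prefix of each node interface, e.g. {"MGMT": "10.1.1.5/24"}.
    """
    ext_net = ipaddress.ip_interface(extension_cidr).network
    problems = []
    if not any(ext_net.subnet_of(block) for block in RFC1918):
        problems.append(f"{ext_net} is outside the RFC1918 ranges")
    for name, addr in interfaces.items():
        # Compare whole networks, not just the single interface address.
        if ipaddress.ip_interface(addr).network.overlaps(ext_net):
            problems.append(f"{name} interface {addr} overlaps extension network {ext_net}")
    return problems


def first_usable(candidates, interfaces):
    """Return the first candidate subnet that raises no problems, or None."""
    for cidr in candidates:
        if not check_extension_network(cidr, interfaces):
            return cidr
    return None


if __name__ == "__main__":
    # Constructed sample addressing for a node whose MGMT interface sits in
    # the extension default range.
    node = {"MGMT": "172.17.20.5/24", "DATA": "10.20.30.40/24"}
    for problem in check_extension_network("172.17.0.1/16", node):
        print("PROBLEM:", problem)
    print("Suggested:", first_usable(
        ["172.17.0.1/16", "10.20.0.1/16", "192.168.200.1/24"], node))
```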

Direct Installation of Extension on Subscribers


In 6.7.2 support was added to allow a ClearPass subscriber to directly access the Extension store and install
an Extension thus simplifying the deployment process.



ServiceNow CMDB Extension Installation
Starting in ClearPass 6.7, a Graphical User Interface (GUI) was introduced to make the process of interacting
with the extension framework easier. To manage extensions, go to Guest > Administration > Extension.

Figure 5: Extensions Framework GUI

From here, click on ‘Install Extension’ in the top right-hand side of the screen, and the search box below appears.

Figure 6: GUI Extension Installation

Enter the name of the Extension required, in this case CMDB and click on ‘Search’. Be sure to install 2.0.0
version of ServiceNow Integration.



Click on the extension and then the ‘Install’ option will appear.

Figure 7: Click on the Extension to reveal the 'Install' option

If necessary, be sure to set the IP address now.

Figure 8: GUI Extension Configuration at Install time

Do not choose to Start the extension, as the configuration will need to be modified before it’s started.
After the extension has been installed, review the extension configuration and adjust as needed.



Notice the options to Start, Delete, Reinstall or Show Logs and the option to review and set the extension
configuration.

Figure 9: Reviewing and Setting the Extension configuration, below is the default configuration

A copy of the default ServiceNow CMDB Extension configuration is shown above; this will need to be
modified. The next section discusses the configuration values, how to use them, and where to collect the
configuration items that are required.

Checking API Access Application Control restrictions

Within ClearPass, additional controls can be leveraged to harden a ClearPass Policy Manager deployment.
It’s possible that these guidelines have already been followed at the time of the Extension deployment,
with the result that the Extension does not work. If the Extension log shows something like the
following immediately after starting the Extension, this likely indicates that the ClearPass API access
application controls are in place.

[2020-03-16T15:42:21.083] [INFO] ServiceNow - Server listening on port 80.
[2020-03-16T15:42:21.243] [DEBUG] Trend Micro - Request "GET 'https://172.17.0.1/api/server/version'" took 51.91ms.
[2020-03-16T15:42:21.245] [DEBUG] Trend Micro - <!DOCTYPE html><html>
<head>
<title>
Error 403 (Forbidden)
</title>
<script language="javascript">
function reloadPage() {
var locHref = window.location.protocol + "//" + window.location.hostname;
window.location.href = locHref;
}
</script>

</head>
<body onload="setTimeout(reloadPage, 5000);">
<table border=0 cellpadding=0 cellspacing=0 height=100% width=100%>

To resolve this, add the IP address of the Extension to the list of permitted nodes. For this reason, it’s
good practice to fix the IP address of the extension at installation time so that it doesn’t change over
time and break the application controls. Access to the Policy Manager API can be controlled from
Administration > Server Manager > Server Configuration {choose your node} > Network.

Figure 10: Locking down access to the Policy Manager API for extensions

Checking ClearPass user access

Within the extension configuration, a CPPM user must be configured, as detailed later on page 19. If
the correct level of account is not created, errors similar to the below will be seen in the Extension Log.

[2020-03-16T15:25:11.946] [DEBUG] Trend Micro - {"type":"http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html","title":"Forbidden","status":403,"detail":"Forbidden"}
[2020-03-16T15:25:13.226] [DEBUG] Trend Micro - Attempting to update endpoint 00505699be29...
[2020-03-16T15:25:13.338] [ERROR] Trend Micro - Request failed with status code 403
[2020-03-16T15:25:13.338] [ERROR] Trend Micro - { type: 'http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html',
title: 'Forbidden',
status: 403,
detail: 'Forbidden' }
[2020-03-16T15:25:13.340] [WARN] Trend Micro - Invalid repsonse from ClearPass API while attmpting to add Endpoint with MAC Address 00505699be29.
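
The two 403 failure modes shown in this section look different in the log: the application access control restriction returns an HTML "Error 403 (Forbidden)" page, while an under-privileged CPPM user produces an API-level 403 (JSON body or "status code 403"). The following added example, which is not part of the original guide or of the extension, separates the two in a collected extension log. The cause labels and function names are assumptions, and the sample log is assembled from the excerpts above.

```python
import re

# An entry starts with "[timestamp] [LEVEL] "; any other line continues the previous entry.
ENTRY = re.compile(r"^\[(?P<ts>\d{4}-\d{2}-\d{2}T[\d:.]+)\]\s+\[(?P<level>[A-Z]+)\]\s+(?P<msg>.*)$")
# HTML error page returned in place of an API response.
HTML_403 = re.compile(r"<!DOCTYPE html>.*Error 403 \(Forbidden\)", re.S)
# API-level 403: JSON body, logged object, or the HTTP client error line.
API_403 = re.compile(r'\bstatus"?\s*:\s*403\b|status code 403')

# Remediation text paraphrased from the guide.
REMEDIATION = {
    "api-access-control": "Add the extension IP to the permitted nodes under Administration > "
                          "Server Manager > Server Configuration > Network.",
    "operator-privilege": "Check that the CPPM user in the extension configuration has the "
                          "correct level of account.",
}


def parse_entries(text):
    """Group raw log lines into entries, folding continuation lines into the message."""
    entries = []
    for line in text.splitlines():
        match = ENTRY.match(line)
        if match:
            entries.append({"ts": match["ts"], "level": match["level"], "msg": match["msg"]})
        elif entries and line.strip():
            entries[-1]["msg"] += "\n" + line
    return entries


def classify(entry):
    """Return the likely cause label for one entry, or None if it is not a 403."""
    if HTML_403.search(entry["msg"]):
        return "api-access-control"
    if API_403.search(entry["msg"]):
        return "operator-privilege"
    return None


def triage(text):
    """Map each cause label to the timestamps of the entries that show it."""
    result = {}
    for entry in parse_entries(text):
        cause = classify(entry)
        if cause:
            result.setdefault(cause, []).append(entry["ts"])
    return result


# Sample log assembled from the excerpts in this section.
SAMPLE_LOG = """\
[2020-03-16T15:42:21.083] [INFO] ServiceNow - Server listening on port 80.
[2020-03-16T15:42:21.243] [DEBUG] Trend Micro - Request "GET 'https://172.17.0.1/api/server/version'" took 51.91ms.
[2020-03-16T15:42:21.245] [DEBUG] Trend Micro - <!DOCTYPE html><html>
<head>
<title>
Error 403 (Forbidden)
</title>
[2020-03-16T15:25:11.946] [DEBUG] Trend Micro - {"type":"http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html","title":"Forbidden","status":403,"detail":"Forbidden"}
[2020-03-16T15:25:13.226] [DEBUG] Trend Micro - Attempting to update endpoint 00505699be29...
[2020-03-16T15:25:13.338] [ERROR] Trend Micro - Request failed with status code 403
[2020-03-16T15:25:13.338] [ERROR] Trend Micro - { type: 'http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html',
title: 'Forbidden',
status: 403,
detail: 'Forbidden' }
[2020-03-16T15:25:13.340] [WARN] Trend Micro - Invalid repsonse from ClearPass API while attmpting to add Endpoint with MAC Address 00505699be29.
"""

if __name__ == "__main__":
    for cause, stamps in triage(SAMPLE_LOG).items():
        print(f"{cause}: {len(stamps)} entries, first at {stamps[0]}")
        print("  ->", REMEDIATION[cause])
```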



ClearPass Extension and ServiceNow CMDB Configuration
The ClearPass ServiceNow extension configuration requires that you set and/or collect a number of
items; some will have to be configured and collected based upon the configuration of your CMDB.
Deployment and configuration of the ServiceNow CMDB is beyond the scope of this document; we only
cover the components required to enable the integration.

ServiceNow Extension Configuration Parameter

Figure 11: SNOW Configuration Parameters

Each entry lists the Configuration Parameter, its Description and, where given, its Example/Values.

logLevel
    Description: Logging level for troubleshooting
    Example/Values: "INFO"

verifySSLCerts
    Description: Should SSL certificates be validated when communicating with Defender ATP.
    Example/Values: true or false

serviceNowUri
    Description: The host and port (if other than 443) of your ServiceNow instance.
    Example/Values: ven00000.service-now.com

serviceNowUser
    Description: The user name you would like the extension to use for accessing ServiceNow.

serviceNowPassword
    Description: The password of the user for accessing ServiceNow.

clientId
    Description: ClientID from OAuth Client in ServiceNow System OAuth > Application registries.

clientSecret
    Description: ClientSecret from OAuth Client in ServiceNow System OAuth > Application registries.

serviceNowOperationalStatus
    Description: Ability to filter endpoints based on Operational Status
    Example/Values: Refer to Endpoint Sync Filtering Mechanisms section after table

serviceNowInstallStatus
    Description: Ability to filter endpoints based on Install Status
    Example/Values: Refer to Endpoint Sync Filtering Mechanisms section after table

serviceNowSysClassAllow
    Description: Ability to filter endpoints based on Allowlist of cmdb_ci tables
    Example/Values: Refer to Endpoint Sync Filtering Mechanisms section after table

serviceNowSysClassDeny
    Description: Ability to filter endpoints based on Denylist of cmdb_ci tables
    Example/Values: Refer to Endpoint Sync Filtering Mechanisms section after table

macAddressSeparator
    Description: The MAC Address separator used in ServiceNow. The default value is a hyphen "-".
    ClearPass stores MAC Addresses with no separator, so if no separator is specified MAC Addresses
    will be sent to ServiceNow as they are seen in ClearPass, something that could result in duplicates.
    Example/Values: -

enableEndpointCache
    Description: Enable or disable the endpoint caching process. When enabled, endpoints looked up
    using the MAC Address lookup APIs will have their ServiceNow results cached in the endpoint
    database. Information will only be refreshed by this process after the Cache Time is elapsed.
    Example/Values: true or false

endpointCacheTimeSeconds
    Description: The time in minutes for endpoint lookup API to use cached endpoint data from
    ServiceNow.
    Example/Values: 300

enableQueue
    Description: Enable or disable the endpoint processing queue for pushing endpoints to ServiceNow.
    When enabled, you can add MAC Addresses to the processing queue using the queue related API
    endpoints.
    Example/Values: true or false

queueSchedule
    Description: The schedule used for the queue processor. This is a CRON based schedule.
    Example/Values: */30 * * * * *

queueRequireIdentity
    Description: Should identity information be required to send data to ServiceNow. If set to true,
    a MAC address processed by the queue processor will only be sent to ServiceNow if the MAC address
    is found in the identity endpoint database.
    Example/Values: true or false

queueRequireInsight
    Description: Should insights information be required to send data to ServiceNow. If set to true,
    a MAC address processed by the queue processor will only be sent to ServiceNow if the MAC address
    is found in the insight endpoint database.
    Example/Values: true or false

queueRetryCount
    Description: The queue retry count is the number of times a MAC address will be looked up to
    attempt to get information to send to ServiceNow. This will take effect if there is no
    information in ClearPass for the MAC Address or if one of the queue require rules comes into play.
    Example/Values: 3

cmdbDiscoverySourceName
    Description: The CMDB Discovery source that is used when sending data to the CMDB. This must be
    added to ServiceNow. Add a choice list option for cmdb_ci -> discovery_source named "ClearPass"
    Example/Values: “ClearPass”

cmdbDefaultTarget
    Description: The default table target mapping if no mappings can be found in the cmdbTargetMap
    configuration.
    Example/Values: cmdb_ci_netgear

cmdbTargetMap
    Description: This map describes how CMDB table mappings are identified. For example, a CPPM
    endpoint, profiled as a "Computer", will map to the CMDB cmdb_ci_computer table. This base
    matching is done using the device category; optional device family mappings can also be used to
    further refine the mapping. A default set of mappings is provided.
    Example/Values:
    [
      { "deviceCategory": "Computer", "target": "cmdb_ci_computer" },
      { "deviceCategory": "Server", "target": "cmdb_ci_server",
        "deviceFamilies": [
          { "deviceFamily": "win", "target": "cmdb_ci_win_server" },
          { "deviceFamily": "unix", "target": "cmdb_ci_unix_server" },
          { "deviceFamily": "vmware", "target": "cmdb_ci_vm_vmware" }] },
      { "deviceCategory": ["SmartDevice", "Network Camera", "Access Points"],
        "target": "cmdb_ci_netgear" },
      { "deviceCategory": "Printer", "target": "cmdb_ci_printer" },
      { "deviceCategory": "Switch", "target": "cmdb_ci_switch" }
    ]

cmdbAttributeMap
    Description: This is a list of endpoint attributes to send to ServiceNow and what fields they
    should be mapped to in the CMDB. Each entry is a key/value pair. The key is the CPPM attribute
    name, the value is the ServiceNow CMDB table column name. The names in the list should match up
    to endpoint attributes. When a matching attribute is found it will be pushed to ServiceNow. When
    available, the insights information of Device Category, Device Family and Device Name are
    available using the names CPPM-Device-Category, CPPM-Device-Family, and CPPM-Device-Name.
    Example/Values:
    {
      "Description": "short_description"
    }

enableSyncAll
    Description: Enable or disable pulling all endpoints from ServiceNow.
    Example/Values: true or false

syncAllSchedule
    Description: The ServiceNow pull schedule. This is a CRON based schedule.
    Example/Values: 0 3 * * *

syncPageSize
    Description: The number of ServiceNow cmdb items to pull with each request. You can adjust this
    based on the number of cmdb items you have, the performance of your ClearPass system, and the
    performance of your network.
    Example/Values: 100

syncUpdatedOnly
    Description: True or false to only pull cmdb_ci records that have been updated since the last
    update.
    Example/Values: true or false

syncAllOnStart
    Description: Sync all endpoints from ServiceNow when the extension starts or restarts
    Example/Values: true or false

enableEndpointPush
    Description: Enable or disable pushing all identity endpoints from ClearPass to ServiceNow.
    Example/Values: true or false

endpointPushSchedule
    Description: The endpoint push schedule. This is a CRON based schedule.
    Example/Values: 0 3 * * *

endpointPushPageSize
    Description: The number of ClearPass endpoints to pull with each request. You may want to adjust
    this based on the number of endpoint attributes your endpoints contain.
    Example/Values: 100

endpointPushRequireInsight
    Description: Should insight information be required to send an endpoint to ServiceNow.
    Example/Values: true or false

asyncOperationLimit
    Description: The number of asynchronous operations to run at one time. This controls how many
    individual internal workers are running at any given time for any one process. For example, if
    this is set to 10, and the queue processor and pull processors are running at the same time,
    this setting will limit each process to processing at most 10 items at a time, so in the
    mentioned situation there would be 20 workers pushing and pulling information.
    You can adjust this value based on your ClearPass load. The lower the value the longer it will
    take for items to be processed.
    Example/Values: 3

bypassProxy
    Description: Bypasses the configured system proxy
    Example/Values: true or false

enableStats
    Description: Option to enable extension statistics
    Example/Values: true or false

statsUsername
    Description: Create a username to access the extension statistics page
    Example/Values: Give any username you want to use

statsPassword
    Description: Create a password to access the extension statistics page
    Example/Values: Give any password you want to use

Pay special attention to the values in the extension configuration. Where a configuration attribute is
a Boolean value {true/false}, it must not be enclosed in quotation marks.

Endpoint Sync Filtering Mechanisms

The custom API built in the ClearPass Integration App is designed to work in conjunction with the
ServiceNow Extension to pull a set of attributes from endpoints in the ServiceNow CMDB and map them
into the ClearPass Endpoints DB.

When pulling a MAC address (or multiple MAC addresses) for an endpoint, it is based on network adapter
configuration item “cmdb_ci_network_adapter”. A default filter based on Operational Status is applied in
which only MAC addresses with “Operational Status = Operational” are pulled in. This continues to be the
default mode of operation.

The ServiceNow Extension v2.1.1 expanded to two filters that can be applied, and there is also more
flexibility in how these filters are applied. The two filters that can be applied are based on Operational
Status and Install Status as seen in the default configuration:

"serviceNowOperationalStatus": "1",

"serviceNowInstallStatus": "",

As can be seen, the default configuration has the default mode of operation. A value of “1” for Operational
Status is equivalent to Operational. An empty value for Install Status means this filter is not applied.



Another option is to apply filter based on Install Status only rather than Operational Status. In this case, the
configuration is changed to the following:

"serviceNowOperationalStatus": "",

"serviceNowInstallStatus": "1",

Here a value of “1” for Install Status is equivalent to Installed. An empty value for Operational Status means
this filter is not applied.

For reference, the following tables list the possible values for Operational Status and Install Status.

Operational Status

| Selection          | Value |
|--------------------|-------|
| Operational        | 1     |
| Non-Operational    | 2     |
| Repair in Progress | 3     |
| DR Standby         | 4     |
| Ready              | 5     |
| Retired            | 6     |

Install Status

| Selection       | Value |
|-----------------|-------|
| Installed       | 1     |
| On Order        | 2     |
| In Maintenance  | 3     |
| Pending Install | 4     |
| Pending Repair  | 5     |
| In Stock        | 6     |
| Retired         | 7     |
| Stolen          | 8     |
| Absent          | 100   |

For the case where no filter needs to be applied and all MAC addresses are to be pulled in, the
configuration is changed to the following with empty values:

"serviceNowOperationalStatus": "",

"serviceNowInstallStatus": "",

The ServiceNow Extension v3.1.3 expands even further with two new filters that can be applied. In order
to optimize the syncing of large databases, now either an Allowlist or Denylist can be configured to
filter which “cmdb_ci” tables will be included or excluded during the endpoint sync process.

Note: Only one of these filters (either Allowlist or Denylist) can be applied. Do not apply both filters
simultaneously.

By default, the configuration starts with empty values for both the Allowlist and Denylist:

"serviceNowSysClassAllow": "",

"serviceNowSysClassDeny": "",

Here is an example of an Allowlist that can be applied to only include “cmdb_ci” tables that contain MAC
addresses (the end customer to determine the “cmdb_ci” tables to be included pertaining to their
environment):

"serviceNowSysClassAllow":
"cmdb_ci_computer_list,cmdb_ci_printer_list,cmdb_ci_ip_phone_list,cmdb_ci_ups_list",

Here is an example of a Denylist that can be applied to exclude “cmdb_ci” tables that do not contain MAC
addresses (the end customer should determine which “cmdb_ci” tables to exclude for their
environment):

"serviceNowSysClassDeny": "dscy_route_next_hop,cmdb_ci_ups_alarm",

ServiceNow Configuration Requirements

Before the ClearPass application can be installed in ServiceNow, the following configuration changes are
required.

1. The plugin “Configuration Management For Scoped Apps (CMDB)” (com.snc.cmdb.scoped) must be
enabled.
2. The CI Identifier rule for MAC Address only lookups must be enabled. Navigate to CI Identifiers >
Hardware Rule > Network Adapter [cmdb_ci_network_adapter] (mac_address) and enable the mac_address only rule.
3. You must add “ClearPass” to the discovery source choice list. Navigate to Choice Lists and add a
“ClearPass” record.

ClearPass Extension Configuration

Enter the ServiceNow tenant details such as serviceNowUri, serviceNowUser, serviceNowPassword into
the extension configuration. Depending upon the use case, adjust the other configuration switches as
necessary, paying attention to the attributes related to push/pull queues and schedules.

For syncAllSchedule and endpointPushSchedule specifically, we use our standardized process of
scheduling within the Extension. It is based on a slightly modified version of the CRON job scheduler found
in Unix-like operating systems, and can be used to schedule jobs to run periodically at fixed times, dates or
intervals.

Let’s break it down. A ‘cron’ is a job scheduler, and any task that is scheduled is called a ‘cron job’; this is
useful for any action that needs scheduling. The syntax for a cron job schedule is as follows:

In our use of the cron scheduler, we’ve dropped the last instruction, <command to execute>, and
use only the time/date functions. See below for a number of examples of scheduling a sync process.

• Schedule a sync to run at 2am daily: 0 2 * * *
• Schedule a sync to run twice a day at 5am and 5pm: 0 5,17 * * *
• Schedule a sync to run on every Sunday at 5pm: 0 17 * * sun
• Schedule a sync to run every 30 minutes: */30 * * * *
• Schedule a sync to run at 5pm on selected days: 0 17 * * sun,fri

You can see from the above that the scheduling process is extremely flexible.

Figure 12: setting the Extension configuration

{
  "logLevel": "INFO",
  "verifySSLCerts": true,
  "serviceNowUri": "",
  "serviceNowUser": "",
  "serviceNowPassword": "********",
  "serviceNowOperationalStatus": "1",
  "serviceNowInstallStatus": "",
  "serviceNowSysClassAllow": "",
  "serviceNowSysClassDeny": "",
  "macAddressSeparator": "-",
  "enableEndpointCache": false,
  "endpointCacheTimeSeconds": 300,
  "enableQueue": false,
  "queueSchedule": "*/30 * * * * *",
  "queueRequireIdentity": true,
  "queueRequireInsight": true,
  "queueRetryCount": 3,
  "cmdbDiscoverySourceName": "ClearPass",
  "cmdbDefaultTarget": "cmdb_ci_netgear",
  "cmdbTargetMap": [
    {
      "deviceCategory": "Computer",
      "target": "cmdb_ci_computer"
    },
    {
      "deviceCategory": "Server",
      "target": "cmdb_ci_server",
      "deviceFamilies": [
        {
          "deviceFamily": "win",
          "target": "cmdb_ci_win_server"
        },
        {
          "deviceFamily": "unix",
          "target": "cmdb_ci_unix_server"
        },
        {
          "deviceFamily": "vmware",
          "target": "cmdb_ci_vm_vmware"
        }
      ]
    },
    {
      "deviceCategory": [
        "SmartDevice",
        "Network Camera",
        "Access Points"
      ],
      "target": "cmdb_ci_netgear"
    },
    {
      "deviceCategory": "Printer",
      "target": "cmdb_ci_printer"
    },
    {
      "deviceCategory": "Switch",
      "target": "cmdb_ci_switch"
    }
  ],
  "cmdbAttributeMap": {},
  "enableSyncAll": false,
  "syncAllSchedule": "0 3 * * *",
  "syncPageSize": 500,
  "syncUpdatedOnly": true,
  "syncAllOnStart": false,
  "enableEndpointPush": false,
  "endpointPushSchedule": "0 3 * * *",
  "endpointPushPageSize": 100,
  "endpointPushRequireInsight": true,
  "asyncOperationLimit": 3,
  "bypassProxy": false,
  "enableStats": false,
  "statsUsername": "",
  "statsPassword": "********"
}
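The filter rules and key names above lend themselves to a pre-deployment check. The following is an added example, not part of the guide or of the extension: a small Python linter that applies the Allowlist/Denylist rule, the two status value tables and the key names of Figure 12 to a configuration before it is pasted into ClearPass. The function names, the findings wording and the sample input are assumptions made for illustration.

```python
import json

# Key names as shown on this page (Figure 12 plus the logLevel example).
# Assumption: other extension versions may define more; extend as needed.
KNOWN_KEYS = {
    "logLevel", "verifySSLCerts", "serviceNowUri", "serviceNowUser",
    "serviceNowPassword", "serviceNowOperationalStatus",
    "serviceNowInstallStatus", "serviceNowSysClassAllow",
    "serviceNowSysClassDeny", "macAddressSeparator", "enableEndpointCache",
    "endpointCacheTimeSeconds", "enableQueue", "queueSchedule",
    "queueRequireIdentity", "queueRequireInsight", "queueRetryCount",
    "cmdbDiscoverySourceName", "cmdbDefaultTarget", "cmdbTargetMap",
    "cmdbAttributeMap", "enableSyncAll", "syncAllSchedule", "syncPageSize",
    "syncUpdatedOnly", "syncAllOnStart", "enableEndpointPush",
    "endpointPushSchedule", "endpointPushPageSize",
    "endpointPushRequireInsight", "asyncOperationLimit", "bypassProxy",
    "enableStats", "statsUsername", "statsPassword", "cppmUserName",
    "cppmPassword",
}
# Filter values from the Operational Status / Install Status tables;
# the empty string means the filter is not applied.
STATUS_VALUES = {
    "serviceNowOperationalStatus": {"", "1", "2", "3", "4", "5", "6"},
    "serviceNowInstallStatus": {"", "1", "2", "3", "4", "5", "6", "7", "8", "100"},
}
SCHEDULE_KEYS = ("queueSchedule", "syncAllSchedule", "endpointPushSchedule")


def lint_config(cfg):
    """Return a list of findings for one parsed configuration object."""
    findings = [f"unknown key {k!r} (possible typo)"
                for k in sorted(set(cfg) - KNOWN_KEYS)]
    if cfg.get("serviceNowSysClassAllow") and cfg.get("serviceNowSysClassDeny"):
        findings.append("Allowlist and Denylist are both set; apply only one")
    for key, allowed in STATUS_VALUES.items():
        value = cfg.get(key, "")
        # The page shows single string values only; anything else is reported.
        if not isinstance(value, str) or value not in allowed:
            findings.append(f"{key}={value!r} is not in the value table")
    # Assumption from the key name: false turns off TLS certificate checks.
    if cfg.get("verifySSLCerts", True) is not True:
        findings.append("verifySSLCerts is not true")
    for key in SCHEDULE_KEYS:
        value = cfg.get(key)
        # Shape check only: 5 fields (cron examples) or 6 (queueSchedule default).
        if value is not None and (
                not isinstance(value, str) or len(value.split()) not in (5, 6)):
            findings.append(f"{key}={value!r} is not a 5- or 6-field schedule")
    return findings


def lint_text(text):
    """Parse configuration text and lint it; malformed JSON is a finding."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON (line {exc.lineno}, column {exc.colno}): {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["top level must be a JSON object"]
    return lint_config(cfg)


# Constructed sample with five problems the linter should report.
SAMPLE_BAD = """{
  "verifySSLCerts": false,
  "serviceNowInstallStatus": "9",
  "serviceNowSysClassAllow": "cmdb_ci_computer_list,cmdb_ci_printer_list",
  "serviceNowSysClassDeny": "cmdb_ci_ups_alarm",
  "enableEndpointPushSchedule": "0 3 * * *",
  "syncAllSchedule": "0 3 * *"
}"""

if __name__ == "__main__":
    for finding in lint_text(SAMPLE_BAD):
        print("FINDING:", finding)
```

The schedule check only counts fields, because the guide describes the scheduler as a modified cron without giving its full grammar.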


Using ClearPass Policy Manager with ServiceNow
Following the deployment and configuration of the ClearPass Extension, there are several options for how to
integrate with ServiceNow.

Endpoint ingestion from ServiceNow CMDB

Set enableSyncAll to turn on ingest polling, and confirm that ingest works in conjunction with
syncAllSchedule (cron-based scheduling). All data is written to the endpoint; if the endpoint does
not already exist, it is created and the endpoint attributes are added. Confirm that the scheduling engine
works by testing that it can be scheduled as expected, e.g. one-hour repeat runs and daily repeats are also
to be tested in this use case.

Use syncPageSize to adjust the size of the returned body; start with 100 records and then try
perhaps 20.

Use syncUpdatedOnly to have the ingest process pull only updated (delta) changes. To test this, make
changes to endpoints in the CMDB tenant and check that only those records with changed
records/attributes are retrieved (based upon the last update).

Push endpoint attributes from ClearPass to ServiceNow

Use POST /push with a JSON body like the one below to determine what is sent in each field. Ensure the
mapping in the I&R matches.

{
  "mac": "000f7c0d5cd0",
  "ip": "",
  "device_category": "Network Camera",
  "device_family": "",
  "device_name": "",
  "Owner": "snowuser@hpe.com",
  "OS Version": "Unknown",
  ...
}

Push endpoint attributes from ClearPass to ServiceNow via push-queue

Use cmdbAttributeMap to send additional endpoint context to SNOW. By default, when available,
we send Device Category, Device Family and Device Name, but this setting allows you to send additional
endpoint attributes, for example MDM or EDR attributes. List them in the array like this: [ "Owner
Email", "OS Version" ]. Ensure, however, that they are mapped via the SNOW Identification and Reconciliation
engine (I&R) and that the proper mappings are made in the Aruba SNOW Application.

Set enableQueue to start the overall sending feature, then use queueSchedule to validate
scheduling and repetitive scheduling functions. Take use-case #2, then enable queueRequireIdentity and
validate that only data that exists inside endpointDb is sent. Next, to ensure we have profiling
information, enable queueRequireInsight to ensure the endpoint exists in InsightDb. To add an endpoint
to the push-queue, use the following.

Note: do not validate use of the GET /queue/:macAddress

When adding devices to the push queue, use a base URL of /queue with a JSON body. This takes the data
from CPPM using the cmdbAttributeMap configuration as well as Device Category, Device Family and
Device Name (when available and configured via InsightsDB configuration).

{ "mac": "000f7c0d5cd0" }

Sync endpoint database from ClearPass into ServiceNow

Use enableEndpointPush in conjunction with endpointPushSchedule to sync all of the CPPM endpoints into
the ServiceNow CMDB. Optionally, configure endpointPushPageSize for the endpoints being pushed into
ServiceNow.

For this use case, set the Extension config as required. In our example below we’ve set the schedule to run
every 2-hours, sync all endpoints when the extension starts/restarts and cache the results for 30 minutes;
adjust as necessary for your environment.

"enableEndpointPush": true,
"endpointPushSchedule": "0 3 * * *",
"endpointPushPageSize": 100,
"endpointPushRequireInsight": false

Extension API Endpoints
The ClearPass Policy Manager extension can call the ServiceNow APIs to trigger push and pull of the endpoint
data to and from ServiceNow. A push API example is shown below, but depending on the use case, different
APIs can be leveraged and added as part of the Context Server Action.

The configuration includes 3 steps on ClearPass Policy Manager.

1. Define Endpoint Context Server
2. Add Context Server Action
3. Create an Enforcement Profile to trigger the action

Create a Context-Server as shown below, pointing at the IP address of the extension. Ensure you configure this as http.

Figure 14: Context-Server definition

Next, configure a Context-Server-Action. Ensure you set the method as GET and that the base URL is correct:
/push/%{Connection:Client-Mac-Address-NoDelim}

Figure 35: Context-Server-Action to push MAC to ServiceNow

This triggers a MAC Address's information to be pushed to ServiceNow using the Identity and Insights
information in ClearPass. Only the identity attributes mapped in the cmdbAttributeMap configuration are sent
to ServiceNow. If available, the insights data of device_category, device_family, and device_name are
internally mapped to the properties CPPM-Device-Category, CPPM-Device-Family, and CPPM-Device-Name and
sent to ServiceNow.

This setting shares the use of the queueRequireIdentity and queueRequireInsight options to determine if
certain sets of information are required for sending to ServiceNow. If either of these options is set to true,
the corresponding set of data must be available in ClearPass for the data to be sent to ServiceNow.

This shares processes with the /queue processes, but runs immediately. If you need retry processes, use
the URL below.

Figure 16: Context-Server-Action to queue the MAC to be sent to ServiceNow

Enforcement Profile

The next step involves using the Context Server Action in the Enforcement Profile as below. The
Enforcement Profile to push an endpoint to ServiceNow is shown below:

Figure 17: Enforcement Profile to push endpoint to ServiceNow CSA

Sample extension logs of the queue process:

[2020-04-21T16:10:04.798] [INFO] ServiceNow v2 - The MAC Address A85B7853DCD1 was added to the queue.
[2020-04-21T16:12:00.048] [INFO] ServiceNow v2 - The next ServiceNow queue processor is set to run at Tue Apr 21 2020 16:14:00 GMT-0700 (PDT).
[2020-04-21T16:12:00.049] [INFO] ServiceNow v2 - Starting MAC Address queue processor with 1 items.
[2020-04-21T16:12:00.052] [DEBUG] ServiceNow v2 - Processing MAC Address A85B7853DCD1...
[2020-04-21T16:12:00.373] [DEBUG] ServiceNow v2 - Request "GET 'https://172.17.0.1/api/insight/endpoint/mac/a85b7853dcd1'" took 316 ms.
[2020-04-21T16:12:00.373] [DEBUG] ServiceNow v2 - A85B7853DCD1: Insight Response [object Object]
[2020-04-21T16:12:00.460] [DEBUG] ServiceNow v2 - Request "GET 'https://172.17.0.1/api/endpoint/mac-address/a85b7853dcd1'" took 404 ms.
[2020-04-21T16:12:00.461] [DEBUG] ServiceNow v2 - A85B7853DCD1: Identity Response [object Object]
[2020-04-21T16:12:00.463] [DEBUG] ServiceNow v2 - A85B7853DCD1: Mapped attributes {"OS Version":"iOS 12.4.4","CPPM-Device-Category":"SmartDevice","CPPM-Device-Family":"Apple","CPPM-Device-Name":"Apple iPhone"}
[2020-04-21T16:12:00.465] [INFO] ServiceNow v2 - MAC Address queue processor processed 0 devices and finished in 415 ms.
[2020-04-21T16:12:00.466] [INFO] ServiceNow v2 - The MAC Address queue processor has completed in 417 ms.
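The "Mapped attributes" DEBUG lines record which endpoint attributes the extension prepared for ServiceNow, which makes them usable for a data-minimisation review. The following is an added example, not part of the guide or of the extension: a Python audit that reads extension logs in the format above and reports attribute names that are not on an approved list. The approved list (standing in for your cmdbAttributeMap), the function name and the sample lines are assumptions; the sample is constructed, not taken from a real system.

```python
import json
import re

# "[timestamp] [LEVEL] source - message", as in the sample extension logs.
LINE_RE = re.compile(r"^\[[^\]]+\] \[[A-Z]+\] .*? - (?P<msg>.*)$")
QUEUED_RE = re.compile(
    r"^The MAC Address (?P<mac>[0-9A-Fa-f]{12}) was added to the queue\.$")
MAPPED_RE = re.compile(
    r"^(?P<mac>[0-9A-Fa-f]{12}): Mapped attributes (?P<body>\{.*\})$")

# Properties the guide says are sent by default when insight data exists.
DEFAULT_PROPERTIES = {
    "CPPM-Device-Category", "CPPM-Device-Family", "CPPM-Device-Name"}


def audit_exports(log_text, approved_attributes):
    """Report mapped attribute names that are not approved, per MAC address."""
    allowed = DEFAULT_PROPERTIES | set(approved_attributes)
    queued, mapped, unexpected = set(), set(), {}
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # wrapped or foreign line
        msg = line.group("msg")
        hit = QUEUED_RE.match(msg)
        if hit:
            queued.add(hit.group("mac").upper())
            continue
        hit = MAPPED_RE.match(msg)
        if not hit:
            continue
        mac = hit.group("mac").upper()
        mapped.add(mac)
        try:
            names = set(json.loads(hit.group("body")))
        except json.JSONDecodeError:
            names = {"<unparseable attribute list>"}
        extra = names - allowed
        if extra:
            unexpected.setdefault(mac, set()).update(extra)
    return {
        "unexpected": {m: sorted(v) for m, v in sorted(unexpected.items())},
        # Queued but no "Mapped attributes" line seen: not yet processed,
        # skipped for missing identity/insight data, or logLevel was not DEBUG.
        "queued_never_mapped": sorted(queued - mapped),
    }


# Constructed sample lines modelled on the log format shown on this page.
SAMPLE_LOG = """[2024-01-10T09:00:04.100] [INFO] ServiceNow v2 - The MAC Address 001122334455 was added to the queue.
[2024-01-10T09:00:05.200] [INFO] ServiceNow v2 - The MAC Address 66778899AABB was added to the queue.
[2024-01-10T09:02:00.050] [DEBUG] ServiceNow v2 - Processing MAC Address 001122334455...
[2024-01-10T09:02:00.460] [DEBUG] ServiceNow v2 - 001122334455: Mapped attributes {"OS Version":"iOS 12.4.4","Owner Email":"user@example.com","CPPM-Device-Category":"SmartDevice"}
[2024-01-10T09:02:00.470] [INFO] ServiceNow v2 - MAC Address queue processor processed 1 devices and finished in 420 ms.
"""

if __name__ == "__main__":
    print(json.dumps(audit_exports(SAMPLE_LOG, {"OS Version"}), indent=2))
```

Because the mapped attributes appear only at DEBUG level in the sample above, the audit is meaningful only for periods when logLevel was set to DEBUG.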

The details of the remaining extension API endpoints are listed below:

URL: GET /:macAddress
Description: Making a get request to the extension with a MAC Address in the URL will return the details for
the CMDB device in ServiceNow. If enableEndpointCache is true, the data may be cached for the duration of
endpointCacheTimeMinutes.
The attribute "Found In SNOW" should always be returned by the API and will be true or false.
From ServiceNow, the cmdb_ci parent table as well as the asset, location, owned_by, cpu_manufacturer,
assigned_to, company and department information will be returned and prefixed with the cmdb_ci reference
field name followed by the column name (e.g. asset.display_name is the data from joined cmdb_ci.asset).
Example Data: GET /000f7c0d5cd0
{refer to appendix A for the data retrieved from ServiceNow}

URL: GET /push/:macAddress
Description: This triggers a MAC Address's information to be pushed to ServiceNow using the Identity and
Insights information in ClearPass. Only the identity attributes mapped in the attributeMap configuration are
sent to ServiceNow. If available, the insights data of device_category, device_family, and device_name are
internally mapped to the properties CPPM-Device-Category, CPPM-Device-Family, and CPPM-Device-Name and sent
to ServiceNow.
This setting shares the use of the queueRequireIdentity and queueRequireInsights options to determine if
certain sets of information are required for sending to ServiceNow. If either of these options is set to
true, the corresponding set of data must be available in ClearPass for the data to be sent to ServiceNow.
This shares processes with the /queue processes, but runs immediately. If you need retry processes, etc. see
that method.
Example Data: GET /push/000f7c0d5cd0

URL: POST /push
Description: This process triggers a device send to ServiceNow using the data specified in the request body.
The request body should be a JSON object containing at least a MAC Address. This process does not use
internal endpoint lookup information and only sends the information supplied.
The properties mac, ip, device_category, device_family, device_name are internally mapped to the properties
CPPM-Device-Category, CPPM-Device-Family, and CPPM-Device-Name when being sent to ServiceNow.
The other properties included in the object should match to the attributeMAP configuration.
Example Data:
{
  "mac": "000f7c0d5cd0",
  "ip": "",
  "device_category": "Network Camera",
  "device_family": "",
  "device_name": "",
  "Owner": "user@hpe.com",
  "OS Version": "Unknown",
  ...
}

URL: POST /identifyreconcile
Description: This endpoint will send the body to the ServiceNow identifyreconcile API.
This simply relays the information posted to it, giving the user full control over what the I&R engine does.
More information can be found here,
https://docs.servicenow.com/bundle/paris-application-development/page/integrate/inbound-rest/concept/c_IdentifyReconcileAPI.html
Example Data:
{ "items": [ { "className": "cmdb_ci_computer", "internal_id": "comp",
  "values": { "mac_address": "01-01-01-01-01-01", "name": "Computer 2", "os": "Windows",
    "os_version": "10", "short_description": "Test Device" },
  "lookup": [ { "className": "cmdb_ci_network_adapter",
    "values": { "mac_address": "01-01-01-01-01-01", "install_status": 1 } } ] } ] }

URL: GET /queue/:macAddress
Description: Adds the specified MAC Address to the processing queue to be sent to ServiceNow. This queue
process runs based on the queueSchedule and will look up the endpoint's identity and insight information.
Only the identity attributes mapped in the attributesToSend configuration are sent to ServiceNow. If
available, the insights data of device_category, device_family, and device_name are internally mapped to the
properties CPPM-Device-Category, CPPM-Device-Family, and CPPM-Device-Name and sent to ServiceNow.
This setting uses the queueRequireIdentity and queueRequireInsight options to determine if certain sets of
information are required for sending to ServiceNow. If either of these options is set to true, the
corresponding set of data must be available in ClearPass for the data to be sent to ServiceNow.
Example Data: GET /queue/000f7c0d5cd0

URL: POST /queue
Description: Adds the specified MAC Address to the processing queue to be sent to ServiceNow. This queue
process runs based on the queueSchedule and will look up the endpoint’s identity and insight information.
Only the identity attributes mapped in the attributesToSend configuration are sent to ServiceNow. If
available, the insights data of device_category, device_family, and device_name are internally mapped to the
properties CPPM-Device-Category, CPPM-Device-Family, and CPPM-Device-Name and sent to ServiceNow.
This setting uses the queueRequireIdentity and queueRequireInsight options to determine if certain sets of
information are required for sending to ServiceNow. If either of these options is set to true, the
corresponding set of data must be available in ClearPass for the data to be sent to ServiceNow.
Example Data: { "mac": "000f7c0d5cd0" }

URL: GET /resetPullLastUpdate
Description: Resets the last updated date saved by the ServiceNow pull process when the
serviceNowPullUpdatedOnly configuration option is true.

Appendix A – Sample data from ServiceNow

Following is the sample list of the default attributes fetched from ServiceNow using the default policy.

{
"source": "SNOW",
"network.skip_sync": "0",
"network.operational_status": "1",
"network.sys_updated_on": "2019-04-06 00:17:51",
"network.first_discovered": "2019-04-03 23:45:17",
"network.sys_created_on": "2019-04-03 23:45:17",
"network.dhcp_enabled": "0",
"network.install_status": "1",
"network.name": "NetworkAdapter@10.2.100.218",
"network.subcategory": "Network",
"network.virtual": "0",
"network.last_discovered": "2019-04-06 00:17:51",
"network.can_print": "0",
"network.sys_class_name": "cmdb_ci_network_adapter",
"network.sys_id": "b00ea29adb207f4061840bb6f496194a",
"network.netmask": "255.255.255.0",
"network.mac_address": "00-0f-7c-0d-5c-d0",
"network.monitor": "0",
"network.ip_address": "10.2.100.218",
"network.cost_cc": "USD",
"network.unverified": "0",
"network.category": "Hardware",
"network.fault_count": "0",
"cmdb_ci.can_switch": "0",
"cmdb_ci.skip_sync": "0",
"cmdb_ci.operational_status": "1",
"cmdb_ci.device_type": "Network Camera",
"cmdb_ci.sys_updated_on": "2019-04-06 00:17:51",
"cmdb_ci.discovery_source": "ClearPass",
"cmdb_ci.first_discovered": "2019-04-03 23:45:17",
"cmdb_ci.sys_created_on": "2019-04-03 23:45:17",
"cmdb_ci.can_partitionvlans": "0",
"cmdb_ci.hardware_status": "installed",
"cmdb_ci.install_status": "1",
"cmdb_ci.subcategory": "Network",
"cmdb_ci.last_discovered": "2019-04-06 00:17:51",
"cmdb_ci.can_print": "0",
"cmdb_ci.sys_class_name": "cmdb_ci_netgear",
"cmdb_ci.can_hub": "0",
"cmdb_ci.cpu_count": "1",
"cmdb_ci.sys_id": "fc0ea25adb207f4061840bb6f4961923",
"cmdb_ci.mac_address": "00-0f-7c-0d-5c-d0",
"cmdb_ci.can_route": "0",
"cmdb_ci.monitor": "0",
"cmdb_ci.ip_address": "10.2.100.218",
"cmdb_ci.cost_cc": "USD",
"cmdb_ci.unverified": "0",
"asset.skip_sync": "0",
"asset.residual": "0",
"asset.sys_updated_on": "2019-04-03 23:45:17",
"asset.sys_created_on": "2019-04-03 23:45:17",
"asset.depreciated_amount": "0",
"asset.pre_allocated": "0",
"asset.display_name": "Unknown",
"asset.install_status": "1",
"asset.sys_class_name": "alm_hardware",
"asset.sys_id": "f40ea25adb207f4061840bb6f4961924",
"asset.resale_price": "0",
"asset.cost": "0",

"asset.quantity": "1",
"asset.active_to": "0",
"asset.salvage_value": "0",
"cmdb_ci.category": "Hardware",
"cmdb_ci.fault_count": "0",
"SNOW Last Update": "2019-04-06T00:18:57.201Z",
"Found In SNOW": true
}

Appendix B – Additional Diagnostics and Support

Checking on the Extension Service


The ClearPass Extensions are supported by a new system service added in 6.6. This service must be running.

Note: Restarting this service will affect all deployed and running extensions.

To check on the state of the Extension Service, or to restart the service, go to Administration > Server
Manager > Server Configuration > [SERVER] > Service Control. By default this service is automatically
started.

Figure 18: Services Control

Extension Logs/Debugging
If you have a requirement to access and view the logs from the Extension, you can view or amend the
logging level directly inside the extension configuration. It’s just a matter of updating the configuration and
restarting the extension. For example, the configuration below sets the logLevel to DEBUG.

{
"logLevel": "DEBUG",

"cppmUserName": "extension",
"cppmPassword": "********"
}

Accessing the extension logs using ‘Collect Logs’ system function
In addition to viewing the logs as shown above, logs can also be collected and examined via the Policy
Manager Collect Logs system function (Administration > Server Manager > Server Configuration >
[Select SERVER] > Collect Logs). This is useful should you have a need to call for technical assistance.

If the support team needs to investigate a system issue, one of the items they regularly ask for is the system
logs to aid with their diagnostic investigation. By default the “logLevel” is set to INFO, but TRACE, DEBUG,
INFO, WARN, ERROR, FATAL can also be set as required. Locate the running extension-Id as in the below
graphic.

After the logs have been collected, downloaded and expanded, you can locate the extension logs in the
following location in the folder structure PolicyManagerLogs > extension > <your-extension-id>

Figure 19: Locating the Extension logs from 'Collect Logs' diagnostic GZ file

Monitoring extension statistics

The extension’s critical statistics can be monitored through a configurable parameter in the
extension’s configuration. To enable extension statistics, set the “enableStats” parameter to true.

To navigate to the statistics page, click Show Details.

Figure 4: Show Extension Details

Open extension statistics URL:

Figure 5: Show Extension Statistics URL

This will show statistics similar to the following:

Figure 6: Extension Statistics
