INSTALLATION and TEST - IBM/ServiceNow-Guardium-Vulnerability-Assessment GitHub Wiki

IBM Guardium Data Protection app in ServiceNow

Requirements

IBM Guardium

  • IBM Guardium version 12.x, 11.5 + Patch 525, or 11.4 + Patch 441 (available in August 2022).
    • Patch v11.4-460 (or greater) adds ability to query the Central Manager for version information.
    • Patch v11.5-525 (or greater) contains several performance fixes.
  • IBM Guardium "service" user with the Guardium vulnerability-access role (or the Guardium admin role) so that the ServiceNow app can use the Guardium REST API to import data
  • (Optional) Apply the vulnerability-access role to all existing Guardium data sources so that the ServiceNow app can update and delete existing data sources when the ServiceNow CMDB changes

ServiceNow




Installation Instructions


Create a user with "MID Server" role

  • When you install the MID server, you will need a ServiceNow user and password
  • System Security > Users > New
  • Fill in details then click the context menu (three bars) and click button Save
  • After saving the user, edit roles, apply "mid_server" role, save
  • Set a password
  • Log out and log back in as the MID server user to update and change the password
  • ServiceNow MID server user setup


Install ServiceNow MID server (to be able to communicate with Guardium CM)


Install ServiceNow Vulnerability Response module

  • System Applications > ServiceNow Products > Security Operations > Vulnerability Response
  • Manage
  • Install/Update All (4)

Install ServiceNow Vulnerability Response Integration with NVD

  • System Applications > All Available Applications > All
  • Search for "NVD"
  • Install "Vulnerability Response Integration with NVD"


Run ServiceNow Vulnerability Response Integration with NVD

  • Vulnerability Response > Administration > Integrations
  • Open "NIST National Vulnerability Database Integration - API (CVE and CPE)"
  • Click button Execute Now
  • This will import all known CVE, CWE, and CPE entries for use in vulnerability risk assessment
  • NOTE: if you only see "NIST National Vulnerability Database Integration - API (CVE)", open and execute that


(Optional) Install ServiceNow Configuration Compliance module

  • System Applications > ServiceNow Products > Security Operations > Configuration Compliance
  • Manage
  • Install/Update All (4)


Install IBM Guardium module


Install ServiceNow certified store app

  • This is free to install on your paid ServiceNow instance
    • Go to System Applications > All Available Applications > All
    • Search for Guardium
    • Click button Install
  • If installing on a personal developer instance
    • Go to System Applications > All Available Applications > Available To Obtain From Store
    • Search for Guardium
    • Open IBM Guardium app
    • Click button Request install
    • A notification will be sent to IBM, IBM will approve your PDI, and you will be able to install on your PDI
    • You may need to log out and log back in to ServiceNow to see Get or Install button instead of Request install

Install ServiceNow Update Set onto your non-production instance

  • ONLY DO THIS IF NOT INSTALLING THE CERTIFIED APP ABOVE !!
  • Download the latest stable Update Set
  • Login to your ServiceNow personal developer instance
  • Navigate to System Update Sets > Retrieved Update Sets > Import Update Set from XML
  • Browse > Select the "Update Set" XML file > Upload
  • Open the IBM Guardium Data Protection entry
  • Click link Preview Update Set
  • Approve errors by selecting all problems and clicking Actions on selected rows > Accept remote update
  • When there are no more problems, click "Commit Update Set"
  • Click button Close when complete
  • Verify that the IBM Guardium menu has been added to the Navigation Menu by typing "Guardium" in the navigation menu
  • Run Fix Scripts
    • ServiceNow > System Definition > Fix Scripts
    • Open filter and set to: Name | contains | Guardium
    • Run the filter
    • Open and run both scripts. Order does not matter.
    • These scripts are run automatically if you install the certified app

SSL Certificates

Create Self-Signed Certificate

It is always best to use a certificate signed by a certification authority that Java already trusts. If cost is an issue, the script below generates a self-signed certificate instead.

The certificate Common Name value must be equivalent to the fully qualified host name.

  • Below is a bash script that generates a self-signed certificate and private key valid for 10 years. Change the -subj value to suit your needs.
  • Run it on any Mac, Linux, or Unix machine, or in a Cygwin interpreter on Windows
  • Open a command window and run the script like this (use your central manager host value): bash ./gen-cert.sh my.central.manager.com
#!/bin/bash
# gen-cert.sh - generate a self-signed certificate and private key for a Guardium Central Manager
# Usage: bash ./gen-cert.sh my.central.manager.com

FQDN=$(echo "${1}" | xargs)
HOSTNAME=$(echo "${FQDN}" | cut -d"." -f1)
if [ "$HOSTNAME" = "" ] || [ "$HOSTNAME" = "$FQDN" ]; then
    echo "ERROR: must provide fully qualified host name like: my.host.com"
    exit 1
fi

echo "Generating certificate for: ${FQDN}"
# Create a 2048-bit RSA private key and a certificate signing request.
# The CN must be the fully qualified host name; the organization attribute is O= (not ORG=).
openssl req -batch -newkey rsa:2048 -nodes -subj "/C=US/ST=MA/L=Boston/O=IBM/OU=Guardium/CN=${FQDN}/emailAddress=${HOSTNAME}@mailinator.com" -keyout "${HOSTNAME}.key" -out "${HOSTNAME}.csr"
# Self-sign the request with the same key, valid for 10 years
openssl x509 -signkey "${HOSTNAME}.key" -in "${HOSTNAME}.csr" -req -days 3650 -out "${HOSTNAME}.crt"

echo " "
echo "Private Key - for prompt: private key"
cat "${HOSTNAME}.key"

echo " "
echo "Public Certificate - for prompts: End-Entity and Trusted"
cat "${HOSTNAME}.crt"

Replace Guardium Central Manager Certificate

  • If the certificate Common Name value is not equivalent to the fully qualified host name, you must replace the Guardium certificate with a valid SSL certificate like one generated by the script above

To replace the Guardium certificate

  • Copy and paste information echoed by the above script into this Guardium CLI command
store certificate gui console
  • After completing, Guardium GUI will restart to use the new SSL certificate

Trust Guardium Central Manager, if using MID server

  • Java does not trust self-signed certificates by default
  • You must add a self-signed certificate to the ServiceNow MID server Java keystore to build trust
  • SSH onto the MID server and run these commands, again using my.central.manager.com as an example:
# cd to the MID server agent folder
cd /path/to/mid_server/agent

# fetch the certificate that Guardium presents on its HTTPS port and save it as a PEM file
# (-servername sends the host name via SNI; stderr is discarded to keep only the PEM output)
echo -n | openssl s_client -connect my.central.manager.com:8443 -servername my.central.manager.com 2>/dev/null | openssl x509 > ./my-central-manager.crt

# import that public certificate into the MID server's bundled Java keystore
# (keytool prompts for the keystore password and asks you to confirm that the certificate is trusted)
keytool -import -alias "my-central-manager" -file "./my-central-manager.crt" -keystore ./jre/lib/security/cacerts

# restart the MID server afterwards: the JVM reads the keystore only at startup
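Before replacing the Guardium certificate or importing it into the MID server keystore, it is worth confirming that the certificate you have in hand actually satisfies the requirement stated above: its Common Name must equal the fully qualified host name the MID server will connect to, and it must not already be expired. The following script is an added example, not part of the wiki or of the IBM app; the function and file names (check_cert_cn, my-central-manager.crt) are assumptions, and it works on any PEM certificate file, whether produced by gen-cert.sh or saved by the openssl s_client command in the MID server steps.

```shell
#!/bin/bash
# check_cert_cn.sh - added example (not from the wiki): verify that a PEM certificate's
# Common Name matches the Guardium Central Manager FQDN and that it has not expired.
# Usage: bash check_cert_cn.sh ./my-central-manager.crt my.central.manager.com
# Exit status: 0 = CN matches and certificate is valid, 1 = mismatch or expired, 2 = unusable input

cert_cn() {
    # Print the CN attribute of the certificate subject. RFC 2253 output is a
    # comma-separated list with no padding, so the CN value runs up to the next comma.
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

lower() {
    # DNS names are case-insensitive, so compare them in lower case
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

check_cert_cn() {
    local cert="$1" fqdn="$2" cn
    if [ ! -r "$cert" ]; then
        echo "ERROR: cannot read certificate file: $cert" >&2
        return 2
    fi
    cn=$(cert_cn "$cert")
    if [ -z "$cn" ]; then
        echo "ERROR: no CN found in the subject of $cert" >&2
        return 2
    fi
    if [ "$(lower "$cn")" != "$(lower "$fqdn")" ]; then
        echo "MISMATCH: certificate CN '$cn' != host '$fqdn'; replace the Guardium certificate" >&2
        return 1
    fi
    # -checkend 0 exits non-zero when the certificate is already past its notAfter date
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "EXPIRED: certificate $cert is past its notAfter date" >&2
        return 1
    fi
    echo "OK: CN '$cn' matches '$fqdn' and the certificate is still valid"
    return 0
}

# Run the check only when invoked directly with two arguments; sourcing the file just defines the functions
case "$0" in
    *check_cert_cn.sh) [ $# -ge 2 ] && check_cert_cn "$1" "$2" ;;
esac
```

A non-zero exit from the script means the certificate would fail Java host name verification on the MID server even after it is imported into the keystore, so run it against the file saved by the openssl s_client command before the keytool import.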

Set (Optional) ServiceNow System-wide Properties


Synchronization

Configure the Guardium Central Manager:

  • Do this first! Be sure the IBM Guardium SSL certificate is trusted. Follow instructions here
  • The authenticated ServiceNow user must have ServiceNow roles: x_ibmrt_gdpva.admin (IBM Guardium), agent_admin (MID server)
  • Optional ServiceNow roles: itil, sn_vul.admin, sn_vulc.admin
  • Create a new IBM Guardium Security > Central Manager record - Fill in name, host, client ID, client secret, user, password, and MID server fields
  • Open the new Central Manager record and click link Validate configuration (or Verify configuration for v1.3.19 and above)


To begin synchronization:

  • Open IBM Guardium Security > Data Import > Integrations > Daily Import
  • Click button Execute Now

Testing

IBM Guardium (user) Service Account

  • Create a Guardium user that ServiceNow can use to communicate with Guardium over REST-API. The Guardium user must have role: vulnerability-assess or admin.
  • You may wish to apply vulnerability-access role to all existing Guardium data sources. This allows the ServiceNow plug-in access to update and delete existing data sources.

ServiceNow Users

  • The ServiceNow user you use to configure IBM Guardium must have these roles applied: x_ibmrt_gdpva.admin and agent_admin (or admin)
  • You may also wish to apply the roles needed for the CMDB, Vulnerability Response, and Configuration Compliance modules (sn_vul.admin, sn_vulc.admin, itil)
  • Verify ServiceNow can communicate with a Guardium central manager or stand-alone machine by examining the IBM Guardium Security > Application Log
  • Verify that Guardium data sources, vulnerability tests, and test results are all imported from Guardium into ServiceNow (this may take a few hours depending on the number of test results; you can minimize the number of days imported from IBM Guardium Security > Settings)
  • As x_ibmrt_gdpva.admin, verify that an assessment test can be started from ServiceNow UI

Licensing

Project License

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
