
This weekend I worked on a way to get ServiceNow to easily talk to an OpsCode Chef Server using the Chef Server REST-based API. The REST API looks innocent enough at first. However, upon further inspection, we found out that the authentication mechanism involves some pretty serious SHA digesting of HTTP headers as well as signing several headers with a private key using the RSA algorithm. After a little research on finding out all of the parts that needed to be signed and digested, I developed some instructions and a Script Include library that should kick-start anyone else hoping to do an integration between ServiceNow and Chef.

Storing the key in ServiceNow

When you create a client record or user within Chef, it will generate a private and public key for you. In order to use the API, you must save the private key to a file. The private key is in PEM format. For us to use it with my library in ServiceNow, we need to save the file in DER format and attach it to a certificate record.

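To convert the PEM private key file to DER format, use the following openssl command (the -nocrypt option writes the PKCS#8 output unencrypted, so protect the DER file the same way as the PEM):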

openssl pkcs8 -topk8 -in {PEM_FILE} -inform PEM -out {DESIRED_OUTPUT_FILE_NAME} -outform DER -nocrypt

In this example, I took admin.pem and created admin.der:

openssl pkcs8 -topk8 -inform PEM -outform DER -in admin.pem -out admin.der -nocrypt

Now we need to store the file in ServiceNow. To do this, we are going to browse to System Definition > Certificates.

Click New.

Set the following values on the record:

  • Name: ChefPrivateKey
  • Type: Java Key Store

Please note, while we are creating a Key Store record, we are in fact storing a key instead, but ServiceNow doesn’t differentiate at this point, so there is no harm done.

Now attach your DER key file to this record by clicking on the attachment icon and uploading the file.

Right-click on the title bar of the Certificate record and click Save.

Now get the sys_id of this certificate record by clicking on the title bar of the record and clicking Copy sys_id.

Copy the sys_id.

Now, create a system property named: com.snc.integration.chef.privateKeySysId

Paste the sys_id you copied earlier into the value field of your system property that you created.

Set up Server and Client Properties

The library will call a couple of other system properties when it makes its web service calls. For this to work, you will need to create the following properties:

Server URL
Name: com.snc.integration.chef.server
Value: YOUR_SERVER_URL
Don’t put a trailing slash on the Server URL.

Client Name
Name: com.snc.integration.chef.clientName
Value: YOUR_CLIENT_OR_USER_ID
This client name or user id must match the private key that we stored in the instance.

Install the Script Include

Browse to System Definition > Script Includes

Click New

Set the Name to be “ChefHelper”.

Then copy and paste the following script into the Script field:

Using the script

With this library, you should not have to build the REST Message record for the API. The library should automatically detect whether the REST Message record is set up. If it is not, it will create it for you and leverage it automatically.

To use this library, simply tailor the following example to your needs:

//
//Get a list of Clients on the Chef Server
//
var c = new ChefHelper();
var endpoint = "/clients";
var body = "";
var res = c.sendRESTRequest("GET", endpoint, body);
gs.log(res);
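
For reference, this is the header digesting and RSA signing that a request like the one above needs under the Chef Server API signing protocol version 1.0. It is an added Node.js example, not the ChefHelper Script Include from this post; the names chefAuthHeaders and sha1b64 are hypothetical, and a throwaway key pair generated in the script stands in for admin.pem.

```javascript
// Added example (Node.js); not the ChefHelper Script Include.
const crypto = require('crypto');

// base64(SHA-1(data)): the digest form protocol 1.0 uses for path and body.
function sha1b64(data) {
  return crypto.createHash('sha1').update(data, 'utf8').digest('base64');
}

// Hypothetical helper: builds the X-Ops-* headers for one request.
function chefAuthHeaders(method, path, body, clientName, privateKey, now) {
  // Timestamp is UTC ISO-8601 without milliseconds.
  const timestamp = now.toISOString().replace(/\.\d{3}Z$/, 'Z');
  // Hash the path only: drop the query string, collapse "//", trim a trailing "/".
  const canonPath = path.split('?')[0].replace(/\/+/g, '/').replace(/(.)\/$/, '$1');
  const contentHash = sha1b64(body);
  const canonical = [
    'Method:' + method.toUpperCase(),
    'Hashed Path:' + sha1b64(canonPath),
    'X-Ops-Content-Hash:' + contentHash,
    'X-Ops-Timestamp:' + timestamp,
    'X-Ops-UserId:' + clientName
  ].join('\n');
  // RSA private-key operation with PKCS#1 v1.5 padding over the raw string.
  const signature = crypto.privateEncrypt(
    { key: privateKey, padding: crypto.constants.RSA_PKCS1_PADDING },
    Buffer.from(canonical, 'utf8')).toString('base64');
  const headers = {
    'X-Ops-Sign': 'algorithm=sha1;version=1.0;',
    'X-Ops-UserId': clientName,
    'X-Ops-Timestamp': timestamp,
    'X-Ops-Content-Hash': contentHash
  };
  // The base64 signature is split into 60-character header lines.
  signature.match(/.{1,60}/g).forEach(function (chunk, i) {
    headers['X-Ops-Authorization-' + (i + 1)] = chunk;
  });
  return { headers: headers, canonical: canonical };
}

// Constructed demo input: a throwaway key pair stands in for admin.pem.
const demoKeys = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const demo = chefAuthHeaders('GET', '/clients', '', 'admin',
  demoKeys.privateKey, new Date(Date.UTC(2024, 0, 1, 12, 0, 0)));
console.log(demo.headers);
```

The server checks the timestamp as well as the signature, so clock drift between the instance and the Chef Server shows up as an authentication failure even when the key is correct.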