This weekend I worked on a way to get ServiceNow to easily talk to an OpsCode Chef Server using the Chef Server REST based API. The REST API looks innocent enough at first. However, upon further inspection, we found out that the Authentication mechanism involves some pretty serious SHA Digesting of HTTP Headers as well as signing several headers with a Private Key using the RSA algorithm. After a little research on finding out all of the parts that needed signed and digested, I developed some instructions and a Script Include library that should kick start anyone else hoping to do an integration between ServiceNow and Chef.

Storing the key in ServiceNow

When you create a client record or user within Chef, it will generate a private and public key for you. In order to use the API, you must save the private key to a file. The private key is in PEM format. For us to use it with my library in ServiceNow, we need to save the file in DER format and attach it to a certificate record.

To convert the PEM private key file to DER format, simply use the following openssl command:

openssl pkcs8 -topk8 -in {PEM_FILE} -inform PEM -out {DESIRED_OUTPUT_FILE_NAME} -outform DER -nocrypt

In this example, I took admin.pem and created admin.der:

openssl pkcs8 -topk8 -inform PEM -outform DER -in admin.pem -out admin.der -nocrypt

Now we need to store the file in ServiceNow. To do this, we are going to browse to System Definition > Certificates.

Click New.

Set the following values on the record:

Name: ChefPrivateKey
Type: Java Key Store

Please note, while we are creating a Key Store record, we are in fact storing a key instead, but ServiceNow doesn’t differentiate at this point, so there is no harm done.

Now attach your DER key file to this record by clicking on the attachment icon and uploading the file.

Right click on the title bar of the Certificate record and click Save

Now get the sys_id to this certificate record by clicking on the title bar of the record and click on Copy sys_id.

Copy the sys_id.

Now, create a system property named: com.snc.integration.chef.privateKeySysId

Paste the sys_id you copied earlier into the value field of your system property that you created.

Set up Server and Client Properties

The library will call a couple of other system properties when it makes its web service calls. For this you work, you will need to create the following properties:

Server URL
Name: com.snc.integration.chef.server
Value: YOUR_SERVER_URL
Don’t put a trailing slash on the Server URL.

Client Name
Name: com.snc.integration.chef.clientName
Value: YOUR_CLIENT_OR_USER_ID
This client name or user id must match the private key that we stored in the instance.

Install the Script Include

Browse to System Definition > Script Includes

Click New

Set the Name to be “ChefHelper”.

Then copy and paste the following script into the Script field:

/** * Helper class for Chef Server API calls * @class */ var ChefHelper = Class.create(); /** * @lends ChefHelper# */ ChefHelper.prototype = { /** * Creates an instance of ChefHelper */ initialize: function() { this._setupRestMessageRecord(); }, /** * Take a string object and encrypt it using a binary SHA1 Digest * and then encode it with base64 encoding with a specified line length. * * @param {string} subject The string that will be digested and then encoded * @return {JavaString} the resulting string */ sha1DigestAndEncode: function( subject ){ var MessageDigest = Packages.java.security.MessageDigest; var String = Packages.java.lang.String; var Base64 = Packages.org.apache.commons.codec.binary.Base64; var sha1 = MessageDigest.getInstance("SHA1"); sha1 = sha1.clone(); subject = new String(subject); gs.log("subject to Encode: " + subject); var encryptedRaw = sha1.digest(subject.getBytes()); var encoded = Base64.encodeBase64(encryptedRaw); var enc = new String(encoded, "UTF-8"); gs.log("enc: " + enc); return enc; }, /** * Returns the current date/time in ISO format YYYY-MM-DDTHH:MM:SSZ * * @function * @return {JavaString} the formatted timestamp */ getDateTimeNowISOFormat: function(){ var SimpleDateFormat = Packages.java.text.SimpleDateFormat; var Date = Packages.java.util.Date; var TimeZone = Packages.java.util.TimeZone; var df = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss"); df.setTimeZone(TimeZone.getTimeZone("GMT")); return df.format(new Date())+"Z"; }, /** * Alternative string signing method that requires the private key to exist in a Java Keystore * Not likely to be used much since Chef gives you only the private key PEM. You would have to * generate your own certificate and load both the key and certificate into the keystore. * * @function * @param {string} subject The string that will be signed * @param {string} keystoreRecordName The name of the certificate record of the Java Keystore * @param {string} alias The alias to use inside the keystore * @param {string} ksPassword the password for the keystore * * @return {JavaString} the signature of the signed string */ signStringAlt: function(subject, keystoreRecordName, alias, ksPassword){ gs.log("Signing: " + subject); gs.log("Getting KeyStore Record: " + keystoreRecordName); var Signature = Packages.java.security.Signature; var Base64 = Packages.org.apache.commons.codec.binary.Base64; var dbk = new DBKeyStore(); dbk.loadByName(keystoreRecordName); var key = dbk.getKey(alias, ksPassword); var pem = dbk.getKeyPEM(alias, ksPassword); var subject = new Packages.java.lang.String(subject); var sigInst = Signature.getInstance("NONEwithRSA"); sigInst.initSign(key); sigInst['update(byte[])'](subject.getBytes()); var sig = sigInst.sign(); var encoded = Base64.encodeBase64String(sig); gs.log("encoded: " + encoded); //Break into 60 character chunks var enc = encoded.match(/.{1,60}/g); return enc; }, /** * String signing method that requires the private key to exist as an attachment * in DER format to a sys_certificate record. There is no method for doing this OOB * in ServiceNow currently, but if you create an empty PEM certificate record, and * attached the DER key file to that record, it will give you warning messages in the UI, * but the function will be able to read the file. You will need to set the * Property: com.snc.integration.chef.privateKeySysId to contain the sys_id of the * sys_certificate record that has this attachment. * * @function * @param {string} subject The string that will be signed * * @return {JavaString} the signature of the signed string */ signString: function(subject){ gs.log("Signing: " + subject); var key = this._getPrivateKey(); var Signature = Packages.java.security.Signature; var Base64 = Packages.org.apache.commons.codec.binary.Base64; var subject = new Packages.java.lang.String(subject); var sigInst = Signature.getInstance("NONEwithRSA"); sigInst.initSign(key); sigInst['update(byte[])'](subject.getBytes()); var sig = sigInst.sign(); var encoded = Base64.encodeBase64String(sig); gs.log("encoded: " + encoded); //Break into 60 character chunks var enc = encoded.match(/.{1,60}/g); return enc; }, _getPrivateKey: function(){ var BufferedInputStream = Packages.java.io.BufferedInputStream; var KeyFactory = Packages.java.security.KeyFactory; var PKCS8EncodedKeySpec = Packages.java.security.spec.PKCS8EncodedKeySpec; var SysAttachment = Packages.com.glide.ui.SysAttachment; var certID = gs.getProperty("com.snc.integration.chef.privateKeySysId"); var sa = new SysAttachment(); var privKeyBytes = sa.getBytes("sys_certificate", certID); var keyFactory = KeyFactory.getInstance("RSA"); var ks = new PKCS8EncodedKeySpec(privKeyBytes); var privKey = keyFactory.generatePrivate(ks); return privKey; }, /** * Signs the canonical request headers and breaks the signture up into * 60 character strings and sets them in the X-Ops-Authorization headers * * @private * @function * * @param {RestMessage} restMessage The RestMessage record being configured * @param {string} subject The canonical request headers to be signed */ _setAuthHeaders: function(restMessage, subject){ var parts = this.signString(subject); var counter = 1; for(var key in parts){ restMessage.setStringParameter("auth"+counter, parts[key]); counter++; } }, /** * Prepares the REST Message and submits the request * * @function * @param {string} method The REST method that will be used (eg. GET, POST, PUT, DELETE) * @param {string} endpoint The REST endpoint/resource to be used (eg. /clients) * @param {string} body The HTTP Request Body that will be submitted * * @return {JavaString} body of the HTTP Response */ sendRESTRequest: function(method, endpoint, body){ var clientName = gs.getProperty("com.snc.integration.chef.clientName"); method = method.toUpperCase(); var restMethod = method.toLowerCase(); var hashedPath = this.sha1DigestAndEncode(endpoint); var hashedBody = this.sha1DigestAndEncode(body); var timestamp = this.getDateTimeNowISOFormat(); var canonicalRequest = "Method:"+method+"\n"; canonicalRequest += "Hashed Path:"+hashedPath+"\n"; canonicalRequest += "X-Ops-Content-Hash:"+hashedBody+"\n"; canonicalRequest += "X-Ops-Timestamp:"+timestamp+"\n"; canonicalRequest += "X-Ops-UserId:"+clientName; var r = new RESTMessage('ChefAPI', restMethod); r.setStringParameter('chefServer', gs.getProperty("com.snc.integration.chef.server")); r.setStringParameter('endpoint', endpoint); r.setStringParameter('timestamp', timestamp); r.setStringParameter('clientName', clientName); r.setStringParameter('hashedPath', hashedPath); r.setStringParameter('hashedBody', hashedBody); r.setStringParameter('body', body); this._setAuthHeaders(r, canonicalRequest); var response = r.execute(); //gs.log(response.getBody()); //gs.log(response.getHeaders()); return response.getBody(); }, /** * If a RESTMessage record does not exist for the Chef Server, * this function will create it. * @private */ _setupRestMessageRecord: function(){ var gr = new GlideRecord("sys_rest_message"); gr.addQuery("name", "ChefAPI"); gr.query(); gs.log("Looking for ChefAPI Rest Message"); if(!gr.next()){ gs.log("Did not find ChefAPI Rest Message...creating it"); gr.initialize(); gr.name="ChefAPI"; gr.rest_endpoint = "${chefServer}${endpoint}"; gr.insert(); var funcs = ['get','post','put','delete']; for(var key in funcs){ var fn = new GlideRecord("sys_rest_message_fn"); fn.addQuery("function_name", funcs[key]); fn.addQuery("rest_message", gr.sys_id); fn.query(); if(!fn.next()){ gs.log("Did not find function: " + funcs[key] + ". Creating it."); fn.initialize(); fn.function_name = funcs[key]; fn.rest_message = gr.sys_id; fn.rest_endpoint = "${chefServer}${endpoint}"; fn.insert(); } fn.content = "${body}"; fn.update(); var header = [ ["Accept","application/json"], ["X-Chef-Version","0.10.4"], ["X-Ops-Authorization-1","${auth1}"], ["X-Ops-Authorization-2","${auth2}"], ["X-Ops-Authorization-3","${auth3}"], ["X-Ops-Authorization-4","${auth4}"], ["X-Ops-Authorization-5","${auth5}"], ["X-Ops-Authorization-6","${auth6}"], ["X-Ops-Content-Hash","${hashedBody}"], ["X-Ops-Sign","algorithm=sha1;version=1.0;"], ["X-Ops-Timestamp","${timestamp}"], ["X-Ops-UserId","${clientName}"], ]; for(var hkey in header){ var h = new GlideRecord("sys_rest_message_fn_headers"); h.initialize(); h.name = header[hkey][0]; h.value = header[hkey][1]; h.rest_message_function = fn.sys_id; h.insert(); } } } }, type: 'ChefHelper' }

Using the script

With this library, you should not have to build the REST Message record for the API. The library should automatically detect whether the REST Message record is set up. If it is not, it will create it for you and leverage it automatically.

To use this library, simply tailor the following example to your needs:

1
2
3
4
5
6
7
8

//
//Get a list of Clients on the Chef Server
//
var c = new ChefHelper();
var endpoint = "/clients";
var body = "";
res = c.sendRESTRequest("GET", endpoint, body);
gs.log(res);

2 Comments

vandna on May 14, 2015 at 11:11 pm

Hi John,

I am trying to integrate chef with service-now. I am trying to convert admin.pem file to admin.der command using command you mentioned in this post but, it’s giving error that can’t open admin.der file, please help me.
vandna on May 15, 2015 at 2:48 am

Hi John,

Regarding the last comment, now Error that we previously got is resolved.

But we are getting Error in script include that you provide.
Error:Security restricted: Attempted access to restricted class name java.security.KeyFactory
Evaluator: java.lang.SecurityException: Illegal attempt to access class ‘java.security.KeyFactory’ via script
Caused by error in Script Include: ‘ChefHelper’ at line 260

Please help…

Opscode Chef Integration Library for ServiceNow

Storing the key in ServiceNow

Set up Server and Client Properties

Install the Script Include

Using the script

About The Author

John Andersen

2 Comments

Leave a reply

Search

Recent Blog Posts

Subscribe to My ServiceNow Blog

Opscode Chef Integration Library for ServiceNow

Storing the key in ServiceNow

Set up Server and Client Properties

Install the Script Include

Using the script

About The Author

John Andersen

Related Posts

Submit XML to ServiceNow via HTTP Post

Digest Authentication with Service-now

Angular Service for manipulating User_Image fields on ServiceNow forms

Supporting Kerberos Authentication with ADFS in ServiceNow

2 Comments

Leave a reply

Search

Recent Blog Posts

Subscribe to My ServiceNow Blog