Splunk Enterprise Security

Splunkbase Add on ServiceNow

pslattery23
New Member

When trying to connect the "Splunk Add-on for ServiceNow" I am not able to connect to the ServiceNow instance.

ERROR: "unable to reach server at XXX. Check configurations and network settings.

An account has been configured in ServiceNow with the following roles
import_transformer, rest_api_explorer, sn_sec_splunk_v2.api_account_access, sn_si.analyst, sn_si.integration_user, soap
URL is the base url of the instance that I am trying to connect to.
Password has been verified with the ServiceNow team and reset to ensure its accuracy

alt text

0 Karma

grokdesigns
Explorer

This may be due to ServiceNow implementing TLSv1.2 and requiring SNI for connections to the server.

Try the following:

/bin/splunk cmd openssl s_client -connect yoursnowurl.service-now.com:443

If you receive an SSL handshake error, your ServiceNow instance has likely implemented TLSv1.2. You should also check the ServiceNow app's logs for "SSLEOFError: EOF occurred in violation of protocol" errors.

Next, run the following command. If it connects successfully, TLSv1.2 and SNI have been implemented.

/bin/splunk cmd openssl s_client -connect yoursnowurl.service-now.com:443 -servername yoursnowurl.service-now.com

The current version of the Splunk Add-on for ServiceNow app has an older version of the httplib2 library that does not work with SNI. Go to https://github.com/httplib2/httplib2/tree/master/python2 and download a copy of the httplib2 folder. Backup the httplib2 folder in the bin folder of the ServiceNow app and replace it with the version you downloaded. Try adding your ServiceNow account through the Splunk web interface again.

0 Karma

kpanchal_splunk
Splunk Employee
Splunk Employee

@pslattery23 Are you able to ping the ServiceNow server from your Splunk instance?
This error reflects the unreachability of the ServiceNow server from the Splunk instance.

Can you please verify it and revert back here.
You can use the ping command to check the server reachability
Eg: ping abc.service-now.com

FYI - @osasfrancis

0 Karma

osasfrancis
Path Finder

@kpanchal Apologies, how exactly do you ping from the splunk instance? The server in which i have the addon installed on can ping servicenow via cmd prompt.

0 Karma

kpanchal_splunk
Splunk Employee
Splunk Employee

@osasfrancis

I did some tests in order to reproduce the issue. What I did was:
1. Blocked my Splunk server to contact any URLs out of my network.
2. Tried to ping my ServiceNow instance (which is outside of my network) from the command prompt. As expected, ping was unsuccessful.
3. Installed the ServiceNow add-on on my Splunk server and tried to configure it.

As a result of the above test, I was successfully able to reproduce the issue which you are facing.

Hence I am pretty much sure that your Splunk server is somehow not able to reach your ServiceNow instance.

In order to get familiar with the Ping command, you follow this guide: https://iihelp.iinet.net.au/How_to_run_a_ping_test
The command that is mentioned in the above guide works similarly in Windows, Linux, and macOS command prompts.

0 Karma

osasfrancis
Path Finder

@kpanchal, thanks for your response with this. From the link, in my previous comment, i was able to ping my servicenow instance from my splunk server successfully using command prompt.

0 Karma

kpanchal_splunk
Splunk Employee
Splunk Employee

@osasfrancis
In order to know the issue in your local environment, I would suggest you file a ticket in Splunk JIRA, in order to further investigate the issue.

0 Karma

osasfrancis
Path Finder

Were you able to resolve this?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...