Configuring ServiceNow - AWS Service Catalog

Configuring ServiceNow

After completing the IAM and AWS Service Catalog configurations, the next configuration area to set up is ServiceNow. Installation tasks within ServiceNow include:

  • Clear the ServiceNow platform cache.

  • Clear the web browser cache.

  • Activate two ServiceNow plugins.

  • Install the ServiceNow Connector scoped application, and upload and commit the ServiceNow Connector Update Set.

  • Configure ServiceNow platform system admin components.

  • Configure AWS Service Management Connector scoped application, including accounts, scheduled jobs sync, and permissions.

  • Validate connectivity to AWS Regions.

  • Manually sync scheduled jobs.

  • Configure the AWS Service Catalog Product Widget Components and Assignment Group for Closed Change Records.

  • Grant access to AWS Service Catalog portfolios.

  • Configure AWS Tags For provisioned products.

  • Configure synchronization of AWS Config data using an Aggregator into ServiceNow CMDB.

  • Configure available ServiceNow tables to sync with AWS Config.

  • Configure AWS Security Hub integration.

Clearing the ServiceNow Platform Cache

Before installing the AWS Service Management scoped app, we recommend you clear the ServiceNow platform cache. To do so, enter this URL https://[InsertServiceNowInstanceNameHere]/cache.do.

Note

Ensure that you install the update set in a non-production/sandbox environment. Consult a ServiceNow system administrator if you need approval to clear the ServiceNow platform cache.

Clearing the Web Browser Cache

Clear the web browser cache to remove previous rendered product forms.

Activating Two ServiceNow Plugins (User Criteria Scoped API and Discovery, and Service Mappings Patterns)

Activate the User Criteria Scoped API Plugin

  1. From your ServiceNow dashboard, enter plugins into the navigation panel in the upper left.

  2. When the System Plugins page populates, next to the Name dropdown, search for User criteria.

  3. Choose User Criteria Scoped API and then choose Activate.

Activate the Discovery and Service Mappings Patterns Plugin

  1. From your ServiceNow dashboard, enter plugins into the navigation panel in the upper left.

  2. When the System Plugins page populates, next to the Name dropdown, search for Discovery.

  3. Choose Discovery and Service Mapping Patterns and then choose Activate.

Note

This plugin is free and is needed to align to CMDB tables available outside of ServiceNow’s family release CMDB updates.

Installing ServiceNow Connector Scoped Application

The AWS Service Management Connector for ServiceNow is released as a conventional ServiceNow scoped application through a ServiceNow Update Set.

ServiceNow update sets are code changes to the out-of-the-box platform and enable developers to move code across ServiceNow instance environments. The Connector for ServiceNow update set is available to download in the ServiceNow store.

We provide the code for Connector for ServiceNow version 3.5.2 for users who install the update set on a ServiceNow Personal Developer Instance (PDI).

You can apply the Connector for ServiceNow version 3.5.2 update set to a "Paris", "Madrid," "New York," or "Orlando" platform release of ServiceNow.

If you do not already have a ServiceNow instance, start with the first step below. If you already have a ServiceNow instance, proceed to the instructions below on how to install the update set.

To obtain a ServiceNow instance

  1. Go to Obtaining a Personal Developer Instance.

  2. Create ServiceNow developer program credentials.

  3. Follow the instructions for requesting a ServiceNow instance.

  4. Capture your instance details, including URL, administrative ID, and temporary password credentials.

To install the update set

  1. From your ServiceNow dashboard, enter update sets into the navigation panel in the upper left.

  2. Choose Retrieved Update Sets from the results.

  3. Select Import Update Set from XML and upload the release XML file.

  4. Select the AWS Service Management Connector for ServiceNow update set.

  5. Choose Preview Update Set, which makes ServiceNow validate the connector update set.

  6. Choose Update.

  7. Choose Commit Update Set to apply the update set and create the application. This procedure should complete 100%.

. Platform System Admin Components

To enable the AWS Service Management Connector for ServiceNow scoped application named AWS Service Management, the system admin must create a discovery source, and configure specific platform tables, forms, and views.

Create a discovery source AWS Service Management Connector entry

To allow AWS to report discovered CIs into your CMDB you must create a new discovery data source called AWS Service Management Connector. Perform the following steps:

  1. Choose System Definition. Then select Choice Lists.

  2. Choose New.

  3. Create a new entry with the following details:

    • Table: Configuration Item [cmdb_ci]

    • Element: discovery_source

    • Label: AWS Service Management Connector

    • Value: AWS Service Management Connector

Note

Make sure you are in Global mode in ServiceNow System Settings to modify System Definitions.

Enable permissions on ServiceNow Platform table (Catalog Item Category)

For AWS products to display under AWS portfolios as sub-categories in the ServiceNow Service Catalog, you need to modify the Application Access form for Catalog Item Category tables. This action is necessary because a ServiceNow scoped API is not available for the Catalog Item Category table.

  1. Enter Tables in the Navigator and choose System Definition, then choose Tables.

  2. In the list of tables, search for a table with label Catalog Item Category (or with the name "sc_cat_item_category"). The list of tables displays. Choose Category to view the form defining the table.

  3. Choose the Application Access tab on the form and choose the Can Create, Can Update, and Can delete checkboxes on the form. Then choose Update.

ServiceNow Permissions for Administrators of the Connector Scoped App

The AWS Service Management scoped app comes with two ServiceNow roles that enable access to configure the application. This feature enables system admins to grant one or more users privileges to administer the application, without having to open up full sysadmin access to them. System admins can assign these roles to either individual users or to one administrator user.

To set up Connector application administrator privileges

  1. Enter Users in the navigator and select System Security – Users.

  2. Select a user to grant one or both previous roles (such as admin) to. You can also Create a User.

  3. Choose Edit on the Roles tab of the form.

  4. Filter the collection of roles by the prefix “x_”.

  5. Choose one or both of the following and add them to the user: x_126749_aws_sc_account_admin,x_126749_aws_sc_portfolio_manager, x_126749_ aws_sc.automation_manager and x_126749_aws_sc.finding_manager.

  6. Choose Save.

To add AWS Service Catalog to ServiceNow Service Catalog categories

  1. Choose Self Service | Service Catalog and select the Add content icon in the upper right.

  2. Select the AWS Service Catalog Product entry. To add it to your catalog home page, choose the first Add Here link on the second row of the selection panel at the bottom of the page.

To add AWS Systems Manager automation documents to ServiceNow Service Catalog categories

  1. Choose Self Service | Service Catalog and select the Add content icon in the upper right.

  2. Select the AWS Systems Manager entry. To add it to your catalog home page, choose the first Add Here link on the second row of the selection panel at the bottom of the page.

Note

This Connector release displays all AWS Systems Manager documents available in the AWS account that has AWS Systems Manager selected.

System administrators can deactivate AWS Systems Manager documents requests. To deactivate requests, choose AWS Systems Manager, Automation Documents, and deselect the Active button. After deactivation of the document, end users no longer see the document in the ServiceNow Service Catalog.

The Connector creates closed change requests on post provision actions (such as update, terminate and self-service) for AWS Service Catalog products visible in ServiceNow.

To achieve a closed change request from post provisioned actions, add a change request type and configure the sys_id for the group assigned to the closed change records in the Connector AWS Service Catalog system properties.

To add a change request type

  1. If you are upgrading from a previous version of the AWS Service Management scoped app, you must remove the AWS Product Termination change request type before you create a new change request type.

  2. You must add a new change request type called AWS Provisioned Product Event for the scoped application to trigger an automated change request in Change Management. For instructions, see Add a new change request type.

  3. Open an existing change request.

  4. Open the context (right-click) menu for Type and then choose Show Choice List.

  5. Choose New and fill in the following fields:

    • Table: Change Request

    • Label: AWS Provisioned Product Event

    • Value: AWSProvisionedProductEvent

    • Sequence: pick the next unused value

  6. Submit the form.

Note

For details on how to associate the Change Assignment group, see Configuring the AWS Service Catalog Product Widget Components and Assignment Group for Closed Change Records.

Configuring AWS Service Management Connector Scoped Application

After installing and configuring the AWS Service Management Connector for ServiceNow, you must configure the scoped application and applicable roles.

To configure the AWS Service Management Connector scoped application permissions

  1. In your ServiceNow instance, create a user group called Order_AWS_Products. Members of this group can order AWS Service Catalog products. For instructions, see Create a user group.

  2. Grant ServiceNow permissions to the following users:

    • System Administrator (admin): For simplicity in this example, user admin is the administrator of the AWS Service Management scoped application. Grant this user both of the administrative permissions from the adapter: x_126749_aws_sc_portfolio_manager, x_126749_aws_sc_account_admin, x_126749_ aws_sc.automation_manager, and x_126749_aws_sc.finding_manager.

      Add System Administrator to the new ServiceNow group Order_AWS_Products. In a real scenario, these roles would likely be granted to different users or groups. In a real scenario, these roles would likely be granted to different users or groups.

    • Abel Tuter: The user abel.tuter is chosen as an illustrative end user. Grant Abel the new role Order_AWS_Products. This allows him to order products from AWS.

ServiceNow Permissions Recap
ServiceNow Persona Scoped App Permissions ServiceNow Permission Type
Admin

x_126749_aws_sc_portfolio_manager

x_126749_aws_sc_account_admin

x_126749_aws_sc.automation_manager

x_126749_aws_sc.finding_manager

Role (scoped app)

Role (scoped app)

Group Role (scoped app)

Role (scoped app)

End User (i.e., Abel Tuter) Order_AWS_Products Group

Configuring AWS Accounts to Synchronize in the Connector

  1. Log in as the system administrator.

  2. Enter AWS in the navigator. Choose the AWS Service Management scoped app.

  3. In the AWS Service Management scoped app Accounts menu, create one entry for every AWS account. You need to use the keys and secret keys from the users you created in AWS.

To create account entry

  1. Enter the name as an account entry identifier, such as Connector_Demo (for Commercial region), or Connector_Demo_GovCloud (for GovCloud region).

  2. Enter AWS access key and secret access key from the AWS account sync user IAM configurations.

  3. Enter AWS access key and secret access key from the AWS account end user IAM configurations.

  4. Select AWS service integrations that you want visible for this AWS account. The choices include:

    • Integrate with AWS Service Catalog

    • Integrate with AWS Config

      • Select AWS Config if you plan to integrate AWS Config cloud resources per each AWS account or through the latest AWS Config Aggregator integration feature. Version 3.5.2 of the Connector for ServiceNow includes an AWS Config aggregator feature that enables ServiceNow administrators to align aggregated AWS Config details into one AWS account.

      • If you plan to use the Config Aggregator feature, proceed with configuring the AWS account in this section. For more information on the Config Aggregator steps, see Configuring synchronization of AWS Config data using an Aggregator into ServiceNow CMDB.

    • Integrate with AWS Systems Manager

    • Integrate with AWS Security Hub

  5. Choose Account Regions. Select the Commercial or GovCloud Region. To see the AWS account regions, choose Insert a new row….

  6. Repeat the step above to insert additional regions.

  7. Save or update the account entries.

  8. Validate AWS account connectivity by following the steps in Validating Connectivity to AWS Regions. Note that in this Connector for ServiceNow version 3.5.2 and going forward, the Validate Accounts button only appears once after the account entry is submitted or updated.

Validating Connectivity to AWS Regions

You can now validate connectivity to AWS accounts between the ServiceNow Connector_Demo account and the AWS IAM SMSyncUser and SMEndUser.

To validate connectivity to AWS account

  1. In the AWS Service Management scoped app, choose Setup, then AWS Accounts.

  2. Select Connector_Demo and choose Validate Account.

  3. A successful connection result in the message, “Successfully validating AWS account in each referenced Region.”

If the AWS IAM access key or secret access key are incorrect, you will receive an error message.

Manually Syncing Scheduled Jobs

During the initial setup, manually execute the sync instead of waiting for Scheduled Jobs to run. The default sync schedule is every 31 minutes.

To sync the accounts manually

  1. Log in as system administrator.

  2. Find Scheduled Jobs in the navigator panel.

  3. Search for job Sync all Accounts, select it, and choose Execute Now.

    Note

    If you do not see Execute Now in the upper left corner, choose Configure Job Definition. Execute Now will be visible.

Data is visible in the AWS Service Management scoped app menus after the adapter’s scheduled synchronization job has run.

Configuring the AWS Service Catalog Product Widget Components and Assignment Group for Closed Change Records

To address the varying personas of end users requesting AWS products, the Connector for ServiceNow includes a scoped app setting to enable or disable components of the AWS product widget. By default, all AWS product components are enabled.

To modify the AWS product view

  1. In the navigator, enter System Properties and select AWS Service Catalog.

    Note

    Make sure you are in the AWS Service Management Connector scoped application mode.

  2. Deselect any AWS product component such as:

    • Enable editing of the AWS Service Catalog Product name.

    • Enable selection of launch options for AWS Service Catalog Products. (Note that this component is only visible if the AWS product has more than one launch path.)

    • Enable selection of product versions for AWS Service Catalog. (Note that this component is only visible if the AWS product has more than one product version.)

    • Enable tags for AWS Service Catalog Products.

    • Enable plans (ChangeSet) creation for product. (Note that if set to false the plan section is hidden.)

  3. Choose Save.

The AWS Service Catalog system properties also includes a section to identify an assignment group to associate with closed change records that are generated from post provision actions of products (terminate, update, self-service actions).

To associate the assignment group for change records created by AWS Service Catalog post provision actions

  1. In the navigator, enter System Properties and select AWS Service Catalog. Make sure you are in the AWS Service Management Connector scoped application mode.

  2. Choose the section Set the ‘assignment group’ sys_id or name that the connector will use when creating change requests.

  3. Enter the Assignment group sys_id.

  4. If you need to find the group sys_id, enter System Security in the left navigator.

  5. Select Groups module.

  6. Search for the Group name.

  7. Choose the group that you want to associate to close changed records and select Copy sys_id. You are now able to paste the copied sys_id into the AWS Service Catalog System Properties for the Connector under Set the ‘assignment group’ sys_id or name that the connector will use when creating change requests.

    If the sys_id is left blank, the change record sends a message that no assignment group exists for the record, which causes change requests created from the Connector to be in an open state.

Granting Access to AWS Service Catalog Portfolios

This release of the Connector removes the need to link AWS identities to ServiceNow roles. To grant access to AWS Service Catalog products in ServiceNow, you must establish a link between the AWS Service Catalog portfolios and the ServiceNow group (for example, Order_AWS_Products created earlier in the instructions as an installation example).

To grant access to AWS Service Catalog portfolios in ServiceNow

  1. In the AWS Service Management scoped app, choose AWS Service Catalog, then Portfolios module.

  2. Select the desired Portfolio ARN. You can double-click the AWS Service Catalog portfolio name.

  3. Select the Allowed Groups tab.

  4. Choose New and enter the Group named Order_AWS_Products.

  5. Choose Submit.

Configuring AWS Tags for provisioned products

The AWS Service Management Connector v3.5.2 enables ServiceNow administrators to add tags (metadata) to provisioned products globally across the scoped app or granularly at the portfolio level. These tags are not visible to end users.

Three tag types are available in this release:

  • Generic tags in which the administrator can enter the key and value.

  • ServiceNow Request Item tags in which the admin can enter the following syntax for key and value.

  • ServiceNow table(s) values that are selectable by end users as tags for provisioned AWS resources. This release now enables administrators to identify any ServiceNow tables such as Cost center or Department and make values from that table selectable by end users.

    Note

    Generic tags (from administrators) and ServiceNow Request Item tags are not viewable by end users.

    Key Value
    Requested Item Number ${REQUEST_NUMBER}
    User ${USERNAME}
    Requested for ${REQUESTED_FOR}
    Opened by ${OPENED_BY}

To add generic AWS tags to AWS Service Catalog provisioned products in ServiceNow

  1. In the AWS Service Management scoped app, choose Setup, then the Automated Tags module.

  2. Choose New.

  3. For Global tags, enter the Key and Value entries and choose Submit.

  4. For Portfolio tags, deselect Global check. The Portfolio field becomes available. Select the AWS Service Catalog portfolio, enter the Key and Value entries, and choose Submit.

To add in-scope ServiceNow request item AWS tags to AWS Service Catalog provisioned products derived from ServiceNow

  1. In the AWS Service Management scoped app, choose Setup, then the Automated Tags module.

  2. Choose New.

  3. For Global tags, enter the specific Key and Value entries for either User or Request Item Number, and choose Submit.

  4. For Portfolio tags, deselect Global check. The Portfolio field becomes available. Select the AWS Service Catalog portfolio, enter the Key and Value entries, and choose Submit.

To add tags to AWS provisioned products from ServiceNow tables and fields that are selectable by end users

  1. In the AWS Service Management scoped app, choose Setup, then the Automated Tags module.

  2. Choose New.

  3. Choose Selectable by End User.

  4. Select a table from the dropdown list Table Name.

  5. Select a field from the dropdown list Table Field.

  6. For Global tags, enter the Key and Value entries and choose Submit.

  7. For Portfolio tags, deselect Global check. The Portfolio field becomes available. Select the AWS Service Catalog portfolio, enter the Key and Value entries, and choose Submit.

    The ServiceNow Table and field value will appear on the AWS Product (ServiceNow catalog item) and is a required value prior to ordering. Once products are provisioned, you can see in the AWS console that these tags are associated to the resource.

Configuring synchronization of AWS Config data using an Aggregator into ServiceNow CMDB

Prerequisite: You need to opt-in and configure the AWS account that contains the aggregated AWS Config resources details prior to performing the steps below. For more information, see the Configuring AWS Accounts to Synchronize in the Connector.

To configure the Connector to use an Aggregator to synchronize AWS Config data

  1. In the AWS Service Management scoped app, choose the Setup module.

  2. Select Aggregators for AWS Config.

  3. Choose New.

  4. Enter the name of the new Config Aggregator.

  5. Select the region the new Config Aggregator was created.

  6. Select the AWS account that should use the new Aggregator. Only AWS accounts opted into the Connector for ServiceNow that have Integrate with AWS Config will be viewable.

  7. Select Submit.

    If an Aggregator is defined for a given AWS account and region, the Aggregator integration becomes the only AWS Config to ServiceNow CMDB synchronization mechanism for that AWS Account.

Configuring available ServiceNow tables to sync with AWS Config

In this Connector for ServiceNow release, you can now sync a set of ServiceNow tables in the CMDB to AWS Config as custom resources.

The ServiceNow tables and AWS Config custom resource mapping are as follows:

ServiceNow CMDB table AWS custom resource
cmdb_ci_apache_web_server Apache Web Server
cmdb_ci_app_server Application Server
cmdb_ci_app_server_java Java Server
cmdb_ci_app_server_tomcat Tomcat Server
cmdb_ci_app_server_tomcat_war Tomcat Web Application
cmdb_ci_app_server_websphere IBM Websphere Application
cmdb_ci_app_server_ws_ear Websphere Enterprise Archive
cmdb_ci_appl Application
cmdb_ci_appl_dot_net A .Net Application
cmdb_ci_appl_now_app_comp ServiceNow Application Component
cmdb_ci_appl_sap Sap Application
cmdb_ci_appl_sap_hana_db SAP Hana Database
cmdb_ci_appl_sap_system SAP System
cmdb_ci_appl_sharepoint Microsoft Sharepoint Application
cmdb_ci_application_cluster Application Cluster
cmdb_ci_application_server_resource Application Server Resource
cmdb_ci_application_software Application Software
cmdb_ci_db_mssql_database MySql Database
cmdb_ci_db_mysql_instance MySql Instance
cmdb_ci_kubernetes_cluster Kubernetes Cluster

To configure select ServiceNow tables as AWS Config custom resources

  1. In the navigator, enter AWS Service Management.

  2. Choose Setup, then Tables Sync to AWS Config.

  3. Choose New.

  4. Select an in scope ServiceNow table.

  5. Select an account and region for the new resource type. Any supported region can be selected, not just those the account is configured for.

  6. Click Submit.

  7. Repeat steps above to include additional ServiceNow tables available to sync as AWS Config custom resources.

    Creation of the new AWS Config resources takes time depending on the number of ServiceNow tables selected. The Schema version field will be populated when the creation is successful. The new AWS Config custom resource type will be automatically included in the period synchronization of resources. Thus, as details in the ServiceNow table are updated, this information will sync to AWS Config custom resource.

Configuring AWS Security Hub integration

To configure AWS SecurityHub synchronization behavior to the Connector in ServiceNow

  1. In the navigator, enter AWS Service Management.

  2. Select System Properties, then AWS Security Hub.

  3. Configuration items:

    • Select types of AWS Security Hub Findings to sync in ServiceNow: CRITICAL, HIGH, MEDIUM, LOW, and INFORMATIONAL.

    • Select the action to take when a new finding is synced to the connector in ServiceNow:

      • Do Nothing. This action only imports Security Finding types that are selected into the scoped app. Users with scoped app permissions can view and choose to create incident or problem. Do Nothing is the default value in the Connector.

      • Create Incident. This action automatically creates incidents based on Security Findings and syncs updates in ServiceNow to AWS Security Hub.

      • Create Problem. This action automatically creates incidents based on Security Findings and syncs updates in ServiceNow to AWS Security Hub.

      • Create Incident and Problem. This action automatically creates incidents and problems based on Security Findings and syncs updates in ServiceNow to AWS Security Hub.

    • Adjust the maximum number of messages to fetch from the SQS queue per sync, account, or region (default 50). By default, the sync process runs every 5 minutes.

    • Change the SQS Queue name if not using the default created by the Connector supplied CloudFormation template.

      Note

      We recommend the SQS name in the ServiceNow scoped app (AwsServiceManagementConnectorForSecurityHubQueue) is not changed unless the SQS name is changed within the AWS account.

  4. Select Save after any changes.

    Fields synchronized from AWS Security Hub Findings to the ServiceNow scoped app AWS Security Hub Findings module in ServiceNow

Region The region in which the Finding was generated.
Account Id The account in which the Finding was generated.
Company Name The company which generated the finding (e.g. AWS).
Compliance Whether a resource passes the configured compliance criteria. Contains status (PASSED, WARNING, FAILED, NOT_AVAILABLE) and if the resource does not pass will contain some information regarding the reason for this.
Created At When the Finding was generated.
Description A description of the Finding.
Criticality The level of importance assigned to the resource associated with the Finding.
First Observed At When any potential security issues captured by the Finding were first observed.
Last Observed at The most recent time any potential security issues were captured by the Finding.
Product Name The name of the product that generated the Finding (e.g. Security Hub).
Product Arn The arn of the product that generated the Finding.
Record State Either ACTIVE or ARCHIVED.
Severity (normalized) A value from 0 to 100 indicating the severity of the problem associated with the Finding.
Status PASSED, WARNING, FAILED, or NOT AVAILABLE.
Title The title of the Finding.
Updated At When the Finding provider last updated the record.
Workflow Status NEW, ASSIGNED, IN PROGRESS, RESOLVED, DEFERRED, or DUPLICATE.
Remediation Text A description of suggested action to resolve the discovered issue.
Remediation Url A link to a resource that may resolve the discovered issue.

Adding the My AWS Products Widget to the Service Portal View

We recommend ServiceNow administrators add the My AWS Products widget to the ServiceNow Portal view. The widget enables users to view their AWS product requests, view outputs, and perform post-operational actions such as update, terminate, and service actions (AWS Systems Manager documents).

To include the My AWS Products widget on the Service Portal view

  1. Log in as system administrator in the ServiceNow standard user interface (Fulfiller view).

  2. In the navigator panel, find Service Portal.

  3. Select Service Portal Configuration.

  4. Select Designer.

  5. Search for Service Portal in the filter.

  6. Select the Service Portal box with a house image and the word Index in the lower right corner.

  7. On the Widgets section in the left panel, type My AWS Products in the Filter Widget.

  8. Drag the widget onto the Service Portal edit view to your desired location.

  9. Preview your changes.

Viewing Budgets Related to AWS Service Catalog Portfolios and Products

ServiceNow administrators can view budgets and actual costs related to AWS Service Catalog portfolios and products in the ServiceNow standard user interface.

To view portfolio budgets

  1. Log in as system administrator.

  2. In the navigator panel, search for AWS Service Catalog.

  3. Select the Portfolios module.

  4. Select the AWS Service Catalog portfolio that contains an associated budget.

  5. Choose the Budget tab.

To view product budgets

  1. Log in as system administrator.

  2. In the navigator panel, search for AWS Service Catalog.

  3. Select the Products module.

  4. Select the AWS Service Catalog product that contains an associated budget.

  5. Choose the Budget tab.

Syncing Updated Keys Programmatically in ServiceNow

AWS Service Management Connector for ServiceNow allows synchronization of updated keys by any automation or integration, through a new REST endpoint.

You can send requests to synch updated keys for one or more AWS accounts registered within the AWS Service Management Connector, for either the sync or end user.

For details to the Syncing updated keys syntax and instructions, see Syncing Updated Keys Programmatically in ServiceNow.