1. SnowMirror Requirements
SnowMirror is a Java-based application which mirrors data from ServiceNow into your local database. It mirrors data using ServiceNow API: either SOAP web services or REST API.
Moreover, the SnowMirror application comes with SnowMirror Monitor which provides insight into SnowMirror directly from ServiceNow.
What you need:
- ServiceNow Instance
- ServiceNow User with sufficient Rights
- Server with one of supported operating systems - Operating System
- Database into which all mirrored data will be stored
1.1. ServiceNow
SnowMirror can download data using SOAP API or REST API. Generally, it does not matter which one you choose.
For ideal communication between ServiceNow and SnowMirror we recommend you to activate some plugins and set up authentication credentials with sufficient rights.
1.1.1. SOAP API vs REST API
Generally, it does not matter which API you use. Most users use SOAP API because SnowMirror has supported it longer than REST API. For the largest customers, we created a custom-made Performance API - see details below or in Performance API documentation.
SOAP API | REST API | Performance API | |
---|---|---|---|
Performance |
Most of the time, the performance of SOAP and REST APIs is roughly the same. However, some customers reported that SOAP performs better, and some customers reported that REST performs better. You would have to test both APIs to see if you can observe any differences on your instance. |
A custom-made API which provides the best performance because it is able to bypass ACL checks. It is mostly suitable for the largest customer with the largest amounts of data. |
|
Timeout |
Generous. ServiceNow provides a lot of time to process requests. Therefore, SOAP is usually preferred by customers with really large tables. |
Limited. By default, ServiceNow provides up to 60 seconds to process a request. From time to time, this is not enough. Therefore, you have to increase Transaction Quota. |
Generous. Configurable from SnowMirror. By default, a transaction can run for up to 10 minutes. |
ServiceNow Plugins |
You should activate Aggregate Web Service plugin so that SnowMirror is able to count records. See Plugins chapter for details. |
It does not require any plugin. |
It is a custom-made API. You have to install it to your ServiceNow instance via an update set. |
Encryption |
Communication between SnowMirror and ServiceNow is encrypted using standard TLS protocol. |
||
Authentication |
|||
Non-active Columns |
It can download only active columns. |
It can download active columns and optionally non-active columns. |
It can download active columns and optionally non-active columns. |
Empty Integer Fields |
When an integer field is empty in ServiceNow, SOAP API returns 0. It does not return an empty value. There is nothing SnowMirror can do about it, that is how ServiceNow SOAP API works. |
Works as anyone would expect: it sends an empty value when an integer field is empty. |
Works as anyone would expect: it sends an empty value when an integer field is empty. |
Emojis |
Ignores 4-byte characters like emojis (smileys). |
Supports 4-byte characters like emojis (smileys). |
Supports 4-byte characters like emojis (smileys). |
1.1.2. Plugins
SnowMirror uses aggregate functions (counting records, finding out max. value, ….) to provide the best user experience and to provide the best performance possible.
These functions are built in into REST API. If you use SOAP API, you have to activate Aggregate Web Service plugin to make them available. SnowMirror works even without this plugin. For the best performance, we recommend you to activate the plugin before running SnowMirror.
Plugin Activation
-
To activate the plugin, open ServiceNow instance as an administrator.
-
Search for Plugin application in menu bar and open application.
-
On the top of the page type plugin name "aggregate" in search box and hit ENTER.
-
Check if the plugin Status is ACTIVE otherwise open the plugin.
-
On the plugin page click on Activate/Upgrade link in Related Links section and activate the plugin.
For more information please follow the official documentation on activating ServiceNow plugins.
1.1.3. User Access Rights
The communications with ServiceNow API is secured. SnowMirror uses basic HTTP authentication to secure both SOAP and REST API calls.
SnowMirror requires a user account with a read access to some system tables and to all mirrored tables. You can use an account with admin role. It is easy to set up and is suitable for evaluation. If you don’t want to use admin account, please see Security chapter for detailed description of all needed rights.
1.2. Application Requirements
SnowMirror is a Java web application, meaning it runs centrally on a server, and users interact with it throughout web browser from any computer.
1.2.1. Hardware
SnowMirror runs on any reasonably fast PC. See the minimal recommended hardware configuration.
-
Dual-core CPU (Intel or AMD)
-
2 GB RAM
-
1 GB HDD for installation
-
Additional 5 GB for log files
These requirements expect that only SnowMirror runs on that machine. You will need to run separate database server for mirror database. Of course, you may use your existing infrastructure for that database.
Estimating required storage space
SnowMirror keeps a log of all activities - the estimated storage required for these logs is around 80 MB per year.
SnowMirror also creates separate activity log for each synchronization run. The storage required for these logs vary depending on how many synchronizations you have, how often you synchronize them and how many records are being synchronized. Naturally, the longer you use SnowMirror more space for logs is required. See the examples below.
Amount of data | Estimated storage required per year |
---|---|
Big (~150,000 updated records) synchronization every day |
~ 45 MB per year |
Big (~150,000 updated records) synchronization every hour |
~ 1 GB per year |
Smaller (~10,000 updated records) synchronization every day |
~ 3 MB per year |
Smaller (~10,000 updated records) synchronization every day |
~ 72 MB per year |
Then the total storage required per year can be calculated as:
Storage per year = 80 MB + (number of big daily synchronizations * 45 MB + (number of small daily synchronizations * 3 MB + (number of big hourly synchronizations * 1000) MB + (number of small hourly synchronizations * 72) MB
1.2.2. Java
Java is a piece of software that has to be installed on your computer. SnowMirror does not work without it. Currently, we support Eclipse Temurin 22.
On Windows, an up-to-date version of Java is included in the installation package. On Linux or Mac, you have to install it yourself. Please use Eclipse Temurin - package type JDK, architecture x64, version 22.
Java Is Provided Free Of Charge
Eclipse Temurin JDK is provided free of charge. Please, avoid releases of Oracle JDK. These are paid and come with Oracle’s commercial support.
1.2.3. Application server
SnowMirror runs on Apache Tomcat web server which is included in the installation package. We upgrade the Tomcat to the latest version on a regular basis.
1.2.4. Databases Or Cloud Storage
SnowMirror uses two databases.
-
Configuration database - stores metadata, i.e. what to synchronize, when to synchronize, etc.
-
Mirror database - stores data mirrored from ServiceNow
Configuration DB and mirror DB may use different database servers. However, the best practice is to have one database server containing two databases. For more information see Database Configuration section. You can install and maintain the database server yourself, or you can create the database in cloud services like Amazon RDS and Azure Databases.
Alternatively, you can store data into cloud storage as CSV files.
Database | Version | On-Premise | AWS RDS | Azure | Comments |
---|---|---|---|---|---|
All versions |
✓ |
N/A |
N/A |
It can be used as a mirror database. It cannot be used as a configuration database. |
|
All versions |
✓ |
N/A |
N/A |
It can be used as a mirror database. It cannot be used as a configuration database. |
|
2008, 2008 R2, 2012, 2014, 2016, 2017, 2019, 2022 |
✓ |
||||
5.5, 5.6, 5.7, 8.0 |
✓ |
We also support AWS Aurora. |
|||
5.5, 10.x |
✓ |
||||
11g, 12c, 18c, 19c, 21c, 23c |
✓ |
N/A |
|||
9.2, 9.3, 9.4, 9.5, 9.6, 10, 11, 12, 13, 14, 15, 16 |
✓ |
We also support AWS Aurora. |
|||
All versions |
✓ |
N/A |
N/A |
It can be used as a mirror database. It cannot be used as a configuration database. |
|
>= 2.0.0, 1.4.199 |
✓ |
N/A |
N/A |
Embedded file-based database. Suitable only for evaluation. |
Cloud Storage | Supported | Comments |
---|---|---|
Amazon S3since 5.0.0 |
✓ |
It can be used as a mirror database. It cannot be used as a configuration database. |
Azure Storagesince 5.0.0 |
✓ |
It can be used as a mirror database. It cannot be used as a configuration database. |
Google Cloud Storagesince 5.0.0 |
✓ |
It can be used as a mirror database. It cannot be used as a configuration database. |
1.2.5. Browser
SnowMirror runs on all modern web browsers such as Microsoft Edge, Google Chrome and Mozilla Firefox.
Internet Explorer is not supported. The last SnowMirror that supported IE was 5.1.15.
1.2.6. Operating System
SnowMirror is operating system agnostic. It can run on any system which supports Java.
Operating System | Version |
---|---|
Microsoft Windows Server |
2003 32 bit, 2008 R2 64 bit, 2012 R2 64 bit, 2016, 2019, 2022 |
Microsoft Windows |
XP 32/64 bit, 7 32/64 bit, 10 32/64 bit, 11 |
Linux |
2. Installing SnowMirror
SnowMirror can be installed either using Windows Installer or manually from a ZIP package. Using the Windows Installer is the easiest and and most straightforward way to install and configure SnowMirror. On Linux you have to do the installation and configuration manually.
You can download SnowMirror from our website.
Direct links look like:
-
https://snow-mirror.com/downloads-enterprise/snow-mirror-VERSION.exe
-
https://snow-mirror.com/downloads-enterprise/snow-mirror-VERSION.zip
If you need checksum files, you can find them at https://snow-mirror.com/downloads-enterprise/checksum/snow-mirror-VERSION.exeOrZip.CHECKSUM-TYPE. Checksums available: md5, sha1, sha256, sha512
2.1. Prerequisites
You need two databases on your database server - configuration database and mirror database. See Database Configuration chapter.
If you don’t have the databases yet, you can use H2 database which is embedded into SnowMirror. This will give you an opportunity to test SnowMirror even before your database administrators create the databases for you. Just note, that H2 is not suitable for production environment.
2.2. Windows Installer
2.2.1. Express installation
Express installation installs SnowMirror with default settings and uses embedded H2 database to store configuration data. This is not recommended on production environments. On production environments, use Custom installation and choose a different database server.
-
Run the Installer - Go to a location to where you downloaded SnowMirror installation file and run it.
-
First Step - Simply click next.
-
License Agreement - Please go through a license agreement and then confirm by clicking on "I agree".
-
Selecting the action - Select "Express Install" option and click next.
-
Summary - Here you can see summary. It shows installation location, used ports, Windows service and such.
-
Installing - Window with a progress bar.
-
Finish - Final screen. After clicking on "Finish", your default browser will be opened and application itself will load.
2.2.2. Custom installation
-
Run the Installer - Go to a location to where you downloaded SnowMirror installation file and run it.
-
First Step - Simply click next.
-
License Agreement - Please go through a license agreement and then confirm by clicking on "I agree".
-
Selecting the action - Select "Custom Install" option and click next.
-
Selecting the Location - If you would like to install SnowMirror into a location different to default one, feel free to click "Browse" and select your desired location. Once you are done selecting a location, just click "Next".
-
Configuring Ports and Host - This screen is here for you to change host name and ports.
-
HTTP Port Number - this is the port where you can access SnowMirror through your browser
-
Control Port Number - this is the port that receives shutdown requests
-
Host Name - together with HTTP port you will use this to access your SnowMirror from a browser
-
Installation Name - name of this SnowMirror installation. If you are installing SnowMirror in a cluster you have to choose a different name for each installation. The name is used for distinguishing the installations.
-
Installation Id - related to a cluster. Leave it empty if you are not using a cluster. If you are installing a first installation in a cluster, leave this empty. For any subsequent installation copy contents of "snow-mirror/data/installationId" file to this field.
-
-
Selecting the Database - Here you choose can which database you are going to use
Now you can input information necessary to correctly set mirror database.
-
Database Type: Choose a database you are going to use
-
Server: Address of a server where the database is running
-
Port: A port on which the database is running
-
Database: Database name, SID etc.
-
Username: username of a database user through which the SnowMirror is going to access the database
-
Password: password for that user
Postgres, SQL Server - If you wish to use different schema than public, it is possible too. Just fill the field Schema with the name of your desired schema.
-
-
Setting the Service - If you want to run SnowMirror as a service, leave the checkbox checked. Windows service is good if you want to run SnowMirror automatically after the operating system starts up. You can change the service name. This is useful if you need to install multiple instances of SnowMirror.
You can also change the system account under which the service will be running, e.g. if you create a special account on server just for running a SnowMirror. -
Summary - Here you can see summary. It shows installation location, used ports, Windows service and such.
-
Installing - Window with a progress bar.
-
Finish - Final screen. After clicking on "Finish", your default browser will be opened and application itself will load.
2.3. Windows Silent Installation
since 4.8.0 A silent installer allows you to automate SnowMirror installation. It does not have a user interface. Instead, you run it from a command line.
To run the installation in a silent mode, you have to provide "/S" parameter. Here is how you run it:
start /wait snow-mirror-1.2.3.exe /S
Silent Installer Parameters
Parameter | Description |
---|---|
LicenseAccept* |
Do you accept the license agreement? Values: Y |
Action |
What do you want to do? Values: install, upgrade
Default value: install |
Dir |
Absolute path where to install SnowMirror? Default value: C:\Program Files\SnowMirror |
ServiceInstallation |
Do you want to install SnowMirror as a Windows service?
|
ServiceName |
Name of the service. Default value: SnowMirror |
ServiceAccountUser |
Name of the account to run the service. Default value: LocalSystem |
ServiceAccountPassword |
Password of the account to run the service. If you are using the default LocalSystem, you must not provide any password. |
ConfigDbType* |
What kind of database server do you want to use? Values: mysql, mssql, oracle, postgres, h2 |
ConfigDbDriver |
On SQL Server, you can choose which JDBC driver to use to connect to your DB. Values: jtds, microsoft. Default value: microsoft |
ConfigDbServer |
Network name of your database server. |
ConfigDbName |
Name of your database. |
ConfigDbPort |
Port number where you can reach the database server. Values: 0 - 65535 |
ConfigDbSchema |
Name of your database schema. Default value on SQL Server: dbo |
ConfigDbInstance |
Name of your SQL Server instance. |
ConfigDbSid |
SID of your Oracle database. |
ConfigDbService |
Service name to use to connect to your Oracle DB. |
ConfigDbUsername |
A username to use to log in to your database. |
ConfigDbPassword |
A password to use to log in to your database. |
ConfigDbSsl |
Do you want to use encrypted SSL connection? Available for SQL Server, MySQL, MariaDb and PostgreSQL. Values:
Default value: IGNORE |
Scheme |
Protocol to use to connect to SnowMirror. Values: http, https Default value: http |
Host |
Hostname on which SnowMirror will be accessible. Default value: name of your computer |
Port |
Port number on which SnowMirror is accessible. Default value: 9090 |
ControlPort |
Port number on which SnowMirror receives shutdown requests. Default value: 8005 |
InstallationName |
Name of this SnowMirror installation. Useful only if you want to utilize HA cluster. Default value: SnowMirror |
InstallationId |
Identifies SnowMirror installation. In HA cluster, all nodes share the same Installation Id. If you do not use HA cluster, you can leave the field empty. Default value is empty. |
JvmMs |
Memory allocated by SnowMirror after it starts in MB. |
JvmMx |
Maximum memory that SnowMirror can allocate in MB. |
2.4. Installation On Linux
-
Create SnowMirror directory /opt/SnowMirror. You are free to choose a different directory.
mkdir /opt/SnowMirror
-
Download Java Runtime Environment (JRE) and SnowMirror and put them to the /opt/SnowMirror/tmp folder.
Java is available on https://adoptium.net/temurin/releases/ page - download "Linux x64" package. Use OpenJDK 17.
SnowMirror ZIP package is available on our website.In the scripts below, we use upper-case text CURRENT_JRE_VERSION and CURRENT_SNOW_MIRROR_VERSION. Please replace it with an actual version of Java and SnowMirror. -
Unpack both JRE and SnowMirror:
cd /opt/SnowMirror/tmp tar zxvf jre-CURRENT_JRE_VERSION-linux-x64.tar.gz unzip snow-mirror-CURRENT_SNOW_MIRROR_VERSION.zip
-
Copy the content of JRE to /opt/SnowMirror/jre and the content of SnowMirror to /opt/SnowMirror.
cp -r /opt/SnowMirror/tmp/jreCURRENT_JRE_VERSION/. /opt/SnowMirror/jre cp -r /opt/SnowMirror/tmp/snow-mirror-CURRENT_SNOW_MIRROR_VERSION/. /opt/SnowMirror
-
Remove temporary folder
cd /opt/SnowMirror rm -rf /opt/SnowMirror/tmp
-
-
Edit snowMirror.properties
-
snowMirror.host property - by default, it is set to "localhost". That means, you can access SnowMirror only from the machine where you installed it. If you want to be able to access SnowMirror from outside this machine, set the property to its network name. See Application URL Configuration for details on how to change the host name.
-
Provide a connection to your configuration database:
Database Server config.db.type config.jdbc.url mssql
jdbc:jtds:sqlserver://SERVER:PORT/snowmirror;instance=INSTANCE-NAME
oracle
jdbc:oracle:thin:@SERVER:PORT:SID
jdbc:oracle:thin:@SERVER:PORT/SERVICE-NAMEmysql
jdbc:mysql://SERVER:PORT/snowmirror
postgres
jdbc:postgresql://SERVER:PORT/snowmirror
h2
jdbc:h2:~/h2/snowmirror
Please, replace the bold parts in "config.jdbc.url" with actual values.
Also, provide username (config.jdbc.username) and password (config.jdbc.username).
-
-
Start SnowMirror.
/opt/SnowMirror/run.sh
-
Open SnowMirror in your favorite web browser on the following URL: http://VALUE-OF-snowMirror.host-PROPERTY:VALUE-OF-snowMirror.port-PROPERTY
The default value is http://localhost:9090.
2.4.1. Service Installation
Optionally, you can install SnowMirror as a service. The service will automatically start when operating system starts.
-
Open Terminal
-
Copy a script responsible for starting and stopping SnowMirror init.d directory.
sudo cp /opt/SnowMirror/bin/init.d/snowmirror.sh /etc/init.d/snowmirror
-
Make the init script executable:
sudo chmod a+x /etc/init.d/snowmirror
-
Place symlinks in the run-level directories to start and stop this script automatically.
-
For Debian based systems:
update-rc.d snowmirror defaults
-
For RedHat based systems:
chkconfig --add snowmirror
The snowmirror.sh script contains chkconfig settings
-
2.5. What Is Installed
We have described the installation process on both Windows and Linux server. Let’s have a look at files we installed.
File & Directory | Description |
---|---|
/snowMirror.properties |
Main configuration file. Contains a connection to the configuration database and SnowMirror base URL. If you want to know more about setting a different base url or changing port, please see chapter Deployment URL |
/snowMirror-https.jks |
Contains a certificate and a private key. Used when you configure SnowMirror to use HTTPS protocol. |
/run.bat |
Starts SnowMirror on Windows. Used only if a service is not installed. |
/run.sh |
Starts SnowMirror on Linux. |
/shutdown.bat |
Stops SnowMirror on Windows. Used only if a service is not installed. |
/shutdown.sh |
Stops SnowMirror on Linux. |
/Uninstall.exe |
Uninstalls SnowMirror from Windows. |
/Uninstall.info |
Stores data needed for uninstallation. |
/bin |
Contains Apache Tomcat web server. |
/conf |
Apache Tomcat configuration files. |
/jre |
Java runtime environment binaries. |
/lib |
Apache Tomcat classes and libraries. |
/license |
License files. |
/logs |
Folder used for both SnowMirror and Tomcat logs. |
/logs/activityLogs |
Folder used for synchronizations logs. Each synchronization run has its own log file. The files are located by this pattern: <synchronizationId>/<yyyy-MM>/<logId>.log. |
/snow-mirror |
Contains all SnowMirror specific application files like configurations, WAR file, documentation and data directory for embedded H2 database and a folder for mirrored attachments. |
/snow-mirror/data |
When embedded H2 database is used, this folder stores database files. |
/snow-mirror/docs |
Folder contains SnowMirror documentation. |
/snow-mirror/conf |
SnowMirror configuration files. Do not modify. If you need no make a change, modify the main configuration file /snowMirror.properties. |
/snow-mirror/monitor |
Installation files for SnowMirror Monitor. |
/snow-mirror/role |
Update sets which create SnowMirrorAgent role and SnowMirrorRestApiAgent role. |
/snow-mirror/webapp |
SnowMirror war archive. |
/webapps |
Used by Apache Tomcat. |
/work |
Used by Apache Tomcat. |
If you want to make sure no directory is missing or you are not sure how SnowMirror installation should look like, please checkout the following directory structure. We omitted directories nested too deep and all files.
. ├── bin │ ├── experimental │ └── init.d ├── conf │ └── Catalina ├── jre │ ├── bin │ ├── lib │ ├── man │ └── plugin ├── lib ├── logs │ └── activityLogs ├── snow-mirror │ ├── conf │ ├── data │ ├── docs │ ├── license │ ├── monitor │ ├── trusted-certificates │ └── webapp ├── temp │ └── attachment ├── webapps │ └── ROOT └── work └── Catalina
2.6. Uninstall SnowMirror
2.6.1. Windows
-
Go to installation folder.
-
Open Uninstall.exe and follow the instructions.
2.6.2. Windows Silent
-
Open cmd.exe as an Administrator
-
Run "C:\Program Files\SnowMirror\uninstall.bat" I_Agree
(Do you see the I_Agree parameter? That is to confirm that you really want to uninstall SnowMirror.)
2.6.3. Linux
If you have installed SnowMirror manually from an archive file, just follow these steps.
-
Stop SnowMirror
-
Delete "/opt/SnowMirror" directory.
2.6.3.1. Uninstall Linux Service
-
Open a Terminal.
-
Log in as root user.
-
Remove Service:
-
For Debian based systems:
update-rc.d -f snow-mirror remove
-
For RedHat based systems:
chkconfig --del snow-mirror
-
2.7. Post-Installation Steps
Especially in corporate environment, you may be concerned about security. To increase the security of SnowMirror installation, please follow the step below before you go through Configuration Wizard.
-
Enable communication via HTTPS.
-
SnowMirror uses Java. You can upgrade to the latest version and manage updates yourself.
-
SnowMirror uses Apache Tomcat. You can upgrade to the latest version and manage updates yourself.
-
Turn off advanced properties. See details of what they do in another chapter.
2.7.1. Java Upgrade
We upgrade Java regularly. However, we don’t upgrade with every new version. In case you decide to upgrade Java to the latest version yourself, please follow the steps below.
-
Download the latest Java 17 from https://adoptium.net/temurin/releases/?version=17
On Linux, download tar.gz package. On Windows, download ZIP package (not "msi" package).
Download only JDK, not JRE. Use only the latest "11" version. -
Stop SnowMirror
-
Rename "jre" folder to "jre-bak"
-
Unpack the new Java "jre" folder.
-
Import certificates into "cacerts" files:
Linux:
cd /opt/SnowMirror if [ -f "snowMirror.jks" ]; then jre/bin/keytool -importkeystore -srckeystore snowMirror.jks -destkeystore jre/lib/security/cacerts -storepass changeit -srcstorepass changeit -noprompt; fi
Windows:
cd "C:\Program Files\SnowMirror" IF EXIST "snowMirror.jks" jre\bin\keytool -importkeystore -srckeystore snowMirror.jks -destkeystore jre/lib/security/cacerts -storepass changeit -srcstorepass changeit -noprompt
-
Start SnowMirror
2.7.2. Apache Tomcat Upgrade
We upgrade Apache Tomcat regularly. However, we don’t upgrade with every new version. In case you decide to upgrade Apache Tomcat to the latest version yourself, please follow the steps below.
-
Download the latest ZIP package of Tomcat 9: https://tomcat.apache.org/download-90.cgi
-
Stop SnowMirror
-
Rename folders:
-
"bin" → "bin-bak"
-
"conf" → "conf-bak"
-
"lib" → "lib-bak".
-
-
Unpack "bin", "conf" and "lib" folders from the latest Tomcat package.
-
Copy:
-
"bin-bak/setenv.bat" → "bin/setenv.bat"
-
"bin-bak/setenv.sh" → "bin/setenv.sh"
-
"conf-bak/web.xml" → "conf/web.xml"
-
"conf-bak/server.xml" → "conf/server.xml"
-
"lib-bak/tomcat-jasperlistener.jar" → "lib/tomcat-jasperlistener.jar"
-
-
Start SM
3. Running the Setup Wizard
When you access SnowMirror for the first time, you will be redirected to the configuration wizard. It will walk you through basic SnowMirror configuration. Once you finish the Configuration Wizard data will be stored to the database and SnowMirror will be immediately ready to use.
3.1. License
On this page you can provide a license which you received to your mailbox.
3.2. ServiceNow
This page allows you to enter information which SnowMirror uses to create connections to ServiceNow. You can see the most important settings right away. To see the less widely used settings you have to click the Advanced Settings checkbox.
After making changes you should click "Test Connection" button to verify the settings. The button tests whether SnowMirror can create a connection to ServiceNow and whether is is able to access the data it needs. If the tester complains about not having enough privileges to access data you will have to grant us the access directly in your ServiceNow instance.
3.3. Database
Allows you to configure connection to your mirror database where we store data from ServiceNow. We are able to store data into tables in relational database or into files in cloud storage
-
Database:
-
Built-in database (evaluation only) - we store data into a file-based database. Useful only for quick evaluation.
-
My own database server - allows you to connect to your database or cloud storage.
-
-
Database Type: Choose your database vendor or cloud storage. Click on your database vendor to see how to configure it.
-
Relation databases: Amazon Redshift, Azure Synapse, MySQL, Oracle, PostgreSQL, Snowflake, SQL Server
-
Cloud storages: Amazon S3, Azure Storage, Google Storage
-
-
Test Connection button: Click this button to check, whether we can reach the database or cloud storage, authenticate, read and write data.
3.4. SMTP Server
Application allows users to subscribe to synchronization notifications. To deliver email to these users the SMTP server must be configured. If you want to enable notifications please specify URL of SMTP server and credentials. You can test the configuration using Test Connection button.
3.5. Security Realm
SnowMirror provides two authentication options.
-
Internal Database - Users and their credentials are stored in configuration database. You manage the users, their credentials and permissions using Settings page.
-
LDAP - Users and their credentials are stored outside SnowMirror in your company’s LDAP (most usually Active Directory). You manage the users, their credentials and permission in your LDAP.
3.5.1. Internal Database
If you choose an internal database as a security realm you have to create administrator account. You will use these credentials to login into SnowMirror. The account will have all permissions granted.
You can also choose timezone in which all dates will be presented to you. It is a setting of the user interface and does not affect how date are stored in database.
3.5.2. LDAP
If you choose LDAP as a security realm you have to:
-
configure a connection to your LDAP server on this page
-
create SnowMirror roles in your LDAP (see LDAP Groups chapter and LDAP Sample Configuration chapters).
The meaning of all the field is explained in LDAP chapter.
Always use Test connection button to verify your configuration. If you enter an invalid connection information, you lock yourself out, and you will not be able to login and change settings. Look at the screenshot above. We clicked the "Test connection" button, and we were able to login, and the user has a role assigned to him. |
3.6. Summary
Here you can see a summary of all settings. If you want to change the configuration, you can do so by clicking on "Change *" in a particular section.
3.7. Finish
After clicking the "Finish" button SnowMirror stores and processes all the settings. The Login page shows up and SnowMirror is ready to use.
4. Upgrading SnowMirror
If you need to upgrade your ServiceNow instance, you should also upgrade SnowMirror. We always update SnowMirror so that it is compatible with new ServiceNow releases. We announce support for a new ServiceNow release in Release Notes chapter an in our newsletter. For details, see our ServiceNow Upgrade Documentation.
4.1. Windows Installer
If you installed SnowMirror using Windows installer, you can upgrade to a new version using a new version of Windows installer. Before opening the installer, we recommend you to stop SnowMirror. The installer will guide you through the upgrade process, see below.
-
Download the latest SnowMirror Windows Installer and open it. Then simply click Next.
-
License Agreement - to continue with the installation you have to accept license agreement by clicking on "I agree".
-
Selecting the action - select "Upgrade an existing SnowMirror installation" option. The installer automatically fills a folder with SnowMirror installation.
In case you installed SnowMirror to a different location you have to find the folder manually. Click "…" button and "Browse For Folder" window pops up. Navigate to SnowMirror installation folder and click Ok. Once you are back in the original window, just click Next.
-
Summary & Upgrade - review the folder you chose and click Install. When you click Install, the upgrade process begins, and you can’t revert it back.
-
Installing - wait for SnowMirror to upgrade. Progress bar shows you how much work has already been done and how much work is remaining.
-
Finish - when Final screen shows up it means SnowMirror has been upgraded. After clicking on "Finish", SnowMirror is opened in your default web browser.
Are you upgrading from SnowMirror older than 3.6.0 and you have a firewall rule bound to "tomcat7.exe" binary? Then you will have to change the firewall rule - the binary was renamed to "tomcat8" because we upgraded the embedded webserver to the latest version. |
Are you upgrading from SnowMirror older than 4.3.0 and you have a firewall rule bound to "tomcat8.exe" binary? Then you will have to change the firewall rule - the binary was renamed to "tomcat9" because we upgraded the embedded webserver to the latest version. |
Are you upgrading from SnowMirror older than 5.0.0 and you have a firewall rule bound to "tomcat9.exe" binary? Then you will have to change the firewall rule - the binary was renamed to "tomcat10" because we upgraded the embedded webserver to the latest version. |
4.2. Windows Silent Upgrade
If you want to automate SnowMirror upgrade, you can use a silent installer. A silent installer does not have a user interface. Instead, you run it from command line.
To run the upgrade in a silent mode, you have to provide "/S" parameter. Here is how you run it:
start /wait snow-mirror-1.2.3.exe /S /SD IDOK /LicenseAccept=Y /Action=upgrade /Dir="C:\Program Files\SnowMirror"
4.3. Linux
-
Upgrade Java to the latest 17 version. We store Java into /opt/SnowMirror/jre dictionary. If the directory does not exist, we try to use system-default java.
snowMirrorDir="/opt/SnowMirror" jdkUrl="https://api.adoptium.net/v3/binary/latest/17/ga/linux/x64/jdk/hotspot/normal/eclipse" curl "$jdkUrl" -L -o "$snowMirrorDir/temp/jdk.tar.gz" rm -rf "$snowMirrorDir/jre" mkdir "$snowMirrorDir/jre" tar -xvzf "$snowMirrorDir/temp/jdk.tar.gz" -C "$snowMirrorDir/jre" --strip-components=1
-
Download the latest SnowMirror, unpack it and call upgrade.jar.
snowMirrorDir="/opt/SnowMirror" latestSnowMirrorUrl="https://snow-mirror.com/downloads-enterprise/snow-mirror-latest.zip" curl "$latestSnowMirrorUrl" -L -o "$snowMirrorDir/snow-mirror-latest.zip" rm -rf "$snowMirrorDir/temp/new" unzip "$snowMirrorDir/snow-mirror-latest.zip" -d "$snowMirrorDir/temp/new" mv `ls -d "$snowMirrorDir/temp/new/*"` "$snowMirrorDir/temp/new/sm" "$snowMirrorDir/jre/bin/java" -jar "$snowMirrorDir/temp/new/sm/snow-mirror/installation/upgrade.jar" "$snowMirrorDir"
-
If you installed SnowMirror as a service:
Copy a script responsible for starting and stopping SnowMirror init.d directory. Then, make the init script executable.sudo cp /opt/SnowMirror/bin/init.d/snowmirror.sh /etc/init.d/snowmirror sudo chmod a+x /etc/init.d/snowmirror
-
Start SnowMirror
Are you upgrading from SnowMirror older than 3.6.0 and you have changed memory settings in run.sh? Please move your memory settings to snowMirror.properties file. By default, SnowMirror is allowed to use up to 2 gigabytes of memory. |
4.4. Upgrading Java And Tomcat
We upgrade Java (on Windows) and Apache Tomcat (on Windows and Linux) regularly. However, we don’t upgrade with every new Java or Tomcat version. In case that is an issue for you, you can upgrade Java and Tomcat yourself.
In case you decided to upgrade Java and Tomcat to the latest versions yourself, please follow the steps below.
5. SnowMirror High Availability Cluster
License: Trial: ✓, Lite: N/A, Enterprise: N/A, Cluster: ✓
Every server (including applications running on that server) faces the potential threat of failure. SnowMirror understands how important it is for customers to have their data up-to-date without interruptions. Therefore, SnowMirror comes with a support for high availability cluster (HA).
5.1. High Availability Cluster
A high availability cluster is a group of computers which run the same application (SnowMirror). When one server fails, there is still the second one which can do all the work. Because of that, the potential downtime is reduced to a minimum.
SnowMirror can be installed on several servers. All the SnowMirror installations connect to the same configuration and mirror database.
If you create a synchronization on the first SnowMirror installation, the second SnowMirror installation will see the synchronization. Why? That’s because all the installations use the same configuration database.
5.2. Installation
Prerequisites:
-
Have two or more servers up and running.
-
Have empty databases prepared - one for configuration meta-data, the second one for the data itself. You must not use H2 embedded database.
-
Have a network drive prepared so that both servers can store activity logs to the same folder.
5.2.1. Windows
-
Install the first SnowMirror to the first server.
-
Choose Custom installation.
-
On Host and ports page choose an installation name. This name uniquely identifies the installation. Every installation should have a different name.
-
On Host and ports page leave Installation Id empty.
-
After installation finishes, open SnowMirror in your web browser and configure SnowMirror (license, ServiceNow instance, mirror database, etc.).
-
-
Open SnowMirror in your web browser. Go to Settings → General Settings → Directories. Set the directories to point to a shared network drive which both installations can access.
Please use UNC path on Windows machines. That is the path beginning with two backslashes. E.g. \\YourServer\SnowMirror\activityLogs
-
Install the second SnowMirror to the second server.
-
Choose the same connection to the configuration database as you used on the first installation.
-
On Host and ports page choose an installation name. This name uniquely identifies the installation. Every installation should have a different name.
-
On Host and ports page fill in Installation Id field. Open "snow-mirror/data/installationId" file on the first installation and copy its contents to this field. This is necessary so that both installations encrypt passwords using the same key.
-
If you make a configuration change later on, you have to restart both SnowMirror installations. |
5.2.2. Linux
-
Install the first SnowMirror to the first server.
-
After installation finishes, open snowMirror.properties file and choose an installation name using "snowMirror.installation.name" property. Every installation should have a different name.
-
After installation finishes, open SnowMirror in your web browser and configure SnowMirror (license, ServiceNow instance, mirror database, etc.).
-
-
Open SnowMirror in your web browser. Go to Settings → General Settings → Directories. Set the directories to point to a shared network drive which both installations can access.
-
Install the second SnowMirror to the second server.
-
Choose the same connection to the configuration database as you used on the first installation.
-
Copy "snow-mirror/data/installationId" from the first installation and store it to "snow-mirror/data/installationId" on the second server. This is necessary so that both installations encrypt passwords using the same key.
-
After installation finishes, open snowMirror.properties file and choose an installation name using "snowMirror.installation.name" property. Every installation should have a different name.
-
-
Restart both SnowMirror installations.
If you make a configuration change later on, you have to restart both SnowMirror installations. |
5.3. Installation Types
Every installation is of a specific type. The first installation is Active. Every subsequent installation is Passive.
-
Active - This installation should execute synchronizations.
-
Passive - This installation should execute synchronizations only if no Active installation is running. Let’s say that a server with an Active installation crashes. A passive installation takes over and starts to execute synchronizations. When an Active installation is up-and-running again, the Passive installation stops executing synchronizations.
You can choose which installation is Active or Passive in Settings → General Settings → SnowMirror Cluster page.
5.3.1. Active - Passive
This is the default and recommended setup. One installation is Active and the second one is Passive. No additional settings is required.
Only one (the Active) installation is running the synchronizations. The second one is waiting and kicks in only if the first installation crashes and stops talking to the configuration database.
5.3.2. Active - Active
If you decide to set both installations as Active you have to consider how it will impact the performance of your ServiceNow instance. With Active-Active setup you can easily overload your ServiceNow instance.
Both installations run the synchronizations and therefore they utilize more ServiceNow resources. Let’s look at all the important properties you may have to tweak.
Node Count - each installation will connect to up to Node Count of ServiceNow nodes. Both installations may use the same ServiceNow nodes.
Sessions Per Node Count - each installation will create up to Sessions Per Node Count of session per ServiceNow node. With two Active installations in place, SnowMirror can create up to 2 * Sessions Per Node Count sessions per ServiceNow node.
Synchronizations Count - this property is shared among your installations. SnowMirror will not run more that Synchronizations Count number of synchronization in parallel.
Worker Threads Count - each installation will have its own worker threads. With two Active installations in place, SnowMirror can issue up to 2 * Worker Threads Count requests at the same time. This is where you can possibly overload your ServiceNow instance.
HTTP Connections Count - each installation will have its own connection. With two Active installations in place, SnowMirror will create up to 2 * HTTP Connections Count HTTP connections
You can tackle the overload issue by setting the appropriate properties (Sessions Per Node Count, Worker Threads Count, HTTP Connections Count) to two times smaller values.
On the downside, if only one synchronization is running it have a smaller number of threads available. Therefore, it is not as fast as possible. If at least two synchronizations are running in parallel, such a problem does not exist.
5.4. FAQ
I have two SnowMirror installations on two servers. Does that mean they execute more synchronizations in parallel?
This depends on the configuration.
-
In Active-Passive mode, only one installation is running the synchronizations at the same time. If you want to increase the number, you have to change "snowMirror.quartz.threadCount" advanced property and increase a memory available to your SnowMirror.
-
In Active-Active mode, the number of synchronizations stays the same, but they can utilize more resources. See Installation Types chapter for details.
Where do I find my activity logs?
By default, each SnowMirror installation stores the activity logs to its "<SnowMirror Installation Folder>\logs\activityLogs\" folder. That does not work in clustered environment. You have to set the activity logs folder to a network folder which both servers can access. See the image below.
How do I know which server was used to run the synchronization?
Open an activity log of your synchronization and search for a computer name. See the image below.
6. Settings
6.1. Profile Settings
In Profile Settings page you can see your roles and permissions. You can choose a timezone in which SnowMirror will present dates and times. Note that this settings will affect only your user account.
You can also choose a new password by clicking Change Password button and following a subsequent form.
6.2. Notification Management
To track synchronizations, you can add notifications. SnowMirror provides notifications for user-specified synchronizations when their run fails or the resulting state changes. Each notification can have its own set of tracked synchronizations and recipient email address.
6.2.1. Configure SMTP Server
For SnowMirror to be able to send notifications SMTP server has to be configured. On the page Settings / Notifications Management / SMTP Server you can specify its URL, port and credentials and security option.
Security option defines if and how the communication with SMTP server is encrypted:
-
None - No encryption on the outgoing emails. They will be sent as plain as day between SnowMirror and the server.
-
STARTTLS - SnowMirror will ask the SMTP server if it is possible to send data using TLS. If so, it will use the secure method. If not, data will be sent unencrypted.
-
Office 365 - Use this option. Office 365 requests encrypted connection when STARTTLS is being used.
-
-
SSL/TLS - SnowMirror will send data to SMTP server using encrypted connection. Data is never send unencrypted. This is the most secure method.
At the bottom of the page there is a button called Test Connection. It validates the configuration and send testing email to the email address you provide it the dialog window.
6.2.2. Create a New Notification
To create a new notification you need to provide an e-mail address. You can also choose specific synchronization you want to be informed about. If you want to receive information about all synchronizations, leave the Synchronization column on default All Synchronization option.
6.2.3. Delete Notification
All added notifications are in a notification table. To cancel sending of notifications you can delete them by selecting a checkbox next to desired email address and clicking on Delete button.
6.2.4. Notification Types
Let’s look at the events you may be notified about.
-
Every state change - you will be notified whenever a state of a synchronization changes (including a successful result of the very first synchronization).
-
All failed, all warnings, first successful - whenever a synchronization fails or finishes with a warning you will be notified. When you fix it, we will send another notification.
-
All failed, first warning, first successful - whenever a synchronization fails you will be notified. If it finishes with a warning we will notify you only once… why would we send it multiple times, you already know about the warning. When you fix it, we will send another notification.
-
All failed, no warning, first successfulsince 4.9.0 - whenever a synchronization fails you will be notified. If it finishes with a warning, we won’t notify you at all. When you fix a failed synchronization, we will send another notification.
-
First failed, first warning, first successfulsince 4.10.0 - when a synchronization fails, we will notify you. If the next synchronization fails again, we won’t notify you - you already know about the failure. If it finishes with a warning we will notify you only once… why would we send it multiple times, you already know about the warning. When you fix it, we will send another notification.
-
First failed, no warning, first successfulsince 4.9.0 - when a synchronization fails after a successful synchronization, you will be notified. If it finishes with a warning we won’t notify you at all. When you fix a failed synchronization, we will send another notification.
-
Every synchronization run - You will be notified after every synchronization run no matter if it succeeded or failed.
-
Schema change - if you add this type of notification SnowMirror will check if a schema of a table (new columns, deleted column, …) changed. If so, you will get a notification. SnowMirror won’t update the schema in mirror database unless you enable Auto Schema Update.
6.3. User Management
User Management page allows you to configure which users will be allowed to log in and which permissions will be assigned to them. Only users with Synchronization administrator role can change these settings.
6.3.1. Security Realms
SnowMirror provides three authentication options.
-
Internal Database - Users and their credentials are stored in configuration database. You manage the users, their credentials and permissions using Settings page.
-
LDAP - Users and their credentials are stored outside SnowMirror in your company’s LDAP (most usually Active Directory). You manage the users, their credentials and permission in your LDAP.
-
SSO - Single Sing-On using SAML 2.0
To configure which security realm you want to use, go to Setting → User Management and click the "Configure Security Realm" button.
6.3.2. Internal Database
Choose "Internal Database" in the Security Realm field. Then, don’t forget to create a user Create a New User with administrator permissions before you log out. Otherwise, you’d lock yourself out and would not be able to login and change settings.
6.3.3. LDAP
LDAP configuration is a bit more complicated than Internal database so let’s look at all the attributes in detail.
Field | Description |
---|---|
Server |
URL of your LDAP server. For example: myLdapServer.snow-mirror.com If your LDAP server uses a port other than default 389 (i.e. standard LDAP port), you can also append a port number. For example: myLdapServer.snow-mirror.com:1234 To connect to LDAP over SSL, specify it with the ldaps:// protocol. For example: ldaps://myLdapServer.snow-mirror.com If your LDAP over SSL uses a port other than default 636 (i.e. standard LDAPS port), you can also append a port number. For example: ldaps://myLdapServer.snow-mirror.com:1234 Commonly used ports:
|
Manager DN |
If your LDAP server does not support anonymous binding (i.e. it does not allow you to send a query without authentication), then you have to provide Manager credentials. SnowMirror will authenticate using these credentials and will query for user and group data using this account. |
Manager Password |
Password of the user from Manager DN field. |
Root DN |
LDAP is basically a tree. If empty, we will search the whole three. To improve performance you can specify the base DN - i.e. subtree. Then we will search only in this subtree. For example: DN=myServer,DN=com |
User Search Base |
Where in LDAP tree to search for users. |
User Search Filter |
The query used for finding users by their username. |
Group Search Base |
Where in LDAP tree to search for group your users belong to. |
Group Search Filter |
Looks for LDAP groups to which a user belongs to. |
Group Role Attribute |
The ID of the attribute which contains the role name for a group. Default value: cn |
After you fill in all the fields, you should test your configuration using "Test Connection" button. This is really important because if the configuration is invalid you would lock yourself out and won’t be able to login to SnowMirror at all.
After Test connection popup window opens, provide credentials of the user you will use to log in to SnowMirror. We will test if the user can log in and what permissions are assigned to him.
If everything went fine, you will see a green message. If something goes wrong, we print an error message.
6.3.3.1. LDAP Groups
To be able to work with SnowMirror you have to create groups in your LDAP and assign user to them.
You have to create following groups. Names of the groups match the names of SnowMirror roles. Their meaning is explained in User Manual.
-
SUPER_ADMINISTRATOR
-
SYNCHRONIZATION_ADMINISTRATOR
-
SYNCHRONIZATION_SUPERVISOR
-
API_CALLER
-
SYNCHRONIZATION_READER
Choosing Your Own Group Names
If you don’t want to create groups with these exact names, you can choose your own names.
Open "Settings → Advanced Settings" page and modify following properties so that their values match names of your LDAP groups:
-
snowMirror.auth.ldap.role.mapping.SUPER_ADMINISTRATOR
-
snowMirror.auth.ldap.role.mapping.SYNCHRONIZATION_ADMINISTRATOR
-
snowMirror.auth.ldap.role.mapping.SYNCHRONIZATION_SUPERVISOR
-
snowMirror.auth.ldap.role.mapping.API_CALLER
-
snowMirror.auth.ldap.role.mapping.SYNCHRONIZATION_READER
Fallback Role
SnowMirror does not allow users to login if they have no role assigned. This behavior is configurable - if a user does not have any role, you can assign him a default role.
You can do that by putting SnowMirror role name into "snowMirror.auth.ldap.role.fallbackRoles" advanced property.
6.3.3.2. Sample LDAP Configuration
It does not matter where in LDAP tree you create the groups. See an example from our testing LDAP server:
We have two users in our company. We have created the groups inside "ou=People" subtree.
Let’s look at the detail of SYNCHRONIZATION_ADMINISTRATOR group. See the member attribute? In this example, Michael Stipe was assigned to this group. When he logs in, he is able to do all the action super administrators can do.
6.3.4. Single Sing-On (SSO)
SnowMirror supports Single Sing-On over SAML 2.0 protocol and Web SSO profile.
6.3.4.1. Prerequisites
-
You have your own Identity Provider (IdP) up and running.
-
SnowMirror has to run on HTTPS.
-
You use SnowMirror 4.10.0 and later.
6.3.4.2. Dictionary
-
IdP: Identity Provider is an application which authenticates users (for example Microsoft Azure AD)
-
SP: Service Provider is an application which delegates authentication to IdP. SnowMirror is a service provider.
-
Entity Id: Unique identification of an application in IdP and SP.
6.3.4.3. Setup
-
IdP: Register SnowMirror as a new service provider. The service provider is sometimes referred to as a client. By default, SnowMirror’s Entity Id (sometimes referred to as "Client Id" or "Service Provider Name") is SnowMirror but you can choose whatever name you want.
-
IdP: locate IDPSSODescriptor. The location is IdP-specific. See documentation of your IdP to learn where to find it.
IDPSSODescriptor describes the IdP server:
-
URLs where to reach the IdP
-
Information whether SnowMirror should sign requests
-
Public key of the IdP (which allows SnowMirror to verify IdP’s signatures)
See sample IDPSSODescriptor. You cannot use this sample in your SnowMirror installation. Instead, you have to get your own from your IdP. The sample should give you an idea what kind of file SnowMirror needs.
-
-
SnowMirror: Configure SnowMirror to use SSO. Go to Settings → User Management → Security Realm page and choose "SSO" as a "Security Realm"
-
Entity Id: You have registered SnowMirror in your IdP. Please use the same name here. Default value is SnowMirror.
-
IdP Metadata: Copy and paste the IDPSSODescriptor from step 2. Note that if you change a configuration in IdP the "IDPSSODescriptor" may change too. Always make sure SnowMirror uses up-to-date descriptor.
-
Internal Realm: When enabled you can log in using credentials from internal database. We recommend you to have Internal Realm enabled until you successfully finished SSO configuration.
-
Enabled - besides SSO, you can log in on /sideDoor page using credentials from the configuration database. This is especially useful when you’re testing SSO configuration. If the SSO configuration is invalid, you can still log in using the configuration database credentials and you won’t get locked out.
-
Disabled - you can log in only using SSO. If the SSO configuration is invalid, you are locked out.
-
-
Roles Source: A location where you define and assign roles to your users.
-
SnowMirror - roles are defined and assigned in SnowMirror.
-
Identity Provider - roles are defined and assigned in your Identity Provider (Azure, Okta, etc.).
-
-
Role Attribute Name: A name of SAML attribute that contains user groups assigned in identity provider.
-
Not empty - we will look for the groups only in this attribute.
-
Empty - we will try to figure it out ourselves. We will search the following attributes: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups, Groups, groups, Role, role
-
-
Once the configuration is finished and saved, SSO endpoints are made public and metadata file is generated.
The configuration page in SnowMirror does not contain any "Test Connection" button. It may be convenient to be logged-in in one browser using credentials from configuration database and test the configuration in another browser (not just a tab). This way you’re always logged-in in one browser and you use the second one for testing.
-
-
IdP: Finish the configuration you started in the first step. Use the information below.
-
SnowMirror’s Metadata file (https://your-snowmirror-server:9443/saml/metadata): The file describes SnowMirror’s SAML configuration. It contains URL where to reach SnowMirror. It also contains SnowMirror’s public signing and encryption keys. IdP can use the keys to verify signatures and to encrypt SAML assertions.
-
Assertion Consumer URL (https://your-snowmirror-server:9443/saml/SSO): This endpoint processes SAML messages.
-
Logout Service URL (https://your-snowmirror-server:9443/saml/SingleLogout): Allows the user to logout from SnowMirror and IdP.
-
6.3.4.4. Advanced Settings
Using Your Own Signing And Encryption Keys
SnowMirror contains a certificate (a pair of public and private keys). It uses it to sign SAML messages and encrypt assertions.
Signing key*: A pair of public and private key. SnowMirror uses the private key to sign data. IdP uses the public key to verify the signature. IdP knows the public key because it is available on "/saml/metadata" page.
Encryption key: A pair of public and private key. IdP uses the public key to encrypt assertions (it knows the public key because it is available on "/saml/metadata" page). SnowMirror decrypts the assertions with the private key.
If you need to use a different certificate, you can:
-
Download and install Keystore Explorer http://keystore-explorer.org/downloads.html. Keystore Explorer is a 3rd party tool which allows you to import keys and certificates. You could use a command-line "keytool" which is bundled with SnowMirror but Keystore Explorer is simpler to use.
-
Open snow-mirror/data/sso/samlKeystore.jks in KeyStore Explorer and import signing key/certificate pair (they’re bundled in one file). Then import encryption key/certificate pair. Use "snowmirror-sso" as alias. Use default password "changeit".
-
Reload SSO configuration: Go to Settings → User Management → Configure Security Realm → Click Save button
ADFS
If you use ADFS (Active Directory Federation Services) you have to configure SnowMirror and ADFS as follows:
-
ADFS: Add NameID as "Claim rule name", choose "Active Directory" as Attribute store, choose "SAM-Account-Name" as LDAP Attribute and "Name ID" as "Outgoing claim type", finish the wizard and confirm the claim rules window, in ADFS 3.0 you might need to configure the Name ID as a Pass Through claim.
How To Configure Cluster
This chapter is intended for owners of Cluster license. If you have a Cluster license, you have multiple SnowMirror installations (nodes) using the same configuration database.
Following properties must be configured separately for each node: Entity Id.
If you log into the first node and open Settings → User Management → Security Realm page you can configure Entity Id of that node. If you log in to the second node, you configure the second node.
Properties other than Entity Id are shared between the nodes, and it does not matter from which node you configure them.
You should restart SnowMirror after you make a change. That is necessary so that both nodes are properly initialized and aware of that change.
6.3.5. Create a New User
If you use Internal database security realm, you can create a new user. You have to provide its username, password, timezone and roles. See User Roles chapter so that you can decide which role you want to assign to the user. There is usually no need to add more than one role (except for the API Caller role).
6.3.6. User Detail
On user detail page you can see user’s information summary - his or hers username, selected timezone, roles and permissions.
Permissions are here just for your information and can’t be altered. They are connected to user’s role not the user itself. |
6.3.6.1. Edit User
On edit page you can edit username, selected timezone and user’s role (See User Roles). If you need to change user’s password, see Change Password Section.
6.3.6.2. Activate/Deactivate
The user’s account can be deactivated by clicking on Deactivate button. After that, the user is no longer able to log in. The account can be reactivated by clicking on Activate button.
6.3.6.3. Change Password
On this page you can set the password to any user. You can find it helpful when someone forgets the password and needs a new one.
6.4. General Settings
6.4.1. Cache Management
On the background, SnowMirror downloads meta-data about tables (names, columns, data-types, etc.). For better performance, it caches the meta-data so that it does not have to connect to ServiceNow every time it needs it.
To clear the cache manually, go to Settings menu, choose General Settings and click on Clear All Caches button.
6.4.2. General
-
Use Temporary Tables - This setting applies only to Clean And Synchronize. It can also be configured per synchronization on Advanced Settings page.
-
No - Cleans all data in target table and then re-downloads them from scratch. If the table is large, it may take a while to download everything from scratch.
In SnowMirror < 4.9.0, this option was called "Disabled".
-
Yes (rename table) - SnowMirror downloads all data to a temporary table. After the synchronization finishes, it removes the original table and replaces it with the temporary table. This feature allows you to have all your data available during a long clean synchronization. On the other hand, you will lose all your custom permissions defined on the target table.
In SnowMirror < 4.9.0, this option was called "Enabled".
-
Yes (copy data)since 4.9.0 - SnowMirror downloads all data to a temporary table. After the synchronization finishes, it deletes all data from the target table and copy the data there. This feature allows you to have all your data available during a long clean synchronization. You will not lose any custom permissions defined on the target table. On the other hand, this option is slower than "Yes (rename table)."
-
-
Synchronize Indexes - Enables/disables support for replication of database indexes. Available only in Enterprise edition or higher.
It can also be configured per synchronization on Advanced Settings page.
-
Archiving Support - Enables/disables support for Data Archiving Plugin. If enabled, SnowMirror checks for deleted records in sys_archive_log.
-
Records Delete - SnowMirror is able to find out when a record is deleted in ServiceNow and then delete it in your mirror database. Records Delete allows you to choose how to delete the record.
-
Hard - record is irreversibly deleted from mirror database.
-
Soft - record is not deleted and "mirror_deleted_on" column is filled in. The column contains date and time when SnowMirror found out it was deleted.
SnowMirror deletes all records (including soft-deleted records) in case:
-
Clean and synchronize is called
-
Truncate delete strategy is used
-
A new column is added using Auto Schema Update
If you switch from Soft to Hard, "mirror_delete_on" column will be dropped during the next synchronization run.
This settings can also be configured per synchronization on Advanced Settings page.
-
-
6.4.3. Activity Log Retention
Activity Log Retention removes old activity logs after the specified number of days (30 days by default). It removes activity logs from both configuration database and file system. Removing logs from file system saves you disc storage whereas removing logs from configuration database improves its performance. This is particularly true if you have a lot of synchronizations running very often.
If you are upgrading from SnowMirror < 3.2.0, this feature is disabled. On new installations it is enabled. You can change the settings on General Settings page.
-
Enabled - enable or disable activity log retention
-
Cleanup database - you may choose to remove the logs from configuration database or leave them there intact
-
Retention period - how many days you want to keep the activity logs intact
6.4.4. Consistency Check
Allows you to configure consistency check. On fresh installations the consistency check is enabled by default. On existing installations it is disabled.
Make sure you have enabled Aggregate Web Service plugin in ServiceNow. Without the plugin SnowMirror won’t be able to count records in ServiceNow and therefore it won’t perform the consistency check. |
-
Consistency Check - enable or disable consistency check
-
Issue Warnings - If enabled SnowMirror will set status of a synchronization to Warning if it contains suspicious number of records in mirror database. If disabled a result of the consistency will be only written to the activity log, and the synchronization will be marked as successful.
6.4.5. Data Processing
-
Skip Failing Records - If enabled SnowMirror will skip the records which it failed to insert or update. If that happens, the synchronization will finish with a warning (you can configure notifications not to miss any warning).
If SnowMirror skipped a record you have to analyze the root cause of the issue and fix it. Then you download the missing records using Differential synchronization, Synchronize from or Clean and synchronize.
-
Limit - There is a limit of how many records will SnowMirror skip at maximum. Let’s say you have a table with hundreds of thousands records and SnowMirror fails to insert all of them. Then you want the synchronization to fail also because there must be a global issue (like failing database connection, permissions in ServiceNow, etc.). On the other hand if just one record fails then you want to end up with a warning and fix the one records separately.
-
Data Truncationsince 4.9.0 - If enabled SnowMirror truncates large String values so that they fit into database columns.
-
Missing Columns Warning - If enabled a synchronization ends up in a warning status when ServiceNow does not return all columns.
6.4.6. Check Updates
-
Diff Check Updates - Controls how differential synchronization check updated records.
-
Yes - checks for updated records
-
No - does not check updated records
-
-
Database Check Updates - Controls which records can be updated.
-
Yes - updates only those records whose sys_updated_on column is greater than the one in mirror database
-
No - updates all downloaded records regardless its sys_updated_on column value
-
6.4.7. Auto Schema Update
-
Use Default Value - When Auto Schema Update is Enabled (no truncation) new columns are created. This option allows you to choose how to treat new columns.
-
Yes - SnowMirror fills in default value from sys_dictionary into new columns.
-
No - SnowMirror does not fill in default value. New columns are left empty.
-
6.4.8. Audit Log
Snow Mirror keeps an audit log of important events. This option allows you to control which events should SnowMirror audit.
-
Sync. Errors And Warnings - controls what should be logged into AuditEventLog table.
-
Enabled - When a synchronization produces a warning or an error, SnowMirror logs it into AuditEventLog table.
-
Disabled - SnowMirror does not log errors and warnings into AuditEventLog table.
-
6.4.9. Directories
Directories allow you to change directories where attachments, backups and activity logs are stored. Note, that SnowMirror does not move any files after changing the paths.
6.4.10. Timezone Settings
By default, SnowMirror stores data to mirror database in UTC. UTC is the most convenient and recommended way to store dates and times especially if your organization spans across several timezones. If you need to access and see date and time fields formatted in specific time zone, SnowMirror provides two ways to achieve that:
-
Mirror Data Time Zone - select a timezone of your choice. SnowMirror still receives dates and times from ServiceNow in UTC but when storing them to database it converts them to the timezone of your choice.
-
Timezone Data Types - If you enable this option you will force SnowMirror to use following data types for storage:
-
Oracle - timestamp with local time zone
-
PostgreSQL - timestamp with time zone
-
MySQL - timestamp
-
Embedded H2 - datetime
-
SQL Server - datetimeoffset
Internally dates and times are stored in UTC (MySQL, SQL Server, PostgreSQL) or in database timezone (Oracle). Every time you request the data using SQL they are converted to user local session time zone you chose when creating a connection to mirror database. This does not work in SQL Server where you have to convert the dates from UTC to other time zones manually.
Also note that you have to drop existing table for this option to work properly - SnowMirror needs to recreate the table with the proper data type.
-
6.4.11. SnowMirror Cluster
Allows you to change a type of SnowMirror installation you are currently working on.
-
Installation Name - This name identifies SnowMirror installation. The name is stored in snowMirror.properties files. It can be changed in that file (restart required).
-
Installation Type - Defines how the installation should behave.
-
Active - This installation should execute synchronizations.
-
Passive - this installation should execute synchronizations only if no Active installation is running. Let’s say that a server with an Active installation crashes. A passive installation takes over and starts to execute synchronizations. When an Active installation is up-and-running again, the Passive installation stops executing synchronizations.
-
The change of the Type is automatically picked up by SnowMirror in a few minutes.
6.5. License
On this page you can see basic information about current license.
If you click the Enter License button, you can enter a new valid license key. This action overrides the old license key if any is present.
6.5.1. License key
License key is generated string (about 600 characters long) which includes information about SnowMirror application. If you don’t have a license, you can get a trial key on our website.
6.6. ServiceNow
This page allows you to enter information which SnowMirror uses to create connections to ServiceNow. You can see the most important settings right away. To see the less widely used settings you have to click the Advanced Settings checkbox.
After making changes you should click "Test Connection" button to verify the settings. The button tests whether SnowMirror can create a connection to ServiceNow and whether is is able to access the data it needs. If the tester complains about not having enough privileges to access data you will have to grant us the access directly in your ServiceNow instance.
Fields
-
Instance Host - URL of your ServiceNow instance.
Example: guidevisiondemo6.service-now.com
If you do not have access to your own instance you can use our demo instance for evaluation.
-
Host: guidevisiondemo6.service-now.com
-
Username: snowmirror
-
Password: snowmirror
-
-
Username - Username of the account used for logging into ServiceNow.
-
Password - Password to the user account used for logging into ServiceNow.
-
API - API to be used for communication with ServiceNow. See SOAP API and REST API comparison.
-
Advanced Settings - Shows or hides Advanced Settings section.
-
Checked - shows Advanced Settings section
-
Unchecked - hides Advanced Settings section
-
-
Use Proxy - If your company uses a proxy server to access the internet please check the checkbox and provide us with information about the proxy server.
-
Proxy Host - Name of the proxy server.
-
Proxy Port - Port of the proxy server.
-
Proxy Username - Username to use to login to the proxy server. Leave it empty if your proxy server does not require authentication.
-
Proxy Password - Password to use to login to the proxy server. Leave it empty if your proxy server does not require authentication.
-
Authentication - An authentication protocol to use to authenticate to ServiceNow.
-
Basic - use Basic Access Authentication protocol. Credentials are sent over to ServiceNow with every HTTPS request.
-
OAuth2since 4.7.0 - use OAuth2 protocol. Credentials are sent over to ServiceNow only once so that SnowMirror can retrieve an access token. Only REST API supports OAuth2.
-
-
Flow - OAuth Flow
-
Resource Owner Password Credentials - use this one when you use ServiceNow as a token provider. Requires user credentials.
-
Client Credentialssince 4.9.5 - This OAuth2 flow does not require user credentials.
-
-
Client Id - Client Id is 32-characters long identifier which uniquely identifies SnowMirror in ServiceNow.
Where to find Client Id:
-
Login to ServiceNow
-
Go to "System OAuth" → "Application Registry".
-
Register SnowMirror there (only if you haven’t done that already).
-
Open the detail page of SnowMirror registration.
-
See the value of "Client ID" field. That is your Client Id.
-
-
Client Secret - Client Secret is a password which OAuth2 protocol uses to retrieve access tokens.
Where to find Client Secret:
-
Login to ServiceNow
-
Go to "System OAuth" → "Application Registry".
-
Register SnowMirror there (only if you haven’t done that already).
-
Open the detail page of SnowMirror registration.
-
Look at the "Client Secret" field, its value is encrypted. Click the "lock" icon to see it decrypted - that is your Client Secret.
-
-
Token Provider - An address of the server which issues tokens.
-
ServiceNow is your token provider - set this to oauth_token.do
-
If you use token provider other than ServiceNow, set this to an absolute URL of your token provider. The address must start with https://
-
Scope - An optional OAuth2 scope. If you use ServiceNow as a token provider, leave this empty. If you use some other token provider, you may have to define this scope.
-
-
SnowMirror Monitor Enabled - SnowMirror can push information about synchronizations to ServiceNow. You should enable this only if you already installed SnowMirror Monitor into ServiceNow.
SnowMirror Monitor is an optional feature.
-
Checked - SnowMirror Monitor is enabled, i.e. information about synchronization will be sent to ServiceNow.
-
Unchecked - SnowMirror Monitor is disabled, i.e. no information will be sent to ServiceNow.
-
-
Read Replica Statesince 4.11.0 - Internally, ServiceNow maintains a copy their database for read-only queries. You can configure SnowMirror to request data from these read-only replicas. That may improve a performance of your ServiceNow instance.
-
Enabled - SnowMirror will request the data from read-only replica. The name of the replica must be provided in Read Replica Name field.
-
Disabled - SnowMirror will not read data from read-only replica.
Synchronizations can overwrite this configuration.
-
-
Read Replica Namesince 4.11.0 - Internally, ServiceNow maintains a copy their database for read-only queries. You can configure SnowMirror to request data from these read-only replicas. That may improve a performance of your ServiceNow instance.
In this field, you can provide the name of your read-only replica. Synchronizations can overwrite this configuration.
Buttons
-
Save - Saves the changes. Resets and re-initializes all connections to ServiceNow. Therefore, currently running synchronizations may fail.
-
Test Connection - Verifies the settings.
6.7. Mirror Database
Allows you to configure connection to your mirror database where we store data from ServiceNow. We are able to store data into tables in relational database or into files in cloud storage
If your license supports it, you can configure multiple database connections simultaneously.since 5.7.0
-
Database:
-
Built-in database (evaluation only) - we store data into a file-based database. Useful only for quick evaluation.
-
My own database server - allows you to connect to your database or cloud storage.
-
-
Database Type: Choose your database vendor or cloud storage.
-
Relation databases: Amazon Redshift, Azure Synapse, MySQL, Oracle, PostgreSQL, Snowflake, SQL Server
-
Cloud storages: Amazon S3, Azure Storage, Google Storage
-
-
Test Connection button: Click this button to check, whether we can reach the database or cloud storage, authenticate, read and write data.
6.7.1. Amazon Redshift
SnowMirror needs access to both the database and cloud storage. First, we store the data into CSV files. Then, we load it into database table.
-
Database
-
Server - Address of your database server without a port. An example: snowmirror.000000000000.eu-central-1.redshift-serverless.amazonaws.com
-
Port - Port number on which the database is available. By default, it is 5439.
-
Database - Name of your database.
-
Schema - Name of your database schema
-
Username - A username to use to access the database.
-
Password - Password to use to access the database.
-
Require SSL - Communication with Redshift is always encrypted.
-
-
S3 Storage Account
-
AWS Access Key Id - Access key provides SnowMirror with access to your Amazon S3 storage.
-
A user account: In AWS console, open "IAM" page → Users → Click "Add users" and create a new user with permissions to read and write files to S3 storage.
-
Access Key: Open AWS console → "IAM" → Users → Choose your user → Security credentials → Access keys → Create access key
See AWS documentation for details.
-
-
AWS Secret Access Key - Secret Access key provides SnowMirror with access to your Amazon S3 storage.
-
Access Key: Open AWS console → "IAM" → Users → Choose your user → Security credentials → Access keys → Create access key
See AWS documentation for details.
-
-
-
Authenticate using IAM Roles
-
If SnowMirror is running on an EC2 instance, you can use IAM Roles for authentication. Otherwise, stick with access keys.
-
Please ensure that a role with the appropriate S3 bucket privileges is attached to this EC2 instance.
-
In the AWS console, open the "IAM" page → Roles → Click "Create role". Select an AWS Service, and then choose EC2 under Use Case. Create a custom policy in the permissions section that provides the minimum required permissions to access your S3 bucket.
-
Open the EC2 console → Instances → Choose the instance where SnowMirror is running → Actions → Security → Modify IAM role. Attach the created role to this instance.
See AWS documentation for details.
-
S3 Bucket Name - A bucket is a folder where we store your data.
To create a bucket, please open AWS console → Open S3 → Click Create bucket
-
Region - Every bucket is located in some data center. Please choose the region where your bucket is located so that we know where to connect.
-
Use Proxy - We communicate with Amazon S3 using HTTPS protocol. At some companies, you need to route this communication through a proxy server.
-
Proxy Host - An address of your proxy server
-
Proxy Port - A port number on which the proxy server runs
-
Proxy Username - Some proxy servers are secured with credentials. You may provide a username here.
-
Proxy Password - Some proxy servers are secured with credentials. You may provide a password here.
-
-
6.7.2. Synapse Specific Settings
SnowMirror needs access to both the database and cloud storage. First, we store the data into CSV files. Then, we load it into database table.
Database
* Server - Address of your database server without a port. An example: yourserver.sql.azuresynapse.net
* Port - Port number on which the database is available. By default, it is 1433.
* Instance - A name of your SQL Server Instance. You should provide either instance name or a port.
* Database - Name of your database.
* Schema - Name of your database schema
* Username - A username to use to access the database.
* Password - Password to use to access the database.
* *Require SSL - Communication with Redshift is always encrypted.
-
Use Unicodesince 4.3.7 - Allows you to choose how to store strings into database.
-
Checked - SnowMirror stores data into database using unicode character set. Text fields are stored into nvarchar data type.
-
Not Checked - SnowMirror stores data into database using a character set chosen during database creation. Text fields are stored into varchar data type.
If you change Use Unicode settings, SnowMirror will not change existing tables. If you want to change the data type in existing table you have to: 1) delete and recreate affected synchronizations. 2) or change the types manually on Edit Mappings page.
-
Azure Storage Account
-
Azure Account Name - Name of your Azure Storage Account. To find out your account name:
-
Login to Azure Portal
-
Open detail of your Storage account
-
Click Access Keys
-
Find your name in Storage account name field.
-
-
You have several options how to authenticate against Azure. since 5.7.0 If SnowMirror is running in an Azure Container Instance, you can use Managed Identity for authentication. Otherwise, use access key or SAS token.
-
Azure Access Key - Access key allows SnowMirror to authenticate against Azure. To find out your access key:
-
Login to Azure Portal
-
Open detail of your Storage account
-
Click Access Keys
-
Find your key in Key1 field.
-
-
Azure SAS token - SAS token allows SnowMirror to authenticate against Azure. To find out your SAS token:
-
Login to Azure Portal
-
Open detail of your Storage account
-
Click Shared access tokens
-
Customize privileges as needed (Minimum requirements are Read, Add, Create, Write, Delete, List).
-
Generate Blob SAS token and URL.
-
Copy Blob SAS token field.
-
-
-
Azure Container Name - Name of a container, where SnowMirror can store CSV files. To find out name of your container, or to create a new one:
-
Login to Azure Portal
-
Open detail of your Storage account
-
Click Containers
-
Find your container there or create a new one by clicking + Container button.
-
-
Use Proxy - We communicate with Azure Storage using HTTPS protocol. At some companies, you need to route this communication through a proxy server.
-
Proxy Host - An address of your proxy server
-
Proxy Port - A port number on which the proxy server runs
-
Proxy Username - Some proxy servers are secured with credentials. You may provide a username here.
-
Proxy Password - Some proxy servers are secured with credentials. You may provide a password here.
-
6.7.3. MySQL
MySQL is a relational database. You can use your own on-premise server, or MySQL in AWS RDS or Azure. We also support AWS Aurora and MariaDB.
-
Server - Address of your database server without a port. An example: localhost
-
Port - Port number on which the database is available. By default, it is 3306.
-
Database - Name of your database.
-
Username - A username to use to access the database.
-
Password - Password to use to access the database.
-
Require SSL - Should SnowMirror encrypt connections to the mirror database
-
Not checked - Connections to the database are not encrypted.
-
Checked - Connections to the database are encrypted. If the DB server does not support it and error is raised and the connection is not established at all. Certificates are not verified. If your MySQL runs on Amazon RDS or Azure, you should have it checked.
-
6.7.4. Oracle
-
Server - Address of your database server without a port. An example: localhost
-
Port - Port number on which the database is available. By default, it is 1521.
-
Connection Using - Connect using SID or Service Name
-
SID - SID (Oracle System Identifier) uniquely identifies a database.
-
Service Name - Service name which identifies your database.
-
Username - A username to use to access the database.
-
Password - Password to use to access the database.
-
Quote Identifiers - Affects how SQL queries to mirror database look like.
If you check this checkbox all identifiers (table name, column names, …) will be enclosed within quotes. If you are going to query the database yourself you will have to quote identifiers too.
If the checkbox is not checked identifiers won’t be enclosed within quotes. If you are going to query the database yourself you will have to quote identifiers too. Note that if a name of an identifier matches reserved word SnowMirror will append a suffix "_" to that name.
6.7.5. PostgreSQL
-
Server - Address of your database server without a port. An example: localhost
-
Port - Port number on which the database is available. By default, it is 5432.
-
Database - Name of your database.
-
Schema - Name of your database schema
-
Username - A username to use to access the database.
-
Password - Password to use to access the database.
-
Quote Identifiers - Affects how SQL queries to mirror database look like.
If you check this checkbox all identifiers (table name, column names, …) will be enclosed within quotes. If you are going to query the database yourself you will have to quote identifiers too.
If the checkbox is not checked identifiers won’t be enclosed within quotes. If you are going to query the database yourself you will have to quote identifiers too. Note that if a name of an identifier matches reserved word SnowMirror will append a suffix "_" to that name.
-
Require SSL - Should SnowMirror encrypt connections to the mirror database
-
Not checked - Connections to the database are not encrypted.
-
Checked - Connections to the database are encrypted. If the DB server does not support it and error is raised and the connection is not established at all. Certificates are not verified. If your SQL Server runs on Amazon RDS or Azure, you should have it checked.
-
6.7.6. Snowflake
Snowflake is an analytical database which always runs in cloud.
-
Account Name - Specifies the name of your account. The name is the first part of the URL you use to access Snowflake: https://
account-name
.snowflakecomputing.com -
Database - Name of your database.
-
Schema - Name of your database schema.
-
Username - A username to use to access the database.
-
Password - Password to use to access the database.
-
Quote Identifiers - Affects how SQL queries to mirror database look like.
If you check this checkbox all identifiers (table name, column names, …) will be enclosed within quotes. If you are going to query the database yourself you will have to quote identifiers too.
If the checkbox is not checked identifiers won’t be enclosed within quotes. If you are going to query the database yourself you will have to quote identifiers too. Note that if a name of an identifier matches reserved word SnowMirror will append a suffix "_" to that name.
-
Require SSL - Communication with Redshift is always encrypted.
-
Use Proxy - We communicate with Snowflake using HTTPS protocol. At some companies, you need to route this communication through a proxy server.
-
Proxy Host - An address of your proxy server
-
Proxy Port - A port number on which the proxy server runs
-
Proxy Username - Some proxy servers are secured with credentials. You may provide a username here.
-
Proxy Password - Some proxy servers are secured with credentials. You may provide a password here.
-
-
6.7.7. SQL Server
SQL Server is a relational database. You can use your own on-premise server, or SQL Server in AWS RDS or Azure.
-
Server - Address of your database server without a port. An example: localhost
-
Port - Port number on which the database is available. By default, it is 1433.
-
Instance - A name of your SQL Server Instance. You should provide either instance name or a port.
-
Database - Name of your database.
-
Schema - Name of your database schema
-
Username - A username to use to access the database.
-
To use Windows Authentication, please provide your username including the domain: DOMAIN\\User
-
To use SQL Server Authentication, just provide your username (no domain, no backslash)
-
-
Password - Password to use to access the database.
-
Require SSL - Should SnowMirror encrypt connections to the mirror database
-
Not checked - Connections to the database are not encrypted.
-
Checked - Connections to the database are encrypted. If the DB server does not support it and error is raised and the connection is not established at all. Certificates are not verified. If your SQL Server runs on Amazon RDS or Azure, you should have it checked.
-
-
Use Unicodesince 4.3.7 - Allows you to choose how to store strings into database.
-
Checked - SnowMirror stores data into database using unicode character set. Text fields are stored into nvarchar data type.
-
Not Checked - SnowMirror stores data into database using a character set chosen during database creation. Text fields are stored into varchar data type.
If you change Use Unicode settings, SnowMirror will not change existing tables. If you want to change the data type in existing table you have to: 1) delete and recreate affected synchronizations. 2) or change the types manually on Edit Mappings page.
-
-
Database Driversince 4.13.0
-
JTDS - An open source database driver that we have been using for years. However, JTDS driver is not actively developed and maintained anymore. While we still support it, we have added an option to use Microsoft’s database driver.
-
Microsoft - Microsoft’s database driver. It provides more features than JTDS (Azure AD authentication, Failover settings, etc.).
Performance-wise, there is no difference between the two.
Which one to use: If you don’t know which one to use, use the default JTDS. If you need features not available in JTDS, switch to Microsoft.
-
6.7.8. Amazon S3
Amazon S3 is a cloud storage where we store data as CSV files.
SnowMirror needs to be able to read the bucket and work with objects in that bucket. See sample policies that you may have to set up in AWS Console: policy file for S3 bucket with default SSE-S3 encryption, policy file for S3 bucket with SSE-KMS encryption.
-
AWS Access Key Id - Access key provides SnowMirror with access to your Amazon S3 storage.
-
A user account: In AWS console, open "IAM" page → Users → Click "Add users" and create a new user with permissions to read and write files to S3 storage.
-
Access Key: Open AWS console → "IAM" → Users → Choose your user → Security credentials → Access keys → Create access key
See AWS documentation for details.
-
-
AWS Secret Access Key - Secret Access key provides SnowMirror with access to your Amazon S3 storage.
-
Access Key: Open AWS console → "IAM" → Users → Choose your user → Security credentials → Access keys → Create access key
See AWS documentation for details.
-
-
Authenticate using IAM Roles
-
If SnowMirror is running on an EC2 instance, you can use IAM Roles for authentication. Otherwise, stick with access keys.
-
Please ensure that a role with the appropriate S3 bucket privileges is attached to this EC2 instance.
-
In the AWS console, open the "IAM" page → Roles → Click "Create role". Select an AWS Service, and then choose EC2 under Use Case. Create a custom policy in the permissions section that provides the minimum required permissions to access your S3 bucket.
-
Open the EC2 console → Instances → Choose the instance where SnowMirror is running → Actions → Security → Modify IAM role. Attach the created role to this instance.
See AWS documentation for details.
-
-
S3 Bucket Name - A bucket is a folder where we store your data.
To create a bucket, please open AWS console → Open S3 → Click Create bucket
-
Region - Every bucket is located in some data center. Please choose the region where your bucket is located so that we know where to connect.
-
Use Proxy - We communicate with Amazon S3 using HTTPS protocol. At some companies, you need to route this communication through a proxy server.
-
Proxy Host - An address of your proxy server
-
Proxy Port - A port number on which the proxy server runs
-
Proxy Username - Some proxy servers are secured with credentials. You may provide a username here.
-
Proxy Password - Some proxy servers are secured with credentials. You may provide a password here.
-
6.7.9. Azure Storage
Azure Storage is a cloud storage where we store data as CSV files.
-
Azure Account Name - Name of your Azure Storage Account. To find out your account name:
-
Login to Azure Portal
-
Open detail of your Storage account
-
Click Access Keys
-
Find your name in Storage account name field.
-
-
You have several options how to authenticate against Azure. since 5.7.0 If SnowMirror is running in an Azure Container Instance, you can use Managed Identity for authentication. Otherwise, use access key or SAS token.
-
Azure Access Key - Access key allows SnowMirror to authenticate against Azure. To find out your access key:
-
Login to Azure Portal
-
Open detail of your Storage account
-
Click Access Keys
-
Find your key in Key1 field.
-
-
Azure SAS token - SAS token allows SnowMirror to authenticate against Azure. To find out your SAS token:
-
Login to Azure Portal
-
Open detail of your Storage account
-
Click Shared access tokens
-
Customize privileges as needed (Minimum requirements are Read, Add, Create, Write, Delete, List).
-
Generate Blob SAS token and URL.
-
Copy Blob SAS token field.
-
-
-
Azure Container Name - Name of a container, where SnowMirror can store CSV files. To find out name of your container, or to create a new one:
-
Login to Azure Portal
-
Open detail of your Storage account
-
Click Containers
-
Find your container there or create a new one by clicking + Container button.
-
-
Use Proxy - We communicate with Azure Storage using HTTPS protocol. At some companies, you need to route this communication through a proxy server.
-
Proxy Host - An address of your proxy server
-
Proxy Port - A port number on which the proxy server runs
-
Proxy Username - Some proxy servers are secured with credentials. You may provide a username here.
-
Proxy Password - Some proxy servers are secured with credentials. You may provide a password here.
-
6.7.10. Google Storage
Google Storage is a cloud storage where we store data as CSV files.
-
Bucket Name - Name of a bucket, where SnowMirror can store CSV files. To find out name of your bucket, or to create a new one:
-
Login to Google Cloud Platform
-
Open menu on the left side
-
Choose Cloud Storage
-
Find your container there or create a new one by clicking + Create
-
-
Service Account Key - Authentication keys of your service account in JSON format. To create the keys:
-
Login to Google Cloud Platform
-
Open menu on the left side
-
Click IAM & Admin and choose Service Accounts
-
Click on your service account
-
Choose Keys
-
Choose Add key → Create new key
-
-
(Use Proxy) - We communicate with Google Storage using HTTPS protocol. At some companies, you need to route this communication through a proxy server. The proxy cannot be configured from user interface, you have to provide startup parameters: -Dhttps.proxyHost=your-proxy-url -Dhttps.proxyPort=your-proxy-port
6.7.11. Import / Export
In this section you can export your synchronization settings or import your previously exported setting. Note that only settings is exported - the actual data in mirror database stay intact.
Example: You have testing and production environment. Now you want to move all synchronization settings from your testing environment to production environment. You export the settings on testing environment and then import on production. |
In case imported file contains synchronizations which already exist SnowMirror will let you choose how to resolve the conflict:
-
Do not import duplicate synchronizations - this option won’t import synchronizations which already exist
-
Automatically rename duplicate synchronizations - this option will import all synchronizations but those with conflicted names will be renamed. For example: you try to import synchronization for table "task" but it already exists - SnowMirror will import the synchronization but its name and name of table in mirror database will be "task_1"
-
Update existing synchronizations - this option will overwrite (update) existing synchronizations.
6.8. Visual Theme
SnowMirror allows you to change colors of the user interface and add some text next to the logo. That helps you to easily distinguish production and testing environments.
-
Theme color: changes a color of the main navigation bar and all table headers
-
Text Beside Logo: shows a custom text next to the logo (e.g.: development, test, production, …). You can use at most 100 characters.
6.9. Tags
since 5.8.0
SnowMirror allows you to group synchronizations according to your preferences for greater clarity using tags.
6.9.1. Create New Tag
Name: text displayed inside of the tag
Color: changes a background color of the tag
6.10. Performance Tuning
Max. number of nodes to utilize: Trial: unlimited, Lite: 2, Enterprise: 2, Cluster: unlimited
Every production ServiceNow instance runs in a cluster which consists of nodes. Request routing is provided by a load balancer in the ServiceNow infrastructure and typically, it is out of control of individual users which node is processing a certain request.
However, SnowMirror can identify which node is handling a particular session which enables maintaining several sessions per ServiceNow node and downloading the data concurrently from multiple nodes at the same time. This dramatically improves the replication times.
Please note that each ServiceNow node has a certain number of so-called integration semaphores (by default 4). This is basically the number of concurrent integration requests that the node can handle at the same time. If all semaphores are in use, then all the new incoming requests are being queued and have to wait until a semaphore is available again.
That’s why SnowMirror maintains only two sessions per node to utilize only half of all available integration semaphores. Increasing the number of sessions per node improves the replication performance, but it might negatively impact other integrations.
Please be extremely careful with SnowMirror performance settings, misconfiguration might severely impact the ServiceNow performance.
SnowMirror users with Lite or Enterprise licenses can utilize up to 2 ServiceNow nodes. With Cluster license, you can utilize all your ServiceNow nodes.
6.10.1. Performance Settings
Please note that it is necessary to restart SnowMirror to apply all the performance settings changes.
Node Count - Number of ServiceNow nodes that can be utilized for downloading the data. If you don’t know how many nodes your ServiceNow instance has, click the Discover Nodes button.
Most of the production and almost all the sub-production instances have only two nodes and personal development instances consist of only one node. ServiceNow can increase the number of nodes for production instances according to their operation procedures. Typically, bigger instances or instances with higher load have more nodes. Please note that this number is not under ServiceNow customers’ control. It is fully driven by ServiceNow infrastructure team, and the number can vary over time.
It is recommended to check the node settings from time to time because the number of active nodes can change on the ServiceNow side.
Configuring a lower number of nodes than available is not an issue. Simply, only part of the ServiceNow cluster will be utilized for replication. However, configuring more nodes than available will result in ineffective session management and higher load on available ServiceNow nodes than intended. This cannot be recommended, and it is considered as a misconfiguration on the SnowMirror side.
Edit Advanced Settings - Enable advanced settings only if you are sure what you are doing! Misconfiguration can severely impact performance of your ServiceNow instance. Please contact SnowMirror support to consult the changes.
Sessions Per Node Count - Number of concurrent sessions per ServiceNow node. Each node has a certain number of semaphores, by default 4. This setting also means the max number of semaphores to utilize. Important: Increasing this number might impact other ServiceNow integrations. Default is 2.
Please note that each ServiceNow node has a certain number of so-called integration semaphores (by default 4). This is basically the number of concurrent integration requests that the node can handle at the same time. If all semaphores are in use, then all the new incoming requests are being queued and have to wait until a semaphore is available again.
ServiceNow infrastructure team can modify the number of integration semaphores. However, this cannot be requested, ServiceNow does it according to their own operation procedures (i.e. according to the load of the instance).
Increasing the number of sessions per node improves the replication performance, but it might negatively impact other integrations.
Worker Threads Count - Total number of threads for downloading the data from a ServiceNow instance. This thread pool is shared across all synchronizations. Recommended value is Node Count x Sessions Per Node Count.
If the number is higher than the recommended value, then the threads might be blocked by the number of HTTP connections anyway. Increasing this number does not make much sense. The only theoretical situation might be very slow mirror database which would utilize the threads more than just with the HTTP traffic.
HTTP Connections Count - Maximum number of concurrent HTTP connections to ServiceNow. Typically, equals to the number of worker threads. Recommended value is Node Count x Sessions Per Node Count.
If the number is higher than recommended (together with worker threads) then it effectively increases the load of ServiceNow nodes. The same as increasing the number of sessions per node, only worse way. Increasing this number does not make much sense.
Synchronizations Count - Number of synchronizations that can run in parallel. Other synchronizations must wait in a queue.
The replication throughput is limited by the worker thread pool anyway. So, this number does not affect the performance at all. It only means how big is the number of threads for the main scheduler. Increasing the number to very high numbers might have memory consumption consequences and results in slower SnowMirror.
You should not set this to a value higher than 32. Otherwise, you may run out of connections to the configuration database.
Mirror DB Max. Pool Size - Maximum size of a connection pool managed by SnowMirror. Should be higher than the number of worker threads.
Data Threads Count - Total number of threads dedicated to data processing. Data processing includes inserts/updates/deletes of data in mirror database. This thread pool is shared across all synchronizations. Recommended value is the same value as Worker Threads Count.
DB Commit Batch Size - Size of a database batch statement. This is the number of records being inserted at once in the mirror DB. Default is 250. Recommended value is the same as Records Batch Size.
DB Read Batch Size - Size of a database batch statement. This is the number of records being selected at once in the mirror DB. Default is 250. Recommended value is the same as Records Batch Size.
Keys Batch Size - Number of sys_ids downloaded in a single request. Default is 10,000. Increasing this batch size usually does not have significant performance effect.
Higher numbers will result is longer response/transaction times which is not optimal from the ServiceNow perspective. Each table might give different results.
Records Batch Size - Number of full records downloaded in a single request. Default is 250. Increasing this batch size usually does not have significant performance effect.
Higher numbers will result is longer response/transaction times which is not optimal from the ServiceNow perspective. Each table might give different results.
6.10.2. Discover Nodes
The performance page contains Discover Nodes button. This is useful if you don’t know how many nodes your ServiceNow consists of.
ServiceNow does not provide the number of nodes. Therefore, SnowMirror sends requests repeatedly and checks the established sessions. Based on the cookies content we can discover how many nodes responded to us.
6.10.3. Validate The Configuration
Before tuning the configuration, you should click the Validate button to find out if the configuration is valid or not. Please note that a misconfiguration can negatively impact ServiceNow performance.
6.10.4. Restore Defaults
If you changed the configuration, and you are not sure if it is correct you can always go back. There is the Restore Defaults button which sets all the properties to its default values.
6.11. Stats
Monitors SnowMirror internals to give users a better idea what is going on inside SnowMirror. Stats are especially useful for performance tuning.
6.11.1. Download
In case you need our help with analyzing the stats, you can download stats into a text file and send them to us by an email.
The file can be downloaded by clicking "Download" link on the top of the page.
6.11.2. HTTP Connection Pool
Monitors a pool of HTTP connections which are used for communication with ServiceNow.
Property | Description |
---|---|
Leased |
Number of connections currently being used |
Pending |
Number of processes waiting for a connection |
Available |
Number of connections ready to be used |
Max |
Max. number of connections in the pool |
6.11.3. Worker Thread Pool
Monitors a number of threads in which synchronizations are executed.
Property | Description |
---|---|
Core size |
Initial size of the pool |
Max. size |
Max. allowed size of the pool |
Current size |
Current size of the pool |
In use |
Number of threads currently being used |
Pending |
Number of processes waiting for a free thread |
Threads In Use |
Detailed description of threads which are currently executing |
W-1: {sync_1='alm_asset', logId=2564, queuedFor=00:00:00.001, started=2018-04-03 11:23:00.361, duration=00:00:00.028}
-
W-1
- name of the thread -
sync_1='alm_asset'
- thread is executing 'alm_asset' synchronization. Id of the synchronization is '1'. -
logId=2564
- Id of the activity log is '2564' -
queuedFor=00:00:00.001
- the synchronization had been waiting one millisecond in a queue before it was executed -
started=2018-04-03
11:23:00.361 - date and time when it was executed -
duration=00:00:00.028
- how long the synchronization have been executing
6.11.4. Data Processing Thread Pool
Monitors data processing thread pool.
Property | Description |
---|---|
Core size |
Initial size of the pool |
Max. size |
Max. allowed size of the pool |
Current size |
Current size of the pool |
In use |
Number of threads currently being used |
Pending |
Number of processes waiting for a free thread |
Threads In Use |
Detailed description of threads which are currently executing |
DP-2: {sync_1='alm_asset', logId=2564, queuedFor=00:00:00.001, started=2019-10-02 08:40:26.912, duration=00:00:00.021, status=running}
-
DP-1
- name of the thread -
sync_1='alm_asset'
- thread is executing 'alm_asset' synchronization. Id of the synchronization is '1'. -
logId=2564
- Id of the activity log is '2564' -
queuedFor=00:00:00.001
- the synchronization had been waiting one millisecond in a queue before it was executed -
started=2018-04-03
11:23:00.361 - date and time when it was executed -
duration=00:00:00.028
- how long the synchronization have been executing
6.11.5. Session Selection
Monitors sessions which are use for communication with ServiceNow.
Example:
1. session pool: NodeId_2558537226.45118.0000/SessionId_137774, Created: 2018-04-03 11:18:27
1. session pool: NodeId_2558537226.45118.0000/SessionId_213609, Created: 2018-04-03 11:18:28
2. session pool: NodeId_494939658.45886.0000/SessionId_612136, Created: 2018-04-03 11:18:28
2. session pool: NodeId_494939658.45886.0000/SessionId_126511, Created: 2018-04-03 11:18:26
In this example, SnowMirror uses two ServiceNow nodes and keeps two sessions on each one.
-
NodeId_2558537226.45118.0000/SessionId_137774
-
"2558537226.45118.0000" is an identification of the ServiceNow node
-
"137774" is a name of a session (the name is encoded so that the original name does not leak)
-
-
Created - date and time the session was created
6.11.6. Mirror DB Connection Pool
Monitors connections to mirror database.
Property | Description |
---|---|
Pooled |
Total number of connections in the pool |
Idle |
Number of free connections |
Busy |
Number of connections currently being used |
Pending |
Number of processes waiting for a free connection |
Max. Size |
Max. allowed size of the connection pool |
6.11.7. ServiceNow Response Time
Monitors request and response times. The stats are split into multiple sections - the first one shows stats for all requests on all nodes. The others show stats only for the individual nodes.
Example:
1 minute: 00:00:00.343 (11 transactions, 11 per minute, 0 errors, 00:00:00.143 tx time, 249 records)
In this example:
-
The average response time in the last one minute was 343 milliseconds.
-
SnowMirror processed 11 transactions during the last minute and there was no error.
-
The "tx time" is the average time it took ServiceNow to prepare the response.
-
We have downloaded 249 records.
6.11.8. SnowMirror Monitor
since 4.9.7 Provides information about status of SnowMirror Monitor.
Property | Description |
---|---|
Enabled |
Yes/No - is SnowMirror Monitor enabled or disabled? |
Upload of activity log files |
Enabled/Disabled - Is SnowMirror Monitor configured to upload or not to upload activity log files to ServiceNow? |
Status: |
|
6.12. Logs
Logs page provides you with access to server logs. This may come in handy especially if you don’t have access to the server, and you would have to ask you administrators for help every time you need to see logs.
The page lists all available logs and allows you to download them separately to your computer using the link in the "Actions" column. You can also download all logs into single ZIP file using the "Download All Logs" link.
The page may be disabled by setting snowMirror.settings.logs.showLogsInSettings Advanced Property to false.
6.13. Advanced Settings
Advanced Settings provides you a list of all configuration options. Changing these settings can badly influence stability, performance and security of SnowMirror. Continue only if you are sure what you are doing, or our documentation specifically instructed you to do so.
6.14. Time Zones
Every SnowMirror user can set his or hers own time zone. This does not affect communication with ServiceNow, or any of SnowMirror databases. The time zone setting is just for presenting data via SnowMirror gui. List of available time zones is configurable.
All data in mirror and configuration database are stored in UTC.
Communication with ServiceNow happens in two time zones. While requesting data via ServiceNow API, UTC (both request and response) is used. However, when sending data via API, the time zone of ServiceNow user is used. This time zone is in the configuration file.
6.14.1. Changing Timezone
For changing timezone click on the planet icon next to timezone in the left bottom.
7. Advanced Configuration
Most of the configuration settings can be done in SnowMirror on Settings page when the configuration choices are stored in a database. Yet some configuration have to be done using snowMirror.properties file.
-
snowMirror.properties - The file is located in the root of SnowMirror’s installation directory. It contains deployment URL (including port) and settings of configuration database.
The file contains just a small subset of all configuration options. These properties are necessary for SnowMirror to start up.
-
Settings page in browser - All the other settings (mirror DB connection, SMTP server, ServiceNow connection, etc.) are stored in your configuration database in a table named config. You configure these properties via your web browser. During the initial setup, you configure it via configuration Wizard. Later on, you configure it on Settings page.
7.1. Database Configuration
SnowMirror uses two databases - configuration database and mirror database. This chapter contains detailed information about configuration of these databases. You can see a list of supported databases in Requirements - Databases chapter.
Database | Description |
---|---|
Configuration DB |
|
Mirror DB |
|
7.1.1. Character Set & Collation
When you create a new database, you can specify a character set (what character is the DB able to store) and collation (how the DB sorts the characters). See our requirements in the table below.
Database | Character Set (Encoding) | Recommended Collation (How To Sort) |
---|---|---|
Choose what suits your needs the best. Don’t use UTF8. To store all possible characters into mirror DB, please make sure you have Use Unicode option enabled. |
||
AL32UTF8 |
Up to you. If you don’t know, don’t specify it when creating the DB. |
|
utf8mb4 |
utf8mb4_unicode_ci |
|
UTF8 |
Up to you. If you don’t know, don’t specify it when creating the DB (values for lc_collate and lc_ctype properties are provided automatically). |
|
By default, it uses UTF-8 |
Up to you. If you don’t know, don’t specify it when creating the DB. |
|
Choose what suits your needs the best. Don’t use UTF8. To store all possible characters into mirror DB, please make sure you have Use Unicode option enabled and SnowMirror will store data to nvarchar columns. |
||
- |
- |
7.1.2. Database Permissions
SnowMirror needs the following database permissions:
-
connect and login to the database
-
create, alter and delete tables and views
-
create, alter and delete indexes on those tables
-
insert, update and delete data in those tables and views
7.1.3. Databases
7.1.3.1. SQL Server
# SnowMirror configuration database (SQL Server)
config.db.type = mssql
config.jdbc.url = jdbc:jtds:sqlserver://127.0.0.1:1433/snowmirror
config.jdbc.username = root
config.jdbc.password = password
config.jdbc.schema = dbo
config.jdbc.encryption = IGNORE
If you want to use Windows authentication on SQL Server, please provide your domain username as follows: DOMAIN\username
Samples of SQL Server "config.jdbc.url":
-
JTDS database driver (default)
-
Use port: jdbc:jtds:sqlserver://localhost:1433/yourDbName
-
Use instance name: jdbc:jtds:sqlserver://localhost/yourDbName;instance=MSSQLSERVER
-
Use Azure AD authentication: not supported
-
-
Microsoft database driver
-
Use port: jdbc:sqlserver://localhost:1433;databaseName=yourDbName
-
Use instance name: jdbc:sqlserver://localhost\MSSQLSERVER;databaseName=yourDbName
-
Use Azure AD Authentication: jdbc:sqlserver://localhost:1433;databaseName=yourDbName;authentication=ActiveDirectoryPassword
-
Please see Encryption chapter on details how to configure config.jdbc_encryption property.
-
Minimal permissions - imagine you have a role named "snowmirror_role" in SQL Server. The following "grant" commands give that role minimal required permissions.
-
GRANT CONNECT TO [snowmirror_role];
-
GRANT CREATE TABLE, CREATE VIEW, REFERENCES TO [snowmirror_role];
-
GRANT ALTER, SELECT, INSERT, UPDATE, DELETE ON SCHEMA::[dbo] TO [snowmirror_role];
-
7.1.3.2. Oracle
# SnowMirror configuration database (Oracle)
config.db.type = oracle
config.jdbc.url = jdbc:oracle:thin:@127.0.0.1:1521:snowmirror
config.jdbc.username = root
config.jdbc.password = password
7.1.3.3. MySQL
CREATE DATABASE snowmirror CHARACTER SET = utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE DATABASE mirror CHARACTER SET = utf8mb4 COLLATE utf8mb4_unicode_ci;
# SnowMirror configuration database (MySQL)
config.db.type = mysql
config.jdbc.url = jdbc:mysql://127.0.0.1:3306/snowmirror
config.jdbc.username = root
config.jdbc.password = password
config.jdbc.encryption = IGNORE
Please see Encryption chapter on details how to configure config.jdbc_encryption property.
7.1.3.4. PostgreSQL
CREATE DATABASE snowmirror ENCODING 'UTF8';
CREATE DATABASE mirror ENCODING 'UTF8';
# SnowMirror configuration database (PostgreSQL)
config.db.type = postgres
config.jdbc.url = jdbc:postgresql://127.0.0.1:5432/snowmirror
config.jdbc.username = root
config.jdbc.password = password
config.jdbc.schema = public
config.jdbc.encryption = IGNORE
Please see Encryption chapter on details how to configure config.jdbc_encryption property.
PostgreSQL Client Certificate
Place your certificate files into a single directory (C:\Program Files\SnowMirror\snow-mirror\data\certs-custom).
Configuration Database
-
Open snowMirror.properties as administrator and add the following line:
-
Add a new line:
config.postgres.jdbc.url.param = ?useUnicode=true&characterEncoding=utf8&sslcert=C:/Program%20Files/SnowMirror/snow-mirror/data/certs-custom/client_cert.pem&sslkey=C:/Program%20Files/SnowMirror/snow-mirror/data/certs-custom/client_key.pem&sslrootcert=C:/Program%20Files/SnowMirror/snow-mirror/data/certs-custom/server_ca.pem
-
Save the file and restart SnowMirror.
Mirror Database
-
In SnowMirror, go to Settings → Advanced Settings → Find "mirror.mssql.jdbc.url.param".
-
Change the value to:
?useUnicode=true&characterEncoding=utf8&stringtype=unspecified&sslcert=C:/Program%20Files/SnowMirror/snow-mirror/data/certs-custom/client_cert.pem&sslkey=C:/Program%20Files/SnowMirror/snow-mirror/data/certs-custom/client_key.pem&sslrootcert=C:/Program%20Files/SnowMirror/snow-mirror/data/certs-custom/server_ca.pem
-
Save and go to Settings → Database → Click "Test Connection" to make sure it works.
7.1.3.5. H2
H2 Database is a lightweight SQL database embedded in SnowMirror. SnowMirror creates it automatically based on connection information from snowMirror.properties file. It is suitable only for evaluation. On production systems, please use some other database. If you already use H2, please migrate to some other database.
# SnowMirror configuration database (H2)
config.db.type = h2
config.jdbc.url = jdbc:h2:~/h2/snowmirror
config.jdbc.username = sa
config.jdbc.password = sa
7.1.4. Encryption
If you want to encrypt communication between SnowMirror and your database, you have to set config.jdbc.encryption property.
Value | Description |
---|---|
IGNORE |
Do not configure SSL at all. Default settings of the database driver is used. |
NONE |
Use unencrypted connection. |
SSL |
Use encrypted connection. If not supported by the server, raise an error. |
SSL_WITH_CERT_VERIFICATION |
Use encrypted connection. If not supported by the server, raise an error. Verify that server’s certificate is signed by a trusted CA. |
7.2. Application Deployment URL
Deployment address depends on the address of the server where the application is deployed. The application needs to know this address to correctly serve its pages and content.
Provided configuration is used to construct absolute URLs for resources files like JavaScript and CSS. See how SnowMirror constructs URLs using these properties:
{snowMirror.scheme}://{snowMirror.host}:{snowMirror.port}{snowMirror.context}
### SnowMirror base URL ###
snowMirror.scheme = http
snowMirror.host = localhost
snowMirror.port = 9090
snowMirror.controlport = 8005
snowMirror.context =
If you want SnowMirror to run not on http://localhost:9090 but on http://localhost:9090/snowMirror you have to change the snowMirror.context property. Note that when you specify a context it has to start with a backslash.
snowMirror.context = /snowMirror
-
Stop SnowMirror
-
Change
snowMirror.context
property in snowMirror.properties file. -
Delete webapps and work directories from SnowMirror installation directory.
-
On Windows, you need to perform these additional steps:
-
Open command line (cmd.exe) as administrator and type:
"C:\Program Files\SnowMirror\bin\tomcat10w.exe" //ES//SnowMirror
-
A window opens → Go to Java tab → In Java Options find -Dtomcat.snowMirror.context= and provide your context there. → Click OK
-
-
Start SnowMirror and open it in your browser on a new address.
SnowMirror runs on Apache Tomcat server which uses a notion of a control port. The port is used to receive shutdown request. The default value is provided but if you change the port in Apache Tomcat configuration files you also have to change snowMirror.controlport property.
snowMirror.controlport = 8005
7.3. Security
SnowMirror application communicates with ServiceNow via Web Services and uses basic HTTP authentication. You can set your credentials on Settings / ServiceNow page.
In general there are two situations you can deal with - when the Enforce strict security system option is set to true or false.
7.3.1. Enforce Strict Security
Usually, Enforce Strict Security is enabled. If that is your case, you need to specify the roles for your ServiceNow user which is used for connection from SnowMirror. See the chapters below.
If Enforce Strict Security option is disabled all users have access to all SOAP operations and are able to use SnowMirror application without any configuration changes. User does not need any roles to access any of the tables in this mode.
You can set Enforce Strict Security option as an admin user in ServiceNow application in Web Services section - option Enforce strict security. You need to be logged in as "security_admin". |
7.3.2. Permissions In ServiceNow
SnowMirror requires read access to several system tables and the tables you are going to be mirroring. Therefore, you have to create a new role and grant it all required permissions.
We provide you with and an update set which creates all necessary roles and ACLs for you. You can do that work manually too.
Depending on which API (SOAP, REST) you use, you need a different roles assigned.
-
SOAP API: Create SnowMirrorAgent role manually.
-
REST API: Create SnowMirrorRestApiAgent role from an update set.
-
REST API: Create SnowMirrorRestApiAgent role manually.
7.3.2.1. SOAP API: Import SnowMirrorAgent Role Update Set
Follow steps below to create a new SnowMirrorAgent role and to grant permissions to all required system tables.
-
Open your ServiceNow instance and go to System Update Sets → Retrieved Update Sets
-
Click "Import Update Set from XML" link and choose SnowMirrorAgentRole_v(CurrentVersion).xml update set. You can find it in /snow-mirror/role folder. Then click Upload.
-
Open the detail of the update set (i.e. click on its name)
-
Click on "Preview Update Set"
-
If everything went fine just click on the "Commit Update Set" button
-
Wait while the update set is being committed and then click Close
Now the role has been created. You then have to assign the role to a user.
-
Open your ServiceNow instance and go to User Administration → Users
-
Choose a user (or create a new user) you want to use to connect to SnowMirror.
-
On the "Roles" tab click Edit button.
= . Assign "SnowMirrorAgent" role and save
Now you can use the user in SnowMirror. But there is one more step to do - you have to grant your user with the read access rights to all tables you want to replicate:
-
If you already have a suitable role defined you can just assign it to your user
-
Beginning Fuji release you can use Read Only Role (snc_read_only) to grant read-only access
-
Or you can grant the read rights manually as shown below
To grant the read rights manually you have to create an entry in System Security → ACL table. Fill in the following data:
Type | record |
---|---|
Operation |
read |
Name |
Choose a table you want to replicate and choose "-- None --" in columns combobox. |
Admin overrides |
enabled |
Active |
enabled |
Requires role: |
SnowMirrorAgent |
That’s all. Now you can start replicating your data.
7.3.2.2. Create Role Manually
If you can’t or don’t want to use the SnowMirrorAgent update set then (presuming your ServiceNow has default ACL configuration) you will have to follow these steps to set up ACL:
-
Create a special role for your SnowMirror user (e.g. SnowMirrorAgent)
-
Add soap_query system role to SnowMirrorAgent inherited roles.
-
Create ACL rules for read operation, columns set as --None-- with role SnowMirrorAgent for the following system tables:
-
Dictionary Entry (sys_dictionary)
-
Dictionary Entry Overrides (sys_dictionary_override)
-
Field class (sys_glide_object)
-
Audit Deleted Record (sys_audit_delete)
-
Table (sys_db_object)
-
Database View (sys_db_view)
-
View Table (sys_db_view_table)
-
View Field (sys_db_view_table_field)
-
Attachment (sys_attachment)
-
Attachment Document (sys_attachment_doc)
-
Database Indexes (v_db_index)
-
Table Rotation Groups (sys_table_rotation)
-
Table Rotation Schedule (sys_table_rotation_schedule)
-
Archive Log (sys_archive_log)
-
System Properties (sys_properties)
-
-
Ensure the SnowMirrorAgent role has read access to the tables you want to replicate. If needed create ACL rules for these tables.
-
Assign the SnowMirrorAgent role to the user you are using for SnowMirror connection.
If you have already defined any ACL rules for above tables, you will have to add SnowMirrorAgent role to every ACL to ensure correct behaviour. |
For more information about ACL rules see ServiceNow documentation .
7.3.2.3. REST API: Import SnowMirrorRestApiAgent Update Set
Follow steps below to create a new SnowMirrorRestApiAgent role and to grant permissions to all required system tables.
-
Open your ServiceNow instance and go to System Update Sets → Retrieved Update Sets
-
Click "Import Update Set from XML" link and choose SnowMirrorRestApiAgentRole_v(CurrentVersion).xml update set. You can find it in /snow-mirror/role folder. Then click Upload.
-
Open the detail of the update set (i.e. click on its name)
-
Click on "Preview Update Set"
-
If everything went fine just click on the "Commit Update Set" button
-
Wait while the update set is being committed and then click Close
Now the role has been created. You then have to assign the role to a user.
-
Open your ServiceNow instance and go to User Administration → Users
-
Choose a user (or create a new user) you want to use to connect to SnowMirror.
-
On the "Roles" tab click Edit button.
= . Assign "SnowMirrorRestApiAgent" role and save
Now you can use the user in SnowMirror. But there is one more step to do - you have to grant your user with the read access rights to all tables you want to replicate:
-
If you already have a suitable role defined you can just assign it to your user
-
Beginning Fuji release you can use Read Only Role (snc_read_only) to grant read-only access
-
Or you can grant the read rights manually as shown below
To grant the read rights manually you have to create an entry in System Security → ACL table. Fill in the following data:
Type | record |
---|---|
Operation |
read |
Name |
Choose a table you want to replicate and choose "-- None --" in columns combobox. |
Admin overrides |
enabled |
Active |
enabled |
Requires role: |
SnowMirrorRestApiAgent |
That’s all. Now you can start replicating your data.
7.3.2.4. REST API: Create SnowMirrorRestApiAgent Manually
If you can’t or don’t want to use the SnowMirrorRestApiAgent update set then (presuming your ServiceNow has default ACL configuration) you will have to follow these steps to set up ACL:
-
Create special role for your SnowMirror user (e.g. SnowMirrorRestApiAgent)
-
Add snc_platform_rest_api_access system role to SnowMirrorRestApiAgent inherited roles.
-
Create ACL rules for read operation, columns set as --None-- with role SnowMirrorRestApiAgent for the following system tables:
-
Dictionary Entry (sys_dictionary)
-
Dictionary Entry Overrides (sys_dictionary_override)
-
Field class (sys_glide_object)
-
Audit Deleted Record (sys_audit_delete)
-
Table (sys_db_object)
-
Database View (sys_db_view)
-
View Table (sys_db_view_table)
-
View Field (sys_db_view_table_field)
-
Attachment (sys_attachment)
-
Attachment Document (sys_attachment_doc)
-
Database Indexes (v_db_index)
-
Table Rotation Groups (sys_table_rotation)
-
Table Rotation Schedule (sys_table_rotation_schedule)
-
Archive Log (sys_archive_log)
-
System Properties (sys_properties)
-
-
Ensure the SnowMirrorRestApiAgent role has read access to the tables you want to replicate. If needed create ACL rules for these tables.
-
Assign the SnowMirrorRestApiAgent role to the user you are using for SnowMirror connection.
If you have already defined any ACL rules for above tables, you will have to add SnowMirrorRestApiAgent role to every ACL to ensure correct behaviour. |
For more information about ACL rules see ServiceNow documentation .
7.3.3. Application Access Settings (Fuji and later)
Starting from Fuji release, you will have to set Allow access to this table via web services in the table definition for the tables that you wish to synchronize. By default, all system tables do have this option enabled.
If you do not allow this option, you will face 403 Forbidden exception in synchronization Activity log.
7.3.4. OAuth2
If you use REST API for communication with ServiceNow you can utilize OAuth2 protocol for authorization. OAuth2 allows SnowMirror to access your ServiceNow instance using access tokens rather than passing credentials with each request. OAuth2 defines several ways (so called "grants") how clients can obtain access tokens. SnowMirror uses Resource Owner Password Credentials grant.
Before you start using OAuth2 you have to register SnowMirror in your ServiceNow instance. This chapter describes how to do that.
7.3.4.1. Register SnowMirror in ServiceNow
-
Login to your ServiceNow instance.
-
Go to System OAuth → Application Registry
-
Click New button
-
Choose "Create an OAuth API endpoint for external clients" option.
-
Type SnowMirror into the "Name" field.
-
Click Submit
7.3.4.2. Setup OAuth2 in SnowMirror
After registering SnowMirror in ServiceNow, you have to configure SnowMirror to start using OAuth2.
-
ServiceNow: Login to your ServiceNow instance.,
-
ServiceNow: Go to System OAuth → Application Registry.
-
ServiceNow: Open a detail of SnowMirror registration.
-
ServiceNow: Remember "Client Id" and "Client Secret" (you have to click the "lock" icon to see the secret).
-
SnowMirror: Go to Settings → ServiceNow, change the authentication protocol to OAuth2 and enter Client Id and Client Secret.
7.3.5. Basic vs OAuth2
This chapter contains a short overview of Basic and OAuth2 authentication methods.
Basic Authentication
-
Every request contains username and password.
-
Communication between SnowMirror and ServiceNow is encrypted.
-
Supported by SOAP API and REST API.
OAuth2
-
SnowMirror communicates with ServiceNow using short-lived access tokens, client id and client secret.
-
When a short-lived access token expires, SnowMirror gets a new one using a refresh token.
-
Communication between SnowMirror and ServiceNow is encrypted.
-
Supported only by REST API.
-
Two flows are supported:
-
Resource Owner Password Credentials - username and password are sent over a network only when SnowMirror does not have a valid access and refresh tokens. That happens only when you restart SnowMirror, or the refresh token expires.
-
Client Credentials - username and password are not required at all.
-
7.3.6. Encryption
This chapter describes if and when your ServiceNow data is encrypted or un-encrypted.
Is Encrypted? | Description | |
---|---|---|
Connection to ServiceNow |
Always |
|
Connection to configuration database |
||
Connection to mirror database |
||
Memory (RAM) |
No |
Temporarily, data is held in memory. |
Database storage |
Up to you |
The database server is under your control. We don’t control, if the data is encrypted on the underlying hard-drive. |
No. |
ServiceNow Edge proxy is transparent - SnowMirror sees the data un-encrypted. |
|
No. |
In case your user has permissions to see the data, SnowMirror can see it un-encrypted. Otherwise, it cannot see the data. |
7.4. SnowMirror Over HTTPS
By default, SnowMirror is accessible through HTTP protocol. That means the communication between the user and SnowMirror is not encrypted. This chapter explains how to enable HTTPS protocol.
First, you have to enable HTTPS support. Then ask administrator at your company how to get a trusted certificate for your server.
If you already have a certificate you can import it to SnowMirror. If they ask you for a CSR (Certificate Signing Request) please generate a new untrusted certificate and generate CSR. Once they approve it, you will make the certificate trusted by importing their reply into SnowMirror.
7.4.1. Enable HTTPS
-
Stop SnowMirror
-
Prepare configuration files - Replace HTTP configuration files with HTTPS configuration files. Go to conf directory and rename following files:
-
server.xml → server-http.xml
-
server-https.xml → server.xml
-
web.xml → web-http.xml
-
web-https.xml → web.xml
-
-
Edit snowMirror.properties - Open snowMirror.properties file and change "snowMirror.scheme" and "snowMirror.port" properties.
snowMirror.properties excerptsnowMirror.scheme = https snowMirror.port=9443
-
Update Windows Service (Windows only) - Open "cmd.exe" as Administrator ad type:
"C:\Program Files\SnowMirror\bin\tomcat10w.exe" //ES//SnowMirror
The command opens a configuration of your Windows service. Click "Java" and in "Java Options", find a line "-Dtomcat.http.port=9090". Change it to "-Dtomcat.http.port=9443" and click "OK". Then, restart the service.
-
Start SnowMirror - open your browser and open SnowMirror running on HTTPS a port 9443. The browser should complain that it does not trust the certificate.
You can ignore the warning and continue to SnowMirror. The better thing to do is to use your own trusted certificate. See next chapters to learn how to do that.
7.4.2. Import Certificate
SnowMirror is configured to use HTTPS, but it uses a default untrusted certificate. This guide shows how to import your own certificate into SnowMirror.
The certificate being imported must contain both public key and private key. Usually, they are bundled in a single PFX or P12 file. You have to import the file into snowMirror-https.jks file. You can do it from command line as follows.
-
Stop SnowMirror
-
Windows: Open command line cmd.exe as and Administrator and type:
cd "C:\Program Files\SnowMirror" del snowMirror-https.jks jre\bin\keytool -importkeystore -srckeystore "PLEASE-PROVIDE-PATH-TO-YOUR-PFX-OR-P12-FILE" -destkeystore snowMirror-https.jks -destkeypass password
If you are asked for a source keystore password, type your password. If you are asked for a destination keystore password, type "password". When asked if you trust the certificate, type "yes". Please, replace the upper-case text PLEASE-PROVIDE-PATH-TO-YOUR-PFX-OR-P12-FILE with an actual path where we can find your PFX or P12 file. Keep the quotes. -
Linux: open your terminal and type:
Linux command linecd /opt/SnowMirror rm snowMirror-https.jks jre/bin/keytool -importkeystore -srckeystore "PLEASE-PROVIDE-PATH-TO-YOUR-PFX-OR-P12-FILE" -destkeystore snowMirror-https.jks -destkeypass password
-
Start SnowMirror
As you can see, we use a default password. You can choose whatever password you want. If you do so, you also have to change it in server.xml file. Look for a "keystore" attribute and change its value to your password. |
7.4.3. Generate A New Untrusted Certificate
This chapter describes how to generate a new key pair (public key and private key) and how to use it instead of the default one.
Windows
-
Open command line as Administrator
-
cd "C:\Program Files\SnowMirror"
-
ren snowMirror-https.jks snowMirror-https.jks.backup
-
Generate a new public/private key. Copy-past the command below and modify it so that:
-
CN - matches the URL of your SnowMirror. It must not contain "http://" or "https://" prefix. It must not contain the port.
-
OU, O, L, ST, C - these are specific to your company. You may change them, leave them empty or omit them.
jre\bin\keytool.exe -dname "CN=ADDRESS-OF-YOUR-SNOW-MIRROR, OU=SnowMirrorDev, O=GuideVision, L=Prague, ST=Czech Republic, C=CZ" -genkeypair -storepass password -keystore snowMirror-https.jks -alias snowmirror-https -keyalg RSA -keysize 4096
-
Linux
-
Open command line
-
cd "/opt/SnowMirror"
-
mv ./snowMirror-https.jks ./snowMirror-https.jks.backup
-
Generate a new public/private key. Copy-past the command below and modify it so that:
-
CN - matches the URL of your SnowMirror. It must not contain "http://" or "https://" prefix. It must not contain the port.
-
OU, O, L, ST, C - these are specific to your company. You may change them, leave them empty or omit them.
jre\bin\keytool -dname "CN=ADDRESS-OF-YOUR-SNOW-MIRROR, OU=SnowMirrorDev, O=GuideVision, L=Prague, ST=Czech Republic, C=CZ" -genkeypair -storepass password -keystore snowMirror-https.jks -alias snowmirror-https -keyalg RSA -keysize 4096
-
7.4.4. Generate CSR
When you generate a new public/private key, you need to have it signed so that it shows up as trusted in your browser. To sign it, you may be asked to generate CSR (Certificate Signing Request). Here’s how to do it:
-
Make sure you have generated a public/private key.
-
Run the following command to generate CSR. Please replace "ADDRESS-OF-YOUR-SNOW-MIRROR" with your actual address of your SnowMirror. It has to match "CN" attribute.
-
Windows: Open cmd.exe as Administrator and execute a command:
cd "C:\Program Files\SnowMirror\" jre\bin\keytool.exe -ext "san=dns:ADDRESS-OF-YOUR-SNOW-MIRROR" -storepass password -keystore snowMirror-https.jks -certreq -alias snowmirror-https > snowmirror-https.csr
-
Linux: Open command line and execute a command:
/opt/SnowMirror/jre/bin/keytool -ext "san=dns:ADDRESS-OF-YOUR-SNOW-MIRROR" -storepass password -keystore snowMirror-https.jks -certreq -alias snowmirror-https > snowmirror-https.csr
-
-
Hand over the CSR file to your certification authority to sign it.
7.4.5. Import CSR response
When your certificate authority approves your request, it provides you a response. You have to import that response to snowMirror-https.jks file.
You may receive a response in multiple different formats. Based on the format of your response, follow the instructions below.
-
P7B file - Windows
cd "C:\Program Files\SnowMirror" jre\bin\keytool.exe -keystore snowMirror-https.jks -storepass password -importcert -trustcacerts -noprompt -alias snowmirror-https -file "PATH-TO-P7B-FILE"
-
P7B file - Linux
cd "/opt/SnowMirror" jre/bin/keytool -keystore snowMirror-https.jks -storepass password -importcert -trustcacerts -noprompt -alias snowmirror-https -file "PATH-TO-P7B-FILE"
-
Multiple files including root and intermediate certificate - Windows
cd "C:\Program Files\SnowMirror" jre\bin\keytool.exe -keystore snowMirror-https.jks -storepass password -importcert -trustcacerts -noprompt -alias snowmirror-dev-root -file "PATH-TO-RESPONSE-ROOT-CERT-FILE" jre\bin\keytool.exe -keystore snowMirror-https.jks -storepass password -importcert -trustcacerts -noprompt -alias snowmirror-dev-intermediate-ca -file "PATH-TO-RESPONSE-INTERMEDIATE-CERT-FILE" jre\bin\keytool.exe -keystore snowMirror-https.jks -storepass password -importcert -trustcacerts -noprompt -alias snowmirror-https -file "PATH-TO-RESPONSE-SNOWMIRROR-HTTPS-FILE"
-
Multiple files including root and intermediate certificate - Linux
cd "/opt/SnowMirror" jre/bin/keytool -keystore snowMirror-https.jks -storepass password -importcert -trustcacerts -noprompt -alias snowmirror-dev-root -file "PATH-TO-RESPONSE-ROOT-CERT-FILE" jre/bin/keytool -keystore snowMirror-https.jks -storepass password -importcert -trustcacerts -noprompt -alias snowmirror-dev-intermediate-ca -file "PATH-TO-RESPONSE-INTERMEDIATE-CERT-FILE" jre/bin/keytool -keystore snowMirror-https.jks -storepass password -importcert -trustcacerts -noprompt -alias snowmirror-https -file "PATH-TO-RESPONSE-SNOWMIRROR-HTTPS-FILE"
-
OpenSSL: OpenSSL private key file and one certificate file - Windows
cd "C:/Program Files/SnowMirror" del snowMirror-https.jks openssl pkcs12 -export -in PATH-OF-THE-CER-FILE -inkey PATH-OF-THE-PRIVATE-KEY-FILE -out snowMirror-https.pfx -name snowmirror jre\bin\keytool -importkeystore -srckeystore "snowMirror-https.pfx" -destkeystore snowMirror-https.jks -destkeypass password
-
OpenSSL: OpenSSL private key file and one certificate file - Linux
cd "/opt/SnowMirror" rm snowMirror-https.jks openssl pkcs12 -export -in PATH-OF-THE-CER-FILE -inkey PATH-OF-THE-PRIVATE-KEY-FILE -out snowMirror-https.pfx -name snowmirror jre/bin/keytool -importkeystore -srckeystore "snowMirror-https.pfx" -destkeystore snowMirror-https.jks -destkeypass password
-
Other formats - If they send you PEM file instead of P7B, you can most probably use the same commands as you would use with P7B. The commands expect, that the PEM file contains public key of your certificate and public keys of intermediary and root CA.
To find, whether PEM file contains the whole certificate chain, you can open it in notepad. Then look for "-----BEGIN CERTIFICATE-----". If you find multiple lines with this text, you can use the same commands as if you were importing P7B.
If you receive a CSR response in some other format, you can consult that with our support team.
7.5. Security Properties
On Settings → Advanced Properties page we offer several security related properties. Usually, there is no need to change them. This chapter explains these properties.
Property | Default | Description |
---|---|---|
snowMirror.security.httpHeaders.useXFrameOptions |
true |
If enabled, pages contain "X-Frame-Options: SAMEORIGIN" HTTP header. |
snowMirror.security.httpHeaders.useXXSSProtection |
true |
If enabled, pages contain "X-XSS-Protection: 1; mode=block" HTTP header. |
snowMirror.security.httpHeaders.useXContentTypeOptions |
true |
If enabled, pages contain "X-Content-Type-Options: nosniff" HTTP header. |
snowMirror.security.httpHeaders.useContentSecurityPolicy |
true |
If enabled, pages contain "Content-Security-Policy: default-src 'self'; img-src 'self' data:" HTTP header. |
snowMirror.security.showExceptionOnErrorPages |
true |
If enabled, the error page will display stack trace of an exception. Disable this property if your security policies do not allow to reveal such information. |
snowMirror.security.showSystemInfoOnErrorPages |
true |
If enabled, the error page will display system information like SnowMirror version, database type and version, etc. Disable this property if your security policies do not allow to reveal such information. |
snowMirror.security.showVersion |
true |
If enabled, pages contain SnowMirror version in a footer. |
snowMirror.security.showServiceNowUrls |
true |
If enabled, SnowMirror shows a link to ServiceNow in the footer and on detail of each synchronization. If disabled no links to ServiceNow are shown on any page. |
snowMirror.security.rememberMeEnabled |
true |
Is "Remember me" enabled or not? After changing this property, you need to restart SnowMirror. Allowed values: true, false |
snowMirror.security.sessionTimeoutInMinutes |
240 |
Specifies how long the session will be valid. Log out and log back in for the update to take effect. SnowMirror continuously refreshes data when open in a browser. To let the session expire, close any tabs where SnowMirror is currently open. |
Turn off Properties
To tighten security measures, you can disable properties after installing SnowMirror. Please manually connect to your configuration database and call:
UPDATE config SET property_value = 'false' WHERE property_key IN ('snowMirror.security.showExceptionOnErrorPages', 'snowMirror.security.showSystemInfoOnErrorPages', 'snowMirror.security.showVersion', 'snowMirror.security.showVersion', 'snowMirror.security.showServiceNowUrls')
Then, restart SnowMirror and finish Wizard configuration.
7.6. Trust an unknown certificate
SnowMirror contains certificates of trusted authorities. We encountered few cases where SnowMirror did not trust customer’s certificate (even though the certificate was just fine). Some companies run their own certificate authority. By default, SnowMirror does not trust it.
If SnowMirror does not trust your certificate you have to import it manually. The certificate has to be added to jre/lib/security/cacerts file and snowMirror.jks file.
7.6.1. Retrieving certificate of on-premise ServiceNow
If you have an on-premise ServiceNow and you need to retrieve its certificate, do this:
-
Download Keystore explorer - http://keystore-explorer.org/downloads.html. If you cannot install it, you can download ZIP file and run it without installation.
-
Open Keystore Explorer as Administrator
-
Click Examine → Examine SSL
-
Fill in SSL Host with the URL of your on-premise ServiceNow instance
-
Click Ok
-
-
A new window opens. There’s a field "Certificate hierarchy".
-
Click on the first line in Certificate Hierarchy, then Click Import. Choose "JKS". Click OK.
-
Click on the second line in Certificate Hierarchy and click Import. Repeat for all lines in Certificate hierarchy.
-
Click Ok
-
-
Save it
-
File → Save as
-
Type password: "changeit" (without quotes. Don’t change the password - the password must be "changeit")
-
Save it to snowMirror.jks
-
7.6.2. Import Certificate
If you have the certificate, and you need to configure SnowMirror to trust it:
-
Import your certificate to "snowMirror.jks"
-
Open cmd.exe as Administrator
-
type: cd "ABSOLUTE-PATH-OF-YOUR-SNOW_MIRROR-DIRECTORY"
-
type: jre\bin\keytool -keystore snowMirror.jks -storepass changeit -importcert -trustcacerts -noprompt -alias NAME-OF-YOUR-CERTIFICATE -file PATH-TO-YOUR-ROOT-CERTIFICATE-FILE
-
-
Import "snowMirror.jks" into "cacerts"
-
Open cmd.exe as Administrator
-
type: cd "ABSOLUTE-PATH-OF-YOUR-SNOW_MIRROR-DIRECTORY"
-
type: jre\bin\keytool.exe -importkeystore -srckeystore snowMirror.jks -destkeystore jre\lib\security\cacerts -storepass changeit
when asked for a password, type: changeit
-
-
Restart SnowMirror
7.7. TLS
Communication between SnowMirror and ServiceNow is encrypted using TLS protocol. Optionally, access to SnowMirror’s user interface is also encrypted. SnowMirror uses:
Environment | TLS Version |
---|---|
SnowMirror >= 3.6.0 |
TLS 1.2 |
SnowMirror <= 3.6.0 |
TLS 1.0 |
7.8. Memory Settings
SnowMirror allows you to configure how much memory it can use. After the start, SnowMirror allocates 700 MB of memory and is allowed to allocate up to 2 GB of memory.
In some cases you may need to increase a memory allocated to SnowMirror: If you download a lot of big records at once or if you increased the number of synchronizations running in parallel (snowMirror.quartz.threadCount property).
7.8.1. Windows service
-
Open cmd.exe from Windows Start menu as an Administrator
-
Type: cd "C:/Program Files/SnowMirror/bin"
(C:/Program Files/SnowMirror is default installation folder which is configurable during the installation) -
Open configuration window by typing: tomcat10w.exe //ES//SnowMirror
(SnowMirror is a name of the service - if you changed the name during the installation, change it in this command) -
Open "Java" tab and increase the value in "Maximum memory pool" field. Click OK.
-
Restart the service.
7.8.2. Linux
-
Stop SnowMirror
-
Edit file /opt/SnowMirror/snowMirror.properties
-
Add or edit the following line. Specify the value in megabytes (e.g. 1500m) or gigabytes (e.g. 2G):
snowMirror.memory.Xmx=2G
-
Save the file
-
Start SnowMirror
7.9. Audit Log
Auditing allows you to record events in SnowMirror. The audit log is written to the configuration database into "auditEventLog" table.
By default, auditing is enabled. You can disable it by setting snowMirror.audit.target Advanced Property from DATABASE to NONE. SnowMirror does not audit when embedded H2 database is used as configuration database.
7.9.1. Audit Event Log
To get data from the audit log, you’re expected to connect to your configuration database and query it using SQL. See description of the audit table below.
Column | Description |
---|---|
Id |
Id of the event |
Event |
Name of the event |
Created |
Date and time when the event has been recorded |
Created by |
Name of the user who was logged in when the event was recorded |
Data |
Additional data in JSON format which provides you a context of the event |
Code |
If a synchronization failed or finished with a warning, this field may contain its code. See the list of all known warnings and errors. |
7.9.2. Events
SnowMirror recognizes following events.
Event | Description |
---|---|
ConfigUpdated |
Configuration properties have been updated |
Login |
Successful login |
LoginFailure |
Failed login attempt |
Logout |
Successful logout |
SyncCreated |
A new synchronization has been created |
SyncDeleted |
A synchronization has been deleted |
SyncUpdated |
A synchronization has been updated |
SyncWarning |
A synchronization has finished but needs your attention |
SyncError |
A synchronization has failed |
UserCreated |
A new user has been created |
UserUpdated |
A user has been updated |
UserPasswordChanged |
A password has been updated |
7.10. ServiceNow API
7.10.1. REST API and Performance API Quota
By default, ServiceNow grants you up to 60 seconds to process a request. After 60 seconds, the requests times-out. Usually, that is enough. However, sometimes it may be necessary to increase this time-out limit. You can do that in your ServiceNow instance by configuring Transaction Quotas.
This chapter explains, how to exclude your user from the default quota and how to create a new quota specifically for SnowMirror.
-
Login to your ServiceNow instance
-
Exclude SnowMirror from the default Quotas.
-
Open Transaction Quota Rules page
-
Find a quota named "REST Table API request timeout" and open it.
-
Add a "Condition": "User" "is not" "NameOfYourUser". Save changes by clicking "Update" button.
-
Find a quota named "REST Aggregate API request timeout" and open it.
-
Add a "Condition": "User" "is not" "NameOfYourUser". Save changes by clicking "Update" button.
-
Find a quota named "REST and JSON Catch All" and open it.
-
Add a "Condition": "User" "is not" "NameOfYourUser". Save changes by clicking "Update" button.
-
-
Create a new quota for SnowMirror
-
Fill in:
-
Name = SnowMirror Quota
-
Active = checked
-
Maximum Duration = 120
-
Condition:
-
Type is REST
-
and "URL" "matches regex" ".*/api/now(/v[0-9]+)?/(table|stats).*" or "URL" matches regex" ".*/api/gvs/performance_api/.*"
-
and "User" "is" "NameOfYourUser"
-
Description: This quota rule applies to all incoming REST Aggregate API and REST Table API transactions. Any transaction exceeding the maximum duration will be cancelled.
-
-
-
Save changes by clicking "Submit" button.
-
7.10.2. Custom Parameters and Headers
By default, SnowMirror calls SOAP API and REST API with certain parameters and HTTP headers. If you wish to specify your own parameters and HTTP headers, please go to Settings → Advanced Properties page and change following properties.
API | Advanced Property | Sample Value |
---|---|---|
SOAP |
serviceNow.do.soap.customParams |
myParam1=myValue1&myParam2=myParam2 |
SOAP |
serviceNow.do.soap.customHttpHeaders |
MyHeader1=my value,MyHeader2=Escape\, comma |
REST |
serviceNow.rest.api.customParams |
myParam1=myValue1&myParam2=myParam2 |
REST |
serviceNow.rest.api.customHttpHeaders |
MyHeader1=my value,MyHeader2=Escape\, comma |
7.11. Meta-Data Cache
On the background, SnowMirror downloads meta-data about tables (names, columns, data-types, etc.). For better performance, it caches the meta-data so that it does not have to connect to ServiceNow every time it needs it.
Meta-data in Service now can change. Therefore, SnowMirror caches the meta-data up to 24 hours and then it reloads it.
7.11.1. Auto Schema Update And Notifications
Synchronizations may be configured to automatically check for schema changes using Auto Schema Update Settings. They may also notify users about those schema changes. How does SnowMirror works with the meta-data cache when Auto Schema Update or Notifications are enabled?
Every time a synchronization is executed, SnowMirror clears meta-data of that synchronization from cache. Because of that, schema changes are discovered as soon as possible and that is really nice. On the other hand, SnowMirror has to make requests to ServiceNow to download the meta-data. SnowMirror installations with plenty of synchronizations or aggressive schedules may benefit (performance-wise) from making less meta-data requests.
You can change that behavior on Settings → Advanced Settings page by setting "snowMirror.cache.clearBeforeSynchronization" property to false. With such settings, a synchronization do not clear cache every time it is executed. Therefore, the number of meta-data requests is minimized. Schema changes will be discovered with up to 24 hours delay.
7.12. Reset Forgotten Password
If you have forgotten your password and cannot login to SnowMirror please follow the following steps:
H2 Configuration Database
If you use the embedded H2 database go to "snow-mirror/data/h2" directory and send us snowmirror.h2.db file. We will reset the password for you.
All Other Databases
-
Manually connect to your configuration database.
-
Call the following SQL query to update password of "admin" user:
UPDATE users SET password = 'FveMBW1EiuG2UdAE1Zqe0tjedqaOrkm7b4jDdmsw2ak=' WHERE username = 'admin'; -
Your new password is: password
-
After logging in, go to Settings → Profile Settings → Change Password and choose a new password.
7.13. FAQ
-
How SnowMirror hashes passwords that users use to log in to user interface.
SnowMirror can keep user accounts in its own internal database. It hashes passwords using BCrypt. If you don’t want to store passwords in SnowMirror’s internal database, you can configure it to use LDAP or SAML SSO where passwords are stored outside SnowMirror and are under your control.
SnowMirror uses BCrypt to hash passwords. BCrypt salts password with a 128-bit long dynamic/random salt.
SnowMirror uses BCrypt implementation from Spring framework library. More specifically, it uses BCryptPasswordEncoder component (source code) and BCrypt component (source code).
-
How SnowMirror stores password to external systems like ServiceNow or database server
To authenticate to ServiceNow or a database server, we need to have passwords available in plain-text so that we can send it to ServiceNow or database. Such passwords are encrypted using AES-256. An encrypted password of your configuration database is stored in "snowMirror.properties" file. All other encrypted passwords are stored in "config" table in your configuration database.
-
Does SnowMirror enforce password complexity?
SnowMirror can keep user accounts in its own internal database. It requires passwords at least 6 characters long. Otherwise, it does not impose any restrictions.
If you are one of the customers where this is not sufficient, do not store user account into SnowMirror’s internal database. Instead, use LDAP or SAML SSO. In such case, passwords are stored outside SnowMirror and are under your control (including password complexity).
-
Session timeout - for how long a user stays logged in?
A session times out after 4 hours and is not configurable.
-
Does SnowMirror log login attempts?
Login attempts can be found in your configuration database in Audit Log (auditEventLog table). To find login attempts, filter the table using "event" column and look for "Login" and "LoginFailure" events.
Sample SQL Query to Select Login AttemptsSELECT * FROM auditEventLog WHERE event IN ('Login', 'LoginFailure') ORDER BY created DESC;
-
Does SnowMirror supports "Control Flow Guard"?
SnowMirror does not support Control Flow Guard (CFG). SnowMirror runs on Java and Apache Tomcat and none of these use CFG.
-
What is a maximum size of import file?
SnowMirror allows you to import synchronizations from XML file. By default, SnowMirror accepts files with a size up to 50MB. The limit is configurable on "Settings → Advanced Settings" page via "snowMirror.maxUploadSizeKb" property.
-
Does SnowMirror cache passwords in memory?
When you log in into a virtual machine with SnowMirror and you make a memory dump of SnowMirror process, you may be able to see a password of logged-in user for some time. SnowMirror works with the password in memory only for a short period of time. However, it may stay in memory for a longer time. SnowMirror runs on Java which is responsible for cleaning up the memory. SnowMirror cannot affect when Java cleans up the memory.
8. How To
This chapter contains a bunch of mutually unrelated "How To" guides which don’t fit into any other chapter.
Upgrade SM >= 4.3.0 If Using SQL Server With SSO
If you need to upgrade from SnowMirror < 4.3.0 to SnowMirror >= 4.3.0, and you are using SQL Server with SSO authentication you have to follow the following instructions:
-
Open cmd.exe from Windows Start menu as an Administrator
-
Type: cd C:/Program Files/SnowMirror/bin (C:/Program Files/SnowMirror is default installation folder which is configurable during the installation)
-
Open configuration window by typing: tomcat10w.exe //ES//SnowMirror (SnowMirror is a name of the service - if you changed the name during the installation, change it in this command too)
-
Open "Java" tab and and find a parameter "-Djava.library.path=…". Remember it for a later use.
-
Close the window.
-
Upgrade SnowMirror and stop it.
-
Type: tomcat10w.exe //ES//SnowMirror, go to "Java" tab and add the "-Djava.library.path=…" you remembered.
-
Restart SnowMirror.
8.1. H2 Migration
Some SnowMirror installations use embedded H2 database as a configuration database. The H2 database is great for evaluation because it works out-of-the box (no configuration is needed). However, it is not suitable for production environment. In the long run, it is susceptible to failures. We are able to fix such failures, however the production environment is down until we fix it.
These kinds of failures do not happen on other databases (SQL Server, Oracle, MySQL, PostgreSQL). If you use H2 database, we recommend you to migrate to some other database. This chapter describes how to do that.
-
Make sure, that you use at least SnowMirror 4.7.3. If you use older version, please upgrade your SnowMirror first.
-
Create a new empty database in SQL Server, Oracle, MySQL or PostgreSQL
-
Backup snowMirror.properties file - make a copy of that file and name it snowMirror.properties.bak.
-
Open snowMirror.properties file and SnowMirror to connect to the new database: SQL Server, Oracle, MySQL or PostgreSQL.
-
Restart SnowMirror.
-
Open SnowMirror in your browser. You’ll see a Configuration Wizard. In the bottom right corer, click on the "Migrate from embedded H2 database" link.
-
Type locations of H2 database file and InstallationId file. This is useful if you’re moving these files from some other server. Otherwise, you can leave the default values unchanged.
-
H2 Database File Path - Absolute location of your H2 database file on your file system. By default, it is located inside SnowMirror’s installation directory: snow-mirror/data/h2/snowmirror.h2.db
-
Installation Id File Path = Absolute path of InstallationId file. SnowMirror uses this file to encrypt passwords inside the configuration database.
-
-
Click "Migrate" button and wait until the migration finishes.
-
Restart SnowMirror.
-
Login to SnowMirror and check that everything works as expected (run some synchronization). If something goes wrong, please switch back to H2 database.
-
Delete snowMirror.properties.bak file.
8.1.1. Failed H2 Migration
In case the migration fails, please switch back to H2 database:
-
Rename snowMirror.properties.bak file back to snowMirror.properties
-
Restart SnowMirror.
-
Login to SnowMirror and check that everything works as expected (run some synchronization).
-
Contact our support - send us snowMirror-server.log file, and we will investigate why the migration failed.
8.2. Thread Dump
Thread dump captures the current state of SnowMirror and its threads. It allows us to understand what was going on inside SnowMirror at moment you captured it. That is useful in case SnowMirror gets stuck. You are not expected to understand thread dump output - that is job for our L3 support.
How To Create Thread Dump On Windows
Version: 4.3.0 and newer, OS: Windows
-
Open Task Manager (Ctrl + Shift + Esc)
-
Click "Details" tab
-
Find "tomcat10.exe" and remember the value of "PID" column
-
Open cmd.exe as an Administrator
-
Execute:
cd "C:\Program Files\SnowMirror"
-
Execute:
jre\bin\jstack.exe PID > logs\thread-dump.log
-
Send us
C:\Program Files\SnowMirror\logs\thread-dump.log
file
How To Create Thread Dump On Linux
Version: 4.3.0 and newer, OS: Linux
-
Connect to your server.
-
Find out PID of SnowMirror:
ps aux | grep [/]opt/SnowMirror | awk '{print $2}'
-
Create a thread dump file:
/opt/SnowMirror/jre/bin/jstack PID > /opt/SnowMirror/logs/threaddump.log
-
Send us
/opt/SnowMirror/logs/thread-dump.log
8.3. Move to Another Server
This tutorial describes how to move SnowMirror installation from one server to another. You will keep using your existing databases. Please follow the instructions:
This tutorial does not describe how to move your database server. Database server is under your control, and it is out of scope of this documentation. If you also want to copy databases, see additional instructions in chapter Copy Your Environment.
8.3.1. Windows To Windows
-
New server: Install the same version of SnowMirror. Choose H2 as a configuration database (don’t worry, we will switch to your existing database later). Do not open SnowMirror in web browser - in this step, you only work with the EXE installer.
-
New server: Stop SnowMirror.
-
Old server: Stop SnowMirror.
-
New server: Delete C:\Program Files\SnowMirror\snow-mirror\data directory.
-
New server: Copy content of C:\Program Files\SnowMirror\snow-mirror\data from old server to the new one.
-
New server: Copy files from old server to the new one:
-
C:\Program Files\SnowMirror\snowMirror.properties
-
C:\Program Files\SnowMirror\snowMirror.jks (only if it exists)
-
C:\Program Files\SnowMirror\snowMirror-https.jks
-
C:\Program Files\SnowMirror\conf\server.xml
-
C:\Program Files\SnowMirror\conf\web.xml
-
C:\Program Files\SnowMirror\jre\lib\security\cacerts
-
-
New server: Copy activity logs directory from the old server to the new one: c:\Program Files\SnowMirror\logs\activityLogs
-
New server: In case you changed memory settings on the old server, please change it on the new server too.
-
New server: If the URL of SnowMirror changed, open C:\Program Files\SnowMirror\snowMirror.properties and change snowMirror.host accordingly.
-
New server: If the connection to configuration database changed, open /opt/SnowMirror/snowMirror.properties and change config.jdbc properties accordingly.
-
New server: Start SnowMirror.
-
Open SnowMirror in your browser and check that everything works.
-
Old server: If everything works on the new server, you can uninstall SnowMirror from the old server.
8.3.2. Linux To Linux
-
Old server: Stop SnowMirror.
-
New server: Copy the whole SnowMirror directory /opt/SnowMirror from the old server to the new one.
-
New server: In case you installed SnowMirror as a service, please do it on the new server too.
-
New server: If the URL of SnowMirror changed, open /opt/SnowMirror/snowMirror.properties and change snowMirror.host accordingly.
-
New server: If the connection to configuration database changed, open /opt/SnowMirror/snowMirror.properties and change config.jdbc properties accordingly.
-
New server: Start SnowMirror.
-
Open SnowMirror in your browser and check that everything works.
-
Old server: If everything works on the new server, you can uninstall SnowMirror from the old server.
8.3.3. From Windows To Linux
-
New server: Partially install the same version of SnowMirror. Do not edit snowMirror.properties and do not start SnowMirror.
-
New server: Delete /opt/SnowMirror/snow-mirror/data directory.
-
Old server: Deactivate all synchronizations.
-
Old server: Stop SnowMirror.
-
New server: Copy content of /opt/SnowMirror/snow-mirror/data from old server to the new one.
-
New server: Copy files from old server to the new one:
-
/opt/SnowMirror/snowMirror.properties
-
/opt/SnowMirror/snowMirror.jks (only if it exists)
-
/opt/SnowMirror/snowMirror-https.jks
-
/opt/SnowMirror/conf/server.xml
-
/opt/SnowMirror/conf/web.xml
-
/opt/SnowMirror/jre/lib/security/cacerts
-
-
New server: Optionally, setup an auto-start service.
-
New server: If the URL of SnowMirror changed, open /opt/SnowMirror/snowMirror.properties and change snowMirror.host accordingly.
-
New server: If the connection to configuration database changed, open /opt/SnowMirror/snowMirror.properties and change config.jdbc properties accordingly.
-
New server: In case you changed memory settings on the old Windows server, please change it on the new server too.
-
New server: Start SnowMirror.
-
New server: Open SnowMirror in your browser and go to Settings → General Settings → Directories. Check, if the paths are correct or not. If they start with "C:/Program Files/SnowMirror", change them to start with "/opt/SnowMirror".
-
New server: Activate all your synchronizations and check that everything works.
-
Old server: If everything works on the new server, you can uninstall SnowMirror from the old server.
8.3.4. Copy Your Environment
The chapters above describe, how to move SnowMirror installation from one server to another and keep your databases intact. In this chapter, we describe how to make a copy of your environment. For example, you have a testing (trial) environment, and you want to create an exact copy of that environment.
Creating a new virtual machine and making a copy of your databases is out of context of this documentation. Once you have a copy of your databases, follow the instructions below.
-
Configuration database contains connection configuration to your mirror database. Before you connect SnowMirror to the new configuration database, you have to change the connection information.
-
Manually connect to your new configuration database.
-
See connection settings of your mirror database:
SELECT * FROM config WHERE property_key IN('mirror.jdbc.url', 'mirror.jdbc.username', 'mirror.jdbc.password', 'mirror.jdbc.schema', 'mirror.jdbc.database');
-
Update the properties so that they point to the new mirror database.
-
If you configured multiple database connections, see all connections related properties:
SELECT * FROM config WHERE property_key LIKE 'mirror%[1-1000]';
-
Locate the properties you want to change and use the same technique to update them as described in the previous step.
-
-
Follow the instructions from previous chapters:
9. FAQ
-
What is the default timezone?
Application uses UTC as default timezone. Also, the data stored in database are in UTC timezone.
-
Can I delete old log files about synchronization runs?
Yes, you can. They are located by snowMirror.activityLog.dir property (default value is logs/activityLogs). The files are located by this pattern: <synchronizationId>/<yyyy-MM>/<logId>.log. If you find the activityLogs directory too large you can delete files or whole directories to save some disk space.