Installing Moveworks for Employee Center

The Moveworks Assistant can now be embedded on your ServiceNow Employee Center by simply installing a plugin! Learn more about the plugin on the ServiceNow documentation site.

Follow the instructions below to ensure that you have the necessary Moveworks configuration and information to install the plugin.

Installation Steps

The instructions below provide a walk through of how to install Moveworks for Employee Center via the ServiceNow App Store.

Navigate to Chat Platforms > Manage Chatbots and then select Create on the top right to create a Bot Configuration for the Embedded AI Assistant. Set the following configuration.

After you select Submit on the bottom right, navigate back to the page, and you should see the Bot ID was generated. Take note of this Bot ID as you will need to update this value in ServiceNow.
Follow the steps below under JWT Certificate Generation Guide (Mac & Windows) to generate the certificates used for authentication. After completing those steps, you should have 2 certificates a .jks file and a .crt file.
Navigate to Chat Platforms > Web Chatbot > Authentication and select Create on the top right, and set the following configuration (For ServiceNow Webchat Authentication config, it is recommended to use ITSM_USER_ID as the User Identifier Type as that is guaranteed to be unique for all users):

Don't forget to upload your .crt certificate!

Your .crt certificate file should be uploaded on the screen above in the file upload section labeled Webchat Credentials.

Once you have completed the steps above, follow the instructions here (https://www.servicenow.com/docs/r/employee-service-management/employee-experience-foundation/moveworks-ec-getting-started.html) to complete the Configurations in ServiceNow.

JWT Certificate Generation Guide (Mac & Windows)

Overview

This guide walks you through generating a self-signed JWT certificate (valid for 2 years) for use with Moveworks for Web.

The output is a liveCERT.jks file that you’ll upload into your ServiceNow environment, and a corresponding .crt cert that will be uploaded into Moveworks.

Mac

Prerequisites: openssl (pre-installed) and keytool (comes with Java/JDK)

Replace YOURORG and YOURPASSWORD with your values, then run:

$ ORG=YOURORG PW=YOURPASSWORD && \
> openssl genrsa -aes256 -passout pass:$PW -out $ORG.key 4096 && \
> openssl req -new -key $ORG.key -days 730 -passin pass:$PW \
>   -subj "/C=US/ST=CA/L=Mountain View/O=$ORG/OU=IT/CN=$ORG" \
>   -x509 -keyout liveOUT.key -out liveOUT.crt && \
> openssl pkcs12 -export -in liveOUT.crt -inkey $ORG.key \
>   -passin pass:$PW -passout pass:$PW -certfile liveOUT.crt -out liveOUT.p12 && \
> keytool -noprompt -importkeystore \
>   -destkeypass $PW -srcstorepass $PW -deststorepass $PW \
>   -srckeystore liveOUT.p12 -srcstoretype pkcs12 \
>   -destkeystore moveworks.jks -deststoretype JKS

Output: moveworks.jks — upload this file into your environment.

Windows

Option A: WSL (Recommended)

Install WSL (wsl --install in PowerShell as admin), then run the Mac commands above inside the WSL terminal.

Option B: Native Windows

Install OpenSSL for Windows and ensure Java/JDK is installed for keytool. Then run in PowerShell:

1 $ORG="YOURORG"; $PW="YOURPASSWORD"
2 openssl genrsa -aes256 -passout pass:$PW -out "$ORG.key" 4096
3 openssl req -new -key "$ORG.key" -days 730 -passin pass:$PW `
4   -subj "/C=US/ST=CA/L=Mountain View/O=$ORG/OU=IT/CN=$ORG" `
5   -x509 -keyout liveOUT.key -out liveOUT.crt
6 openssl pkcs12 -export -in liveOUT.crt -inkey "$ORG.key" `
7   -passin pass:$PW -passout pass:$PW -certfile liveOUT.crt -out liveOUT.p12
8 keytool -noprompt -importkeystore `
9   -destkeypass $PW -srcstorepass $PW -deststorepass $PW `
10   -srckeystore liveOUT.p12 -srcstoretype pkcs12 `
11   -destkeystore moveworks.jks -deststoretype JKS

Output: moveworks.jks — upload this file into your environment.

Installing Embedded AI Assistant using OIDC-Based SSO (Alternative)

First, follow the steps to configure an SSO application for authentication to the Embedded AI assistant in the guide related to the SSO system you are using (e.g. Azure, Okta, etc.).

Okta OIDC: /ai-assistant/ai-assistant-web-surfaces/moveworks-for-web/moveworks-for-web-installation-okta-oidc
Azure OIDC: /ai-assistant/ai-assistant-web-surfaces/moveworks-for-web/moveworks-for-web-installation-azure-oidc

For additional SSO system guides, check the navigation menu on the left side of the page.

Once steps are complete and you have your code snippet, you can add it to your ServiceNow service portal.

Navigate to the sp_portal table. Find the portal(s) on which you’d like to include the widget, and click into its Theme record.

Find the footer field:

If there is nothing there, use the magnifying glass to create a new footer record and navigate to it. If there is already a footer there, navigate to that record.

In the footer record, add the relevant snippet to the Body HTML template field. For example:

<script src="https://webchat-kprod.moveworks.io/script/<bot_id>" />

Ensure the footer is applied to your theme:

Now the widget is set to appear on any page using that theme, including your Service Portal.

Once Moveworks configuration is complete, and you have access to the web bot, navigate to your Service Portal to see the Moveworks web AI Assistant widget.

FAQ

Q: How do I check the expiry of my cert?

A: You can use one of the following commands to check the expiry of a cert:

Check the .crt file directly: openssl x509 -in liveOUT.crt -noout -enddate OR openssl x509 -in liveOUT.crt -noout -dates

Check the .p12 (PKCS12) file: openssl pkcs12 -in liveOUT.p12 -passin pass:$PW -nodes | openssl x509 -noout -enddate

Check the .jks (Java KeyStore): keytool -list -v -keystore moveworks.jks -storepass $PW | grep "Valid from"