Anytime anyone wants to talk about security, certificates, and certificate authorities most people zone out as if they were on a dinner date and everyone started to talk about religion or politics (and yes, I love to talk religion and politics).

Besides being able to send and receive signed Web service requests using WS-Security, ServiceNow is also able to consume web services that require mutual authentication. Mutual authentication is also known as mutual SSL authentication, two-way SSL authentication, or certificate-based mutual authentication. With this method of authentication, two parties authenticate to each other by each verifying signed certificates provided by the other entity. This “handshake” process takes place before any web service payload is exchanged.

Please Note: While ServiceNow Web service clients can be configured to make SOAP, REST, or other Web service requests with mutual authentication, operational and data center constraints current prohibit ServiceNow from supporting inbound mutual authentication requests.

Please Note as Well: ServiceNow does not currently (December 2013) support outbound mutual authentication through a MID Server. MID Servers are running within the local network, so this shouldn’t be a big deal since you likely trust the communication within your network more than the internet.

General setup to prepare for Mutual Authentication

Before you can perform mutual authentication, there are some steps that are required to be set up between a client and a server. Within this article, we will refer to ServiceNow as the client, and a third-party service as the server.

STEP 1 – Generate Signed Certificate for ServiceNow

Screenshot_12_17_13_7_37_AM

A certificate must be generated and signed for the ServiceNow instance. For demo purposes a self-signed certificate is usually just fine. However, in production systems, you will likely want to generate a certificate and have it signed through a trusted Certificate Authority.

If I were to generate a self-signed certificate for testing, I might do the following:

1
2
#Generate the certificate, sign it, and create a keystore to put it in
keytool -genkey -alias snclient -keyalg RSA -validity 365 -keystore snclient.keystore -storepass abcd1234 -keypass abcd1234

The tool will prompt me with several questions that I can answer:

Screenshot_12_17_13_7_49_AM

Once I complete this, my certificate and private key will be generated and stored in a java keystore file named: “snclient.keystore”. Both the keystore and the private key will have a password of “abcd1234”.

STEP 2 – Upload keystore to ServiceNow

Screenshot_12_17_13_7_38_AM

The keystore containing the certificate and private key will need to be uploaded into the ServiceNow instance.

Sample Keystore Setup in ServiceNow

Sample Keystore Setup in ServiceNow

To do this, browse to System Definition > Certificates. Click New. Give the record a name, and then set the Type field to be Java Key Store. Type in the keystore password (in this example, I used “abcd1234”). Finally, attach the keystore file to the record and then click the Submit button.

STEP 3 – Share public certificate with third party service

Screenshot_12_17_13_7_41_AM

The Public Certificate that was generated for the ServiceNow instance should be shared with the third party service you will be consuming. You can do this in any format that they third party requires. Usually a certificate in the DER format (.cer file) is sufficient. If you had your certificate signed by a Certificate Authority, it is good to send all of the certificates involved in the certificate chain used by the signing authority.

In order to extract the public certificate from the keystore we created, we can issue the following command:

1
keytool -export -alias snclient -keystore snclient.keystore -storepass abcd1234 -file snclient.cer

This gives me a public certificate file in the “DER” format by the name of “snclient.cer”. I can now give this to the person managing the third party service so that they can load it into their trust store.

STEP 4 – Load the third party certificate into ServiceNow

Ask for the third party certificate in either PEM or DER format. If the certificate is involved in a trust chain, ask for the corresponding certificates as well. Load the certificate(s) into the ServiceNow instance by browsing to System Definition > Certificates. Click New. Give the record a name, and then set the Type field to be Trust Store Cert.

If the certificate was in PEM format, set the Format field to PEM and paste the PEM string into the PEM Certificate field on the record. Be sure to include the “—— BEGIN CERTIFICATE ——-” and “———- END CERTIFICATE ———-” strings.

If the certificate was in DER format, set the Format field to DER and attach the certificate file to the record.

Sample Certificate Record loaded in DER format.

Sample Certificate Record loaded in DER format.

After you click Submit the record will be populated through the information in the certificate.

STEP 5 – Set up Mutual Authentication Protocol properties

ServiceNow lets you define your own protocol and port for communicating with an endpoint that requires Mutual Authentication. When you use that protocol class, it triggers the mutual authentication.

For example, I can choose to create a protocol class of “myhttps”. When this protocol class is used in an Endpoint in the system, it automatically triggers mutual authentication over a specified port.

A SOAP request going to “https://myexample.com/SOAPWebService/ticket” will post without Mutual Authentication over HTTPS on port 443.

I can set up two properties in the ServiceNow instance that lets me trigger the mutual authentication.

  • glide.httpclient.protocol.DESIREDPREFIXSTRING.class
  • glide.httpclient.protocol.DESIREDPREFIXSTRING.port

The first property must be set to the following java class signature: “com.glide.certificates.DBKeyStoreSocketFactory”.
The second property can be set to whatever port the third party is running on (it can even be port 443).
Both properties should have the same DESIREDPREFIXSTRING value in the property name.

For example, let’s say I set the properties up in the following manner:
mauthprops-2

In this case, if I change my previous SOAP endpoint to be: “myhttps://myexample.com/SOAPWebService/ticket”, this will trigger the request to go over port 6767 and perform a mutual handshake before sending the payload. The key is the “myhttps” protocol prefix. This prefix can be whatever you want, as long as it is not already used by the system.

To view the video demo that covers this and the actual setup/execution of a Mutual Authentication call within ServiceNow, view the How to set up Mutual Authentication video link.