MID Server security and encryption

Several options are available for you to enhance security on MID Servers, including credential and encryption security, the authorization of SOAP requests, and the establishment of secure socket layer (SSL) connections.

How MID Server encryption works

The MID Server login credentials appear in the config.xml file in clear text by default, but you can encrypt them. While the username and password are initially set in a config.xml configuration file on the MID server, once the MID server retrieves the credentials, it can replace the clear-text password with an encrypted password. For the encryption of the local MID server service account, the password is encrypted using an AES128 encryption algorithm. The MID server also maintains an encryption key that is generated each time it starts and remains in memory and not on the hard disk. When credentials need to be sent from the instance to the MID server, the following process takes place:
  1. The instance retrieves the encrypted password and the unencrypted username from the instance database table.
  2. The instance decrypts the encrypted password, and then re-encrypts it using the MID server encryption key.
  3. The username and re-encrypted password are sent to the MID Server through the encrypted TLS session that was already established between the MID server and the instance.
  4. The MID server receives the credentials and decrypts the password in memory before using the credentials for remote operations. At no point is the credential password stored on the disk in an unencrypted format.

To enable this encryption, see Encrypt MID Server login credentials.

MID Server encryption keypairs

Automation credentials are secured by encrypting them in the instance with the MID Server's trusted public key prior to transmission. When the MID Server is created, it generates a keypair, consisting of a public and private key. After the MID Server is validated, it can use the private key to decrypt automation credentials. You should occasionally rekey the MID Server to meet your organization's security requirements. See Rekey a MID Server for instructions.

SSL certificates

You can add certificates to the MID Server if you want communication to occur over SSL. You can add these certificates to the cacerts keystore file:
  • Signing Certificate Authority (CA) certificate
  • MID Server certificate

See Add SSL certificates for the MID Server for instructions.

Basic authentication credentials and SOAP requests

You can enforce basic authentication on each request. The MID Server is not able to communicate through a proxy server if the proxy server supports only NTLM authentication. You can use basic authentication with a proxy server or create an exception for the MID server host.

Supplying basic authentication information, regardless of whether it is required, has an added advantage. The web service invocation creates or updates data using the supplied credentials. For example, when you create an incident record, the journal fields have the user id of the basic authenticated user instead of the default Guest user. This behavior allows you to identify data added by a specific MID Server.

You can set basic authentication credentials for SOAP requests. See Require basic authorization for incoming SOAP requests for instructions. Each SOAP request contains an Authorization header as specified in the Basic Authentication protocol.

Note: The setting for enforcing strict security controls how the instance uses the credentials you provide for the MID Server. When the setting is enabled, you must provide a user ID with access to the tables the MID Server is trying to access. When the setting is disabled, any valid user ID allows the MID Server to access all tables.

Encrypt MID Server login credentials

Encrypt the MID Server login credentials for added security.

Before you begin

Role required: admin

About this task

Note: Any field in this file can be encrypted, but once encrypted, a field can be managed only from within the instance. You should encrypt password fields only for the MID Server and any proxy server specified.

Procedure

  1. Navigate to the agent directory that was created when the MID Server was installed and open the config.xml file using a text editor such as WordPad.
    The instance credentials section of the config.xml file looks like this:
    <!-- If your instance has authentication enabled (the normal case), set
    these parameters to define the user name and password the MID Server will use
    to log into the instance. --> 
    
    <parameter name="mid.instance.username" value="midsrvadmin" />
    <parameter name="mid.instance.password" value="securepassw0rd"/>
  2. Add the encrypt="true" attribute to the password tag.
    <parameter name="mid.instance.username" value="midsrvadmin" />
    <parameter name="mid.instance.password" encrypt="true" value="securepassw0rd"/>
  3. Save the config.xml file, and then restart the MID Server service.
    The password is now encrypted.
    <parameter name="mid.instance.username" value="midsrvadmin" />
    <parameter name="mid.instance.password" encrypt="true" value="encrypted:rhrfUNYRzZAI8/BkTtZmNA=="/>

Result

The password cannot be decrypted (that is, displayed in clear text again) by changing the encrypt attribute to false or by deleting the attribute. If the password is changed in the config.xml file and the MID Server is restarted, the new password is encrypted.
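The following is an added example, not part of the original documentation or of the MID Server product code. It audits a config.xml for secret parameters that are still in clear text (no encrypt="true", or encrypt="true" but the value not yet rewritten with the encrypted: prefix after a restart) and applies step 2 of the procedure by adding the attribute. The <parameters> root element, the mid.proxy.password parameter name and the sample values are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the instance-credentials section of a MID Server
# config.xml. The <parameters> root element and the mid.proxy.password
# parameter name are assumptions made for this example.
SAMPLE_CONFIG = """<parameters>
<!-- If your instance has authentication enabled (the normal case), set
these parameters to define the user name and password the MID Server will use
to log into the instance. -->
<parameter name="mid.instance.username" value="midsrvadmin" />
<parameter name="mid.instance.password" value="securepassw0rd"/>
<parameter name="mid.proxy.password" encrypt="true" value="encrypted:AAAA=="/>
</parameters>
"""

# Parameter names whose values are secrets and should carry encrypt="true".
SECRET_PARAMS = ("mid.instance.password", "mid.proxy.password")


def parse_config(xml_text: str) -> ET.Element:
    """Parse config.xml, keeping comments so a rewrite does not drop them."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def audit_config(xml_text: str) -> list:
    """Return (name, problem) for every secret parameter not yet protected.

    A secret counts as protected only when encrypt="true" is set AND the
    MID Server has already rewritten the value with the 'encrypted:' prefix.
    """
    findings = []
    for param in parse_config(xml_text).iter("parameter"):
        name = param.get("name", "")
        if name not in SECRET_PARAMS:
            continue
        if param.get("encrypt") != "true":
            findings.append((name, "clear text; encrypt attribute not set"))
        elif not param.get("value", "").startswith("encrypted:"):
            findings.append((name, "encrypt=true but not yet rewritten; restart the MID Server"))
    return findings


def mark_for_encryption(xml_text: str) -> str:
    """Step 2 of the procedure: add encrypt="true" to every secret parameter.

    The MID Server itself performs the AES encryption on its next restart;
    this function only sets the attribute that tells it to do so.
    """
    root = parse_config(xml_text)
    for param in root.iter("parameter"):
        if param.get("name") in SECRET_PARAMS and param.get("encrypt") != "true":
            param.set("encrypt", "true")
    return ET.tostring(root, encoding="unicode")
```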

Rekey a MID Server

Rekeying a MID Server forces it to restart and generate a new private key. Typically, this is only necessary if the MID Server keystore is compromised.

Before you begin

Role required: admin

About this task

When the MID Server comes back online, the system automatically validates the new key, and the MID Server resumes processing automation tasks.

Procedure

  1. Navigate to MID Server > Servers.
  2. Open the MID Server whose keypairs you want to rotate.
  3. Under Related Links, click Rekey.

Add SSL certificates for the MID Server

Configure the MID Server to connect to a source over SSL.

Before you begin

Role required: admin

About this task

Note: The MID Server does not support SSL when importing data from an integration, such as an LDAP server.

Procedure

  1. Open a command prompt and navigate to the folder containing the JRE keytool.
    An example path might be: C:\Program Files (x86)\ServiceNow\<MidServer(s)>\agent\jre\bin
  2. Enter the following keytool command to import a certificate into the MID Server's cacerts keystore:
    keytool -import -alias <certificate alias> -file "<path to certificate>" -keystore "<path to MID Server(s)>\agent\jre\lib\security\cacerts"

    For example, you might enter: keytool -import -alias MyCA -file "C:\myca.cer" -keystore "C:\Program Files (x86)\ServiceNow\MIDserver\agent\jre\lib\security\cacerts"

    Note: Keytool prompts for a certificate password. If the certificate is for a CA, keytool also asks whether to trust the certificate authority. To add a certificate to an instance, see Upload a certificate to an instance.

Require basic authorization for incoming SOAP requests

For added security, you can enforce basic authentication on each incoming SOAP request to the MID Server.

Before you begin

Role required: admin

Procedure

  1. Navigate to System Properties > Web Services.
  2. Select the check box for Require basic authorization for incoming SOAP requests.
  3. Click Save.
  4. To provide basic authentication credentials for a MID Server, navigate to C:\Program Files\ServiceNow\<MID Server name>\agent and edit the config.xml file, as follows:
    1. Find the element <parameter name="mid.instance.username" value=""/> and enter the instance administrator user name as the value.
      For example, you might enter <parameter name="mid.instance.username" value="admin"/>.
    2. Find the element <parameter name="mid.instance.password" value=""/> and enter the configured password for this instance as the value.
      For example, you might enter <parameter name="mid.instance.password" value="abc123"/>.