Set up the keystore and encryption keys used by the Edge Encryption proxy server.

Before you begin

Role required: security_admin

Procedure

  1. Carefully determine the appropriate type of keystore to use based on your organization's needs.
    Supported keystores:

    File store
      Keys are stored in a file in a file system accessed by the Edge Encryption proxy server. Keys stored in a file are not encrypted, so it is your responsibility to protect these files (for example, by restricting file-system permissions to the account that runs the proxy).

    Java KeyStore
      A Java KeyStore:
      • Stores keys in a Java JCEKS KeyStore.
      • Is password protected and more secure than storing keys in a plain file in the file system.
      • Can store multiple keys. Each key is represented by a key alias, which makes managing multiple keys easier.

      The Edge Encryption proxy ships with a Java JCEKS KeyStore file named keystore.jceks in the keystore directory. This keystore file contains the ServiceNow public key used to validate encryption rules signed by ServiceNow.

    Enterprise Key Management (EKM) SafeNet KeySecure
      Keys are stored and retrieved with SafeNet KeySecure key management.

      You must obtain a license from Gemalto, download the libraries, and install the SafeNet KeySecure keystore on a host machine in your network before configuring the keystore on the Edge Encryption proxy server.

    Unbound Technology
      The base64-encoded wrapped encryption key is stored as a text file on the Edge Encryption proxy server. The Unbound Technology implementation (previously Dyadic Security) retains control of the wrapping key.

      The Edge Encryption proxy server must run on the same machine as the Unbound Technology client.

    Note: If using a keystore other than the base system Java JCEKS KeyStore, you must import the ServiceNow public key into your keystore. The public key alias is servicenow.
  2. Set up the keystore and encryption keys in your local network.
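The following is an added example, not ServiceNow code and not part of this page, showing the Java KeyStore option end to end: it opens the shipped keystore.jceks, checks that the servicenow alias is present, copies that entry into a new JCEKS keystore under the same alias (so a custom keystore still satisfies the note above), and adds a freshly generated AES key. It assumes that the ServiceNow entry is a trusted-certificate entry (what keytool -importcert produces), that the two keystore passwords arrive through the environment variables SRC_STOREPASS and DST_STOREPASS, and that the new key alias edge-key-1 and the 256-bit key length are illustrative choices; confirm the key length your proxy version requires.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Added example (not ServiceNow code): copy the "servicenow" public-key entry from the
 * shipped keystore.jceks into a new JCEKS keystore and add a fresh AES key to it.
 *
 * Assumptions (not from the page): the ServiceNow entry is a trusted-certificate entry,
 * passwords come from the environment, and "edge-key-1" / 256 bits are illustrative.
 *
 * Usage:
 *   SRC_STOREPASS=... DST_STOREPASS=... java MigrateKeystore \
 *       keystore/keystore.jceks /secure/edge-keys.jceks
 */
public class MigrateKeystore {
    private static final String SERVICENOW_ALIAS = "servicenow";
    private static final String NEW_KEY_ALIAS = "edge-key-1";   // illustrative alias

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: MigrateKeystore <source.jceks> <dest.jceks>");
            System.exit(2);
        }
        char[] srcPass = requireEnv("SRC_STOREPASS");
        char[] dstPass = requireEnv("DST_STOREPASS");

        // Load the shipped keystore. JCEKS must be named explicitly: the JVM default
        // keystore type cannot hold the SecretKey entries the proxy uses.
        KeyStore src = KeyStore.getInstance("JCEKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            src.load(in, srcPass);
        }

        // Check: the rule-signing public key must be present before going further.
        if (!src.containsAlias(SERVICENOW_ALIAS)) {
            throw new IllegalStateException(
                "alias '" + SERVICENOW_ALIAS + "' not found in " + args[0]);
        }
        Certificate snCert = src.getCertificate(SERVICENOW_ALIAS);
        if (snCert == null) {
            throw new IllegalStateException(
                "alias '" + SERVICENOW_ALIAS + "' is not a certificate entry");
        }

        // Build the new keystore: the ServiceNow certificate under the same alias
        // (so rule-signature validation still finds it) plus a new AES key.
        KeyStore dst = KeyStore.getInstance("JCEKS");
        dst.load(null, null);                       // initialise an empty keystore
        dst.setCertificateEntry(SERVICENOW_ALIAS, snCert);

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);                               // key length is an assumption
        SecretKey aesKey = kg.generateKey();
        dst.setEntry(NEW_KEY_ALIAS,
                     new KeyStore.SecretKeyEntry(aesKey),
                     new KeyStore.PasswordProtection(dstPass));

        try (FileOutputStream out = new FileOutputStream(args[1])) {
            dst.store(out, dstPass);
        }
        System.out.println("wrote " + args[1] + " with aliases: "
                           + SERVICENOW_ALIAS + ", " + NEW_KEY_ALIAS);
    }

    /** Read a required secret from the environment rather than the command line. */
    private static char[] requireEnv(String name) {
        String v = System.getenv(name);
        if (v == null || v.isEmpty()) {
            throw new IllegalArgumentException("environment variable " + name + " is not set");
        }
        return v.toCharArray();
    }
}
```

The same import can be done with the JDK's keytool (keytool -exportcert -alias servicenow -storetype JCEKS from the shipped file, then keytool -importcert -alias servicenow -storetype JCEKS into the new one); the program above additionally verifies that the alias exists before anything is written. Treat the resulting .jceks file like the file store: restrict its permissions to the proxy's service account, because the keystore password protects the key material but not the file's existence or its accessibility.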