Configure HMAC - Token-based authentication
- Updated Aug 1, 2024
- Xanadu
- Platform Security
Configure HMAC to support authentication for REST API endpoints.
Before you begin
Role required: admin
Plugin required: API Key and HMAC Authentication (com.glide.tokenbased_auth)
Procedure
1. Create an HMAC configuration.
   - Navigate to All > System Web Services > API Access Policies > HMAC Configuration.
   - Select New.
     Note: You can also use the Default HMAC SHA256 Base64 Encoding configuration, which is created when the plugin is installed.
   - On the form, fill in the fields:

     Table 1. HMAC Configuration

     | Field | Description |
     | --- | --- |
     | Name | Name for the HMAC configuration. |
     | Application | Scope of the configuration. |
     | Description | Detailed description of the configuration. |
     | Hash Algorithm | Hash algorithm to use. Options available: HmacSHA256, HmacSHA384, HmacSHA512. |
     | HMAC util script | Utility script for HMAC. Note: If you validate HMAC authentication using the request body, timestamp and secret with no key ID, create a customized script include as the HMAC util script, and use that script include to interpret the passed-in timestamp and request body. |

     For every shared secret created in the ServiceNow® instance there is a key ID. Configure that key ID in the Default Key ID field of the HMAC authentication profile.
   - Submit the record.
2. Create an inbound authentication profile.
   - Navigate to All > System Web Services > API Access Policies > Inbound Authentication Profiles.
   - Select New.
     The system displays the message "What kind of authentication profile?"
   - Select Create HMAC authentication profiles.
   - On the form, fill in the fields:

     Table 2. HMAC authentication profiles

     | Field | Description |
     | --- | --- |
     | Name | Name to identify the authentication policy. |
     | Application | Scope of the authentication policy. |
     | Configuration for HMAC | Select the HMAC configuration that was created. |
     | Auth Parameter | Auth parameter for the authentication request. Select one of the default options or create a new auth parameter: x-sn-hmac-signature-256: Auth Header, or x-sn-hmac-signature-256: Query Parameter. |
     | Default Key ID of Shared Secret | Token information (the key ID) that can be set in this field for use with HMAC. Note: The selected auth parameter has to be supplied in the REST call as part of the Auth Header or Query Parameter. |
   - Submit the form.
3. Create an HMAC secret.
   - Navigate to All > System Web Services > API Access Policies > REST API HMAC Secret.
   - Select New.
   - On the form, fill in the fields:

     Table 3. REST API HMAC Secret

     | Field | Description |
     | --- | --- |
     | Name | Name to identify the REST API HMAC secret. |
     | Description | Description of the REST API HMAC secret. |
     | Active | Status of the REST API HMAC secret. |
     | User | User associated with the REST API HMAC secret. Use the look-up icon to select the user. |
     | Key ID | Key ID that must be sent as part of the REST call. The Key ID is generated after the form is submitted. |
     | Shared Secret | Shared secret of the user, for example, the password. |
     | Source | Source of the record. |
     | Expiry | Time after which the credential is no longer valid. An empty value means no expiration. Note: For more information about token expiry, see Cleaning up token Expiry. |
   - Submit the form.
   - Open the record that was created and find the Key ID generated by the ServiceNow AI Platform for the user.
     Note: You can enter the generated Key ID in the Default Key ID field of the HMAC authentication profile that was created, if you don't want to specify the auth or query parameter in the API call.
4. Create a REST API access policy.
   - Navigate to All > System Web Services > REST API Access Policies.
   - Select New.
   - On the form, fill in the fields:

     Table 4. API Access Policies

     | Field | Description |
     | --- | --- |
     | Name | Unique name of the API access policy. |
     | Active | Option to make the API access policy active. |
     | REST API | The REST API to which the access policy is applied. For example, Attachment API. |
     | REST API PATH | API path of the REST API. This field is auto-populated based on the selected REST API. For example, now/attachment. |
     | HTTP Method | Method used for interacting with the API. This field is auto-populated based on the selected REST API. |
     | Version | Version of the API. For example, v1. This field is auto-populated based on the selected REST API. Note: If you want to create an authentication policy for all versions of a REST API, you must create individual policies for each version. |
     | Resource | Child resource of the REST API. This field is auto-populated based on the selected REST API. For example, /now/attachment. |
     | Application | Scope of the application. |
     | Global | Enable this field to apply the auth policy to all methods, versions, and resources for the API. Note: Token Based Auth isn't allowed in the Global REST API Policy. |
     | Apply to all methods | Enable this field to apply the auth policy for the API to all the methods, versions, and resources for the API. |
     | Apply to all resources | Enable this field to apply the auth policy for the API to all the versions. |
     | Apply to all versions | Enable this field to apply the auth policy for the API to all the resources. |
   - Add the API authentication profile that was created.
   - Submit the form.
You can send the REST API call:
- With the x-sn-hmac-signature-256 that was generated by ServiceNow® during the API Key creation, within the header or query parameter, based on the configuration for authentication.
- With a pre-request script, with the shared secret specified as part of the request.
Warning: Use a POST request when submitting any sensitive information to the server.