When creating Outbound REST or SOAP messages, if the assigned Mutual Authentication Profile is not valid, it is not used. Instead the last working configuration is used.

Steps to Reproduce


To reproduce the problem please:

  1. Create an Outbound REST/SOAP Message with Mutual Authentication
  2. Associate a working Protocol Profile, called for example working_profile, and then test if it works
  3. Associate a not working Protocol Profile, called for example wrong_profile, and testing you observe:

    *** ERROR *** Exception while registering protocol: wrong_profile Error: Cannot recover key 
    *** ERROR *** REST Msg Outbound - RESTMessageClient : Error executing REST request: unsupported protocol: 'wrong_profile' 

This is because it is using the working_profile instead.


To resolve the issue, fix the

Here is a list of the common fixes:




The keystore fails and it is not loaded because the passwords for the Keystore and Private Key do not match. These must match.

Make the Keystore and Private Key password match.

The Mutual Authentication profile has been changed.

Clear the cache, execute /

The keystore is incorrectly created.

Follow these steps:

Needed from the 3rdParty application:

  1. The signed certificate for the ServiceNow instance. servercert.pem
  2. The private key for point A. serverkey.pem

Follow these steps:

  1. Create the JKS file for the ServiceNow instance: 
  • Create a PKCS 12 file using 1 and 2 
    openssl pkcs12 -export -in [path to certificate\servercert.pem] -inkey [path to private key\serverkey.pem] -certfile [path to certificate\servercert.pem] -out keystore.p12 - define a password for the p12 file. 
  • Create a Java Key Store (JKS) using keytool command: 
    keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore javakeystore.jks -deststoretype JKS 
  • Obtain with the above the javakeystore.jks file. 
  • You can also change password of private key by doing: 
    keytool -keypasswd -alias [Alias name for private key] -keystore [path to key store] 
  • Or the alias of the private key by doing: 
    keytool -changealias -keystore [path to key store] -alias [current alias] 
  • With javakeystore.jks keystore, upload it to the Certificates entry in the instance. 
  1. 2. With this keystore, generate the Public Certificate by doing the following: 
  • keytool -export -alias snclient -keystore javakeystore.keystore -storepass abc123 -file publiccert.cer 
  • The third party should upload publiccert.cer to their truststore.




Related Problem: PRB1057051

Seen In

There is no data to report.

Associated Community Threads

There is no data to report.

Article Information

Last Updated:2019-05-21 11:35:15