
How to Example: Edge Encryption Rules Creation When Using a Customized Service Portal Page



Description


This article presents an example of creating a custom Edge Encryption rule for one specific use case: a record that is created from a Service Portal page. It is a single example; Edge Encryption rules can differ widely depending on what the user is trying to accomplish, so this article should not be considered a guide for writing any and all Edge Encryption rules.

The purpose of this Edge Encryption rule is to allow a single encrypted field to be encrypted successfully when a user logged in through the Edge Proxy submits a Service Portal form. In this case the table to be encrypted is incident, with a single string column being encrypted.

An attempt to create an incident from a Service Portal form that contains a single field with an encryption configuration fails with:
 
"Invalid attempt to insert non-encrypted data into field: u_confidential_data in table: incident." 
 
Clearly this requires a custom edge encryption rule.
 
Steps to Reproduce:
  1. Make sure these plugins are activated:
    • com.glide.service-portal.config
    • com.glide.service-portal.designer
    • com.glide.service-portal.esm
    • com.glide.service-portal.knowledge-base
    • com.glide.service-portal.service-catalog
    • com.glide.service-portal.service-status
    • com.glide.service-portal.sqanda
    • com.glide.service-portal.survey
    • com.snc.contextual_search.service-portal
  2. Create a new column in the incident table:
    • Navigate to System Definition > Tables > Open Label = Incident
    • Select Table Columns > New
    • Fill out the form:
      • Type = string
      • Column label = Confidential data
      • Column name = u_confidential_data
      • Max length = 1,000
    • Save
  3. Log into the proxy and create an Edge Encryption Configuration for the new column created in step 2
  4. Open any record in the incident table and add Confidential data to the form
  5. From the proxy, create a new incident using the regular incident form with a value in the "Confidential data" field. This creates the incident without error. Verify the encryption by logging into the instance and viewing the new incident; it should show "Confidential data" as encrypted
  6. Navigate to https://<proxy_url>/sp?id=form&table=incident&sys_id=-1&view=Default%20view, which should bring up a new incident form in Service Portal. Put a value into the "Confidential data" field and try to save it. The save fails with:
    "Invalid attempt to insert non-encrypted data into field: u_confidential_data in table: incident."
 This is expected since there is no encryption rule to cover this case.
 
What this looks like in the UI:
 
Put in the data to be encrypted into the "Confidential data" form:
 

Select the Save button in the bottom right:

 The error seen when trying to save the form and create the incident:

Procedure


Looking at the Request URL in the browser developer tools (in Chrome, Firefox, or IE, for example) at the time the incident form is submitted to create the incident, we see something like the following:
 
201 POST: 
Request URL: https://<proxy_url>/api/now/sp/uiaction/4df52ee8dba51300123479e49f9619f3
Response: Invalid attempt to insert non-encrypted data into field: u_confidential_data in table: incident 
 
What this looks like in the Firefox browser > Developer > Toggle Tools > Network tab > Headers > Note the Request URL in the trace :
 
 
Response tab - shows the same error message that is seen in the UI ("Invalid attempt to insert non-encrypted data into field: u_confidential_data in table: incident."), so this is the correct message to build the rule from:


From the Request URL in the trace, the part after /uiaction/ is the sysID of the UI Action that submits the form.
 
Create a rule that is not so broad that it affects other rules, but that is still able to intercept the request. To do this, create new UI Actions that are tailored to the incident table, so that the rule can look for their specific paths.
  1. On the proxy, navigate to System Definition > UI Action and filter by sysID is <the sysID from the Request URL>.
    • In the example above, the sysID is '4df52ee8dba51300123479e49f9619f3'. There should be only one result now. This is a global UI Action for Save.
  2. Click on that record and change the table to incident.
    • Right-click on the toolbar and select Insert and Stay.
      • Do not use Save. Insert and Stay creates a new record that does not change the original Save record.
      • A UI Action Save record that is tailored for the incident table has now been created.
  3. In the same place (System Definition > UI Action), find the equivalent global UI Action for Submit and repeat step 2.
    • There are now two new UI Actions on the incident table, one for Save and one for Submit.
    • Keep the sys_ids of these two new records; they are used in the Edge Encryption Rule Condition.
  4. Create the new Edge Encryption Rule for HTTP Post called IncidentSP (suggested Order is 5000):
 Condition - the sys_ids in the "if" are the two new UI Actions created on the incident table for Save and Submit respectively, so the rule works whether the form is Saved or Submitted:
 
function IncidentSPCondition(request) {
    var contentType = request.contentType;
    // Use the sys_ids of the new "Submit" and "Save" UI Actions in the "if" below.
    // Each indexOf() result is compared with -1 on its own so that either path matches.
    if ((request.path.indexOf('api/now/sp/uiaction/5ef52ee8dba51300123479e49f96AC12') > -1 || request.path.indexOf('api/now/sp/uiaction/c8d81ae0dba51300123479e49f961915') > -1) && contentType.indexOf('json') > -1) {
        return true;
    }
    return false;
}
 
Action: 
 
function IncidentSPAction(request) {
    var tableName = 'incident';
    // Read the request body as JSON and walk the nodes under "data"
    var jsonContent = request.getAsJsonContent();
    var jsonNodeIterator = jsonContent.getIterator('data');
    while (jsonNodeIterator.hasNext()) {
        var jsonNode = jsonNodeIterator.next();
        var fieldName = jsonNode.getName();
        // Associate the node's value with incident.<fieldName>
        jsonNode.valueFor(tableName, fieldName);
    }
}

  5. Verify the rule works:
    • Navigate here: https://<proxy_url>/sp?id=form&table=incident&sys_id=-1&view=Default%20view
    • Enter Confidential data in the form and select Save (Ctrl + s) from the bottom of the form
    • The incident is created and is encrypted if viewed from the normal instance URL, but is decrypted if viewed in the proxy
    • The incident can also be created from the context menu to verify that Save and Submit both work
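
The condition from step 4 can be checked outside the instance before it is entered in the rule. The following is an added example, not code from the original article: it runs two forms of the path test against constructed request objects and shows why each indexOf() result needs its own comparison with -1. The mockRequest helper, the leading "/" on the path and the content-type strings are assumptions made for the illustration.

```javascript
// Added example: runs in plain JavaScript, outside ServiceNow.
// The sys_ids are the two used in the article's rule condition.
var SAVE = 'api/now/sp/uiaction/5ef52ee8dba51300123479e49f96AC12';
var SUBMIT = 'api/now/sp/uiaction/c8d81ae0dba51300123479e49f961915';

// Combined form: indexOf() returns -1 (a truthy value) on a miss, so
// "a || b" yields -1 whenever the first path is absent and the second
// indexOf() is never evaluated.
function combinedCondition(request) {
    return (request.path.indexOf(SAVE) || request.path.indexOf(SUBMIT)) > -1 &&
        request.contentType.indexOf('json') > -1;
}

// Per-path form: each indexOf() result is compared with -1 on its own.
function perPathCondition(request) {
    var isUiAction = request.path.indexOf(SAVE) > -1 ||
        request.path.indexOf(SUBMIT) > -1;
    return isUiAction && request.contentType.indexOf('json') > -1;
}

// Constructed request object (hypothetical helper, not a proxy API).
function mockRequest(path, contentType) {
    return { path: path, contentType: contentType };
}

// Run a condition over four constructed requests and collect the results.
function evaluate(condition) {
    var cases = {
        save: mockRequest('/' + SAVE, 'application/json;charset=UTF-8'),
        submit: mockRequest('/' + SUBMIT, 'application/json'),
        otherAction: mockRequest('/api/now/sp/uiaction/00000000000000000000000000000000', 'application/json'),
        saveAsForm: mockRequest('/' + SAVE, 'application/x-www-form-urlencoded')
    };
    var results = {};
    Object.keys(cases).forEach(function (name) {
        results[name] = condition(cases[name]);
    });
    return results;
}

console.log('combined:', evaluate(combinedCondition));
console.log('per-path:', evaluate(perPathCondition));
```

With the combined form the Submit request is not matched, so a form submitted that way would still reach the instance unencrypted and be rejected with the "Invalid attempt to insert non-encrypted data" error.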
For additional information on creating custom Edge Encryption Rules refer to the documentation site:
 
https://docs.servicenow.com/bundle/kingston-servicenow-platform/page/administer/edge-encryption/concept/c_EncryptionRules.html

Applicable Versions


All versions

Article Information

Last Updated: 2018-06-27 06:41:02
Published: 2018-06-27