Issue
Mutual Authentication establishes trust by exchanging secure sockets layer (SSL) certificates.
Data Flow
- The client (e.g. ServiceNow) and the server (e.g. a third party) perform a handshake before transmitting any data.
- The client has a keystore with a public and private key pair.
- The server has a keystore with a public and private key pair.
- The client shares its public key (a certificate) with the server, and the server keeps it in its trust store.
- The server shares its public key (a certificate) with the client, and the client keeps it in its trust store.
- Say the client initiates the handshake: it sends its public certificate to the server.
- The server checks whether it has this public certificate in its trust store (which it does).
- The server sends its public certificate to the client, and the client checks whether it has this public certificate in its trust store (which it does).
- Since the handshake is now successful, the client sends the payload.
- The client encrypts the payload using the server's public certificate from its trust store.
- The server receives the payload and decrypts it with the private key in the server's keystore.
- The server responds with a payload encrypted using the client's public certificate from its trust store.
- The client receives this payload and decrypts it with the private key in the client's keystore.
Example
Step 1: Generate a self-signed key pair (public and private key) in a keystore:
C:\Program Files\Java\jre1.8.0_162\bin>keytool -genkey -alias Keystore_alias -keyalg RSA -validity enter_Validity_in_Days -keystore Keystore_name.keystore -storepass Keystore_Password -keypass Key_Password
What is your first and last name?
[Unknown]: ..........
What is the name of your organizational unit?
[Unknown]: ..........
What is the name of your organization?
[Unknown]: ..........
What is the name of your City or Locality?
[Unknown]: ..........
What is the name of your State or Province?
[Unknown]: ..........
What is the two-letter country code for this unit?
[Unknown]: ..........
Is CN=vab, OU=servicenow, O=servicenow, L=sydney, ST=nsw, C=61 correct?
[no]: yes
Step 2: Export the public certificate from the keystore created above:
C:\Program Files\Java\jre1.8.0_162\bin>keytool -export -alias Keystore_alias -keystore Keystore_name.keystore -storepass Keystore_Password -file Cert_name.cer
Certificate stored in file <snclient.cer>
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore snclient.keystore -destkeystore snclient.keystore -deststoretype pkcs12".
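The trust-store exchange from the Data Flow and the key pair from Steps 1 and 2, carried out in-process as an added Go example (not code from this article or from ServiceNow): each side gets a self-signed key pair, each side's public certificate goes into the other side's trust store, and the server is configured to require and verify the client certificate. The names server.example and snclient, and the use of Go's crypto/tls in place of keytool and JKS keystores, are assumptions for the demonstration; the second call shows the failure mode where the server's trust store lacks the client certificate.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)
// selfSigned is the in-process stand-in for Step 1 (keytool -genkey) and Step 2 (export): it returns the keystore entry and the public certificate the peer will add to its trust store.
func selfSigned(cn string) (tls.Certificate, *x509.Certificate) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, leaf
}

// MutualHandshake runs one mutually authenticated handshake over loopback and returns the client CN the
// server verified. serverTrustsClient=false models a server trust store that lacks the client's certificate.
func MutualHandshake(serverTrustsClient bool) (string, error) {
	serverKP, serverCert := selfSigned("server.example")
	clientKP, clientCert := selfSigned("snclient")
	serverTrust, clientTrust := x509.NewCertPool(), x509.NewCertPool()
	if serverTrustsClient {
		serverTrust.AddCert(clientCert) // client's public cert -> server's trust store
	}
	clientTrust.AddCert(serverCert) // server's public cert -> client's trust store
	serverCfg := &tls.Config{Certificates: []tls.Certificate{serverKP}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: serverTrust}
	clientCfg := &tls.Config{Certificates: []tls.Certificate{clientKP}, RootCAs: clientTrust, ServerName: "server.example"}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return "", err }
	defer ln.Close()
	go func() { // client side: handshake, then wait until the server hangs up
		if conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg); err == nil {
			conn.Read(make([]byte, 1))
			conn.Close()
		}
	}()
	raw, err := ln.Accept()
	if err != nil { return "", err }
	srv := tls.Server(raw, serverCfg)
	hsErr := srv.Handshake() // the server verifies the presented client certificate against ClientCAs here
	srv.Close()
	if hsErr != nil { return "", hsErr }
	return srv.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}
```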
Release
Resolution
Related Links
- Debugging Mutual Authentication: KB0696599 - Debugging Mutual Authentication
- Steps to set up Mutual Authentication Keys: KB0696776 - Steps to set up Mutual Authentication: Keys
- Configuring Mutual Authentication: https://www.servicenow.com/docs/bundle/xanadu-platform-security/page/administer/security/concept/c_MutualAuthentication.html
- Configure Outbound Mutual Authentication in ServiceNow: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0696002