Notifications


Description

ServiceNow is deprecating the use of TLS 1.0 and 1.1. Customers will be required to use TLS 1.2 and above for all communications with their instances.

Impact

Any services that currently rely on TLS 1.1 or older will no longer be available. The two most likely reasons ServiceNow customers see TLS 1.1 or older traffic are the use of older web browsers and older customized integrations.

Why

Use of TLS 1.2 is a recommended security best practice. It provides a higher degree of privacy and data integrity than previous versions and maintains compliance with the latest industry standards.

When

We are moving customers in groups. Starting in August, all customers who have already started using TLS 1.2 will have changes made to their VIPs so that no further TLS 1.0/1.1 traffic is allowed. This is done at the VIP level and affects both production and sub-production instances at the same time. The few customers who have exceptions and do not want to move in August will be scheduled later, in September. We want to complete moving all customers by October 31, 2019, without any exception. We will send notifications to customers with usage on TLS 1.1 and lower protocols and work with them.

Required Action

ServiceNow is monitoring customer usage of TLS 1.1 and older in our environment. If you are using anything older than TLS 1.2, you will receive a notification from our Global Technical Support group. Please review this information and update any relevant services to use TLS 1.2 or higher. If you detect usage of these older protocols, please ensure that the personnel within your company are using a modern, updated web browser, and review any custom integrations that your instance is using.

Open a case with our Global Technical Support team with the subject "Deprecation of TLS 1.1 and 1.0" if you require assistance or further details regarding this matter.

ServiceNow encourages customers to configure their client systems to restrict traffic to only allow TLS 1.2 or higher.

If you have additional questions, please contact us via the INT that is open for this purpose or reach out to the ServiceNow Global Technical Support team at http://www.servicenow.com/support/contact-support.html.

 

FAQ

1. To whom is this communication directed, and what is the intent?

The intention of this communication is to notify all customers that ServiceNow will stop accepting connections from any sources that use TLS 1.1 or lower versions and will only be available over TLS 1.2 or higher versions. You can have TLS 1.0 and TLS 1.1 in your environment for other services that do not connect to ServiceNow. ServiceNow will only use TLS 1.2 for all your browsers and 3rd party integrations.

2. When is the change going through?

We want all of our customers to have the most secure version of TLS to enable more secure connections between their network and ServiceNow. We want to move all our customers to TLS 1.2 by October 31, 2019. We will send notifications to customers using TLS 1.0/1.1 to ask them to configure their browsers or 3rd party integrations to use TLS 1.2.

Please note: If you have a 3rd party vendor that is using Web Services via SOAP, our logs do not capture the TLS version information, and you would need to reach out to your vendor to confirm they support TLS 1.2.

3. Which areas of the instance are impacted by the TLS deprecation?

ONLY incoming HTTPS traffic is affected by this change. The main sources of older TLS versions are the internet browsers being used and any integrations coming from other systems (REST/SOAP endpoints, MID Servers, etc.) into your ServiceNow instance. If any of those are using an older TLS version that is deprecated on ServiceNow, those browsers/integrations won't be able to connect to the instance.

4. How can customers track whether they are impacted? How can ServiceNow help?

Customers can only check internally whether any integrations or browsers are using older versions; there is no way for the customer to check this on the ServiceNow instance. ServiceNow is monitoring customer usage of TLS 1.1 and older in our environment. If you are using anything older than TLS 1.2, you will receive a notification from our Global Technical Support team.

5. What action do customers need to take?

While ServiceNow is working to identify the potentially impacted customers, please make sure that the browsers your users are using are up-to-date. Most of the industry standard browsers (like Chrome, IE, Firefox, Safari) use up-to-date TLS versions. Have an assessment in place to have your stakeholders use up-to-date TLS versions. Reach out to your integration partners and make sure they are using TLS 1.2 or a higher version.

6. Are customers supposed to disable TLS 1.1 or lower? Or will TLS 1.2 or above work alongside older versions?

No, you do not need to disable TLS 1.1 or older if you already have TLS 1.2 enabled on your browsers and integrations. However, ServiceNow will only use TLS 1.2 or higher to establish communication.

7. Why is ServiceNow enforcing TLS 1.2?

The reason we are enforcing TLS 1.2 is that it is a recommended security best practice that provides a higher degree of privacy and data integrity over previous versions.

8. How can I determine which TLS and SSL versions are currently supported?

The easiest way to determine which TLS and SSL versions are currently supported is to use the test provided on the "SSL Labs" website:
https://www.ssllabs.com/ssltest/analyze.html?d=hi.service-now.com

Please change the last part of the URL to the instance that you want to check.

Example
https://www.ssllabs.com/ssltest/analyze.html?d=myproductioninstance.service-now.com
https://www.ssllabs.com/ssltest/analyze.html?d=mytestinstance.service-now.com
https://www.ssllabs.com/ssltest/analyze.html?d=mydevinstance.service-now.com

Scroll down to Configuration and it will look like this.

Configuration

Protocols
TLS 1.3 No
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No

9. Can I remove my instance from an upcoming change?

Yes. We can remove you from an upcoming change.

Please note:
We want to upgrade all instances by October 31, 2019.

10. Can I roll back the TLS 1.2 update to use TLS 1.0/1.1/1.2?

Yes. We can roll back the change. Please open a ticket.

Please note:
After a rollback, we still want to upgrade all instances by October 31, 2019. However, we cannot accept rollbacks on October 31.

11. Will it cause a disruption if I do a rollback of the TLS 1.2 update?

No. You will not experience a disruption.

12. Can I perform a rollback or update on my DEV or TEST instance only?

Unfortunately, there is no way to do it to individual instances. It is done using your Virtual IP which affects all your instances.

13. What are the Common Errors seen after TLS 1.2 update and what should I look for in the logs?

"The client and server cannot communicate, because they do not possess a common algorithm"
"Could not establish secure channel for SSL/TLS with authority 'sms.service-now.com'"
"Could not create SSL/TLS secure channel."
"SSL negotiation failed"
"The request was aborted: Could not create SSL/TLS secure channel."

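Added example (not ServiceNow's code): a Python scan of integration client logs for the error strings listed above, grouped by the component that logged them, so the callers that still need a TLS 1.2 fix can be identified. The log layout, component names and sample lines are constructed for illustration.

```python
import re

# Error strings from FAQ 13 of this article, lower-cased for matching.
# "The request was aborted: ..." contains the shorter "Could not create ..."
# string, so each line is counted once however many signatures it matches.
TLS_FAILURE_SIGNATURES = (
    "the client and server cannot communicate, because they do not possess a common algorithm",
    "could not establish secure channel for ssl/tls with authority",
    "could not create ssl/tls secure channel",
    "ssl negotiation failed",
)

# Assumed (constructed) log layout: "<date> <time> <LEVEL> [<component>] <message>"
LINE_RE = re.compile(r"^(\S+ \S+) (\w+) \[([^\]]+)\] (.*)$")
AUTHORITY_RE = re.compile(r"with authority '([^']+)'", re.IGNORECASE)


def find_tls_failures(lines):
    """Return {component: {"count": n, "first_seen": ts, "authorities": set}}."""
    hits = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the assumed layout
        ts, _level, component, message = m.groups()
        if not any(sig in message.lower() for sig in TLS_FAILURE_SIGNATURES):
            continue
        entry = hits.setdefault(
            component, {"count": 0, "first_seen": ts, "authorities": set()})
        entry["count"] += 1
        auth = AUTHORITY_RE.search(message)  # host named in the error, if any
        if auth:
            entry["authorities"].add(auth.group(1))
    return hits


# Constructed sample lines; the host name is the article's example instance.
SAMPLE_LOG = """\
2019-09-03 10:15:02 ERROR [PasswordSync] System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
2019-09-03 10:15:07 INFO [AssetImport] Posted 120 records to instance
2019-09-03 10:16:44 ERROR [LegacySoapClient] Could not establish secure channel for SSL/TLS with authority 'myproductioninstance.service-now.com'
2019-09-03 10:17:01 ERROR [LegacySoapClient] The client and server cannot communicate, because they do not possess a common algorithm
2019-09-03 10:18:30 WARN [AssetImport] Retry after HTTP 429
2019-09-03 10:19:12 ERROR [PasswordSync] SSL negotiation failed
""".splitlines()

if __name__ == "__main__":
    for component, info in sorted(find_tls_failures(SAMPLE_LOG).items()):
        print(component, info["count"], info["first_seen"], sorted(info["authorities"]))
```
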
14. I did not get an email about the TLS Change. When was this sent out?

An email was sent out in Spring 2019 to notify our customers of the upcoming change starting in August 2019. Please check with the primary and secondary contacts associated with your cases, and check your Bulk Email folder or custom rules to see if the email was sent to another folder or archived based on your retention policy.

15. Why was a change not created or initiated?

The change was created as an internal ServiceNow change for multiple customers and not an individual change for each customer.

16. Can I perform an update or rollback on the weekend?

Changes are NOT executed on weekends, from Friday 3:00 PM PDT to Sunday 3:00 PM PDT.

17. Can I use a Personal Developer instance to test TLS 1.2?

 Unfortunately, the Personal Developer instances use a shared Virtual IP address.  We will not be able to perform the update on one without affecting other Personal Developer instances.  They will all be updated by October 31, 2019.

18. How can I check which TLS version my browser is using?

In Chrome, the following steps show which TLS version the browser is using to communicate with the instance:

More tools -> Developer Tools -> Security tab -> under the security connection settings.

(example: The connection to this site is encrypted and authenticated using TLS 1.2, ECDHE_RSA with P-256, and AES_128_GCM.)

  • If you are running an older browser, you need to enable the browser's TLS 1.2 protocols to help with page viewing. For instructions on how to enable these protocols in your older browsers, check the list below:

Microsoft Internet Explorer

  1. Open Internet Explorer
  2. From the menu bar, click Tools > Internet Options > Advanced tab
  3. Scroll down to the Security category, manually check the option box for Use TLS 1.2
  4. Click OK
  5. Restart Internet Explorer

Microsoft Edge

  1. In the Windows menu search box, type Internet options.
  2. Under Best match, click Internet Options.
  3. In the Internet Properties window, on the Advanced tab, scroll down to the Security section
  4. Check Use TLS 1.2 checkboxes.
  5. Click OK.
  6. Restart the Microsoft Edge browser.

Google Chrome

  1. Press Alt + F and select Settings
  2. Scroll down and select Show advanced settings...
  3. Scroll down to the Network section and click on Change proxy settings...
  4. Select the Advanced tab
  5. Scroll down to the Security category, manually select the checkboxes for Use TLS 1.2
  6. Click OK
  7. Restart Google Chrome

Mozilla Firefox

  1. In the address bar, type about:config and press Enter
  2. In the Search field, enter tls. Find and double-click the entry for security.tls.version.min
  3. Set the integer value to 2 to force protocol of TLS 1.2
  4. Click OK
  5. Restart Mozilla Firefox

Opera

  1. Press Ctrl + F12
  2. Scroll down to the Network section and click on Change proxy settings...
  3. Select the Advanced tab
  4. Scroll down to Security category, manually check the option box for Use TLS 1.2
  5. Click OK
  6. Restart Opera

Apple Safari

There are no options for enabling SSL protocols. If you are using Safari version 7 or newer, TLS 1.1 and TLS 1.2 are automatically enabled.

PowerShell Script

Add the following code to force the Invoke-WebRequest cmdlet to use TLS 1.2.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

19. What should I consider before updating to TLS 1.2?

Please ensure all of your plug-ins are updated to the latest version. For example, the latest version of the Password Reset application is compatible with TLS 1.2.

20. What do I do if I am not sure whether my integrations or applications are impacted by the change?

Please create a case for ServiceNow mentioning that your integrations are not working and our technical teams will help you out. 

 

Article Information

Last Updated:2019-11-04 01:18:30
Published:2019-11-01