How to add an edge encrypted attachment to a record using an Inbound REST web service call




Adding an edge encrypted attachment to a record using an inbound REST web service call



You can encrypt an attachment to a record using an Edge Encryption proxy using an inbound REST POST. By using the REST client Postman, a Chrome browser extension, you can post an attachment to the incident table. This may also be done using other REST clients.


Add an edge encrypted attachment using an inbound REST web service call

  1. Create an Edge Encryption attachment configuration for the table the REST call makes an attachment to. In the following example, it is the incident table:
    1. Login to the instance using the Edge Proxy and elevate Roles to security_admin.
    2. Navigate to Edge Encryption Configuration > Encryption Configurations > Create New.
    3. Create a new record as follows:
      • Table=Incident [incident]
      • Type=Attachment
      • Encryption type = <as appropriate to your environment>
      • Active = checked
      • Save


  2. In order for the instance to accept the attachment you must set this system property to false in the sys_properties table:

    Name =

    Type = true|false

    Value = false

    Otherwise you will see this in the node log when trying to post the attachment:

    2017-04-06 14:51:43 (684) Default-thread-48 2882029C4FC2B2002BEDA9D18110C762 WARNING *** WARNING *** Attachment request received without valid CSRF token

  3. The Postman App and Postman Interceptor Extension need to be added to the Chrome browser. These can be found and added from the Chrome Web Store:

  4. From Chrome, navigate to Settings > Extensions > Postman.
  5. Select Details > Launch App.
  6. Set the action to be a POST and set the URL to point to the Edge Encryption hostname, port, and (for example, https://localhost:8092/
    You do not need to set an authorization or any other settings.
  7. Select Body and Form-data, and create the following content:

    Content-Type: multipart/form-data; boundary=---------------------------12296202189918688451571609901Text
    -----------------------------12296202189918688451571609901 Text
    -----------------------------12296202189918688451571609901 Text
    -----------------------------12296202189918688451571609901 Text
    attachFile<choose the attachment file, e.g. a file named myFile.txt>File
    -----------------------------12296202189918688451571609901-- Text


    • 12296202189918688451571609901 is arbitrary and used as the separator of the multipart form data
    • Maintain the same number of dashes (--------) as in the example for all lines
    • The value of Content-Length is arbitrary
    • sysparm_sys_id is the sys_id of the record in the ServiceNow instance where the attachment is made, in this case a sys_id of an incident record
    • sysparm_table is the name of the table that corresponds to the sysparm_sys_id, i.e. the table that gets the attachment, in this case the incident table will get the attachment for the incident sys_id of 6ef8cd2fdbf4f200d5cff2131f961927
    • attachFile is the actual file that you attach (which you will add to the REST request as loaded from a local file location)
    • filename is the name of the attachment file stored on the instance

  8. From the upper right corner, select the Interceptor icon and set it to active.
    Following is the complete setting for Postman:

  9. To make the encrypted attachment, select Send from Postman.
    If this is successful, you should see 200 OK and the Response Body Attachment processed:

  10. To verify the attachment is not accessible when bypassing the Edge Encryption Proxy, log into the instance using the non-Edge Encryption proxy URL (for example, the normal https://<instance_name> and go to the record where the attachment was made (for example, to the sysparm_table table and the sysparm_sys_id sys_id).
  11. Select the attachment.
    The following information is displayed:

    This indicates that the attachment is not accessible because it is encrypted and you are not accessing the record using the Edge Encryption proxy.

  12. To verify that the attachment is accessible using the Edge Encryption Proxy, log into the instance using the Edge Encryption proxy URL, and go to the record where the attachment was made (to the sysparm_table table and the sysparm_sys_id sys_id). When you select the attachment, you have the option to download:

    After downloading the file, ensure that the content is as expected and is not encrypted.