Mutual Authentication: Overview - Support and Troubleshooting

Mutual Authentication: Overview Issue Mutual Authentication establishes trust by exchanging secure sockets layer (SSL) certificates.

Data Flow Client (eg. ServiceNow) and Server (eg. a third party) will do a handshake before transmitting any data. Client will have a keystore with Public and Private Key Pair Server will have a keystore with Public and Private Key Pair Client will share the public key( a certificate) with Server and Server will keep it in its trust store. Server will share the public key( a certificate) with Client and Client will keep it in its trust store. Lets say, client initiated the handshake, it will send out its public certificate to Server. Server will check if it has this public certificate in its trust store = which it does. Server sends its public certificate to client and client will check if it has this public certificate in its trust store = which it does. Since handshake is now successful, Client will send out the payload Client will encrypt the payload using Server's Public Certificate from its trust store. Server receives this payload and decrypts this payload from the private key in Server's keystore. Server responds with payload encrypted using Client's Public Certificate from its trust store. Client receives this payload and decrypts this payload from the private key in Client's keystore.

Example Step 1: Generate Keystore Pair (Public and private key), self-signed:

C:\Program Files\Java\jre1.8.0_162\bin>keytool -genkey -alias Keystore_alias -keyalg R SA -validity enter_Validity_in_Days -keystore Keystore_name.keystore -storepass Keystore_Password -keypass Key_Password What is your first and last name? [Unknown]: .......... What is the name of your organizational unit? [Unknown]: .......... What is the name of your organization? [Unknown]: .......... What is the name of your City or Locality? [Unknown]: .......... What is the name of your State or Province? [Unknown]: .......... What is the two-letter country code for this unit? [Unknown]: .......... Is CN=vab, OU=servicenow, O=servicenow, L=sydney, ST=nsw, C=61 correct? [no]: yes Step 2 : Extract the public certificate from the above keystore pair:

C:\Program Files\Java\jre1.8.0_162\bin>keytool -export -alias Keystore_alias -keystore Keystore_name.keystore -storepass Keystore_Password -file Cert_name.cer

Certificate stored in file

Warning: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS 12 which is an industry standard format using "keytool -importkeystore -srckeyst ore snclient.keystore -destkeystore snclient.keystore -deststoretype pkcs12". Related Links Debugging Mutual Authentication: KB0696599 - Debugging Mutual Authentication Steps to set up Mutual Authentication Keys: KB0696776 - Steps to set up Mutual Authentication: Keys