MID Server TLS/SSL certificate check policy Quebec upgrade information


Overview

For Quebec and later releases, the MID Server adds TLS certificate check policies. The checks are performed during the TLS handshake when the MID Server connects to an endpoint. Customers can define a certificate check policy for each endpoint or subnet, as well as for internet endpoints. Three types of policy are provided.

For existing customers upgrading to Quebec, all certificate checks are enabled by default for ServiceNow. We recommend enabling them for all internet traffic. Many endpoints do not present a valid certificate authority (CA) signed certificate (for example, they use self-signed certificates). The policies block the connection to such a host, which breaks the integration. Customers must be aware of the new security policies and take the necessary actions to maintain secure connections.

Potentially affected customers

If you have an integration with external servers that uses the MID Server, or integration endpoints that host self-signed certificates, you may be affected. In these cases you need to take action to prevent failures. Products that typically use MID Server integrations are:

  1. Discovery/ServiceMapping
  2. Orchestration/IHUB

What actions do I need to take?

To maintain a secure connection, customers should review their integration endpoints and take the following actions.

  1. Update the endpoint to use a recognized CA signed certificate (recommended)
  2. Import self-signed certificate to MID Server JRE cacerts
  3. Modify the policy to disable checks or create an override policy for specific untrusted endpoints to connect to them insecurely. For more information, see the workaround MID Server connection failures when upgrading to Quebec [KB0864766].

If you do not own the endpoints, you may need to reach out to endpoint vendors to update to a recognized CA signed certificate.

For intranet traffic, the checks are disabled by default for existing customers to prevent interruption of traffic. To establish secure connections, customers need to configure and enable intranet check policies appropriate to their network.

What steps do I need to take before the upgrade?

The TLS certificate check policy changes are triggered on the first connection after upgrading the MID Server. To prevent connection interruptions, prepare any integration endpoints by updating their certificates to recognized CA signed certificates. If you do not own the endpoints, you may need to reach out to endpoint vendors to update to a recognized CA signed certificate.

If this is not possible, test in a sub-production environment, identify which integrations may fail, and prepare the changes that will be required on the production instance after the upgrade.

What steps do I need to take after the upgrade?

Ensure that all your integrations are working correctly and check whether any of them connect to untrusted external endpoints; the certificate check policies block insecure connections to such endpoints. You can disable checks or create an override policy for specific untrusted endpoints to connect to them insecurely. For more information, see the workaround MID Server connection failures when upgrading to Quebec [KB0864766].

Failure Scenario

Failure to comply with the TLS policy can break integrations. For example:

Self-Hosted Customers

Self-hosted customers need to take the additional steps covered in MID Server certificate check security policies for self-hosted customers [KB0864770].

How do I troubleshoot?

The following is an example of an error observed in the MID Server logs:

10/04/20 10:58:44 (222) Worker-Expedited:MIDWorker-9619b95fdbaf5410bc2e9b3c8a961968 WARNING *** WARNING *** Request not sent to uri= https://<endpoint>.com/job/triggers/job/nightly-build-completed/build?json=%7B%22parameter%22%3A%5B%7B%22name%22%3A%22branch_name%22%2C%22value%22%3A%22track%2Fdtac%22%7D%2C%7B%22name%22%3A%22branch%22%2C%22value%22%3A%22track%2Fdtac%22%7D%2C%7B%22name%22%3A%22is_nightly%22%2C%22value%22%3Atrue%7D%2C%7B%22name%22%3A%22run_tests%22%2C%22value%22%3Atrue%7D%2C%7B%22name%22%3A%22nightly_build%22%2C%22value%22%3Atrue%7D%2C%7B%22name%22%3A%22release_branch%22%2C%22value%22%3A%22release%2F19.dtac.0.9%22%7D%2C%7B%22name%22%3A%22glide_version%22%2C%22value%22%3A%2219.dtac.0.9%22%7D%2C%7B%22name%22%3A%22sys_id%22%2C%22value%22%3A%22c959cdd31be7101045782f07b04bcb39%22%7D%2C%7B%22name%22%3A%22build_properties%22%2C%22value%22%3A%22none%22%7D%2C%7B%22name%22%3A%22priority%22%2C%22value%22%3A%225%22%7D%2C%7B%22name%22%3A%22has_commits%22%2C%22value%22%3Atrue%7D%2C%7B%22name%22%3A%22force_run%22%2C%22value%22%3Afalse%7D%2C%7B%22name%22%3A%22dmt_tests%22%2C%22value%22%3A%22dmt-dynamictranslation-test%22%7D%2C%7B%22name%22%3A%22request_id%22%2C%22value%22%3A%22none%22%7D%2C%7B%22name%22%3A%22prefix%22%2C%22value%22%3A%22none%22%7D%5D%7D&cause=NightlyComplete_alpha&delay=5400&token=e90d7205a34d9304e38263657c9710c2: 
org.apache.commons.httpclient.HttpException: Session contains no certificates - Untrusted
10/04/20 10:58:44 (224) Worker-Expedited:MIDWorker-9619b95fdbaf5410bc2e9b3c8a961968 Enqueuing: /glide/mid-pod/work/monitors/ECCSender/output_1/ecc_queue.9619b95fdbaf5410bc2e9b3c8a961968.xml
10/04/20 10:58:44 (224) Worker-Expedited:MIDWorker-9619b95fdbaf5410bc2e9b3c8a961968 Worker completed: RESTProbe source: https://<endpoint>.service-now.com/job/triggers/job/nightly-build-completed/build time: 0:00:00.024

For troubleshooting information, see MID Server connection failures when upgrading to Quebec [KB0864766].
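The two checks a practitioner needs around this upgrade are identifying, before the upgrade, which integration endpoints would fail a verifying TLS handshake, and, after it, pulling the blocked requests out of the agent log shown above. The following script is an added example and is not ServiceNow code. It assumes that a verifying handshake from Python (CA chain plus hostname check against the local trust store, or a PEM bundle you pass as `cafile`) is a fair stand-in for the Java checks the MID Server performs, and that log lines follow the shape of the excerpt above (timestamp, worker id, `Request not sent to uri=`, exception on the next line). The sample log is constructed, with the job parameters and token removed.

```python
"""Pre- and post-upgrade helper for the Quebec MID Server certificate checks.

Added example, not ServiceNow code. Assumptions: a verifying TLS handshake
from Python approximates the MID Server's Java-side checks, and the log
format matches the article's excerpt. The endpoint list is hypothetical."""

import re
import socket
import ssl
from urllib.parse import urlsplit

# First line of the failure pattern: the blocked request and its URI.
_NOT_SENT = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) \(\d+\) (?P<worker>\S+) WARNING .*"
    r"Request not sent to uri= ?(?P<uri>\S+?):?\s*$"
)
# Second line: the Java exception class and message.
_EXCEPTION = re.compile(r"^(?P<cls>[\w.]+Exception): (?P<msg>.*)$")


def parse_mid_log(lines):
    """Return one record per blocked request: timestamp, worker, host, reason.
    The exception sits on the line after the WARNING, so the pair is joined."""
    records, pending = [], None
    for line in lines:
        m = _NOT_SENT.match(line)
        if m:
            pending = {
                "timestamp": m.group("ts"),
                "worker": m.group("worker"),
                "host": urlsplit(m.group("uri")).hostname,
                "reason": None,
            }
            continue
        e = _EXCEPTION.match(line)
        if pending and e:
            pending["reason"] = e.group("msg")
            records.append(pending)
            pending = None
    return records


def classify_verify_message(msg):
    """Map an OpenSSL verify message to the remediation the article lists."""
    low = msg.lower()
    if "self" in low and "signed" in low:
        return "self-signed: re-issue from a recognized CA, or import into JRE cacerts"
    if "unable to get local issuer" in low or "unable to get issuer" in low:
        return "unknown CA or incomplete chain: fix the served chain or import the CA into cacerts"
    if "expired" in low:
        return "expired certificate: renew it"
    if "hostname mismatch" in low or "doesn't match" in low:
        return "hostname mismatch: the certificate SAN must cover the endpoint name"
    return msg


def probe_endpoint(host, port=443, cafile=None, timeout=5.0):
    """Perform the handshake the MID Server will perform after the upgrade
    (CA chain + hostname verification). Returns (status, detail)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(x[0] for x in tls.getpeercert().get("issuer", ()))
                return "trusted", issuer.get("organizationName", "?")
    except ssl.SSLCertVerificationError as exc:
        return "untrusted", classify_verify_message(
            getattr(exc, "verify_message", "") or str(exc))
    except (OSError, ssl.SSLError) as exc:
        return "error", str(exc)


# Constructed sample shaped like the article's excerpt (parameters/token removed).
SAMPLE_LOG = """\
10/04/20 10:58:44 (222) Worker-Expedited:MIDWorker-0123456789abcdef WARNING *** WARNING *** Request not sent to uri= https://jenkins.example.com/job/triggers/job/nightly-build-completed/build?cause=NightlyComplete&delay=5400:
org.apache.commons.httpclient.HttpException: Session contains no certificates - Untrusted
10/04/20 10:58:44 (224) Worker-Expedited:MIDWorker-0123456789abcdef Enqueuing: /glide/mid-pod/work/monitors/ECCSender/output_1/ecc_queue.0123456789abcdef.xml
10/04/20 10:58:44 (224) Worker-Expedited:MIDWorker-0123456789abcdef Worker completed: RESTProbe source: https://jenkins.example.com/job/triggers/job/nightly-build-completed/build time: 0:00:00.024
""".splitlines()

if __name__ == "__main__":
    for rec in parse_mid_log(SAMPLE_LOG):
        print(f"{rec['timestamp']} blocked {rec['host']}: {rec['reason']}")
    # Hypothetical endpoint list; replace with your own integration endpoints.
    for host in ("jenkins.example.com",):
        print(host, *probe_endpoint(host))
```

Run the probe against every integration endpoint from a sub-production MID Server host before upgrading; anything reported as `untrusted` needs one of the three actions listed earlier (CA-signed certificate, import into JRE cacerts, or an override policy). Pass `cafile=` with a PEM export of the JRE trust store if you want the probe to reflect certificates you have already imported rather than the operating system's bundle.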

Useful information and additional resources