Signing Powershell scripts

Note: The following steps to sign Powershell scripts are not a supported feature. These are the recommended steps to be followed by customers. We do not have the ability to support customers beyond the following steps.

Issue

1. Customer is NOT experiencing a failure but wants PowerShell scripts signed.
   Some customers, such as those subject to the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs), have policies that require this. This customer wants IntegrationHub action scripts signed, specifically the Active Directory Spoke. They want us to force and require signing of the scripts.

2. Customer experiences a failure because their Windows host PowerShell ExecutionPolicy is AllSigned or RemoteSigned, and ServiceNow PowerShell scripts are not signed.
   This customer had errors when testing Orchestration activities and credentials. When the customer changed the ExecutionPolicy to "Unrestricted" it worked. Usually, scripts execute regardless of ExecutionPolicy on the local MID server, but they may fail depending on the customer's configuration.

Signing Powershell Scripts

If a customer must sign their PowerShell scripts, use the following guidance.

- Powershell scripts can be found in the table ecc_agent_script_file (query: Parent = Powershell).
- First, sign PSScript.ps1. Both IntegrationHub and Orchestration run scripts on the MID server using this as a wrapper script.
- We recommend signing the other infrastructure Powershell scripts as well (query: Parent = Powershell and Directory = false).
- If remote targeting is used, you will also need to sign ExecuteRemote.ps1. This script handles executing the script on the target machine.
- Now sign all the other Powershell scripts. For example, to sign the AD spoke Powershell scripts, find them with the query Parent = AdSpoke on the table ecc_agent_script_file.

Note: As of now, inline scripts cannot be signed. During runtime, we store the inline script in a temp file on the MID server and delete it after the execution of the Powershell step. If the customer needs to sign these, they must be converted to script files.

Saving the signed scripts

- Save the signed scripts as an attachment: select the Use Attachment field and attach the script file to the ecc_agent_script_file record.
- Note: The attachment name should be the same as the ecc_agent_script_file Name field.
- We save the script as an attachment to avoid the out-of-box (OOB) formatting that is applied when the script is saved inline.
- A disadvantage of this approach is that we lose versioning of the ecc_agent_script_file records.

Verify scripts are valid

- Wait for the scripts to be downloaded to the MID server. This takes around 10 seconds.
- Verify the content of the signed scripts on the MID server. The scripts can be found in ..mid_folder_path/agent/scripts/Powershell, or look for log messages similar to:
  02/09/21 07:16:02 (822) FileSync:ecc_agent_script_file Already synchronized C:\<mid_folder_path>\agent\scripts\PowerShell\PSScript.ps1
- Validate the scripts in PowerShell ISE using the command: Get-AuthenticodeSignature "<file path>"
- Run a Powershell test to confirm that the signature works.

Debugging issues with signed scripts

- Don't update the Powershell script directly in Windows. We regularly sync the ecc_agent_script_file scripts with the MID server. This sync job will override the local scripts with the instance version.
- If the scripts fail to execute due to auth failures, verify that the Powershell script still has its signature and that the signature is valid using the command: Get-AuthenticodeSignature "<file path>"
- If the Powershell script contains the signature but fails to validate using the above command, you will have to re-sign the script.
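The signing and verification steps above, as an added example that is not ServiceNow's own code: the first function signs exported copies of the ecc_agent_script_file scripts on an administrator workstation (wrapper scripts PSScript.ps1 and ExecuteRemote.ps1 first) so they can be re-attached to the records, and the second reports the Get-AuthenticodeSignature status of every script in a folder, which also works against the MID server's agent\scripts\PowerShell directory. It assumes a code-signing certificate is installed in Cert:\CurrentUser\My; the folder paths and the timestamp server URL are placeholders.

```powershell
# Added example, not ServiceNow's own code. Assumes a code-signing
# certificate in Cert:\CurrentUser\My; paths below are placeholders.

function Get-CodeSigningCert {
    # Pick the first unexpired code-signing certificate with a private key.
    Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Select-Object -First 1
}

function Sign-ExportedScripts {
    # Sign exported script copies; attach the results to ecc_agent_script_file.
    param(
        [Parameter(Mandatory)] [string] $Folder,
        [string] $TimestampServer = 'http://timestamp.digicert.com'  # assumed
    )
    $cert = Get-CodeSigningCert
    if (-not $cert) { throw 'No usable code-signing certificate found.' }
    # Wrapper scripts first, then everything else (for example the AdSpoke scripts).
    $first = @('PSScript.ps1', 'ExecuteRemote.ps1')
    Get-ChildItem -Path $Folder -Filter *.ps1 |
        Sort-Object { $first -notcontains $_.Name }, Name |
        ForEach-Object {
            # A timestamp keeps the signature valid after the certificate expires.
            $sig = Set-AuthenticodeSignature -FilePath $_.FullName -Certificate $cert `
                -HashAlgorithm SHA256 -TimestampServer $TimestampServer
            [pscustomobject]@{ Script = $_.Name; Status = $sig.Status }
        }
}

function Test-ScriptSignatures {
    # Report each script's signature status; anything other than Valid
    # (NotSigned, HashMismatch, ...) means the file must be re-signed, e.g.
    # after the instance sync overwrote a locally edited copy on the MID server.
    param([Parameter(Mandatory)] [string] $Folder)
    Get-ChildItem -Path $Folder -Filter *.ps1 -Recurse | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Script = $_.Name
            Status = $sig.Status
            Signer = $sig.SignerCertificate.Subject
            Ok     = ($sig.Status -eq 'Valid')
        }
    }
}

# Usage (placeholder paths):
# Sign-ExportedScripts -Folder 'C:\work\sn_scripts'
# Test-ScriptSignatures -Folder 'C:\<mid_folder_path>\agent\scripts\PowerShell' |
#     Where-Object { -not $_.Ok } | Format-Table
```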