<h2>TLS Security Policy for the MID Server</h2><br/><div style="overflow-x:auto"><article><div ><h3 >Issue </h3><section><ul><li>The MID Server connects not only to the instance but also to various resources inside the customer's network.<br /><br /></li><li>The <em><strong>TLS Security policy</strong></em> hardens the HTTPS traffic originating from the MID Server by validating the certificate that each endpoint presents.<br /><br /></li><li>Checks performed<br /><br /> <ul><li><em><strong>Certificate validation</strong></em>: the endpoint presents its certificate, and the MID Server checks that it chains to a certificate authority in its truststore and that the current time falls within the certificate's validity period.<br /><br /></li><li><em><strong>Hostname validation</strong></em>: the hostname(s) in the certificate are compared with the host in the URL the MID Server is trying to access.<br /><br /></li><li><em><strong>Certificate revocation check (OCSP)</strong></em>: the issuing CA's OCSP responder is asked whether the certificate has been revoked.<br /><br /></li></ul> </li><li>The TLS policy table was introduced in Quebec with three policies shipped out of the box (OOB):<br /><br /><em>https://<instance_name>.service-now.com/mid_cert_check_policy_list.do</em><br /><br /><img src="/sys_attachment.do?sys_id=9a1d032ddb3f245014d6fb24399619f8" width="1010" height="189" /><br /><br /></li><li>Every HTTPS request initiated from the MID Server is intercepted and the matching TLS policy is applied at runtime.<br /><br /></li><li>During the MID Server upgrade to Quebec, the upgrade script converts the values listed under the property "<em><strong>mid.security.validation.endpoints</strong></em>" into a TLS policy.<br /><br /></li><li>If the customer has listed endpoint values under that property, they are read and converted into a TLS policy.
<br /><br /></li><li>If no endpoint values are listed, a TLS policy is still created, but with the checks turned off, so that behaviour matches the pre-upgrade state and no existing connection breaks. Such a MID Server therefore enforces none of the checks until they are switched on in the policy.<br /><br /></li><li>Once the conversion is done, the property "<em><strong>mid.security.validation.endpoints</strong></em>" is deleted.<br /><br /></li><li>With the MID Server log at debug level, the enabled checks and their validation details can be observed.<br /><br /><img src="/sys_attachment.do?sys_id=ecfd0feddb3f245014d6fb243996197d" width="1020" height="234" /><br /></li></ul></section></div><div ><h3 >Related Links</h3><section><ul><li>Which TLS certificates are supported, and are self-signed certificates supported?<br /><br /> <ul><li>The root certificates of the standard public certificate providers are already present in the ServiceNow truststore that the MID Server uses. If the customer uses an internal root certificate, either import that root certificate into the MID Server truststore or turn off the policy checks for that endpoint.<br /><br /></li><li>If the policy checks are turned on and the endpoint uses a self-signed certificate, you will see a certificate error because the signer is not recognised. To overcome this, either:<br /><br /> <ul><li>Create a policy for that endpoint, or turn the checks off for that endpoint, or<br /><br /></li><li>Import that certificate into the MID Server truststore.</li></ul> Importing the certificate is the preferable fix: it keeps the checks on, whereas turning them off leaves that connection open to interception by anyone who can present any certificate for the endpoint.</li></ul> </li></ul></section></div></article></div>
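<p>Before turning the checks on for an endpoint, it is worth confirming that the endpoint would actually pass them with the truststore you intend to use, and, for the internal-CA and self-signed cases under Related Links, having the truststore import ready rather than switching the checks off. The following POSIX shell script is an added example written for this page, not ServiceNow tooling: it reproduces the three checks (chain validation against a CA file, hostname validation, and OCSP revocation status as stapled into the handshake) with <code>openssl s_client</code>, classifies the result, and wraps the <code>keytool</code> import into the MID Server truststore. The truststore path, alias, password, and the host names in the usage note are placeholders, and <code>-status</code> only sees a stapled OCSP response, so a <code>NO_OCSP</code> result means "query the responder yourself" rather than "revoked".</p>

```shell
#!/bin/sh
# Added example (not ServiceNow tooling): pre-flight an endpoint against the
# three checks a MID Server TLS policy enforces, using openssl s_client.
#   1. chain validation against a trust anchor file (the CA bundle you intend
#      to have in the MID truststore)
#   2. hostname validation against the host you will put in the URL
#   3. revocation status via the OCSP response stapled to the handshake
# Assumptions: openssl 1.1+ on PATH; truststore path/password/alias used by
# mid_truststore_import are placeholders for your own MID install.

# Perform the handshake and print the raw s_client output. Needs network
# access, so it is not exercised by the self-test in the test file.
tls_probe() {
    host=$1
    port=${2:-443}
    cafile=$3
    printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$cafile" -verify_hostname "$host" -status 2>&1
}

# Map s_client output (stdin) to the outcome the MID policy would produce.
# Always exits 0; the caller decides what to do with the label.
#   PASS          chain ok, hostname ok, stapled OCSP says "good"
#   HOSTNAME_FAIL chain ok but certificate is not valid for this host (X509 error 62)
#   CHAIN_FAIL    any other verify error, e.g. 18/19 self-signed, 20 unknown issuer, 10 expired
#   REVOKED       stapled OCSP response says the certificate is revoked
#   NO_OCSP       chain and hostname ok but no stapled response; query the
#                 CA's responder directly (openssl ocsp) before trusting it
#   NO_HANDSHAKE  no verify result at all (connection refused, wrong port, ...)
tls_classify() {
    out=$(cat)
    code=$(printf '%s\n' "$out" \
        | sed -n 's/.*Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1)
    case "$code" in
        '')  echo NO_HANDSHAKE; return 0 ;;
        62)  echo HOSTNAME_FAIL; return 0 ;;
        0)   ;;
        *)   echo CHAIN_FAIL; return 0 ;;
    esac
    if printf '%s\n' "$out" | grep -q 'Cert Status: revoked'; then
        echo REVOKED
    elif printf '%s\n' "$out" | grep -q 'Cert Status: good'; then
        echo PASS
    else
        echo NO_OCSP
    fi
}

# Run the probe and classify; succeeds only on PASS.
tls_preflight() {
    result=$(tls_probe "$1" "$2" "$3" | tls_classify)
    echo "$1:${2:-443} -> $result"
    [ "$result" = PASS ]
}

# Preferred fix for an internal or self-signed CA: add the root to the MID
# truststore instead of switching the checks off. Path, alias and password
# are placeholders (assumption); look them up for your MID install.
mid_truststore_import() {
    cafile=$1
    truststore=${2:-/path/to/mid/truststore.jks}
    keytool -importcert -trustcacerts -noprompt -alias "${3:-internal-root}" \
        -file "$cafile" -keystore "$truststore" \
        -storepass "${MID_TRUSTSTORE_PASS:-changeit}"
}
```

<p>Usage (hypothetical names): <code>tls_preflight ldap.corp.example 636 /etc/ssl/corp-root.pem</code> prints the label and exits non-zero unless the endpoint passes all three checks; if it reports <code>CHAIN_FAIL</code> for an internal CA, run <code>mid_truststore_import /etc/ssl/corp-root.pem</code> against the real MID truststore, then re-run the pre-flight before enabling the policy. Pass exactly the host that will appear in the policy URL, since that is what the hostname check compares against.</p>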