Cloning of KMF Keys may result in KMF related issues on target instance


Description

If the two tables Instance Keys [sys_kmf_instance_key] and Module Keys [sys_kmf_module_key] are cloned, it will cause issues on the target instance, specifically with features that utilise KMF (Key Management Framework) internally such as Multiple Provider SSO, OAuth, IDR, etc.

Release or Environment

All recent ServiceNow releases with KMF (Key Management Framework) enabled.

Cause

The OOB (out of the box) Clone Profile "System Profile" contains Clone Exclude Tables and Clone Data Preservers records for the two tables:

- Instance Keys [sys_kmf_instance_key]

- Module Keys [sys_kmf_module_key]

However, when using a custom "Clone Profile", there may be no "Clone Exclude Tables" and "Clone Data Preservers" records for the above two tables.

This results in duplicate KMF keys on the target instance, so features which utilise KMF may fail, and error messages such as the following may be observed:

2021-01-01 00:00:00 (000) Default-thread-12 CF0520B31B4E3C1069EC206B274BCB33 txid=2a9564b31b4e SEVERE *** ERROR *** More than one active key found in crypto module wit sys_id: 7d7ee9e3b7030010ebf7082e7e11a979 for key type id: sym_data_enc
2021-01-01 00:00:00 (000) Default-thread-12 CF0520B31B4E3C1069EC206B274BCB33 txid=2a9564b31b4e SEVERE *** ERROR *** More than one active instance key found for key type id: sym_hmac


2021-01-01 00:00:00 (000) Default-thread-5 2BB49B121B332010AE4B311D1E4BCB40 txid=a8d45f121b33 SEVERE *** ERROR *** HMAC validation failed for: 79e4b2151b3be0104814fc8f034bcba6 : com.glide.kmf.AKMFKeyRegistry$KeyRegistryException: HMAC validation failed for key: 79e4b2151b3be0104814fc8f034bcba6
com.glide.kmf.AKMFKeyRegistry$KeyRegistryException: HMAC validation failed for key: 79e4b2151b3be0104814fc8f034bcba6

Resolution

The duplicate KMF keys that were cloned over to the target instance will need to be deactivated.

Unfortunately, at the current time, ServiceNow Customer Support will need to be involved to assist. Please raise a NOW Support ticket referencing this KB for further assistance.


When using a custom "Clone Profile" for cloning, please create "Clone Exclude Tables" and "Clone Data Preservers" records for the two tables:

- Instance Keys [sys_kmf_instance_key]

- Module Keys [sys_kmf_module_key]
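The two conditions this KB describes, a key type with more than one active key (the source of the errors quoted above) and a custom Clone Profile missing records for the two KMF tables, modelled as an added example in plain JavaScript over constructed records. This is not code from the KB or from ServiceNow, and the field names (key_type_id, active, table) are assumptions, not the platform's real schema.

```javascript
// Added example over constructed data; field names are assumptions, not ServiceNow's schema.
const KMF_TABLES = ["sys_kmf_instance_key", "sys_kmf_module_key"];

// Returns the key type ids that have more than one active key, the condition behind
// "More than one active instance key found for key type id" after a bad clone.
function findDuplicateActiveKeyTypes(keys) {
  const activeCount = new Map();
  for (const k of keys) {
    if (!k.active) continue;
    activeCount.set(k.key_type_id, (activeCount.get(k.key_type_id) || 0) + 1);
  }
  return [...activeCount.entries()]
    .filter(([, n]) => n > 1)
    .map(([type]) => type)
    .sort();
}

// Given a clone profile's Clone Exclude Tables and Clone Data Preservers records,
// returns the KMF tables still missing from each list (what a custom profile must add).
function missingKmfCloneRecords(profile) {
  const excluded = new Set(profile.excludeTables.map((r) => r.table));
  const preserved = new Set(profile.dataPreservers.map((r) => r.table));
  return {
    excludeTables: KMF_TABLES.filter((t) => !excluded.has(t)),
    dataPreservers: KMF_TABLES.filter((t) => !preserved.has(t)),
  };
}

// Constructed sample: target-instance keys after a clone whose profile did not exclude
// the KMF tables, so the source instance's active sym_hmac key landed beside the target's.
const clonedKeys = [
  { sys_id: "key-target-1", key_type_id: "sym_hmac", active: true },
  { sys_id: "key-source-1", key_type_id: "sym_hmac", active: true },
  { sys_id: "key-target-2", key_type_id: "sym_data_enc", active: true },
  { sys_id: "key-retired", key_type_id: "sym_data_enc", active: false },
];

// Constructed custom profile that only half-covers the two tables.
const customProfile = {
  excludeTables: [{ table: "sys_kmf_instance_key" }],
  dataPreservers: [],
};

console.log(findDuplicateActiveKeyTypes(clonedKeys)); // ["sym_hmac"]
console.log(missingKmfCloneRecords(customProfile));
```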