Certificate Pattern Discovery doesn't work after upgrading to Certificate Inventory Management 1.3.8 in Quebec instances when KMF is enabled - Known Error

Certificate Pattern Discovery doesn't work after upgrading to Certificate Inventory Management 1.3.8 in Quebec instances when KMF is enabled Description Certificate Inventory Management 1.3.8 contained Cryptographic Modules for KMF, When KMF is enabled these Cryptographic Modules are utilised to encrypt the Certificate Management Credentials. The Decryption of these KMF encrypted passwords on Mid Server is supported from Rome release.

When Certificate Inventory Management 1.3.8 version is installed on Quebec and KMF is enabled, the passwords get encrypted through KMF but as the Mid Server is not able to decrypt these passwords the encrypted password is directly sent to the APIs which results in a 403 response (Unauthorised)

Steps to Reproduce

Install Certificate Inventory and Management v1.3.8 Plugin in Quebec Enable KMF Plugin Create a Certificate Inventory Management Credential Observer that the Credential created will be encrypted through KMF Trigger Certificate Authority Discovery, discovery will fail Workaround As a workaround we needs to remove the cryptographic module that was added in 1.3.8 version

1. Navigate to System Definition > Scripts - Background

2. Set the scope to "sn_kmf"

3. Copy paste the below script in the background script and run

var gr = new GlideRecord("sys_kmf_crypto_module"); gr.addQuery("sys_id","5cdac34b6b2620102e15a1512e44af4a"); gr.query(); if(gr.next()) { gs.info("Deleting the crypto module"); gr.deleteRecord(); } 4. Once the crypto module is deleted, please recreate the credential and try discovery again

Adding Back the Deleted Cryptographic Module When Certificate Inventory Management is upgraded to 1.3.18 (v4 Patch 1) a Fix script runs to check if the cryptographic module was deleted and adds it back if it was deleted. In Rome or above instances if we want to add the cryptographic modules manually

1. Navigate to System Definition > Scripts - Background

2. Set the scope to "sn_disco_certmgmt"

3. Copy paste the below script in the background script and run

var gr = new GlideRecord("sys_kmf_crypto_module"); gr.addQuery("sys_id", "5cdac34b6b2620102e15a1512e44af4a"); gr.query(); if (!gr.next()) { //Record does not exists adding the record back gs.info("Adding the crypto module back"); var cryptoGr = new GlideRecord("sys_kmf_crypto_module"); cryptoGr.initialize(); cryptoGr.setValue("alias", "glide_encrypter"); cryptoGr.setValue("crypto_module_lifecycle_state", "published"); cryptoGr.setValue("crypto_spec_template", "af44335953103300cd1eddeeff7b1285"); cryptoGr.setValue("internal_module", "false"); cryptoGr.setValue("name", "sn_disco_certmgmt.glide_encrypter"); cryptoGr.setValue("parent_crypto_module", "7d7ee9e3b7030010ebf7082e7e11a979"); cryptoGr.setValue("short_name", "glide_encrypter"); cryptoGr.setValue("sys_name", "glide_encrypter"); cryptoGr.setValue("sys_package", "5644310553c63300704dddeeff7b12a5"); cryptoGr.setValue("sys_update_name", "sys_kmf_crypto_module_5cdac34b6b2620102e15a1512e44af4a"); cryptoGr.setNewGuidValue("5cdac34b6b2620102e15a1512e44af4a"); cryptoGr.insert(); gs.info("Adding the crypto spec back"); var specGr = new GlideRecord('sys_kmf_module_crypto_spec'); specGr.initialize(); specGr.setValue("algorithm", "6d2e9e9553013300cd1eddeeff7b1224"); specGr.setValue("alias", " --- Symmetric Key Wrapping/Unwrapping"); specGr.setValue("auto_generate_key", "false"); specGr.setValue("crypto_module", "5cdac34b6b2620102e15a1512e44af4a"); specGr.setValue("crypto_purpose", "243e7b64c7003300af4d43c6f09763de"); specGr.setValue("generate_key", "1230c3bb0bc83300af4deaf1a3673a8a"); specGr.setValue("import_key_from_keystore", "0b0e5336c7003300af4d43c6f0976315"); specGr.setValue("integrity_preserving", "false"); specGr.setValue("key_alias", "sn_disco_certmgmt.ge_key"); specGr.setValue("key_type", "ca005cf7c7103300af4d43c6f0976328"); specGr.setValue("key_version", "-1"); specGr.setValue("origin", "servicenow"); specGr.setValue("sn_kmf_state", "definition"); specGr.setValue("sys_name", "5cdac34b6b2620102e15a1512e44af4a"); specGr.setValue("sys_package", "5644310553c63300704dddeeff7b12a5"); specGr.setValue("sys_update_name", "sys_kmf_module_crypto_spec_65da074b6b2620102e15a1512e44af1a"); specGr.setValue("upload_csk", "a4bff7d453010010cd1eddeeff7b12b0"); specGr.setNewGuidValue("65da074b6b2620102e15a1512e44af1a"); specGr.insert(); gs.info("Adding the module access policy back"); var mapGr = new GlideRecord('sys_kmf_crypto_caller_policy'); mapGr.initialize(); mapGr.setValue("active", "true"); mapGr.setValue("check_script_hash", "false"); mapGr.setValue("crypto_module", "5cdac34b6b2620102e15a1512e44af4a"); mapGr.setValue("impersonation", "false"); mapGr.setValue("owner", "18a16ead6c223010958bbcfd43336887"); mapGr.setValue("policy_name", "scriptside_reject_sn_disco_certmgmt.glide_encrypter"); mapGr.setValue("result", "strictreject"); mapGr.setValue("specify_purpose", "false"); mapGr.setValue("sys_name", "scriptside_reject_sn_disco_certmgmt.glide_encrypter"); mapGr.setValue("sys_package", "5644310553c63300704dddeeff7b12a5"); mapGr.setValue("type", "6"); mapGr.setValue("used", "false"); mapGr.setValue("target_scope", "5644310553c63300704dddeeff7b12a5"); mapGr.setNewGuidValue("3496bf7d0726301019f0782a9cd30062"); mapGr.insert(); }