Unable to decrypt Key Store password after upgrading to San Diego - Known Error

Unable to decrypt Key Store password after upgrading to San Diego Description The password2 submodule ("com_glide_certificates_glideencrypter") that protects data within tables related to sys_certificate provided out-of-the-box is missing module access policies.

Because of that, any attempt to decrypt the key store password is refused (which is the default behavior when no policy is defined).

Steps to Reproduce

1. Navigate to sys_certificate. 2. Open any KeyStore record. 3. Use "Show XML" to access the ciphertext (contained in key_store_password ). 4. Via background script (or Script Include, or ...), use GlideEncrypter to decrypt the KMF-encrypted value in 3.

Expected: Value is decrypted successfully (Rome behavior) Actual: Access Denied to cryptographic module 'global.com_glide_certificates_glideencrypter'

Workaround 1. Navigate to the list of auto-generated Module Access Policies for the 'com_glide_certificates_glideencrypter' crypto module: https:// .service-now.com/sys_kmf_crypto_caller_policy_list.do?sysparm_query=crypto_module%3D8994cbe3ff23201022f462aa453bf13d%5Eactive%3Dtrue%5Eresult%3Dreject

2. Review each policy, and switch them to "Result" = "Track" as needed to grant access to a specific scope/script/role.

NOTE: This must be done as a user with the 'sn_kmf.cryptographic_manager' role. Customers can assign it by elevating to security_admin and following: https://docs.servicenow.com/bundle/quebec-platform-administration/page/administer/key-management-framework/reference/kmf-roles.html . Alternatively, this change can be executed by ServiceNow support as MAINT user.