Considerations when importing records containing KMF encrypted Password2 fields

Summary

Starting from ServiceNow's Rome release, password2 fields (two-way encryption which allows the instance to decrypt) are encrypted with KMF. Each instance has its own KMF encryption keys, which enhances the platform's security. When exporting a record containing a password2 field from "Instance A" and then importing it into "Instance B", you have to consider that "Instance B" will not be able to decrypt the password2 value because it was encrypted with the key from "Instance A". In order for "Instance B" to decrypt the password2 value, you will have to perform a KMF Resource Exchange.

Release

Rome and later

Instructions

Note: The steps below are only to help identify which module is being used so that a key exchange can be performed on an ad-hoc basis if needed. For this example, I will be using the OOB "SAML 2.0 Keystore_Key2048_SHA256_FIPS" [sys_certificate] record:
https://<instance>.service-now.com/sys_certificate.do?sys_id=c60ad24b732220103a5b0dd43cf6a7db

Let's try exporting the record as XML from "Instance A", importing it into "Instance B" and see what happens.

1. Log into "Instance A" (the instance which contains the original record).
2. Navigate to the "SAML 2.0 Keystore_Key2048_SHA256_FIPS" [sys_certificate] record.
3. Export the record as XML (click on the hamburger icon, select Export, then XML).
4. Log into "Instance B" (the instance we are importing the record into).
5. Import the XML exported in Step 3 (navigate to the [sys_certificate] list view, right-click any column header and select "Import XML").
6. Navigate to the imported record and try "Validate Stores/Certificates". It should return an error indicating that the validation failed; this is because the password2 value cannot be decrypted.
Finding the Crypto Module

Password2 fields are encrypted by Crypto Module Keys, so we first need to find the Crypto Module used:

1. Log into "Instance A" (the instance which contains the original record).
2. Navigate to the "SAML 2.0 Keystore_Key2048_SHA256_FIPS" [sys_certificate] record.
3. Perform a "Show XML" and take note of the first part of the "key_store_password" field (this is a password2 field):
   <key_store_password>073a92dcdb9f011084665e92f39619ea1b4MNzaX9JbsdsPqzYqePMA==3hMXs266k_ooquFUAAoEZ89AU2V_pmU=</key_store_password>
4. The value noted in step 3 is the "sys_id" of the Module Key [sys_kmf_module_key] used to encrypt the password2 field:
   https://instanceA.service-now.com/sys_kmf_module_key_list.do?sysparm_query=sys_id=<sys_id_from_step_2>
5. Note down the "Crypto module" value of the Module Key record (in this case it is "com_glide_certificates_glideencrypter"), as we will export this using Resource Exchange.

KMF Resource Exchange - Exporting the KMF Module Key

Now that we know the Crypto Module used to encrypt the password2 field of the original record, we need to initiate a KMF Resource Exchange to send the key to the target instance.

Note: To perform this step, you will need the "sn_kmf.cryptographic_manager" role (which needs to be granted by a KMF Admin) and then elevate your role.
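The step above is easy to do by hand for one record, but an export often carries several records and several password2 columns. The script below is an added example (it is not ServiceNow code and not part of this article): it walks an exported XML file, pulls the Module Key sys_id out of every password2 value, and reports which Module Keys the target instance does not yet have, so the Resource Exchange can be requested before the import rather than after a failed validation. It assumes, as the article describes, that the ciphertext begins with the 32-character hexadecimal sys_id of the sys_kmf_module_key record; the sample export XML and the table-to-column map PASSWORD2_FIELDS are constructed for the example (only key_store_password on sys_certificate comes from the article; extend the map from your instance's dictionary).

```python
"""
Pre-import check for exported ServiceNow records that contain password2 fields.
Added example, not ServiceNow code. Assumption: a password2 ciphertext starts
with the 32-hex sys_id of the sys_kmf_module_key that encrypted it, as the
article shows; the XML below only approximates a real "Export XML" file.
"""
import re
import xml.etree.ElementTree as ET

SYS_ID_RE = re.compile(r"^[0-9a-f]{32}")

# Constructed sample export from "Instance A". The key_store_password value is
# the one quoted in the article; the surrounding record is illustrative.
SAMPLE_EXPORT = """<?xml version="1.0" encoding="UTF-8"?>
<unload unload_date="2024-01-01 00:00:00">
<sys_certificate action="INSERT_OR_UPDATE">
<name>SAML 2.0 Keystore_Key2048_SHA256_FIPS</name>
<key_store_password>073a92dcdb9f011084665e92f39619ea1b4MNzaX9JbsdsPqzYqePMA==3hMXs266k_ooquFUAAoEZ89AU2V_pmU=</key_store_password>
<sys_id>c60ad24b732220103a5b0dd43cf6a7db</sys_id>
</sys_certificate>
</unload>
"""

# Which columns are password2 per table. sys_certificate.key_store_password is
# from the article; add further tables/columns from your sys_dictionary (assumption).
PASSWORD2_FIELDS = {"sys_certificate": ["key_store_password"]}


def module_key_sys_id(value):
    """Return the sys_kmf_module_key sys_id prefixed to a password2 ciphertext, or None."""
    if not value:
        return None
    value = value.strip()
    m = SYS_ID_RE.match(value)
    # A bare 32-hex string is just a sys_id, not an encrypted value with a key prefix.
    if m is None or len(value) == 32:
        return None
    return m.group(0)


def encrypted_fields(export_xml, password2_fields=PASSWORD2_FIELDS):
    """Map (table, record sys_id, column) -> Module Key sys_id for every password2 value in the export."""
    found = {}
    root = ET.fromstring(export_xml)
    for record in root:            # each child of <unload> is one exported record
        table = record.tag
        rec_id = record.findtext("sys_id", default="?")
        for column in password2_fields.get(table, []):
            key_id = module_key_sys_id(record.findtext(column))
            if key_id:
                found[(table, rec_id, column)] = key_id
    return found


def missing_module_keys(export_xml, target_module_key_ids, password2_fields=PASSWORD2_FIELDS):
    """Module Key sys_ids the target instance lacks; each needs a Resource Exchange before import."""
    needed = set(encrypted_fields(export_xml, password2_fields).values())
    return sorted(needed - set(target_module_key_ids))


def module_key_url(source_host, key_sys_id):
    """List URL on the source instance for looking up the Crypto module of a Module Key (article's URL shape)."""
    return f"https://{source_host}/sys_kmf_module_key_list.do?sysparm_query=sys_id={key_sys_id}"


if __name__ == "__main__":
    # Constructed: Module Key sys_ids already present on "Instance B" (none match here).
    target_keys = {"00000000000000000000000000000000"}
    for (table, rec_id, column), key_id in encrypted_fields(SAMPLE_EXPORT).items():
        print(f"{table}.{column} on record {rec_id} was encrypted with Module Key {key_id}")
        print("  look up its Crypto module at:", module_key_url("instanceA.service-now.com", key_id))
    for key_id in missing_module_keys(SAMPLE_EXPORT, target_keys):
        print("Resource Exchange required before import for Module Key", key_id)
```

Feed it the real export file and the list of Module Key sys_ids visible in sys_kmf_module_key on the target instance; every sys_id it reports as missing maps, via the URL it prints, to the Crypto module you need to request in the next section.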
1. Log into "Instance B" (the instance we are importing the record into).
2. Navigate to "Key Management > Resource Exchange > Resource Exchange Requests".
3. Click on "New", fill out the form and click "Submit Request":
   - Exchange Frequency: Adhoc (we are doing a one-off exchange)
   - Source Instance Sys Id: You can get this from "stats.do" on "Instance A" (the instance which contains the original record).
   - Source Instance Host: instanceA.service-now.com
   - Crypto Specifications: com_glide_certificates_glideencrypter (this may differ depending on your results from step 5 of "Finding the Crypto Module")
   There should now be an Exchange Request record with the "Status" as "Request Sent".
4. Log into "Instance A" (the instance which contains the original record).
5. Navigate to "Key Management > Resource Exchange > Resource Exchange Requests". You will see the record created in Step 3 with "Status" as "Pending Approval".
6. Open the record, change the "Status" to "Request Approved" and update. Allow a few minutes for the keys to exchange.
7. On "Instance B", navigate to the imported XML record; you should now be able to successfully "Validate Stores/Certificates".

Related Links

Password2 encryption with KMF
KMF Roles
KMF Resource Exchange
Configure Key Exchange