Configure a JWT provider and token for HLA

Introduction

This KB describes the steps needed to create a JWT token for ITOM Cloud Services, which can be used for authentication for sending data from Amazon Data Firehose to HLA. For troubleshooting suggestions and additional documentation, see KB2117152.

Requirements

- HLA version 36.0.19 or higher
- The instance user that creates the KeyStore on the instance must have appropriate ACLs to create records in appropriate tables and cryptographic modules.

Step 1 - Create a KeyStore

When uploading the keystore to the instance, the user can create either JKS or PKCS12. The keystore must have a password. Below is an example of creating the necessary public/private keys and the keystore using openssl.
Optionally, rename the "my_keystore" values in the -out and -name parameters.

```
# generate the private key
openssl genrsa -out private.key 2048

# create the certificate - all metadata is optional when prompted
openssl req -new -x509 -key private.key -out public_key.cer -days 9125 -sha256

# create a keystore
openssl pkcs12 -export -in public_key.cer -inkey private.key -out my_keystore.p12 -name my_keystore
```

Step 2 - Create the certificate record

- Navigate to the sys_certificate table.
- Create a new record with "Java Key Store" as shown in the screenshot. This MUST be a "Java Key Store" type.
- Add the password from the previous step.
- Upload the keystore file created above (e.g. my_keystore.p12) to this record.
- Select Update to complete the record.

Step 3 - Create JWT key

- Navigate to the "JWT Key" table.
- Select the sys_certificate record created above in Step 2 for the "Signing Keystore" value.
- Enter the keystore password for the "signing key" created in Step 1 and used in Step 2.
- Review the screenshot below for other values.
- Select Update to complete the record.

Step 4 - Create JWT provider

- Navigate to the "JWT Provider" table.
- Select New to create a new record.
- Set the "Signing Configuration" to the JWT Key record that you just created.
- Set the Expiry interval to 3600.
- Select Update to complete the record.

Step 5 - Create ICS JWT Config

- Navigate to the "ICS JWT Config" table.
- Select New to create a new record.
- Choose the previously created JWT Provider record.
- Attach the public certificate from the "Create a KeyStore" step (e.g. the public_key.cer file from Step 1).
- Select Update to complete the record.

Step 6 - Getting and using a Token

Once the above setup is complete, you can proceed to configure the Integration Launchpad tile of your choosing to use for ingest. If you use the OpenTelemetry MID-less tile in Integrations Launchpad, the setup has succeeded if you can complete the naming of the tile and proceed to the ITOM Gateway URL, Integration Id and Token values.
If you are doing this to configure AWS Firehose, follow the documentation at https://www.servicenow.com/docs/bundle/yokohama-it-operations-management/page/product/health-log-analytics-admin/task/il-connector-hla-firehose.html?state=seamless to generate a token to use and integrate with HLA.

Troubleshooting

If you have had issues with this setup, check these items as well:

- Ensure the password has been entered correctly when prompted. Re-enter the values; in the Certificate record you can choose "Validate Keystore" to confirm it is correct.
- Make sure that the keystore and public certificate files have been attached to the records above.

A common error occurs when the user creating a KeyStore and associated records on the instance does not have the correct ACLs or permissions to do so. See https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1112530 for additional recommendations.
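
A local pre-upload check for the files from Step 1, covering the password and attachment items in Troubleshooting. This is an added example, not part of the original KB or ServiceNow code. It runs the Step 1 commands non-interactively, then confirms that the password opens the keystore and that public_key.cer is the certificate paired with the key inside it. The function names, the KS_PASS environment variable, the /CN subject and the demo password are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not ServiceNow code. The keystore password is read from the
# KS_PASS environment variable (an assumption of this sketch) so that it is
# never typed on a command line.

# make_keystore DIR NAME: non-interactive form of the Step 1 commands.
make_keystore() {
    dir=$1 name=$2
    mkdir -p "$dir" || return 1
    (
        umask 077   # files created here are readable by the owner only
        openssl genrsa -out "$dir/private.key" 2048 2>/dev/null &&
        openssl req -new -x509 -key "$dir/private.key" -subj "/CN=$name" \
            -out "$dir/public_key.cer" -days 9125 -sha256 &&
        openssl pkcs12 -export -in "$dir/public_key.cer" \
            -inkey "$dir/private.key" -out "$dir/$name.p12" \
            -name "$name" -passout env:KS_PASS
    )
}

# verify_keystore P12 CERT: succeeds only if KS_PASS opens the keystore, the
# certificate inside it is CERT, and the private key inside it matches CERT.
verify_keystore() {
    p12=$1 cert=$2
    ks_fp=$(openssl pkcs12 -in "$p12" -passin env:KS_PASS -nokeys 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 1
    cer_fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256) || return 1
    [ "$ks_fp" = "$cer_fp" ] || return 1
    ks_pub=$(openssl pkcs12 -in "$p12" -passin env:KS_PASS -nocerts -nodes \
        2>/dev/null | openssl pkey -pubout 2>/dev/null) || return 1
    cer_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    [ "$ks_pub" = "$cer_pub" ]
}

# Demo in a throwaway directory with a constructed password.
demo() {
    work=$(mktemp -d) || return 1
    KS_PASS='constructed-demo-password'; export KS_PASS
    make_keystore "$work" my_keystore &&
        verify_keystore "$work/my_keystore.p12" "$work/public_key.cer"
    rc=$?
    rm -rf "$work"
    return $rc
}
demo && echo "keystore verified"
```

A failing verify_keystore means either the wrong password or a public_key.cer that does not belong to the keystore, the two attachment mistakes that would otherwise only surface on the instance.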