How To Create a MID Protocol Profile to use mTLS on a MID Server running in FIPS Enforced Mode

Summary

You can use mTLS with a MID Server by defining a MID Protocol Profile for connections that use mutual authentication. The MID Protocol Profile specifies the mTLS credential and certificate information required for the connection. The MID Server uses the information in the MID Protocol Profile to retrieve the KeyStore, register protocols with the HTTP client, and make outbound calls with mTLS. However, when a MID Server is in FIPS Enforced Mode, the Client Certificate used for mTLS must be converted to a BCFKS-type KeyStore; this ensures that the MID Server can decrypt the Client Certificate from the KeyStore and send it to the server for authentication. If the KeyStore is not converted, SSL socket connection and/or mTLS authentication failures will occur, so this conversion is essential for MID Servers in FIPS Enforced Mode.
Facts

- MID Protocol Profiles are used in Integration Hub to make outbound REST and SOAP calls through a MID Server using Mutual TLS (mTLS) authentication.
- FIPS (Federal Information Processing Standards) Enforced Mode is used by customers with instances in Government Community Cloud (GCC) IL-4 and National Security Cloud (NSC) IL-5 environments.
- When a MID Server runs in FIPS Enforced Mode, only FIPS-validated cryptographic algorithms are used.
Release

Xanadu and later releases

Instructions

1. Enable MID Server FIPS Enforced Mode

Procedure

a. Shut down the MID Server.
b. Execute the bundled script provided to convert the MID Server to run in FIPS Enforced Mode:

   For Windows hosts:
   > <MID install directory>\agent\bin\scripts\set-fips-enforced-mode.bat on

   For Linux hosts:
   $ <MID install directory>/agent/bin/scripts/set-fips-enforced-mode.sh on

   Success is logged to the console, including the location of modified files and any backups generated during the conversion. If invoked programmatically, success is indicated by a 0 return code.
c. Start the MID Server.

For more details on this procedure, see MID Server FIPS Enforced Mode.

2. Convert the Client Certificate's KeyStore type to BCFKS

Before you begin

- The mTLS Client Certificate needs to be in a directory accessible to the MID Server on its host machine.
- Have the KeyStore password for the Client Certificate's private key.
- Know the Client Certificate's KeyStore type (PKCS12, PEM, JKS, etc.).

Procedure

a. Change your current directory to the MID Server's /agent/jre/bin directory, where the Java keytool is located.
b. Convert the Client Certificate's KeyStore type to BCFKS with the following command:

   keytool -importkeystore -v -srckeystore <source keystore path> -srcstoretype <source keystore type> -srcstorepass <keystore password> -destkeystore <destination keystore path> -deststoretype BCFKS -deststorepass <keystore password> -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath <full path to MID Server's …/agent/lib/bc-fips.jar>

   Before running the command, replace the parameter values as follows:
   - <source keystore path>: the full path to the Client Certificate.
   - <source keystore type>: the KeyStore type of the Client Certificate.
   - <destination keystore path>: the full path where the new .bcfks Client Certificate should be written.
   - <keystore password>: the Client Certificate's KeyStore password, for both the -srcstorepass and the -deststorepass parameters.
   - <full path to MID Server's …/agent/lib/bc-fips.jar>: the full path to the bc-fips.jar file located in the MID Server's /agent/lib directory.

   Below is an example of this command converting a PKCS12 Client Certificate to BCFKS:

   keytool -importkeystore -v -srckeystore "C:\ServiceNow\mTLSCerts\mymtlsclientcert.p12" -srcstoretype PKCS12 -srcstorepass Password123 -destkeystore "C:\ServiceNow\mTLSCerts\mymtlsclientcert.bcfks" -deststoretype BCFKS -deststorepass Password123 -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath "C:\ServiceNow\Mid_Server1\agent\lib\bc-fips.jar"

c. Run the command. Success is logged to the console, and the new .bcfks Client Certificate is written to the path specified in the -destkeystore parameter.

3. Create a MID Protocol Profile to use mTLS on a MID Server

Procedure

a. Create a Connection & Credential alias.
   - Navigate to All > IntegrationHub > Connection & Credential Alias and select New.
   - On the Connection & Credential Aliases form, enter a name in the Name field and confirm that Connection type is set to HTTP.
   - Select Save.
b. Create a connection.
   - On the Connection & Credential Aliases form, in the Connections tab, select New.
   - On the HTTP(s) Connection form, enter a Name.
   - Select URL builder, Mutual authentication, and Use MID server.
   - In the MID protocol profile field, use the magnifying glass icon to open the MID Protocol Profiles form and select New.
c. Create a MID Protocol Profile. On the form, fill in the following fields:
   - Protocol: a unique name to identify this HTTPS protocol, such as mauth. Do not use upper-case letters, special characters, or the names http or https.
   - Keystore path: the full path to the BCFKS Client Certificate on the MID Server.
   - Password: the BCFKS Client Certificate's KeyStore password.
   - Applies to: Specific MID Servers.
   - MID Servers: the MID Server on which the Client Certificate is located.
   - Default Port: 443.
   - External Credential Store: leave this blank.
   - Select Submit.
   - On the HTTP(s) Connection form, enter the target host for the connection in the Host field and save the Connection form. The Connection URL field is then filled in with the connection URL.
d. (Optional) Test your connection with a REST step.
   - Navigate to All > Process Automation > Workflow Studio.
   - On the Workflow Studio landing page, select New > Action.
   - Give your action a name in the Action name field and select Build action.
   - In the Action Outline section, select REST.
   - In the REST step, in the Connection field, select Use Connection Alias, and in the Connection Alias field, select the connection alias you created. The Base URL field should be filled in with the connection URL from the Create a connection step above.
   - Save the REST step and select Test.
   - In the pop-up window, select Run Test. After the test runs, the EXECUTION DETAILS page displays. In the ACTION section, expand the steps section, then scroll down to the Step Output Data section to view the Status Code. It should be 200, showing that the mTLS call through the MID Server succeeded.
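The following is an added example for step 2 on a Linux MID Server host; it is not a ServiceNow script and is not part of this article. It runs the same keytool -importkeystore conversion shown above, but reads the KeyStore password from an environment variable using keytool's -srcstorepass:env / -deststorepass:env forms, so the password does not end up in shell history or in the process list the way the literal Password123 in the article's command does. It then checks that the new BCFKS store actually contains a PrivateKeyEntry, since a store without a private key entry cannot present a client certificate during the mTLS handshake. The MID_HOME variable, the MID_KS_PASS variable name, the extension-to-type mapping and the sample paths are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not ServiceNow's own tooling): convert an mTLS client
# KeyStore to BCFKS using the MID Server's bundled keytool and bc-fips.jar.
# Assumptions: MID_HOME is the MID Server install directory; the source
# store type is inferred from the file extension; the password lives in an
# environment variable (default name MID_KS_PASS).

# Map a client-certificate file extension to a keytool -srcstoretype value.
# PEM key/certificate pairs are not keytool KeyStore types and are not
# handled here; returns non-zero for anything unrecognised.
infer_store_type() {
  case "$1" in
    *.p12|*.pfx) echo PKCS12 ;;
    *.jks)       echo JKS ;;
    *.bcfks)     echo BCFKS ;;
    *)           return 1 ;;
  esac
}

# Destination path: same directory and base name, .bcfks extension.
dest_path_for() {
  printf '%s.bcfks\n' "${1%.*}"
}

# convert_to_bcfks <source keystore> <MID_HOME> [password env var name]
# Prints the path of the BCFKS store on success; returns 1 on any failure.
convert_to_bcfks() {
  src="$1"; mid_home="$2"; pass_var="${3:-MID_KS_PASS}"
  keytool="$mid_home/agent/jre/bin/keytool"
  bcfips="$mid_home/agent/lib/bc-fips.jar"
  provider=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider

  [ -f "$src" ] || { echo "source keystore not found: $src" >&2; return 1; }
  store_type=$(infer_store_type "$src") \
    || { echo "unrecognised keystore extension: $src" >&2; return 1; }

  # Already BCFKS: nothing to convert, hand back the same path.
  if [ "$store_type" = BCFKS ]; then echo "$src"; return 0; fi

  [ -x "$keytool" ] || { echo "keytool not found at $keytool" >&2; return 1; }
  [ -f "$bcfips" ]  || { echo "bc-fips.jar not found at $bcfips" >&2; return 1; }
  # The password must be exported; keytool reads it from the named variable.
  eval "[ -n \"\${$pass_var}\" ]" \
    || { echo "environment variable $pass_var is not set" >&2; return 1; }

  dest=$(dest_path_for "$src")

  "$keytool" -importkeystore -v \
    -srckeystore "$src" -srcstoretype "$store_type" -srcstorepass:env "$pass_var" \
    -destkeystore "$dest" -deststoretype BCFKS -deststorepass:env "$pass_var" \
    -provider "$provider" -providerpath "$bcfips" || return 1

  # Verify with the FIPS provider that the new store holds a private key;
  # a certificate-only store cannot satisfy an mTLS client-auth request.
  "$keytool" -list -keystore "$dest" -storetype BCFKS -storepass:env "$pass_var" \
    -provider "$provider" -providerpath "$bcfips" | grep -q PrivateKeyEntry \
    || { echo "no PrivateKeyEntry in $dest; mTLS client auth will fail" >&2; return 1; }

  echo "$dest"
}

# Usage (constructed paths):
#   export MID_KS_PASS    # prompted separately, e.g. read -s MID_KS_PASS
#   convert_to_bcfks /opt/servicenow/mTLSCerts/mymtlsclientcert.p12 /opt/servicenow/mid_server1
# The printed .bcfks path is what goes into the MID Protocol Profile's Keystore path field.
```

Run it with the password exported in the current shell only (for example via `read -s MID_KS_PASS; export MID_KS_PASS`), then unset it once the profile has been created; the same -storepass:env form can be used when later inspecting the BCFKS store on the MID Server.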
Related Links

ServiceNow Product Documentation
- MID Server FIPS Enforced Mode
- Using the mTLS protocol with a MID Server
- Create a Connection & Credential alias
- Create an HTTP(s) connection
- REST step

Oracle Documentation on the Java KeyTool Utility
- Java KeyTool