API Works in Postman/CURL but Fails from ServiceNow

Summary

In some cases, outbound API calls from ServiceNow to a third-party endpoint may fail with the errors listed below, while the same API call succeeds when tested using CURL or Postman.

This behavior occurs because the API response can vary based on the source environment and network location from which the request is initiated, as well as the security controls and validations enforced on that path.

ServiceNow applies strict security and validation checks during outbound connections to ensure the integrity, confidentiality, and security of communications.

Common errors observed in these kinds of situations:

- Session contains no certificates – Untrusted
- java.net.SocketException: Socket is closed
- java.net.SocketTimeoutException: connect timed out
- java.net.SocketTimeoutException: Read timed out

1. Session contains no certificates – Untrusted

This error usually occurs due to SSL certificate–related issues.
The message “Session contains no certificates – Untrusted” appears when there is a problem with the certificate(s) installed on the endpoint (server).

During an outbound HTTPS API call from ServiceNow, the platform performs the following three validations as part of the SSL/TLS handshake:

- Certificate Chain Check
- Certificate Hostname Verification
- Certificate Revocation Check

a. What is Certificate Chain Check:

During the SSL handshake, the server returns its certificate chain, which typically includes:

- Leaf (server) certificate
- Intermediate certificate(s)
- Root certificate

Some tools such as Postman or CURL may not strictly enforce full certificate chain validation, depending on their configuration and the underlying operating system trust store. However, ServiceNow enforces strict certificate chain validation and requires the complete and valid certificate chain to be presented by the endpoint.

If the certificate chain is incomplete or invalid, the connection is rejected with the error: Session contains no certificates – Untrusted

Resolution

The endpoint/server team must deploy the correct and complete certificate chain (leaf + intermediate certificates) on the endpoint. Additionally, the Root CA certificate in the chain must be signed by a globally trusted Certificate Authority (CA). If the Root CA is not trusted, ServiceNow will not establish the connection.

In some scenarios, if the Root CA certificate is not trusted by ServiceNow by default, it must be explicitly added to the ServiceNow trust store. This can be done by uploading the Root CA certificate to the sys_certificate table with the Type set to “Trust Store Cert.”

b. What is Certificate Hostname Verification Check:

Certificate Hostname Verification is a critical security check during the SSL/TLS handshake.
It ensures that the hostname being accessed exactly matches the hostname present in the server’s SSL certificate.

If the hostname in the URL does not match the hostname (CN or SAN) in the certificate, the TLS connection is rejected.

Resolution

The endpoint team must ensure that the correct hostname is mapped in the SSL certificate used by the server.

c. What is Certificate Revocation Check:

Certificate Revocation Check is a security validation performed during the SSL/TLS handshake to confirm that the certificate:

- Is still trusted by the issuing Certificate Authority (CA)
- Has not been revoked, even if it has not yet expired

If the certificate has been revoked or its revocation status cannot be validated (depending on policy), the SSL handshake fails.

Resolution

The endpoint team must work with the certificate authority or security team to:

- Validate the certificate revocation status
- Ensure CRL or OCSP endpoints are reachable and correctly configured

2. java.net.SocketException: Socket is closed

This error occurs when a Java application (i.e., ServiceNow) attempts to read from or write to a network socket that has already been closed.

The socket may have been closed by:

- The remote server
- A proxy or firewall

Resolution

Troubleshoot the network connectivity and the connection lifecycle between the client and the server.

3. java.net.SocketTimeoutException: connect timed out

This error occurs when the client is unable to establish a TCP connection with the server within the configured timeout period. This happens before any data is exchanged, during the connection phase.

Common Causes

- Server is unreachable (i.e., the third-party application)
- Network connectivity issues
- Firewall, proxy, or VPN blocking outbound connections

Resolution

Troubleshoot the network path between the client and server and ensure:

- The endpoint is reachable
- Required ports are open
- No network devices are blocking the connection

4. java.net.SocketTimeoutException: Read timed out

This error occurs after the connection is successfully established, when the server takes too long to send a response. The client waits for data, but the server is slow or unresponsive beyond the configured read timeout.

In this scenario, the client is ServiceNow and the server is the endpoint application.

Resolution

Identify why the server took too long to respond, such as:

- Backend processing delays on the server
- Performance issues on the server
- Long-running API operations on the server
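
The certificate chain check and hostname verification from section 1 can be reproduced offline with the openssl command line. The script below is an added example, not ServiceNow code: it assumes openssl is installed, builds a constructed throwaway PKI (demo-root, demo-int, demo-leaf, api.example.test and other.example.test are made-up names), and validates the leaf the way a strict client that trusts only the root would. The revocation check is not covered.

```shell
# Constructed throwaway PKI (root -> intermediate -> leaf); all names are made up.
PKI_DIR=$(mktemp -d)
trap 'rm -rf "$PKI_DIR"' EXIT

build_pki() (
  cd "$PKI_DIR" || exit 1
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[demo_ca]
basicConstraints = critical,CA:TRUE
[demo_leaf]
subjectAltName = DNS:api.example.test
EOF
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
      -subj "/CN=demo-$n" -keyout "$n.key" -out "$n.csr" 2>/dev/null || exit 1
  done
  openssl x509 -req -in root.csr -signkey root.key -days 2 \
    -extfile pki.cnf -extensions demo_ca -out root.pem 2>/dev/null &&
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -extfile pki.cnf -extensions demo_ca -out int.pem 2>/dev/null &&
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 2 -extfile pki.cnf -extensions demo_leaf -out leaf.pem 2>/dev/null
)

# Strict client view: trust only the root and build the path solely from what
# the endpoint presents. $1 = hostname in the URL, $2 = intermediates file or "".
verify_presented() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$PKI_DIR/root.pem" -untrusted "$PKI_DIR/$2" \
      -verify_hostname "$1" "$PKI_DIR/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$PKI_DIR/root.pem" \
      -verify_hostname "$1" "$PKI_DIR/leaf.pem" >/dev/null 2>&1
  fi
}

report() {  # $1 = label, $2 = hostname, $3 = presented intermediates
  if verify_presented "$2" "$3"; then echo "PASS  $1"; else echo "FAIL  $1"; fi
}

build_pki || { echo "could not build the demo PKI" >&2; exit 1; }
report "leaf only (incomplete chain)" api.example.test ""
report "leaf + intermediate" api.example.test int.pem
report "leaf + intermediate, URL host differs" other.example.test int.pem
```

Against a real endpoint, `openssl s_client -connect host:443 -servername host -showcerts` prints the certificates the server actually sends, which can then be checked the same way.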