
Encrypting traffic from Service Now App to DB Server (SSL Over JDCB) for on-premise instance

Samir Kurrimboc
Tera Contributor

Hi, 

We are currently looking at encrypting the communication between Service Now Nodes and the DataBase server. (On-premise instance)


We are giving it a try with MariaDB.
The steps seem pretty straightforward.


1 - Define the SSL CA Cert, Server Cert, and Server Keys
2 - Define the Client Cert and Client Key


Then we configure the Server and the Client this way:


[server]
ssl-ca=/etc/mariadbssl/ca-cert.pem
ssl-cert=/etc/mariadbssl/server-cert.pem
ssl-key=/etc/mariadbssl/server-key.pem


[client]
ssl-cert=/etc/mariadbssl/client-cert.pem
ssl-key=/etc/mariadbssl/client-key.pem


However, we are not sure where to put this Client configuration:
[client]
ssl-cert=/etc/mariadbssl/client-cert.pem
ssl-key=/etc/mariadbssl/client-key.pem


Do we need to create a new file in /glide/nodes/node01/conf/overrides.d to include this configuration?
Thank you in advance for the clarification.

Has anyone managed to achieve this? 

Thank you in advance for the help.

Kind Regards,

Samir


Daniel Draes
ServiceNow Employee

I am a bit surprised on why you would want to do this. You are on-premise and should trust the setup in your data center - right? If not, why host the software there in the first place?

I am not working in our infrastructure team but I am not aware that we support this option at the moment. Probably you can set it up using standard database configuration but I would argue that you will be outside standard support and hence lose our help if something goes wrong. Therefore I would strongly advise against it.

There are other encryption methods we DO support, like database encryption, full disk encryption, edge encryption and column level encryption. First check these and figure out if one of them would cover your requirement.

Samir Kurrimboc
Tera Contributor

Hi Fogg, 

Thank you for taking the time to respond to this thread.

You mention trusting the data center setup, but as part of setting up a datacenter, generic guidelines for all implementations would sometimes include encrypting communication from a Point A to a Point B. Even within a datacenter there must be security in place to mitigate the risk of a data breach in case access to certain servers / applications has been compromised.

Encrypting communication in transit is one way to mitigate that risk. 

Firewall, database encryption in transit, at rest, disk encryption ... all solve different problems. For this specific requirement, encryption of communication between App and DB seems to be the best option.

I am not myself a security specialist, however such requirements do make sense to me. (Data breaches have become a common problem.)

The KB KB0563733 even mentions that SSL over JDBC is an option for on-premise customers, it just does not provide the guideline on how to set it up.

I will then dig further on my side to see if we can achieve it. Some high-level guidelines from your infrastructure / development team would help though.

Thank you.

Kind Regards,

Samir

Daniel Draes
ServiceNow Employee

Let me check internally, so far I have not heard from any customer using it - but then ... I do not know all customers myself 😄

Daniel Draes
ServiceNow Employee

I have received documentation on how to enable this for on-premise customers ... woohooo 😄

The client part you are struggling with should only be required for the regular mysql client to connect to the database. So that belongs in the my.cnf on the host where you use the mysql client.

For ServiceNow to leverage SSL connections you have to set some glide-properties in conf/overrides.d/10-mysql-ssl.properties:

glide.db.mysql.jdbc.trustServerCertificate=true
glide.db.mysql.jdbc.useSSL=true


The documentation also states:

Keep in mind that you are incurring a 10-20% performance degradation when enabling SSL on all components.

Hope that helps.
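An added audit script (not from the thread, ServiceNow or MariaDB) that checks the two configuration fragments discussed in this thread for the gaps a practitioner would look for: the `[client]` block carries no `ssl-ca`, so the mysql client cannot verify the server certificate, and `trustServerCertificate=true` skips server-certificate validation on the JDBC side. The samples are constructed from the thread's snippets, and the glide property is assumed to behave like the MariaDB Connector/J option of the same name.

```python
"""Audit MariaDB my.cnf TLS sections and ServiceNow glide TLS properties."""
import configparser

# Constructed samples modelled on the thread's snippets, not taken from a live system.
MY_CNF = """
[server]
ssl-ca=/etc/mariadbssl/ca-cert.pem
ssl-cert=/etc/mariadbssl/server-cert.pem
ssl-key=/etc/mariadbssl/server-key.pem

[client]
ssl-cert=/etc/mariadbssl/client-cert.pem
ssl-key=/etc/mariadbssl/client-key.pem
"""

GLIDE_PROPS = """
glide.db.mysql.jdbc.trustServerCertificate=true
glide.db.mysql.jdbc.useSSL=true
"""


def parse_properties(text):
    """Minimal Java-properties reader: key=value lines, '#' or '!' starts a comment."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit(my_cnf, glide_props):
    """Return a list of findings; an empty list means no gap was detected."""
    cfg = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cfg.read_string(my_cnf)
    props = parse_properties(glide_props)
    findings = []
    server = cfg["server"] if cfg.has_section("server") else {}
    for key in ("ssl-ca", "ssl-cert", "ssl-key"):
        if key not in server:
            findings.append(f"server: {key} missing, server cannot offer TLS")
    client = cfg["client"] if cfg.has_section("client") else {}
    if "ssl-ca" not in client:
        findings.append("client: no ssl-ca, mysql client cannot verify the server certificate")
    if props.get("glide.db.mysql.jdbc.useSSL", "false").lower() != "true":
        findings.append("glide: useSSL is not true, app-to-DB traffic stays in clear text")
    if props.get("glide.db.mysql.jdbc.trustServerCertificate", "false").lower() == "true":
        findings.append("glide: trustServerCertificate=true accepts any server certificate")
    return findings
```

Run `audit(MY_CNF, GLIDE_PROPS)` to see the two findings for the thread's configuration; adding `ssl-ca` to `[client]` and setting the trust property to `false` clears them.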