Certificate based authentication for Inbound REST API

Nico Marx
Tera Contributor

Hi Community,

I have a challenge at a client with the following scenario:

We want to connect a system to ServiceNow which pushes data into a table. The current system uses a certificate chain incl. client certificate to authenticate on other systems. I created a Scripted REST API with a POST resource - so far so good. The interface user should authenticate via mutual authentication which I implemented following this doc entry: Mutual Authentication. Both the certificate chain and the client certification are valid. I also matched the client certification to the interface user. But when I now try to use this API I get the HTTP error 401: user not authenticated

{
    "error": {
        "detail": "Required to provide Auth information",
        "message": "User Not Authenticated"
    },
    "status": "failure"
}

I tested this with Postman (stored the client certificate in the "certificates" tab) and set the Authorization to "No Auth" because I want to avoid using username + password. My expectation was that in this case the mutual authentication works and the incoming request incl. certificate will be matched based on the stored certificate chain and certificate + user match.

Any ideas?

Best regards

11 REPLIES

Nico Marx
Tera Contributor

Hi @Kshira,
it depends on your use case. For example, in my case the 3rd party system created the certificates. Usually the certificates will be created as .crt but you can convert them to .cer and .pem with Windows utilities.


For example on Windows with a .crt file:

  1. Open the file with double click
  2. Click on "Details"
  3. Click on "Copy to file"
  4. Follow the wizard to "Export File Format"
  5. Choose "Base-64 encoded X.509 (.CER)"
  6. Give it a name and save it
  7. You can now rename the file to <cert>.pem and accept the warning of changing the format

Congrats, you now have a PEM file which ServiceNow can understand 🙂

It is important to map the user to the client certificate. You do not have to install it at another place.

Best regards,

Nico
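
Added example, not part of the original reply: the rename in step 7 only works because step 5 already wrote Base-64 text; a binary (DER) .crt renamed to .pem is still binary. The Python sketch below checks the file content instead of the extension and normalizes DER, PEM with Windows line endings, or a PEM chain to clean PEM. The function names and the sample bytes are constructed for illustration.

```python
import base64
import re

HEADER = "-----BEGIN CERTIFICATE-----"
FOOTER = "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)

# Constructed sample: a well-formed DER SEQUENCE (132 content bytes),
# NOT a real certificate. It only exercises the encoding logic.
SAMPLE_DER = b"\x30\x81\x84" + b"\x02\x01\x01" * 44


def is_complete_der(data: bytes) -> bool:
    """True if data is exactly one ASN.1 SEQUENCE with no missing or extra bytes."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short form: length fits in one byte
        header, length = 2, first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)


def armor(der: bytes) -> str:
    """Wrap DER bytes as PEM: Base-64 in 64-character lines between the markers."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return HEADER + "\n" + "\n".join(lines) + "\n" + FOOTER + "\n"


def to_pem(data: bytes) -> str:
    """Return normalized PEM for DER input, PEM input, or a PEM chain."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        # b.split() drops CR/LF and spaces; validate=True rejects stray characters.
        ders = [base64.b64decode(b"".join(b.split()), validate=True) for b in blocks]
    else:
        ders = [data]
    if not all(is_complete_der(d) for d in ders):
        raise ValueError("input is neither PEM nor a complete DER certificate")
    return "".join(armor(d) for d in ders)


if __name__ == "__main__":
    print(to_pem(SAMPLE_DER))
```
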

Greg75
ServiceNow Employee

"How to configure inbound Certificate Based Authentication (mutual authentication) in ServiceNow"
This article is meant only for inbound mutual authentication, known officially as Certificate-Based Authentication (CBA). For outbound mutual authentication, please refer to KB0696002.

Please review the ServiceNow knowledge article on Inbound Mutual Auth

ServiceNow does support mutual auth for inbound, contrary to an outdated KB.