Certificate based authentication for Inbound REST API

Nico Marx
Tera Contributor

Hi Community,

I have a challenge at a client with the following scenario:

We want to connect a system to ServiceNow which pushes data into a table. The current system uses a certificate chain incl. client certificate to authenticate on other systems. I created a Scripted REST API with a POST resource - so far so good. The interface user should authenticate via mutual authentication, which I implemented following this doc entry: Mutual Authentication. Both the certificate chain and the client certificate are valid. I also matched the client certificate to the interface user. But when I now try to use this API I get the HTTP error 401: user not authenticated

{
    "error": {
        "detail": "Required to provide Auth information",
        "message": "User Not Authenticated"
    },
    "status": "failure"
}

I tested this with Postman (stored the client certificate in the "Certificates" tab) and set the Authorization to "No Auth" because I want to avoid using username + password. My expectation was that in this case the mutual authentication works and the incoming request incl. certificate will be matched based on the stored certificate chain and the certificate + user match.

Any ideas?

Best regards


Hi Marx,

Thanks for your prompt response. If you don't mind, could you please briefly describe the steps you have configured for inbound mutual auth to make it work?

I greatly appreciate your help 🙂

Hi,

Sure, if I get it correctly your instance is currently on Rome, which is good. A lot of smaller issues are solved with this upgrade. My steps to make this work are the following:

  1. Create an HI ticket to enable your instance for inbound mAuth.
  2. Create the root certificate under "Certificate Based Authentication > CA Certificate Chain". The type has to be "CA Cert".
  3. Create the intermediate certificate under "Certificate Based Authentication > CA Certificate Chain"; the type has to be "CA Cert" too.
  4. Create a mapping of client certificate and user under "User to Certificates Mapping".

You can test the solution with Postman. Authentication should be "none", and then add the certificate chain "root + intermediate" + key file. After this I was able to connect to the instance via cert based auth.

Also useful: You can add log statements in this Script Include: MutualAuth. If this Script Include is triggered the hardest work is done.

Hope it helps 🙂

Best regards,

Nico

Thanks, Marx, for being informative and helpful. Can I ask a few other related questions?

We only got a CA cert which I believe is a root and type CA cert. Do I also need an intermediate CA cert, and if yes, can I use the same CA cert for the other record?

Do we need to click on related links to establish anything with a trusted code signing cert in the CA cert record?


Also, in step 4, where we map the user to cert, I don't understand why we need to include it as we would not be passing user details via the postman.

And while testing in postman, we will use the client cert section and upload the client cert, key file and passphrase? I don't get where we will be adding root+intermediate?

Could you please elaborate on the above questions?

I appreciate all your help on this as there is very little/limited information available.

Thank you very much, and have a great day 🙂

 

Postman client cert add section below: [screenshot not available]

Hi gauthamaron,

I am not a certificate expert, but I would say that you need an intermediate certificate. When you have already imported the root certificate, there is no need to use it in another record: 1. ServiceNow already knows this root cert, and 2. you will receive an error message due to duplicate certificate entries.

For my case I did not click on the related link because when you upload the certificate it will land in the queue and as soon as this is established it should be "active".

You have to map the client cert to the user because ServiceNow has to know which user is meant by the requesting certificate. At least I did not see any hint that ServiceNow can work with mAuth without this setting.

During your testing with Postman you just have to insert the client certificate, passphrase or key file, because the magic happens in ServiceNow. Therefore you map the client cert to the user 😉 And sending the root certificate will be the worst case scenario for your security guy 🙂 The root certificate should only be exchanged in a secure way. The combination of root and intermediate cert will be done in ServiceNow as described.

I hope this helps.

Best regards,

Nico

Hi @Nico Marx ,

Your answer is very helpful

Also, could you please elaborate on Step 4: who will generate the client certificate? Is it a 3rd party system? If yes, in which format do we need to request it? If no, then how do we generate this client certificate?

Is it sufficient to map the client certificate to the user record, or do we need to install this client certificate anywhere else on ServiceNow? Or do any configuration steps need to be done on ServiceNow (for e.g. converting the private client certificate to a public client certificate or format conversions)?

It will be very helpful if you answer these questions

Thanks in Advance,

Kshira