How to share a KMF generated AES Key with a third party system for decrypting the REST Response
3 weeks ago
We are using the ServiceNow Key Management Framework (KMF) to encrypt the outbound REST API responses using a symmetric AES key and need the third party system to decrypt the payload.
When an AES key is generated using KMF, what is the recommended or supported way to share that key with an external system?
Any guidance from anyone who has implemented KMF based outbound encryption with external decryption would be greatly appreciated.
Thanks in advance!
3 weeks ago
If the AES key is generated inside KMF, there really isn’t a supported or recommended way to export that key and hand it to a third party. KMF is intentionally designed to keep key material inside the platform, not to act as a key-distribution mechanism.
In practice, teams usually handle this one of two ways:
Best option: generate the AES key outside of ServiceNow (in your own KMS, HSM, or vault), share it with the third party using your normal secure process, and then import that same key into KMF. That way both sides legitimately have the key and KMF is just using it, not owning it exclusively.
More secure design: avoid sharing a long-lived AES key at all. Encrypt the payload with a one-time AES key, then encrypt (wrap) that AES key using the third party’s public key. The third party unwraps the AES key with their private key and decrypts the payload. This avoids key distribution issues entirely.
If you try to share a KMF-generated AES key directly, you’ll be fighting the framework rather than using it as intended.
So the basic answer: don’t export KMF-generated keys. Either bring your own key and import it, or redesign the integration so the third party never needs a shared symmetric key.
@ankitamallah - Please mark as Accepted Solution and Thumbs Up if you find Helpful!!
Tuesday
Hi Matthew, I'm looking for the documentation that explains how to import externally generated keys into ServiceNow, but couldn't find anything. Can you please share the insights to import this key? Thanks!
Tuesday
Hi Buddy,
There actually isn't a single piece of documentation titled "import externally generated keys into ServiceNow", which is why it's hard to find. This is one of those things that's supported, but covered indirectly through Import Sets and Transform Maps.
Basically, importing external keys is done by using Import Sets with coalesce, and optionally mapping to sys_id if that’s really what you need.
My recommended way to think about it:
ServiceNow always generates a sys_id by default.
However, during an import, ServiceNow will accept an externally generated key if you explicitly map it and tell the transform how to use it.
This is controlled through Transform Maps, not a special setting or property.
There are two common patterns customers use:
Recommended approach (most common)
Import the external key into a custom field (for example u_external_id) and mark that field as Coalesce = true in the transform map.
This lets ServiceNow match and update records based on your external key while still managing its own sys_id.
Direct sys_id import (only if you really need it)
If you need ServiceNow records to use the external key as the sys_id itself:
Include a sys_id column in your import data
Map source sys_id → target sys_id
Set Coalesce = true on that mapping
As long as the values are valid 32-character IDs and unique, ServiceNow will use them instead of generating new ones.
The official documentation that explains this behavior is spread across:
Import Set and Transform Map configuration
Coalesce behavior in transform maps
sys_id handling during imports
So while there's no single external key import doc, this approach is fully supported and commonly used for integrations and data migrations.
If you can share what kind of key you're importing (GUID, numeric ID, composite key) and whether it needs to become the sys_id or just a matching key, I can suggest the cleanest setup for your case.
@Fernando Diaz Please mark Thumbs Up if you find Helpful!!
Tuesday
@ankitamallah - I hope I answered your question; if so, please mark the solution Accepted for me. Thanks kindly.
