Encrypt checkbox missing on HR Case form after upgrade from Quebec to San diego

Jyoti Mehta · ‎05-13-2022

Hi Everyone,

we have upgrade our instance from Quebec to San Diego recently and after upgrade Encrypt checkbox for attachment is missing on HR Case form.

we have assigned the role to user but still user is unable to see the checkbox to encrypt the attachment. Before upgrade it was working fine. Encryption plugin is enabled in our system.

Does anyone have solution for this issue ?

Thanks in Advance!

Regards,

Jyoti

Javier C_ · ‎05-13-2022

To have this fully resolved you'll need the following

1) create a support ticket in the Hi Portal (support.servicenow.com) Make it a P2

2) They will tell you the following:

Keep in mind you can not execute step 1 or Step 2. this is something the support team in SN will need to do for you.

We also did a follow up on the encryption check box and we got this response:

3) Then you will need to set up the encryption modules. --Note Make sure you have Elevated Security Rights --- when setting this up. Instructions below:

Hi Javier,

My name is Joy and I am the support engineer within the APJ time zone assigned to assist you with your Case.
I understand that you need the functionality to be able to decide whether to encrypt an attachment, which is useful when attachments need to be shared with end users.

I have reached out to the team and found that in San Diego, Encryption Contexts have essentially been replaced by Encryption Module where if an Encrypted Field Configuration exists for the encryption of attachments, all attachments are automatically encrypted upon upload, the checkbox is no longer supported.

This change in design complies with the encryption standard. We do not revert back to legacy encryption as it is less safe.

With the new Encryption Module, you can use Multiple Encryption Modules, where the agent can have 2 roles (for example R_A and R_B) for 2 different Encryption Module (example EM_C for R_A and EM_D for R_B), while the end user has one role (R_A) and sharing one Encryption Module with the agent (EM_C).
The checked "Encrypt" checkbox would simulate the scenario when the agent uses the (EM_D) to encrypt the attachment, while the unchecked "Encrypt" checkbox would simulate the scenario when the agent uses (EM_C) so the end user would be able to access the attachment as well. Below are specific steps:
1. Create two Encryption Modules.
Encryption Module 1 is for the "snc_internal" role
Encryption Module 2 is for the "itil" role
2. Log in as itil, can select modules while uploading an attachment since this user has both the "snc_internal" and the "itil" roles.
Select the Encryption Module 1 and upload the attachment "Module 1 ITIL.jpg".
Select the Encryption Module 1 and upload the attachment "Module 2 ITIL.jpg".
3. Log in as abel.tuter who only has the "snc_internal" role.
This user can ONLY see the "Module 1 ITIL.jpg" encrypted attachment since it is encrypted by the Encryption Module 1 which is for the "snc_internal" role.
Upload the "Module 1 Abel Tuter.jpg" attachment, it can ONLY be encrypted by Encryption Module 1.
4. User itil can see the "Module 1 Abel Tuter.jpg" encrypted attachment.

Please refer to below for more information:
KB1117354 - How to access to multiple encryption modules when encrypting attachments

Please look at the above and let us know if you have questions and we are happy to assist further.

Kind regards,
Joy Quiwa
Senior Technical Support Engineer, APJ User Experience
ServiceNow | Works For You

4) Make sure you are in constant communication with your Sales Representative and support team... New things will be installed that you may need to be grandfathered.

5)GOOD LUCK! --- ServiceNow support team has advised that this will be fixed on future patches or most likely in the "Tokyo" release

View solution in original post

Community Alums · ‎05-13-2022

Hi @Jyoti Mehta ,

Please refer to this thread : https://community.servicenow.com/community?id=community_question&sys_id=204b8feddb5cdbc01dcaf3231f96...

Mark my answer correct & Helpful, if Applicable.

Thanks,
Sandeep

Jyoti Mehta · ‎05-13-2022

@Sandeep Dutta : Hi, Thanks for your reply! I have tried the solution mention in this link but that did not work for us. Still encrypt checkbox is not visible.

I have updated below script in attachment UI page client script.

if (g_form.getTableName() == 'sn_hr_core_case' && g_user.hasRole('efax_encryption_role')) {
var encryptCheck = gel("encrypt_checkbox");
if (encryptCheck) {
encryptCheck.checked = true;
$('sysparm_encryption_context').value = "303dca7c1bcbbb8042a5206ebd4bcb49";
}

}

Thanks,

Jyoti

Giuliana Martin · ‎05-13-2022

Hi Jyoti,

In San Diego, ServiceNow transitioned from Encryption Contexts to Column Level Encryptions.

We had the same issue. We had to submit a P2 in order for Support to be able to run some jobs to finish the transition to column level encryptions.

After this is complete, then all of the attachments loaded by the role that has the encryption ability will be encrypted automatically. The encrypt checkbox will no longer be available.

Thank you,

Giuliana

Javier C_ · ‎05-13-2022

Jyoti,

Giuliana is correct, A Problem record has been created by Service Now and has been marked as a known issue PRB1573372 - KB1117309 https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1117309

Below please find their details

Description

We have identified a new defect in San Diego that impacts instances if the KMF plugin had not been configured correctly i.e., IA KMF workflow did not run yet or failed. As a result, instances will see issues like severe performance impact.

Any issue with the Key Management Framework can potentially impact other features on the platform which are built upon the Key Management Framework, such as Column Level Encryption. This problem is specific to an issue solely with the Key Management Framework.

When an issue appears, you will see many sys_update_version records have been generated with the name sys_kmf_module_key_policy.  As a result, we will see long-running queries for sys_update_version causing semaphores to be exhausted across the nodes and the instance may be inaccessible. Additionally, the sys_kmf_instance_key and sys_kmf_module_key tables will be empty. These tables are normally populated after an upgrade with the KMF keys.

Some of the symptoms when this issue appears are:

- Performance Issues:

Semaphores are exhausted
High Response time
The instance is slow or not usable

Steps to Reproduce

We cannot reproduce the issue on Demand

To confirm the issue please review the system logs and look for the stack trace:

Encryption in the SecureUserCookie implementation was failing (see attached transaction_log_example.txt)
2022-04-26 01:08:27 (049) Default-thread-16 SYSTEM txid=a4528a9e1b4b SEVERE *** ERROR *** Failed to get IKEK from registry
2022-04-26 01:08:27 (049) Default-thread-16 SYSTEM txid=a4528a9e1b4b SEVERE *** ERROR *** ModuleKeyApiException error while generating key: com.glide.kmf.ModuleKeyApiException: Could not register key: cookie_encryption, Error: com.glide.kmf.AKMFKeyRegistry$KeyRegistryException: Error in key registration for key cookie_encryption : java.lang.RuntimeException: Failed to get IKEK from Instance key registry

Workaround

If an instance is noticed having impacted performance after an upgrade to San Diego, observe for a large number of sys_update_version records being generated for the sys_kmf_module_key_policy record for com_glide_cookie_hmac. If a large number of records are noticed, reach out to technical support.

Related Problem: PRB1573372