JEA with custom certificate

Christian Prob2
Tera Guru

Hi Community,

We are trying to get Discovery set up with JEA. However, we can't get the custom certs generated by/for our internal CA to work.

We started with the suggested start configuration and the self-signed cert, which worked right away. However, when using our own cert it runs, seems to authenticate, but then terminates prematurely with log warning:

Warning
Classification payload is empty. Stopping classification.

In the MID server logs we see more entries with the suggested (SN) configuration, for example 

 Worker-Interactive:MultiProbe-xyz DEBUG: Successfully executed the WinRmQueryCommand on port: 5985, 

while equivalent ones are missing for scenarios with the certs that do not work (Unfortunately there is also no log entry that would explain that - at least not identifiable for me).

Our understanding is that the certs obviously need to be installed on the MID server and on the target.

Then we changed the following line on the instance in JEAUtils.psm1:

($mycert = Get-ChildItem Cert:\LocalMachine\My | Where {$_.Issuer -eq 'CN=jea-disco@servicenow.com' -and $_.Subject -eq 'CN=jea-disco@servicenow.com'})

to match the custom cert and in init.ps1 the following line accordingly.

($mycert = Get-ChildItem Cert:\LocalMachine\My | Where {$_.Issuer -eq 'CN=jea-disco@servicenow.com' -and $_.Subject -eq 'CN=jea-disco@servicenow.com'})

After some peer discussions it was recommended to ensure our custom cert is generated with the option "Microsoft Enhanced RSA and AES Cryptographic Provider" - which we did (by default that was not active in the Windows environment), but no better result with that either.

(Note that we followed: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0782125)

We also created a set of certs with different variations of SHA-1 and SHA-256, which is kind of confusing, as the OOTB cert looks like SHA-1, but in the JEAUtils script it says:

# Code Signing Algorithm
$SNC_HASH_ALGORITHM = "SHA512" 

(Needless to say: I am neither a Windows PowerShell nor a cert expert....)

Happy if anybody has any suggestions!

Thanks,

Christian


pawarsag
Tera Contributor

Hi Christian,

Did you get any resolution on this? We're also facing the exact same issue. Any lead is appreciated!

Regards,

Sagar Pawar

Thomas M_ller2
Tera Contributor

Hi everyone,
I was facing the same problems as Christian. I was, however, able to solve it by changing the CSP of the certificate to "Microsoft Enhanced RSA and AES Cryptographic Provider".

I did this following the resolution instructions in KB1211508 (not the same issue, but it seemed to be related).
But please check with your Security/PKI team whether the certificate and its chain are still in accordance with your internal guidelines and rules.

Hope this helps.

Regards,
Thomas
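An added diagnostic script (not code from this thread, from ServiceNow, or from the KB articles) that runs the same Cert:\LocalMachine\My filter the post quotes from JEAUtils.psm1/init.ps1 and then reports the properties the replies turn on: whether a private key is present, which CSP/KSP holds it, the signature algorithm, and whether the chain builds on the host. The default issuer/subject are the OOTB values from the post and are placeholders for your custom cert; the CNG fallback through RSACertificateExtensions assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later.

```powershell
# Added example: run on the MID server (and target) as an administrator.
# Defaults are the OOTB filter values quoted in the thread; replace them
# with the Issuer/Subject of your own CA-issued cert.
param(
    [string]$Issuer      = 'CN=jea-disco@servicenow.com',   # placeholder
    [string]$Subject     = 'CN=jea-disco@servicenow.com',   # placeholder
    [string]$ExpectedCsp = 'Microsoft Enhanced RSA and AES Cryptographic Provider'
)

# Same selection the JEA scripts perform.
$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -eq $Issuer -and $_.Subject -eq $Subject }

if (-not $certs) {
    Write-Warning "No cert in LocalMachine\My matches Issuer='$Issuer' and Subject='$Subject'."
    return
}

foreach ($cert in $certs) {
    $provider = $null
    if ($cert.HasPrivateKey) {
        # Legacy CAPI keys expose the CSP name here; CNG keys make this null/throw.
        try { $provider = $cert.PrivateKey.CspKeyContainerInfo.ProviderName } catch {}
        if (-not $provider) {
            # CNG (KSP) keys: read the provider via the RSA extension API (.NET 4.6+).
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) { $provider = $rsa.Key.Provider.Provider }
            } catch {}
        }
    }

    # Does the custom CA chain validate on this host (root/intermediates installed)?
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        SigAlg      = $cert.SignatureAlgorithm.FriendlyName
        HasPrivKey  = $cert.HasPrivateKey
        Provider    = $provider
        CspMatches  = ($provider -eq $ExpectedCsp)   # the CSP Thomas had to switch to
        ChainOK     = $chainOk
        ChainErrors = ($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '
    }
}
```

A key held by a CNG KSP (for example "Microsoft Software Key Storage Provider") shows CspMatches = False, which is the condition the thread reports as failing; ChainErrors lists why the chain did not build when ChainOK is False.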