Setting up MID Web Server and mTLS connection

Community Alums

Hi Community,

I need help setting up mTLS for mutual authentication between the MID Server and the ServiceNow instance.

I have gone through a few links in order to achieve this, but no luck yet. I'm asking here to seek advice and guidance on how to move forward.

The links that I have referred to:

1) Setting up mutual authentication

2) Configure a secure MID Web Server extension

3) MID Web Server mTLS Authentication

4) Configure a secure keystore connection for the MID Web Server

 

I have tried to generate the certs and create a JKS keystore in the MID Server. Also, I have set the mid.webserver.truststore.path in the MID Server config file.

My MID Server is still in Basic Authentication. I haven't changed it to the Mutual Authentication type.

When I tried to start the Web Server through the UI, it gives me an error that it cannot find the keystore.

Can anyone help me with this, please?
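One way to pre-check the "cannot find the keystore" symptom described in this post, as an added example that is not part of the original thread and is not ServiceNow tooling: it lists every `mid.webserver.*.path` parameter in a MID Server config file and reports whether the file exists, is readable, and what store format its leading bytes indicate. It assumes the config file stores settings as `<parameter name="..." value="..."/>` elements; `mid.webserver.example.path` is a hypothetical name, and the sample files are constructed.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Leading magic bytes of the two native Java store formats.
MAGIC = {b"\xfe\xed\xfe\xed": "JKS", b"\xce\xce\xce\xce": "JCEKS"}

def store_type(path):
    """Classify a store file by its first bytes."""
    with open(path, "rb") as fh:
        head = fh.read(10)
    if head[:4] in MAGIC:
        return MAGIC[head[:4]]
    if head.startswith(b"-----BEGIN"):
        return "PEM"         # a PEM bundle is not a Java keystore
    if head[:1] == b"\x30":
        return "DER/PKCS12"  # ASN.1 SEQUENCE, e.g. a .p12 file
    return "unknown"

def check_store_paths(config_xml, prefix="mid.webserver."):
    """Return {parameter name: status} for each *.path parameter under prefix."""
    results = {}
    for param in ET.parse(config_xml).getroot().iter("parameter"):
        name, value = param.get("name", ""), param.get("value", "")
        if not (name.startswith(prefix) and name.endswith(".path")):
            continue
        if not os.path.isfile(value):
            results[name] = "missing"
        elif not os.access(value, os.R_OK):
            results[name] = "not readable by this user"
        else:
            results[name] = store_type(value)
    return results

def demo():
    """Constructed sample: one file with a JKS header, one path that does not exist."""
    d = tempfile.mkdtemp()
    jks = os.path.join(d, "trust.jks")
    with open(jks, "wb") as fh:
        fh.write(b"\xfe\xed\xfe\xed\x00\x00\x00\x02")
    cfg = os.path.join(d, "config.xml")
    with open(cfg, "w") as fh:
        fh.write('<parameters>'
                 f'<parameter name="mid.webserver.truststore.path" value="{jks}"/>'
                 f'<parameter name="mid.webserver.example.path" value="{d}/absent.jks"/>'
                 '</parameters>')
    return check_store_paths(cfg)
```

Run it as the account the MID Server service runs under, since a file that is readable by an administrator can still be unreadable to the service.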

 


Maybe I misunderstood. What are you trying to achieve?

If you want to use certificates for the connection between the ServiceNow instance and the MID Server, the above will do exactly that. The certificate will then be used as a form of validating the host and authenticating a user. In this sequence the certs will also be validated against the CA - hence we require you to have a properly signed certificate. Self-signed certs will not work (AFAIK).

If you want to use mTLS from MID to another system, this is currently not supported. It is on our roadmap for a future release. You may check the idea portal for this and either enter or upvote an entry there.

Community Alums

Your understanding is correct. My apologies for the delay in response. I was trying to follow the steps by trial and error at my end.

I have followed the steps by preparing the Java keystore, public key, and PEM bundle certificate.

Unfortunately, after I placed everything in the location, ran

/servicenow/XXXXXX/agent/bin/scripts/install-certificate.sh <PEM bundle path>

and started my MID Server, I received an error in the agent log.

Do you have any clue about this?

I am not an expert on that part either - you may raise a ticket with our support for a better answer.

You can check this KB as it seems somewhat related:

MID Server issues for mTLS (mutual authentication/certificate-based authentication) - Support and Tr...

 

Are you working on a MID Server which used plain authentication before? It seems we do have a known PRB (mentioned above) where changing from plain to certificate-based causes issues. You would need to invalidate the MID Server before switching.