How to enable mTLS for inbound REST APIs in ServiceNow

GeoThomas
Tera Contributor

I was trying to configure mTLS for my ServiceNow inbound REST APIs and followed the steps below:

1. Verify that the Certificate-based authentication plugin (com.glide.auth.mutual) is activated in your instance.
2. Ensure that ADC-to-APP mTLS is enabled for your instance by accessing https://myinstance.service-now.com/adcv2/supports_tls. If it returns "true", proceed to the next step. If it returns "false", include this information in your request.

But even after this, my API is returning the response even if I don't pass my certificate. Can someone help me with the steps to make sure that the APIs don't return data if the certificate is not passed? I have basic authentication, but need mTLS on top of it.

I have also created a Group Filter Criteria (adding the user to a group which has access to the API via basic auth), added this Filter Criteria to an Authentication Policy, added this policy to a standard authentication profile of the type Certificate Based Auth, and created a REST API Access Policy where I selected the required API and added the Authentication Profile to this policy.

 

4 REPLIES

yad_achyut
Giga Guru

@GeoThomas: Steps to Enable MTLS for Inbound REST APIs

1. Obtain and Configure Certificates

  1. Obtain a Server Certificate:
    • Ensure your ServiceNow instance has a valid SSL/TLS certificate installed. This is typically managed by ServiceNow for production instances with subdomains (e.g., instance.service-now.com).
  2. Obtain Client Certificates:
    • Clients consuming your REST APIs must have their client certificates signed by a trusted Certificate Authority (CA).

 

2. Enable Mutual Authentication

  1. Navigate to System Web Services > Inbound > Mutual Authentication.
  2. Click New to create a new mutual authentication configuration.
  3. Configure the following fields:
    • Name: Provide a descriptive name (e.g., "Inbound REST MTLS").
    • Certificate Issuer: Add the CA or intermediate certificate that signed the client certificates.
    • Enabled: Ensure this option is checked.
  4. Save the record.

 

3. Bind Mutual Authentication to REST APIs

  1. Navigate to System Web Services > REST API Explorer or directly configure the API endpoint.
  2. Open the specific REST API or service endpoint for which you want to enforce MTLS.
  3. In the Security section:
    • Set the Requires Mutual Authentication field to True.

 

4. Test and Validate MTLS

  1. Client Configuration:
    • The client consuming the API must provide a valid client certificate during the HTTPS handshake.
    • Ensure the client certificate is signed by a CA listed in the mutual authentication configuration.
  2. Use Tools:
    • Use tools like Postman,

We are not able to get the System Web Services > Inbound > Mutual Authentication options.
Can you please share the path for the same?

Randheer Singh
ServiceNow Employee

Hi @GeoThomas ,

You can follow the steps provided in this KB.

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0993615

 

Thanks,

Randheer

Hi @Randheer Singh 

I followed the same steps, but the problem I face is that my API returns a response both with and without a certificate passed. I am trying to enforce the certificate in the request. The API should fail if the right certificate is not passed.
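
A way to check the symptom described in this thread (data returned whether or not a certificate is sent), as an added example that is not part of the original posts or ServiceNow's own tooling. It sends the same basic-auth request with no certificate, with an untrusted certificate and with the trusted one, and reports non-enforcement if anything other than the trusted certificate gets a 2xx. The API path, user name and PEM file names are placeholders to replace with your own.

```python
import base64
import ssl
import urllib.error
import urllib.request

NO_HTTP = "no-http-response"  # TLS handshake or connection failed before any HTTP status


def probe(url, user, password, cert=None, key=None, timeout=10):
    """Send one GET with basic auth; present a client certificate only if given."""
    ctx = ssl.create_default_context()
    if cert:
        ctx.load_cert_chain(certfile=cert, keyfile=key)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, headers={"Authorization": "Basic " + token, "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 401/403 etc. still carry a status
        return err.code
    except OSError:  # URLError, ssl.SSLError and timeouts are all OSError subclasses
        return NO_HTTP


def accepted(status):
    """True only when the server actually answered with a 2xx."""
    return isinstance(status, int) and 200 <= status < 300


def evaluate(results):
    """results maps 'no_cert', 'untrusted_cert', 'trusted_cert' to probe() outcomes."""
    if not accepted(results["trusted_cert"]):
        return "INCONCLUSIVE: trusted certificate did not get a 2xx; fix the positive path first"
    leaks = [k for k in ("no_cert", "untrusted_cert") if accepted(results[k])]
    if leaks:
        return "NOT ENFORCED: data returned for " + ", ".join(leaks)
    return "ENFORCED"


if __name__ == "__main__":
    # Placeholders (assumptions): substitute your own API path, test user and PEM files.
    url = "https://myinstance.service-now.com/api/<your_api_path>"
    user, pw = "api.test.user", "<password>"
    results = {
        "no_cert": probe(url, user, pw),
        "untrusted_cert": probe(url, user, pw, "selfsigned.pem", "selfsigned.key"),
        "trusted_cert": probe(url, user, pw, "client.pem", "client.key"),
    }
    print(results, evaluate(results))
```

Whether a rejected request fails during the TLS handshake or with an HTTP 401/403 depends on where the certificate check is applied, so the script counts both as a rejection.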