
How to enable mTLS for inbound REST APIs in ServiceNow

GeoThomas
Tera Contributor

I was trying to configure mTLS for my ServiceNow inbound REST APIs and followed the steps below:

1. Verify that the Certificate-based authentication plugin (com.glide.auth.mutual) is activated in your instance.
2. Ensure that ADC-to-APP mTLS is enabled for your instance by accessing https://myinstance.service-now.com/adcv2/supports_tls. If it returns "true", proceed to the next step. If it returns "false", include this information in your request.

But even after this, my API is returning the response even if I don't pass my certificate. Can someone help me with the steps to make sure that the APIs don't return data if the certificate is not passed? I have basic authentication, but need mTLS on top of it.

I have also created a Group Filter Criteria (adding the user to a group which has access to the API via basic auth), added this Filter Criteria to an Authentication Policy, added this policy to a standard authentication profile of the type Certificate Based Auth, and created a REST API Access Policy where I selected the required API and added the Authentication Profile to this policy.

5 REPLIES

yad_achyut
Giga Guru

@GeoThomas: Steps to Enable MTLS for Inbound REST APIs

1. Obtain and Configure Certificates

  1. Obtain a Server Certificate:
    • Ensure your ServiceNow instance has a valid SSL/TLS certificate installed. This is typically managed by ServiceNow for production instances with subdomains (e.g., instance.service-now.com).
  2. Obtain Client Certificates:
    • Clients consuming your REST APIs must have their client certificates signed by a trusted Certificate Authority (CA).

 

2. Enable Mutual Authentication

  1. Navigate to System Web Services > Inbound > Mutual Authentication.
  2. Click New to create a new mutual authentication configuration.
  3. Configure the following fields:
    • Name: Provide a descriptive name (e.g., "Inbound REST MTLS").
    • Certificate Issuer: Add the CA or intermediate certificate that signed the client certificates.
    • Enabled: Ensure this option is checked.
  4. Save the record.

 

3. Bind Mutual Authentication to REST APIs

  1. Navigate to System Web Services > REST API Explorer or directly configure the API endpoint.
  2. Open the specific REST API or service endpoint for which you want to enforce MTLS.
  3. In the Security section:
    • Set the Requires Mutual Authentication field to True.

 

4. Test and Validate MTLS

  1. Client Configuration:
    • The client consuming the API must provide a valid client certificate during the HTTPS handshake.
    • Ensure the client certificate is signed by a CA listed in the mutual authentication configuration.
  2. Use Tools:
    • Use tools like Postman,

We are not able to get the System Web Services > Inbound > Mutual Authentication options.
Can you please share the path for the same?

Randheer Singh
ServiceNow Employee

Hi @GeoThomas ,

You can follow the steps provided in this KB.

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0993615

 

Thanks,

Randheer

Hi @Randheer Singh

I followed the same steps, but the problem I face is that my API returns a response both without and with a certificate passed. I am trying to enforce the certificate in the request. The API should fail if the right certificate is not passed.
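
A way to check the behaviour discussed in this thread, as an added example that is not part of any post above and not ServiceNow code: send the same basic-auth request with and without the client certificate and compare the outcomes. The host, path, credentials and certificate file names are placeholders, and treating a 401/403 or a failed connection as "rejected" is an assumption about how enforcement surfaces.

```python
import base64
import http.client
import ssl


def probe(host, path, user, password, cert=None, key=None, timeout=10):
    """One GET with basic auth; a client certificate is attached only if given.

    Returns ("http", status_code) or ("conn_error", reason).
    """
    ctx = ssl.create_default_context()
    if cert:
        ctx.load_cert_chain(certfile=cert, keyfile=key)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Accept": "application/json"}
    conn = http.client.HTTPSConnection(host, context=ctx, timeout=timeout)
    try:
        conn.request("GET", path, headers=headers)
        return ("http", conn.getresponse().status)
    except (OSError, http.client.HTTPException) as exc:
        # A server that demands a certificate may abort the handshake or
        # drop the connection instead of answering over HTTP.
        return ("conn_error", str(exc))
    finally:
        conn.close()


def rejected(result):
    """Assumption: enforcement shows up as 401/403 or a failed connection."""
    kind, detail = result
    return kind == "conn_error" or detail in (401, 403)


def verdict(with_cert, without_cert):
    """Compare the same request sent with and without the client certificate."""
    kind, detail = with_cert
    if not (kind == "http" and 200 <= detail < 300):
        return "inconclusive: request with certificate did not succeed"
    if rejected(without_cert):
        return "enforced"
    return "not enforced: same credentials work without a certificate"


if __name__ == "__main__":
    # Constructed results; a live run would pass two probe() calls instead,
    # e.g. probe(HOST, PATH, USER, PW, "client.pem", "client.key").
    print(verdict(("http", 200), ("http", 200)))   # symptom from the thread
    print(verdict(("http", 200), ("http", 401)))
    print(verdict(("http", 200), ("conn_error", "handshake failure")))
```

Running the two probes after each configuration change shows whether the change actually made the certificate mandatory or only added it as an accepted alternative to basic auth.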