How to enable mTLS for inbound REST APIs in ServiceNow
‎01-23-2025 02:32 PM - edited ‎01-24-2025 02:03 PM
I was trying to configure mTLS for my ServiceNow inbound REST APIs and followed the steps below:
- Verify that the Certificate-based authentication plugin (com.glide.auth.mutual) is activated in your instance.
- Ensure that ADC-to-APP mTLS is enabled for your instance by accessing https://myinstance.service-now.com/adcv2/supports_tls. If it returns "true", proceed to the next step. If it returns "false", include this information in your request.

But even after this, my API returns a response even if I don't pass my certificate. Can someone help me with the steps to make sure that the APIs don't return data if the certificate is not passed? I have basic authentication, but need mTLS on top of it.

I have also created a Group Filter Criteria (adding the user to a group which has access to the API via basic auth), added this Filter Criteria to an Authentication Policy, added this policy to a standard authentication profile of the type Certificate Based Auth, and created a REST API Access Policy where I selected the required API and added the Authentication Profile to this policy.
‎01-24-2025 02:10 AM
@GeoThomas: Steps to Enable MTLS for Inbound REST APIs

1. Obtain and Configure Certificates
- Obtain a Server Certificate:
  - Ensure your ServiceNow instance has a valid SSL/TLS certificate installed. This is typically managed by ServiceNow for production instances with subdomains (e.g., instance.service-now.com).
- Obtain Client Certificates:
  - Clients consuming your REST APIs must have their client certificates signed by a trusted Certificate Authority (CA).

2. Enable Mutual Authentication
- Navigate to System Web Services > Inbound > Mutual Authentication.
- Click New to create a new mutual authentication configuration.
- Configure the following fields:
  - Name: Provide a descriptive name (e.g., "Inbound REST MTLS").
  - Certificate Issuer: Add the CA or intermediate certificate that signed the client certificates.
  - Enabled: Ensure this option is checked.
- Save the record.

3. Bind Mutual Authentication to REST APIs
- Navigate to System Web Services > REST API Explorer or directly configure the API endpoint.
- Open the specific REST API or service endpoint for which you want to enforce MTLS.
- In the Security section:
  - Set the Requires Mutual Authentication field to True.

4. Test and Validate MTLS
- Client Configuration:
  - The client consuming the API must provide a valid client certificate during the HTTPS handshake.
  - Ensure the client certificate is signed by a CA listed in the mutual authentication configuration.
- Use Tools:
  - Use tools like Postman,
‎05-14-2025 01:43 AM
We are not able to get the System Web Services > Inbound > Mutual Authentication options.
Can you please share the path for the same?

‎01-24-2025 05:27 AM
Hi @GeoThomas ,
You can follow the steps provided in this KB.
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0993615
Thanks,
Randheer
‎01-24-2025 06:02 AM
I followed the same steps, but the problem I face is that my API returns a response both with and without a certificate passed. I am trying to enforce the certificate in the request. The API should fail if the right certificate is not passed.
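
The check the original poster describes (the same request sent with and without a client certificate) can be scripted. The following is an added example, not part of any post in this thread. The URL, credentials and certificate file names are placeholders, and treating a failed handshake (curl status 000) or HTTP 401/403 as a rejection is an assumption, since the thread does not say how the instance responds when the certificate is missing.

```shell
#!/bin/sh
# Added example: verify that an inbound REST endpoint refuses requests that
# carry valid basic-auth credentials but no client certificate.
# All arguments (URL, credentials, certificate files) are caller-supplied.

# classify_mtls NO_CERT_STATUS WITH_CERT_STATUS
# Each status is the HTTP code reported by curl; 000 means no HTTP response
# was received at all (for example, the TLS handshake was refused).
classify_mtls() {
    no_cert=$1
    with_cert=$2
    case "$with_cert" in
        2??) ;;                                # baseline request works
        *) echo "INCONCLUSIVE"; return 0 ;;    # cert or credentials rejected
    esac
    case "$no_cert" in
        2??) echo "NOT_ENFORCED" ;;            # data returned without a cert
        000|401|403) echo "ENFORCED" ;;        # assumed rejection signals
        *) echo "INCONCLUSIVE" ;;
    esac
}

# probe URL [extra curl args...]  -> prints only the HTTP status code
probe() {
    url=$1; shift
    curl -s -o /dev/null -w '%{http_code}' --max-time 20 "$@" "$url" || true
}

# check_endpoint URL USER:PASS CLIENT_CERT CLIENT_KEY
check_endpoint() {
    url=$1; creds=$2; cert=$3; key=$4
    without=$(probe "$url" -u "$creds")
    with=$(probe "$url" -u "$creds" --cert "$cert" --key "$key")
    verdict=$(classify_mtls "$without" "$with")
    echo "no cert: $without, with cert: $with -> $verdict"
    [ "$verdict" = "ENFORCED" ]                # non-zero exit for CI use
}

# Runs only when called with four arguments, e.g.:
#   sh mtls_check.sh "https://myinstance.service-now.com/<api-path>" \
#       "user:password" client.pem client.key
if [ "$#" -eq 4 ]; then
    check_endpoint "$@"
fi
```

A `NOT_ENFORCED` verdict reproduces the symptom reported in this thread: basic authentication alone is enough to get data back.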