on 09-13-2022 10:13 PM
Up to the current release (Tokyo) it is not possible to invoke an external web service with certificate-based mutual authentication (mTLS) from a mid server. This is a workaround for scenarios where web services are not reachable directly from a ServiceNow instance (so they must be invoked from a mid server) but require mTLS.
The idea is to deploy an Nginx-based reverse proxy on the mid server machine, configured to listen for HTTP requests on localhost and proxy them to the target endpoint after performing certificate-based mTLS authentication.
A statically linked Nginx binary (https://github.com/jirutka/nginx-binaries/tree/binaries) is deployed as a script payload; the configuration and certificates are created on the fly, and the process runs in the context of the mid server environment.
WARNING: attached update sets are provided as an example and are intended for demonstration purpose. Please review, evaluate and properly finalise. In addition, this example is intended for mid server deployed on a 64bit Linux host.
After committing the update set you will find the script folder mtls-proxy in the mid server script files, containing 2 items: the Nginx static binary for Linux and a shell script.
Edit mtls-tunnel.sh to change the listening port and target host (the default points to a public site for testing mTLS, which returns the details of the certificate presented):
Relevant parameters are:
- LISTEN (address and port where Nginx will accept http requests)
- TARGET (destination URL where Nginx will forward requests after performing mTLS authentication)
You should also replace the block containing the certificate and private key used for mTLS authentication. The section starts with -----BEGIN CERTIFICATE----- and ends with -----END PRIVATE KEY-----
[...]
Script mtls-tunnel.sh does the following:
- Kills any previously launched instances of Nginx
- Cleans the previous configuration and certificate files
- Generates a new certificate file from the certificate block
- Generates a new configuration file from the configuration block
- Runs the Nginx binary deployed as script payload
- Returns the result of a process listing as output
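The following is an added example, not the post's own mtls-tunnel.sh, showing how the LISTEN/TARGET parameters and the certificate block above turn into an Nginx configuration for a localhost-to-mTLS proxy. The work directory (WORKDIR), the placeholder PEM contents and the optional CA_FILE variable are assumptions; the post's script does not mention them. It differs from the described script in three places a reviewer would look at: the client key is written to a file readable only by the mid server user, the previous instance is stopped through its pid file rather than by matching process names, and, when a CA bundle is supplied, Nginx verifies the upstream server's certificate (without proxy_ssl_verify it does not check the server at all).

```shell
#!/bin/sh
# Added example (not the post's mtls-tunnel.sh): render the nginx.conf for a
# localhost -> mTLS upstream proxy from LISTEN and TARGET. WORKDIR, the
# placeholder PEM and the optional CA bundle are assumptions of this example.
set -eu

LISTEN="${LISTEN:-127.0.0.1:18080}"
TARGET="${TARGET:-https://certauth.idrix.fr/}"
WORKDIR="${WORKDIR:-${TMPDIR:-/tmp}/mtls-proxy-example}"

# Write the client certificate + private key block to a file that only the
# user running the mid server can read (the key is a secret, not script text).
write_client_cert() {
    mkdir -p "$WORKDIR"
    umask 077
    cat > "$WORKDIR/client.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
(placeholder: paste the client certificate here)
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
(placeholder: paste the matching private key here)
-----END PRIVATE KEY-----
EOF
    chmod 600 "$WORKDIR/client.pem"
    printf '%s\n' "$WORKDIR/client.pem"
}

# Stop an earlier instance through its pid file instead of pattern-killing
# every process whose command line contains "nginx".
stop_previous() {
    if [ -f "$WORKDIR/nginx.pid" ]; then
        kill "$(cat "$WORKDIR/nginx.pid")" 2>/dev/null || true
        rm -f "$WORKDIR/nginx.pid"
    fi
}

# Print an nginx.conf: $1 listen address, $2 target URL, $3 client PEM,
# $4 (optional) CA bundle used to verify the upstream server certificate.
render_nginx_conf() {
    listen="$1"; target="$2"; certfile="$3"; cafile="${4:-}"
    # Upstream host name (scheme, path and port stripped) for SNI and Host header
    host="${target#*://}"; host="${host%%/*}"; host="${host%%:*}"
    cat <<EOF
worker_processes 1;
pid $WORKDIR/nginx.pid;
error_log $WORKDIR/error.log warn;
events { worker_connections 64; }
http {
    access_log off;
    server {
        listen $listen;
        location / {
            proxy_pass $target;
            proxy_set_header Host $host;
            proxy_ssl_server_name on;
            proxy_ssl_name $host;
            proxy_ssl_protocols TLSv1.2 TLSv1.3;
            proxy_ssl_certificate $certfile;
            proxy_ssl_certificate_key $certfile;
EOF
    # Without a trusted CA bundle nginx does not verify the upstream certificate.
    if [ -n "$cafile" ]; then
        cat <<EOF
            proxy_ssl_trusted_certificate $cafile;
            proxy_ssl_verify on;
            proxy_ssl_verify_depth 2;
EOF
    fi
    cat <<'EOF'
        }
    }
}
EOF
}

# Running this file stops any previous instance and writes the placeholder PEM
# and the rendered config; start the bundled binary afterwards with
#   <nginx-binary> -c "$WORKDIR/nginx.conf"
stop_previous
CERT_FILE=$(write_client_cert)
render_nginx_conf "$LISTEN" "$TARGET" "$CERT_FILE" "${CA_FILE:-}" > "$WORKDIR/nginx.conf"
```

The two verification directions are independent: proxy_ssl_certificate is what the target server checks, while proxy_ssl_trusted_certificate/proxy_ssl_verify is what this proxy checks about the target. The test site used in the post reports SSL_CLIENT_VERIFY as FAILED for a self-signed certificate yet still answers, because it only echoes the certificate; a production endpoint will expect the client certificate to be issued by a CA it trusts.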
*********************************
To execute the script, create an ECC Queue entry. Example:
Agent: mid.server.<your_mid_server_name>
Topic: Command
Name: . scripts//mtls-proxy/mtls-tunnel.sh
Queue: output
State: ready
Payload: <?xml version="1.0" encoding="UTF-8"?><parameters><parameter name="skip_sensor" value="true"/></parameters>
If successful you will see the running process as output:
<?xml version="1.0" encoding="UTF-8"?><results probe_time="5141"><result command=". scripts//mtls-proxy/mtls-tunnel.sh"><stdout>
ubuntu 199295 0.0 0.0 5000 888 ? Ss 19:39 0:00 nginx: master process /opt/servicenow/mid/agent/scripts/mtls-proxy/nginx-1.22.0-x86_64-linux -c /opt/servicenow/mid/agent/work/nginx.conf
ubuntu 199300 0.0 0.2 7020 2004 ? S 19:39 0:00 grep nginx-1.22.0-x86_64-linux
</stdout><stderr/></result>
*********************************
To test the mTLS proxy, create a REST Message that submits an http request to the address and port specified in LISTEN. The request will be forwarded to the TARGET.
In the provided example, the REST message test-nginx-mtls-proxy sends a GET request to http://127.0.0.1:18080/, which is forwarded to https://certauth.idrix.fr/ with mTLS authentication. Remember to specify the correct mid server to use.
The service responds with details of the certificate used for mTLS authentication:
<html>
<head>
<title>TLS Client Authentication Test</title>
<style type="text/css">
SPAN.sslsuccess {font-weight: bolder; color : green}
SPAN.sslerror {font-weight: bolder; color : red}
</style>
</head>
<br><span class="sslsuccess">TLSv1.2 Authentication OK!</span><br><br>Technical information follows :<pre>Array
(
[LANG] => C.UTF-8
[INVOCATION_ID] => d79760fd110c41d99f287b0aa17a9cca
[HTTP_USER_AGENT] => Jakarta Commons-HttpClient/3.1
[HTTP_CONNECTION] => close
[HTTP_HOST] => certauth.idrix.fr
[SSL_CLIENT_I_DN] => emailAddress=antonio.rizzi@servicenow.com,CN=mtls-test,OU=Solution Consulting,O=ServiceNow,L=Rome,ST=RM,C=IT
[SSL_CLIENT_S_DN] => emailAddress=antonio.rizzi@servicenow.com,CN=mtls-test,OU=Solution Consulting,O=ServiceNow,L=Rome,ST=RM,C=IT
[SSL_CLIENT_VERIFY] => FAILED:self signed certificate
[SSL_CLIENT_V_END] => Sep 9 20:59:15 2032 GMT
[SSL_CLIENT_V_START] => Sep 12 20:59:15 2022 GMT
[SSL_CLIENT_SERIAL] => FBBD72E515511359
[SSL_CLIENT_FINGERPRINT] => 08f85955ed0675b40ffa457348732a887c5b0fe3
[SSL_SERVER_NAME] => certauth.idrix.fr
[SSL_CIPHER] => ECDHE-RSA-AES256-GCM-SHA384
[SSL_PROTOCOL] => TLSv1.2
[HTTPS] => on
[PATH_INFO] =>
[SERVER_NAME] => certauth.idrix.fr
[SERVER_PORT] => 443
[SERVER_ADDR] => 54.36.191.227
[REMOTE_PORT] => 58624
[REMOTE_ADDR] => 15.160.211.71
[SERVER_PROTOCOL] => HTTP/1.0
[DOCUMENT_URI] => /index.php
[REQUEST_URI] => /
[CONTENT_LENGTH] =>
[CONTENT_TYPE] =>
[REQUEST_METHOD] => GET
[QUERY_STRING] =>
[REQUEST_TIME_FLOAT] => 1663098748.6285
[REQUEST_TIME] => 1663098748
)
</pre><br><a href="index2.php">Load second page</a>
</body>
</html>
Interesting approach but unfortunately all images are broken!
Thanks for pointing out. Reloaded images. Try now.
Cheers!
And Kudos for your fantastic resource pages.

Super helpful Antonio!
All customers require secure connections between mid server and target systems.