How to Implement DB encryption using CCS with On Prem Fortanix ?

Community Alums · ‎04-20-2023

Dear ServiceNow Community,

This is related to implementing DB Encryption (DBE) with Customer Controlled Switch (CCS) using On Prem Fortanix Data Security Manager (DSM).

As per the understanding shared in 2 knowledge base articles, CCS gateway is a capability inside ServiceNow and is a proxy for DB Instance.

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0993681

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0789788

Environment:

- ServiceNow is On Cloud

- Fortanix DSM (Data Security Manager) is On Prem

- Private Tunnel is there between ServiceNow and On Prem with dedicated bandwidth and faster connectivity

- This is an outbound request (from Customer ServiceNow Instance (OnCloud) to On Prem Fortanix Data Security Manager (DSM))

- This call needs to pass through Private Tunnel ECX (ECX is a private dedicated tunnel for connectivity between Customer ServiceNow Instance (OnCloud) to Customer On Prem Environment)

Considering this, please help to answer the below question:

Question : What are the alternatives to implement DBE-CCS (Database Encryption using Customer Controlled Switch) in ServiceNow:

1. How can the CCS Gateway inside ServiceNow call the Full URL rather than the Small URL and pass the X-DB certificate as part of the payload to the Fortanix On Prem instance?

2. If CCS Gateway cannot do, what is the alternative solution?

Example of URLs:

- Small URL : https://{your custom domain name}/kek/{Instance}/{Version}

- Small URL Example: https://pkidsm.domain.com/kek/{servicenow}/v1)

- Full URL : https://pkidsm.domain.com/sys/v1/plugins/invoke/PLUGIN_ID/kek/{instance}/{version}

- Full URL Example: https://pkidsm.domain.com/sys/v1/plugins/invoke/PLUGIN_ID/kek/{servicenow}/v1)

Request you to review and share your inputs at the earliest.

Thanks in advance for your help and support!