Set up a secure connection to the Hermes Messaging Service

  • Release version: Australia
  • Updated: March 12, 2026
  • Time required: 6 minutes
  • Secure your Kafka topics by generating a ServiceNow® instance-signed certificate.

    Before you begin

    Setting up the Hermes Messaging Service requires coordination with your network administrator and with your Kafka administrator. Work with your network administrator to obtain required security certificates and open the required ports. Work with your Kafka administrator to ensure that your Kafka environment is configured correctly and that your applications can connect to the Hermes Messaging Service using the standard Kafka protocol.

    Make sure the following setup is in place:

    • The Hermes Messaging Service is activated. See Activating the Hermes Messaging Service.
    • The Key Management Framework plugin (com.glide.kmf.global) is activated.
    • The Certificates [sys_kmf_certificate] table contains a ServiceNow instance root CA certificate.
    • The instance isn't configured with a Custom URL. Custom URLs are not supported with the Instance PKI Certificate Generator.

    Role required: hermes_admin, sn_kmf.cryptographic_manager, or admin

    For details on assigning KMF roles, see Roles installed with Key Management Framework.

    Procedure

    1. Navigate to All > Certificate Generator > Instance PKI Certificate Generator.
    2. Optional: Control access to topics by configuring Access Control Lists (ACLs) at the namespace or topic level.
      Option | Description
      Apply ACLs to namespaces
      1. Select Configure ACLs.
      2. In the Topic ACLs dialog box, select Namespaces.
      3. Enter a namespace that you want to configure.
      4. Set the permission level by selecting either Read Only or Read/Write.
      5. Select Add.
      Apply ACLs to defined topics
      1. Select Configure ACLs.
      2. In the Topic ACLs dialog box, select Defined topics.
      3. Enter an existing topic that you want to configure.
      4. Set the permission level by selecting either Read Only or Read/Write.
      5. Select Add.
      The bearer of the certificate is granted read or read/write access to the topics in the namespace or the existing topic that you selected.
    3. Set up security for the Hermes Messaging Service.
      1. Navigate back to the Instance PKI Certificate Generator page.
      2. Enter a keystore password in the Certificate Password field.
      3. Select Generate.
      The system generates an instance-signed certificate in the Certificates [sys_kmf_certificate] table, creates a keystore, and creates a truststore.

      If Restricted Caller Access isn't allowed for the IPKI Certificate Generator, a cross scope access error appears. Contact Customer Service and Support for assistance with allowing Restricted Caller Access. To resolve this issue, Customer Service and Support can reference source_scope=76f9d51369115083f4ea77aab1677cc0 in the Restricted Caller Access Privileges [sys_restricted_caller_access] table.

    4. Save a copy of the keystore by selecting Download Keystore.
    5. Save a copy of the truststore by selecting Download Truststore.
    6. Copy the keystore and truststore files to each producer and consumer client that will connect to the Hermes Messaging Service.
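
One way to handle step 6 on each client host, as an added example that is not ServiceNow's own code: because the bearer of the certificate is granted the topic access set in the ACLs, the script refuses to proceed unless the copied keystore is readable by its owner only, then writes a client properties file using the standard Apache Kafka TLS settings. The file paths, the bootstrap address, and the use of one password (`STORE_PASSWORD`, a hypothetical variable name) for both stores are assumptions.

```shell
#!/bin/sh
# Added example (not ServiceNow code). Paths, the bootstrap address and the
# single STORE_PASSWORD for both stores are assumptions or placeholders.

# True only if $1 is a regular file with no group/other permission bits.
# The keystore holds the client private key, and the topic ACLs follow it.
store_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ldL "$1" | cut -c5-10)   # group+other columns of the mode
    [ "$perms" = "------" ]
}

# Usage: STORE_PASSWORD=... write_client_properties KEYSTORE TRUSTSTORE HOST:PORT OUT
# The password comes from the environment so it stays out of the argument list.
write_client_properties() {
    keystore=$1; truststore=$2; bootstrap=$3; out=$4
    store_is_private "$keystore" || {
        echo "refusing: $keystore is missing or group/world accessible" >&2
        return 1
    }
    [ -f "$truststore" ] || { echo "refusing: $truststore not found" >&2; return 1; }
    [ -n "${STORE_PASSWORD:-}" ] || { echo "refusing: STORE_PASSWORD unset" >&2; return 1; }
    # Standard Apache Kafka client TLS settings; the file embeds the password,
    # so create it owner-only.
    ( umask 077; cat > "$out" ) <<EOF
bootstrap.servers=$bootstrap
security.protocol=SSL
ssl.keystore.location=$keystore
ssl.keystore.password=$STORE_PASSWORD
ssl.truststore.location=$truststore
ssl.truststore.password=$STORE_PASSWORD
EOF
    chmod 600 "$out"
}
```

The store type is left at the Kafka client default; set `ssl.keystore.type` and `ssl.truststore.type` if the downloaded files use a different format.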

    Result

    You can now create a secure connection to the Hermes Messaging Service.

    Note:
    You must use the keystore that you generated using the Instance PKI Certificate Generator to connect to Hermes. Custom-generated keystores that aren't created according to the ServiceNow documentation aren't supported.

    What to do next