Configure the OAuth authentication method production instance

  • Release version: Australia
  • Updated May 29, 2026
  • Export OAuth records from the development instance, import them into the production instance, correct Key Management Framework (KMF) credential encryption, and configure development-to-production authentication so that both instances can validate their connections to each other.

    About this task

    After the development instance is validated (see Configure the OAuth authentication method development instance), the production instance must be able to communicate with development, and development must be able to communicate with production. This requires two rounds of record export and import, one in each direction, with KMF credential correction performed after each import.

    Important:
    When OAuth records are imported into a new instance, KMF re-encrypts password fields using the receiving instance's cryptographic key. The stored values will appear jumbled and must be manually overwritten with the correct password before the connection can be validated.

    Before you begin

    • Complete Configure the OAuth authentication method development instance on the development instance and confirm that the development connection validates successfully.
    • The integration user account must already exist on the production instance with the sn_se.scan_engine_admin and sn_se.internal_rest_integration roles assigned. See Create an integration user account.
    • Have the integration account password available in a text editor. You will paste it multiple times during this procedure.
    • Role required: Scan Engine Admin (sn_se.scan_engine_admin).

    Procedure

    Stage 1 — Export OAuth records from the development instance
    1. On the development instance, navigate to All > Scan Engine > My SN Instances and open the development instance record.
    2. Select and hold (or right-click) the form header of the MySN instance record and select Export > XML.
    3. Save the file to a local folder (for example, SE_Data).
    4. From the MySN instance record, drill into the OAuth User Profile field, open the linked record, and export it as XML.
    5. Navigate to All > System OAuth > Application Registry and filter the list to show only records scoped to Scan Engine.

      Application registry filtering Scan Engine scope.

      Two records should be present: OAuth Client Dev and OAuth Provider Dev.

    6. Select both records and export them together as XML.
    7. Open the OAuth Provider Dev record and locate the auto-generated OAuth entity profile record linked at the bottom of the form.
      OAuth Entity profile for OAuth Provider-Dev.
    8. Open the OAuth entity profile record and export it as XML.
      You should now have four XML files in your export folder:
      • MySN instance record
      • OAuth user profile
      • Two application registry records (OAuth Client Dev and OAuth Provider Dev)
      • OAuth entity profile record
    Stage 2 — Prepare Key Management Framework access on the production instance
    1. Log in to the production instance.
    2. In the Navigator, type key and open Key Management Administration.
    3. Add your user account to the selected users list and save.
      The role sn_kmf.admin is automatically assigned to your account.
    4. Log out and log back in, then navigate to your user record.
    5. In the Roles related list, select Edit and also assign sn_kmf.cryptographic_manager.
    6. Log out and log back in to activate both KMF roles.
    Stage 3 — Import development records into the production instance
    1. On the production instance, navigate to All > Scan Engine > My SN Instances.
    2. Import the four XML files in the following order, using Import XML for each file:
      1. OAuth entity profile record
      2. Second OAuth entity profile record (if present)
      3. MySN instance record
      4. OAuth user profile (OAuth2 configuration) record
    Stage 4 — Correct KMF-encrypted credentials on the production instance
    1. Navigate to sys_auth_profile_oauth2.list and open the Integration Account OAuth user profile record.
    2. Switch the application scope to Scan Engine.
    3. If the Username and Password fields are not visible, configure the form to display them, or open the record using the list layout.
      When prompted whether to edit in Scan Engine or Global scope, select Global for the form configuration only.
    4. Overwrite the Password field with the integration account password from your text editor and select Save.
      Importing the record causes KMF to re-encrypt the password field with the production instance key. Overwriting it restores the correct value.
    5. Navigate to All > System OAuth > Application Registry and open OAuth Client Dev.
    6. Unlock the Client Secret field, overwrite it with the integration account password, and select Save.
    7. Return to the Application Registry list and open OAuth Provider Dev.
    8. Unlock the Client Secret field, overwrite it with the integration account password, and select Save.
    Stage 5 — Grant KMF module access and validate the development connection
    1. In the Navigator, type key.
    2. Navigate to All > Key Management Framework > Module Access Policies > All.
    3. Filter the Script table column to show Script Includes only and locate the record named ScanEngine API Util.
    4. Open the record, change the access decision to Track, and select Save.
    5. Navigate to All > Scan Engine > My SN Instances, remove any active filters, and open the development instance record.
    6. Select Validate Connection.
      Connection Status updates to Connection valid. The production instance can now communicate with the development instance. See Validate your instance connection for additional information.
    Stage 6 — Create the OAuth client and provider for the production instance
    1. Confirm the application scope is set to Scan Engine.
    2. Navigate to All > Scan Engine > My SN Instances and confirm that a MySN instance record exists for the production instance.
      If the production instance record has not been created yet, complete Register your instance with the following values before continuing. The record must exist before OAuth fields can be configured.
      Field | Value
      Instance Name | The instance name as it appears in stats.do for the production instance.
      URL | The full URL of the production instance.
      Environment | Production
    3. Navigate to All > System OAuth > Inbound Integrations and select New Integration.
    4. Select Resource Owner Password Credential Grant and fill out the form as follows:
      Field | Value
      Name | OAuth Client Prod
      Provider Name | Leave empty.
      Client ID | Copy the auto-generated value to your text editor for use in the next step.
      Client Secret | Enter the integration account password.
      Auth Scope | useraccount
      Advanced options: Token Format | Opaque
    5. Select Save.
    6. Navigate to All > System OAuth > Application Registry and select New.
    7. Select Connect to an OAuth Provider (simplified) — Outbound and fill out the form as follows:
      Field | Value
      Name | OAuth Provider Prod
      Client ID | Paste the client ID copied from OAuth Client Prod.
      Client Secret | Enter the integration account password.
      Default Grant Type | Resource Owner Password Credentials
      Redirect URL | Select the redirect URL for the production instance. Example: https://prod.servicenow.com/oauth_redirect.do
      Token URL | Use the redirect URL with the path changed to oauth_token.do. Example: https://prod.servicenow.com/oauth_token.do
    8. Select Save.
      An OAuth entity profile record is automatically generated and appears at the bottom of the form. Leave this record as-is.
    Stage 7 — Link OAuth records to the production MySN instance and validate
    1. Navigate to All > Scan Engine > My SN Instances and open the production instance record created in Register your instance.
    2. Configure the record as follows:
      Field | Value
      Authentication Type | OAuth
      OAuth Application Registry | OAuth Provider Prod
      OAuth User Profile | Select the existing Integration Account profile (the same profile used for the development connection).
    3. Select Save, then select Validate Connection.
      Note:
      Because the KMF module access policy for ScanEngine API Util was already set to Track in Stage 5, the connection should validate immediately without additional KMF steps. See Validate your instance connection for additional information.
      Connection Status updates to Connection valid.
    Stage 8 — Export production records and import into the development instance
    1. From the production instance, navigate to All > System OAuth > Application Registry and export the following records as XML:
      • OAuth Client Prod
      • OAuth Provider Prod
      • The OAuth entity profile auto-generated by OAuth Provider Prod
    2. Export the production MySN instance record as XML.
    3. Log in to the development instance and navigate to All > Scan Engine > My SN Instances.
    4. Import the four XML files using Import XML.
    5. Navigate to All > System OAuth > Application Registry and correct the KMF-encrypted client secret on both OAuth Client Prod and OAuth Provider Prod by overwriting each with the integration account password.
      See Stage 4 for the correction procedure.
    6. Navigate to All > Scan Engine > My SN Instances, remove any active filters, and open the production instance record.
    7. Select Validate Connection.
      Connection Status updates to Connection valid. Both instances now have valid MySN instance records for development and production.

    Result

    Both the development and production instances have validated MySN instance records in each direction. Definition synchronization, update set summary synchronization, and exception reason synchronization are now available.
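The token request that Stage 6 configures (the Resource Owner Password Credentials grant against oauth_token.do) can be exercised directly when Validate Connection fails after an import, to confirm whether the overwritten secret and password are accepted. This is an added example, not ServiceNow's code: the SE_* environment variable names are hypothetical, and it assumes the standard OAuth 2.0 form fields for the password grant.

```python
import getpass
import json
import os
import urllib.error
import urllib.parse
import urllib.request

def token_url_from_redirect(redirect_url):
    """Stage 6 rule: the redirect URL with the path changed to oauth_token.do."""
    parts = urllib.parse.urlsplit(redirect_url)
    if parts.scheme != "https" or not parts.path.endswith("/oauth_redirect.do"):
        raise ValueError("expected an https URL ending in /oauth_redirect.do")
    path = parts.path[: -len("oauth_redirect.do")] + "oauth_token.do"
    return urllib.parse.urlunsplit((parts.scheme, parts.netloc, path, "", ""))

def build_password_grant(client_id, client_secret, username, password):
    """Form body for the Resource Owner Password Credentials grant (RFC 6749, 4.3)."""
    fields = {"grant_type": "password", "client_id": client_id,
              "client_secret": client_secret, "username": username,
              "password": password}
    return urllib.parse.urlencode(fields).encode("ascii")

def request_token(token_url, body, timeout=15):
    """POST the grant and return (status, parsed JSON); 4xx is returned, not raised."""
    req = urllib.request.Request(token_url, data=body, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        try:
            return err.code, json.loads(err.read())
        except ValueError:
            return err.code, {"error": "non-JSON error body"}

def summarize(status, payload):
    """Describe the outcome without echoing the token or any secret."""
    if status == 200 and "access_token" in payload:
        return "ok: token issued, expires_in=%s" % payload.get("expires_in")
    return "failed: HTTP %s, error=%s" % (status, payload.get("error"))

if __name__ == "__main__":
    # SE_* variable names are hypothetical; the password is prompted, not stored.
    url = token_url_from_redirect(os.environ["SE_REDIRECT_URL"])
    pw = getpass.getpass("Integration account password: ")
    # Per Stage 6, the client secret is also the integration account password.
    body = build_password_grant(os.environ["SE_CLIENT_ID"], pw, os.environ["SE_USER"], pw)
    print(summarize(*request_token(url, body)))
```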

    What to do next