Securing and encrypting MID Server data
Summary of Securing and Encrypting MID Server Data
This guide outlines the security and encryption measures available for the MID Server, ensuring that sensitive data is protected during operations. Key features include encrypting parameter values in the config.xml file, establishing secure connections, and utilizing various security options to safeguard data integrity and confidentiality.
Key Features
- Encryption of Credentials: The MID Server uses AES256 encryption to secure passwords stored in the config.xml file, replacing clear-text passwords with encrypted ones.
- Encryption Key Management: A unique encryption key is generated at each startup and kept in memory to enhance security.
- Secure Communication: Credentials are sent over an encrypted TLS session, ensuring they are not exposed during transmission.
- Built-in Security Options: Options include a default encryptor, Windows Data Protection API, and custom encryption settings for enhanced security.
- Certificate Check Policies: Control external traffic to the MID Server with certificate policies.
- Unified Key Store: Allows the MID Server to utilize a common repository for certificates and key pairs across all products.
- Command Audit Log: Records commands executed by the MID Server to enhance tracking and security auditing.
- SSL Certificates: Facilitate secure communication over SSL by adding necessary certificates to the MID Server.
- SSH Cryptographic Algorithms: The MID Server automatically selects optimal cryptographic algorithms for SSH-based discovery actions.
Key Outcomes
By implementing these security measures, ServiceNow customers can ensure that their MID Server data is encrypted and secure, thereby safeguarding sensitive information and maintaining compliance with data protection standards. Customers can expect improved security posture through enforced authentication, encrypted communications, and a robust auditing process for command actions.
After configuring your MID Server, you can add security by encrypting MID Server parameter values in the config.xml file. Encryption protects data that the MID Server returns to the ECC Queue. Other available security options include the authorization of SOAP requests, restricting access to the MID Server configuration file, and establishing Secure Sockets Layer (SSL) connections.
How MID Server password encryption works
- The instance retrieves the encrypted password and the unencrypted username from the instance database table.
- The instance decrypts the encrypted password, and then re-encrypts it using the MID Server encryption key.
- The username and re-encrypted password are sent to the MID Server through the encrypted TLS session that was already established between the MID Server and the instance.
- The MID Server receives the credentials and decrypts the password in memory before using the credentials for remote operations. At no point is the credential password stored on the disk in an unencrypted format.
Security options
The MID Server provides built-in security options for other content in the configuration file, such as the default encryptor, Windows Data Protection API, and options for custom encryption.
- MID Server certificate check policies
- Use the certificate check policies table to control how the MID Server handles certificates on external traffic.
- Encrypt or decrypt MID Server configuration file values
- You can encrypt and decrypt any value in the MID Server config.xml file.
- MID Server configuration file security
- Protect sensitive MID Server configuration data in the config.xml file using internal and external data encryption and external data storage.
- MID Server authentication credentials and SOAP requests
- Set the basic authentication credentials used for web service invocations, and enforce basic authentication on each incoming SOAP request to the MID Server.
- MID Server unified key store
- The MID Server unified key store allows all products on the MID Server to use a common store of certificates and key pairs.
- MID Server command audit log
- The command audit log records the commands run by the MID Server for the Discovery application.
- Rekey a MID Server
- Rekey a MID Server to force it to restart and generate a new private key. Typically, this process is only necessary if the MID Server keystore is compromised.
- Add SSL certificates for the MID Server
- Add certificates to the MID Server to communicate over SSL.
- MID Server SSH cryptographic algorithms
- The MID Server uses SSH clients to perform many discovery actions and automatically determines the best cryptographic algorithm to use.
- Attach a script file to a file synchronized MID Server
- Attach a script file and synchronize it to a MID Server to prevent Windows enhanced security from blocking downloaded MID Server files that it deems dangerous.
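The following is an added example for the "Encrypt or decrypt MID Server configuration file values" and "MID Server configuration file security" topics above; it is not ServiceNow's own code. It audits a config.xml before the MID Server is started and reports credential-like parameters whose values would otherwise sit in clear text, then returns a corrected copy. It assumes the `<parameters>`/`<parameter name="…" value="…"/>` layout shown in the constructed sample, and that the MID Server honours the `encrypt="true"` attribute by encrypting that parameter's value on its next startup. The credential-like name pattern and the POSIX file-permission check are assumptions of this example, not MID Server rules.

```python
"""Pre-startup audit of a MID Server config.xml (added example, not ServiceNow code).

Assumptions: config.xml has a <parameters> root holding <parameter name=".."
value=".." [encrypt="true"]/> elements, and the MID Server encrypts any value
whose parameter carries encrypt="true" the next time it starts.
"""
import os
import re
import stat
import sys
import xml.etree.ElementTree as ET

# Two parameter names ServiceNow ships with encrypt="true"; the regex is this
# example's own heuristic for other credential-like names (an assumption).
SENSITIVE_NAMES = {"mid.instance.password", "mid.proxy.password"}
SENSITIVE_PATTERN = re.compile(r"(password|passwd|secret|token|\.key)$", re.IGNORECASE)

# Constructed sample config.xml: one secret correctly marked for encryption,
# one proxy password left in clear text, and ordinary non-secret settings.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<parameters>
  <parameter name="url" value="https://example.service-now.com"/>
  <parameter name="mid.instance.username" value="mid_user"/>
  <parameter name="mid.instance.password" value="Sup3rSecret!" encrypt="true"/>
  <parameter name="mid.proxy.password" value="proxy-pass"/>
  <parameter name="mid.log.level" value="info"/>
</parameters>
"""


def is_sensitive(name):
    """True for parameters whose value must never stay in clear text."""
    return name in SENSITIVE_NAMES or bool(SENSITIVE_PATTERN.search(name))


def _needs_marking(param):
    return is_sensitive(param.get("name", "")) and param.get("encrypt", "").lower() != "true"


def audit_config(xml_text):
    """Return [(parameter name, finding)] for sensitive parameters that lack
    encrypt="true". Marked parameters are left alone: the MID Server replaces
    their clear-text value with the encrypted form on startup."""
    root = ET.fromstring(xml_text)
    return [
        (param.get("name", ""), 'clear-text value without encrypt="true"')
        for param in root.iter("parameter")
        if _needs_marking(param)
    ]


def mark_for_encryption(xml_text):
    """Return (fixed_xml, changed_names): adds encrypt="true" to every sensitive
    parameter missing it, so the MID Server encrypts the value at next start."""
    root = ET.fromstring(xml_text)
    changed = []
    for param in root.iter("parameter"):
        if _needs_marking(param):
            param.set("encrypt", "true")
            changed.append(param.get("name", ""))
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body, changed


def check_file_permissions(path):
    """POSIX only: warn if anyone other than the owner can read config.xml.
    Restricting the file to the MID Server service account is the host-side
    control that complements encryption of the values inside it."""
    if os.name != "posix":
        return None
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return f"{path} is group/world accessible (mode {mode:04o}); chmod 600 it"
    return None


if __name__ == "__main__":
    # Usage: python audit_mid_config.py [/path/to/agent/config.xml]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
        perm_finding = check_file_permissions(sys.argv[1])
        if perm_finding:
            print(perm_finding)
    else:
        text = SAMPLE_CONFIG
    for name, finding in audit_config(text):
        print(f"{name}: {finding}")
```

Run it against the agent's config.xml before the first start: any name it reports is a credential the MID Server would not encrypt, and `mark_for_encryption` produces the file to write back (after which the MID Server, not this script, performs the encryption).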
