Key Management Framework Health

  • Release version: Xanadu
  • Updated August 1, 2024
  • 2 minutes to read

    Access on-demand health status information for the Key Management Framework. Warning and malfunction errors contain a detailed message.

    Before you begin

    Role required: sn_kmf_admin and either sn_kmf.cryptographic_auditor or sn_kmf.cryptographic_manager

    About this task

    Each component of the Key Management Framework is outlined and reports the following statuses and colors:
    • Green/Operational: The component is operational, no errors to report.
    • Gray/Disabled: The component is inactive, therefore no health check is performed.
    • Yellow/Degraded: Warning. The component is working, but delays or transient issues may occur.
    • Red/Malfunction: A fatal error is preventing the component from operating, which is likely to cause partial outages.

    Components can include subcomponents, each with its own report. A subcomponent's health status affects its parent as follows:

    • If all subcomponents are inactive, the parent shows as inactive. Inactive subcomponents don’t impact the health of their parents.
    • If one or more subcomponents are degraded or malfunctioning, the parent health shows as degraded.
    • If all subcomponents report as malfunctioning, then the parent also reports as malfunctioning.
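
    The roll-up rules above, written out as an added example (not ServiceNow's own code) so the precedence between them is explicit. It generalizes the rules to nested subcomponent trees, and assumes, since the page says inactive subcomponents do not affect their parent, that inactive ones are ignored when deciding whether "all" subcomponents have malfunctioned; the component names in the sample tree are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import IntEnum


class Health(IntEnum):
    """Status values from the Diagnostics page, ordered by severity."""
    DISABLED = 0      # Gray: inactive, no health check performed
    OPERATIONAL = 1   # Green: no errors to report
    DEGRADED = 2      # Yellow: working, but delays or transient issues possible
    MALFUNCTION = 3   # Red: fatal error, partial outage likely


@dataclass
class Component:
    name: str
    own: Health = Health.OPERATIONAL          # status of a leaf component
    subcomponents: list[Component] = field(default_factory=list)


def rollup(component: Component) -> Health:
    """Effective health of a component, derived from its subcomponents.

    Leaf components report their own status. For a parent, in order:
      all subcomponents inactive          -> parent inactive
      all active subcomponents malfunction -> parent malfunction
      any subcomponent degraded/malfunction -> parent degraded
      otherwise                            -> operational
    Assumption: inactive subcomponents are dropped before the "all
    malfunctioned" test, because they never affect the parent's health.
    """
    if not component.subcomponents:
        return component.own
    children = [rollup(c) for c in component.subcomponents]   # recurse first
    active = [h for h in children if h is not Health.DISABLED]
    if not active:
        return Health.DISABLED
    if all(h is Health.MALFUNCTION for h in active):
        return Health.MALFUNCTION
    if any(h >= Health.DEGRADED for h in active):
        return Health.DEGRADED
    return Health.OPERATIONAL


def sample_tree() -> Component:
    """Constructed sample: one malfunctioning key under an otherwise healthy framework."""
    keys = Component("Instance level keys", subcomponents=[
        Component("IKEK", Health.OPERATIONAL),
        Component("Instance HMAC Key", Health.MALFUNCTION),
        Component("Instance PKI", Health.DISABLED),   # ignored by the roll-up
    ])
    return Component("Key Management Framework",
                     subcomponents=[keys, Component("GlideEncrypter")])
```

In the sample tree the mixed key group rolls up to Degraded rather than Malfunction, and that Degraded status then propagates to the framework-level parent.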

    For additional information on subcomponents, see Instance level keys in the Key Management Framework.

    Note:
    Health checks run every 15 seconds. Refresh the health page to rerun the report.

    Procedure

    1. Navigate to All > Key Management > > Diagnostics.
    2. Review the following health status information:
      Table 1. Diagnostic Information

      | Category | Details |
      | --- | --- |
      | Key Secure | Checks if encryption is being attempted. |
      | File Key Store | Checks if an Instance Root Key (IRK) fetch attempt is occurring. Note: The File Key Store is an offline alternative to Key Secure used for on-premise instances and developer instances. |
      | GlideEncrypter | Checks if a GlideEncrypter instance-level cryptographic module, specification, and key are present. Note: GlideEncrypter is a scriptable component that enables transparent encryption of Password2 fields and other legacy encryption usages through the Key Management Framework. |
      | Instance Key Encryption Key (IKEK) | Checks if the key can be fetched from the File Key Store or KeySecure. |
      | Instance HMAC Key | Checks if the key can be fetched from the File Key Store or KeySecure. |
      | Vault PKI | Checks Vault connectivity to verify if the Instance Asymmetric Encryption Key (IAEK) and Instance Signature Key (ISK) are usable and can be fetched from Vault. |
      | EJBCA PKI | Checks LDAP connectivity to verify if IAEK and ISK are usable and can be fetched from cache and LDAP. |
      | Instance PKI | Checks the File Key Store and KeySecure for a key and whether the certificate is present and matches the symmetric key. Note: Instance PKI is only available on instances within a ServiceNow datacenter. |

    For assistance in troubleshooting, contact Customer Service and Support.