MID Server certificate check policies

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 5 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of MID Server Certificate Check Policies

    The MID Server ensures secure external traffic through TLS/SSL certificate validation, hostname validation, and OCSP validation. These security checks can be managed via the MID Server certificate check policies table, enhancing the overall security posture of your ServiceNow instance.

    Show full answer Show less

    Key Features

    • TLS/SSL Certificate Validation: Verifies the authenticity of the web server’s certificate before establishing an encrypted connection.
    • Hostname Validation: Ensures the server identity matches the requested URL, preventing man-in-the-middle attacks.
    • Online Certificate Status Protocol (OCSP): Validates the status of certificates in real-time to ensure they are not compromised.
    • Security Policies: Defines policies for various connection types including ServiceNow endpoints, internet, intranet, and overridden policies for specific URLs.

    Key Outcomes

    By enabling all certificate validation checks, customers can significantly improve the security of their MID Server connections. The Quebec version defaults to having all checks activated for new installations, while upgrading customers should actively configure the intranet policy to enhance security. The MID Server can be set to either use its bootstrap parameters or sync with instance security policies, providing flexibility during setup.

    For successful connections, ensure that internal endpoints have valid CA-signed certificates, or consider importing self-signed certificates to the MID Server trust store. Insecure connections will be terminated, accompanied by appropriate error messages to assist in troubleshooting.

    MID Server uses three kinds of security checks to secure external traffic. The security checks use TLS/SSL certificate validation, hostname validation, and OCSP validation to improve security. Control these security checks with the MID Server certificate check policies table.

    Set-up indicator for security phaseEnsure that the MID Server can connect to elements inside and outside your networkDownload and install the MID Server on a Linux or Windows hostConfigure your MID ServerConfigure MID Server securityEnsure that the MID Server can connect to elements inside and outside your networkDownload and install the MID Server on a Linux or Windows hostConfigure your MID ServerConfigure MID Server security

    TLS/SSL certificate validation

    TLS/SSL encryption security uses asymmetric encryption, also called public-key encryption. This encryption uses two cryptographic keys: the public key and the private key. The public key is used for encryption of data and is publicly visible. The private key is used for decryption of data and its security is essential to verifying authenticity. For more information about preparing your network, see MID Server TLS/SSL certificate check policy Quebec upgrade information [KB0867397].

    In TLS/SSL certificate validation, the MID Server attempts to connect to a web server secured with a TLS or SSL certificate. The web server sends a copy of its TLS/SSL certificate to the MID Server. The MID Server checks the authenticity of the certificate and sends a message to the webserver. The webserver responds with a digitally signed acceptance for initiating an TLS/SSL encrypted session. After which the MID Server can begin encrypted communication with the web server.

    Hostname validation

    Hostname verification is a part of HTTPS that involves a server identity check to ensure that the client is talking to the correct server. This check prevents sending information to a server after being redirected by a man in the middle attack.

    The check involves verifying that the dnsName of the certificate sent by the server matches the URL used to make the request. According to RFC 6125, hostname verification should be done against the certificate's subjectAlternativeName's dNSName field. In some legacy implementations, the check is done against the certificate's commonName field. If the names don't match, the connection is terminated.

    Note:
    Hostname validation derives the hostname from the validated certificate presented by the server. Therefore, TLS certificate validation is a pre-requisite for hostname validation.

    Online Certificate Status Protocol (OCSP)

    OCSP involves contacting the remote certificate authority server and verifying the certificate before the MID Server communicates further with the target server. Compromised certificates can be a security vulnerability, especially if those certificates have the ability to sign other certificates. If certificates have been broken or forged, then a certificate authority can inform a client which certificates are invalid and should not be used.

    An OCSP responder (a server typically run by the certificate issuer) returns a signed response that the certificate is 'good', 'revoked', or 'unknown'. If it cannot process the request, it may return an error code.

    The certificate's issuer may delegate another authority to be the OCSP responder. This creates a chain of certificates that must be verified. The responder's certificate must be issued by the issuer of the certificate in question. The responder’s certificate must include a certain extension that marks it as an OCSP signing authority.

    Note:
    OCSP checks are secondary HTTP calls made to an OCSP responder. The primary call may discontinue the connection based on the response from the OCSP responder.

    MID Server security policy

    MID Server security policies control all HTTPS traffic originating from the MID Server. This includes HTTPS connections from the MID Server to an internet endpoint, ServiceNow URLs, intranet endpoints, as well as cloud endpoints.

    These connections can be further classified into 4 security policies:

    ServiceNow endpoint policy
    This policy is the system default exclusively for ServiceNow URLs. On the MID Server config.xml, there are bootstrap properties which are only used to make first connection to the instance and will get updated with the system_default policy.
    Internet policy
    These policies cover all HTTPS connections initiated from MID Server to any endpoint on the internet.
    Intranet policy
    These policies cover the reserved IP subnets, such as self-hosted networks.
    Overridden policy
    You can override specific endpoints or URLs with this policy definition. Overridden policies take the highest order of precedence during operation.

    Both tables are editable to include or exclude IP ranges, as well as control what kind of certificate validation checks need to be done. Enable all certificate validation checks to maximize security. The Quebec version has all policies and checks turned on by default for fresh installations.

    For upgrading customers, the intranet policy has the certificate validation checks disabled by default. To improve security, configure and enable the policy for endpoints within the internal network.
    Note:
    Internal endpoints or URLs need to possess a valid CA signed certificate for a successful connection.

    For endpoints that host a self-signed certificate, either import the certificate to the MID Server trust store or disable the policy checks which validate that host. For more information about adding certificates, see Add SSL certificates for the MID Server.

    After upgrading to Quebec, go to the certificate check policies table and make changes to policy configuration if necessary. Once the MID Server starts up and connects to the instance, any subsequent HTTPS connection originating from the MID server will start applying these certificate checks at runtime. Insecure connections are broken with appropriate error messages.

    Use Instance Security Policy

    The MID Server configuration parameter mid.ssl.use.instance.security.policy controls whether the MID Server uses its bootstrap parameters rather than the security policy from the instance. By default, mid.ssl.use.instance.security.policy is set to false in the config.xml so the bootstrap policies are not overwritten by the instance's.

    This default setting can prevent some problems during MID Server setup. For example if the host is unable to reach the OCSP responder, then a new MID Server installation is not disrupted by an instance's policy of requiring OCSP connection.

    The configuration parameter mid.ssl.use.instance.security.policy can be set for each MID Server. When set to true, the MID Server syncs all policies with the instance and the bootstrap configuration parameters are overwritten by the *.servicenow.com policy on the instance mid_cert_check_policy table. The final policies update the policy map in the MID Server memory as well as the config.xml.

    The default parameters in the config.xml are:
    • <parameter name="mid.ssl.bootstrap.default.check_cert_hostname" value="true"/>
    • <parameter name="mid.ssl.bootstrap.default.check_cert_chain" value="true"/>
    • <parameter name="mid.ssl.bootstrap.default.check_cert_revocation" value="false"/>
    • <parameter name="mid.ssl.use.instance.security.policy" value="false"/>

    Self-hosted or on-prem instances must add the following parameter for the config.xml: <parameter name="mid.ssl.bootstrap.default.target_endpoint" value="FQDN_OF_THE_INSTANCE"/>