With ServiceNow's deprecation of the GlideEncrypter API (used for Triple DES encryption) and its current planned removal by Q4 2025, there are a couple different approaches for encrypting data shared out of your ServiceNow instance with the Perspectium integration.


What's on this page?




Default Approach of Encrypting Each Record Individually

The default approach encrypts data the way it has been since the Perspectium Core application for ServiceNow was first developed, with you choosing the encryption method to encrypt each record individually during sharing as each record is put into the outbound (psp_out_message) table to be sent to the Perspectium Integration Mesh. The records are encrypted using the encryption key specified in the shared queue used with the share.

With the deprecation of GlideEncrypter, TripleDES is still available as an option for the Encryption Method selection on bulk and dynamic shares but will use a third-party JavaScript library for doing the encryption in place of GlideEncrypter.

It is suggested not to use TripleDES with the default approach as there will be performance issues since the third-party JavaScript library is substantially slower than the GlideEncrypter API. This is due to the library being executed externally at the client platform level whereas ServiceNow APIs are ran at a lower platform level with more direct access to the data. As well, Triple DES as a security encryption standard is no longer a recommended option per NIST-800-131A (and the reason ServiceNow is removing GlideEncrypter).

It is recommended you change to use a more secure encryption method like AES128 or AES256 for configuring your (bulk and dynamic) shares when using the default approach. The AES encryption methods also use a third-party JavaScript library but are using a different library that has been optimized (since Triple DES is no longer considered a secure encryption method, third-party libraries are limited in their support, maintenance and optimization).


↑ Go to top of page




Encrypting Content Sent to MBS Approach

With Lithium 9.0.0+ and newer, there is an alternative approach for encrypting the content as it is sent to the Perspectium Integration Mesh (MBS).

Whereas the default approach will encrypt each record one by one (i.e. when you go to Perspectium > Messages > Outbound > Outbound Messages and open up a record, you will see the record is encrypted as stored in the Value field and you have the Decrypt value option to decrypt and see the actual record being shared), this approach will do one encryption of all the records in the batch at the same time before it is sent to MBS.

The sharing of data to put the records into the outbound table (psp_out_message) will only base64 encode the records since ServiceNow makes a Base64 API available that will performance similar to GlideEncrypter.

Then when the Perspectium Core application runs its scheduled job to take a batch of records from the outbound table (psp_out_message) and send those to MBS, the batch will first be encrypted using the encryption key specified in the shared queue used with the share before being sent to MBS.

We are still using third-party JavaScript libraries since GlideEncrypter is not available but by only encrypting the entire batch this will allow us to have better performance versus encrypting each record one by one. Because Triple DES is not considered a secure encryption method, this approach only supports AES128 and AES256 encryption methods.

NOTES:

Set Up

To set up this approach do the following:

Upgrade to Lithium 9.0.0 and newer versions of Perspectium

This approach requires all applications you use for your integration (the Perspectium Core application, the DataSync Agent and Meshlets) to be upgraded to Lithium 9.0.0 and newer.

Configure Shared Queue using Encrypt on Send

Go to your shared queue (either ones that already exists or create new ones) under Perspectium > Perspectium Core > Shared Queues that you want to use this approach and go to the Miscellaneous tab and select the Encrypt on Send option:

This will display the Encryption method dropdown to select which encryption method you want to use, AES128 or AES256. 

(info) NOTE: If using AES256, you will need to enter an encryption key of 32+ characters.

Get Queue Status may not show the proper number of records you shared that are in the queue. See Optional features for shared and subscribed queues for more information.

Execute your bulk shares

The next time your bulk shares using a queue with the Encrypt on Send option runs, it will base64 encode records to put into the outbound (psp_out_message) table and then the entire batch will be encrypted when sent to MBS.

There are no additional configurations needed on the DataSync Agent or Meshlets so long as you have these applications pointed to the same queue you are sharing your ServiceNow data to and they have the same encryption key as specified in ServiceNow.

Note that for the DataSync Agent, it will log for when it receives an encrypted batch of records that it must first decrypt before processing the records in the batch:

2024-08-18 20:12:25.776 INFO  - live_demo_subscribe - SubscriberTask - received an array of 1 elements
2024-08-18 20:12:25.777 INFO  - live_demo_subscribe - SubscriberTask - element is message with topic encrypted_messages and name messages.bulk with 10 records
2024-08-18 20:12:25.791 INFO  - live_demo_subscribe - SubscriberTask - received an array of 10 elements



Encrypted Batch Message

As the Perspectium Core application batches up the records and encrypts the batch to send to MBS, it will store this batch in a Perspectium message in JSON format as follows:

{
	"topic": "encrypted_messages",
	"type": "servicenow",
	"name": "messages.bulk"
	"key": "<your_servicenow_instance_name>", (ie. "dev12345")
	"value": "<encrypted_batch_of_records",
	"attributes" "<addtional_message_attributes>"
}


We use our standard Perspectium message format with specific properties for the topic, type and name so that target applications (DataSync Agent, meshlets and Perspectium Core on a subscribing ServiceNow instance) reading this message know this is an encrypted batch of messages to then decrypt first before doing the regular processing of each message.


↑ Go to top of page

  • No labels