With ServiceNow's deprecation of the GlideEncrypter API (used for Triple DES encryption) and its current planned removal by Q4 2025, there are a couple different approaches for encrypting data shared out of your ServiceNow instance with the Perspectium integration.
Default Approach of Encrypting Each Record Individually
The default approach encrypts data the way it has been since the Perspectium Core application for ServiceNow was first developed, with you choosing the encryption method to encrypt each record individually during sharing as each record is put into the outbound (psp_out_message) table to be sent to the Perspectium Integration Mesh. The records are encrypted using the encryption key specified in the shared queue used with the share.
With the deprecation of GlideEncrypter, TripleDES is still available as an option for the Encryption Method selection on bulk and dynamic shares but will use a third-party JavaScript library for doing the encryption in place of GlideEncrypter.
It is suggested not to use TripleDES with the default approach as there will be performance issues since the third-party JavaScript library is substantially slower than the GlideEncrypter API. This is due to the library being executed externally at the client platform level whereas ServiceNow APIs are ran at a lower platform level with more direct access to the data. As well, Triple DES as a security encryption standard is no longer a recommended option per NIST-800-131A (and the reason ServiceNow is removing GlideEncrypter).
It is recommended you change to use a more secure encryption method like AES128 or AES256 for configuring your (bulk and dynamic) shares when using the default approach. The AES encryption methods also use a third-party JavaScript library but are using a different library that has been optimized (since Triple DES is no longer considered a secure encryption method, third-party libraries are limited in their support, maintenance and optimization).
Encrypting Content Sent to MBS Approach
With Lithium 9.0.0+ and newer, there is an alternative approach for encrypting the content as it is sent to the Perspectium Integration Mesh (MBS).
Whereas the default approach will encrypt each record one by one (i.e. when you go to Perspectium > Messages > Outbound > Outbound Messages and open up a record, you will see the record is encrypted as stored in the Value field and you have the Decrypt value option to decrypt and see the actual record being shared), this approach will do one encryption of all the records in the batch at the same time before it is sent to MBS.
The sharing of data to put the records into the outbound table (psp_out_message) will only base64 encode the records since ServiceNow makes a Base64 API available that will performance similar to GlideEncrypter.
Then when the Perspectium Core application runs its scheduled job to take a batch of records from the outbound table (psp_out_message) and send those to MBS, the batch will first be encrypted using the encryption key specified in the shared queue used with the share before being sent to MBS.
We are still using third-party JavaScript libraries since GlideEncrypter is not available but by only encrypting the entire batch this will allow us to have better performance versus encrypting each record one by one. Because Triple DES is not considered a secure encryption method, this approach only supports AES128 and AES256 encryption methods.
NOTES:
- Encrypt on Send is not compatible with MultiOutput jobs created using the MultiOutput processing by sys_id option. If you have created jobs using this option, the Encrypt on Send option will not be available when configuring your shared queue. The feature will work with the MultiOutput processing by outbound queue option.
Set Up
To set up this approach do the following:
Upgrade to Lithium 9.0.0 and newer versions of Perspectium
This approach requires all applications you use for your integration (the Perspectium Core application, the DataSync Agent and Meshlets) to be upgraded to Lithium 9.0.0 and newer.
Configure Shared Queue using Encrypt on Send
Go to your shared queue (either ones that already exists or create new ones) under Perspectium > Perspectium Core > Shared Queues that you want to use this approach and go to the Miscellaneous tab and select the Encrypt on Send option:
This will display the Encryption method dropdown to select which encryption method you want to use, AES128 or AES256.
NOTE: If using AES256, you will need to enter an encryption key of 32+ characters.
Get Queue Status may not show the proper number of records you shared that are in the queue. See Optional features for shared and subscribed queues for more information.
Execute your bulk shares
The next time your bulk shares using a queue with the Encrypt on Send option runs, it will base64 encode records to put into the outbound (psp_out_message) table and then the entire batch will be encrypted when sent to MBS.
There are no additional configurations needed on the DataSync Agent or Meshlets so long as you have these applications pointed to the same queue you are sharing your ServiceNow data to and they have the same encryption key as specified in ServiceNow.
Note that for the DataSync Agent, it will log for when it receives an encrypted batch of records that it must first decrypt before processing the records in the batch:
2024-08-18 20:12:25.776 INFO - live_demo_subscribe - SubscriberTask - received an array of 1 elements 2024-08-18 20:12:25.777 INFO - live_demo_subscribe - SubscriberTask - element is message with topic encrypted_messages and name messages.bulk with 10 records 2024-08-18 20:12:25.791 INFO - live_demo_subscribe - SubscriberTask - received an array of 10 elements
Encrypted Batch Message
As the Perspectium Core application batches up the records and encrypts the batch to send to MBS, it will store this batch in a Perspectium message in JSON format as follows:
{
"topic": "encrypted_messages",
"type": "servicenow",
"name": "messages.bulk"
"key": "<your_servicenow_instance_name>", (ie. "dev12345")
"value": "<encrypted_batch_of_records",
"attributes" "<addtional_message_attributes>"
}
We use our standard Perspectium message format with specific properties for the topic, type and name so that target applications (DataSync Agent, meshlets and Perspectium Core on a subscribing ServiceNow instance) reading this message know this is an encrypted batch of messages to then decrypt first before doing the regular processing of each message.