The DataSync Agent provides a plugin to support decrypting replicated data that is edge encrypted. To decrypt this data, you will need the following:
- Edge Encryption enabled in your ServiceNow instance
- An Edge Encryption proxy server installed and configured
- The keystore containing the encryption key used for Edge Encryption. This keystore can be stored in an Azure Key Vault (cloud key management) or on a filesystem that the Agent has access to.
With this information available, add the following configuration directives to your task definition within your agent.xml file:
Note: All attributes are required to access the key vault and open the keystore from the Azure Key Vault.
If the keystore containing the encryption key is saved in an Azure Key Vault, add the following:

| Directive | Description | Required? | Example Value |
|---|---|---|---|
| `<plugin>` | Plugin that will decrypt Edge Encrypted replicated data. Its attributes are listed in the parameter table below. | Yes | See example below. |

| Parameter | Description |
|---|---|
| keystore | Specifies where the keystore is located. Value: azure |
| vault_tenant | tenant_id for the Azure Key Vault containing the keystore |
| vault_url | URL to the Azure Key Vault |
| vault_principal | principal_id for the Azure Key Vault |
| principal_secret | Password for the Azure Key Vault principal |
| secret_name | Name of the keystore secret in the Azure Key Vault |
| keystore_password | Password for the keystore |
| keystore_alias | Name of the key alias |
| alias_password | Password for the key |

*See Authentication in Azure Key Vault for more information on these parameters.

```xml
<config>
  <agent>
    <subscribe>
      <task>
        ...
        <plugin keystore="azure"
                vault_tenant="VAULT_TENANT_GOES_HERE"
                vault_url="VAULT_URL_GOES_HERE"
                vault_principal="VAULT_PRINCIPAL_GOES_HERE"
                principal_secret="PRINCIPAL_SECRET_GOES_HERE"
                secret_name="SECRET_NAME_GOES_HERE"
                keystore_password="KEYSTORE_PASSWORD_GOES_HERE"
                keystore_alias="KEYSTORE_ALIAS_GOES_HERE"
                alias_password="ALIAS_PASSWORD_GOES_HERE">com.perspectium.replicator.sql.plugin.SQLSubscriberDecryptColumnPlugin</plugin>
      </task>
    </subscribe>
  </agent>
</config>
```
Example of a complete agent.xml configuration with the keystore in an Azure Key Vault (the `<plugins>` element is closed here; the subscribe task's decrypt plugin and the share task's `<edge_encryption>` directive both point at the same keystore):

```xml
<?xml version="1.0" encoding="ISO-8859-1" ?>
<config>
  <agent>
    <max_reads_per_connect>1</max_reads_per_connect>
    <polling_interval>5</polling_interval>
    <test_mode/>
    <subscribe>
      <task>
        <polling_interval>5</polling_interval>
        <task_name>oracle_subscriber_automated_test</task_name>
        <handler>com.perspectium.replicator.sql.SQLSubscriber</handler>
        <decryption_key>some_decryption_key_here</decryption_key>
        <message_connection user="USER" password="PASSWORD" queue="psp.out.replicator.dev1234">https://URL.perspectium.net</message_connection>
        <use_cache/>
        <instance_connection user="USER" password="PASSWORD">https://dev1234.service-now.com</instance_connection>
        <database_type>sqlserver</database_type>
        <database_port>1234</database_port>
        <database_server>SERVER_URL</database_server>
        <database_user>USER</database_user>
        <database_password>PASSWORD</database_password>
        <database_parms>lockTimeout=15000;queryTimeout=15</database_parms>
        <database>DATABASE_NAME</database>
        <skip_columns_log_interval>200</skip_columns_log_interval>
        <plugins>
          <plugin keystore="azure"
                  vault_tenant="12345678-ab12-ab12-ab12-123456789ab"
                  vault_url="https://url.vault.azure.net/"
                  vault_principal="12345678-ab12-ab12-ab12-123456789ab"
                  principal_secret="3213156165-adasdasd_a1s5d6a5s1d6a"
                  secret_name="some_secret_name"
                  keystore_password="efg123"
                  keystore_alias="128bitkey"
                  alias_password="abc123">com.perspectium.replicator.sql.plugin.SQLSubscriberDecryptColumnPlugin</plugin>
        </plugins>
      </task>
    </subscribe>
    <share>
      <task>
        <task_name>attachment_processor</task_name>
        <handler>com.perspectium.replicator.sql.subscriber.edge.SysAttachmentHandler</handler>
        <encryption_key>some_encryption_key_here</encryption_key>
        <message_connection user="USER" password="PASSWORD" queue="psp.out.replicator.dev5678">https://URL.perspectium.net</message_connection>
        <polling_interval>60</polling_interval>
        <max_writes_per_connect>1</max_writes_per_connect>
        <skip_queue/>
        <skip_report/>
        <topic>topic_here</topic>
        <type>type_here</type>
        <key>key_here</key>
        <name/>
        <database_type>sqlserver</database_type>
        <database_port>1234</database_port>
        <database_server>SERVER_URL</database_server>
        <database_user>USER</database_user>
        <database_password>PASSWORD</database_password>
        <database_parms>lockTimeout=15000;queryTimeout=15</database_parms>
        <database>DATABASE_NAME</database>
        <edge_encryption
            keystore="azure"
            vault_tenant="12345678-ab12-ab12-ab12-123456789ab"
            vault_url="https://url.vault.azure.net/"
            vault_principal="12345678-ab12-ab12-ab12-123456789ab"
            principal_secret="3213156165-adasdasd_a1s5d6a5s1d6a"
            secret_name="some_secret_name"
            keystore_password="efg123"
            keystore_alias="128bitkey"
            alias_password="abc123">true</edge_encryption>
      </task>
    </share>
  </agent>
</config>
```
If the keystore containing the encryption key is saved locally on a filesystem that the Agent has access to, add the following:

| Directive | Description | Required? | Example Value |
|---|---|---|---|
| `<plugin>` | Plugin that will decrypt Edge Encrypted replicated data. Its attributes are listed in the parameter table below. | Yes | See example below. |

| Parameter | Description |
|---|---|
| keystore | Specifies where the keystore is located. Value: local |
| keystore_path | File path to the keystore |
| keystore_password | Password for the keystore |
| keystore_alias | Name of the key alias |
| alias_password | Password for the key |

```xml
<config>
  <agent>
    <subscribe>
      <task>
        ...
        <plugin keystore="local"
                keystore_path="KEYSTORE_PATH_GOES_HERE"
                keystore_password="KEYSTORE_PASSWORD_GOES_HERE"
                keystore_alias="KEYSTORE_ALIAS_GOES_HERE"
                alias_password="ALIAS_PASSWORD_GOES_HERE">com.perspectium.replicator.sql.plugin.SQLSubscriberDecryptColumnPlugin</plugin>
      </task>
    </subscribe>
  </agent>
</config>
```
Example of a complete agent.xml configuration with the keystore on a local filesystem the Agent has access to (the `<plugins>` element is closed here; the subscribe task's decrypt plugin and the share task's `<edge_encryption>` directive both point at the same keystore file):

```xml
<?xml version="1.0" encoding="ISO-8859-1" ?>
<config>
  <agent>
    <max_reads_per_connect>1</max_reads_per_connect>
    <polling_interval>5</polling_interval>
    <test_mode/>
    <subscribe>
      <task>
        <polling_interval>5</polling_interval>
        <task_name>oracle_subscriber_automated_test</task_name>
        <handler>com.perspectium.replicator.sql.SQLSubscriber</handler>
        <decryption_key>some_decryption_key_here</decryption_key>
        <message_connection user="USER" password="PASSWORD" queue="psp.out.replicator.dev1234">https://URL.perspectium.net</message_connection>
        <use_cache/>
        <instance_connection user="USER" password="PASSWORD">https://dev1234.service-now.com</instance_connection>
        <database_type>sqlserver</database_type>
        <database_port>1234</database_port>
        <database_server>SERVER_URL</database_server>
        <database_user>USER</database_user>
        <database_password>PASSWORD</database_password>
        <database_parms>lockTimeout=15000;queryTimeout=15</database_parms>
        <database>DATABASE_NAME</database>
        <skip_columns_log_interval>200</skip_columns_log_interval>
        <plugins>
          <plugin keystore="local"
                  keystore_path="abcdefg"
                  keystore_password="efg123"
                  keystore_alias="128bitkey"
                  alias_password="abc123">com.perspectium.replicator.sql.plugin.SQLSubscriberDecryptColumnPlugin</plugin>
        </plugins>
      </task>
    </subscribe>
    <share>
      <task>
        <task_name>attachment_processor</task_name>
        <handler>com.perspectium.replicator.sql.subscriber.edge.SysAttachmentHandler</handler>
        <encryption_key>some_encryption_key_here</encryption_key>
        <message_connection user="USER" password="PASSWORD" queue="psp.out.replicator.dev5678">https://URL.perspectium.net</message_connection>
        <polling_interval>60</polling_interval>
        <max_writes_per_connect>1</max_writes_per_connect>
        <skip_queue/>
        <skip_report/>
        <topic>topic_here</topic>
        <type>type_here</type>
        <key>key_here</key>
        <name/>
        <database_type>sqlserver</database_type>
        <database_port>1234</database_port>
        <database_server>SERVER_URL</database_server>
        <database_user>USER</database_user>
        <database_password>PASSWORD</database_password>
        <database_parms>lockTimeout=15000;queryTimeout=15</database_parms>
        <database>DATABASE_NAME</database>
        <edge_encryption
            keystore="local"
            keystore_path="abcdefg"
            keystore_password="efg123"
            keystore_alias="128bitkey"
            alias_password="abc123">true</edge_encryption>
      </task>
    </share>
  </agent>
</config>
```
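Because the decrypt plugin fails only at run time when an attribute is missing or still holds a template placeholder, it is worth checking agent.xml before starting the Agent. The script below is an added example, not Perspectium code: it reads the `<plugin>` and `<edge_encryption>` directives from both the Azure Key Vault and local-keystore sections above, verifies that the attribute set the parameter tables list for the chosen `keystore` value is complete, flags leftover `_GOES_HERE` placeholders and attributes that belong to the other mode, and (because the file carries keystore and key passwords in cleartext) reports an agent.xml that other users on the host can read. The sample XML, the task names `sub_task` and `share_task`, and the path `/opt/agent/edge_keystore` are constructed for the example; the `check_config_file` helper is hypothetical and not part of the Agent. No keystore or key vault is opened.

```python
"""Pre-flight check of Edge Encryption keystore attributes in a DataSync Agent agent.xml.

Added example (not Perspectium code).  Inspects each <plugin> naming the
SQLSubscriberDecryptColumnPlugin and each <edge_encryption> element; reads XML only.
"""
import os
import stat
import xml.etree.ElementTree as ET

DECRYPT_PLUGIN = "com.perspectium.replicator.sql.plugin.SQLSubscriberDecryptColumnPlugin"

# Attributes required for each keystore location, as listed in the parameter tables.
REQUIRED = {
    "azure": ("vault_tenant", "vault_url", "vault_principal", "principal_secret",
              "secret_name", "keystore_password", "keystore_alias", "alias_password"),
    "local": ("keystore_path", "keystore_password", "keystore_alias", "alias_password"),
}


def _check_keystore_attrs(elem, where):
    """Return findings for one <plugin> or <edge_encryption> element."""
    findings = []
    mode = elem.get("keystore")
    if mode not in REQUIRED:
        findings.append(f'{where}: keystore must be "azure" or "local", got {mode!r}')
        return findings
    for attr in REQUIRED[mode]:
        value = elem.get(attr)
        if not value:
            findings.append(f"{where}: missing required attribute {attr} for keystore={mode}")
        elif value.endswith("_GOES_HERE"):
            findings.append(f"{where}: {attr} still holds the template placeholder")
    # Attributes from the other mode usually mean the template was only half edited.
    other = "local" if mode == "azure" else "azure"
    for attr in REQUIRED[other]:
        if attr not in REQUIRED[mode] and elem.get(attr) is not None:
            findings.append(f"{where}: attribute {attr} does not apply to keystore={mode}")
    url = elem.get("vault_url")
    if mode == "azure" and url and not url.startswith("https://"):
        findings.append(f"{where}: vault_url should be an https:// URL")
    return findings


def check_agent_xml(xml_text):
    """Return a list of findings for the whole agent.xml; an empty list means it passed."""
    root = ET.fromstring(xml_text)
    findings = []
    for task in root.iter("task"):
        name = task.findtext("task_name", default="<unnamed task>")
        for plugin in task.iter("plugin"):
            if (plugin.text or "").strip() == DECRYPT_PLUGIN:
                findings.extend(_check_keystore_attrs(plugin, f"task {name} <plugin>"))
        for edge in task.iter("edge_encryption"):
            findings.extend(_check_keystore_attrs(edge, f"task {name} <edge_encryption>"))
    return findings


def is_private_mode(st_mode):
    """True when a file mode grants no group or other permissions (for example 0600)."""
    return (st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_config_file(path):
    """Hypothetical wrapper: run the XML checks on a file and flag it if other users can read it."""
    with open(path, "rb") as fh:
        findings = check_agent_xml(fh.read())
    if not is_private_mode(os.stat(path).st_mode):
        findings.append(f"{path}: readable by group/other; restrict it to the Agent's user (chmod 600)")
    return findings


# Constructed sample (not from a real deployment): the subscribe task's Azure plugin
# still carries a template placeholder; the share task's local keystore is complete.
SAMPLE_AGENT_XML = """<config>
  <agent>
    <subscribe>
      <task>
        <task_name>sub_task</task_name>
        <plugins>
          <plugin keystore="azure"
                  vault_tenant="12345678-ab12-ab12-ab12-123456789ab"
                  vault_url="https://url.vault.azure.net/"
                  vault_principal="12345678-ab12-ab12-ab12-123456789ab"
                  principal_secret="PRINCIPAL_SECRET_GOES_HERE"
                  secret_name="some_secret_name"
                  keystore_password="efg123"
                  keystore_alias="128bitkey"
                  alias_password="abc123">com.perspectium.replicator.sql.plugin.SQLSubscriberDecryptColumnPlugin</plugin>
        </plugins>
      </task>
    </subscribe>
    <share>
      <task>
        <task_name>share_task</task_name>
        <edge_encryption keystore="local"
                         keystore_path="/opt/agent/edge_keystore"
                         keystore_password="efg123"
                         keystore_alias="128bitkey"
                         alias_password="abc123">true</edge_encryption>
      </task>
    </share>
  </agent>
</config>
"""

if __name__ == "__main__":
    for line in check_agent_xml(SAMPLE_AGENT_XML) or ["no findings"]:
        print(line)
```

Run against the sample, the script reports the one placeholder left in the Azure plugin and nothing for the local `<edge_encryption>` directive. Point `check_config_file` at a real agent.xml to get the same attribute findings plus a warning when the file's group or other permission bits are set.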