The DataSync Agent can be configured to decrypt ServiceNow records with data encrypted using Edge Encryption. Perspectium provides support for records encrypted using the AES-128 and AES-256 options.


Prerequisites


Warning: First, you will need to set up one of the Perspectium DataSync Agents.

Warning: Stop your DataSync Agent before making any Agent configuration changes.


The DataSync Agent provides a plugin that decrypts data that is Edge Encrypted. To use it, you will need the following:

  1. Edge Encryption enabled in your ServiceNow instance
  2. Edge Encryption proxy server installed and configured
  3. The keystore containing the encryption key used for Edge Encryption. This keystore can be stored in an Azure Key Vault or on a local filesystem that the Agent has access to.

With this information available, add the following configuration directives to your task definition within your agent.xml file.

Note: all attributes are required to access the key vault and open the keystore from the Azure Key Vault.

If the keystore containing the encryption key is saved in an Azure Key Vault, add the following:

Directive: <plugin>

Description: Plugin that will decrypt Edge Encrypted replicated data. The plugin element takes the following parameters as attributes:

  • keystore: Specifies where the keystore is located. Value: azure
  • vault_tenant: tenant_id for the Azure Key Vault containing the keystore*
  • vault_url: URL to the Azure Key Vault*
  • vault_principal: principal_id for the Azure Key Vault*
  • principal_secret: Password for the Azure Key Vault*
  • secret_name: Name of the keystore^
  • keystore_password: Password for the keystore^
  • keystore_alias: Name of the key alias^
  • alias_password: Password for the key^

*See Authentication in Azure Key Vault for more information on these configurations.

^See Edge Encryption properties for more information on these configurations.


<config>
    <agent>
        <subscribe>
            <task>
                ...
                <plugin keystore="azure"
                        vault_tenant="VAULT_TENANT_GOES_HERE"
                        vault_url="VAULT_URL_GOES_HERE"
                        vault_principal="VAULT_PRINCIPAL_GOES_HERE"
                        principal_secret="PRINCIPAL_SECRET_GOES_HERE"
                        secret_name="SECRET_NAME_GOES_HERE"
                        keystore_password="KEYSTORE_PASSWORD_GOES_HERE"
                        keystore_alias="KEYSTORE_ALIAS_GOES_HERE"
                        alias_password="ALIAS_PASSWORD_GOES_HERE">com.perspectium.replicator.sql.plugin.SQLSubscriberDecryptColumnPlugin</plugin>
            </task>
        </subscribe>
    </agent>
</config>


Required: Yes. Example value: see the complete example below.

Example of a complete agent.xml configuration with the keystore in an Azure Key Vault:

<?xml version="1.0" encoding="ISO-8859-1" ?>
<config>
    <agent>
        <max_reads_per_connect>1</max_reads_per_connect>
        <polling_interval>5</polling_interval>
        <test_mode/>
        <subscribe>
            <task>
                <polling_interval>5</polling_interval>
                <task_name>oracle_subscriber_automated_test</task_name>
                <handler>com.perspectium.replicator.sql.SQLSubscriber</handler>
                <decryption_key>some_decryption_key_here</decryption_key>
                <message_connection user="USER" password="PASSWORD" queue="psp.out.replicator.dev1234">https://URL.perspectium.net</message_connection>
                <use_cache/>
                <instance_connection user="USER" password="PASSWORD">https://dev1234.service-now.com</instance_connection>
                <database_type>sqlserver</database_type>
                <database_port>1234</database_port>
                <database_server>SERVER_URL</database_server>
                <database_user>USER</database_user>
                <database_password>PASSWORD</database_password>
                <database_parms>lockTimeout=15000;queryTimeout=15</database_parms>
                <database>DATABASE_NAME</database>
                <skip_columns_log_interval>200</skip_columns_log_interval>
                <plugins>
                    <plugin keystore="azure"
                            vault_tenant="12345678-ab12-ab12-ab12-123456789ab"
                            vault_url="https://url.vault.azure.net/"
                            vault_principal="12345678-ab12-ab12-ab12-123456789ab"
                            principal_secret="3213156165-adasdasd_a1s5d6a5s1d6a"
                            secret_name="some_secret_name"
                            keystore_password="efg123"
                            keystore_alias="128bitkey"
                            alias_password="abc123">com.perspectium.replicator.sql.plugin.SQLSubscriberDecryptColumnPlugin</plugin>
                </plugins>
            </task>
        </subscribe>
        <share>
            <task>
                <task_name>attachment_processor</task_name>
                <handler>com.perspectium.replicator.sql.subscriber.edge.SysAttachmentHandler</handler>
                <encryption_key>some_encryption_key_here</encryption_key>
                <message_connection user="USER" password="PASSWORD" queue="psp.out.replicator.dev5678">https://URL.perspectium.net</message_connection>
                <polling_interval>60</polling_interval>
                <max_writes_per_connect>1</max_writes_per_connect>
                <skip_queue/>
                <skip_report/>
                <topic>topic_here</topic>
                <type>type_here</type>
                <key>key_here</key>
                <name/>
                <database_type>sqlserver</database_type>
                <database_port>1234</database_port>
                <database_server>SERVER_URL</database_server>
                <database_user>USER</database_user>
                <database_password>PASSWORD</database_password>
                <database_parms>lockTimeout=15000;queryTimeout=15</database_parms>
                <database>DATABASE_NAME</database>
                <edge_encryption
                        keystore="azure"
                        vault_tenant="12345678-ab12-ab12-ab12-123456789ab"
                        vault_url="https://url.vault.azure.net/"
                        vault_principal="12345678-ab12-ab12-ab12-123456789ab"
                        principal_secret="3213156165-adasdasd_a1s5d6a5s1d6a"
                        secret_name="some_secret_name"
                        keystore_password="efg123"
                        keystore_alias="128bitkey"
                        alias_password="abc123">true</edge_encryption>
            </task>
        </share>
    </agent>
</config>


If the keystore containing the encryption key is saved locally in the filesystem that the Agent has access to, add the following:

Directive: <plugin>

Description: Plugin that will decrypt Edge Encrypted replicated data. The plugin element takes the following parameters as attributes:

  • keystore: Specifies where the keystore is located. Value: local
  • keystore_path: File path to the keystore^
  • keystore_password: Password for the keystore^
  • keystore_alias: Name of the key alias^
  • alias_password: Password for the key^

^See Edge Encryption properties for more information on these configurations.


<config>
    <agent>
        <subscribe>
            <task>
                ...
                <plugin keystore="local"
                        keystore_path="KEYSTORE_PATH_GOES_HERE"
                        keystore_password="KEYSTORE_PASSWORD_GOES_HERE"
                        keystore_alias="KEYSTORE_ALIAS_GOES_HERE"
                        alias_password="ALIAS_PASSWORD_GOES_HERE">com.perspectium.replicator.sql.plugin.SQLSubscriberDecryptColumnPlugin</plugin>
            </task>
        </subscribe>
    </agent>
</config>

Required: Yes. Example value: see the complete example below.

Example of a complete agent.xml configuration with the keystore in a local filesystem the Agent has access to:

<?xml version="1.0" encoding="ISO-8859-1" ?>
<config>
    <agent>
        <max_reads_per_connect>1</max_reads_per_connect>
        <polling_interval>5</polling_interval>
        <test_mode/>
        <subscribe>
            <task>
                <polling_interval>5</polling_interval>
                <task_name>oracle_subscriber_automated_test</task_name>
                <handler>com.perspectium.replicator.sql.SQLSubscriber</handler>
                <decryption_key>some_decryption_key_here</decryption_key>
                <message_connection user="USER" password="PASSWORD" queue="psp.out.replicator.dev1234">https://URL.perspectium.net</message_connection>
                <use_cache/>
                <instance_connection user="USER" password="PASSWORD">https://dev1234.service-now.com</instance_connection>
                <database_type>sqlserver</database_type>
                <database_port>1234</database_port>
                <database_server>SERVER_URL</database_server>
                <database_user>USER</database_user>
                <database_password>PASSWORD</database_password>
                <database_parms>lockTimeout=15000;queryTimeout=15</database_parms>
                <database>DATABASE_NAME</database>
                <skip_columns_log_interval>200</skip_columns_log_interval>
                <plugins>
                    <plugin keystore="local"
                            keystore_path="abcdefg"
                            keystore_password="efg123"
                            keystore_alias="128bitkey"
                            alias_password="abc123">com.perspectium.replicator.sql.plugin.SQLSubscriberDecryptColumnPlugin</plugin>
                </plugins>
            </task>
        </subscribe>
    </agent>
</config>
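Because agent.xml carries the vault principal secret and the keystore and key passwords in clear text, it is worth checking a task's <plugin> directive before starting the Agent. The following Python script is an added example, not Perspectium's code: it reads the <plugin keystore="..."> attributes from an agent.xml, checks that every attribute the tables above list for the chosen keystore location (azure or local) is present and no longer holds a _GOES_HERE placeholder, confirms that a local keystore_path points at an existing file, checks that vault_url uses https, and reports whether the agent.xml file itself is readable by other users. The function names, the sample configurations and the placeholder keystore file it writes are constructed for this demo; only the attribute names and the plugin class come from this page.

```python
"""Added example (not Perspectium code): sanity-check the Edge Encryption <plugin>
directive in agent.xml before starting the DataSync Agent."""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

DECRYPT_PLUGIN = "com.perspectium.replicator.sql.plugin.SQLSubscriberDecryptColumnPlugin"
# Attributes required for each keystore location, per the tables on this page.
REQUIRED = {
    "azure": ("vault_tenant", "vault_url", "vault_principal", "principal_secret",
              "secret_name", "keystore_password", "keystore_alias", "alias_password"),
    "local": ("keystore_path", "keystore_password", "keystore_alias", "alias_password"),
}


def check_plugin(elem):
    """Return the problems found in one <plugin keystore="..."> element ([] = OK)."""
    mode = elem.get("keystore")
    if mode not in REQUIRED:
        return [f"keystore must be 'azure' or 'local', got {mode!r}"]
    problems = []
    if (elem.text or "").strip() != DECRYPT_PLUGIN:
        problems.append(f"plugin class should be {DECRYPT_PLUGIN}")
    for attr in REQUIRED[mode]:
        value = (elem.get(attr) or "").strip()
        if not value:
            problems.append(f"missing attribute {attr} (required for keystore='{mode}')")
        elif value.endswith("_GOES_HERE"):
            problems.append(f"attribute {attr} still holds the template placeholder")
    path = elem.get("keystore_path", "")
    if mode == "local" and path and not os.path.isfile(path):
        problems.append(f"keystore_path {path!r} is not an existing file")
    url = elem.get("vault_url", "")
    if mode == "azure" and url and not url.startswith("https://"):
        problems.append("vault_url must be an https:// URL")
    return problems


def check_agent_xml(xml_text):
    """Validate every keystore-bearing <plugin> in agent.xml content (str or bytes)."""
    problems = []
    for task in ET.fromstring(xml_text).iter("task"):
        name = task.findtext("task_name", default="<unnamed task>")
        for plugin in task.iter("plugin"):
            if plugin.get("keystore") is not None:  # other plugin types are out of scope
                problems.extend(f"task {name}: {p}" for p in check_plugin(plugin))
    return problems


def has_loose_permissions(path):
    """True if the file mode grants group or others any access (POSIX semantics)."""
    return bool(os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO))


def check_agent_file(path):
    """Validate agent.xml on disk; it holds secrets, so also flag loose permissions."""
    with open(path, "rb") as fh:
        problems = check_agent_xml(fh.read())
    if has_loose_permissions(path):
        problems.append(f"{path} is readable by group or others but contains secrets")
    return problems


# Constructed samples (values are made up, not taken from any real deployment).
PLUGIN_OPEN = ('<config><agent><subscribe><task><task_name>{name}</task_name>'
               '<plugin keystore="{mode}" ')
PLUGIN_CLOSE = '>' + DECRYPT_PLUGIN + '</plugin></task></subscribe></agent></config>'
AZURE_WITH_PLACEHOLDERS = (PLUGIN_OPEN.format(name="azure_subscriber", mode="azure")
    + 'vault_tenant="VAULT_TENANT_GOES_HERE" vault_url="https://example.vault.azure.net/" '
    + 'vault_principal="00000000-0000-0000-0000-000000000000" '
    + 'principal_secret="PRINCIPAL_SECRET_GOES_HERE" secret_name="agent-keystore" '
    + 'keystore_password="efg123" keystore_alias="128bitkey" alias_password="abc123"'
    + PLUGIN_CLOSE)
LOCAL_INCOMPLETE = (PLUGIN_OPEN.format(name="local_subscriber", mode="local")
    + 'keystore_path="/nonexistent/agent.p12" keystore_password="efg123" '
    + 'keystore_alias="128bitkey"' + PLUGIN_CLOSE)  # alias_password is missing


def demo():
    """Run the checks on the constructed samples and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        keystore = os.path.join(tmp, "agent.p12")
        with open(keystore, "wb") as fh:
            fh.write(b"placeholder bytes, not a real keystore")
        cfg = os.path.join(tmp, "agent.xml")
        with open(cfg, "w") as fh:
            fh.write(PLUGIN_OPEN.format(name="local_subscriber", mode="local")
                     + f'keystore_path="{keystore}" keystore_password="efg123" '
                     + 'keystore_alias="128bitkey" alias_password="abc123"' + PLUGIN_CLOSE)
        os.chmod(cfg, 0o644)
        world_readable = check_agent_file(cfg)  # one finding: permissions
        os.chmod(cfg, 0o600)
        owner_only = check_agent_file(cfg)      # clean
    return {"azure_placeholders": check_agent_xml(AZURE_WITH_PLACEHOLDERS),
            "local_incomplete": check_agent_xml(LOCAL_INCOMPLETE),
            "local_file_0644": world_readable,
            "local_file_0600": owner_only}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "OK")
```

Run it against a real deployment with check_agent_file("/path/to/agent.xml") before starting the Agent; an empty list means the plugin directive is complete for its keystore location and the file is readable only by its owner. The script deliberately never prints attribute values, so its output can be pasted into a ticket without disclosing the secrets it inspects.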


If you want to use attachment handling with Edge Encryption so that the attachments are each saved as a complete file, see Merging Attachments in the Database.


