The DataSync Agent can be configured to decrypt messages that have been published from a ServiceNow instance that is leveraging the ServiceNow Edge Encryption feature. Perspectium provides support for the Standard AES-128 and Standard AES-256 options.
Prerequisites
First, you will need to set up one of the Perspectium DataSync Agents.
You should stop running your DataSync Agent before making any Agent configuration changes.
Edge Encryption
In order to enable support for Edge Encrypted replicated data you must obtain configuration information that was defined in your ServiceNow Edge proxy configuration file edgeencryption.properties. The exception is the keystore password you created when you created the keystore. Once this information is available you'll use that information to populate your DataSync Agent's task configuration. The following table shows which proxy configuration directives are required and the associated replicator agent configuration directive.
| Edge Proxy directive | Agent directive |
|---|---|
| edgeencryption.encrypter.static.iv | initialization_vector |
| keystore password | keystore_password |
| edgeencryption.proxy.signature.keystore.keyalias | keystore_alias |
| edgeencryption.proxy.signature.keystore.password | alias_password |
With this information available add the following configuration directives to your task definition within your agent.xml file:
<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>
<config>
<agent>
<subscribe>
<task>
<task_name>example_subscribe</task_name>
<keystore_password>KEYSTORE_PASSWORD_GOES_HERE</keystore_password>
<keystore_alias>KEYSTORE_ALIAS_GOES_HERE</keystore_alias>
<alias_password>ALIAS_PASSWORD_GOES_HERE</alias_password>
<initialization_vector>INITIALIZATION_VECTOR_GOES_HERE</initialization_vector>
.
.
.
.
</task>
</subscribe>
</agent>
</config>
Additionally, you must obtain the keystore used by the ServiceNow proxy and place it within a directory called keystore within the Agent's root directory. The keystore file must be named keystore.jceks.
Edge Decryption
The Edge Decryption plugin will decrypt Edge Encrypted replicated datas when shared to the DataSync Agent. In order to support decryption, you will need the following:
- Edge Encryption enabled in your ServiceNow instance
- Set up the encryption configurations (see above, Edge Encryption)
- Keystore containing the encryption key must be saved locally or in an Azure Key Vault
With this information available add the following configuration directives to your task definition within your agent.xml file.
If the keystore containing the encryption key is saved in an Azure Key Vault, see the following:
<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>
<config>
<agent>
<subscribe>
<task>
<task_name>example_subscribe</task_name>
<plugin keystore="azure"
vault_tenant=""
vault_url=""
vault_principal=""
principal_secret=""
secret_name=""
keystore_password=""
keystore_alias=""
alias_password="ALIAS_PASSWORD_GOES_HERE"> com.perspectium.replicator.sql.plugin.SQLSubscriberDecryptColumnPlugin</plugin>
.
.
.
</task>
</subscribe>
</agent>
</config>
If the keystore containing the encryption key is saved locally, see the following:
<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>
<config>
<agent>
<subscribe>
<task>
<task_name>example_subscribe</task_name>
<plugin keystore="local"
keystore_path=""
keystore_password=""
keystore_alias=""
alias_password="ALIAS_PASSWORD_GOES_HERE"> com.perspectium.replicator.sql.plugin.SQLSubscriberDecryptColumnPlugin</plugin>
.
.
.
</task>
</subscribe>
</agent>
</config>
All attributes are required to access the key vault and open the keystore from the Azure vault.