The DataSync Agent provides a plugin that decrypts data encrypted with Edge Encryption. To decrypt this data, you will need the following:
- Edge Encryption enabled in your ServiceNow instance
- Edge Encryption proxy server installed and configured
- Keystore containing the encryption key used for Edge Encryption. This keystore can be stored in Azure Key Vault (cloud key management) or locally on a filesystem the Agent has access to.
With this information available, add the following configuration directives to your task definition within your agent.xml file:
For Azure Key Vault, add the following. All attributes are required to access the keystore from the Azure Key Vault.
Directive | Parameters | Required? | Example Value
---|---|---|---
<plugin> | Plugin that will decrypt Edge Encrypted replicated data. | Yes | See example below.

*See Authentication in Azure Key Vault for more information on these configurations.

^See Edge Encryption properties for more information on these configurations.

```xml
<config>
  <agent>
    <subscribe>
      <task>
        ...
        <plugin keystore="azure"
                vault_tenant="VAULT_TENANT_GOES_HERE"
                vault_url="VAULT_URL_GOES_HERE"
                vault_principal="VAULT_PRINCIPAL_GOES_HERE"
                principal_secret="PRINCIPAL_SECRET_GOES_HERE"
                secret_name="SECRET_NAME_GOES_HERE"
                keystore_password="KEYSTORE_PASSWORD_GOES_HERE"
                keystore_alias="KEYSTORE_ALIAS_GOES_HERE"
                alias_password="ALIAS_PASSWORD_GOES_HERE">com.perspectium.replicator.sql.plugin.SQLSubscriberDecryptColumnPlugin</plugin>
      </task>
    </subscribe>
  </agent>
</config>
```
If the keystore containing the encryption key is saved locally in the filesystem that the Agent has access to, add the following:
Directive | Description | Required? | Example Value
---|---|---|---
<plugin> | Plugin that will decrypt Edge Encrypted replicated data. | Yes | See example below.

^See Edge Encryption properties for more information on these configurations.

```xml
<config>
  <agent>
    <subscribe>
      <task>
        ...
        <plugin keystore="local"
                keystore_path="KEYSTORE_PATH_GOES_HERE"
                keystore_password="KEYSTORE_PASSWORD_GOES_HERE"
                keystore_alias="KEYSTORE_ALIAS_GOES_HERE"
                alias_password="ALIAS_PASSWORD_GOES_HERE">com.perspectium.replicator.sql.plugin.SQLSubscriberDecryptColumnPlugin</plugin>
      </task>
    </subscribe>
  </agent>
</config>
```
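A pre-start check for the two `<plugin>` forms above, as an added example (not Perspectium's code): it confirms that every attribute shown on this page is present for the chosen keystore mode, flags `*_GOES_HERE` placeholders left in place, and reports whether agent.xml, which holds these passwords in clear text, is readable by group or other. The function names and sample values are assumptions, as is treating all four attributes of the local example as required.

```python
import os
import stat
import xml.etree.ElementTree as ET

PLUGIN_CLASS = "com.perspectium.replicator.sql.plugin.SQLSubscriberDecryptColumnPlugin"
# Attribute names copied from the two <plugin> examples on this page.
COMMON = {"keystore_password", "keystore_alias", "alias_password"}
REQUIRED = {
    "azure": COMMON | {"vault_tenant", "vault_url", "vault_principal",
                       "principal_secret", "secret_name"},
    "local": COMMON | {"keystore_path"},  # assumption: all four are required
}

def check_decrypt_plugin(agent_xml):
    """Return a list of problems in the decrypt plugin's attributes."""
    root = ET.fromstring(agent_xml)
    plugins = [p for p in root.iter("plugin")
               if (p.text or "").strip() == PLUGIN_CLASS]
    if not plugins:
        return ["decrypt plugin not found"]
    problems = []
    for p in plugins:
        mode = p.get("keystore")
        if mode not in REQUIRED:
            problems.append(f"keystore={mode!r}: expected 'azure' or 'local'")
            continue
        for name in sorted(REQUIRED[mode]):
            value = (p.get(name) or "").strip()
            if not value:
                problems.append(f"{mode}: missing attribute {name}")
            elif value.endswith("_GOES_HERE"):
                problems.append(f"{mode}: placeholder left in {name}")
    return problems

def readable_by_others(path):
    """True if group or other can read the file holding these secrets."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

# Constructed sample: local mode, one placeholder left in, one attribute missing.
SAMPLE = """<config><agent><subscribe><task>
  <plugin keystore="local" keystore_path="/path/to/keystore"
          keystore_password="KEYSTORE_PASSWORD_GOES_HERE"
          keystore_alias="edgekey">""" + PLUGIN_CLASS + """</plugin>
</task></subscribe></agent></config>"""

if __name__ == "__main__":
    for problem in check_decrypt_plugin(SAMPLE):
        print(problem)
```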
If you want to use attachment handling with edge encryption so the attachments are each saved as a complete file, see Merging Attachments in the Database.