ServiceNow has identified a defect due to which attempts to discover certificates from different CA (Certificate Authority) providers such as DigiCert, Entrust, GoDaddy, etc. may fail because the MID Server is unable to decrypt Password2 fields. This defect is observed after upgrading to any of the affected versions: San Diego Patch 10 Hot Fix 1a, Tokyo Patch 7a, Tokyo Patch 8, Utah Patch 1 or above. Attempts to discover certificates may fail with Authentication Failure despite correct credentials being provided.

The error occurs when running a discovery against a CA. DigiCert is shown below as an example.

Input payload of pattern "DigiCert - Certificate Management":

    "status" : "GRACEFUL_TERMINATION",
    "message" : "Certificate List is Empty - Please check Credentials and Configurations (ca_api_url, ca_api_version, include_cert_status) Failed Condition(s): [(${certificate} : value=) IS NOT EMPTY ]",

MID agent logs may show:

    *** Script: Certificate list is empty.It might be a request limit exceeded or api server issue.Retrying based on mid property(mid.ca.certificate.api.request.rate.limit.delay) please wait.
    *** Script: Result is empty.

The issue may occur with any CA-based certificate discovery. It occurs because of a failure to send the credentials within the API request, which results in an authentication failure.
1. Upgrade the instance to an affected version (San Diego Patch 10 Hot Fix 1a or Tokyo Patch 7a or Tokyo Patch 8 or Utah Patch 1).
2. Install the Certificate Inventory and Management plugin.
3. Perform discovery against DigiCert or any other provider.
4. Observe a failure with an error/information message stating that the certificate list is empty.

This same discovery may have also worked before the instance upgrade with no changes made to configuration.

Note: The credential must also be confirmed to be correct, otherwise this may simply be an incorrect credential issue.
This problem has been fixed from Certificate Inventory and Management v3.0.6. If you are able to upgrade, review the Fixed In section to determine the latest version with a permanent fix your instance can be upgraded to.

The attached update set disables the current 'StrictReject' MAP (Module Access Policy) and creates a new MAP with 'Track' for the 'mid_server' role.

Note: Applying the Update Set Workaround is treated as a customization, and the corresponding records (Name: sys_kmf_crypto_caller_policy_3496bf7d0726301019f0782a9cd30062 and sys_kmf_crypto_caller_policy_9e6fd729db9ae15c849a60ecd3961917) are created in the Customer Update [sys_update_xml] table, where the Replace on upgrade field is set to false. Please refer to the product documentation to overwrite these customizations when upgrading to a fixed version later. During the upgrade process, the skipped upgrades should be reviewed and reverted for any records in the "sys_kmf_crypto_caller_policy" table within the "Certificate Inventory and Management" plugin. Not overwriting these customizations can prevent the instance from receiving any updates made to the corresponding records in later releases.
PRB1658670