RCA records fail to validate the signatures associated with them. For instance, when a new Log Export Service source record is created, the error below appears because of restricted cross-scope privilege access.

Error:
"Execute operation on script include 'LoggerConfiguration' from scope 'Log Export Service' was denied. The application 'Log Export Service' must declare a cross scope access privilege. Please contact the application admin to update their access requests."
"Something went wrong with the configuration setup. Please try again later by setting active to true and updating the record."

Steps to Reproduce
a) Activate the LES Source for sys_audit (https://instancexxxx.service-now.com/nav_to.do?uri=sn_logstoanalytics_source.do?sys_id=xxxxxxx).
b) Check the property glide.db.audit.lazy and confirm it is set to true (https://instancexxxx.service-now.com/nav_to.do?uri=sys_properties.do?sys_id=8e32bea61b3e215036ac10e69b4bcb32) (should be set to true according).
c) Update a CSM case, Incident or Problem so that a sys_audit record is created: for example, change the priority so that an audit record is logged.
d) Go to the Topic Inspector, select the LES topic and check whether new messages are available for the last few minutes.
e) Once you have tried to activate the LES source, you will see the error "Execute operation on script include 'LoggerConfiguration' from scope 'Log Export Service' was denied. The application 'Log Export Service' must declare a cross scope access privilege. Please contact the application admin to update their access requests".
The problem has been fixed. If you can upgrade, please review the Fixed In section at the bottom of the KB and upgrade to a version that has a permanent fix. If you cannot upgrade at this time, please apply the workaround below.
Run the script below (as a background script) to fix the issue.

    (function () {
        // Step 1: Print the current signature status.
        var startTime = new GlideDateTime();

        // Validate and print the status of all sys_restricted_caller_access record signatures.
        // Every failed validation writes a "Cannot just-in-time load the signature record" error to syslog.
        validateAndPrintStatus();

        // Step 2: Extract the signature record sys_ids from syslog.
        var signatureRecordSysIds = [];

        var logGr = new GlideRecord("syslog");
        logGr.addQuery("sys_created_by", gs.getUserName());
        // If there are still invalid signatures after running this script, comment out the line below
        // so that older failure messages are picked up as well.
        logGr.addQuery("sys_created_on", ">=", startTime.getValue());
        logGr.addQuery("level", 2); // error
        logGr.addQuery("source", "com.glide.ui.ServletErrorListener").addOrCondition("source", "Code Signing");
        logGr.query();

        while (logGr.next()) {
            var message = logGr.getValue("message");
            gs.log("***message***" + message);
            var signatureIdMap = extractIds(message);
            if (signatureIdMap) {
                signatureRecordSysIds.push(signatureIdMap.signatureRecordSysId);
            }
        }

        if (signatureRecordSysIds.length === 0) {
            gs.log("No invalid signature records found in syslog");
            return;
        } else {
            gs.log("Invalid signature records found in syslog: " + signatureRecordSysIds + "; fixing them..");
        }

        // Step 3: Append the entries to sn_cs_plugin_signatures.
        var pluginId = "com.glide.code_signing";
        var pluginGr = new GlideRecord("sn_cs_plugin_signatures");
        pluginGr.addQuery("plugin_id", pluginId);
        pluginGr.query();
        if (!pluginGr.next()) {
            gs.log("Plugin not found: " + pluginId);
            return;
        }
        gs.log("***Found plugin***: " + pluginId);

        // Append the new signatures, ensuring no duplicates.
        // The field may be empty, so fall back to "" before splitting.
        var existingSignatures = (pluginGr.getValue("signatures") || "").split(":");
        var signatureArray = existingSignatures.concat(signatureRecordSysIds);
        var uniqueSignatures = signatureArray.filter(function (item, pos) {
            // Keep the first occurrence of each id and drop empty entries.
            return item.length > 0 && signatureArray.indexOf(item) === pos;
        });
        pluginGr.setValue("signatures", uniqueSignatures.join(":"));
        pluginGr.update();

        // Helper functions

        // Validate every sys_restricted_caller_access record and log the result.
        function validateAndPrintStatus() {
            var gr = new GlideRecord("sys_restricted_caller_access");
            gr.query();
            while (gr.next()) {
                var sysId = gr.getValue("sys_id");
                var isValid = isRecordTrusted(sysId);
                gs.info(sysId + " -> " + (isValid ? "valid" : "invalid"));
            }
        }

        // Parse a signature-failure syslog message into its document and signature record sys_ids.
        function extractIds(logMessage) {
            var regex = /Cannot just-in-time load the signature record: Couldn't find pluginId for documentId: (\w+) with signatureRecordSysId: (\w+)/;
            var match = logMessage.match(regex);
            if (match) {
                return {
                    documentId: match[1],
                    signatureRecordSysId: match[2]
                };
            }
            return null;
        }

        // Check the code-signing trust of one sys_restricted_caller_access record.
        function isRecordTrusted(sysId) {
            var api = new sn_cs_ns.CodeSigningAPI();
            return api.isRecordTrusted("sys_restricted_caller_access", sysId, "access_control_evaluation");
        }
    })();

Explanation of the above script:

sys_restricted_caller_access:
- Record the start time.
- Loop through all sys_restricted_caller_access records. For each record, extract its sys_id and verify the signature using the isRecordTrusted() API.
- Each signature failure is recorded in syslog.

syslog:
- Query the syslog table with the following conditions: sys_created_by is the current user; sys_created_on >= start time; level is 2 (error); source is com.glide.ui.ServletErrorListener or Code Signing.
- Read the messages from the query results. For each message, extract the expected signature sys_id using a regular expression that matches the signature failure message, and add the signatureRecordSysId to an array.
- Serialize the array into a colon-separated string.

sn_cs_plugin_signatures:
- In the sn_cs_plugin_signatures table, check that the record with plugin_id com.glide.code_signing exists.
- Append the serialized signature sys_ids to its signatures field, ensuring no duplicate entries.
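To check the log-parsing and merge logic of the workaround outside the instance, here is an added stand-alone example (not the KB's script): it runs the same regular expression over constructed syslog messages and merges the extracted ids into an existing colon-separated signatures value, handling an empty field, non-matching messages, and a repeated run. The sys_ids in the sample messages are made up for the example.

```javascript
// Added example, not the KB's own script: the regex and merge logic of the
// workaround, isolated so they can be exercised offline on constructed input.
var SIGNATURE_FAILURE_RE =
  /Cannot just-in-time load the signature record: Couldn't find pluginId for documentId: (\w+) with signatureRecordSysId: (\w+)/;

// Parse one syslog message; returns {documentId, signatureRecordSysId} or null.
function extractIds(message) {
  var match = SIGNATURE_FAILURE_RE.exec(message);
  return match ? { documentId: match[1], signatureRecordSysId: match[2] } : null;
}

// Collect signature record sys_ids from a batch of messages, in order,
// skipping messages that are not signature failures and repeated ids.
function collectSignatureIds(messages) {
  var ids = [];
  messages.forEach(function (m) {
    var parsed = extractIds(m);
    if (parsed && ids.indexOf(parsed.signatureRecordSysId) === -1) {
      ids.push(parsed.signatureRecordSysId);
    }
  });
  return ids;
}

// Merge new ids into the colon-separated 'signatures' field value.
// Tolerates a null/empty field and never duplicates an existing entry,
// so running the workaround twice leaves the field unchanged.
function mergeSignatures(existingField, newIds) {
  var merged = (existingField || "").split(":").filter(function (s) { return s.length > 0; });
  newIds.forEach(function (id) {
    if (merged.indexOf(id) === -1) merged.push(id);
  });
  return merged.join(":");
}

// Constructed sample syslog messages (sys_ids are made up).
var SAMPLE_LOG = [
  "Cannot just-in-time load the signature record: Couldn't find pluginId for documentId: aaaa0001 with signatureRecordSysId: bbbb0001",
  "Execute operation on script include 'LoggerConfiguration' from scope 'Log Export Service' was denied.",
  "Cannot just-in-time load the signature record: Couldn't find pluginId for documentId: aaaa0002 with signatureRecordSysId: bbbb0002",
  "Cannot just-in-time load the signature record: Couldn't find pluginId for documentId: aaaa0001 with signatureRecordSysId: bbbb0001"
];

// Apply the merge once, then again, to show the second run is a no-op.
function demo() {
  var ids = collectSignatureIds(SAMPLE_LOG);
  var once = mergeSignatures("cccc0001:bbbb0002", ids);
  var twice = mergeSignatures(once, ids);
  return { ids: ids, once: once, twice: twice };
}
```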
PRB1783883