
    Service Now End Customer–Partner Communication Overview

    A Service Now end customer establishes a connection with a Service Now partner using the HTTPS protocol. When a Service Now end customer initiates a request for communication with the Service Now partner, the Service Now partner provides a Secure Sockets Layer (SSL) certificate for the Service Now end customer to validate. Communication between the Service Now partner and the Service Now end customer is established after the Service Now end customer validates the certificate.

    Figure 1 depicts the communication of a Service Now partner with a Service Now end customer and Juniper Support System (JSS) using an SSL certificate.

    Figure 1: Service Now Partner Communicating with a Service Now End Customer and JSS Using SSL Certificate


    For information about using SSL certificates, see Certificate Management Overview.

    By default, Junos Space Service Now uses a self-signed SSL certificate provided by the Junos Space Network Management Platform to validate connections between a Service Now partner and a Service Now end customer. However, from Service Now Release 14.1R3, a Service Now partner can use a custom SSL certificate instead of the default self-signed certificate to secure communication with Service Now end customers.

    To secure the communication between a Service Now partner and a Service Now end customer, the following tasks must be performed:

    1. Generating CSR by Service Now Partner
    2. Obtaining Signature of a Certificate Authority
    3. Uploading the Certificate to Service Now Partner
    4. Obtaining the Intermediate Certificate (key) for Establishing Credibility of the SSL Certificate
    5. Obtaining SSL Certificate of the Service Now Partner

    Generating CSR by Service Now Partner

    To install a custom SSL certificate on the Service Now partner, you must first generate a Certificate Signing Request (CSR).

    To generate a CSR:

    1. Log in to the Junos Space Appliance.

      The Junos Space Settings Menu is displayed.

    2. Type 7 if the Junos Space Appliance is a virtual appliance or type 6 if the Junos Space Appliance is a hardware appliance to access the SSH shell.
    3. Change the directory to /etc/pki/tls.
      [root@host] cd /etc/pki/tls
    4. Open the openssl.cnf file and comment out all instances of subjectAltName=${ENV::SAN}.
      <snip>
      # subjectAltName=${ENV::SAN}
      <snip>
      
    5. Save the file.
    6. Generate a private key by executing the following command:
       
      server $ openssl genrsa -des3 -out server.key 1024
      Generating RSA private key, 1024 bit long modulus
      ......++++++
      .............++++++
      e is 65537 (0x10001)
      
      Where 1024 is the length of the key in bits and server.key is the name of the key file.
    7. Enter a pass phrase for the private key.
      Enter pass phrase for server.key:
      Verifying - Enter pass phrase for server.key:
      

    8. Generate a signing request using the private key and password.

      You are prompted to provide your details such as the state or province to which you belong, your locality, email address and so on.

      server $ openssl req -new -key server.key -out server.csr
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) [AU]:
      State or Province Name (full name) [Some-State]:NSW
      Locality Name (eg, city) []:Sydney
      Organization Name (eg, company) [Internet Widgits Pty Ltd]:Juniper
      Organizational Unit Name (eg, section) []:AS
      Common Name (e.g. server FQDN or YOUR name) []:he-man
      Email Address []:fred@juniper.net
      
      Please enter the following 'extra' attributes
      to be sent with your certificate request
      A challenge password []:fred1234
      An optional company name []:
      server $
      

      After this step is executed, you can find the following encrypted files in the /etc/pki/tls folder:

      • server.key—The private key for the SSL certificate.

        The following is a sample of the server.key file obtained by using the cat server.key command:

        server $ cat server.key
        -----BEGIN RSA PRIVATE KEY-----
        Proc-Type: 4,ENCRYPTED
        DEK-Info: DES-EDE3-CBC,019649A2E4BBCC4C
        
        <snip>
        -----END RSA PRIVATE KEY-----
        
        
      • server.csr—The CSR file to be signed by a Certificate Authority (CA).

        The following is a sample of the server.csr file obtained by using the cat server.csr command:

        server $ cat server.csr
        -----BEGIN CERTIFICATE REQUEST-----
        <snip>
        -----END CERTIFICATE REQUEST-----
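
    Before you send server.csr to the CA, you can confirm that it is well formed, that it was generated from server.key, and that the key is long enough. The following shell functions are an added example, not part of the Juniper procedure; the function names and the 2048-bit MIN_BITS threshold (the minimum RSA size that publicly trusted CAs accept) are assumptions of this example, so a 1024-bit key such as the sample above fails the size check.

```shell
#!/bin/sh
# Added example: sanity checks for a CSR before it is sent to the CA.
# MIN_BITS is an assumed policy value, not a Service Now setting.
MIN_BITS=${MIN_BITS:-2048}

# Print the size in bits of the public key embedded in the CSR.
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Succeed only if the CSR carries the public half of the given private key.
# PASSIN is optional and uses openssl's -passin syntax, e.g. file:/root/pw.
csr_matches_key() {   # usage: csr_matches_key CSR KEY [PASSIN]
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" ${3:+-passin "$3"} -pubout 2>/dev/null) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Run all checks; print one line per failure and return non-zero on any.
check_csr() {         # usage: check_csr CSR KEY [PASSIN]
    rc=0
    # Match on the text: some openssl releases exit 0 even when -verify fails.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: CSR self-signature does not verify"; rc=1; }
    bits=$(csr_key_bits "$1")
    [ "${bits:-0}" -ge "$MIN_BITS" ] ||
        { echo "FAIL: key is ${bits:-unknown} bits, need at least $MIN_BITS"; rc=1; }
    csr_matches_key "$1" "$2" "$3" ||
        { echo "FAIL: CSR was not generated from $2"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $(openssl req -in "$1" -noout -subject)"
    return "$rc"
}
```

    For example, run check_csr server.csr server.key in /etc/pki/tls; openssl asks for the pass phrase of the encrypted key unless you pass a third argument.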
        
        

    Obtaining Signature of a Certificate Authority

    The Service Now partner should get the server.csr file signed by a Certificate Authority (CA); for example, GeoTrust®. To get the server.csr file signed by a CA, contact a CA. A signed certificate has the .der or .pem extension.

    Note: Service Now supports signed certificates in the X.509 format only. We recommend that, when you request a CA to sign your certificate, you specify that you need the signed certificate in the X.509 format.

    After you receive the signed certificate, save it on your local system.

    Uploading the Certificate to Service Now Partner

    The signed server.csr file should be uploaded to the Junos Space Platform on which the Service Now partner is installed.

    For information about uploading a custom SSL certificate to Junos Space Platform, refer to Installing Custom SSL Certificate on Junos Space Server.

    Obtaining the Intermediate Certificate (key) for Establishing Credibility of the SSL Certificate

    Download the certificate key from the website of the CA from whom you obtained the signature for the SSL certificate; for example, https://www.geotrust.com/resources/root-certificates/ is the website of GeoTrust®.

    Ensure that you select the appropriate root certificate. The root certificate obtained from the CA should be uploaded to the Junos Space Platform using the Administration > CA/CRL Certificates navigation path of the Junos Space Platform GUI. For more information, see Certificate Management Overview.

    Obtaining SSL Certificate of the Service Now Partner

    To secure communication with the Service Now partner, a Service Now end customer should obtain and install the SSL certificate from the Service Now partner.

    Note: The procedure to obtain the SSL certificate of a Web server varies from one browser to another.

    To obtain the SSL certificate of the Service Now partner using Mozilla Firefox Web browser:

    1. Open Mozilla Firefox Web browser and enter the URL to access the Service Now partner.
    2. In the Web browser, click the padlock icon displayed before the URL.

      A dialog box with the information about the identity and security of the Service Now partner’s Web site appears.

    3. Click More Information.

      The Page Info dialog box appears.

    4. Click Security > View Certificate on the Page Info dialog box.

      The Certificate Viewer dialog box appears displaying the SSL certificate used by the Service Now partner.

    5. Click the Details > Export tab on the Certificate Viewer to export the SSL certificate.

      The Save To dialog box of the web browser appears.

    6. Save the certificate on your local system.

      Ensure that the certificate is an X.509 certificate (*.pem).

    To obtain the SSL certificate of the Service Now partner using CLI:

    1. Connect to the Virtual IP (VIP) node of the Junos Space cluster on which the Service Now partner is installed and configured.
    2. Type 7 if the Junos Space Appliance is a virtual appliance or type 6 if the Junos Space Appliance is a hardware appliance to access the SSH shell.
    3. Type the following from the command line:
      server $ echo "" | openssl s_client -connect <hostname>:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'  > cert.pem
      where <hostname> is the hostname of the Service Now partner.
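
    The command above saves whatever certificate the server presents, without authenticating it, so compare cert.pem with a fingerprint that the Service Now partner gives you over a separate channel before you install it. The following shell functions are an added example, not part of the Juniper procedure; the function names and the premise that the partner supplies a SHA-256 fingerprint are assumptions.

```shell
#!/bin/sh
# Added example: pin the fetched cert.pem to a fingerprint received out of band.

# Print the certificate's SHA-256 fingerprint as bare upper-case hex.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# Normalise a fingerprint as people paste it: colons, spaces, lower case.
normalise_fp() {
    printf '%s' "$1" | tr -d ': \t\n' | tr 'a-f' 'A-F'
}

# Succeed only if CERT has exactly the expected fingerprint.
cert_is_pinned() {    # usage: cert_is_pinned CERT EXPECTED_FINGERPRINT
    got=$(cert_fingerprint "$1")
    [ -n "$got" ] && [ "$got" = "$(normalise_fp "$2")" ]
}

# Succeed if CERT will not have expired SECONDS from now (default: now).
cert_valid_for() {    # usage: cert_valid_for CERT [SECONDS]
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Gate for installation: both checks must pass.
accept_partner_cert() {   # usage: accept_partner_cert CERT EXPECTED_FINGERPRINT
    cert_is_pinned "$1" "$2" || { echo "REJECT: fingerprint mismatch"; return 1; }
    cert_valid_for "$1" || { echo "REJECT: certificate has expired"; return 1; }
    echo "ACCEPT: $(openssl x509 -in "$1" -noout -subject -enddate | tr '\n' ' ')"
}
```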

    Modified: 2016-08-11