AgentSkillsCN

servicenow-server-security

Secure outbound requests, encrypt sensitive data, and manage authentication credentials properly. This skill covers request signing, OAuth authentication, certificate encryption, key management, and cryptographic operations. Use it when you need to secure API communications, encrypt sensitive information, manage authentication credentials, implement OAuth flows, or perform cryptographic operations.

SKILL.md
---
name: servicenow-server-security
description: Secure outbound requests, encrypt sensitive data, and manage authentication credentials. Covers request signing, OAuth authentication, certificate encryption, key management, and cryptographic operations. Use when securing API communications, encrypting sensitive information, managing credentials, implementing OAuth flows, or performing cryptographic operations.
---

Server Security

Quick start

OAuth token management:

```javascript
var oauth = new sn_auth.GlideOAuthClient();
oauth.setCredentialId('credential_sys_id_here');

// Get a new access token and read its lifetime (seconds) so the token
// can be rotated before it expires
var token = oauth.getNewAccessToken();
var accessToken = token.getAccessToken();
var expiresIn = token.getExpiresIn();

// Exchange the refresh token for a new access token
var refreshed = oauth.refreshAccessToken('refresh_token_value');
```

Request signing (AWS, OAuth, custom):

```javascript
// Describe the outbound request that needs to be signed
var httpRequest = new sn_auth.HttpRequestData();
httpRequest.setMethod('GET');
httpRequest.setEndpoint('https://api.example.com/data');

// Reference the stored credential by sys_id; never paste secrets into scripts
var credential = new sn_auth.AuthCredential();
credential.setCredentialId('sys_id');

// Let the platform compute the signature/headers for the configured scheme
var signedRequest = new sn_auth.RequestAuthAPI()
    .generateAuth(credential, httpRequest);

var authedData = signedRequest.getAuthorizedRequest();
```

Data encryption:

```javascript
// Modern: Use Key Management Framework (KMF).
// The constructor takes the crypto module name and the operation to run;
// doOperation() takes the input data and returns the ciphertext.
var operation = new sn_kmf_ns.KMFCryptoOperation('module_name', 'SYMMETRIC_ENCRYPTION');

var encrypted = operation.doOperation('sensitive_data');
```

Certificate operations:

```javascript
var cert = new GlideCertificateEncryption();
// Sign with the private key, verify with the matching public key
var signature = cert.sign('data_to_sign', 'private_key');
var verified = cert.verify('signature', 'public_key', 'data');
```

Message digest (hash generation):

```javascript
// GlideDigest takes no constructor argument; the algorithm is chosen
// by the method called (getSHA256Hex, getSHA1Hex, getMD5Hex, ...)
var digest = new GlideDigest();
var hash = digest.getSHA256Hex('input_string');
```

Security APIs

| API | Purpose |
|---|---|
| GlideOAuthClient | OAuth token lifecycle |
| RequestAuthAPI | Request signing for APIs |
| AuthCredential | Credential management |
| GlideCertificateEncryption | Certificate operations |
| KMFCryptoOperation | Modern cryptography |
| GlideDigest | Hash generation |
| GlideEncrypter | Legacy encryption (deprecated) |

Best practices

  • Use credentials stored in discovery_credentials table
  • Never hardcode credentials or API keys
  • Use KMF for new cryptography needs
  • Validate SSL certificates in production
  • Rotate OAuth tokens before expiration
  • Use HMAC for message integrity verification
  • Test authentication flows on sub-production
  • Log security operations for audit trails
  • Always use HTTPS for outbound requests

Authentication patterns

Standard Credentials Provider:

```javascript
// Resolve a stored credential by sys_id instead of embedding secrets in script
var provider = new sn_cc.StandardCredentialsProvider();
var credential = provider.getAuthCredentialByID('credential_sys_id');
```

Security Manager for ACLs:

```javascript
var secMgr = new GlideSecurityManager();
var hasAccess = secMgr.canRead(grRecord, true); // true = enforcing mode (ACLs applied)
```

Reference

For OAuth security patterns, encryption best practices, and injection prevention, see BEST_PRACTICES.md.