After confirming that the firewall rules and ports are open, PAM still cannot connect to ServiceNow through a Zscaler internet proxy. The Zscaler team sees SSL handshake errors on their end. Such problems are usually resolved by adding the Zscaler root CA certificate to the keystore used by the application that connects through Zscaler. Using the Upload feature on the Configuration > Security > Certificates page does not help, though; the problem persists. Is there another certificate store involved? How can we get this to work?
Service desk target applications do not allow you to enter a certificate, unlike e.g. an LDAP target application. The Normalized Integration Management (NIM) module that PAM uses to integrate with service desk implementations runs in a Tomcat server, which validates certificates against the cacerts file of its JRE, and that file does not include the Zscaler Root CA certificate. The NIM/Service Desk logs can be downloaded from the Configuration > Diagnostics > Diagnostic Logs > Download page. When this problem occurs, the Nim.log file under the ca-nim-sm folder will contain exceptions like the following:
[26/11/24 13:43:35:386 UTC] [TP7] ERROR common.GenericSOAPDispatchService: SOAPException thrown: PKIX path building failed: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
...
Caused by: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
at org.bouncycastle.jcajce.provider.PKIXCertPathBuilderSpi.engineBuild(Unknown Source) ~[bc-fips-1.0.2.3.jar:1.0.2.3]
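As an added example that is not part of the original article, the following script scans Nim.log lines for these PKIX path building failures and summarises when they occurred and whether every failure was the "No issuer certificate" form, which points at a trust store that lacks the signing CA rather than at some other certificate problem. The timestamp layout (dd/mm/yy, milliseconds, zone) is inferred from the excerpt above, and the log lines embedded in the script are constructed samples.

```python
import re
from datetime import datetime

# Constructed sample of Nim.log lines (layout inferred from the excerpt; not real data)
SAMPLE_LOG = """\
[26/11/24 13:43:35:386 UTC] [TP7] ERROR common.GenericSOAPDispatchService: SOAPException thrown: PKIX path building failed: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
Caused by: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
    at org.bouncycastle.jcajce.provider.PKIXCertPathBuilderSpi.engineBuild(Unknown Source) ~[bc-fips-1.0.2.3.jar:1.0.2.3]
[26/11/24 13:45:01:002 UTC] [TP3] INFO  common.GenericSOAPDispatchService: request completed
[26/11/24 13:50:12:110 UTC] [TP7] ERROR common.GenericSOAPDispatchService: SOAPException thrown: PKIX path building failed: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
"""

# [dd/mm/yy HH:MM:SS:mmm ZONE] [thread] LEVEL message  (assumed Nim.log line format)
LINE_RE = re.compile(
    r"^\[(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}):(\d{3}) (\w+)\] \[(\w+)\] (\w+)\s+(.*)$")
TRUST_FAILURE_RE = re.compile(r"PKIX path building failed|CertPathBuilderException")
MISSING_ISSUER = "No issuer certificate for certificate in certification path found"

def parse_line(line):
    """Return a dict for a timestamped Nim.log line, or None for stack-trace continuation lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%d/%m/%y %H:%M:%S")
    ts = ts.replace(microsecond=int(m.group(2)) * 1000)
    return {"ts": ts, "zone": m.group(3), "thread": m.group(4),
            "level": m.group(5), "msg": m.group(6)}

def find_trust_failures(log_text):
    """Collect ERROR records whose message reports a certificate path building failure."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["level"] == "ERROR" and TRUST_FAILURE_RE.search(rec["msg"]):
            events.append(rec)
    return events

def summarize(log_text):
    """Count the failures, report the time window, and flag the missing-issuer (untrusted CA) case."""
    events = find_trust_failures(log_text)
    if not events:
        return {"count": 0}
    missing_issuer = all(MISSING_ISSUER in e["msg"] for e in events)
    return {"count": len(events),
            "first": events[0]["ts"].isoformat(),
            "last": events[-1]["ts"].isoformat(),
            "missing_issuer": missing_issuer,
            "likely_cause": ("signing CA (e.g. the proxy's root CA) absent from the JRE cacerts"
                             if missing_issuer else "other certificate path problem")}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```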
Most likely you will need assistance from PAM Support to get the Zscaler Root CA certificate added to the Tomcat keystore.
If your environment has an LDAP server with an untrusted (e.g. self-signed) certificate that is not yet integrated with PAM, it should be possible to define an LDAP target application for it and store the Zscaler certificate in that target application instead of the actual LDAP server certificate. Define any target account for the application and try to set it to synchronized. PAM will try to connect to the LDAP server, fail the first connection attempt with a certificate validation error, add the certificate stored in the target application to the keystore, and then try again. Since the target application contains the wrong certificate, the second connection attempt will still fail, but the Zscaler certificate should now be in the keystore, which should resolve the problem with the Zscaler internet proxy connections.