Cloning an instance is important to help ensure your sub-Production environments are configured similarly to your Production environment, and contain a representative set of data. However, Edge Encryption adds a layer of complexity during the cloning process, since the Edge proxy and the instance must have some matching configuration settings. Before the clone, the Production instance and Edge proxy have consistent settings, and the clone target (and its Edge proxy) will have a different configuration. After the clone, the clone target instance will now have all of the settings used by Production, but the Edge proxy will still have the pre-clone settings. What just happened?

When cloning while Edge Encryption is active, follow these steps to ensure your Edge proxy and instance can communicate and successfully display the expected encoded values. At a high level, you will copy the Edge proxy installation from Production to the clone target machine, update the configuration files on the target machine to point to the clone, and update the local Edge database (if used). After this, you can proceed to clone Production to the target. Once the clone is finished, you can start the Edge proxy and verify everything is working as expected.

How to clone when there is an Edge Encryption proxy involved

Here are the detailed steps for cloning when there is Edge Encryption is active. For simplicity we are providing instructions for one proxy, but this can be extended to multiple proxies if necessary when the instance has multiple proxies assigned.

1. Zip the entire Edge Encryption proxy installation used by the source instance which is on the Edge Encryption proxy machine. For example, on Linux, zip the entire contents of the Edge Encryption proxy installation: $ zip -r edge_helsinki.zip edge_helsinki
   
   Where edge_helsinki.zip is the name of the zip file and edge_helsinki is the name of the top directory that contains the entire Edge Encryption proxy installation files that are used by the source instance.
   
   
2. Copy the .zip file to the Edge Encryption machine that will be used by the clone target instance.
   
   
3. Unzip the .zip file on the edge encryption machine that will be used by the clone target instance: unzip edge_helsinki.zip
   
   
4. At the unzipped location, change the directory to $proxy_installation_location/conf and edit the edgeencryption.properties file, changing these lines to point to the clone target instance configuration as appropriate: edgeencryption.target.host = <clone target instance name>.service-now.com
   
   Example: edgeencryption.target.host = myinstance.service-now.com
   edgeencryption.proxy.host = <hostname or IP address of the edge encyrption proxy machine used by the clone target instance>
   
   Example:
   edgeencryption.proxy.host = 10.0.2.15
   edgeencryption.proxy.host = myedgeproxy.mycompany.com
   edgeencryption.proxy.https.port = <https port of the edge encryption proxy machine used by the clone target instance>
   
   Example:
   edgeencryption.proxy.https.port = 8082
   If MySQL database is used, also modify these properties as needed:
   edgeencryption.db.url = <jdbc connection string to the database used by the edge encryption proxy machine used by the clone target instance>
   
   Example:
   edgeencryption.db.url = jdbc:mysql://localhost
   edgeencryption.db.user = <root user>
   edgeencryption.db.password = <root password>
   edgeencryption.db.name = <database name>
   
   

   If you are re-using the edgeencryption.db.name from the pre-cloned instance, you may want to change this to a new edgeencryption.db.name or drop the associated database (and of course the tables and data in that database will also drop) so that the database is clean. In this example we log into the MySQL database used by the clone target Edge Encryption proxy and we will drop the current database and reuse the same database name in the edgeencryption.db.name setting.

   If you decide to reuse the same database, please follow step 5.   If you are going to create a new database, skip to step 6.
5. Log in to mySQL database: $ mysql -u root
   Show all of the databases currently used by the Edge proxy before we start the clone. In this case, my database name is ee_istanbul. After the clone we are going to reuse the same edgeencryption.db.name = ee_istanbul database name, so we are going to drop that database so that it will be clean post-clone:
   
   mysql> show databases;
   +--------------------+
   | Database                     |
   +--------------------+
   | information_schema |
   | edgeencryption         |
   | ee_istanbul               |
   | mysql                           |
   | performance_schema |
   | test                             |
   +--------------------+
   6 rows in set (0.01 sec)
   
   Drop the ee_istanbul database. Then confirm that the ee_istanbul database no longer exists:
   
   mysql> drop database ee_istanbul;
   Query OK, 3 rows affected (0.01 sec)
   
   mysql> show databases;
   +--------------------+
   | Database                     |
   +--------------------+
   | information_schema |
   | edgeencryption         |
   | mysql                           |
   | performance_schema |
   | test                             |
   +--------------------+
   5 rows in set (0.00 sec)
   
   

   You may review the edgeencryption.properties file in its entirety and change any other settings that would be appropriate to your environment.

6. Execute the clone from source to target instances following the standard cloning procedure.
   
   
7. Following the clone, start the Edge Encryption proxy serving the target clone while observing the $proxy_installation_location/conf/edgeencryption.log. If the proxy does not start or warning and/or errors are seen, consult the following articles:
   • Browser Access to an Instance via an Edge Proxy Fails and Results in a Secure Connection Failed Mess...
   • Edge Encryption Proxy Fails to Start with Error "failed signature validation" (KB0621218)
   • Edge Encryption Proxy Fails to Start with Error "Failed to load encryption rules" (KB0621286)
   • How to Increase Debug Logging for the Edge Encryption Proxy (KB0621289)
     
     
8. Once the proxy starts up successfully, you can log in to the MySQL database and verify that the database for the clone target has been created. In this example the database is called ee_istanbul since that is how edgeencryption.db.name = ee_istanbul was set in the edgeencryption.log file of the clone target:
   
   $ mysql -u root
   mysql> show databases;
   +--------------------+
   | Database                     |
   +--------------------+
   | information_schema |
   | edgeencryption         |
   | ee_istanbul               |
   | mysql                           |
   | performance_schema |
   | test                             |
   +--------------------+
   6 rows in set (0.01 sec)

Following these steps will ensure that, after you clone your Production instance over a sub-Prod instance, you will be able to view all of the encrypted data when accessing the instance through the Edge proxy. If you do not follow these steps, you may encounter proxy startup errors, and all of the data will remain encrypted and unusable by all client applications (browsers and web servers). As designed, the only way to decrypt the data in the newly cloned instance is to ensure the Edge proxy server is configured with the same configuration that was used to encrypt the data while it was in Production.