When a MID Server upgrades to a version that includes a JRE upgrade, the whole \agent\jre folder is replaced. That includes the \agent\jre\lib\security\cacerts file, which stores all SSL certificates used by Integrations, or to connect to the instance through a proxy.
For example, an upgrade to Madrid replaced the /agent/jre folder with a new version based on OpenJDK, instead of Oracle.
Recent changes are:
This problem has been fixed in Quebec. If you are able to upgrade, review the Fixed In or Intended Fix Version fields to determine whether any versions have a planned or permanent fix.
Backports are planned for both Orlando and Paris, even though there is no plan to upgrade the JRE version again until Quebec. The reason is that the fix only takes effect after you have upgraded to the fixed version. To prevent the cacerts file from being cleared on an upgrade to Quebec, which upgrades to Java 11, you will first need to upgrade to the fixed patches of Paris or Orlando.
- First workaround option:
Move your JRE truststore outside of the MID Server bundled JRE.
- Second workaround option:
If you are aware of this problem beforehand, please move the JRE outside of the MID Server install folder(s), and then re-import your certificates:
Remember to do this for all MID Servers in Clusters used for the integrations, or all MID Servers with Applications/Capabilities that MID Selector could use for the integration/Orchestration activities.
If you have already lost the cacerts file, then you will need to Add SSL certificates for the MID Server again. It may also be possible to restore the cacerts file from a MID Server that has not upgraded yet, or is from a different instance. Copying the whole file from a different MID Server is possible.
The following KB article lists the MID Server versions that had a new JRE version, so you can confirm whether a planned upgrade is likely to overwrite the JRE and lose your certificates from the cacerts file:
KB0719830 Which Java versions are supported and compatible with MID Servers (OpenJDK/Oracle JRE)
If the password of the cacerts file has been changed (from "changeit"), then this fix will not work. See:
PRB1451866: The fix for PRB1320637 requires that the cacerts Truststore file password remains as the default "changeit", which many customers won't allow, causing certificate deletion during JRE upgrades (e.g. Quebec) and subsequent MID Server and Integration outage
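To confirm which certificates an upgrade removed, and whether a truststore still verifies with the default "changeit" password that the fix depends on, the following added example (not ServiceNow code) reads two cacerts files directly. It assumes the files are in JKS format and hold only trusted-certificate entries; the function names and the sample aliases are constructed for illustration.

```python
import hashlib, struct, sys
from pathlib import Path

MAGIC = 0xFEEDFEED
SALT = b"Mighty Aphrodite"  # fixed string mixed into the JKS integrity digest

def read_truststore(data, password="changeit"):
    """Return ({alias: SHA-256 of cert bytes}, password_ok) for a JKS truststore."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != MAGIC:
        raise ValueError("not a JKS keystore (assumption: cacerts is JKS)")
    pos, certs = 12, {}
    for _ in range(count):
        tag, alen = struct.unpack_from(">IH", data, pos)
        if tag != 2:  # 1 = private key entry, 2 = trusted certificate
            raise ValueError("private key entry found; expected trusted certs only")
        alias = data[pos + 6:pos + 6 + alen].decode("utf-8", "replace")
        pos += 6 + alen + 8                      # skip the 8-byte creation timestamp
        if version == 2:                         # v2 stores a type string, e.g. "X.509"
            pos += 2 + struct.unpack_from(">H", data, pos)[0]
        clen = struct.unpack_from(">I", data, pos)[0]
        certs[alias] = hashlib.sha256(data[pos + 4:pos + 4 + clen]).hexdigest()
        pos += 4 + clen
    digest = hashlib.sha1(password.encode("utf-16-be") + SALT + data[:pos]).digest()
    return certs, digest == data[pos:pos + 20]

def lost_aliases(before, after):
    """Aliases in the pre-upgrade store that are missing or changed afterwards."""
    old, _ = read_truststore(before)
    new, _ = read_truststore(after)
    return sorted(a for a, fp in old.items() if new.get(a) != fp)

def build_sample(entries, password="changeit"):
    """Constructed test data: a minimal JKS v2 truststore with placeholder cert bytes."""
    body = struct.pack(">III", MAGIC, 2, len(entries))
    for alias, der in entries.items():
        a = alias.encode("utf-8")
        body += struct.pack(">IH", 2, len(a)) + a + struct.pack(">Q", 0)
        body += struct.pack(">H", 5) + b"X.509" + struct.pack(">I", len(der)) + der
    return body + hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest()

if __name__ == "__main__":
    if len(sys.argv) == 3:  # <pre-upgrade backup> <post-upgrade cacerts>
        before, after = (Path(p).read_bytes() for p in sys.argv[1:3])
    else:                   # constructed sample: one custom CA is lost by the upgrade
        before = build_sample({"corp-proxy-ca": b"A" * 8, "rootca": b"B" * 8})
        after = build_sample({"rootca": b"B" * 8})
    print("default password verifies:", read_truststore(before)[1])
    print("lost on upgrade:", lost_aliases(before, after))
```

Run it with the paths of a pre-upgrade backup and the post-upgrade cacerts file as two arguments; without arguments it uses the constructed sample.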
For more general information, see KB0863673 MID Servers and Certificates