A MID Server upgrade that includes a new JRE version will overwrite the cacerts file


Description

A MID Server upgrading to a version that includes a JRE upgrade will have the whole \agent\jre folder replaced, including the \agent\jre\lib\security\cacerts file. That file is the JRE truststore that holds the SSL/CA certificates used by Integrations, or to connect to the instance through a proxy, so any certificates a customer has imported into it are lost along with the folder.

For example, an upgrade to Madrid replaced the /agent/jre folder with a new version based on OpenJDK, instead of Oracle.


Steps to Reproduce

  1. Install a New York Patch 7 or Orlando Patch 2 MID Server, which includes OpenJDK 1.8.0_181
  2. Using keytool.exe, add a certificate to \agent\jre\lib\security\cacerts
    (For example, that certificate might be the CA used for connecting to an AD server for LDAPS integrations of instance users.)
  3. Upgrade the MID Server to New York Patch 9 or Orlando Patch 4a (Q3-2020 Patching Targets)
  4. The new JRE's stock cacerts file, which does not contain the customer-added certificates, overwrites the customer's file, losing the ability to use those certificates.
  5. Integrations that relied on the certificate will now have an outage.

Workaround

This problem has been fixed in Quebec. If you are able to upgrade, review the Fixed In or Intended Fix Version fields to determine whether any versions have a planned or permanent fix.

Backports are planned for both Orlando and Paris, even though there is no plan to upgrade the JRE version again until Quebec. The reason is that the fix only takes effect once you are already running a fixed version: to avoid this problem clearing the cacerts file on the upgrade to Quebec, which moves to Java 11, you need to first upgrade to a fixed patch of Paris or Orlando.

- First workaround option:

Move your JRE truststore outside of the MID Server's bundled JRE, so that replacing the \agent\jre folder no longer touches it. In practice this means starting the MID Server JVM with the javax.net.ssl.trustStore (and javax.net.ssl.trustStorePassword) system properties pointing at a truststore file kept elsewhere on the host; for a MID Server, JVM arguments are set in agent\conf\wrapper-override.conf as wrapper.java.additional.N entries. Start that external truststore from a copy of the current cacerts file rather than an empty keystore, because the MID Server also needs the public root CAs to reach the instance (and the proxy, if any).

- Second workaround option:

If you are aware of this problem beforehand, back up the cacerts file to a location outside the MID Server install folder(s) before the upgrade, and restore it (or re-import your certificates) afterwards:

  1. Stop the MID Server
  2. Before you upgrade, locate the \agent\jre\lib\security\cacerts file and copy it to a backup location outside the JRE folder (one level up or higher)
  3. Once the upgrade is done, copy the backed-up cacerts file back to its original location, then start the MID Server
  4. Confirm the certificates are present again, for example with keytool -list -keystore cacerts -storepass changeit

Copying the old file back also brings back the older JRE's bundled root CA list. If you want the new JRE's roots as well, import the customer certificates into the new cacerts with keytool -importcert instead of replacing the file.
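As an added example (not part of this KB article or of the MID Server product), the following Python script performs the post-upgrade check from the steps above without needing a JRE on hand: it parses the backed-up cacerts and the post-upgrade cacerts as JKS files, lists the trusted-certificate aliases, reports which aliases disappeared, and verifies the keystore integrity digest against the default "changeit" password (a digest mismatch is the changed-password situation described under PRB1451866 below). Java 8 and Java 11 ship cacerts in JKS format, which is what is handled here. The sample keystores at the bottom are constructed from placeholder bytes, and the alias names and file paths are illustrative assumptions.

```python
"""Check that customer-added CA certificates survived a MID Server JRE upgrade.

Parses two JKS truststores (the backed-up cacerts and the post-upgrade one),
lists trusted-certificate aliases, reports the ones that disappeared, and
verifies the keystore integrity digest against the expected password.
"""
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
TRUSTED_CERT_ENTRY = 2
# Fixed string the JKS format mixes into its SHA-1 integrity digest
JKS_DIGEST_SALT = b"Mighty Aphrodite"


def _read_utf(buf, pos):
    """Read a Java DataOutput.writeUTF() string: 2-byte length + bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n].decode("utf-8"), pos + n


def jks_trusted_aliases(data):
    """Return {alias: certificate bytes} for every TrustedCertEntry in a JKS blob."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC or version not in (1, 2):
        raise ValueError("not a JKS keystore (Java 18+ cacerts are PKCS12)")
    pos = 12
    entries = {}
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, pos)
        pos += 4
        alias, pos = _read_utf(data, pos)
        pos += 8  # creation date, Java long (ms since epoch)
        if tag != TRUSTED_CERT_ENTRY:
            # cacerts is a truststore; a PrivateKeyEntry here is unexpected
            raise ValueError(f"unsupported entry type {tag} for alias {alias!r}")
        if version == 2:
            _cert_type, pos = _read_utf(data, pos)  # normally "X.509"
        (length,) = struct.unpack_from(">I", data, pos)
        pos += 4
        entries[alias] = data[pos:pos + length]
        pos += length
    return entries


def jks_digest_ok(data, password="changeit"):
    """True if the trailing SHA-1 integrity digest matches `password`.

    False normally means the truststore password is not `password`, i.e. the
    cacerts password was changed from the default.
    """
    body, digest = data[:-20], data[-20:]
    expected = hashlib.sha1(password.encode("utf-16-be") + JKS_DIGEST_SALT + body).digest()
    return expected == digest


def missing_aliases(backup, upgraded):
    """Aliases present in the backed-up cacerts but absent after the upgrade."""
    return sorted(set(jks_trusted_aliases(backup)) - set(jks_trusted_aliases(upgraded)))


def build_jks(certs, password="changeit"):
    """Build a minimal JKS truststore; used here only to construct sample data.

    `certs` maps alias -> certificate bytes. Real cacerts hold DER X.509
    certificates; the samples below use placeholder bytes, which is fine
    because this script never decodes the certificates themselves.
    """
    body = struct.pack(">III", JKS_MAGIC, 2, len(certs))
    for alias, der in certs.items():
        a = alias.encode("utf-8")
        body += struct.pack(">I", TRUSTED_CERT_ENTRY)
        body += struct.pack(">H", len(a)) + a
        body += struct.pack(">Q", 1_600_000_000_000)  # fixed creation timestamp
        body += struct.pack(">H", 5) + b"X.509"
        body += struct.pack(">I", len(der)) + der
    digest = hashlib.sha1(password.encode("utf-16-be") + JKS_DIGEST_SALT + body).digest()
    return body + digest


# Constructed sample: the backup holds a customer-added LDAPS CA next to a stock
# root; the "upgraded" file is the new JRE's stock cacerts with only the root.
BACKUP_CACERTS = build_jks({
    "digicertglobalrootca [jdk]": b"\x30\x82stock-root-placeholder",
    "corp-ldaps-ca": b"\x30\x82customer-ldaps-ca-placeholder",
})
UPGRADED_CACERTS = build_jks({
    "digicertglobalrootca [jdk]": b"\x30\x82stock-root-placeholder",
})

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: python check_cacerts.py cacerts.backup agent/jre/lib/security/cacerts
        with open(sys.argv[1], "rb") as f:
            backup = f.read()
        with open(sys.argv[2], "rb") as f:
            upgraded = f.read()
    else:
        backup, upgraded = BACKUP_CACERTS, UPGRADED_CACERTS
    for name, blob in (("backup", backup), ("upgraded", upgraded)):
        print(f"{name}: {len(jks_trusted_aliases(blob))} trusted certs, "
              f"default password {'OK' if jks_digest_ok(blob) else 'MISMATCH'}")
    print("lost after upgrade:", missing_aliases(backup, upgraded) or "none")
```

Run it with no arguments to see the constructed case (the corp-ldaps-ca alias is reported as lost), or pass the backup file and the live cacerts path to check a real MID Server; run it on every MID Server in the cluster, since each host has its own cacerts.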

Notes:

Remember to do this for all MID Servers in the Clusters used for the integrations, and for all MID Servers with Applications/Capabilities that the MID Selector could pick for the integration/Orchestration activities.

If you have already lost the cacerts file, then you will need to add the SSL certificates for the MID Server again. It may also be possible to restore the cacerts file from a MID Server that has not upgraded yet, or from one belonging to a different instance: copying the whole file from a different MID Server is possible, provided it holds the certificates you need and uses the same truststore password.

The following KB article lists the MID Server versions that shipped a new JRE version, so you can confirm whether a planned upgrade is likely to overwrite the JRE and lose your certificates from the cacerts file:
KB0719830 Which Java versions are supported and compatible with MID Servers (OpenJDK/Oracle JRE)

If the password of the cacerts file has been changed from the default "changeit", then this fix will not work. See:
PRB1451866: The fix for PRB1320637 requires that the cacerts Truststore file password remains as the default "changeit", which many customers won't allow, causing certificate deletion during JRE upgrades (e.g. Quebec) and subsequent MID Server and Integration outage

For more general information, see KB0863673 MID Servers and Certificates


Related Problem: PRB1320637