MID Server certificate check security policies for self-hosted customers


Problem

When upgrading the MID Server to Quebec, self-hosted instances may have issues with certificate authentication within their network. The MID Server can fail to connect and the agent log lists an error such as the following:

10/04/20 10:58:44 (222) Worker-Expedited:MIDWorker-9619b95fdbaf5410bc2e9b3c8a961968 WARNING *** WARNING *** Request not sent to uri= https://jenkins-alpha.lab3.service-now.com/job/triggers/job/nightly-build-completed/build?json=%7B%22parameter%22%3A%5B%7B%22name%22%3A%22branch_name%22%2C%22value%22%3A%22track%2Fdtac%22%7D%2C%7B%22name%22%3A%22branch%22%2C%22value%22%3A%22track%2Fdtac%22%7D%2C%7B%22name%22%3A%22is_nightly%22%2C%22value%22%3Atrue%7D%2C%7B%22name%22%3A%22run_tests%22%2C%22value%22%3Atrue%7D%2C%7B%22name%22%3A%22nightly_build%22%2C%22value%22%3Atrue%7D%2C%7B%22name%22%3A%22release_branch%22%2C%22value%22%3A%22release%2F19.dtac.0.9%22%7D%2C%7B%22name%22%3A%22glide_version%22%2C%22value%22%3A%2219.dtac.0.9%22%7D%2C%7B%22name%22%3A%22sys_id%22%2C%22value%22%3A%22c959cdd31be7101045782f07b04bcb39%22%7D%2C%7B%22name%22%3A%22build_properties%22%2C%22value%22%3A%22none%22%7D%2C%7B%22name%22%3A%22priority%22%2C%22value%22%3A%225%22%7D%2C%7B%22name%22%3A%22has_commits%22%2C%22value%22%3Atrue%7D%2C%7B%22name%22%3A%22force_run%22%2C%22value%22%3Afalse%7D%2C%7B%22name%22%3A%22dmt_tests%22%2C%22value%22%3A%22dmt-dynamictranslation-test%22%7D%2C%7B%22name%22%3A%22request_id%22%2C%22value%22%3A%22none%22%7D%2C%7B%22name%22%3A%22prefix%22%2C%22value%22%3A%22none%22%7D%5D%7D&cause=NightlyComplete_alpha&delay=5400&token=e90d7205a34d9304e38263657c9710c2
org.apache.commons.httpclient.HttpException: Session contains no certificates - Untrusted
10/04/20 10:58:44 (224) Worker-Expedited:MIDWorker-9619b95fdbaf5410bc2e9b3c8a961968 Enqueuing: /glide/mid-pod/work/monitors/ECCSender/output_1/ecc_queue.9619b95fdbaf5410bc2e9b3c8a961968.xml
10/04/20 10:58:44 (224) Worker-Expedited:MIDWorker-9619b95fdbaf5410bc2e9b3c8a961968 Worker completed: RESTProbe source: https://jenkins-alpha.lab3.service-now.com/job/triggers/job/nightly-build-completed/build time: 0:00:00.024

The error can occur when the certificate presented by the target server is not signed by a well-known root Certificate Authority. This is common when certificates are self-signed in a self-hosted network.

Solution

If your instance name does not contain ServiceNow, or your instance is self-hosted, add the following parameter to the MID Server config.xml, replacing the value with the fully qualified domain name of your instance.

<parameter name="mid.ssl.bootstrap.default.target_endpoint" value="FQDN_OF_THE_INSTANCE"/>

Note: DO NOT include https:// or http:// or a trailing '/' in the value attribute. The following is a correctly formatted example:

<parameter name="mid.ssl.bootstrap.default.target_endpoint" value="dimension.mycompany.com"/>

Bootstrap policies are used as system_defaults and are controlled exclusively by the checks defined in config.xml:

<parameter name="mid.ssl.bootstrap.default.check_cert_hostname" value="false"/>
<parameter name="mid.ssl.bootstrap.default.check_cert_chain" value="false"/>
<parameter name="mid.ssl.bootstrap.default.check_cert_revocation" value="false"/>
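The following script is an added example, not ServiceNow code, that audits a MID Server config.xml against the two requirements above: the target_endpoint value must carry no scheme and no trailing slash, and the three bootstrap check parameters must be present and set to false. It assumes config.xml has a root <parameters> element containing <parameter name=".." value=".."/> children; the embedded sample document is constructed for the example and the hostname dimension.mycompany.com is taken from the article. It also reports which certificate checks are disabled, since every check set to false widens the set of certificates the MID Server will accept.

```python
"""Audit and correct MID Server certificate bootstrap parameters in config.xml.

Added example; not part of the ServiceNow product or this article.
Assumption: config.xml is <parameters> with <parameter name=".." value=".."/> children.
"""
import re
import xml.etree.ElementTree as ET

ENDPOINT_PARAM = "mid.ssl.bootstrap.default.target_endpoint"
BOOTSTRAP_CHECKS = (
    "mid.ssl.bootstrap.default.check_cert_hostname",
    "mid.ssl.bootstrap.default.check_cert_chain",
    "mid.ssl.bootstrap.default.check_cert_revocation",
)

# Constructed sample: endpoint has a scheme and trailing slash (wrong per the
# article) and the revocation check parameter is missing entirely.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<parameters>
  <parameter name="url" value="https://dimension.mycompany.com"/>
  <parameter name="mid.instance.username" value="mid_user"/>
  <parameter name="mid.ssl.bootstrap.default.target_endpoint" value="https://dimension.mycompany.com/"/>
  <parameter name="mid.ssl.bootstrap.default.check_cert_hostname" value="false"/>
  <parameter name="mid.ssl.bootstrap.default.check_cert_chain" value="false"/>
</parameters>
"""


def load_params(xml_text):
    """Map parameter name -> value for every <parameter> in the document."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): p.get("value") for p in root.iter("parameter")}


def normalize_endpoint(value):
    """Return the endpoint as the article requires: no http(s):// and no trailing '/'."""
    v = value.strip()
    v = re.sub(r"^https?://", "", v, flags=re.IGNORECASE)
    return v.rstrip("/")


def audit(xml_text):
    """Return a list of findings; an empty list means the config matches the article."""
    params = load_params(xml_text)
    findings = []
    endpoint = params.get(ENDPOINT_PARAM)
    if endpoint is None:
        findings.append(f"{ENDPOINT_PARAM} is missing")
    elif normalize_endpoint(endpoint) != endpoint:
        findings.append(
            f"{ENDPOINT_PARAM} should be '{normalize_endpoint(endpoint)}', not '{endpoint}'"
        )
    for name in BOOTSTRAP_CHECKS:
        value = params.get(name)
        if value is None:
            findings.append(f"{name} is not set; add it to config.xml")
        elif value.strip().lower() != "false":
            findings.append(f"{name}={value}; the article requires 'false'")
    return findings


def disabled_checks(xml_text):
    """Names of certificate checks that are switched off (useful as an inventory)."""
    params = load_params(xml_text)
    return [n for n in BOOTSTRAP_CHECKS if (params.get(n) or "").strip().lower() == "false"]


def apply_fixes(xml_text):
    """Return corrected XML: endpoint normalized and all three checks set to false.

    A missing endpoint is left missing; the FQDN cannot be guessed from the file.
    """
    root = ET.fromstring(xml_text)
    by_name = {p.get("name"): p for p in root.iter("parameter")}

    def set_param(name, value):
        node = by_name.get(name)
        if node is None:
            node = ET.SubElement(root, "parameter", name=name)
            by_name[name] = node
        node.set("value", value)

    endpoint = by_name.get(ENDPOINT_PARAM)
    if endpoint is not None:
        set_param(ENDPOINT_PARAM, normalize_endpoint(endpoint.get("value")))
    for name in BOOTSTRAP_CHECKS:
        set_param(name, "false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
    fixed = apply_fixes(SAMPLE_CONFIG)
    print("after fix, findings:", audit(fixed))
    print("checks disabled:", disabled_checks(fixed))
```

Run it against a copy of the real config.xml by replacing SAMPLE_CONFIG with the file contents; apply_fixes returns the document without the XML declaration, so re-add it before writing the file back. The disabled_checks list is worth recording per MID Server, because with check_cert_chain and check_cert_hostname both false the MID Server no longer distinguishes the intended server from any other presenter of a certificate, which is why the article restricts this configuration to networks where no traffic leaves the customer environment.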

The same parameters must also be set to false in the MID Server Certificate Check Policies table.

Note: This solution only applies to self-hosted customers. If no traffic leaves the customer network, all certificate policies can be turned off in the MID Server Certificate Check Policies table.