The fix for PRB1320637 requires that the cacerts Truststore file password remains as the default "changeit", which many customers won't allow, causing certificate deletion during JRE upgrades (e.g. Quebec) and subsequent MID Server and Integration outage


Description

The fix for PRB1320637, to preserve the MID Server's "cacerts" Java Certificate Truststore file during MID Server upgrades that include a JRE upgrade, requires that the cacerts keystore password remains as the default and published "changeit", which many customers won't allow.  If the password has been changed, and the certificates can't be preserved, MID Server and Integration outages could happen after an upgrade.

The Quebec version will have the MID Server's bundled JRE version upgraded to Java 11. The fix for PRB1320637 in Quebec won't apply to this upgrade, but the code is also in later Orlando and Paris patches, so if it is an upgrade to Quebec from one of those patches, then this fix should work.

However, customers who use the bundled JRE and have changed the password of the cacerts file will lose their certificates. If the certificates in cacerts were used for the MID Server's connection to the instance via a firewall/proxy, then the MID Server will go down due to the certificate chain requirements added by PRB1419895 (cases caused by that change are tracked by PRB1447511). Other integrations, such as LDAPS, that used self-signed certificates would also go down (like previous cases linked to PRB1320637).

Only customers that use the default password of "changeit" on the cacerts file, or that use an external JRE and the cacerts file within it instead, will have the cacerts file preserved if the Java version changes.
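A pre-upgrade check for the condition described above, as an added example that is not ServiceNow code: it tests whether a truststore still opens with "changeit" and lists the trusted-certificate aliases that would need re-importing if it does not. It assumes the cacerts file is in JKS format; the sample keystore, its password, and its aliases are constructed for illustration.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
WHITENER = b"Mighty Aphrodite"  # constant mixed into every JKS integrity digest

def jks_digest(password, body):
    # SHA-1 over: password as UTF-16BE, the whitener, then the keystore body
    return hashlib.sha1(password.encode("utf-16-be") + WHITENER + body).digest()

def opens_with(data, password="changeit"):
    """True if the store password matches the trailing 20-byte digest."""
    if len(data) < 32 or struct.unpack(">I", data[:4])[0] != JKS_MAGIC:
        raise ValueError("not a JKS keystore")
    return jks_digest(password, data[:-20]) == data[-20:]

def trusted_aliases(data):
    """Aliases of trusted-certificate entries; readable without the password."""
    magic, version, count = struct.unpack(">III", data[:12])
    if magic != JKS_MAGIC:
        raise ValueError("not a JKS keystore")
    pos, aliases = 12, []
    for _ in range(count):
        tag, alen = struct.unpack(">IH", data[pos:pos + 6])
        if tag != 2:  # 1 = private key entry, not expected in a truststore
            raise ValueError("unexpected non-certificate entry")
        aliases.append(data[pos + 6:pos + 6 + alen].decode("utf-8"))
        pos += 6 + alen + 8  # skip alias and 8-byte creation date
        if version == 2:  # version 2 stores a certificate type string
            pos += 2 + struct.unpack(">H", data[pos:pos + 2])[0]
        pos += 4 + struct.unpack(">I", data[pos:pos + 4])[0]  # skip DER bytes
    return aliases

def build_sample(password, aliases):
    """Constructed JKS v2 truststore with placeholder certificate bytes."""
    body = struct.pack(">III", JKS_MAGIC, 2, len(aliases))
    for alias in aliases:
        name, ctype, cert = alias.encode(), b"X.509", b"\x30\x00"
        body += struct.pack(">IH", 2, len(name)) + name + struct.pack(">Q", 0)
        body += struct.pack(">H", len(ctype)) + ctype
        body += struct.pack(">I", len(cert)) + cert
    return body + jks_digest(password, body)

if __name__ == "__main__":
    changed = build_sample("Constructed-Pw1", ["proxy-root-ca", "ldaps-selfsigned"])
    print(opens_with(changed), trusted_aliases(changed))
```

To run it against a real file, pass the bytes of the cacerts file to `opens_with` and `trusted_aliases`; a `False` result means the store password is no longer the default.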

Steps to Reproduce

No steps confirmed yet, due to the Paris/Orlando patches for PRB1320637 not being available at the time of writing to use as a starting point.

Workaround

This problem is currently under review. You can contact ServiceNow Technical Support or subscribe to this Known Error article by clicking the Subscribe button at the top right of this form to be notified when more information becomes available.

The workaround in PRB1320637 still needs to be used:
KB0750004 A MID Server upgrade that includes a new JRE version will overwrite the cacerts file


Related Problem: PRB1451866