Issue with discovering certain certificates via "11.0.12" JRE mid - Known Error

Issue with discovering certain certificates via "11.0.12" JRE mid Description JRE 11.0.11 or later versions doesn't support TLS 1.1 and below as these legacy protocols are not considered as secure.Please find OpenJDK 11.0.11 release notes.

What this means to the Mid server:

In San Diego Release Mid server is shipped with JRE 11.0.12 as default JRE.As mention above, from JRE 11.0.11 onwards TLS 1.1 & TLS 1.0 are not supported. To support customers who are still using TLS 1.0 or TLS 1.1 protocols, we have enabled these protocols to work OOB. This means, all integrations communicating through MID server on TLS 1.0 & TLS 1.1 protocols continue to work in San Diego Release.

Steps to Reproduce

1. Point a mid to external java version 11.0.12 2. Install certificate inventory and management plugin (1.3.9) 3. Create a URL discovery schedule (discovery schedule > new > Discover: certificates> type: url certificate discovery> save and add urls to the schedule) 4. Trigger discovery (you can use the below mentioned instance for testing the flow)

Workaround Based on the usage, you could fall in to one of the below categories

a) MID using default JRE(11.0.12) which comes with SD release :

As we enable TLS 1.1 and TLS 1.0 these legacy protocols continue to work as usual but if customer wants to disable them follow the below steps :

1. Go to mid server installed directory.

2. Create a new file with any name(example java-overide.security) in path "agent/jre/conf/security".

3. Copy property "jdk.tls.disabledAlgorithms" with values from java.security. (File can be found in directory jre/conf/security)

4. Paste into new file and add "TLSv1, TLSv1.1" to the property.

5. In the wrapper-override.conf which is present in path "agent/conf", modify -Djava.security.properties= /{new file name}

6. Restart the mid server.

b) MID Server using external JRE which is JRE 11.0.10 and before :

No action Item, TLS 1.0 and TLS 1.1 would work OOB.

c) MID using external JRE which is JRE 11.0.11+ and want to use TLS 1.1 and TLS 1.0 :

To enable TLSv1/1.1 support on external JRE version 11.0.11 or later, follow below steps.

1. Go to mid server installed directory.

2. Create a new file with any name(example java-overide.security) in path "agent/jre/conf/security".

3. Copy property "jdk.tls.disabledAlgorithms" with values from java.security. (File can be found in directory jre/conf/security)

4. Paste into new file and remove "TLSv1, TLSv1.1" from the property.

5. In the wrapper-override.conf which is present in path "agent/conf", modify -Djava.security.properties= /{new file name}

6. Restart the mid server.