MID Server upgrades could reset the Java properties and certificates installed on cacerts
MID Server upgrades, especially long versions, can reset the Java properties and certificates installed on cacerts.
Integrations using custom MID Server certificates or custom Java properties can therefore fail, for example, LDAPS integrations using a MID Server.
This issue affects anything that requires an SSL certificate on the MID Server, including MID Server to Instance communication via a Proxy and MID Server connections to any other database, integration, or web service where a certificate is required.
Integrations report errors related to SSL or the certificates. For example:
PKIX path building failed: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
When the MID Server is upgraded, Java is also upgraded. The Java cacerts information could reset with the Java upgrade. Without the LDAPS certificates on the MID Server, the LDAPS connection will fail.
ServiceNow's MID Server development team have agreed that this would make a good product enhancement in a future release. Incidents should be linked to the following problem ticket, which is tracking the demand:
KB0721386/PRB1320637 A MID Server upgrade that includes a new JRE version will overwrite the cacerts file
Keep MID Servers updated to the latest versions as soon as they are available. This avoids problems and applies fixes that are otherwise missed if the upgrades do not happen. However, note that customizations to the MID Server Java certificates and properties are not maintained by ServiceNow. Although ways are provided to customize them, MID Server administrators are responsible for keeping the customizations active.
These customizations on Java need to be re-applied after any MID Server upgrade or your integration using the custom properties or certificates could fail. This is mostly noticeable after Java version upgrades.
For example, to resolve LDAPS integrations missing the certificates after an upgrade, add the certificates to the Java lib\security\cacerts keystore. Be sure to document these customizations and ensure that your upgrades consider this requirement in the future.
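One way to script the re-import described above, as an added example that is not ServiceNow code. Assumptions: the custom certificates are kept outside the MID Server installation as <alias>.cer files, the keystore password is exported in an environment variable named MID_STOREPASS, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: re-apply custom CA certificates after a MID Server upgrade
# has replaced the JRE cacerts file.
# Usage (after sourcing this file):
#   export MID_STOREPASS=...   # keystore password, kept off the command line
#   missing_aliases <path-to>/lib/security/cacerts /secure/mid-certs
#   reapply_certs   <path-to>/lib/security/cacerts /secure/mid-certs

KEYTOOL="${KEYTOOL:-keytool}"   # the JRE's own keytool is the safest choice

# has_alias <keystore> <alias>: succeeds if the alias exists in the keystore.
# keytool exits non-zero when the alias does not exist.
has_alias() {
    "$KEYTOOL" -list -keystore "$1" -storepass:env MID_STOREPASS \
        -alias "$2" >/dev/null 2>&1
}

# missing_aliases <keystore> <cert_dir>: prints one alias per line for every
# <alias>.cer in cert_dir that is absent from the keystore (read-only check).
missing_aliases() {
    for f in "$2"/*.cer; do
        [ -e "$f" ] || continue
        a=$(basename "$f" .cer)
        has_alias "$1" "$a" || printf '%s\n' "$a"
    done
}

# reapply_certs <keystore> <cert_dir>: backs up the keystore, imports every
# missing certificate, and prints how many were imported.
reapply_certs() {
    ks=$1; dir=$2; n=0
    cp -p "$ks" "$ks.pre-reapply" || return 1
    for f in "$dir"/*.cer; do
        [ -e "$f" ] || continue
        a=$(basename "$f" .cer)
        if has_alias "$ks" "$a"; then continue; fi
        "$KEYTOOL" -importcert -noprompt -trustcacerts -alias "$a" \
            -file "$f" -keystore "$ks" -storepass:env MID_STOREPASS \
            >/dev/null || return 1
        n=$((n + 1))
    done
    echo "$n"
}
```

Running missing_aliases on its own after each upgrade gives a quick check of whether the customizations survived, without modifying the keystore.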
Note: The product documentation topic LDAP integration via MID Server notes that the following are NOT available with the MID Server: