MID Server upgrades could reset the Java properties and certificates installed on cacerts

Problem

MID Server upgrades, especially long versions, can reset the Java properties and certificates installed on cacerts.

Integrations using custom MID Server certificates or custom Java properties can therefore fail, for example, LDAPS integrations using a MID Server.

Symptoms


Integrations report errors related to SSL or the certificates. For example:

PKIX path building failed: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.

Cause


When the MID Server is upgraded, Java is also upgraded. The Java cacerts information could reset with the Java upgrade. Without the LDAPS certificates on the MID Server, the LDAPS connection will fail.

Resolution


Keep MID Servers updated to the latest versions as soon as they are available. This avoids problems and applies fixes that would otherwise be missed if the upgrades do not happen. Note, however, that changes made to the MID Server Java certificates and properties are not maintained by ServiceNow. Although ways to customize them are provided, MID Server administrators are responsible for keeping the customizations active.

These Java customizations need to be re-applied after any MID Server upgrade; otherwise, integrations that use the custom properties or certificates could fail. This is mostly noticeable after Java version upgrades.

For example, to resolve LDAPS integrations missing the certificates after an upgrade, add the certificates to the Java lib\security\cacerts keystore. Be sure to document these customizations and ensure that your upgrades consider this requirement in the future.
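One way to make that re-application repeatable after each upgrade is sketched below. This is an added example, not ServiceNow code: it checks the cacerts keystore for each documented custom certificate and re-imports any that are missing. The JRE path, the certificate folder (one `<alias>.cer` file per custom CA) and the `changeit` store password (the stock Java default) are assumptions to replace with your own values.

```powershell
# Added example: restore custom CA certificates in the MID Server's Java
# cacerts keystore after an upgrade. Paths below are placeholders (assumptions).
param(
    [string]$JavaHome  = 'C:\PLACEHOLDER\mid-server\jre',    # JRE used by the MID Server
    [string]$CertDir   = 'C:\PLACEHOLDER\mid-custom-certs',  # one <alias>.cer per custom CA
    [string]$StorePass = 'changeit'                          # stock Java default; replace if changed
)

$keytool  = Join-Path $JavaHome 'bin\keytool.exe'
$keystore = Join-Path $JavaHome 'lib\security\cacerts'

foreach ($path in @($keytool, $keystore, $CertDir)) {
    if (-not (Test-Path $path)) { throw "Not found: $path" }
}

# Keep a copy of the keystore before modifying it.
$backup = "$keystore.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $keystore -Destination $backup

$restored = 0
foreach ($cert in Get-ChildItem -Path $CertDir -Filter '*.cer') {
    $alias = $cert.BaseName

    # keytool -list exits non-zero when the alias is absent from the keystore.
    & $keytool -list -keystore $keystore -storepass $StorePass -alias $alias *> $null
    if ($LASTEXITCODE -eq 0) {
        Write-Output "present  $alias"
        continue
    }

    # Print the fingerprint so it can be compared with the documented value
    # before the certificate is trusted again.
    & $keytool -printcert -file $cert.FullName | Select-String 'SHA256:'

    & $keytool -importcert -trustcacerts -noprompt -alias $alias `
        -file $cert.FullName -keystore $keystore -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw "Import failed for alias '$alias'" }
    Write-Output "restored $alias"
    $restored++
}

Write-Output "$restored certificate(s) re-imported; keystore backup: $backup"
```

A running JVM keeps the trust store it loaded at startup, so restart the MID Server service after certificates are re-imported.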

Note: The product documentation topic LDAP integration via MID Server notes that the following are NOT available with the MID Server:
  • LDAP authentication
  • SSL connection
  • Refreshing user and group records from LDAP

 

 

Article Information

Last Updated: 2018-12-06 23:50:09
Published: 2018-05-28