06-06-2024 10:55 PM
You can add certificates to the MID Server to communicate over SSL/TLS in one of two ways:
- Add certificates directly to the bundled JRE TrustStore file, using the following procedure.
- Specify a different TrustStore file for the MID Server to use. For more information, see Specify an external TrustStore for the MID Server.
Review both methods to evaluate which best meets your needs.
During MID upgrade the bundled TrustStore is overwritten. The MID Server attempts to migrate certificates from the existing TrustStore to the incoming one. To be migrated, certificates must meet the following criteria:
Quebec (backported to Orlando Patch 10 and Paris Patch 4)
- X.509 v3 certificates
- Basic Constraints Extension evaluates to false (or is not present)
Rome (backported to Paris Patch 7 and Quebec Patch 2)
- X.509 certificates
- Any certificate present in the source, but not the destination TrustStore
Certificates that do not meet the criteria are overwritten. Alternatively, you can specify an external TrustStore file which is unaffected by MID Server upgrades. For more information, see Specify an external TrustStore for the MID Server.
In Rome and later families, the migration strategy utilized during upgrade is configurable via the MID Server configuration parameter mid.truststore.migration.strategy. It can take the following values:
- migrate_delta: the default strategy (outlined above for Rome)
- migrate_non_ca: a strategy matching the one outlined above for the Quebec family
- do_not_migrate: disables the TrustStore migration during upgrade, though a backup of the original TrustStore is made in the event of overwrite
During this migration process, backups of the original and upgrade TrustStores are made and stored in the agent’s work directory: …\agent\work\truststore_migration\<time epoch seconds>\. The original TrustStore is renamed to cacerts_before and the upgrade TrustStore is renamed to cacerts_from_upgrade.
Procedure
- Open a command prompt and navigate to the folder containing the JRE keytool.
This is the location of the JRE you installed. An example path might be: C:\Program Files\Java\jre1.8.0_161\bin
- Import a certificate into the MID Server's cacerts keystore, using this command:
keytool -import -alias <certificate alias> -file "<path to certificate>" -keystore "<path to the JRE>\lib\security\cacerts"
For example, you might enter: keytool -import -alias MyCA -file "C:\myca.cer" -keystore "C:\Program Files\Java\jre1.8.0_161\lib\security\cacerts"
Enter the password and press Enter.
Restart the Service.
#Discovery
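The import procedure from the post above, as an added PowerShell example (not part of the original post or the vendor documentation). It checks that every file exists before calling keytool, shows the certificate so its fingerprint can be verified before it is trusted, and backs up the TrustStore first; the paths and alias are the example values from the post and must be adjusted to the actual install.

```powershell
# Added example: paths and alias are the sample values from the post, not real ones.
param(
    [string]$JreHome  = 'C:\Program Files\Java\jre1.8.0_161',
    [string]$CertFile = 'C:\myca.cer',
    [string]$Alias    = 'MyCA'
)
$ErrorActionPreference = 'Stop'
$keytool = Join-Path $JreHome 'bin\keytool.exe'
$cacerts = Join-Path $JreHome 'lib\security\cacerts'

# Fail early with a clear message instead of keytool's FileNotFoundException.
foreach ($p in $keytool, $cacerts, $CertFile) {
    if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { throw "File not found: $p" }
}

# Print the certificate so its SHA-256 fingerprint, subject and validity can be
# compared with values obtained from the CA owner through a separate channel.
& $keytool -printcert -file $CertFile
if ($LASTEXITCODE -ne 0) { throw "keytool could not read $CertFile" }
if ((Read-Host 'Fingerprint verified out of band? (yes/no)') -ne 'yes') {
    throw 'Import aborted: certificate not verified.'
}

# Keep a timestamped copy of the TrustStore before modifying it.
$backup = "$cacerts.bak-$(Get-Date -Format yyyyMMddHHmmss)"
Copy-Item -LiteralPath $cacerts -Destination $backup

# Import. keytool prompts for the keystore password, so the password never
# appears in the script, the command line or the shell history.
& $keytool -import -alias $Alias -file $CertFile -keystore $cacerts
if ($LASTEXITCODE -ne 0) { throw "Import failed; original TrustStore kept at $backup" }

# Confirm the entry now exists under the expected alias.
& $keytool -list -v -alias $Alias -keystore $cacerts
```

Run it from an elevated prompt, since the JRE directory is normally writable only by administrators, and restart the MID Server service afterwards as the procedure describes.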
06-06-2024 11:56 PM
Helpful. Thank you for sharing.
04-28-2025 09:07 AM
Hi @Akash Bhardhwa1,
Do we need to create any password for the keystore? I tried to use the default password as per the ServiceNow doc, but I am encountering the error below:
Enter keystore password:
keytool error: java.io.FileNotFoundException: E:\XXXXXXXX (The system cannot find the file specified)
Kindly suggest!
04-28-2025 11:39 PM
It should be the default one.
2 weeks ago
For importing CA certificates in order to use LDAPS and other communications, you do not have to use the import command (anymore) with specifying the keystore and a password. As the image shows, you should use -cacerts. The keystore parameter is then not supported, and you immediately get a dump of the cert and the option to import it. Easy going...