In version 21.0, TLS is enabled/required for Agent/AWI <--> JCP communication.
If the certificate in the keystore needs to be renewed (because it is approaching expiration, or because servers are being added to a SAN certificate), what is the best way to load it so that the JCPs and agents recognise the update?
In an active/active or high availability (HA) setup, do each server's JCPs need to be stopped one at a time?
Release : 21.0.4
As of 21.0.4, the JCP automatically reloads a new certificate placed in its keystore, provided the keystore password and certificate alias are the same as before (they must match what is configured in that JCP's ucsrv.ini). No JCP restart is needed, so in an active/active or HA setup the JCPs do not have to be stopped, one at a time or otherwise, for the renewed certificate to take effect.
The reload happens within minutes of the keystore being updated and is logged with messages like:
20230303/123823.160 - 48 U00045428 The TLS certificate will expire on: '2024-02-21 22:25:06 UTC'
20230303/123823.161 - 48 U00045442 Keystore 'C:\tools\certs\main3_Automic1.p12' renewed successfully.
20230303/123823.199 - 48 Jetty: x509=X509@42392929(jetty,h=[server1, server1.fqdn.domain, server2, server2.fqdn.domain, server3, server3.fqdn.domain],a=[/IP1, /IP2, /IP3],w=[]) for Server@7d058777[provider=null,keyStore=file:///C:/certs/automic_keystore.p12,trustStore=null]
Agents read the trusted certificates in the folder named by the "trustedCertFolder=" setting of their ini file only at agent startup.
Because the JCP is not restarted, existing agent connections are not dropped; the agents therefore do not reconnect when the certificate is reloaded and will validate the renewed certificate the next time they are stopped and started. If the renewed certificate no longer chains to something already present in trustedCertFolder (for example, it was issued by a different CA), update that folder before restarting the agent.
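To confirm that a JCP actually picked up the renewed keystore (and, for the SAN case, that the newly added servers are now in the served certificate), the messages above can be checked programmatically. The following is an added example, not code from the page or from the product; the message numbers U00045428 and U00045442 and the line layout are those quoted above, the sample log is constructed from them, and the function names, the "ok" policy (renewed, more than warn_days left, all expected hosts present) and the assumption that the log timestamps and the expiry are both UTC are mine.

```python
"""Check a JCP log for the automatic keystore reload described on this page.

Added example. Message numbers and line shapes are taken from the page;
everything else (function names, the 'ok' policy) is an assumption.
"""
import re
from datetime import datetime, timezone

EXPIRY_MSG = "U00045428"   # "The TLS certificate will expire on: ..."
RENEWED_MSG = "U00045442"  # "Keystore '...' renewed successfully."

# 20230303/123823.160 - 48 U00045428 text...  (the Jetty line has no message number)
LINE_RE = re.compile(
    r"^(?P<date>\d{8})/(?P<time>\d{6})\.\d{3} - \d+ (?:(?P<msg>U\d{8}) )?(?P<text>.*)$"
)
EXPIRY_RE = re.compile(r"will expire on: '(?P<ts>[^']+)'")
RENEWED_RE = re.compile(r"Keystore '(?P<path>[^']+)' renewed successfully")
SAN_RE = re.compile(r"x509=.*?h=\[(?P<hosts>[^\]]*)\]")   # Jetty's list of SAN host names

# Constructed sample, copied from the log excerpt on this page.
SAMPLE_LOG = r"""
20230303/123823.160 - 48 U00045428 The TLS certificate will expire on: '2024-02-21 22:25:06 UTC'
20230303/123823.161 - 48 U00045442 Keystore 'C:\tools\certs\main3_Automic1.p12' renewed successfully.
20230303/123823.199 - 48 Jetty: x509=X509@42392929(jetty,h=[server1, server1.fqdn.domain, server2, server2.fqdn.domain, server3, server3.fqdn.domain],a=[/IP1, /IP2, /IP3],w=[]) for Server@7d058777[provider=null,keyStore=file:///C:/certs/automic_keystore.p12,trustStore=null]
"""
# Fixed "now" matching the sample's date, so the example is reproducible.
DEMO_NOW = datetime(2023, 3, 3, 12, 38, 23, tzinfo=timezone.utc)


def parse_jcp_log(text):
    """Yield (timestamp, message number or None, text) for each parseable JCP log line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank, continuation or unrelated line
        ts = datetime.strptime(m["date"] + m["time"], "%Y%m%d%H%M%S")
        yield ts.replace(tzinfo=timezone.utc), m["msg"], m["text"]


def check_keystore_reload(text, now=None, expected_hosts=(), warn_days=30):
    """Summarise whether the JCP reloaded its keystore and what certificate it now serves.

    expected_hosts: SAN names that must appear in the served certificate, e.g. servers
    that were just added to a SAN certificate. Returns a dict; 'ok' is True only if the
    keystore was renewed, the certificate has more than warn_days left and no expected
    host is missing.
    """
    now = now or datetime.now(timezone.utc)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    result = {"renewed": False, "keystore": None, "expires_at": None,
              "days_left": None, "san_hosts": [], "missing_hosts": [], "ok": False}
    for _ts, msg, body in parse_jcp_log(text):
        if msg == RENEWED_MSG and (m := RENEWED_RE.search(body)):
            result["renewed"] = True
            result["keystore"] = m["path"]
        elif msg == EXPIRY_MSG and (m := EXPIRY_RE.search(body)):
            # Format as logged by the JCP: 'YYYY-MM-DD HH:MM:SS UTC'
            exp = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
            result["expires_at"] = exp
            result["days_left"] = (exp - now).days
        elif m := SAN_RE.search(body):
            result["san_hosts"] = [h.strip() for h in m["hosts"].split(",") if h.strip()]
    result["missing_hosts"] = [h for h in expected_hosts if h not in result["san_hosts"]]
    result["ok"] = (result["renewed"]
                    and result["days_left"] is not None
                    and result["days_left"] > warn_days
                    and not result["missing_hosts"])
    return result


if __name__ == "__main__":
    # Run against a real JCP log instead of SAMPLE_LOG to check a live server.
    summary = check_keystore_reload(SAMPLE_LOG, DEMO_NOW, expected_hosts=("server3.fqdn.domain",))
    for key, value in summary.items():
        print(f"{key:14} {value}")
```

Run it against the JCP's log file rather than SAMPLE_LOG on a live server; if "renewed" stays False after the keystore was replaced, the first things to check are the alias and keystore password in ucsrv.ini, since the reload only happens when those match the new keystore.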
This information is part of the release notes: