REST does not automatically pick up new certificates from keystore without restart

Article ID: 437425


Products

  • CA Automic Workload Automation - Automation Engine
  • CA Automic One Automation

Issue/Introduction

When replacing an expiring SSL/TLS certificate in the keystore, the JCP (Java Communication Process) may detect and pick up the new certificate automatically. However, the REST process continues to use the old/expired certificate. This can result in the following:

  • AWI Search Failures: Search functionality in the Automic Web Interface (AWI) no longer returns results because it relies on the REST API.
  • AWI Logs: Reporting that the certificate for the REST port (e.g., 8088) has expired.
  • Interface Issues: "Odd things happening" within the AWI interface due to failed REST communication.
  • Error Messages:
    • U00045393 SSL Certificate invalid: The validity period of the certificate has expired or not yet reached
    • javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
    • Caused by: java.security.cert.CertificateExpiredException: NotAfter: [Date]

Environment

  • Automic Automation 21.0, 24.x, 26.x
  • REST API has TLS/SSL enabled (sslenabled=1)

Cause

In Automic Automation v21 and v24, the AWI search functionality and other services rely on the REST API. While normal JCPs are programmed to monitor the keystore and refresh certificate entries automatically, the REST process (JCP REST) does not currently share this functionality. It initializes its SSL context during startup and does not re-examine the keystore for changes while running.

Resolution

This behavior will be updated in a new release of 24.4 and 26.x.

Workaround

To apply a new or updated certificate to the REST process and restore functionality (including AWI search):

  1. Update Keystore: Add the new certificate to the keystore (ensure the alias and password match the ucsrv.ini configuration).
  2. Clean Up: Remove any old or expired certificates from the keystore to prevent conflicts.
  3. Restart REST Process: Manually stop and restart the REST process(es) (identified as type REST in the Administration perspective).
  4. Verification:
    • Use openssl s_client -connect [Host]:[Port] to verify the new certificate is being presented.
    • Log back into the AWI and confirm the search functionality is operational.
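
The openssl check in step 4 can be scripted so that it fails loudly when the REST port still serves the old certificate after the restart. The script below is an added example, not part of the original article or of Automic; the host name, file names and function names are assumptions, and the expected certificate is assumed to have been exported from the keystore to a PEM file beforehand.

```shell
#!/bin/sh
# Added example (not vendor code). Host, port and file names are placeholders.
# Expected certificate: export the new entry from the keystore first, e.g.
#   keytool -exportcert -rfc -alias <alias> -keystore <keystore> -file new-cert.pem

# Print the SHA-256 fingerprint of a PEM certificate file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeed if the certificate in $1 is still valid $2 seconds from now (default: now).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# Save the leaf certificate presented on host $1, port $2 to file $3.
fetch_presented_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$3"
}

# Compare a presented certificate ($1) with the expected one ($2).
# Returns 0 = expected cert and valid for $3 more seconds,
#         1 = a different (stale) cert is presented, 2 = expired or expiring.
check_cert_pair() {
    if [ "$(cert_fingerprint "$1")" != "$(cert_fingerprint "$2")" ]; then
        echo "STALE: presented certificate differs from keystore export; restart REST"
        return 1
    fi
    if ! cert_valid_for "$1" "$3"; then
        echo "EXPIRING: presented certificate is not valid for another $3 seconds"
        return 2
    fi
    echo "OK: REST port presents the expected certificate"
}

# Usage: verify_rest_cert HOST PORT EXPECTED.pem [MIN_SECONDS]; returns 3 on fetch failure.
verify_rest_cert() {
    presented=$(mktemp) || return 3
    rc=0
    if fetch_presented_cert "$1" "$2" "$presented"; then
        check_cert_pair "$presented" "$3" "${4:-0}" || rc=$?
    else
        echo "ERROR: could not retrieve a certificate from $1:$2"; rc=3
    fi
    rm -f "$presented"
    return "$rc"
}

# Run only when arguments are given, e.g.: ./check.sh automic-host 8088 new-cert.pem
if [ "$#" -ge 3 ]; then verify_rest_cert "$@"; fi
```

Passing a MIN_SECONDS value such as 2592000 (30 days) turns the same check into an early warning that can run on a schedule before the next certificate expires.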