Announcement: The Cloud Application Integration localhost certificate provided with the Secure Agent package will expire on Monday, September 27, 2021

Version 4

    Issue:

    The Process Engine Secure Agent package uses Informatica’s own self-signed localhost certificate, which is also imported into the ae.cacert (truststore) and ae.keystore (keystore) files. The localhost certificate will expire on Monday, September 27, 2021. After the expiry date, you will encounter an issue if you have set the key-alias and keystore options to use the default localhost configuration.

     

    Possible failure scenarios:

    This issue arises only if you have set the key-alias and keystore options to use the default localhost configuration as shown in the following image:

    Note: You can ignore this announcement:

    • If you have changed the default values and do not use the localhost configuration
    • If you use HTTP to invoke processes published on the Secure Agent

     

    This issue is applicable only for direct invocation of the endpoint on the Secure Agent. Currently, processes that are published on the Secure Agent expose the HTTPS endpoint for invocation. Therefore, you will face an issue in the following scenarios after the certificate expiry date:

    1. If you invoke the HTTPS endpoint from the browser and you have imported the localhost.cer file into the browser to ensure that the endpoint is triggered securely, the call to the endpoint will fail.
    2. If you invoke the HTTPS endpoint from Postman, and you have enabled SSL validation and imported the localhost.cer file, the process invocation will fail.
    3. If you invoke the HTTPS endpoint using the curl command and pass the localhost.cer file as part of the command to set the certificates, the call to the endpoint will fail.
    4. If you invoke the HTTPS endpoint by using any client and the client uses the localhost.cer file to make a secure call, the call from the client will fail.

     

    Resolution:

     

    Secure Option:

    Perform the following steps to resolve the issue:

    1. Download the latest localhost.cer file and the ae.keystore file attached with this announcement.
    2. Complete the following steps after you download the files:
      1. Stop the Process Server.
      2. Delete the ae.keystore file from the following directory:
        <Secure Agent installation directory>/apps/process-engine/conf
      3. Delete the localhost.cer file from the following directory:
        <Secure Agent installation directory>/apps/process-engine/conf/certs
      4. Replace the existing ae.keystore file and localhost.cer file in the following directory with the files that you downloaded:
        <Secure Agent installation directory>/downloads/package-process-engine.<latestversion>/package/app/conf/certs
        Note: If the Secure Agent is installed on the Linux operating system, ensure that the permission for the ae.keystore file and localhost.cer file is set to 644.
      5. Restart the Process Server.

    After you restart the Process Server, you can use the new localhost.cer file, and import and use it in your clients (browser, Postman, curl, or any other client). You can then make secure calls to the endpoint.

          You can import the new certificates before the certificate expiration date.

     

    Insecure Options:

    Use one of the following steps to resolve the issue:

    1. Use the HTTP endpoint instead of the HTTPS endpoint. Click the following URL for more information:
      https://docs.informatica.com/integration-cloud/cloud-application-integration/current-version/3---invoke/runtime-tasks-for-processes/invoking-processes-deployed-to-the-secure-agent.html
    2. Disable the SSL validation and make a call to the HTTPS endpoint in an insecure manner. For example, in the curl command, you can set the ‘-k’ flag, which makes the call in an insecure manner.

     

    Note: The keystore file with the localhost certificate that was shipped by Informatica is only a sample to help you get started. You can customize it if you want to create and maintain your own keystore.