Java 8 to Java 11 Upgrade

Hi

We are planning to upgrade the Groundplex nodes from Java 8 to Java 11 as per the instructions below, given on the portal (applicable to our system):

  1. Stop the existing JCC node by running the following command:
    $ sudo /opt/snaplogic/bin/jcc.sh stop

  2. Download the new Snaplex installer and install the Groundplex, running the RPM, DEB, or Docker installers as appropriate.
    For RPM systems, run the following command:
    $ rpm -U snaplogic-snaplex.rpm

  3. Add the following entry to the /etc/sysconfig/jcc directory. You must create this directory and file if neither are present.
    export SL_JAVA_HOME=/opt/snaplogic/pkgs/jdk-11.0.1/

  4. Start the JCC node by running the following command:
    $ sudo /opt/snaplogic/bin/jcc.sh start

However, I am confused about point 3, as I am unclear what exactly we need to do here.
As we don’t have the /jcc folder there, I will create it, but what permissions do we need to grant to that folder? Which user should the permissions be given to?
What is the name and extension of the file we need to create here? Do we need to put the given export statement inside it, or is it a command?

Please give more clarity on this point.

The /etc/sysconfig directory should contain a file named jcc with the contents

export SL_JAVA_HOME=/opt/snaplogic/pkgs/jdk-11.0.1/

The /etc/sysconfig directory and /etc/sysconfig/jcc file should be readable by everyone. One way to create the file would be

sudo mkdir -p /etc/sysconfig; sudo sh -c "echo 'export SL_JAVA_HOME=/opt/snaplogic/pkgs/jdk-11.0.1/' >> /etc/sysconfig/jcc"

We will update the documentation.

Thanks Dave, I could see it in the documentation also.

Also, can you tell us how we can copy the current cacerts file from the current to the new location using the keytool utility, with reference to the notes below in the documentation? (We don’t have any additional customization to be done on the nodes.)

"
To use custom truststore entries, you should back up the /opt/snaplogic/pkgs/jre1.8.0_162/lib/security/cacerts file and copy any additional custom truststore entries to the /opt/snaplogic/pkgs/jdk-11.0.1/lib/security/cacerts file using the keytool utility.
"
Let me know if you have a command handy.
Thanks

If there are no customizations to be done, then there is no need to copy any entries into the new JRE cacerts.

In case there are new trust entries to be added, the command will be something like

/opt/snaplogic/pkgs/jdk-11.0.1/bin/keytool -import -trustcacerts -keystore /opt/snaplogic/pkgs/jdk-11.0.1/lib/security/cacerts -storepass changeit -alias myalias -file mytrust.txt

The command will change based on what format the trust certificate file is in.

How about an easy process for getting the certs out of the existing Java8 cacerts truststore and into the new Java11 one? Or can we just copy the cacerts file itself?

Copying the trust store file directly is possible, but it is not recommended: the newer JRE installation will have updated CA trust entries, which would get overwritten if the file is directly copied. To copy a custom trust entry, it can be exported and then imported. To get the alias names in the existing trust store, do

$OLD_JRE/bin/keytool -list -keystore $OLD_JRE/lib/security/cacerts -storepass changeit -v | grep ^Alias | grep -v "\[jdk\]"

The CA trust entries have aliases like “digicerttrustedrootg4 [jdk]”; excluding jdk should list only the custom trust entry aliases.

To export a specific certificate named MYALIAS, do
$OLD_JRE/bin/keytool -keystore $OLD_JRE/lib/security/cacerts -storepass changeit -export -file MYALIAS.cert -alias MYALIAS

To import MYALIAS.cert into new trust store, do
$NEW_JRE/bin/keytool -keystore $NEW_JRE/lib/security/cacerts -storepass changeit -import -file MYALIAS.cert -alias MYALIAS

Taking a backup of the cacerts file before the import would be good.

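The list, export and import steps from the answer above, combined into one script as an added example (not code from the thread or from SnapLogic). It assumes English `keytool -list -v` output and the default `changeit` store password; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: copy only the custom trust entries from the old cacerts to the new one.

# Read `keytool -list -v` output on stdin; print the aliases not tagged [jdk], one per line.
custom_aliases() {
    sed -n 's/^Alias name: //p' | grep -v '\[jdk\]' || true
}

# migrate_custom_trust OLD_JRE NEW_JRE [STOREPASS]
migrate_custom_trust() {
    local old="$1" new="$2" pass="${3:-changeit}" tmp alias
    local old_ks="$old/lib/security/cacerts" new_ks="$new/lib/security/cacerts"
    tmp="$(mktemp -d)" || return 1
    # Back up the new store before changing it.
    cp -p "$new_ks" "$new_ks.bak.$(date +%Y%m%d%H%M%S)" || return 1
    "$old/bin/keytool" -list -v -keystore "$old_ks" -storepass "$pass" \
        | custom_aliases > "$tmp/aliases"
    while IFS= read -r alias; do
        # Never replace an entry that already exists in the new store.
        if "$new/bin/keytool" -list -keystore "$new_ks" -storepass "$pass" \
               -alias "$alias" >/dev/null 2>&1; then
            echo "skip (already present): $alias"
            continue
        fi
        "$old/bin/keytool" -exportcert -keystore "$old_ks" -storepass "$pass" \
            -alias "$alias" -file "$tmp/cert.der" || return 1
        # Show the fingerprint so every migrated certificate can be reviewed.
        "$new/bin/keytool" -printcert -file "$tmp/cert.der" | grep 'SHA256:'
        "$new/bin/keytool" -importcert -noprompt -keystore "$new_ks" \
            -storepass "$pass" -alias "$alias" -file "$tmp/cert.der" || return 1
        echo "imported: $alias"
    done < "$tmp/aliases"
    rm -rf "$tmp"
}

# Runs only when both JRE locations are set in the environment, for example
# OLD_JRE=/opt/snaplogic/pkgs/jre1.8.0_162 and NEW_JRE=/opt/snaplogic/pkgs/jdk-11.0.1
if [ -n "${OLD_JRE:-}" ] && [ -n "${NEW_JRE:-}" ]; then
    migrate_custom_trust "$OLD_JRE" "$NEW_JRE"
fi
```

Review the printed SHA256 fingerprints against the certificates you expect to trust; anything unfamiliar in the old store should be investigated rather than carried forward.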