Java 8 to Java 11 Upgrade


We are planning to upgrade the Groundplex nodes from Java 8 to Java 11 as per the instructions below, given on the portal (applicable to our system):

  1. Stop the existing JCC node by running the following command:
    $ sudo /opt/snaplogic/bin/ stop

  2. Download the new Snaplex installer and install the Groundplex, running the RPM, DEB, or Docker installers as appropriate.
    For RPM systems, run the following command:
    $ rpm -U snaplogic-snaplex.rpm

  3. Add the following entry to the /etc/sysconfig/jcc directory. You must create this directory and file if neither are present.
    export SL_JAVA_HOME=/opt/snaplogic/pkgs/jdk-11.0.1/

  4. Start the JCC node by running the following command:
    $ sudo /opt/snaplogic/bin/ start.

However, I am confused about point 3, as I am unclear on what exactly we need to do here.
As we don’t have the /jcc folder there, I will create it, but what permission do we need to grant to that folder? Which user should the permission be given to?
What is the name and extension of the file we need to create here? Do we need to put the given export statement inside it, or is it a command?

Please give more clarity on this point.

The /etc/sysconfig directory should contain a file named jcc with the contents

export SL_JAVA_HOME=/opt/snaplogic/pkgs/jdk-11.0.1/

The /etc/sysconfig directory and /etc/sysconfig/jcc file should be readable by everyone. One way to create the file would be

sudo mkdir -p /etc/sysconfig; sudo sh -c "echo 'export SL_JAVA_HOME=/opt/snaplogic/pkgs/jdk-11.0.1/' >> /etc/sysconfig/jcc"

We will update the documentation.
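
One way to create that file so the step can be re-run safely, as an added example that is not part of the original reply: it replaces an existing SL_JAVA_HOME line instead of appending a second one, and leaves the file world-readable but writable only by its owner. The function name write_jcc_env and its arguments are assumptions.

```sh
#!/bin/sh
# Added example, not SnapLogic's code. write_jcc_env is a hypothetical helper.
# Usage (as root):
#   write_jcc_env /etc/sysconfig/jcc /opt/snaplogic/pkgs/jdk-11.0.1/
write_jcc_env() {
  file=$1; java_home=$2
  dir=$(dirname "$file")

  # Refuse to point the node at a JDK directory that does not exist.
  [ -d "$java_home" ] || { echo "not a directory: $java_home" >&2; return 1; }

  # Create the directory only if it is missing; do not touch existing modes.
  [ -d "$dir" ] || { mkdir -p "$dir" && chmod 755 "$dir"; } || return 1

  # Build the new content in a temp file next to the target, dropping any
  # earlier SL_JAVA_HOME line so repeated runs never stack duplicates.
  tmp=$(mktemp "$file.XXXXXX") || return 1
  if [ -f "$file" ]; then
    grep -v '^export SL_JAVA_HOME=' "$file" > "$tmp" || true
  fi
  echo "export SL_JAVA_HOME=$java_home" >> "$tmp"

  # Readable by everyone, writable by the owner only, then swap into place.
  chmod 644 "$tmp" && mv "$tmp" "$file"
}

if [ "$#" -eq 2 ]; then write_jcc_env "$@"; fi
```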

Thanks Dave, I could see it in the documentation also.

Also, can you tell us how we can copy the current cacerts file from the current location to the new one using the keytool utility, with reference to the notes below from the documentation? (We don’t have any additional customization to be done on the nodes.)

To use custom truststore entries, you should back up the /opt/snaplogic/pkgs/jre1.8.0_162/lib/security/cacerts file and copy any additional custom truststore entries to the /opt/snaplogic/pkgs/jdk-11.0.1/lib/security/cacerts file using the keytool utility.
Let me know if you have a command handy.

If there are no customizations to be done, then there is no need to copy any entries into the new JRE cacerts.

In case there are new trust entries to be added, the command will be something like

/opt/snaplogic/pkgs/jdk-11.0.1/bin/keytool -import -trustcacerts -keystore /opt/snaplogic/pkgs/jdk-11.0.1/lib/security/cacerts -storepass changeit -alias myalias -file mytrust.txt

The command will change based on what format the trust certificate file is in.

How about an easy process for getting the certs out of the existing Java8 cacerts truststore and into the new Java11 one? Or can we just copy the cacerts file itself?

Copying the trust store file directly is possible, but it is not recommended: the newer JRE installation will have updated CA trust entries, which would get overwritten if the file is directly copied. To copy a custom trust entry, it can be exported and then imported. To get the alias names in the existing trust store, do

$OLD_JRE/bin/keytool -list -keystore $OLD_JRE/lib/security/cacerts -storepass changeit -v | grep ^Alias | grep -v "\[jdk\]"

The CA trust entries have aliases like “digicerttrustedrootg4 [jdk]”; excluding jdk should list only the custom trust entry aliases.

To export a specific certificate named MYALIAS, do
$OLD_JRE/bin/keytool -keystore $OLD_JRE/lib/security/cacerts -storepass changeit -export -file MYALIAS.cert -alias MYALIAS

To import MYALIAS.cert into new trust store, do
$NEW_JRE/bin/keytool -keystore $NEW_JRE/lib/security/cacerts -storepass changeit -import -file MYALIAS.cert -alias MYALIAS

Taking a backup of the cacerts file before the import would be good.

1 Like
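
The list, export, import and backup steps from the reply above, combined into one script as an added example (not part of the original thread and not SnapLogic's code). The function names and the APPLY switch are assumptions, and -noprompt is added so the import runs unattended; the JRE paths and the changeit password follow the posts.

```sh
#!/bin/sh
# Added example, not SnapLogic's code. JRE paths and the "changeit" store
# password follow the thread; function names and APPLY are assumptions.

# Reduce `keytool -list -v` output (stdin) to aliases without the "[jdk]" tag.
custom_aliases() {
  sed -n 's/^Alias name: //p' | grep -v '\[jdk\]' || true
}

# Usage: migrate_truststore OLD_JRE NEW_JRE [STOREPASS]
# Dry run unless APPLY=1, so the alias list can be reviewed first.
migrate_truststore() {
  old_jre=$1; new_jre=$2; pass=${3:-changeit}
  old_ks=$old_jre/lib/security/cacerts
  new_ks=$new_jre/lib/security/cacerts
  work=$(mktemp -d) || return 1

  # Fail loudly if the old store cannot be read (wrong path or password).
  "$old_jre/bin/keytool" -list -v -keystore "$old_ks" -storepass "$pass" \
    > "$work/listing" || { rm -rf "$work"; return 1; }
  custom_aliases < "$work/listing" > "$work/aliases"

  if [ "${APPLY:-0}" = 1 ]; then
    # Timestamped backup of the new store so an import can be rolled back.
    cp -p "$new_ks" "$new_ks.bak.$(date +%Y%m%d%H%M%S)" || return 1
  fi

  while IFS= read -r alias; do
    # Never overwrite an alias that already exists in the new store.
    if "$new_jre/bin/keytool" -list -keystore "$new_ks" -storepass "$pass" \
         -alias "$alias" </dev/null >/dev/null 2>&1; then
      echo "skip (already present): $alias"
    elif [ "${APPLY:-0}" != 1 ]; then
      echo "would import: $alias"
    elif "$old_jre/bin/keytool" -export -keystore "$old_ks" \
           -storepass "$pass" -alias "$alias" -file "$work/entry.cert" \
           </dev/null >/dev/null 2>&1 &&
         "$new_jre/bin/keytool" -import -noprompt -keystore "$new_ks" \
           -storepass "$pass" -alias "$alias" -file "$work/entry.cert" \
           </dev/null >/dev/null 2>&1; then
      echo "imported: $alias"
    else
      echo "FAILED: $alias" >&2
    fi
  done < "$work/aliases"
  rm -rf "$work"
}

if [ "$#" -ge 2 ]; then migrate_truststore "$@"; fi
```

If the old store's CA entries do not carry the [jdk] tag, the dry run lists them as well, so review its output before setting APPLY=1.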

If we’ve installed custom server certificates, which the ground nodes present for triggered tasks and such (in /etc/snaplogic/jcc-serverkeys.jks), do we have to redo anything there?

No change is required as part of the JRE upgrade for handling custom SSL certificates and certificates used for enhanced encryption.

Okay, thanks! Got a question on this step:

Download the new Snaplex installer and install the Groundplex, running the RPM, DEB, or Docker installers as appropriate.
For RPM systems, run the following command:
$ rpm -U snaplogic-snaplex.rpm

I downloaded snaplogic-sidekick-4.master-6851-x86_64.rpm from my Manager UI, but when I run the following:

rpm -U snaplogic-sidekick-4.master-6851-x86_64.rpm

I get the following response, and the RPM update quits:

package snaplogic-sidekick-1:4.mrc298-1.x86_64 (which is newer than snaplogic-sidekick-4.master_6851-1.x86_64) is already installed

Any thoughts what this is about?

FYI for others’ awareness -

I opened a case with support, and they claim our original RPM of SnapLogic (on this particular machine) is “very old” (<3yr) when they used a different RPM versioning format, so the rpm -U (update) won’t work as documented. They say we need to completely uninstall the existing package and then reinstall the latest package, which means that not only do the CA certs have to be re-applied (planned), but also the SERVER certs (not planned), and probably have to redo the system service/init.d settings as well (not planned). And that process may vary on each machine, depending on the original RPM used to install on that specific machine (basically age of the original install) - even though everything is running latest release…


This ended up having a simpler solution!

rpm -U --force

