Security Database restore leading to lingering Certificate Template id in Config files
02 March 2020 11:08 AM
MarkLogic stores certificates in the Security database. Every user-created certificate document is stored there together with the ID of the certificate template it belongs to.
For example, a newly installed signed certificate is stored at a URI such as http://marklogic.com/xdmp/pki/certificates/160051481396114827.xml, and that document carries the template ID (<pki:template-id>13176215136521847243</pki:template-id>).
When a certificate template is attached to an App Server, the same template ID is also recorded in the groups.xml configuration file for that App Server.
The template ID is the only configuration value with a two-way reference: one copy lives in the groups.xml configuration file, the other inside the certificate document in the Security database.
When the Security database is restored, the existing certificate documents, and with them the template IDs they reference, are replaced by the restored ones. If an App Server still references a template ID from before the restore (for example an SSL-enabled App Server whose certificate template was never detached before the restore), groups.xml now points to a template ID that no longer exists.
In that situation, requests to that App Server fail with an HTTP 500 Internal Server Error.
How to avoid this situation?
The safest approach is to detach the certificate template from every App Server (go through each App Server in turn) before restoring the Security database. Once the restore is complete, re-attach the App Servers to the templates that exist in the restored Security database to enable SSL again.
How to recover?
The workaround is to stop the MarkLogic service and remove the stale template ID from the configuration file as well. groups.xml is located in the MarkLogic data directory (/var/opt/MarkLogic on a default Linux install); the lingering template ID is the value of the App Server's <ssl-certificate-template> element, which needs to be removed.
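The following script is an added example and not MarkLogic's own tooling: it cross-checks the <ssl-certificate-template> values in a copy of groups.xml against the pki:template-id values found in the certificate documents of the restored Security database, reports every App Server whose template ID no longer exists, and writes out a scrubbed groups.xml with those elements removed (a value of 0 means SSL is off and is left alone). The groups.xml layout (default namespace http://marklogic.com/xdmp/group, server elements carrying an <http-server-name>-style child) and the certificate document layout are assumptions based on the namespaces quoted above; the sample XML and template IDs are constructed for the demonstration. Run it against the real files only with MarkLogic stopped, on a copy, and diff the result before replacing the original.

```python
import sys
import xml.etree.ElementTree as ET

GROUP_NS = "http://marklogic.com/xdmp/group"   # assumed default namespace of groups.xml
PKI_NS = "http://marklogic.com/xdmp/pki"       # namespace of the pki:template-id element
TEMPLATE_TAG = f"{{{GROUP_NS}}}ssl-certificate-template"

# Constructed sample groups.xml: one server with SSL off, one whose template survived the
# restore, and one still pointing at a template ID that no longer exists.
SAMPLE_GROUPS_XML = """<groups xmlns="http://marklogic.com/xdmp/group">
  <group>
    <group-name>Default</group-name>
    <http-servers>
      <http-server>
        <http-server-name>App-Services</http-server-name>
        <port>8000</port>
        <ssl-certificate-template>0</ssl-certificate-template>
      </http-server>
      <http-server>
        <http-server-name>secure-app</http-server-name>
        <port>8443</port>
        <ssl-certificate-template>13176215136521847243</ssl-certificate-template>
      </http-server>
      <http-server>
        <http-server-name>stale-app</http-server-name>
        <port>8444</port>
        <ssl-certificate-template>99999999999999999999</ssl-certificate-template>
      </http-server>
    </http-servers>
  </group>
</groups>"""

# Constructed sample certificate documents as they would be read out of the restored
# Security database (only the template-id element matters here; other elements omitted).
SAMPLE_CERT_DOCS = [
    """<pki:certificate xmlns:pki="http://marklogic.com/xdmp/pki">
  <pki:template-id>13176215136521847243</pki:template-id>
</pki:certificate>""",
]


def template_ids_in_certificates(cert_docs):
    """Collect every pki:template-id referenced by the given certificate documents."""
    ids = set()
    for doc in cert_docs:
        for el in ET.fromstring(doc).iter(f"{{{PKI_NS}}}template-id"):
            ids.add((el.text or "").strip())
    return ids


def _server_name(server):
    """Return the *-server-name child (http-server-name, xdbc-server-name, ...)."""
    for child in server:
        if child.tag.endswith("-server-name"):
            return child.text
    return "<unnamed>"


def scrub_groups_xml(groups_xml, valid_ids):
    """Remove <ssl-certificate-template> elements whose ID is not in valid_ids.

    Returns (scrubbed_xml, removed) where removed lists (group, server, template-id).
    A value of 0 (SSL off) is never touched.
    """
    ET.register_namespace("", GROUP_NS)  # keep the default namespace on output
    root = ET.fromstring(groups_xml)
    removed = []
    for group in root.findall(f"{{{GROUP_NS}}}group"):
        gname = group.findtext(f"{{{GROUP_NS}}}group-name")
        # Snapshot the subtree first; we mutate children while walking it.
        for server in list(group.iter()):
            for child in list(server):
                if child.tag != TEMPLATE_TAG:
                    continue
                tid = (child.text or "").strip()
                if tid in ("", "0") or tid in valid_ids:
                    continue
                removed.append((gname, _server_name(server), tid))
                server.remove(child)
    return ET.tostring(root, encoding="unicode"), removed


def find_lingering_templates(groups_xml, valid_ids):
    """Report-only variant: which App Servers reference a template ID that no longer exists."""
    return scrub_groups_xml(groups_xml, valid_ids)[1]


if __name__ == "__main__":
    valid = template_ids_in_certificates(SAMPLE_CERT_DOCS)
    scrubbed, removed = scrub_groups_xml(SAMPLE_GROUPS_XML, valid)
    for gname, sname, tid in removed:
        print(f"group {gname}: App Server {sname} referenced missing template {tid}",
              file=sys.stderr)
    print(scrubbed)
```

With the sample input the script reports stale-app as the only App Server with a lingering template ID and leaves the other two <ssl-certificate-template> elements intact. On a real cluster every host carries its own copy of groups.xml, so the scrubbed file has to be put in place on each host before MarkLogic is started again.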
Follow the steps below to replace groups.xml on the cluster.
In the latest MarkLogic versions a warning about a missing certificate template ID in the configuration file is logged. Further work to prevent the issue altogether is still in progress, as it requires some redesign.
Related MarkLogic Documentation
Configuring SSL on App Servers