Add global-bundle.pem to default cert list

- Removed rds-ca-2019-root.pem as it is included in global-bundle.pem.
- This change simplifies the certificate management in the JDBC driver.

src/main/java/software/amazon/documentdb/jdbc/DocumentDbConnectionProperties.java

@@ -68,7 +68,7 @@ public class DocumentDbConnectionProperties extends Properties {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(DocumentDbConnectionProperties.class.getName());
     private static final Pattern WHITE_SPACE_PATTERN = Pattern.compile("^\\s*$");
-    private static final String ROOT_2019_PEM_RESOURCE_FILE_NAME = "/rds-ca-2019-root.pem";
+    private static final String GLOBAL_BUNDLE_PEM_RESOURCE_FILE_NAME = "/global-bundle.pem";
     private static final String ROOT_2021_PEM_RESOURCE_FILE_NAME = "/rds-prod-root-ca-2021.pem";
     public static final String HOME_PATH_PREFIX_REG_EXPR = "^~[/\\\\].*$";
     public static final int FETCH_SIZE_DEFAULT = 2000;
@@ -1431,9 +1431,9 @@ void appendEmbeddedAndOptionalCaCertificates(final List<Certificate> caCertifica
             }
         }
         // Load embedded CA root certificates.
-        try (InputStream pem2019ResourceAsStream = getClass().getResourceAsStream(ROOT_2019_PEM_RESOURCE_FILE_NAME);
+        try (InputStream globalBundleResourceAsStream = getClass().getResourceAsStream(GLOBAL_BUNDLE_PEM_RESOURCE_FILE_NAME);
              InputStream pem2021ResourceAsStream = getClass().getResourceAsStream(ROOT_2021_PEM_RESOURCE_FILE_NAME)) {
-            caCertificates.addAll(CertificateUtils.loadCertificate(pem2019ResourceAsStream));
+            caCertificates.addAll(CertificateUtils.loadCertificate(globalBundleResourceAsStream));
             caCertificates.addAll(CertificateUtils.loadCertificate(pem2021ResourceAsStream));
         }
     }

src/markdown/setup/setup.md

@@ -36,12 +36,12 @@ If you are connecting to a TLS-enabled cluster, you may want to specify the Amaz
 on your connection string. By default, an Amazon RDS Certificate Authority root certificate has been embedded in the 
 JDBC driver JAR file which should work when connecting to Amazon DocumentDB clusters using SSL/TLS encryption. However, 
 if you want to provide a new Amazon RDS Certificate Authority root certificate, follow the directions below:
-1. [Download the root CA certificate](https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem)
+1. [Download the root CA certificate](https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem)
 2. It is recommended to relocate the file to your user's home directory: `$HOME` for Windows or `~` for MacOS/Linux.
 3. Add the `tlsCAFile` option to your [JDBC connection string](connection-string.md). For example: 
 
     ~~~
-    jdbc:documentdb://localhost:27017/<database-name>?tlsAllowInvalidHostnames=true&tlsCAFile=rds-ca-2019-root.pem
+    jdbc:documentdb://localhost:27017/<database-name>?tlsAllowInvalidHostnames=true&tlsCAFile=global-bundle.pem
     ~~~
 
 To determine whether your cluster is TLS-enabled, you can 

src/markdown/support/troubleshooting-guide.md

@@ -119,8 +119,8 @@ The online security resources may give a pointer how to fix this.
    See [Specifying the Amazon RDS Certificate Authority Certificate File](../setup/setup.md#specifying-the-amazon-rds-certificate-authority-certificate-file). 
 1. Copy the file to your home directory.
 1. Provide the root certificate file name in the connection. 
-   - Tableau: *TLS Certificate Authority File (Optional)* : `~/rds-ca-2019-root.pem`
-   - DbVisualizer: `jdbc:documentdb://localhost:27017/test?tls=true&tlsAllowInvalidHostnames=true&tlsCAFile=~/rds-ca-2019-root.pem`
+   - Tableau: *TLS Certificate Authority File (Optional)* : `~/global-bundle.pem`
+   - DbVisualizer: `jdbc:documentdb://localhost:27017/test?tls=true&tlsAllowInvalidHostnames=true&tlsCAFile=~/global-bundle.pem`
 
 ### Invalid hostname 
 #### What to look for: 

src/test/java/software/amazon/documentdb/jdbc/DocumentDbConnectionPropertiesTest.java

@@ -65,7 +65,7 @@ public void testValidProperties() {
         properties.setTlsAllowInvalidHostnames("true");
         properties.setTlsEnabled("true");
         properties.setRetryReadsEnabled("true");
-        properties.setTlsCAFilePath("src/main/resources/rds-ca-2019-root.pem");
+        properties.setTlsCAFilePath("src/main/resources/global-bundle.pem");
         properties.setSshUser("SSHUSER");
         properties.setSshHostname("SSHHOST");
         properties.setSshPrivateKeyFile("~/.ssh/test-file-name.pem");
@@ -89,7 +89,7 @@ public void testValidProperties() {
         Assertions.assertTrue(properties.getTlsEnabled());
         Assertions.assertTrue(properties.getTlsAllowInvalidHostnames());
         Assertions.assertTrue(properties.getRetryReadsEnabled());
-        Assertions.assertEquals("src/main/resources/rds-ca-2019-root.pem",
+        Assertions.assertEquals("src/main/resources/global-bundle.pem",
                 properties.getTlsCAFilePath());
         Assertions.assertEquals("SSHUSER", properties.getSshUser());
         Assertions.assertEquals("SSHHOST", properties.getSshHostname());
@@ -109,7 +109,7 @@ public void testValidProperties() {
                         + "&scanLimit=100"
                         + "&replicaSet=rs0"
                         + "&tlsAllowInvalidHostnames=true"
-                        + "&tlsCAFile=src%2Fmain%2Fresources%2Frds-ca-2019-root.pem"
+                        + "&tlsCAFile=src%2Fmain%2Fresources%2Fglobal-bundle.pem"
                         + "&sshUser=SSHUSER"
                         + "&sshHost=SSHHOST"
                         + "&sshPrivateKeyFile=%7E%2F.ssh%2Ftest-file-name.pem"
@@ -241,7 +241,7 @@ public void testSetPropertiesFromConnectionString() throws SQLException {
                 "&" + DocumentDbConnectionProperty.REPLICA_SET.getName() + "=" + "rs0" +
                 "&" + DocumentDbConnectionProperty.TLS_ENABLED.getName() + "=" + "true" +
                 "&" + DocumentDbConnectionProperty.TLS_ALLOW_INVALID_HOSTNAMES.getName() + "=" + "true" +
-                "&" + DocumentDbConnectionProperty.TLS_CA_FILE.getName() + "=" + "~/rds-ca-2019-root.pem" +
+                "&" + DocumentDbConnectionProperty.TLS_CA_FILE.getName() + "=" + "~/global-bundle.pem" +
                 "&" + DocumentDbConnectionProperty.LOGIN_TIMEOUT_SEC.getName() + "=" + "4" +
                 "&" + DocumentDbConnectionProperty.RETRY_READS_ENABLED.getName() + "=" + "true" +
                 "&" + DocumentDbConnectionProperty.METADATA_SCAN_METHOD.getName() + "=" + "random" +
@@ -419,11 +419,11 @@ void testAppendEmbeddedAndOptionalCaCertificates() throws SQLException, IOExcept
                 .getPropertiesFromConnectionString(info, connectionString, DOCUMENT_DB_SCHEME);
         final List<Certificate> caCertificates = new ArrayList<>();
         properties.appendEmbeddedAndOptionalCaCertificates(caCertificates);
-        Assertions.assertEquals(2, caCertificates.size());
+        Assertions.assertEquals(122, caCertificates.size());
         caCertificates.clear();
-        properties.setTlsCAFilePath("src/main/resources/rds-ca-2019-root.pem");
+        properties.setTlsCAFilePath("src/main/resources/global-bundle.pem");
         properties.appendEmbeddedAndOptionalCaCertificates(caCertificates);
-        Assertions.assertEquals(3, caCertificates.size());
+        Assertions.assertEquals(243, caCertificates.size());
         caCertificates.clear();
         properties.setTlsCAFilePath("invalid-path.pem");
         Assertions.assertThrows(SQLException.class,
@@ -447,7 +447,7 @@ void testBuildSshConnectionProperties() throws SQLException {
         properties.setTlsAllowInvalidHostnames("true");
         properties.setTlsEnabled("true");
         properties.setRetryReadsEnabled("true");
-        properties.setTlsCAFilePath("src/main/resources/rds-ca-2019-root.pem");
+        properties.setTlsCAFilePath("src/main/resources/global-bundle.pem");
         properties.setSshUser("SSHUSER");
         properties.setSshHostname("SSHHOST");
         properties.setSshPrivateKeyFile("~/.ssh/test-file-name.pem");