Add global-bundle.pem to default cert list #566

Closed
wants to merge 1 commit into from
Expand Up @@ -68,7 +68,7 @@ public class DocumentDbConnectionProperties extends Properties {

private static final Logger LOGGER = LoggerFactory.getLogger(DocumentDbConnectionProperties.class.getName());
private static final Pattern WHITE_SPACE_PATTERN = Pattern.compile("^\\s*$");
private static final String ROOT_2019_PEM_RESOURCE_FILE_NAME = "/rds-ca-2019-root.pem";
private static final String GLOBAL_BUNDLE_PEM_RESOURCE_FILE_NAME = "/global-bundle.pem";
private static final String ROOT_2021_PEM_RESOURCE_FILE_NAME = "/rds-prod-root-ca-2021.pem";
public static final String HOME_PATH_PREFIX_REG_EXPR = "^~[/\\\\].*$";
public static final int FETCH_SIZE_DEFAULT = 2000;
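Review bot: ROOT_2021_PEM_RESOURCE_FILE_NAME is still loaded alongside the new GLOBAL_BUNDLE_PEM_RESOURCE_FILE_NAME; check whether the global bundle already carries that 2021 root, because the loader in the second hunk appends without de-duplication and a root present in both resources ends up twice in the trust list. If the bundle covers it, drop the separate 2021 resource; if it does not, add a comment next to these constants saying why both are needed, so the next person who rotates the files knows what to keep.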
Expand Down Expand Up @@ -1431,9 +1431,9 @@ void appendEmbeddedAndOptionalCaCertificates(final List<Certificate> caCertifica
}
}
// Load embedded CA root certificates.
try (InputStream pem2019ResourceAsStream = getClass().getResourceAsStream(ROOT_2019_PEM_RESOURCE_FILE_NAME);
try (InputStream globalBundleResourceAsStream = getClass().getResourceAsStream(GLOBAL_BUNDLE_PEM_RESOURCE_FILE_NAME);
InputStream pem2021ResourceAsStream = getClass().getResourceAsStream(ROOT_2021_PEM_RESOURCE_FILE_NAME)) {
caCertificates.addAll(CertificateUtils.loadCertificate(pem2019ResourceAsStream));
caCertificates.addAll(CertificateUtils.loadCertificate(globalBundleResourceAsStream));
caCertificates.addAll(CertificateUtils.loadCertificate(pem2021ResourceAsStream));
}
}
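Review bot: getResourceAsStream returns null when the resource is missing from the JAR, and the new globalBundleResourceAsStream is handed straight to CertificateUtils.loadCertificate with no null check, so a packaging mistake would surface as a NullPointerException (or, depending on loadCertificate, a silently shorter trust list) rather than a clear error. Guard each stream explicitly, e.g. `Objects.requireNonNull(globalBundleResourceAsStream, GLOBAL_BUNDLE_PEM_RESOURCE_FILE_NAME + " not found on classpath")`, and consider logging the number of certificates loaded through LOGGER so an operator can confirm which bundle actually shipped in the driver.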
3,028 changes: 3,028 additions & 0 deletions src/main/resources/global-bundle.pem

Large diffs are not rendered by default.
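Review bot: the embedded trust bundle is 3,028 lines that nobody can review by eye here, so its provenance should be recorded: the download URL (https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem, the one used in setup.md), the retrieval date and a SHA-256 of the committed file, either in the PR description or in a comment beside the resource. That lets a later reviewer verify the committed bundle matches what AWS publishes and recognise when it is due for a refresh.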

24 changes: 0 additions & 24 deletions src/main/resources/rds-ca-2019-root.pem

This file was deleted.

2 changes: 1 addition & 1 deletion src/markdown/setup/connection-string.md
Expand Up @@ -25,7 +25,7 @@
| `retryReads` | (true/false) If true, the driver will retry supported read operations if they fail due to a network error. | `true`
| `tls` | (true/false) If true, use TLS encryption when communicating with the DocumentDB server. | `true`
| `tlsAllowInvalidHostnames` | (true/false) If true, invalid host names for the TLS certificate are allowed. This is useful when using an internal SSH tunnel to a DocumentDB server. | `false`
| `tlsCAFile` | (string) The path to the trusted Certificate Authority (CA) `.pem` file. If the path starts with the tilde character (`~`), it will be replaced with the user's home directory. Ensure to use only forward slash characters (`/`) in the path or URL encode the path. Providing the trusted Certificate Authority (CA) `.pem` file is optional as the current Amazon RDS root CA is used by default when the `tls` option is set to `true`. This embedded certificate is set to expire on 2024-08-22. For example, to provide a new trusted Certificate Authority (CA) `.pem` file that is located in the current user's `Downloads` subdirectory of their home directory, use the following: `tlsCAFile=~/Downloads/rds-ca-2019-root.pem`. | `NONE`
| `tlsCAFile` | (string) The path to the trusted Certificate Authority (CA) `.pem` file. If the path starts with the tilde character (`~`), it will be replaced with the user's home directory. Ensure to use only forward slash characters (`/`) in the path or URL encode the path. Providing the trusted Certificate Authority (CA) `.pem` file is optional as the current Amazon RDS root CA is used by default when the `tls` option is set to `true`. This embedded certificate is set to expire on 2024-08-22. For example, to provide a new trusted Certificate Authority (CA) `.pem` file that is located in the current user's `Downloads` subdirectory of their home directory, use the following: `tlsCAFile=~/Downloads/global-bundle.pem`. | `NONE`
| `sshUser` | (string) The username for the internal SSH tunnel. If provided, options `sshHost` and `sshPrivateKeyFile` must also be provided, otherwise this option is ignored. | `NONE`
| `sshHost` | (string) The host name for the internal SSH tunnel. Optionally the SSH tunnel port number can be provided using the syntax `<ssh-host>:<port>`. The default port is `22`. If provided, options `sshUser` and `sshPrivateKeyFile` must also be provided, otherwise this option is ignored. | `NONE`
| `sshPrivateKeyFile` | (string) The path to the private key file for the internal SSH tunnel. If the path starts with the tilde character (`~`), it will be replaced with the user's home directory. If the path is relative, the absolute path will try to be resolved by searching in the user's home directory (`~`), the `.documentdb` folder under the user's home directory or in the same directory as the driver JAR file. If the file cannot be found, a connection error will occur. If provided, options `sshUser` and `sshHost` must also be provided, otherwise this option is ignored. | `NONE`
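Review bot: the changed `tlsCAFile` row still says "the current Amazon RDS root CA is used by default" and "This embedded certificate is set to expire on 2024-08-22", both of which are now stale: the driver embeds the global bundle of Amazon RDS CA certificates rather than a single root, and the 2024-08-22 date belongs to the removed rds-ca-2019-root.pem. Reword the row to say the bundle is embedded and drop or correct the expiry sentence, otherwise users will be nudged into overriding a trust store that is still valid.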
4 changes: 2 additions & 2 deletions src/markdown/setup/setup.md
Expand Up @@ -36,12 +36,12 @@ If you are connecting to a TLS-enabled cluster, you may want to specify the Amaz
on your connection string. By default, an Amazon RDS Certificate Authority root certificate has been embedded in the
JDBC driver JAR file which should work when connecting to Amazon DocumentDB clusters using SSL/TLS encryption. However,
if you want to provide a new Amazon RDS Certificate Authority root certificate, follow the directions below:
1. [Download the root CA certificate](https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem)
1. [Download the root CA certificate](https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem)
2. It is recommended to relocate the file to your user's home directory: `$HOME` for Windows or `~` for MacOS/Linux.
3. Add the `tlsCAFile` option to your [JDBC connection string](connection-string.md). For example:

~~~
jdbc:documentdb://localhost:27017/<database-name>?tlsAllowInvalidHostnames=true&tlsCAFile=rds-ca-2019-root.pem
jdbc:documentdb://localhost:27017/<database-name>?tlsAllowInvalidHostnames=true&tlsCAFile=global-bundle.pem
~~~

To determine whether your cluster is TLS-enabled, you can
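Review bot: the unchanged paragraph above the numbered steps still describes a single "Amazon RDS Certificate Authority root certificate" embedded in the JAR, and step 1 is still labelled "Download the root CA certificate", while the link now fetches the global bundle. Adjust both to "certificate bundle" so the text matches the file, and add a short sentence that the bundle contains the CA certificates for all Regions, which is the reason it replaces the 2019 root.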
4 changes: 2 additions & 2 deletions src/markdown/support/troubleshooting-guide.md
Expand Up @@ -119,8 +119,8 @@ The online security resources may give a pointer how to fix this.
See [Specifying the Amazon RDS Certificate Authority Certificate File](../setup/setup.md#specifying-the-amazon-rds-certificate-authority-certificate-file).
1. Copy the file to your home directory.
1. Provide the root certificate file name in the connection.
- Tableau: *TLS Certificate Authority File (Optional)* : `~/rds-ca-2019-root.pem`
- DbVisualizer: `jdbc:documentdb://localhost:27017/test?tls=true&tlsAllowInvalidHostnames=true&tlsCAFile=~/rds-ca-2019-root.pem`
- Tableau: *TLS Certificate Authority File (Optional)* : `~/global-bundle.pem`
- DbVisualizer: `jdbc:documentdb://localhost:27017/test?tls=true&tlsAllowInvalidHostnames=true&tlsCAFile=~/global-bundle.pem`

### Invalid hostname
#### What to look for:
Expand Up @@ -65,7 +65,7 @@ public void testValidProperties() {
properties.setTlsAllowInvalidHostnames("true");
properties.setTlsEnabled("true");
properties.setRetryReadsEnabled("true");
properties.setTlsCAFilePath("src/main/resources/rds-ca-2019-root.pem");
properties.setTlsCAFilePath("src/main/resources/global-bundle.pem");
properties.setSshUser("SSHUSER");
properties.setSshHostname("SSHHOST");
properties.setSshPrivateKeyFile("~/.ssh/test-file-name.pem");
Expand All @@ -89,7 +89,7 @@ public void testValidProperties() {
Assertions.assertTrue(properties.getTlsEnabled());
Assertions.assertTrue(properties.getTlsAllowInvalidHostnames());
Assertions.assertTrue(properties.getRetryReadsEnabled());
Assertions.assertEquals("src/main/resources/rds-ca-2019-root.pem",
Assertions.assertEquals("src/main/resources/global-bundle.pem",
properties.getTlsCAFilePath());
Assertions.assertEquals("SSHUSER", properties.getSshUser());
Assertions.assertEquals("SSHHOST", properties.getSshHostname());
Expand All @@ -109,7 +109,7 @@ public void testValidProperties() {
+ "&scanLimit=100"
+ "&replicaSet=rs0"
+ "&tlsAllowInvalidHostnames=true"
+ "&tlsCAFile=src%2Fmain%2Fresources%2Frds-ca-2019-root.pem"
+ "&tlsCAFile=src%2Fmain%2Fresources%2Fglobal-bundle.pem"
+ "&sshUser=SSHUSER"
+ "&sshHost=SSHHOST"
+ "&sshPrivateKeyFile=%7E%2F.ssh%2Ftest-file-name.pem"
Expand Down Expand Up @@ -241,7 +241,7 @@ public void testSetPropertiesFromConnectionString() throws SQLException {
"&" + DocumentDbConnectionProperty.REPLICA_SET.getName() + "=" + "rs0" +
"&" + DocumentDbConnectionProperty.TLS_ENABLED.getName() + "=" + "true" +
"&" + DocumentDbConnectionProperty.TLS_ALLOW_INVALID_HOSTNAMES.getName() + "=" + "true" +
"&" + DocumentDbConnectionProperty.TLS_CA_FILE.getName() + "=" + "~/rds-ca-2019-root.pem" +
"&" + DocumentDbConnectionProperty.TLS_CA_FILE.getName() + "=" + "~/global-bundle.pem" +
"&" + DocumentDbConnectionProperty.LOGIN_TIMEOUT_SEC.getName() + "=" + "4" +
"&" + DocumentDbConnectionProperty.RETRY_READS_ENABLED.getName() + "=" + "true" +
"&" + DocumentDbConnectionProperty.METADATA_SCAN_METHOD.getName() + "=" + "random" +
Expand Down Expand Up @@ -419,11 +419,11 @@ void testAppendEmbeddedAndOptionalCaCertificates() throws SQLException, IOExcept
.getPropertiesFromConnectionString(info, connectionString, DOCUMENT_DB_SCHEME);
final List<Certificate> caCertificates = new ArrayList<>();
properties.appendEmbeddedAndOptionalCaCertificates(caCertificates);
Assertions.assertEquals(2, caCertificates.size());
Assertions.assertEquals(122, caCertificates.size());
caCertificates.clear();
properties.setTlsCAFilePath("src/main/resources/rds-ca-2019-root.pem");
properties.setTlsCAFilePath("src/main/resources/global-bundle.pem");
properties.appendEmbeddedAndOptionalCaCertificates(caCertificates);
Assertions.assertEquals(3, caCertificates.size());
Assertions.assertEquals(243, caCertificates.size());
caCertificates.clear();
properties.setTlsCAFilePath("invalid-path.pem");
Assertions.assertThrows(SQLException.class,
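Review bot: the hard-coded 122 and 243 tie this test to the exact certificate count of the committed bundle and will break on every bundle refresh; they also reveal that the trust list is not de-duplicated, since 243 - 122 = 121 means pointing `tlsCAFile` at the same global-bundle.pem appends every certificate a second time. Consider asserting relative to the number of certificates parsed from the resource (or that the list contains an expected subject), and de-duplicating by fingerprint in appendEmbeddedAndOptionalCaCertificates so a user-supplied bundle that overlaps the embedded one does not double the trust list.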
Expand All @@ -447,7 +447,7 @@ void testBuildSshConnectionProperties() throws SQLException {
properties.setTlsAllowInvalidHostnames("true");
properties.setTlsEnabled("true");
properties.setRetryReadsEnabled("true");
properties.setTlsCAFilePath("src/main/resources/rds-ca-2019-root.pem");
properties.setTlsCAFilePath("src/main/resources/global-bundle.pem");
properties.setSshUser("SSHUSER");
properties.setSshHostname("SSHHOST");
properties.setSshPrivateKeyFile("~/.ssh/test-file-name.pem");