You must export and import certificates to get the SAM Tomcat server and M&R Tomcat server to trust each other.

Prerequisites

First, export a certificate on the SAM server. Then import it into the M&R Tomcat server. Then export a certificate from the M&R server and import it into the SAM Tomcat server.

Procedure

  1. Export a certificate from the SAM Tomcat server. For example,
    /opt/InCharge/SAM/smarts/jre/bin/keytool -storetype JKS -export -keystore /opt/InCharge/SAM/smarts/.keystore -alias tomcat -rfc > SAMtomcat.cert
    1. Copy SAMtomcat.cert to the host where M&R Tomcat server is installed.
    2. On the M&R host, import the SAMtomcat.cert. For example,
      /opt/APG/Java/Sun-JRE/<Java-Version>/bin/keytool -import -file SAMtomcat.cert -alias SAMtomcat -keystore /opt/APG/.keystore
      Note:
      If you see the following warning, type yes and continue :
      Certificate already exists in keystore under alias <tomcat>
      Do you still want to add it? [no]: yes
      Certificate was added to keystore
    3. Back up the original M&R cacerts file.
      cp /opt/APG/Java/Sun-JRE/<Java-Version>/lib/security/cacerts /opt/APG/Java/Sun-JRE/8.0u51/lib/security/cacerts-SAVE    # Backup old cacerts file
    4. Copy .keystore and rename it to cacerts.
      cp /opt/APG/.keystore /opt/APG/Java/Sun-JRE/<Java-Version>/lib/security/cacerts
  2. Restart Tomcat server on the M&R host.
    /opt/APG/bin/manage-modules.sh service restart tomcat
  3. Export a certificate from the M&R host. For example,
    /opt/APG/Java/Sun-JRE/<Java-Version>/bin/keytool -export -keystore /opt/APG/.keystore -alias tomcat -rfc > W4Ntomcat.cert
  4. Copy W4ntomcat.cert to the SAM server host.
  5. On the SAM server host, run this command to import a certificate copied from the M&R server host.
    /opt/InCharge/SAM/smarts/jre/bin/keytool -storetype JKS -import -file W4Ntomcat.cert -alias W4Ntomcat -keystore /opt/InCharge/SAM/smarts/.keystore
    Note:
    If you see the following warning, type yes and continue :
    Certificate already exists in keystore under alias <tomcat>
    Do you still want to add it? [no]: yes
    Certificate was added to keystore
  6. Copy the keystore file.
    cp /opt/InCharge/SAM/smarts/jre/lib/security/cacerts /opt/InCharge/SAM/smarts/jre/lib/security/cacerts-SAVE    # Backup old cacerts file
    cp /opt/InCharge/SAM/smarts/.keystore /opt/InCharge/SAM/smarts/jre/lib/security/cacerts
  7. Confirm the certificates copied properly (review entries).
    For SAM
    /opt/InCharge/SAM/smarts/jre/bin/keytool -storetype JKS -list -keystore /opt/InCharge/SAM/smarts/.keystore
    For M&R
    /opt/APG/Java/Sun-JRE/<Java-Version>/bin/keytool -list -keystore /opt/APG/.keystore
  8. Stop and start the Tomcat service on the SAM server:
    1. /opt/InCharge/SAM/smarts/bin/sm_service stop smarts-tomcat
    2. /opt/InCharge/SAM/smarts/bin/sm_service start smarts-tomcat
  9. Restart the M&R services.
    /opt/APG/bin/manage-modules.sh service restart all
  10. Check the <SAM_BASEDIR>/smarts/local/logs/tomcat/smarts-edaa.log file for certificate exchange errors (SSLHandshake exception).

    If you see any such certificate exchange errors, it is recommended to remove <SAM_BASEDIR>/smarts /.keystore and /opt/APG/.keystore files and regenerate the certificates and perform certificate exchange again.