
To restore the trust relationship between the configuration source and the configuration receiver so that configuration replication works again, exchange the web console (Tomcat) certificates in both directions and then re-register the receiver(s) with the source.

Before starting the procedure, take a snapshot of the two IWSVAs if they are installed on virtual machines, or create a backup of the configuration (Config Backup/Restore) if they are installed on bare metal.

First, export the configuration source's certificate and import it into the trust store on each configuration receiver:
  1. On the configuration source, log on either directly or with SSH as root.
  2. Change the directory to /usr/iwss/AdminUI/jre/bin/ using the following command:

    cd /usr/iwss/AdminUI/jre/bin

  3. Enter the following command to display the hostname:

    hostname

  4. Enter the following command, replacing <hostname> with the output of the command from the previous step:

    ./keytool -export -alias tomcat-server -file <hostname>.crt -keystore /etc/iscan/AdminUI/tomcat/keystore

    • The default keystore password is "adminIWSS85". If that does not work, check the keystorePass attribute of the port 8443 connector in /var/iwss/tomcat/conf/server.xml.
    • If you get the error message "keytool error: java.lang.Exception: Alias does not exist", the private key is stored under a different alias. List the entries in the keystore with the following command and use the alias shown for the PrivateKeyEntry:

      /usr/iwss/AdminUI/jre/bin/keytool -v -list -keystore /etc/iscan/AdminUI/tomcat/keystore

    • If the keystore is in PKCS #12 format (.p12 or .pfx) rather than the default JKS format, add "-storetype pkcs12" to the keytool commands above.
  5. Copy the file <hostname>.crt from the directory /usr/iwss/AdminUI/jre/bin on the configuration source to your desktop using an SCP client such as WinSCP or an FTP client such as FileZilla in SFTP mode.
  6. Copy the file from your desktop to the directory /usr/iwss/AdminUI/jre/bin on each configuration receiver.
  7. On each configuration receiver, log on either directly or with SSH as root.
  8. Change the directory to /usr/iwss/AdminUI/jre/bin/ using the following command:

    cd /usr/iwss/AdminUI/jre/bin

  9. Change the ownership of the file <hostname>.crt with the following command (replacing <hostname>.crt with the actual filename):

    chown iscan:iscan <hostname>.crt
  10. Import the certificate into the keystore containing the trusted CA certificates on the configuration receiver with the following command (replacing <hostname>.crt with the actual filename):

    ./keytool -importcert -noprompt -keystore /usr/iwss/AdminUI/jre/lib/security/cacerts -storepass changeit -alias tomcat -file <hostname>.crt

    • The default storepass password is "changeit".
    • If the alias already exists, keytool stops with the error "keytool error: java.lang.Exception: Certificate not imported, alias already exists". In this case, use a different alias, for instance "tomcat1".
  11. Restart the web console with the following command:

    /etc/iscan/S99IScanHttpd restart

Next, repeat the exchange in the opposite direction, so that the configuration source also trusts each configuration receiver's certificate:
  1. On each configuration receiver, log on either directly or with SSH as root.
  2. Change the directory to /usr/iwss/AdminUI/jre/bin/ using the following command:

    cd /usr/iwss/AdminUI/jre/bin

  3. Enter the following command to display the hostname:

    hostname

  4. Enter the following command, replacing <hostname2> with the output of the command from the previous step:

    ./keytool -export -alias tomcat-server -file <hostname2>.crt -keystore /etc/iscan/AdminUI/tomcat/keystore

    • The default keystore password is "adminIWSS85". If that does not work, check the keystorePass attribute of the port 8443 connector in /var/iwss/tomcat/conf/server.xml.
    • If you get the error message "keytool error: java.lang.Exception: Alias does not exist", the private key is stored under a different alias. List the entries in the keystore with the following command and use the alias shown for the PrivateKeyEntry:

      /usr/iwss/AdminUI/jre/bin/keytool -v -list -keystore /etc/iscan/AdminUI/tomcat/keystore

    • If the keystore is in PKCS #12 format (.p12 or .pfx) rather than the default JKS format, add "-storetype pkcs12" to the keytool commands above.
  5. Copy the file <hostname2>.crt from the directory /usr/iwss/AdminUI/jre/bin on each configuration receiver to your desktop using an SCP client such as WinSCP or an FTP client such as FileZilla in SFTP mode. Each receiver produces a file named after its own hostname, so keep all of them.
  6. Copy the file(s) from your desktop to the directory /usr/iwss/AdminUI/jre/bin on the configuration source.
  7. On the configuration source, log on either directly or with SSH as root.
  8. Change the directory to /usr/iwss/AdminUI/jre/bin/ with the following command:

    cd /usr/iwss/AdminUI/jre/bin

  9. Change the ownership of the file <hostname2>.crt with the following command (replacing <hostname2>.crt with the actual filename):

    chown iscan:iscan <hostname2>.crt

  10. Import the certificate into the keystore containing the trusted CA certificates on the configuration source with the following command (replacing <hostname2>.crt with the actual filename):

    ./keytool -importcert -noprompt -keystore /usr/iwss/AdminUI/jre/lib/security/cacerts -storepass changeit -alias tomcat -file <hostname2>.crt

    • The default storepass password is "changeit".
    • If the alias already exists, keytool stops with the error "keytool error: java.lang.Exception: Certificate not imported, alias already exists". This happens in particular when more than one receiver's certificate is imported into the same cacerts file. In that case, use a different alias for each additional certificate, for instance "tomcat1", "tomcat2", and so on.
  11. Restart the web console with the following command:

    /etc/iscan/S99IScanHttpd restart

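As an added example (not from the Trend Micro article), the following bash script wraps the two exchanges above into one tool so that the same steps can be repeated on every appliance without retyping the keytool commands. Run it with export on the appliance whose web console certificate is to be trusted, copy the resulting <hostname>.crt across, and run it with import <hostname>.crt on the appliance that must trust it, once in each direction. It uses the paths, alias and default passwords named in the article (override them through the environment if your appliance differs), looks up the private key alias instead of assuming tomcat-server, picks a free alias in cacerts so that several receivers can be imported without the alias-already-exists error, and compares the fingerprint of the imported entry with the file before restarting the web console. The only assumption beyond the article is that keytool prints the standard PrivateKeyEntry/trustedCertEntry entry types and SHA1/SHA256 fingerprint lines, which every Oracle/OpenJDK keytool does. Run it as root on the appliance.

```shell
#!/bin/bash
# Added example, not part of the Trend Micro KB article: wrapper around the
# keytool steps above. "export" writes <hostname>.crt in the current directory;
# "import <file>" imports it into cacerts under a free alias, verifies the
# fingerprint and restarts the web console. Paths and passwords are the
# defaults named in the article and can be overridden via the environment.
set -u

KEYTOOL=${KEYTOOL:-/usr/iwss/AdminUI/jre/bin/keytool}
SERVER_KEYSTORE=${SERVER_KEYSTORE:-/etc/iscan/AdminUI/tomcat/keystore}
SERVER_STOREPASS=${SERVER_STOREPASS:-adminIWSS85}   # otherwise: keystorePass in /var/iwss/tomcat/conf/server.xml
CACERTS=${CACERTS:-/usr/iwss/AdminUI/jre/lib/security/cacerts}
CACERTS_STOREPASS=${CACERTS_STOREPASS:-changeit}
CONSOLE_INIT=${CONSOLE_INIT:-/etc/iscan/S99IScanHttpd}

# storetype_for FILE: keytool needs -storetype pkcs12 for .p12/.pfx keystores, JKS otherwise.
storetype_for() {
  case "$1" in
    *.p12|*.pfx) echo pkcs12 ;;
    *)           echo jks ;;
  esac
}

# pick_alias "EXISTING" BASE: first of BASE, BASE1, BASE2, ... not present in the
# whitespace-separated list EXISTING. Avoids "Certificate not imported, alias
# already exists" when several receivers' certificates land in the same cacerts.
pick_alias() {
  local existing=$1 base=$2 n=0 candidate=$2
  while printf '%s\n' $existing | grep -Fqx -- "$candidate"; do
    n=$((n + 1))
    candidate="$base$n"
  done
  echo "$candidate"
}

# list_aliases KEYSTORE STOREPASS [STORETYPE]: alias names in KEYSTORE, one per line.
list_aliases() {
  "$KEYTOOL" -list -keystore "$1" -storepass "$2" ${3:+-storetype "$3"} \
    | awk -F', ' '/PrivateKeyEntry|trustedCertEntry/ { print $1 }'
}

# export_own_cert: export this appliance's web console certificate to <hostname>.crt
# and print the file name. The alias is looked up instead of assumed to be tomcat-server.
export_own_cert() {
  local host storetype alias
  host=$(hostname)
  storetype=$(storetype_for "$SERVER_KEYSTORE")
  alias=$("$KEYTOOL" -list -keystore "$SERVER_KEYSTORE" -storepass "$SERVER_STOREPASS" \
            -storetype "$storetype" | awk -F', ' '/PrivateKeyEntry/ { print $1; exit }')
  if [ -z "$alias" ]; then
    echo "no PrivateKeyEntry found in $SERVER_KEYSTORE" >&2
    return 1
  fi
  "$KEYTOOL" -export -alias "$alias" -file "$host.crt" -keystore "$SERVER_KEYSTORE" \
    -storepass "$SERVER_STOREPASS" -storetype "$storetype" >/dev/null || return 1
  echo "$host.crt"
}

# import_peer_cert FILE: import FILE into cacerts under a free alias and print that alias.
import_peer_cert() {
  local f=$1 alias
  chown iscan:iscan "$f"
  alias=$(pick_alias "$(list_aliases "$CACERTS" "$CACERTS_STOREPASS")" tomcat)
  "$KEYTOOL" -importcert -noprompt -keystore "$CACERTS" -storepass "$CACERTS_STOREPASS" \
    -alias "$alias" -file "$f" >/dev/null || return 1
  echo "$alias"
}

# verify_import FILE ALIAS: succeed only if the entry stored under ALIAS has the same
# fingerprint as FILE. Both sides run the same JRE, so whichever of SHA256/SHA1
# keytool prints first is compared.
verify_import() {
  local want have
  want=$("$KEYTOOL" -printcert -file "$1" | awk '/SHA(256|1):/ { print $2; exit }')
  have=$("$KEYTOOL" -list -v -keystore "$CACERTS" -storepass "$CACERTS_STOREPASS" \
           -alias "$2" | awk '/SHA(256|1):/ { print $2; exit }')
  [ -n "$want" ] && [ "$want" = "$have" ]
}

case "${1:-}" in
  export) export_own_cert ;;
  import) [ $# -eq 2 ] || { echo "usage: $0 import <hostname>.crt" >&2; exit 2; }
          alias=$(import_peer_cert "$2") || exit 1
          verify_import "$2" "$alias" || { echo "fingerprint mismatch for alias $alias" >&2; exit 1; }
          echo "imported $2 as alias $alias"
          "$CONSOLE_INIT" restart ;;
  "")     ;;   # no arguments: only define the functions (e.g. when sourced)
  *)      echo "usage: $0 export | import <hostname>.crt" >&2; exit 2 ;;
esac
```

Typical use: on the source, cd /usr/iwss/AdminUI/jre/bin && ./iwsva-trust.sh export; copy the printed file to each receiver and run ./iwsva-trust.sh import <hostname>.crt there; then do the same from each receiver back to the source. Because the alias is chosen per import, the source ends up with tomcat, tomcat1, tomcat2, ... for successive receivers, which is exactly the manual renaming the article describes.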
Finally, re-register the receiver(s) with the configuration source. Steps 1 to 4 apply only if replication was previously set up successfully between the configuration source and the configuration receiver(s); otherwise, skip them and start at step 5.
  1. On the web console of the configuration source go to Administration > IWSVA Configuration > Replication Configuration.
  2. In the list of replication receivers, click on the bin icon in the "Action" column for each receiver.
  3. On the web console of each configuration receiver go to Administration > IWSVA Configuration > Replication Configuration. Take note of the current settings.
  4. Change the server role to "Standalone" and click Save.
  5. On the configuration receiver, change the server role back to "Configuration receiver" and enter the following settings:

    • Management IP: IP address of the configuration source
    • Management Port: 8443, with "Connect using HTTPS" ticked
    • Administrator Account: admin (not configurable)
    • Administrator Password: password for the admin account
  6. Click Save then wait for a few minutes.
  7. On the web console of the configuration source, refresh the page by clicking Replication Configuration in the navigation bar on the left. You will now see the receiver(s) in the list.
  8. Verify that configuration replication is working: select the receiver(s) and click Replicate Now, select the type of replication, click OK, and click OK again when prompted. Wait a few minutes. If "last update time" is not populated immediately, refresh the page again.