It looks like IDM 4.72 introduces a 4th potential keystore to manage.
Currently there are:
Private key of tomcat, eDir Tree pub key, OSP Pub key (Good)
Private key of OSP, eDir tree key, and Tomcat pub key (Good)
Tomcat, OSP, eDir pub keys (good)
But there is also the idm.jks created, and referenced in the ism config file as:
DirectoryService/realms/jndi/params/KEYSTORE_PATH = /opt/netiq/idm/apps/tomcat/conf/idm.jks
Mine had the eDir tree CA and some GeoTrust CA public keys, which was a bit odd. Adding in the Tomcat public key made my UA Integration Activities work (they had been failing before this).
So who makes this, why does it make it, what is it meant for?
I should note that OSP 6.3.1 for IDG 3.5.x now has a configupdate.sh that allows you to segment the keystores into app keystores separate from the private key keystores. But I am not talking about that here. This is purely IDM.