Is it possible to 'reload' the UCMDB Server Truststore without restarting UCMDB?

We have SSO configured between UCMDB and SMAX. Without wanting to get too bogged down in the detail, users access SMAX through a proxy with a CA cert, whereas UCMDB connects to SMAX internally and SMAX presents a self-signed cert, which was added to the UCMDB server.truststore.

The self-signed SMAX certificate recently expired and was replaced; however, we are having issues accessing the Java Client because UCMDB doesn't appear to trust the certificate, despite it having been added to the truststore.

Does anyone know, is it possible to get UCMDB to re-process the truststore without a UCMDB restart? We'll restart if we have to but would rather not if it can be avoided.
 

  • Verified Answer

    The keystore and truststore are loaded into memory when the JVM starts so you can't avoid a UCMDB service restart.

    This is the Java design AFAIK. If I am wrong then it's easy to test. Just add a new certificate in the truststore and, without restarting, use a flow which needs that certificate. Theoretically the validation will check the truststore on the disk although I know that it will check it from the memory.
    Never tried this path. I always restarted the UCMDB service.

  • Thanks for your response. I think that's kind of what I was getting at. It's already apparent that it doesn't read the truststore 'on the fly' as the new cert has already been added and it's not working.

    I was more after a suggestion of whether there was a command or similar that could effectively reload the contents into memory without a full UCMDB restart, which is obviously service affecting.

    If a restart is the only way to go, it's by no means a show stopper and is something that's not going to occur too often, but it does mean it has to wait until a quiet time before it can be done. I'll write it into our plan for future but had been hoping for something more immediate in this instance.



  • Ack.

    My best suggestion is to check your logs to see if you have a fuse to increase or other reasons to restart the UCMDB service. Once you have enough reasons and an approved downtime then you can go for the restart.

    I presume you added the certificate and you can see it using Keytool or something similar.
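
The behaviour described in the verified answer can be reproduced with plain JSSE classes. The following is an added example, not UCMDB code and not from any poster in this thread: a trust manager built from a truststore file keeps the contents it read, and a later change to the file is only visible to a newly built trust manager. The class name, the temporary file and the `changeit` password are constructed for the demo, and the two sample certificates are borrowed from the JDK's own default CA store (assumed to hold at least two entries).

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TruststoreSnapshotDemo {
    static final char[] PASS = "changeit".toCharArray(); // constructed demo password

    // Build a trust manager from the truststore file as it exists on disk right now.
    static X509TrustManager load(Path file) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(file)) { ks.load(in, PASS); }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks); // the certificates are copied into memory here
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Overwrite the truststore file so that it holds exactly the given certificates.
    static void write(Path file, X509Certificate... certs) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // start from an empty in-memory store
        for (int i = 0; i < certs.length; i++) ks.setCertificateEntry("entry" + i, certs[i]);
        try (OutputStream out = Files.newOutputStream(file)) { ks.store(out, PASS); }
    }

    public static void main(String[] args) throws Exception {
        // Sample data: two CA certificates taken from the JDK default trust store.
        TrustManagerFactory def =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        def.init((KeyStore) null);
        X509Certificate[] sample =
            ((X509TrustManager) def.getTrustManagers()[0]).getAcceptedIssuers();

        Path file = Files.createTempFile("demo", ".truststore");
        write(file, sample[0]);                    // truststore as it was at "startup"
        X509TrustManager atStartup = load(file);
        write(file, sample[0], sample[1]);         // certificate added on disk afterwards

        System.out.println("entries seen by the startup trust manager: "
            + atStartup.getAcceptedIssuers().length);
        System.out.println("entries seen after building a new one:     "
            + load(file).getAcceptedIssuers().length);
        Files.delete(file);
    }
}
```

Whether a running product rebuilds its trust manager on demand is up to that product; nothing in this thread indicates UCMDB exposes such a hook, which is why the answers point to a service restart.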