IBM Content Search Services cannot connect to the IBM FileNet P8 Content Engine server because the SSL certificate is missing

When the IBM Content Search Services server tries to connect to Content Engine server via an HTTPS connection, and no valid certificate is found, no connection is established between the servers.

Symptoms

When connecting to the IBM FileNet P8 Content Engine server via an HTTPS connection, the server on which IBM Content Search Services runs requires a valid SSL certificate. If no valid certificate is found, no connection is established.

Causes

The JRE truststore of the IBM Content Search Services server does not contain the certificate of the Content Engine server.

Resolving the problem

For SSL server authentication, you must deploy certificates on each IBM Content Search Services server that connects to the Content Engine server. Import the certificate of the FileNet P8 Content Engine server into the JRE truststore that is bundled with IBM Content Search Services.

To deploy the certificate:

Stop the IBM Content Search Services server, if it is running.
Access the FileNet P8 Content Engine server. In your web browser, enter the appropriate URL address, such as, https://hostname:9443/wsi/FNCEWS40MTOM.
A website with an error message regarding this website's security certificate is displayed. The message varies depending on the web browser that you use.

Export the certificate.

The following instructions are for Microsoft Internet Explorer 9 and Mozilla Firefox 23. The procedure might be different for your web browser.

Table 1. Instructions for exporting a certificate
Browser	Procedure
Microsoft Internet Explorer 9	After you saw this message `There is a problem with this website's security certificate.`, follow these steps: Click Continue to this website (not recommended). Click the Security report icon next to the address bar. In the Untrusted certificate message box, click View Certificates. On the Details tab, click Copy to File... to save the certificate to file. As certificate format, select DER encoded binary X.509 (.CER). Specify a fully qualified file name, for example, c:\MyCertificates\mysite.cer and store the certificate file.
Mozilla Firefox 23	After you saw this message `This Connection is Untrusted`, follow these steps: From the options that are available on this website, select I Understand the Risks and click Add an Exception. In the Add Security Exception window, click View. On the Details tab of the Certificate Viewer window, click Export. Select a folder and specify a file name. Select X.509 Certificate (DER) (*.der) as type and click Save.

Copy the exported certificate to the IBM Content Search Services machine.
Log on to the IBM Content Search Services machine, then copy the JRE truststore file to a temporary directory:
```
> cd \tmp\workdir  
> copy CSS_Server_HOME\Java60\jre\lib\security\cacerts \tmp\workdir\
```
Import the certificate to the JRE truststore file:
```
  > cd \tmp\workdir
  > CSS_Server_HOME\Java60\jre\bin\keytool.exe -import  
-alias keyStoreAlias -file mycertificatefile  -keystore .\cacerts -storepass 
passwd 
```
-alias keyStoreAlias

Specify the option if you import the certificates for more than one FileNet P8 Content Engine server to distinguish between the keystore entries for the different servers.

-storepasspasswd

Is the JRE default truststore password.
Back up the JRE truststore file (cacerts file) in the IBM Content Search Services installation directory and then replace it with the JRE truststore file (cacerts file) that you created in the temporary directory.

Verify that the FileNet P8 Content Engine server certificate is in the cacerts file:

> cd CSS_Server_HOME\Java60\jre\lib\security
       > CSS_Server_HOME\Java60\jre\bin\keytool.exe 
-list -v -keystore .\cacerts -storepass passwd

Restart the IBM Content Search Services server.
Repeat these steps for all IBM Content Search Services servers that connect to the FileNet P8 Content Engine server.