This document describes the procedures required to upgrade the existing EEM certificate with a key length 2048.

=======================
=  Single EEM Environment  =
=======================

Login to the EEM server and set the following variables...

UNIX
export EIAM_HOME=/opt/CA/SharedComponents/EmbeddedEntitlementsManager
export JAVA_HOME=$EIAM_HOME/jre
export PATH=$EIAM_HOME/jre/bin:$PATH

Windows
set EIAM_HOME=<installation_path_of_CA EEM Server>

REM  Use Windows 8.3 name for the installation path value above, example:  c:\progra~1\CA\SC\EmbeddedEntitlementsManager  is the default value,  if you use "program files"  instead of progra~1  the next commands may not work properly

set JAVA_HOME=%EIAM_HOME%\jre
set PATH=%EIAM_HOME%\jre\bin;%PATH%

cd to $EIAM_HOME/bin and type
java -jar eiam-clustersetup.jar
Type 'Y' and press Enter
Type 'modifycerts' and press Enter
Select the 2048 keylength
Select the SHA256 Digest Algorithm
Type 'Y' and press Enter
When it returns to the prompt, type 'exit' and press Enter

========================
=  EEM Failover Environment  =
========================

Open a session on each node and set the following variables...

UNIX
export EIAM_HOME=/opt/CA/SharedComponents/EmbeddedEntitlementsManager
export JAVA_HOME=$EIAM_HOME/jre
export PATH=$EIAM_HOME/jre/bin:$PATH

Windows

set EIAM_HOME=<installation_path_of_CA EEM Server>

REM  Use Windows 8.3 name for the installation path value above, example:  c:\progra~1\CA\SC\EmbeddedEntitlementsManager  is the default value,  if you use "program files"  instead of progra~1  the next commands may not work properly

set JAVA_HOME=%EIAM_HOME%\jre
set PATH=%EIAM_HOME%\jre\bin;%PATH%

Break up the EEM HA cluster
===========================

On the primary EEM node...

1. cd $EIAM_HOME/bin  and type
2. java -jar eiam-clustersetup.jar
3. Type 'Y' and press Enter
4. Type 'remove' and press Enter
5. Type the number corresponding to the secondary EEM Server that you want to remove and press Enter
6. Type 'Y' and press Enter

Repeat steps 4 thru 6 for each of the other secondary EEM servers.

Type 'list' and press Enter. Confirm that only the primary is listed.
Type 'resetprimary' and press Enter
Take the default DSA port (509)
Select [1] Internal failover mechanism for the HA mode
Type 'Y' and press Enter
Type 'exit' and press Enter

On each secondary EEM node...

cd to $EIAM_HOME/bin
java -jar eiam-clustersetup.jar
Type 'Y' and press Enter
Type 'resetprimary' and press Enter
Take the default DSA port (509)
Select [1] Internal failover mechanism for the HA mode
Type 'Y' and press Enter
Type 'exit' and press Enter

Generate the 2048 Certificate
=============================

On all nodes...

cd $EIAM_HOME/bin
 java -jar eiam-clustersetup.jar
Type 'Y' and press Enter
Type 'modifycerts' and press Enter
Select the 2048 keylength
Select the SHA256 Digest Algorithm
Type 'Y' and press Enter
When it returns to the prompt, type 'exit' and press Enter

Reconfigure nodes into HA cluster
=================================

On the primary node...

1. cd $EIAM_HOME/bin
2. java -jar eiam-clustersetup.jar
3. Type 'Y' and press Enter
4. Type 'add' and press Enter
5. Type the fully qualified hostname of the secondary EEM server
6. Take the default DSA port (509)
7. Type 'Y' and press Enter

Repeat steps 4 thru 7 for each of the remaining secondary EEM servers

Type 'exit'

On each secondary node...

cd $EIAM_HOME/bin
java -jar eiam-clustersetup.jar -p <fully qualified hostname of the primary EEM server>
Type the EiamAdmin password and press Enter
Type 'Y' and press Enter
Type 'sync' and press Enter
Enter the number corresponding to the secondary EEM server that you are on
Select "[2] [DELTA] secondary node is being synced to update configurations:"
Type 'Y' and press Enter.
Type 'exit'

After the EEM servers are configured with 2048 bit certs, if needed follow below two articles to rebind Autosys / WCC back with EEM:

https://knowledge.broadcom.com/external/article/9957/how-to-regenerate-eem-certificates-for-c.html