I took a PoC box done with a "typical" configuration and looked at the keystores. It looks like the cacerts keystore contains the tree certs as well as the OSP and tomcat.ks keys, if I remember correctly. But I didn't see the osp or tomcat.ks keystores as containing anything from the cacerts keystore.

I'm looking at having two IDM engines, 2 Identity App servers and 1 reporting server and one sentinel server.

The reporting server will have its own URL apart from the identity application URL. They will all be fed through a VIP or load balancer.

I'm assuming that reporting can't be clustered and that it can't reside on the identity application server.

What I'm looking for:
What trusted keys need to be where?
I'm assuming I'll have a tomcat.ks on the reporting box. We would point OSP on the reporting box to the two identity boxes.
I'm assuming that that trusted cert needs to be imported into the cacerts on both boxes.
I'm assuming that the osp.jks and cacerts can be copied from the first Identity application box to the second Identity application box and clustering configured.

Looking for best practices and recommendations. I've been in circles in the past with the keystores and am hoping to have a good path to go down.