SSL breaks on Nov 24 (TM1 SSL Certificates Expire on 24 November)

David Usherwood
Site Admin
Posts: 1453
Joined: Wed May 28, 2008 9:09 am

SSL breaks on Nov 24 (TM1 SSL Certificates Expire on 24 November)

Post by David Usherwood »

Quite surprised to be the first poster to get this out....
http://www.infocat.co.uk/blog/2016/8/31 ... n-required
lotsaram
MVP
Posts: 3651
Joined: Fri Mar 13, 2009 11:14 am
OLAP Product: TableManager1
Version: PA 2.0.x
Excel Version: Office 365
Location: Switzerland

Re: SSL breaks on Nov 24 (TM1 SSL Certificates Expire on 24 November)

Post by lotsaram »

David Usherwood wrote: Quite surprised to be the first poster to get this out....
http://www.infocat.co.uk/blog/2016/8/31 ... n-required
Yes this is real. We have been working on, working with IBM for weeks to months now to try and speed up the process and get out new certificates and an info pack to customers on the steps required to install the new certificates. At least it looks like the process will be simple, but we need to remember that IBM isn't the only large corporate with slow internal process and approvals. The more time we have to get customers across this the better.
Please place all requests for help in a public thread. I will not answer PMs requesting assistance.
moby91
MVP
Posts: 227
Joined: Fri Mar 11, 2011 2:18 pm
OLAP Product: TM1
Version: 9.5.1
Excel Version: 2003 2007

Re: SSL breaks on Nov 24 (TM1 SSL Certificates Expire on 24 November)

Post by moby91 »

David Usherwood wrote: Quite surprised to be the first poster to get this out....
http://www.infocat.co.uk/blog/2016/8/31 ... n-required
Ahem. A year ago he informed us. He warned us. It seems no one paid attention.


http://www.tm1forum.com/viewtopic.php?t=11929#p57111

Part 11 - The SSL Certificate

Of course, what happens when this rapidly approaching date (10 years after the certificate start date, which is why I said "2006" above) ticks over is something I do not want to think about:

David Usherwood
Site Admin
Posts: 1453
Joined: Wed May 28, 2008 9:09 am

Re: SSL breaks on Nov 24

Post by David Usherwood »

I believe Alan is off the grid at the moment on a well-deserved break - so his opportunity to say (mainly to IBM) 'I told you so' will have to wait.
kangkc
Community Contributor
Posts: 206
Joined: Fri Oct 17, 2008 2:40 am
OLAP Product: TM1, PA , TMVGate
Version: 2.x
Excel Version: 36x
Location: Singapore

Re: SSL breaks on Nov 24

Post by kangkc »

UseSSL=F

Worse scenario ?
BrianL
MVP
Posts: 264
Joined: Mon Nov 03, 2014 8:23 pm
OLAP Product: TM1
Version: 9.5.2 10.1 10.2 PA2
Excel Version: 2016

Re: SSL breaks on Nov 24

Post by BrianL »

IBM has been shipping updated SSL certificates for a while. They're just not the default. The 'v2' certificates expire in 2022 and contain a 2048 bit key instead of the default 1024 bits.

Using these certificates is a much better option than disabling SSL, and is one you can already start testing/deploying today if you don't want to wait for official patches.

http://www-01.ibm.com/support/docview.w ... wg21697266
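
The two properties BrianL contrasts, expiry date and RSA key size, can be read straight out of a certificate file. This is an added example, not code from the thread or from IBM: a standard-library DER walker that assumes the certificate has been exported as PEM; the function names, the file argument and the 90-day warning window are hypothetical choices, and 2048 is the v2 key size quoted above.

```python
import ssl
import sys
from datetime import datetime, timezone

def tlv(buf, pos=0):  # read one DER element -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def items(buf):  # split a SEQUENCE body into (tag, value) pairs
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        out.append((tag, val))
    return out

def der_time(tag, val):
    """UTCTime (0x17, RFC 5280 pivot at 50) or GeneralizedTime (0x18)."""
    s = val.decode("ascii")
    if tag == 0x17:
        s = ("19" if s[:2] >= "50" else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_facts(der):
    """Return (not_after, rsa_bits); rsa_bits is None for a non-RSA key."""
    tbs = items(items(tlv(der)[1])[0][1])
    tbs = tbs[1:] if tbs[0][0] == 0xA0 else tbs  # skip optional [0] version
    not_after = der_time(*items(tbs[3][1])[1])
    tag, body, _ = tlv(items(tbs[5][1])[1][1][1:])  # BIT STRING minus pad byte
    bits = int.from_bytes(items(body)[0][1], "big").bit_length() if tag == 0x30 else None
    return not_after, bits

def audit(der, now, warn_days=90, min_bits=2048):
    """Report the two problems discussed in this thread."""
    not_after, bits = cert_facts(der)
    days, findings = (not_after - now).days, []
    if days < 0:
        findings.append(f"expired {not_after:%Y-%m-%d}")
    elif days < warn_days:
        findings.append(f"expires in {days} days")
    if bits is not None and bits < min_bits:
        findings.append(f"RSA key is {bits} bits, below {min_bits}")
    return findings

if __name__ == "__main__" and len(sys.argv) > 1:  # usage: certcheck.py cert.pem
    der = ssl.PEM_cert_to_DER_cert(open(sys.argv[1]).read())
    print(audit(der, datetime.now(timezone.utc)) or "ok")
```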
stephen waters
MVP
Posts: 324
Joined: Mon Jun 30, 2008 12:59 pm
OLAP Product: TM1
Version: 10_2_2
Excel Version: Excel 2010

Re: SSL breaks on Nov 24

Post by stephen waters »

Ahem. A year ago he informed us. He warned us. It seems no one paid attention.
Mmmm... A valid warning from Alan but it was buried in a very long technical doc!

We have emailed all our customers warning them very explicitly that, if they do nothing, their TM1 install will stop working. And we used that bold colour to help them notice!
declanr
MVP
Posts: 1815
Joined: Mon Dec 05, 2011 11:51 am
OLAP Product: Cognos TM1
Version: PA2.0 and most of the old ones
Excel Version: All of em
Location: Manchester, United Kingdom

Re: SSL breaks on Nov 24

Post by declanr »

stephen waters wrote: We have emailed all our customers warning them very explicitly that, if they do nothing, their TM1 install will stop working. And we used that bold colour to help them notice!
Come on Stephen - no one reads emails anymore; I am waiting for the 24th/25th November being TM1forum's highest post count day in history!
Declan Rodger
lotsaram
MVP
Posts: 3651
Joined: Fri Mar 13, 2009 11:14 am
OLAP Product: TableManager1
Version: PA 2.0.x
Excel Version: Office 365
Location: Switzerland

Re: SSL breaks on Nov 24

Post by lotsaram »

kangkc wrote: UseSSL=F

Worse scenario ?
Actually not so much.
As the keys for the IBM default certs are publicly available anyone who really wanted to could decrypt communication sent with them. Using the IBM default certs is really no better than not using SSL.
Please place all requests for help in a public thread. I will not answer PMs requesting assistance.
tomok
MVP
Posts: 2831
Joined: Tue Feb 16, 2010 2:39 pm
OLAP Product: TM1, Palo
Version: Beginning of time thru 10.2
Excel Version: 2003-2007-2010-2013
Location: Atlanta, GA

Re: SSL breaks on Nov 24

Post by tomok »

lotsaram wrote:
kangkc wrote: UseSSL=F

Worse scenario ?
Actually not so much.
As the keys for the IBM default certs are publicly available anyone who really wanted to could decrypt communication sent with them. Using the IBM default certs is really no better than not using SSL.
If you are running your TM1 behind a firewall then why the need to encrypt traffic? Even if you aren't, how's anyone going to make sense out of a TM1 driven packet anyway? It would just be a packet of numbers/data, with no context.
Tom O'Kelley - Manager Finance Systems
American Tower
http://www.onlinecourtreservations.com/
George Regateiro
MVP
Posts: 326
Joined: Fri May 16, 2008 3:35 pm
OLAP Product: TM1
Version: 10.1.1
Excel Version: 2007 SP3
Location: Tampa FL USA

Re: SSL breaks on Nov 24

Post by George Regateiro »

declanr wrote: Come on Stephen - no one reads emails anymore; I am waiting for the 24th/25th November being TM1forum's highest post count day in history!
Funny since this similar thing happened to Applix a ways back, except it caught them by surprise. That incident is how I found the old Applix forum to begin with.
stephen waters
MVP
Posts: 324
Joined: Mon Jun 30, 2008 12:59 pm
OLAP Product: TM1
Version: 10_2_2
Excel Version: Excel 2010

Re: SSL breaks on Nov 24

Post by stephen waters »

Come on Stephen - no one reads emails anymore; I am waiting for the 24th/25th November being TM1forum's highest post count day in history!
Declan,
We will be sending repeat emails with bigger and louder fonts UNTIL THEY NOTICE
lotsaram
MVP
Posts: 3651
Joined: Fri Mar 13, 2009 11:14 am
OLAP Product: TableManager1
Version: PA 2.0.x
Excel Version: Office 365
Location: Switzerland

Re: SSL breaks on Nov 24

Post by lotsaram »

tomok wrote: If you are running your TM1 behind a firewall then why the need to encrypt traffic? Even if you aren't, how's anyone going to make sense out of a TM1 driven packet anyway? It would just be a packet of numbers/data, with no context.
I don't just tend to agree, I absolutely agree.
My issue is with knucklehead IT types who insist on using SSL as "our corporate IT policy insists all server client communication must use SSL" but who then don't change the certs. As this is really just window dressing and doesn't actually add any security.
Please place all requests for help in a public thread. I will not answer PMs requesting assistance.
kangkc
Community Contributor
Posts: 206
Joined: Fri Oct 17, 2008 2:40 am
OLAP Product: TM1, PA , TMVGate
Version: 2.x
Excel Version: 36x
Location: Singapore

Re: SSL breaks on Nov 24

Post by kangkc »

On second thought, UseSSL=F may not work, as the Admin server may not be able to function due to the expired cert.
David Usherwood
Site Admin
Posts: 1453
Joined: Wed May 28, 2008 9:09 am

Re: SSL breaks on Nov 24

Post by David Usherwood »

Looks like you can set the Admin server to work with non SSL connections:
https://www.ibm.com/support/knowledgece ... SL_N12010F
kangkc
Community Contributor
Posts: 206
Joined: Fri Oct 17, 2008 2:40 am
OLAP Product: TM1, PA , TMVGate
Version: 2.x
Excel Version: 36x
Location: Singapore

Re: SSL breaks on Nov 24

Post by kangkc »

You can only set to use ONLY SSL client (False) or both Non-SSL and SSL (True).
Doesn't seem to have a way to disable SSL totally.

At the moment installing V2 certs seems to be the only way before new 1024 certs are made available via fix.
u970700
Posts: 13
Joined: Wed Nov 24, 2010 3:27 am
OLAP Product: TM1
Version: PAL 2.0.9.2
Excel Version: Excel 2016
Location: Darwin, Australia

Re: SSL breaks on Nov 24

Post by u970700 »

Hi all,

We are currently still on version 9.5.2 FP3, and not planning to move to 10.x until 2017. I have a few burning questions hopefully someone can answer...

I imagine that there'd be a few of us who haven't jumped on the version 10.x bandwagon yet, and since 9.5.2 is not supported by IBM anymore, has anyone actually installed the new v2 certs in a 9.5.2 environment (assuming the new certs are still compatible)?

Our current tm1admsrv.ini:


[TM1]
SupportNonSSLClients=True
Our current tm1s.cfg:


UseSSL=F
Based on the above, is it just a matter of importing the v2 cert in MMC, without the need to update the configuration file of tm1admsrv.ini and tm1s.cfg? Are there any gotchas to watch out for?

I just want to get some thoughts and feedback before diving in with testing the above.

Cheers.

Ray
TM1 9.5.2 FP3, Windows 2008 R2 64bit, Excel 2003 SP3
Steve Vincent
Site Admin
Posts: 1054
Joined: Mon May 12, 2008 8:33 am
OLAP Product: TM1
Version: 10.2.2 FP1
Excel Version: 2010
Location: UK

Re: SSL breaks on Nov 24

Post by Steve Vincent »

kangkc wrote: You can only set to use ONLY SSL client (False) or both Non-SSL and SSL (True).
Doesn't seem to have a way to disable SSL totally.

At the moment installing V2 certs seems to be the only way before new 1024 certs are made available via fix.
As luck would have it I've only just installed a new TM1 server to replace an existing one, so I had an area to test this without getting in the way of normal operations.

My testing backs up your statement: even if I told the server to not use SSL, it refused to show it to a client until they, the admin server and the tm1 server itself had all been changed to the 2048 certificates. Server updates are easy enough, but here any automated changes to the client are a nightmare to arrange. We'll be left with having to communicate what the clients need to do and hoping they can follow those instructions. Assuming they read them at all...
If this were a dictatorship, it would be a heck of a lot easier, just so long as I'm the dictator.
Production: Planning Analytics 64 bit 2.0.5, Windows 2016 Server. Excel 2016, IE11 for t'internet
BrianL
MVP
Posts: 264
Joined: Mon Nov 03, 2014 8:23 pm
OLAP Product: TM1
Version: 9.5.2 10.1 10.2 PA2
Excel Version: 2016

Re: SSL breaks on Nov 24

Post by BrianL »

kangkc wrote: At the moment installing V2 certs seems to be the only way before new 1024 certs are made available via fix.
Not entirely true. You could always take the more secure path and use your own certificates. Not that IBM makes this easy either, but when done right is more secure than using the same shared keys as thousands of other customers.
paulsimon
MVP
Posts: 808
Joined: Sat Sep 03, 2011 11:10 pm
OLAP Product: TM1
Version: PA 2.0.5
Excel Version: 2016

Re: SSL breaks on Nov 24

Post by paulsimon »

Hi

I have clients using 9.5 and 10.1.

Unless anyone has a work around for 9.5 that is a problem that I will need to try out myself. Fortunately I think that there is a test server that I can use.

On 10.1 the original installation notes only refer to dh512.pem and dh1024.pem. The dh2048.pem that is present in 10.2.2 is not there for 10.1.1. Presumably this means that 10.1.1 did not support the 2048 bit encryption required for the new certificate and that a fix pack is needed.

I searched the IBM support site but I haven't been able to find a fix pack for 10.1.1 where the release notes say that it can use the v2 certificates. Has anyone else managed to find the fix pack? IBM have tried to improve the Support Site recently but it clearly needs more work, and I think for something like this they should be going out to customers more proactively.

Regards

Paul Simon