I raised a concern with our account manager the other day about the lack of communication and the fact this technote was incomplete. It seems that might have worked to a fashion - the note was updated yesterday to include details on pmhub / opsconsole.BrianL wrote:IBM has been shipping updated SSL certificates for a while. They're just not the default. The 'v2' certificates expire in 2022 and contain a 2048 bit key instead of the default 1024 bits.
Using these certificates is a much better option than disabling SSL, and is one you can already start testing/deploying today if you don't want to wait for official patches.
http://www-01.ibm.com/support/docview.w ... wg21697266
SSL breaks on Nov 24 (TM1 SSL Certificates Expire on 24 November)
- Steve Vincent
- Site Admin
- Posts: 1054
- Joined: Mon May 12, 2008 8:33 am
- OLAP Product: TM1
- Version: 10.2.2 FP1
- Excel Version: 2010
- Location: UK
Re: SSL breaks on Nov 24 (TM1 SSL Certificates Expire on 24 November)
If this were a dictatorship, it would be a heck of a lot easier, just so long as I'm the dictator.
Production: Planning Analytics 64 bit 2.0.5, Windows 2016 Server. Excel 2016, IE11 for t'internet
Production: Planning Analytics 64 bit 2.0.5, Windows 2016 Server. Excel 2016, IE11 for t'internet
Re: SSL breaks on Nov 24
I confirmed with IBM yesterday that they are releasing a new 1024 bit certificate, that will allow existing users (including 9.5) to remain untouched in terms of software upgrades. The new certificate is going to be part of an interim fix for 10.2 but may also be issued separately for those who cannot upgrade.
All it *should* mean is to just re-point to the new certificate in your client and server. Or, perhaps just rename the file to the current name and re-distribute the file to everyone.
This is good news. I was afraid that this was going to be used as a way for IBM to generate upgrade revenue on those people who have not kept up.
All it *should* mean is to just re-point to the new certificate in your client and server. Or, perhaps just rename the file to the current name and re-distribute the file to everyone.
This is good news. I was afraid that this was going to be used as a way for IBM to generate upgrade revenue on those people who have not kept up.
- paulsimon
- MVP
- Posts: 808
- Joined: Sat Sep 03, 2011 11:10 pm
- OLAP Product: TM1
- Version: PA 2.0.5
- Excel Version: 2016
- Contact:
Re: SSL breaks on Nov 24
Thanks BlackHawk
We have also approached our own Account Manager. He said he is going to look in to it but it will take him a few days to get back to us. It appears that even the Account Managers are not aware of this issue.
I will point him in the direction of your post and ask him to confirm when the new certificate is going to be made available.
Regards
Paul Simon
We have also approached our own Account Manager. He said he is going to look in to it but it will take him a few days to get back to us. It appears that even the Account Managers are not aware of this issue.
I will point him in the direction of your post and ask him to confirm when the new certificate is going to be made available.
Regards
Paul Simon
-
- Posts: 54
- Joined: Tue May 08, 2012 3:58 pm
- OLAP Product: TM1
- Version: 9.5.2 FP2
- Excel Version: Excel 2007
Re: SSL breaks on Nov 24
We are on 10.2.2. I have read the Technote instructions on how to change over to using the Version 2 certificates, but am not sure what the correct sequence of changes should be. The technote has the items in this order:Steve Vincent wrote:I raised a concern with our account manager the other day about the lack of communication and the fact this technote was incomplete. It seems that might have worked to a fashion - the note was updated yesterday to include details on pmhub / opsconsole.BrianL wrote:IBM has been shipping updated SSL certificates for a while. They're just not the default. The 'v2' certificates expire in 2022 and contain a 2048 bit key instead of the default 1024 bits.
Using these certificates is a much better option than disabling SSL, and is one you can already start testing/deploying today if you don't want to wait for official patches.
http://www-01.ibm.com/support/docview.w ... wg21697266
TM1 Admin Server Configuration change
TM1 Server tm1s.cfg config change
TM1 Architect Options change
TM1 Application Server xml change
But I should stop all TM1 Servers before the TM1 Admin Server Configuration change to Certificate Version 2, correct?
Has anyone successfully switched to using the Version 2 2048 bit certificates yet?
If so, what was the order of changes used?
-
- Community Contributor
- Posts: 206
- Joined: Fri Oct 17, 2008 2:40 am
- OLAP Product: TM1, PA , TMVGate
- Version: 2.x
- Excel Version: 36x
- Location: Singapore
- Contact:
Re: SSL breaks on Nov 24
Yes. We have tested it. All services have to be stopped before V2 certs configuration. And of course Admin server has to be up first before all TM1 instances once V2 certs are done. The client side will be client by client.
- Steve Vincent
- Site Admin
- Posts: 1054
- Joined: Mon May 12, 2008 8:33 am
- OLAP Product: TM1
- Version: 10.2.2 FP1
- Excel Version: 2010
- Location: UK
Re: SSL breaks on Nov 24
PMhub is currently causing issues, otherwise the rest has been simple enough. The technote for the pmhub section is incorrect (for Windows at least) and I've got an open PMR with IBM on trying to find out what the correct actions are.
If this were a dictatorship, it would be a heck of a lot easier, just so long as I'm the dictator.
Production: Planning Analytics 64 bit 2.0.5, Windows 2016 Server. Excel 2016, IE11 for t'internet
Production: Planning Analytics 64 bit 2.0.5, Windows 2016 Server. Excel 2016, IE11 for t'internet
-
- Site Admin
- Posts: 1458
- Joined: Wed May 28, 2008 9:09 am
Re: SSL breaks on Nov 24
My belief (but happy to be corrected) is that PMhub is only for Ops Console. In our experience, and our clients', Ops Console is a nice idea that never worked - possibly due to the documentation issues. I recall trying to configure it when going through the 10.2.2 BI/TM1 integration, when the documented steps broke CAFE. It's even broken on TM1 Cloud. If others have better experience and find Ops Console of value, I'd be happy to change my view.PMhub is currently causing issues, otherwise the rest has been simple enough. The technote for the pmhub section is incorrect (for Windows at least) and I've got an open PMR with IBM on trying to find out what the correct actions are.
-
- MVP
- Posts: 1822
- Joined: Mon Dec 05, 2011 11:51 am
- OLAP Product: Cognos TM1
- Version: PA2.0 and most of the old ones
- Excel Version: All of em
- Location: Manchester, United Kingdom
- Contact:
Re: SSL breaks on Nov 24
I might be one of the few but I always use ops console now in place of TM1 Top and don't really have any issues - other than remembering to turn off compatability view in IE (I have a blindspot in my memory on that one.)David Usherwood wrote: My belief (but happy to be corrected) is that PMhub is only for Ops Console. In our experience, and our clients', Ops Console is a nice idea that never worked - possibly due to the documentation issues. I recall trying to configure it when going through the 10.2.2 BI/TM1 integration, when the documented steps broke CAFE. It's even broken on TM1 Cloud. If others have better experience and find Ops Console of value, I'd be happy to change my view.
The current client I am working at is using CAM security through full BI for TM1 and it works well but I will admit that I haven't checked Cafe as its something I rarely use if it can be avoided.
EDIT - I will caveat that I am just using it as a TM1 top replacement and that I have had issues with trying to view transactions logs in it (if they have more than about 4 records)... used the application server monitor a couple of times but there are better free tools for that.
Last edited by declanr on Tue Sep 13, 2016 11:00 am, edited 1 time in total.
Declan Rodger
- qml
- MVP
- Posts: 1095
- Joined: Mon Feb 01, 2010 1:01 pm
- OLAP Product: TM1 / Planning Analytics
- Version: 2.0.9 and all previous
- Excel Version: 2007 - 2016
- Location: London, UK, Europe
Re: SSL breaks on Nov 24
If I remember correctly, CAFE also connects to the PMhub. Which would explain this problem:David Usherwood wrote:My belief (but happy to be corrected) is that PMhub is only for Ops Console.
I have to agree with you that Ops Console, like too many of TM1 interfaces/tools, looks better on paper than in practice. However, I am organically opposed to running any server monitoring and management tools as a web service. It should be implemented as a thick client (in this case TM1top on steroids) which can connect to the server directly and lets you fix things even when everything else fails.David Usherwood wrote:I recall trying to configure it when going through the 10.2.2 BI/TM1 integration, when the documented steps broke CAFE.
Kamil Arendt
- Steve Vincent
- Site Admin
- Posts: 1054
- Joined: Mon May 12, 2008 8:33 am
- OLAP Product: TM1
- Version: 10.2.2 FP1
- Excel Version: 2010
- Location: UK
Re: SSL breaks on Nov 24
Nope, we use it and after some setup niggles it seems to work just fine, both with and without CAM authentication. It's the only way we have of seeing what is going on if a customer complains about performance issues. We don't use CAFE (yet) so if they are the only 2 areas we might struggle with then I think we can work with that.declanr wrote: I might be one of the few but I always use ops console now in place of TM1 Top and don't really have any issues - other than remembering to turn off compatability view in IE (I have a blindspot in my memory on that one.)
If this were a dictatorship, it would be a heck of a lot easier, just so long as I'm the dictator.
Production: Planning Analytics 64 bit 2.0.5, Windows 2016 Server. Excel 2016, IE11 for t'internet
Production: Planning Analytics 64 bit 2.0.5, Windows 2016 Server. Excel 2016, IE11 for t'internet
-
- Posts: 18
- Joined: Tue Mar 01, 2016 5:55 am
- OLAP Product: TM1 + BI
- Version: TM1 10.2
- Excel Version: Excel 2010
Re: SSL breaks on Nov 24
Hi All,
You should have a look at this article:
http://cubewise.com/blog/solutions-expi ... tificates/
It describes the different solutions depending on the TM1 version.
Cheers,
You should have a look at this article:
http://cubewise.com/blog/solutions-expi ... tificates/
It describes the different solutions depending on the TM1 version.
Cheers,
- Steve Vincent
- Site Admin
- Posts: 1054
- Joined: Mon May 12, 2008 8:33 am
- OLAP Product: TM1
- Version: 10.2.2 FP1
- Excel Version: 2010
- Location: UK
Re: SSL breaks on Nov 24
all fine except that option B still means local changes on client machines, and worse still it is usually harder for anyone with a deployed app to do rather than just asking users to update a client config (its no different to adding an adminhost really). people seem to forget that a lot of companies don't allow editing of software like that, and in our case the deployed software is packaged & installed by a 3rd party. all that costs money and more significantly time, let alone the need to thoroughly test beforehand because fixes for one thing have a nasty habit of breaking another 5...
for us, the only viable option I can see is swapping all the servers & other apps to the 2nd cert and asking users to edit their own configs. nothing else allows us the needed time to deploy it before BOOM day
for us, the only viable option I can see is swapping all the servers & other apps to the 2nd cert and asking users to edit their own configs. nothing else allows us the needed time to deploy it before BOOM day
If this were a dictatorship, it would be a heck of a lot easier, just so long as I'm the dictator.
Production: Planning Analytics 64 bit 2.0.5, Windows 2016 Server. Excel 2016, IE11 for t'internet
Production: Planning Analytics 64 bit 2.0.5, Windows 2016 Server. Excel 2016, IE11 for t'internet
-
- Posts: 1
- Joined: Sun Jan 25, 2015 7:31 pm
- OLAP Product: Cognos TM1
- Version: 10.2
- Excel Version: 2010
Re: SSL breaks on Nov 24
Have they will effect on IntegratedSecurityMode=5 or other authorize (CAM , LDAP) ?
-
- MVP
- Posts: 3683
- Joined: Fri Mar 13, 2009 11:14 am
- OLAP Product: TableManager1
- Version: PA 2.0.x
- Excel Version: Office 365
- Location: Switzerland
Re: SSL breaks on Nov 24
SSL affects whether client<->server communication is encrypted or not. Can you please explain how your question is relevant?jinnivan wrote:Have they will effect on IntegratedSecurityMode=5 or other authorize (CAM , LDAP) ?
Please place all requests for help in a public thread. I will not answer PMs requesting assistance.
-
- Community Contributor
- Posts: 110
- Joined: Thu Aug 26, 2010 7:41 am
- OLAP Product: TM1, PA
- Version: PAL 2.0.8
- Excel Version: 2016
- Location: North West England
Re: SSL breaks on Nov 24
RE: Cubewise - Option B
For those in the know, Do you know if there is anything extra needed for a CX Installation (Running 10.2.0), I don't thing there will be as it is a TM1 communication issue, but unsure if CX possibly leverages the same SSL Certs for anything else.
Also is it just a simple case of deletions and renames on the relevant Bin folders on the Servers and Clients, Is there no requirement to register the new certificates into the Servers trust store or will that be done automatically at some stage.
For those in the know, Do you know if there is anything extra needed for a CX Installation (Running 10.2.0), I don't thing there will be as it is a TM1 communication issue, but unsure if CX possibly leverages the same SSL Certs for anything else.
Also is it just a simple case of deletions and renames on the relevant Bin folders on the Servers and Clients, Is there no requirement to register the new certificates into the Servers trust store or will that be done automatically at some stage.
Always Open to Opportunities
-
- Community Contributor
- Posts: 248
- Joined: Tue Nov 01, 2011 10:31 am
- OLAP Product: TM1
- Version: All
- Excel Version: All
- Location: Manchester
- Contact:
Re: SSL breaks on Nov 24
A different IBM Technote on SSL Certificates released today:
https://www-01.ibm.com/support/docview. ... SS9RXT-_-R
https://www-01.ibm.com/support/docview. ... SS9RXT-_-R
Technote (FAQ)
Question
My TM1 Certificates expire in late-November. How can these be updated so that our environment is not impacted?
Answer
Option 1 - Secure your IBM Cognos TM1 Environment with Custom Certifciates
When: You can do this today if you wish - no Interim Fix required
Why: IBM Cognos TM1 comes packaged with default SSL certificates. In general, it is recommended to use your own organizations SSL Certificates.
How: See the following documentation (Change version using dropdown on page):
http://www.ibm.com/support/knowledgecen ... es_N1207C4
Option 2 - Switch to the IBM Cognos TM1 v2 Certificates (TM1 10.2+ only)
When: You can do this today if you wish - no Interim Fix required
Why: The v2 certificates provided were created as 2048 encrypted keys, whereas the default Applix certifcates were 1024. These guys expire in 2022.
How: See the following technote: http://www-01.ibm.com/support/docview.w ... wg21697266
**Note: 2048 is just an encryption method. There has been some confusion around the use of 2048...simplify this and think of it as nothing more than a different set of keys.
Option 3 - Apply an Interim Fix Updater
The IBM Cognos TM1 Development team will be releasing an interim fix which only includes updated default/applixca certificates. This fix will be applicable to the following versions of TM1:
10.1.0 ( Including any interim fix/fixpack builds )
10.1.1 ( Including any interim fix/fixpack builds )
10.2.0 ( Including any interim fix/fixpack builds )
10.2.2 ( Including any interim fix/fixpack builds )
Once the fix is available, it will need to be applied to all TM1 Server components - as well as all TM1 Client components (both a server side, and client side updater will be released).
INSTALLING THE UPDATER:
1) Download/Extract the Updater to your TM1 Servers (this includes application servers)
2) Stop your TM1 Services
3) Run the installer as an Administrator
4) Next, Next, Finish (follow the prompts to apply the fix to your TM1 directory)
5) After the installer has been completed, the following directories will contain the updated certificates:
<install dir>\tm1_64\bin\ssl
<install dir>\tm1_64\bin64\ssl
<install dir>\tm1_64\webapps\pmpsvc\WEB-INF\bin64\ssl
6) Start your TM1 Services
7) Update TM1 Client machines following the same steps - with the Client Updater
(If you used the Server install to install your TM1 Clients - then continue to use the server fix, to update your install)
The ETA for this Interim Fix is not currently available. This document will either be updated with an ETA - or a reference to a link where the fix can be found. The release of the fix is very near.
- Steve Vincent
- Site Admin
- Posts: 1054
- Joined: Mon May 12, 2008 8:33 am
- OLAP Product: TM1
- Version: 10.2.2 FP1
- Excel Version: 2010
- Location: UK
Re: SSL breaks on Nov 24
great, except it tells us nothing new and points us back to the original technote anyway. I've received some stuff from my PMR today, hoping it'll complete the gaps and i'll then know exactly what we need to do
If this were a dictatorship, it would be a heck of a lot easier, just so long as I'm the dictator.
Production: Planning Analytics 64 bit 2.0.5, Windows 2016 Server. Excel 2016, IE11 for t'internet
Production: Planning Analytics 64 bit 2.0.5, Windows 2016 Server. Excel 2016, IE11 for t'internet
-
- Posts: 54
- Joined: Tue May 08, 2012 3:58 pm
- OLAP Product: TM1
- Version: 9.5.2 FP2
- Excel Version: Excel 2007
Re: SSL breaks on Nov 24
OK thank you.kangkc wrote:Yes. We have tested it. All services have to be stopped before V2 certs configuration. And of course Admin server has to be up first before all TM1 instances once V2 certs are done. The client side will be client by client.
-
- Posts: 66
- Joined: Wed Jul 16, 2014 9:20 am
- OLAP Product: All of them
- Version: All of them
- Excel Version: 2003 -2013
Re: SSL breaks on Nov 24
This site has the answers to the SSL conundrum.
It assumes TM1 default installation and is a temporary solution to the certificate issue until the Interim Fix is pushed out.
http://ibm.biz/TM1SSLCertificate
It assumes TM1 default installation and is a temporary solution to the certificate issue until the Interim Fix is pushed out.
http://ibm.biz/TM1SSLCertificate
- Steve Rowe
- Site Admin
- Posts: 2439
- Joined: Wed May 14, 2008 4:25 pm
- OLAP Product: TM1
- Version: TM1 v6,v7,v8,v9,v10,v11+PAW
- Excel Version: Nearly all of them
Re: SSL breaks on Nov 24
Hi Duncan,
From your post in your link.
"So, before 24/11/2016 any customer must upgrade to TM1 v10.2.2 FP6, TM1 v10.2.0 FP2 or TM1 v10.1.1 FP2 as only for these releases the new Interim Fix will be published."
Are you saying categorically that there is no alternative to this and that IBM are only going to patch supported releases? Is this the official IBM position?
Will there be a method documented by IBM to fix unsupported releases?
Cheers,
From your post in your link.
"So, before 24/11/2016 any customer must upgrade to TM1 v10.2.2 FP6, TM1 v10.2.0 FP2 or TM1 v10.1.1 FP2 as only for these releases the new Interim Fix will be published."
Are you saying categorically that there is no alternative to this and that IBM are only going to patch supported releases? Is this the official IBM position?
Will there be a method documented by IBM to fix unsupported releases?
Cheers,
Technical Director
www.infocat.co.uk
www.infocat.co.uk