SSL with custom certificates - configuration

daniel.havassy
Posts: 30
Joined: Wed Sep 14, 2016 9:26 am
OLAP Product: Planning Analytics Local
Version: 2.0.4
Excel Version: 2016

SSL with custom certificates - configuration

Post by daniel.havassy »

Hi Everyone!

I'm looking for a solution on how to implement SSL with custom certificates, as working from what I found in documentation and forum topics here I did not succeed. Below I tried to give a detailed summary on steps I took. Any help is much appreciated.

Thanks,
Dan

=========================================================================

TM1 version: 10.2.2 FP5 (Windows 64bit)
Clients involved: Architect, Perspectives (both 32 bit), TM1 Web
Authentication method: Integrated Login (IntegratedSecurityMode=3)
NOTE: No Cognos BI components are involved in the implementation whatsoever

Our TM1 implementation is working fine with SSL connection using the IBM generated certificates from the „TM1_install_dir\bin\SSL” directory. Our settings rely on using certificate version 2 (tm1ca_v2.pem etc, i.e. the 2048 bit version using SHA256). Also, our settings are not exporting any of the certificates from the Certificate Store.

Our Client expressed a need to use their own certificate authority and certificates, also without exporting them from the Certificate Store. We tried to make that happen, but failed to make it work and are now looking for help and / or a step-by-step guide on how to implement that.

What we have done was the following:

1. Created a Certificate Signing Request using the ThirdPartyCertificateTool. The command line commands issued were as follows:
for the Signing Identity
ThirdPartyCertificateTool.bat -java:local -c -s -d "CN=computername O=company C=country" -r D:\TM1\SignRequest.csr -D ../configuration/signkeypair -p NoPassWordSet
for the Encrypt Identity
ThirdPartyCertificateTool.bat -java:local -c -e -d "CN=computername O=company C=country" -r D:\TM1\EncryptRequest.csr -D ../configuration/encryptkeypair -p NoPassWordSet
2. Our Client’s IT team received the output files SignRequest.csr and EncryptRequest.csr and generated two .cer files respectively, and also sent us the root CA certificate file in .cer format, two issuing (intermediate) certificates (also in .cer format) and two certificate chain files for the signing and encryption certificates in PKCS#7 format.
3. Next, we imported the certificates to the keystores as follows:
• ThirdPartyCertificateTool.bat -java:local -i -s -r SignCertificate.cer -D ..\configuration\signkeypair -p NoPassWordSet -t <sign certificate’s cert chain file in PKCS#7 format>
• ThirdPartyCertificateTool.bat -java:local -i -e -r EncryptCertificate.cer -D ..\configuration\encryptkeypair -p NoPassWordSet -t <encrypt certificate’s cert chain file in PKCS#7 format>
• ThirdPartyCertificateTool.bat -java:local -i -T -r <root CA cert in .cer format> -D ..\configuration\signkeypair -p NoPassWordSet
4. After that, using the java keytool, we imported the root CA certificate to the trusted CA Certs keystore.
• keytool -import -trustcacerts -file <root CA cert in .cer format> -keystore ..\lib\security\cacerts -alias RootCA

In Cognos Configuration under the Cryptography Node > Cognos the „Use Third Party CA?” parameter was set to True, and the StandaloneCertificateAuthority variable with a value of True was added to the Local Configuration Advanced properties.

From this point on, whatever parameters we set to the Admin Server’s SSL properties in Cognos Configuration, or the TM1 servers’ tm1s.cfg file and the Architect/Perspectives clients’ Options, we could not get things to work.
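
A check that can be run on the files returned by the CA in step 2 before importing them in step 3, as an added example that is not part of the original post and not IBM's procedure: it confirms that the issued certificate carries the public key of the CSR (the private key stays in the keystore created with the request) and that the PKCS#7 chain links it to the root CA. It assumes the openssl command-line tool and a PEM-encoded CSR; the function names and file names are hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check the files a CA returns before importing them.
# Function and file names are hypothetical; requires the openssl CLI.

# Print a certificate as PEM whether the .cer file is PEM (Base64) or DER.
cert_to_pem() {
    openssl x509 -in "$1" -inform PEM 2>/dev/null ||
    openssl x509 -in "$1" -inform DER
}

# Print every certificate in a PKCS#7 bundle as PEM (PEM or DER input).
p7_to_pem() {
    openssl pkcs7 -print_certs -in "$1" -inform PEM 2>/dev/null ||
    openssl pkcs7 -print_certs -in "$1" -inform DER
}

# check_issued_cert CSR CERT CHAIN_P7 ROOT
# Returns 0 only if CERT carries the CSR's public key and verifies against
# ROOT using the intermediate certificates found in CHAIN_P7.
check_issued_cert() {
    csr=$1 cert=$2 p7=$3 root=$4
    work=$(mktemp -d) || return 2
    status=0
    cert_to_pem "$cert" > "$work/cert.pem" || status=2
    cert_to_pem "$root" > "$work/root.pem" || status=2
    p7_to_pem "$p7" > "$work/chain.pem" || status=2
    if [ "$status" -eq 0 ]; then
        csr_key=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || csr_key=
        cert_key=$(openssl x509 -in "$work/cert.pem" -noout -pubkey)
        if [ -z "$csr_key" ] || [ "$csr_key" != "$cert_key" ]; then
            echo "FAIL: certificate was not issued for this CSR's key" >&2
            status=1
        elif ! openssl verify -CAfile "$work/root.pem" \
                -untrusted "$work/chain.pem" "$work/cert.pem" >/dev/null 2>&1; then
            echo "FAIL: chain does not verify up to the supplied root" >&2
            status=1
        fi
    fi
    rm -rf "$work"
    return "$status"
}

# Stand-alone use: sh check.sh SignRequest.csr SignCertificate.cer chain.p7b root.cer
if [ "$#" -eq 4 ]; then
    check_issued_cert "$@"
fi
```

A non-zero result from the second check usually means an issuing certificate is missing from the PKCS#7 file or the wrong root was supplied.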
dsproffitt
Posts: 66
Joined: Wed Jul 16, 2014 9:20 am
OLAP Product: All of them
Version: All of them
Excel Version: 2003 -2013

Re: SSL with custom certificates - configuration

Post by dsproffitt »

First off, what are you trying to secure?

If it is pmpsvc/pmhub/tm1web then this we will call External SSL
If it is the instances/Admin server then this is Internal SSL

Both have slightly different procedures. One takes 10 minutes with all the certs, the other can take an hour.
daniel.havassy
Posts: 30
Joined: Wed Sep 14, 2016 9:26 am
OLAP Product: Planning Analytics Local
Version: 2.0.4
Excel Version: 2016

Re: SSL with custom certificates - configuration

Post by daniel.havassy »

dsproffitt wrote:First off, what are you trying to secure?

If it is pmpsvc/pmhub/tm1web then this we will call External SSL
If it is the instances/Admin server then this is Internal SSL

Both have slightly different procedures. One takes 10 minutes with all the certs, the other can take an hour.

Thanks for your reply. What I was trying to do was to secure communication between all TM1 components, meaning Admin server / instances / thick & thin clients.

Can you elaborate on what the difference is between internal and external SSL, and what the internal workings of TM1 are in relation to these?

Thanks!
dsproffitt
Posts: 66
Joined: Wed Jul 16, 2014 9:20 am
OLAP Product: All of them
Version: All of them
Excel Version: 2003 -2013

Re: SSL with custom certificates - configuration

Post by dsproffitt »

daniel.havassy wrote: Thanks for your reply. What I was trying to do was to secure communication between all TM1 components, meaning Admin server / instances / thick & thin clients.
Can you elaborate on what the difference is between internal and external SSL, and what the internal workings of TM1 are in relation to these?
Thanks!
Ok, so everything .. that's cool.
Here are two Prezi presentations I give to my customers and colleagues when they want to learn how to do it.

https://prezi.com/cnjjuhree8hx/?utm_cam ... c=ex0share
https://prezi.com/eza7ncec-w5z/?utm_cam ... c=ex0share


You have to bear in mind this is only a guide for the bog-standard TM1 installation. No CAM, no SSO, no BI is involved.
The disclaimer here is that this is my own work, I know it works, I have used it numerous times.
This is not the IBM official way of doing it, and I do not purport it to be so.
Any discrepancies between it and the official documentation you will need to work out yourself.

I use OpenSSL to create the certs, but you can also use Portecle.

Practice on a test environment first.
Learn about how SSL works and what it does and doesn't do.
Then learn about how things can go wrong even when you have got the implementation right.

You need to agree to these statements as screwing up an SSL implementation is dangerous and could leave you open to high security risk and loss of data.
daniel.havassy
Posts: 30
Joined: Wed Sep 14, 2016 9:26 am
OLAP Product: Planning Analytics Local
Version: 2.0.4
Excel Version: 2016

Re: SSL with custom certificates - configuration

Post by daniel.havassy »

Thanks for the Prezis, much appreciated.
I'll get to work soon and work my way through them. I'll let you know how it went :)
conray
Posts: 41
Joined: Thu Jul 07, 2011 7:50 am
OLAP Product: TM1
Version: 9.5.2
Excel Version: Excel 2010

Re: SSL with custom certificates - configuration

Post by conray »

sorry to hijack the thread..but is it possible that i follow the steps in the prezi for version 9.5.2?
Looking to overcome the applix cert expiring on 24th Nov 2016 issue..
Server OS: Windows Server 2008 R2 (64-bit)
TM1: v9.5.2 FP1
MS Office: Microsoft Excel 2003, 2010
dsproffitt
Posts: 66
Joined: Wed Jul 16, 2014 9:20 am
OLAP Product: All of them
Version: All of them
Excel Version: 2003 -2013

Re: SSL with custom certificates - configuration

Post by dsproffitt »

conray wrote:sorry to hijack the thread..but is it possible that i follow the steps in the prezi for version 9.5.2?
Looking to overcome the applix cert expiring on 24th Nov 2016 issue..
I am afraid these instructions only work for 10.2.x
lotsaram
MVP
Posts: 3654
Joined: Fri Mar 13, 2009 11:14 am
OLAP Product: TableManager1
Version: PA 2.0.x
Excel Version: Office 365
Location: Switzerland

Re: SSL with custom certificates - configuration

Post by lotsaram »

conray wrote:sorry to hijack the thread..but is it possible that i follow the steps in the prezi for version 9.5.2?
Looking to overcome the applix cert expiring on 24th Nov 2016 issue..
9.5.2 won't support the v2 certs so your only option if stuck on 9.5.2 is to go the custom certificate route for 1024 bit certs. But unless you are off maintenance why would you stick with 9.5.2?
Please place all requests for help in a public thread. I will not answer PMs requesting assistance.
kangkc
Community Contributor
Posts: 206
Joined: Fri Oct 17, 2008 2:40 am
OLAP Product: TM1, PA , TMVGate
Version: 2.x
Excel Version: 36x
Location: Singapore
Contact:

Re: SSL with custom certificates - configuration

Post by kangkc »

Mark RMBC
Community Contributor
Posts: 292
Joined: Tue Sep 06, 2016 7:55 am
OLAP Product: TM1
Version: 10.1.1
Excel Version: Excel 2010

Re: SSL with custom certificates - configuration

Post by Mark RMBC »

Hi all,

I wondered if anyone could provide some step by step guide as to how to configure custom SSL certificates with Planning Analytics (i.e. all components - everything). Just for clarity, this is using the client's own certificates.

I attempted to watch the vids in the thread by dsproffitt but they seem to have disappeared.

I know IBM provide guides but wanted something a normal human could understand before going down that road!

If I do go down the IBM road I may post specific questions along the way!

cheers, Mark
dharav9
Posts: 72
Joined: Wed Aug 15, 2018 3:18 pm
OLAP Product: TM1
Version: 10.3
Excel Version: 2016

Re: SSL with custom certificates - configuration

Post by dharav9 »

dsproffitt wrote: Fri Sep 23, 2016 12:33 pm First off, what are you trying to secure?

If it is pmpsvc/pmhub/tm1web then this we will call External SSL
If it is the instances/Admin server then this is Internal SSL

Both have slightly different procedures. One takes 10 minutes with all the certs, the other can take an hour.

I would like to know whether the following is possible:

1) Without applying internal SSL, can we apply external SSL to use PAW & PAX with an https URL?
2) Which one takes 10 minutes?
3) Is any effort from the IT team involved?

Purpose to install SSL Certificates:

=> While validating the admin tool in PAW, we received a timeout error. When we use the HNS IP address to validate the admin tool, it works. So in order to validate with the FQDN, I have to add the PAW URL with the FQDN to trusted sites. In the production environment, we cannot add any http site to the trusted sites due to a Group Policy restriction. So we must utilize an https based URL only.


Thank You

Dharav