TM1 10.2 HTTPS-Problem

[Willi]

Hi,

i have a Problem to configure TM1Web to run with SSL. I followed the description here:

http://pic.dhe.ibm.com/infocenter/cbi/v ... r_SSL.html

(Sorry it's german) and get the SSL running but with the Standard certificate issued to "CAMUSER". I also followed the steps described in the above mentioned document to install the certificat ein the Java Keystore and got the message that it's added. I than restarted all of the TM1-processes but still get the Certificate-Warning. What am I missing that the correct certificate is not used?

Thanks and best regards,
Willi

[declanr]

Sorry to start by asking the obvious but did you definitely target bin64 as opposed to bin? (Assuming its a 64 bit box)

[Willi]

No reason to say sorry! But yes, I'm sure that I targeted the 64-bit Environment. I used this:

"C:\Program Files\ibm\cognos\tm1_64\bin64\jre\7.0\bin\keytool.exe" ... -keystore "C:\Program Files\ibm\cognos\tm1_64\bin64\jre\7.0\lib\security\cacerts"

[Sebastian.Klein]

I've come up with the same problem a few weeks ago and it took me a long time to understand the documentation. Your link provide instructions to use your own SSL certificates in TM1Web, but not for the communication within the browser. It explains only the use of SSL towards the TM1 Server. I searched the web quite a long time to find the answer, finally an older TM1 documentation led me to the solution (please don't ask for the link, I have forgotten it), but there is no detailed description of what to do. So I provide my own documentation what I have done to get SSL working.

To enable your own SSL certificate within TM1Web you must configure Apache Tomcat to use the certificate instead of the default IBM one. The following steps are necessary to activate SSL:

1. Open Cognos Configuration on the server where TM1Web is installed
2. Change the following parameters under the node TM1 Application Server:

   Code: Select all

   TM1 Application Server Gateway URI: https://localhost:9514/pmpsvc 
   External server URI: https://localhost:9514 
   TM1 Application Server Dispatcher URI: https://localhost:9514/pmpsvc/dispatcher/servlet 
   

3. Save the new configuration
4. Restart the TM1 Application Server Service to ensure that the changes in the configuration are taking effect. After this part SSL works, but with the IBM certificate ("CAMUSER")
5. Edit the Tomcat configuration file: C:\Program Files\ibm\cognos\tm1_64\tomcat\conf\server.xml
6. There is a section inside starts with <Connector port="9514" (or whatever port you have configured above). Comment that out with <!-- at the beginning and --> at the end
7. Insert a new section under it:

   Code: Select all

   <Connector port="9514" 
              maxThreads="200" 
              scheme="https" secure="true" 
              clientAuth="false" sslProtocol="TLS" SSLEnabled="true" 
              keystoreFile="Path to certificate" 
              keystoreType="PKCS12" 
              keystorePass="your certificate password" 
          /> 
   

   Be sure to set the right values for keystoreFile and keystorePass. It is the certificate and its password itself, not the Java keystore, e.g. C:\Certificate\Certificate.pfx. If the certificate is in another format, please update the keystoreType to the right value. I assume, google will help you out.
8. Add your certificate to the key store as you mentioned above:

   Code: Select all

   "c:\Program Files\ibm\cognos\tm1_64\bin64\jre\7.0\bin\keytool.exe" -importcert -file "your certificate.cer" -keystore "c:\Program Files\ibm\cognos\tm1_64\bin64\jre\7.0\lib\security\cacerts" -storepass "changeit" -alias "your alias"
   

   Please note, that this certificate is in another format then the one configured for tomcat!
9. Configure the tomcat service to use the keystore. To do that, you must oben the tomcat service utility with the following command:

   Code: Select all

   "c:\Program Files\ibm\cognos\tm1_64\tomcat\bin\tomcat6w.exe" //ES//pmpsvc 

   Under the tab "Java" in the field "Java Options" you must add the following line:

   Code: Select all

   -Djavax.net.ssl.keyStore=C:\Program Files\ibm\cognos\tm1_64\bin64\jre\7.0\lib\security\cacerts 

   (Yes, there are no spaces betweend the -D and javax...)
10. Finally, restart the TM1 Application Server service. After that, you can reach tm1web only via SSL: http://your_server:9514/tm1web

All paths are the default installation paths after a 64bit TM1 Windows installation. Please check if they match your installation paths. If you make changes to the TM1 Configuration in the future, you must repeat the steps 5-7 because TM1 will overwrite the tomcat configuration.

I hope it is explained well for you. If not, don't hesitate to contact me, I also speak german, if it is easier to communicate

[Willi]

Hi Sebastian,

thx a lot for your replay. I tried this step by step but no success. Even worse: I cannot connect at all now. I corrected a typo in your Server.xml-config but this also had no effect. Very weird.

I think I'll try to contact you but I would like to let the community participate on the solution!?

Regards

[Willi]

Problem solved. The main issue was a misunderstanding on my side. In the Server.xml I have to point to the certificate-file. Not to the Java-Keystore. And as Password the Password of the Certificate not the keystore.

And small typo in the Server.xml of Sebastian was "cheme" instead of "scheme".

Thx a lot Sebastian. That was really an amazing help!!!

[Sebastian.Klein]

That sounds good, I am glad that I helped you with your problem. I corrected the typo and updated my instructions above, so it is clearer to understand, to which certificate file the options must point.

[Wim Gielis]

Danke schön Sebastian!

Given the informative content of your reply and also given that you're a TM1 consultant since 2008,
why did you only post 5 times in the forum? You should try to post more and become a regular

[Sebastian.Klein]

Danke schön Sebastian!

Given the informative content of your reply and also given that you're a TM1 consultant since 2008,
why did you only post 5 times in the forum? You should try to post more and become a regular

I will do my best, but time is rare and if I help too much, how would I earn my money in the future ?

[nedcpatm1]

Willi,
Do you remember the certificate file format you used to import certificate in the tomcat keystore (for tm1 app) and microsoft certificate store (for tm1 web)? I believe the files should have PEM and PFX extensions respectively. Please confirm.
Ned

[Willi]

As far as I remember: yes

[danmac]

Thanks so much for this, I can confirm the same approach works for 10.2.2.

I'm now being slightly held up though with configuring the integration with Cognos Workspace. I've altered the Atom file to use HTTPS, and I can see the server in Workspace, but it won't expand to show 'Applications' or 'Views'.

I'm thinking this could be a certificate issue, does anyone have any ideas where I would need to import the Cert (or the CA Cert) to make this work? I've tried on the 2 Dispatchers but it doesn't seem to work... Any other ideas?

Thanks
Dan

[danmac]

Huzzah, Solved this myself in the end.

For anyone looking for this information, there are 3 steps.
1. Alter the 'tm1_contribution.atom' file, typically found on BI Application Tier servers here: C:\Program Files\ibm\cognos\c10_64\configuration\icd\contributions\contrib
Change the HTTPS flag from 0 to 1 on any TM1 Server Definitions being used on this TM1Web Host.

2. Import the Certificate used by TM1 Web on the BI Application Server
"C:\Program Files\ibm\cognos\c10_64\bin64\jre\7.0\bin\keytool.exe" -import -trustcacerts -file "E:\SSL Certficates\<CERTFILENAME>.cer" -keystore "C:\Program Files\ibm\cognos\c10_64\bin64\jre\7.0\lib\security\cacerts" -storepass "changeit" -alias "<CERTALIAS>"

3. Import the Root CA Certificate used to validate the Certificate used by TM1 Web on the BI Application Server
"C:\Program Files\ibm\cognos\c10_64\bin64\jre\7.0\bin\keytool.exe" -import -trustcacerts -file "E:\SSL Certficates\<ROOTCERTFILENAME>.cer" -keystore "C:\Program Files\ibm\cognos\c10_64\bin64\jre\7.0\lib\security\cacerts" -storepass "changeit" -alias "<ROOTCERTALIAS>"

Then Restart the IBM Cognos BI Service, and voila! TM1 Web access in BI via SSL.

A quick note that this seems to be required if using Cognos BI with SSL, otherwise you can run in to issues with the browser about a secure site using insecured content.

Thanks
Dan

[Sudheer]

HI,
i have tried the same steps in tm1 10.2.2, But its not working for me. coudl you please help me on this.
we have got ssl certificate with .cer format. i did modify the server.xml file and instllaed the certifiacte in cacerts. after rest the application server tm1 web is not working with https.

[p2n]

Hi Sudheer,

I had some Problems as well. But now I have a (quite simple) solution:

1. Stop all TM1 Services
2. Check the Settings for SSL in Cognos Configuration --> Cryptography --> Digest algorithm
3. Save changes in Cognos Configuration and close it.
4. Create a folder somewhere (in my example: "E:\ssl_requests") (if you choose a different Folder, please ensure to change it in the following commands)
5. Open a cmd (as Administrator)
6. Goto "bin" in your installation Folder: cd "C:\Program Files\ibm\cognos\tm1_64\bin"
7. ThirdPartyCertificateTool.bat -java:local -c -s -d "CN={YOUR SERVER NAME / WEBADDRESS},O={ORGANIZATION NAME},C={COUNTRY}" -r E:\SSL_Requests\signRequest.csr -D "E:\SSL_Requests\signkeypair" -p NoPassWordSet
8. ThirdPartyCertificateTool.bat -java:local -c -e -d "CN={YOUR SERVER NAME / WEBADDRESS},O={ORGANIZATION NAME},C={COUNTRY}" -r E:\SSL_Requests\encryptRequest.csr -D "E:\SSL_Requests\encryptkeypair" -p NoPassWordSet
9. Now you have your certificate request. Now you have to sign them. (Other Topic)
10. Once you have your certificates save them in your folder. Don't forget the certificate with the root [and intermediate] certificate in it.
11. Within your folder 2 subfolder have been created while step 7 and 8. "encryptkeypair" and "signkeypair".
12. Delete or backup these 2 folder in „C:\Program Files\ibm\cognos\tm1_64\configuration“
13. Copy these two folders from your folder to „C:\Program Files\ibm\cognos\tm1_64\configuration“
14. ThirdPartyCertificateTool.bat -java:local -i -e -r E:\SSL_Requests\encryptRequest.pem -t E:\SSL_Requests\CA.pem -D "C:\Program Files\ibm\cognos\tm1_64\configuration\encryptkeypair" -p NoPassWordSet
15. ThirdPartyCertificateTool.bat -java:local -i -s -r E:\SSL_Requests\signRequest.pem -t E:\SSL_Requests\CA.pem -D "C:\Program Files\ibm\cognos\tm1_64\configuration\signkeypair" -p NoPassWordSet
16. ThirdPartyCertificateTool.bat -java:local -i -T -r E:\SSL_Requests\CA.pem -D "C:\Program Files\ibm\cognos\tm1_64\configuration\signkeypair" -p NoPassWordSet
17. Change to folder "cd C:\Program Files\ibm\cognos\tm1_64\bin64\jre\7.0\bin"
18. keytool -import -trustcacerts -file "E:\SSL_Requests\CA.pem" -keystore ..\lib\security\cacerts -storepass changeit -alias CA
19. Open Cognos Configuration
20. Parameter „Use third party CA“ auf „True“ in Security --> Crypto --> Cognos
21. In Local Configuration --> Advanced properties --> Add: Name: “StandaloneCertificateAuthority”, Value: “True” (Please ensure the case of the letters)
22. Press "Save" in Cognos Configuration
23. Start the services.

Now it should work.

Regards
Paul

[dsproffitt]

These two links will work

http://www-01.ibm.com/support/docview.w ... wg21903098

http://www-01.ibm.com/support/docview.w ... wg21902547

If you are only implementing External SSL on TM1 (pmpsvc/tm1 web) then you dont need the above post's number 20 & 21 (even though it says you do in the Technotes as well)

[lucas7lhw]

To enable your own SSL certificate within TM1Web you must configure Apache Tomcat to use the certificate instead of the default IBM one. The following steps are necessary to activate SSL:
...
I hope it is explained well for you. If not, don't hesitate to contact me, I also speak german, if it is easier to communicate

Dear Sebastian and guys,

I still have some other questions below:

1. Would you mean to install Apache Tomcat under the same folder, and overwrite the default IBM built-in one?
2. In Step 7, what is keystoreFile? Now I have root.cer, intermediate.cer, signedCSR.pem by CA team and CSR generated by myself. Does anyone help to describe the steps one by one?
   This tech note confuses me right now..

P.S.: My current environment is TM1 10.2.2 with FP3.

THANKS A MILLION, guys!

Regards
Lucas

[lucas7lhw]

Hi Sudheer,

I had some Problems as well. But now I have a (quite simple) solution:

1. Stop all TM1 Services

Now it should work.

Regards
Paul

Hi Paul,

I have already re-config my environment 2 times, but I still cannot take SSL effect. Is there any way to "debug" or find the root cause? Thanks a lot!!

Regards,
Lucas

[deadsea]

Good Day All:

I read through the thread and it is stated that certs to imported should in PEM or PFX format. However, I am unable to find any documentation from IBM (thus far looked up the packaged install/config guide that comes with 10.2.2 install) that states that authoritatively.

The issue is that I am being given certs in *.CER format and got the following error:

CAM-CRP-1212: Unable to load CA Cert from file 'somecertfile.CER'.

Can anyone point me to any document or a source that authoritatively states that certs must be in PEM or PFX?

Thank you everyone.

[nedcpatm1]

We configured our SSL (tm1 10.1.1) using Cer file (both tm1 web and tm1 app); no conversion was required to PFX or PEM.