TM1Web 10.2.2 FP4 using SSL with default installed cert

[kangkc]

Has anyone managed to setup TM1Web 10.2.2 (FP4) with SSL using default installed cert.
IBM has a short article on how to enable TM1Web with SSL with external certs but there isn't much discussion on using the default installed certs.
I did a java keystore check and confirm the default certs are installed.

I presume it is just a simple change using Cognos Configuration to change all references of http://server:9510 to https://server:9514 (assume 9514 is the SSL port).
However when I try to start the application server, it failed to start with the following error. The first few lines of error on existing alias should not be the cause.
Reverting back to non-SSL and the application server can be started without any problem. I suspect there are some additional steps relating to pmpsvc but can't find any document on it.

Any suggestion ?

[Start]
[ ERROR ] Using JVM: C:\Program Files\Java\jdk1.7.0_79\jre\bin\server\jvm.dll
BINARY_PATH_NAME : "C:\Program Files\ibm\cognos\tm1_64\tomcat\bin\tomcat6.exe" //RS//pmpsvc
The service "pmpsvc" is registered
errorlevel 0 exit 0
Using JVM: C:\Program Files\Java\jdk1.7.0_79\jre\bin\server\jvm.dll
keytool error: java.lang.Exception: Certificate not imported, alias <applixca> already exists
java.lang.Exception: Certificate not imported, alias <applixca> already exists
at sun.security.tools.KeyTool.addTrustedCert(KeyTool.java:2616)
at sun.security.tools.KeyTool.doCommands(KeyTool.java:1009)
at sun.security.tools.KeyTool.run(KeyTool.java:340)
at sun.security.tools.KeyTool.main(KeyTool.java:333)
keytool error: java.lang.Exception: Certificate not imported, alias <tm1ca_v2> already exists
java.lang.Exception: Certificate not imported, alias <tm1ca_v2> already exists
at sun.security.tools.KeyTool.addTrustedCert(KeyTool.java:2616)
at sun.security.tools.KeyTool.doCommands(KeyTool.java:1009)
at sun.security.tools.KeyTool.run(KeyTool.java:340)
at sun.security.tools.KeyTool.main(KeyTool.java:333)
Updating the service "pmpsvc" ...
errorlevel before exit script 6
Using JVM: C:\Program Files\Java\jdk1.7.0_79\jre\bin\server\jvm.dll
Clearing caches ...
Starting the service "pmpsvc" ...
The IBM Cognos TM1 Application Server service is starting.
errorlevel 1 exit 1
The IBM Cognos TM1 Application Server service could not be started.

The service did not report an error.

More help is available by typing NET HELPMSG 3534.

[kangkc]

Found the problem after 1 week of testing and researching. I can confirm that 10.2.2 FP4 break the Application Server SSL and this is consistent after testing with 3 newly installed servers.

I updated it with FP5 and this seems to resolve the application server startup problem but it hit another Java exception problem. To resolve this, I have to point the JAVA_HOME to the IBM provided JRE or copy the bcprov-jdk14-145.jar to current JAVA_HOME.

[dsproffitt]

After applying FP4 to TM1 10.2.2.x when HTTPS is enabled for Tomcat the product does not start up any more (APAR 58030).
FP5 resolved this

[yingchai]

To resolve this, I have to point the JAVA_HOME to the IBM provided JRE or copy the bcprov-jdk14-145.jar to current JAVA_HOME.

Hi kangkc,

I also encountered the similar issue. So, I had upgraded from FP4 to FP5. Can you share more in details on this second resolution?

[kangkc]

If you do not have a JAVA_HOME define, you shouldn't encountered this issue. Else just look under IBM provided JRE and locate the mentioned jar and copy that to where you define the JAVA_HOME.
If possible, don't define any JAVA_HOME and leave that to the default setup by the TM1 installer.

[Babandit]

I ran into this issue when FP4 had just come out. I spent 2 weeks with IBM Support and finally he told me "Oh we have an FP4 interim fix"
once i installed the interim fix it worked fine.