SSL breaks on Nov 24 (TM1 SSL Certificates Expire on 24 November)

[Guillaume Galtier]

He will update this section tho:

Do NOT proceed with this documentation unless you either:
a) Do NOT use TM1 Operations Console/PMHub/CAFE
b) or are on TM1 10.2.2 FP4+


To state:
IBM Cognos TM1 v2 Certificates (TM1 10.2.2 FP4 IF1+ only)

Not sure to follow you. That means that switching to v2 certificates can be considered as a valid solution only if your TM1 version is higher or equal to 10.2.2 FP4 IF1 ??

Kamil's answer was suggesting the opposite:

The manual switch to v2 certs approach you have chosen is absolutely fine for pre-10.2.2 FP4 versions, including yours, except for the following components: Ops Console, PmHub, CAFE. So if you are not using them, then you need not worry.

Here is a quote from Duncan Proffitt's FAQ:

What is special about Ops Console, PMHub & CAFE in relation to TM1 10.2.2 FP4? Why cant I install v2 certs in anything older than that version?
The reason that this is in is because of a bug in the application of custom certificates when using SSL and TM1. (with Ops Console, PMHub/tm1/servers & CAFE)
Version 2 certificates ARE custom certificates, therefore they will not work with anything that is older than TM1 10.2.2 FP4 when trying to reach Ops Console, PmHub or CAFE.

While this doesn't say in a straightforward way that it will work for other components, I believe this is the intended implication and also it's what testing shows.

And I really prefer Kamil's answer...

We are running 10.2.2 FP1 and as already said, switching to v2 certificates seems to work fine.
Should I plan to take another option now?

[Steve Vincent]

I'm on the same set up as you, although we do use Ops Console and have desires to use CDM in the future too. My testing seemed to show it was mostly fine, as long as you don't currently or in the future have requirements to use other tools with TM1 then you should be fine.

[Guillaume Galtier]

I'm on the same set up as you, although we do use Ops Console and have desires to use CDM in the future too. My testing seemed to show it was mostly fine, as long as you don't currently or in the future have requirements to use other tools with TM1 then you should be fine.

Thank you Steve.
We're not using other tools and will probably never as my client plan to fully decommission TM1 in the coming months/years...
So, switching to v2 certif looks like the easiest and less costly option.

And also time is running out...

[Jefflinde]

I have a question on the V2 Certificate option (#4). I am reading through the "How to Configure" file provided by IBM and i am not seeing anything that references the Client. Does option 4 not have a required client side update? This would be great as that will save me the headache of preparing a package for deployment but I want to make sure that I am not missing something.

Cheers.

Jeff

[Guillaume Galtier]

I have a question on the V2 Certificate option (#4). I am reading through the "How to Configure" file provided by IBM and i am not seeing anything that references the Client. Does option 4 not have a required client side update? This would be great as that will save me the headache of preparing a package for deployment but I want to make sure that I am not missing something.

Hi Jeff,

No way to go through the 24th of November without updating the Client.
Considering the option 4 (switching to v2 certificates) you've at least to configure TM1 Architect to update the Certificate Authority field (technote: http://www-01.ibm.com/support/docview.w ... wg21697266).

[BariAbdul]

Sorry if it has already been posted here,Could be useful

https://www.ibm.com/developerworks/comm ... c94f&ps=25 Thanks

[MSidat]

Has anyone successfully completed the manual steps for a cx installation?

I have just done it in a dev environment and connecting to the CXMD Instance works fine via Architect/Xcelerator.

However I can't connect via the link in the CX Managers Welcome Page ("Contribute to planning activities" link), Performance Manager cant connect and nor can I login via the standard tm1web url (although the login page does appear on the tm1web page but comes up with a "login does not work" message).

[kangkc]

I patched up a CX 9.5 today. All components are working, Xcelerator as well as Web (.NET based).

I believe your setup is a CX 10.1 as 10.2.2 is based on TM1 Enterprise image and no longer using CX manager etc.

Manual steps for 10.1 should be the same as 9.5 as both TM1Web are .NET based. I suspect the problem has to do with the Windows Cert store. Did you perform the importsslcert steps ?

[MSidat]

I patched up a CX 9.5 today. All components are working, Xcelerator as well as Web (.NET based).

I believe your setup is a CX 10.1 as 10.2.2 is based on TM1 Enterprise image and no longer using CX manager etc.

Manual steps for 10.1 should be the same as 9.5 as both TM1Web are .NET based. I suspect the problem has to do with the Windows Cert store. Did you perform the importsslcert steps ?

Yes - performed the importsslcert steps (although did find that the actual importsslcert.exe didnt exists in the directory they referred to so had to copy it in from another folder) I am pretty sure this stage worked fine as I can see the new cert in the windows cert store when I look via the Management Console.

The only weird thing I did notice was the step around copying all the NGTM1* files from one location to another. I didn't understand why this step had to be undertaken as these files didnt show as being recently updated by any of the previous steps. Unless of course I have missed some steps which does results in these files being updated..

[prasad]

Hi

Thanks in advance

We have successfully updated for TM1 SSL Certificates for application server .

We need to update same for webserver and Bi server
Can you please share Expiring TM1 SSL Certificates for web server and BI server docuent - Manual Steps - TM1 10.2.2 FP1 - WINDOWS?



Thanks
Prasad.

[dsproffitt]

Can you please share Expiring TM1 SSL Certificates for web server and BI server docuent - Manual Steps - TM1 10.2.2 FP1 - WINDOWS?

http://ibm.biz/TM1SSLCertificate

[prasad]

thanks for help




As I have mentioned before we have updated the SSL certificates in the TM1 application server ,Now It shows up expiry date 17 June 2016 to 15th Jun,2024 by following steps given by below link.

Link: http://www-01.ibm.com/support/docview.w ... wg21991546

Our users use Cognos TM1 web ,Now we are at loss to how to update SSL certificate at Web Server. Do we need to follow the same steps provided in above link or it is different.

IBM documentation doesn’t give clarity anywhere. Please provide steps or any relevant document. We also need to update Cognos BI server component also.


Thanks
Prasad.

[dsproffitt]

As I have mentioned before we have updated the SSL certificates in the TM1 application server ,Now It shows up expiry date 17 June 2016 to 15th Jun,2024 by following steps given by below link.
Link: http://www-01.ibm.com/support/docview.w ... wg21991546

Good.

Our users use Cognos TM1 web ,Now we are at loss to how to update SSL certificate at Web Server. Do we need to follow the same steps provided in above link or it is different.

I dont understand your question.
The instructions are clearly marked as server and client.
Do you use the Applications Server from TM1?

IBM documentation doesn’t give clarity anywhere.

You need to give more information. The documentation has assisted many customers to achieve this aim. It is clearly laid out and covers server and clients

Please provide steps or any relevant document. We also need to update Cognos BI server component also.

What steps do you need?
In the blog, you would see that there is a section on how to deal with BI

[prasad]

Thanks for your reply
As I have mentioned before we have updated the SSL certificates in the TM1 application server ,Now It shows up expiry date 17 June 2016 to 15th Jun,2024 by following steps given by below link.
Link: http://www-01.ibm.com/support/docview.w ... wg21991546



Same steps we are following for web server update. but am stucked at step no 10
Update Java keystore
Open Command Prompt as Administrator
cd C:\Program Files\ibm\cognos\tm1_64\bin64\jre\7.0\bin
keytool -delete -alias applixca -keystore ..\lib\security\cacerts -storepass changeit
keytool -keystore ..\lib\security\cacerts -alias applixca -import -file "C:\Program Files\ibm\cognos\tm1_64\bin64\ssl\applixca.der" -storepass changeit -noprompt


for more information, I have attached the screen shot for the same...

Can you please look in to it and give me the suggession.

Thanks in advance

[vovanenok]

Thanks for your reply
As I have mentioned before we have updated the SSL certificates in the TM1 application server ,Now It shows up expiry date 17 June 2016 to 15th Jun,2024 by following steps given by below link.
Link: http://www-01.ibm.com/support/docview.w ... wg21991546



Same steps we are following for web server update. but am stucked at step no 10
Update Java keystore
Open Command Prompt as Administrator
cd C:\Program Files\ibm\cognos\tm1_64\bin64\jre\7.0\bin
keytool -delete -alias applixca -keystore ..\lib\security\cacerts -storepass changeit
keytool -keystore ..\lib\security\cacerts -alias applixca -import -file "C:\Program Files\ibm\cognos\tm1_64\bin64\ssl\applixca.der" -storepass changeit -noprompt


for more information, I have attached the screen shot for the same...

Can you please look in to it and give me the suggession.

Thanks in advance

you have to execute this first:
keytool -delete -alias applixca -keystore ..\lib\security\cacerts -storepass changeit

[prasad]

Thanks for your reply.


Thanks Dsproffitt and vovanenok.According to your suggestions we have updated the certificates both at TM1 application server as well as TM1 web server. Now, we are facing another issue. TM1 support team mainly use Architect whereas business uses TM1 web. Now, the client team is unable to connect to perspectives with a client configured with the old certificates, this way they want to connect by using either an old or new Perspective client. One of the client team has admin access for TM1.
We have followed the step mentioned here for 10.2.2 FP1 :
http://www-01.ibm.com/support/docview.w ... wg21991546 which I think replace new certificates with old certificates.
According to this post old and new certificates exists till 24th Nov, 2016:
Top
dsproffitt
Posts: 46
Joined: Wed Jul 16, 2014 9:20 am
OLAP Product: All of them
Version: All of them
Excel Version: 2003 -2013
Re: SSL breaks on Nov 24
•
Postby dsproffitt » Mon Oct 03, 2016 12:39 pm
kaazimraza wrote:only question now, is, I have now got two certs from Applix installed on my server. One of them is expiring in 2016, and the other one is expiring in 2026. Does having two certs make a difference? Ideally, I'd like to have only one of them listed there.
TM1-SSL-Certs-Old-New.png


Thanks
Kaz

You will need them both until 24th November when one expires and the other takes over.
Why do you feel the desire to only have one

We have installation directory backup. My question is do we need to restore all over again and install new certificates again or could we simply copy paste the old certificates from this back up ,could both certificates exists simultaneously or we don’t have to do anything as according to above post the old certificates would be there till 24 Nov,2016 anyway. We are really confused here
We certainly don’t want to go backup restore route. Could experts please suggest an approach how to deal with it?

[vovanenok]

did you upgrade certificates on the client machine?

[gtonkin]

Whilst testing the 9.5.2 update path, I had my new certificates in a folder extracted from the zip file. Proceeded to rename the old SSL file, move the new certificates in, install them etc. etc. Restarted services and nothing. Took a while before I realised the error of my way so posting this in case others take a detour.
You need to ensure you keep both TM1Cipher.dat and TM1key.dat in the SSL folder.

The documentation does say copy and over-write but I wanted to keep the old folder for roll-back.

p.s. by not being able to register correctly, I had all sorts of issues of inexplicable (now obvious) errors:

• TM1Server.log
• errors - E15), E4), unable to register server - reminiscent of port in use but actually not available
• shutting down but never actually getting there

• EventVwr-Application
• Various related to tm1sdx64 - these related to the services not actually accepting connections-5495/5498 were not listening when using netstat -a

• Other
• tm1admsvr.log empty-nothing was written to help debug
• TM1 instance service had to be termnated.

Hope this helps if you mangle something along the way.

[kaazimraza]

Hi all,

We updated all of our environments (development, UAT, production, end users, admins & developer machines) this past weekend. Here are some observations; Maybe some/or all of below is well known by now, so apoligies if it is redundant.

Version: TM1 10.1.1
Authentication: Cognos (CAM)

Edited:

- I used the SSL versions that come with the SSL Updater Kit which are in the file shown in the image attached. As we'd know by now, all .tar and .gz files can be opened using 7Zip or any other file compression utility.

SSL_-_Certs_-_Compressed_-_folder_-_IBM_SSL_Updater_Kit.png (20.97 KiB) Viewed 17606 times

- If you are going to update client (Perspectives and/or Architect), you have to update all your environments otherwise the serves with old certs will not be displayed in the client after you have applied the updated certs.

- After applying the new SSL certs, all components are running (TM1 admin server, server, tm1 web) and these are displaying in the clients that have the new certs. Ops Console however is an exception. Though I've updated the certs in the "<tm1_install>\webapps\pmpsvc\WEB-INF\bin64\ssl" folder as well, but no luck.

- We have NOT updated any certs in Cognos, as we are moving away from Cognos BI, and will leave the basic Cognos installation for the sake of CAM authentication in TM1. Not sure if the above Ops Console issue is somehow related to it.

- For rolling out to end user machines ,we engaged IT to come up with a PowerShell script and cater for 32 bit & 64 bit environments (program files (x86) on 64 bit and program files on 32 bit). Also if you have users with Surface Pro running Windows 10, there's an odd error that Power Shell scripts run into, something related to Printers. If you want I can get you the details from our IT guy.

All in all, we are now waiting for the 'Day day', i.e. 25 Nov 2016 to see how it goes. Hopefully no surprises then.

Hope the above helps.

Thanks

Kaz

[gtonkin]

Hi Kaz, thanks for the update and info.

Did you notice if your Enable support for non-ssl clients got set to True in Cognos Configuration-I have done two 10.2.2 manually and this seems to get changed from false to true somewhere along the lines.