SSL breaks on Nov 24 (TM1 SSL Certificates Expire on 24 November)

[kaazimraza]

Hi Kaz, thanks for the update and info.

Did you notice if your Enable support for non-ssl clients got set to True in Cognos Configuration-I have done two 10.2.2 manually and this seems to get changed from false to true somewhere along the lines.

Hi gtonkin,

I didn't change it as such especially in the actual roll out. I did tinker with it in my test bed about 3 weeks ago, and didn't notice any benefits with respect to SSL certs. I am about to push a change to production, in about an hour, I'll change it to true and see if that makes any difference or sets it back to true. so stay tuned

Thanks

Kaz

[gtonkin]

Hi Kaz, It is not so much about the benefits or otherwise of using SSL - my concern was that we do not use it at many clients and after going through the manual steps, somewhere along the line, the setting in Cognos Config. is changed from False to True. Let me know if you pick this up-Thanks.

[kaazimraza]

Hi Kaz, It is not so much about the benefits or otherwise of using SSL - my concern was that we do not use it at many clients and after going through the manual steps, somewhere along the line, the setting in Cognos Config. is changed from False to True. Let me know if you pick this up-Thanks.

Hi gtonkin,

I got what you're saying, I guess I just over elaborated my thought . Anyway, here's what I did.

- Stopped all TM1 servers and Admin Host
- Changed Support non SSL option to True
- Restarted Admin Host and TM1 servers
- About 3 minutes later, checked back and support non SSL client was still set to True

Do you recall doing any other activity in your environment where you expected it to be set to True while it is actually set to False? Maybe you changed this option while Admin Host was still up ?

Thanks

Kaz

[gtonkin]

Hi Kaz, Thanks for the feedback. Will have to watch on the next one-I did not make any changes before the update but we have been allowing non-SSL clients forever.

[upali]

Hi all,

I've got a question on the SSL fix that IBM has released. We've used it successfully and have no issues with it.

However, my question is: Since the fix is only available from FC, does that mean any user who doesn't have the IBM maintenance agreement cannot use the fix? Is their only option now is to use the v2 certificate? I'm trying to understand the entitlements of getting the fix from IBM FC.

[kangkc]

Generate your own certs. This to me is the best solution to break the dependency.

[daemonview]

Hi Guys,

Anyone successfully tried installing your own certificate (not the IBM one) on 9.5.2 FP3? I have my own cert which is already being trusted by clients.

If so, can you please advice the steps?

[kangkc]

Yes, done that for 9.5, 9.4, 9.1. Can't find anyone using 8.x to test

Follow the steps in 9.5:
http://www.ibm.com/support/knowledgecen ... es_N1207C4

I choose the file system method but you will still need to run the TM1Crypt to generate the password files.
My advise is to keep the default cert name so that you do not need to update all the cfg, ini files.

[dsproffitt]

Generate your own certs. This to me is the best solution to break the dependency.

Good idea.

But people need to learn exactly what is happening when they do, or the amount of issues that will occur will be horrendous.

I get cases every month where people have made a half-arsed attempt at this and they dont have the first clue about what the mechanics of PKI are.

[kaazimraza]

Hi Kaz, Thanks for the feedback. Will have to watch on the next one-I did not make any changes before the update but we have been allowing non-SSL clients forever.

Hey bud, still set to true

[gtonkin]

Thanks for the feedback Kaz- I have updated another 4 servers and it remains True too-not sure about the 1st two updates. At least I now have batch files that can run the update process on V95 and V10.2 and Clients-takes less than a minute to update servers now.

[vladkon]

It seems that provided certificates do not work for older combination of TM1 and Controller. We have TM1 9.5.2 and Controller 10.1 IF4, after certificate upgrade TM1 works fine (Architect and Perspective), while FAP publish constantly fails.
As IBM states that it breaks FAP using any other certificate (v2 or private) it seems there is no solution for it now. Does any one has experience with older combinations of TM1 + FAP?

[Willi]

Hi,

I also have an issue with 9.5.2 FP3 clients and 10.2.2 FP3 server. After installing the clients exactly done like IBM mentioned in the documentation I cannot connect to the server with the 9.5.2 clients. Any hints.

Best regards

[kaazimraza]

Hi,

I also have an issue with 9.5.2 FP3 clients and 10.2.2 FP3 server. After installing the clients exactly done like IBM mentioned in the documentation I cannot connect to the server with the 9.5.2 clients. Any hints.

Best regards

Have you updated the client & servers (including pmpsvc folder), restarted admin servers, tm1 servers and the clients?

[Willi]

Have you updated the client & servers (including pmpsvc folder), restarted admin servers, tm1 servers and the clients?

Yes, I did.

[kaazimraza]

Have you updated the client & servers (including pmpsvc folder), restarted admin servers, tm1 servers and the clients?

Yes, I did.

Okay good, As I have mentioned in my post earlier, I actually used the certs that came with Updater Kit instead of the ones that are available through the download link. In other words, I downloaded the updater kit and then extracted the SSL certs out of it and patched manually.

Having said that, in my environment, we have server & client on 10.1.1, while in your case, you have different versions. Not sure if this could be one the issues, hopefully not.

Thanks

Kaz

[gtonkin]

Just tested on my Dev servers-Client 952 FP3, connected to another server running 10.2.2 FP4 - both patched with new certs, client also patched, no issue.
May be worthwhile confirming that relevant certs are correctly registered through certmgr.msc and double-checking that the client is also pointing to the new version.
Have you checked for any errors/warnings logged in your admin server log?

[Willi]

The connection from 9.5.2-Clients to 9.5.2-Server works. Even the connection from 10.2.2-Clients to 10.2.2-Server. But only 9.5.2-Clients to 10.2.2-Server does not. No entries in log-files.

[gtonkin]

-Just throwing out a whole lot of ideas here:
Do you see any 10.2.2 instances in Server Explorer from 9.5.2 or just -TM1?
Are any of the servers running SSL? Check netstat -a to see if listening on 5495 and 5498 if you are
Have you checked CognosConfig on the 10.2.2 server to ensure that EnableNonSSL clients is set appropriately?
Can you telnet from the 952 client machine to port 5495/5498 on the 10.2.2 server?

[Willi]

-Just throwing out a whole lot of ideas here:

Thx. I really appriciate. It's likely that I overlooked a point.

Do you see any 10.2.2 instances in Server Explorer from 9.5.2 or just -TM1?

Just -TM1

Are any of the servers running SSL? Check netstat -a to see if listening on 5495 and 5498 if you are

Yes, both ports are available and the Admin-Host is listening to them.

Have you checked CognosConfig on the 10.2.2 server to ensure that EnableNonSSL clients is set appropriately?

That maybe a good one. I tested both. TRUE and FALSE. With FALSE the port 5495 is not available.

Can you telnet from the 952 client machine to port 5495/5498 on the 10.2.2 server?

If the port is open I can reach it ba telnet