TM1 10.2 HTTPS-Problem

[lucas7lhw]

Hi Deadsea

Pls try to execute this command line on Linux (I used on CentOS) installed with OpenSSL:

Code: Select all

openssl x509 -inform der -in myserver.[cer|crt] -out myserver.pem

Then you will get PEM files. After this, pls refer to this tech note: How to enable SSL for IBM Cognos TM1Web 10.2.x

Best Regards,

Lucas

Good Day All:

I read through the thread and it is stated that certs to imported should in PEM or PFX format. However, I am unable to find any documentation from IBM (thus far looked up the packaged install/config guide that comes with 10.2.2 install) that states that authoritatively.

The issue is that I am being given certs in *.CER format and got the following error:

CAM-CRP-1212: Unable to load CA Cert from file 'somecertfile.CER'.

Can anyone point me to any document or a source that authoritatively states that certs must be in PEM or PFX?

Thank you everyone.

[Jim Tran]

Hello All,

I'm getting error Invalid certicate unknown and I attached the error.
I followed the steps that was mentioned my Sebastien, but I'm getting error.

can anyone suggest please? version: Cognos TM1 10.2.2

Thanks
Pranay

[Babandit]

Alright people, hold on to your hats here...
I spent about a month on this issue and have some interesting findings.
I read over 150 SSL articles and tried to understand HTTPS protocols and different types of SSL Certs available.

First off use the referenced "How to enable SSL for IBM Cognos TM1Web 10.2.x" http://www-01.ibm.com/support/docview.w ... wg21902547 to get your CSR files.

You will need to get 2 SSL certificates from your CA. 1 for sign.csr and 1 for the Encryption.csr files (this was a challenging part because you cannot use IP Addresses, you need a name like "IBMTM1Web.DomainName.com" and you must own the domain.

Depending on what software choice you made when you purchased your SSL cert "Jave, IBM, Tomcat, IIS, etc" I chose "Other" you should receive 1 ca Root file 1 intermediate file and 1 for Sign. you should receive the same for encrypt.
If the files are cer files then they should be the same format as PEM files. For more on converting on file type to another look at this link for Open SSL https://support.globalsign.com/customer ... ---openssl

Follow the import steps from the IBM reference above
Step 3: Import certificates
Keystore Signkeypair
cd "C:\Program Files\ibm\cognos\tm1_64\bin"

ThirdPartyCertificateTool.bat -java:local -i -s -r ..\ssl\signing.pem -D "C:\Program Files\ibm\cognos\tm1_64\configuration\signkeypair" -t ..\ssl\CA.pem -p NoPassWordSet

ThirdPartyCertificateTool.bat -java:local -i -T -r ..\ssl\CA.pem -D "C:\Program Files\ibm\cognos\tm1_64\configuration\signkeypair" -p NoPassWordSet
Keystore Encryptkeypair
ThirdPartyCertificateTool.bat -java:local -i -e -r ..\ssl\encryption.pem -D "C:\Program Files\ibm\cognos\tm1_64\configuration\encryptkeypair" -t ..\ssl\CA.pem -p NoPassWordSet
Keystore Cacerts

cd C:\Program Files\ibm\cognos\tm1_64\bin64\jre\7.0\bin

keytool -import -trustcacerts -file "C:\Program Files\ibm\cognos\tm1_64\ssl\CA.pem" -keystore ..\lib\security\cacerts -storepass changeit -alias TM1WebCA

Note: The -alias TM1WebCA attribute can be set to any appropriate text value, that references the CA certificate.

Just FYi these steps still did not work for me. I was still getting the not trusted site warning. I had to do the following:
I downloaded a tool called Keystore Explorer: http://www.keystore-explorer.org/
Once this was installed i was able to see exactly what certs were in my cacerts keystore file. and also what was in my signkeypair and encryptkeypair files. I had to manual remove the Camuser from the Encryption and also right click on the encryption and "Import CA Reply /From File" then point to the Encrypt.pem file.
Do the same for the Sign.pem.

Sorry this post got a little sloppy but I just figured this out last week.
Hope this helps.

Bandit

[Babandit]

One more step I didn’t mention is
after completing all the steps in post I also for good measure,
split the RootCA.cer, IntermediateCA.cer, Encrypt.cer and Sign.cer files and imported them to the keystore. I reference them using Keystore explorer , restarted the TM1 App server and now everything works.

Bandit