Local server not working after SSL certificate change

[bshaver]

I cannot get my local server to work after changing to the v2 SSL certificate. Remote server connection works fine.
We are running version 10.2.2 FP4 and are configured to use the 2048-bit certificates via the tm1ca_v2 file method.
Does anyone have any ideas?

Thank you.

[tomok]

Are you talking about Architect or Perspectives, or both? What do you mean when you say "local server". Do you mean the in-process local server that comes as a part of Perspectives (and which you run as stand-alone on your own workstation)? I'm pretty sure that doesn't use SSL because there is no Admin Host as part of that setup. If you are just talking remoting to the server box with RDP and running Architect or Perspectives there did you update the SSL in bin folder too (not just the bin_64 folder) in the event you are trying to connect with 32-bit client?

BTW, I'm building a new house. Can you get me a deal on carpet?

[bshaver]

I am talking about launching a local server using Perspectives by clicking the "start local server" item on the File menu of Server Explorer and pointing to a database directory that is on my local C drive. And a local server actually does launch a local Admin Server as an application, but it is trying to use the old certificate file applixca.pem. I tried putting a stripped down version of a tm1s.cfg file in the local database directory that includes the path to the new certificate file and the CertificateVersion=2 parameter. After that, it DID point to the correct certificate file, but it returns an error saying it cannot connect to the admin server. I have attached a pic of the load screen that opens when a local server is launch.

[tomok]

I followed the steps listed here:

http://www-01.ibm.com/support/docview.w ... wg21991657

to update my 10.2.2 FP4 client and I can run a local server fine. I did not use the V2 certs, I used the ones from IBM found here:

https://www-945.ibm.com/support/fixcent ... ent=Cognos

[bshaver]

Thanks Tom. That's what I was afraid of. There were several ways to handle the SSL certificate expiration and we chose the v2 option. I support about 130 TM1 Perspectives/Client users and this was the easiest approach for all of them to implement. I may have to revisit at a later time if a local server is not possible with the v2 certificate.

[Edward Stuart]

You have to stick with one update method in your estate,

Either:

- Update all the applixca.pem certs from version 1 to version 2
or
- Update the tm1s.cfg file with CertificateVersion=2 and amend the Admin Host version, then amend the Client Certificate to tm1_ca_v2.pem

You cannot connect to a 'standard' tm1s.cfg 'CertificateVersion=1' server with an explicit Version 2 certificate (tm1_cav2.pem)

Try amending the certificate in your client and see if you can now see your 'local' server

[lotsaram]

I am pretty sure that for local server any tm1s.cfg file is ignored. That is one of the limitations of local server. At least this was always the case with the "in process local server" of versions past, maybe it has changed ...

[Edward Stuart]

My guess is that it uses the default tm1s.cfg which would be generated with a new TM1 server, at present this new server would implicitly refer to CertificateVersion=1 as there is no CertificateVersion parameter in the tm1s.cfg file

If the user is using the Version 2 Certificate in their client, then the Server will not be available. Which is expected behavior

If the user is using a Version 1 Certificate and Admin Server, then the Server should be available

Re-reading the post:

BShaver as I interpret, has changed the Admin Server to Version 2 and all TM1 Servers to CertificateVersion = 2
He is now trying to start the Local Server which I anticipate is using the 'default' settings for a tm1s.cfg which requires Admin Server set to Certificate 1 and client certificate set for between Nov 2006 and Nov 2016 (i.e. NOT the applixca.pem updated via .bat scripts)

If you still wish to utilise the Local Server then you would (presumably) need to only update your environment via the .bat script overwrite process. This also assumes that the Local Server picks up this updated applixca.pem file

The shorter answer is don't use the Local Server!

[tomok]

This also assumes that the Local Server picks up this updated applixca.pem file.

It must because after I updated my certs with the new ones provided by IBM my local server option works and it didn't before I updated them. FWIW, I can't even remember the last time I actually ran a local server.

[Wim Gielis]

I am pretty sure that for local server any tm1s.cfg file is ignored. That is one of the limitations of local server. At least this was always the case with the "in process local server" of versions past, maybe it has changed ...

Hello,

If I start a local server with a cfg file where IntegratedSecurityMode=5, I get prompted that I cannot log in.
I have to change it to IntegratedSecurityMode=1 and use the standard login-password combination.
How can we explain this behaviour ?

[lotsaram]

If I start a local server with a cfg file where IntegratedSecurityMode=5, I get prompted that I cannot log in.
I have to change it to IntegratedSecurityMode=1 and use the standard login-password combination.
How can we explain this behaviour ?

I guess they changed it.
... the the local server is no longer an "in process server" but is a proper TM1 instance.

[BrianL]

If I'm understanding correctly, you've updated your local instance tm1s.cfg to use the V2 certificates, but NOT the admin server.

Unfortunately, the IBM documentation only describes how to change the certificate version via Cognos Config. If you're not using that, you'll need to edit the cogstartup.xml file which *should* be in the the "configuration" directory (next to "bin" or "bin64").

Change these lines from inside the "tm1AdminServer" tag to version 2:

Code: Select all

<crn:parameter name="tm1AdminSvrCertificateVersion">
        <crn:value xsi:type="xsd:int">2</crn:value>
</crn:parameter>

[bshaver]

Thanks BrianL, that WORKED!!! Apparently this cogstartup.xml file is only used by a local server. Our "remote" TM1 server and admin server are configured to use the v2 certificate. I just couldn't figure out how to get a "local" admin server to use it. Thanks again. I would have never found that on my own.

[bshaver]

Thanks to everyone who tried to help. It's nice to have a forum like this to go to for advice.

[BrianL]

Thanks BrianL, that WORKED!!! Apparently this cogstartup.xml file is only used by a local server. Our "remote" TM1 server and admin server are configured to use the v2 certificate. I just couldn't figure out how to get a "local" admin server to use it. Thanks again. I would have never found that on my own.

Glad it worked.

Just to clarify, cogstartup.xml is the only configuration file for the admin server. Your "remote" admin server was already configured (probably using Cognos Config) with this setting in the cogstartup.xml on that remote machine. When using a local server, it defaults to a local admin server and will start one if it's not found. It was the local admin server on your machine that wasn't already configured to use the V2 certificates.