IBM Support

How to Update Your Expiring TM1 SSL Certificates - Updater Kit - TM1 10.2.0 - UNIX

Fix Readme


*This document is applicable to all TM1 10.2.0 on UNIX, regardless of FixPack or InterimFix level*

If you have already implemented Custom SSL Certificates or the TM1 v2 SSL Certificates, across all TM1 Components - then no action is required. It is still suggested that you roll your test environment clock to a date beyond November 24th 2016 - and verify that all connectivity/components functions as expected.

Your TM1 SSL Certificates will expire on November 24th. If you use TM1 10.2.0 on UNIX, follow these steps to ensure you do not experience an outage! Failure to take action will result in your TM1 Environment being completely inaccessible November 24 2016.



-Please ensure that you have already reviewed all of the relevant detail on the following page before you proceed: IBM Cognos TM1 SSL Expiration - Updater Kit - Landing Page

-Do NOT confuse having custom certificates in your WebTier, as the solution. It is very possible that your WebTier had been configured for custom FRONT END / WEB certificates - and is still relying on the default TM1/APPLIX certificates for TM1 Server communication

-If your IBM Cognos TM1 environment uses a custom application server (such as Websphere), you will want to ensure you inquire with your AppServer Administrator to ensure all keystores are updated accordingly. And that new WAR files are generated and deployed.

-If your IBM Cognos TM1 environment is distributed (server components residing on different servers), be sure to follow the appropriate steps for the appropriate components.

-If your IBM Cognos TM1 environment communicates with any other services secured by SSL (for example but not limited to, an SSL Secured Cognos BI Dispatcher for CAM Authentication) you will be required to re-import all required certificates in to the tm1store using the keytool commands found in Step10.

-It is advised that all customers verify not only that these steps work in a test environment (prior to any production changes), but that the server clocks be rolled ahead past November 24th 2016 to ensure that the product behaves as expected post expiration date.

-If you have questions, please log a service request with TM1 Support so that the problem can be addressed.

-If using LINUX, only Steps 1-5 are required. As TM1 10.2.0 on Linux did not yet include an Application Server component

  1. Download the appropriate up_plananalytics TM1 10.2.0 Updater Kit from the following URL:
  2. Extract and copy the installation files to all TM1 Server install locations
  3. Stop all IBM Cognos TM1 Services in the environment you are updating
  4. Run the installer as an Administrator
  5. Click your way through the installer, ensuring that the updater is being applied over top of the correct TM1 install directory
  6. After the installation has finished, the following directories will contain the updated TM1 Certificate files:
    • <tm1_install_dir>/tm1_64/bin64/ssl
    • <tm1_install_dir>/tm1_64/webapps/pmpsvc/WEB-INF/bin64/ssl
  7. Navigate to <path_to_your_jre>/bin . Execute the following command:
    • ./keytool -delete -alias applixca -keystore ../lib/security/cacerts -storepass changeit
      **If you have not previously added the applixca certificate to the keystore, then you may get an error indicating that the alias does not exist. This is OK as the next step will perform the import.
    • ./keytool -import -trustcacerts -file <tm1_install_dir>/bin64/ssl/applixca.pem -alias applixca -keystore ../lib/security/cacerts -storepass changeit -v -noprompt
    • ./keytool -delete -alias applixca -keystore <tm1_install_dir>/bin64/pmpsvcTrustStore -storepass changeit
      **This file only exists if your TM1 Application Server had been started previously. If it had not, then this file does not exist - therefore the certificate can not be removed. If this file does not exist, skip this step - AND - skip the next step (the import will not be required, and will be performed automatically once you start your TM1 Application Server for the first time)
    • ./keytool -import -trustcacerts -file <tm1_install_dir>/bin64/ssl/applixca.pem -alias applixca -keystore <tm1_install_dir>\bin64\pmpsvcTrustStore -storepass changeit -v -noprompt

      *Note that your JRE location or password may have been changed during your installation and configuration. If the above does not work you will want to consult with whomever may have performed the installation and configuration of your environment.
  8. Navigate to <tm1_install_dir>/tm1_64/bin64/
  9. Start your IBM Cognos TM1 Services

At this stage, all IBM Cognos TM1 Server-side components have been updated to use the new TM1 Certificates - and are no longer are risk of ticket expiration. If you wish to confirm, you may roll ahead your computer date/time, and recycle your TM1 Services - to know for sure that you are able to function on a date post November 24 2016.

[{"Product":{"code":"SS9RXT","label":"Cognos TM1"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"TM1","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"}],"Version":"10.2","Edition":"All Editions","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
15 June 2018

