IBM Support

Configuring SSL/https for Cognos portal running on Apache server

Technical Blog Post


Abstract

Configuring SSL/https for Cognos portal running on Apache server

Body

Authors: Santosh Manakdass and Syed Moinudeen

Overview

SSL (Secure Sockets Layer) is a security protocol that provides a secure channel between two machines communicating over a network, whether that is the Internet or a local area network. SSL is mainly used when a web browser needs to connect securely to a web server over an insecure network.

HTTP is insecure and is subject to attacks that can let attackers gain access to critical information such as bank details, whereas HTTPS makes sure that data sent over the Internet is encrypted and hence secure.

Configuring HTTPS for Cognos is a fairly complex task that requires a good understanding of several technologies. Although steps for configuring HTTPS for Cognos can be found on the Internet, those steps do not work correctly. This article helps readers get past the small issues that occur here and there while configuring HTTPS.

Using the configuration steps described in this article, readers can save time by avoiding the additional issues usually faced while configuring HTTPS.

This article is aimed at Cognos administrators and Cognos users who work with Cognos configuration.

 Configuring Apache server for https on Windows Server

1. Creating a self-signed SSL certificate using OpenSSL:

Open the command prompt and cd to your Apache installation's bin directory. Usually it would be:

cd "C:\Program Files\Apache Software Foundation\Apache2.2\bin"

To create the SSL certificate, you need the location of the openssl.cnf file. The default location that OpenSSL uses for this file is set up for a Linux distribution, so you need to fix it for Windows by setting the Windows environment variable OPENSSL_CONF to point to the openssl.cnf file. The file is usually located at C:\Program Files\Apache Software Foundation\Apache2.2\conf\openssl.cnf.

You can set it with the following command, or through the GUI:

set OPENSSL_CONF=C:\Program Files\Apache Software Foundation\Apache2.2\conf\openssl.cnf

All files generated by the following commands will reside in the "C:\Program Files\Apache Software Foundation\Apache2.2\bin" folder.

Now that you have the environment variable set, you need to create a new OpenSSL certificate request using the following command:

openssl req -new -out server.csr

It will ask you many questions. You can safely ignore most of them and answer only the following:

PEM pass phrase. The password associated with the private key you are generating; it can be anything of your choice.
Common name. The fully qualified domain name associated with this certificate, that is, www.your-domain.com.

Now you need to remove the passphrase from the private key (privkey.pem, which the previous command wrote alongside server.csr). The file server.key created by the following command should be readable only by the Apache server and the administrator. You should also delete the .rnd file because it contains the entropy information for creating the key and could be used for cryptographic attacks against your private key.

openssl rsa -in privkey.pem -out server.key

Now you need to set an expiry date. It can be any period of your choice; 365 days, as below, is commonly used:

openssl x509 -in server.csr -out server.cert -req -signkey server.key -days 365

You now have the self-signed SSL certificate ready. Next, move the server.cert and server.key files to the C:\Program Files\Apache Software Foundation\Apache2.2\conf location.

2. Configuring Apache to run SSL/HTTPS server:

Now that you have the self-signed SSL certificate ready, all you need is to configure Apache to start the SSL server.

First you have to modify the C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf file.

Open conf\httpd.conf in a text editor and look for the line:

    LoadModule ssl_module modules/mod_ssl.so

and remove any pound sign (#) characters preceding it. Then look for the line:

    Include conf/extra/httpd-ssl.conf

and remove any pound sign (#) characters preceding it.

Next, you need to modify C:\Program Files\Apache Software Foundation\Apache2.2\conf\extra\httpd-ssl.conf. Leave all the default options as they are, but modify the following section according to your needs:

    <VirtualHost _default_:443>
    ServerAdmin [email protected]
    DocumentRoot "Your Root folder location"
    ServerName www.domain.com:443
    ServerAlias domain.com:443
    ErrorLog "logs/anyFile-error.log"
    CustomLog "logs/anyFile-access.log" common
    SSLEngine on
    SSLCertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/server.cert"
    SSLCertificateKeyFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/server.key"
    </VirtualHost>

Ensure that SSLCertificateFile and SSLCertificateKeyFile are properly located.

For better organization, you can also put the whole <VirtualHost></VirtualHost> section in C:\Program Files\Apache Software Foundation\Apache2.2\conf\extra\httpd-vhosts.conf along with your other virtual host settings, but to use that file you need to uncomment the Include conf/extra/httpd-vhosts.conf line in your conf\httpd.conf file.
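An added example, not part of the original article and not code from Apache or IBM: a Python check to run before restarting Apache. It reads the <VirtualHost ...:443> section described above and confirms that SSLEngine is on, that both certificate directives point at existing files, that SSLCertificateFile is the certificate and not server.csr, and that SSLCertificateKeyFile is the passphrase-free server.key and not privkey.pem. The function names and the check_vhost.py file name are assumptions made for this example.

```python
# Added example: function names are illustrative, not part of Apache or Cognos.
import shlex
import sys
from pathlib import Path

def parse_vhost(conf_text):
    """Return {directive: first argument} for the first <VirtualHost ...:443> block."""
    found, inside = {}, False
    for line in map(str.strip, conf_text.splitlines()):
        if line.lower().startswith("<virtualhost") and ":443" in line:
            inside = True
        elif inside and line.lower().startswith("</virtualhost"):
            return found
        elif inside:
            try:
                words = shlex.split(line, comments=True)
            except ValueError:  # unbalanced quote; Apache reports that itself
                continue
            if len(words) >= 2:
                found.setdefault(words[0].lower(), words[1])
    return None

def pem_headers(path):
    """BEGIN and Proc-Type lines of a PEM file; the base64 body is ignored."""
    lines = Path(path).read_text(errors="replace").splitlines()
    return [l.strip() for l in lines if l.startswith(("-----BEGIN", "Proc-Type:"))]

def check_vhost(conf_text, server_root):
    """Return a list of findings; an empty list means every check passed."""
    vhost = parse_vhost(conf_text)
    if vhost is None:
        return ["no complete <VirtualHost ...:443> block"]
    findings = []
    if vhost.get("sslengine", "").lower() != "on":
        findings.append("SSLEngine is not on")
    for name, kind in (("SSLCertificateFile", "CERTIFICATE"),
                       ("SSLCertificateKeyFile", "PRIVATE KEY")):
        value = vhost.get(name.lower())
        path = Path(server_root, value or "")  # relative paths resolve against ServerRoot
        headers = pem_headers(path) if value and path.is_file() else None
        if headers is None:
            findings.append(f"{name} is missing or its file does not exist")
        elif not any(h.endswith(kind + "-----") for h in headers):
            findings.append(f"{name} is not a PEM {kind} (a CSR fails this check)")
        elif any("ENCRYPTED" in h for h in headers):
            findings.append(f"{name} is still protected by a passphrase")
    return findings

if __name__ == "__main__":  # usage: python check_vhost.py <httpd-ssl.conf> <ServerRoot>
    print(check_vhost(Path(sys.argv[1]).read_text(), sys.argv[2]) or "OK")
```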

3. Opening SSL/HTTPS port on Windows:

Now you need to open an exception in Windows Firewall for TCP port 443. You can do that by going to Windows Firewall settings in Control Panel and adding a port in the exception section.

 Now restart your server and test: https://localhost

 

Configuring Cognos Portal for https

 Now that you have Apache server running with SSL, the next step is to install Cognos BI server following the steps in the installation guide:

http://www-01.ibm.com/support/docview.wss?uid=swg27037021

 Ensure that Cognos is up and running:

http://localhost/ibmcognos/

 Next, to configure Cognos server for SSL, you need to make the following two changes in the IBM Cognos configuration:

 

Go to Environment and change the port number for Dispatcher URIs gateway, External Dispatcher URI, Internal Dispatcher URI, Dispatcher URI for external applications and Content Manager URIs from 80 to 9343.

Make sure to use your server IP Address for all the URI settings as shown here:

 

I have used the IP address 127.0.0.1 in my screenshot; use the IP address of your Cognos server.

Under Cryptography -> Cognos, change the server common name to your Cognos server IP address as shown.

 

Now save the settings and restart the IBM Cognos Configuration and test Cognos portal for https.

https://localhost/ibmcognos/

 

 NOTE: While accessing the Cognos portal, you might get the following error:

 https://localhost/ibmcognos/

 

To fix the above error, make sure your JAVA_HOME refers to the IBM JRE.

 

About the Authors:

Name: Santosh Manakdass and Syed Moinudeen

Job Title: Developer


Bio: We work as developers for the Atlas suite of products under ECM. Our daily work involves handling customer PMRs and contributing to product releases in various technologies such as Java, JavaScript, JSF, GWT, Oracle, DB2, Cognos Reporting and so on.

Company: IBM

 


UID

ibm11281070