Topic
  • 49 replies
  • Latest Post - ‏2017-01-20T14:17:09Z by goodproduct
DSProffitt
DSProffitt
29 Posts

Pinned topic Default TM1 Applix Certs expire on 24th Nov 2016

‏2016-11-10T08:07:33Z | bi cdm controler ssl tm1

Default TM1 Applix Certs expire on 24th Nov 2016 (Replica)

Short link to this blog for easy distribution: http://ibm.biz/TM1SSLCertificate

Video casts: 

TM1 Server 10.2.2 - https://www.youtube.com/watch?v=W5mwwu54I1g
Verify TM1 certificates in Windows Key Store - https://www.youtube.com/watch?v=HGla2ixgnqI
Verify TM1 certificates with IBM Key Management - https://www.youtube.com/watch?v=h3704VSDLKI


All default TM1 Server/Admin Server SSL certificates of all supported TM1 on prem releases will expire on 24th November 2016.

If the TM1 installations of customers have not been updated with new certificates, after 24/11/2016 they will inaccessible:

From the customer's point of view they will have stopped working and TM1 will fail to start.

 

To start the process:

Official Landing Page of the SSL Certificate Expiry announcement

How to update your expiring IBM Cognos TM1 Certificates - Options

IBM Cognos TM1 SSL Expiration - Lookup page

IBM Cognos TM1 SSL Expiration - Manual Fix Approach - Landing Page


Updated TM1 SSL Certificates Download Location


How to Determine the Version of IBM Cognos TM1 in your Environment
 


IBM Cognos TM1 Server Side Updates & Steps:

 

How to Update Your Expiring TM1 SSL Certificates - Manual Steps - TM1 9.5.X (NOT Earlier)

How to Update Your Expiring TM1 SSL Certificates - Manual Steps - TM1 10.1.X


How to Update Your Expiring TM1 SSL Certificates - Manual Steps - TM1 10.2.X - WINDOWS

How to Update Your Expiring TM1 SSL Certificates - Manual Steps - TM1 10.2.2 FP4 IF1+ - WINDOWS

How to Update Your Expiring TM1 SSL Certificates - Manual Steps - TM1 10.2.X - UNIX

How to Update Your Expiring TM1 SSL Certificates - Manual Steps - TM1 10.2.2 FP4 IF1+ - UNIX

How to Update Your Expiring TM1 SSL Certificates - Manual Steps - IBM Cognos Express

How to Update Your Expiring TM1 SSL Certificates - Manual Steps - Cognos Express 10.1 / 10.2.1 Server

 


IBM Cognos TM1 Client Side Updates / Steps

 

How to Update Your TM1 Architect / TM1 Perspectives Client Installations - ALL VERSIONS

How to Update Your IBM Cognos TM1 Performance Modeler / Cognos Insight Provisioning Agent - TM1 10.2.2

How to Update Your Performance Modeler / Cognos Insight Client Installations - ALL VERSIONS

How to Update Your Expiring TM1 SSL Certificates - Manual Steps - Cognos Express 10.1 / 10.2.1 Client Components

How to Update Your Cognos BI TM1 Client Components
 


To update the following

  • Cognos Command Center Components

  • Cognos Controller Installation

  • Cognos TM1 Client Components for CDM

Navigate here


 

 


Please the section below To see which Certificate is current in your installation  for ways to confirm your current certificate. 


 

Updated on 2016-12-02T15:09:52Z at 2016-12-02T15:09:52Z by Gregor Gromer
  • DSProffitt
    DSProffitt
    29 Posts

    Re: Default TM1 Applix Certs expire on 24th Nov 2016

    ‏2016-11-10T08:09:16Z  

    To see which Certificate is current in your installation, there are a few ways to check

    1) Navigate to C:\Program Files\ibm\cognos\tm1_64\bin64\ssl
    2) open applixca.pem with a text editor
    3) Copy the contents of the file
    4) Open a browser and input https://www.sslshopper.com/certificate-decoder.html
    5) Paste the contents of the file into the box and you will see something like this


    To verify the SSL certificate update

    1. Verify the timestamps of the certificates, they need to match a 2016 Date modified

      Verify in the following directories 
      1. <tm1_install_dir>\tm1_64\bin\ssl
      2. <tm1_install_dir>\tm1_64\bin64\ssl
      3. <tm1_install_dir>\tm1_64\webapps\pmpsvc\WEB-INF\bin64\ssl
    2. Windows only: Verify the certificates to be imported correctly in the Windows keystore 
      1. Open Internet Explorer
      2. Go to Internet Options > Content > Certificates
      3. Go to "Trusted Root Certification Authorities"
      4. Double-click on the Applix, Inc certificate - the certificate should read to be valid until 2026:
    3. Verify the certificates to be imported correctly into the cacerts keystore, of the used jre. 
      1. On Windows go to <tm1_install_dir>\tm1_64\bin64\jre\7.0\bin
        On Unix cd to $JAVA_HOME/bin
      2. Run ikeyman.exe (Windows) / ikeyman (Unix, DISPLAY required)
      3. As Key database type select JKS
        Under Location select the cacerts keystore in <tm1_install_dir>\tm1_64\bin64\jre\7.0\lib\security ($JAVA_HOME/lib/security) 
      4. On prompt enter the password: changeit
      5. Change to Signer certificates:
      6. Double-click the applixca certificate, the validity should read until 2026.
      7. On Unix repeat step 3-6 for the pmpsvcTrustStore located in $TM1_install/bin64

     

    Updated on 2016-11-10T10:22:18Z at 2016-11-10T10:22:18Z by DSProffitt
  • DSProffitt
    DSProffitt
    29 Posts

    Re: Default TM1 Applix Certs expire on 24th Nov 2016

    ‏2016-11-10T08:09:32Z  

    IBM Cognos TM1 SSL Expiration - Updater Kits

    While the updater kit simplifies the manual approach, a few additional steps are required in order to ensure that the update takes effect. This document will help you find the right updater and setup steps for your install.

    http://www-01.ibm.com/support/docview.wss?uid=swg21991790

  • DSProffitt
    DSProffitt
    29 Posts

    Re: Default TM1 Applix Certs expire on 24th Nov 2016

    ‏2016-11-10T08:09:50Z  

    Controller, BI & CDM - Integrated Solutions.

    Cognos BI

    How to Update Your Cognos BI TM1 Client Components

    http://www-01.ibm.com/support/docview.wss?uid=swg21991658

     

    I use BI to interrogate TM1 as a datasource.  What do I do

    Use this step by step - http://www-01.ibm.com/support/docview.wss?uid=swg27041183


    Controller

    The customer does not need to make any changes to any Controller software component.
    In other words, there is no Controller software 'patch' (or modification) that needs to occur.


    The only changes required are to the TM1 components

    The fix (to allow Controller / FAP to work correctly) is simply to perform either Option #1 or Option #2 here: http://www-01.ibm.com/support/docview.wss?uid=swg21990588
    [If Option #3 or #4 is tried then this will break FAP)

    ALL versions of Controller should work with the new certificate (Option #1). 


    CDM

    1. For all TM1 releases, the client must apply the Interim Fix to both the TM1 Server and the TM1 API (which is installed on our CDM Server) in order to preserve the functionality

    If the Interim Fix is applied on both the TM1 Server and the TM1 API, no additional patch for CDM is necessary.

    2. A CDM APAR (93807) is under work and will ensure compatibility with :
    a) clients that are on TM1 10.2.2 with a 2048-bit certificate and DO NOT apply the TM1 Interim Fix
    b) clients that use TM1 using a non-default, proprietary certificate (bitness not relevant).

     

    Development for CDM are currently working on this and will provide guidance and direction. This note will be kept up to date.

     

  • DSProffitt
    DSProffitt
    29 Posts

    Re: Default TM1 Applix Certs expire on 24th Nov 2016

    ‏2016-11-10T08:10:06Z  

    IBM Cognos TM1 SSL Expiration - Manual Approach - Certificates

    https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FCognos+TM1&fixids=BA-CTM1-SSL-ZIP-IF001&function=fixId&parent=Cognos

  • DSProffitt
    DSProffitt
    29 Posts

    Re: Default TM1 Applix Certs expire on 24th Nov 2016

    ‏2016-11-10T08:10:55Z  

    IBM Cognos TM1 SSL Expiration - Manual Fix Approach

    While the manual fix approach is similar across versions, certain streams of TM1 require a slightly different approach for manually updating TM1 Certificates.

     

    If you use CDM or Controller - Please see in the below section for further information

    IBM TM1 Certificate Expiration ALERT:
    http://www-01.ibm.com/support/docview.wss?uid=swg21990869&myns=swgimgmt&mynp=OCSS9RXT&mync=R&cm_sp=swgimgmt-_-OCSS9RXT-_-R

    IBM Cognos TM1 Certificate Expiry FAQ:
    http://www-01.ibm.com/support/docview.wss?uid=swg21990940

    If you have any additional questions or concerns, please open a service request with IBM Cognos TM1 Support.


    Content

    Updated TM1 SSL Certificates Download Location:
    http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FCognos+TM1&fixids=BA-CTM1-SSL-ZIP-IF001

    How to Determine the Version of IBM Cognos TM1 in your Environment:
    http://www-01.ibm.com/support/docview.wss?uid=swg21964134

     


     

    IBM Cognos TM1 Server Side Updates / Steps

    How to Update Your Expiring TM1 SSL Certificates - Manual Steps - TM1 9.5.X (or earlier)
    http://www.ibm.com/support/docview.wss?uid=swg21991655

    How to Update Your Expiring TM1 SSL Certificates - Manual Steps - TM1 10.1.X
    http://www.ibm.com/support/docview.wss?uid=swg21991547

    How to Update Your Expiring TM1 SSL Certificates - Manual Steps - TM1 10.2.X - WINDOWS
    http://www.ibm.com/support/docview.wss?uid=swg21991546

    How to Update Your Expiring TM1 SSL Certificates - Manual Steps - TM1 10.2.2 FP4 IF1+ - WINDOWS
    http://www.ibm.com/support/docview.wss?uid=swg21991545

    How to Update Your Expiring TM1 SSL Certificates - Manual Steps - TM1 10.2.X - UNIX
    http://www.ibm.com/support/docview.wss?uid=swg21991549

    How to Update Your Expiring TM1 SSL Certificates - Manual Steps - TM1 10.2.2 FP4 IF1+ - UNIX
    http://www.ibm.com/support/docview.wss?uid=swg21991550

    How to Update Your Expiring TM1 SSL Certificates - Manual Steps - IBM Cognos Express
    http://www-01.ibm.com/support/docview.wss?uid=swg21991652


     

    IBM Cognos TM1 Client Side Updates / Steps

    How to Update Your TM1 Architect / TM1 Perspectives Client Installations - ALL VERSIONS
    http://www.ibm.com/support/docview.wss?uid=swg21991657

    How to Update Your Performance Modeler / Cognos Insight Client Installations - ALL VERSIONS
    http://www.ibm.com/support/docview.wss?uid=swg21991656

    How to Update Your Cognos BI TM1 Client Components
    http://www.ibm.com/support/docview.wss?uid=swg21991658

  • DSProffitt
    DSProffitt
    29 Posts

    Re: Default TM1 Applix Certs expire on 24th Nov 2016

    ‏2016-11-10T08:11:16Z  

    Frequently Asked Questions

    What is happening on 24th November 2016 with my SSL certificates?

    Cognos TM1 uses certificates to encrypt the communication between the admin server and the instances that contain your data.

    This is a security measure to prevent an unauthorised person from intercepting and changing your data.

    To make this system work out of the box, Cognos TM1 uses a default certificate to get customers started. 

    For one reason or another, some customers do not change this default certificate for one of their own to increase their security.  That is their choice.

    All SSL certificates will have an expiry date.  This is also a security measure.

    The default SSL certificate in Cognos TM1, applixca.pem, will expire on 24th November 2016.

     

    So, what does this mean?

    It means, that if you use a version of TM1 or Cognos Express that uses applixca.pem as its SSL certificate, then after 24th November, your TM1 admin server will not start.

    You will have to take measures to replace that certificate.

     

    So, there are 3 options.  Which one is right for me.

    In the blog this will be help you to decide which one will sort this issue out.  But your choice may depend on your Cognos solution and what versions & products they integrate in.  There may be some restrictions due to specific components and their version.  You should also consider your own internal security requirements.

     

    Where do I get guidance about the detailed steps for the implementation of either using the V2 SSL Certificates or about the interim fix?

    The Interim Fix will come with Release Notes.
    If there is anything that has not been addressed there, post your questions as a comment to the blog

     

    Do I need to upgrade the server and the clients?
    This depends entirely on your solution and what clients you use. You may be required to do both.

    Reach out on a PMR to ask your Support team.

     

    What is special about Ops Console, PMHub & CAFE in relation to TM1 10.2.2 FP4 IF1?  Why cant I install v2 certs in anything older than that version?

    The reason that this is in is because of a bug in the application of custom certificates when using SSL and TM1. (with Ops Console, PMHub/tm1/servers &  CAFE)

    Version 2 certificates ARE custom certificates, therefore they will not work with anything that is older than TM1 10.2.2 FP4 IF1 when trying to reach Ops Console, PmHub or CAFE.

     

    Do I have to do any of this?  Can't I just uninstall SSL from TM1?

    We do not support extracting SSL from TM1 and therefore there is no documentation for this. 

    Doing this is theoretically possible, but the complications resulting from it are horrendous if you get it wrong, and that is even if you know SSL and TM1 very well.

    The fact  that you are able to extract SSL from TM1 Server and Admin server is only because former clients did not use SSL.

    So in short: There is no supported way to do this.

     

    By default, the TM1 Admin Server and TM1 Server, are secured using a 1024-bit SSL Certificate. The rootCA of that certificate is the applixca.pem file.

    The steps in this technote describe how to configure the TM1 Admin Server and TM1 Server (as well as the TM1 Client components), to use the provided 2048-bit SSL certificate ( tm1ca_v2.pem ).

     

    Does using 2048bit SSL make it more secure, and why would I want to change it back to 1024bit when the Interim Fix is in?

    2048 is just an encryption method,  think of it as nothing more than a different set of keys.

     

    What do I do with Cognos Express.

    A solution is also being sought for Cognos Express 10.2.1 and earlier. 

    Further details will be published imminently, as soon as any information, relating to the Interim Fix, is known.

     

    What will the updater do?

    The updater replaces the old applixca certificates (expiring in November) with new ones (using the same name) that expire in 2026.


    What will the updater NOT do?

    The updater will NOT apply any new product fixes. These updaters are built only to update the expiring certificates.

     

    I am on an earlier version of TM1 than those covered by the Interim Fix, what do I do?

    Check out the options here

    http://www-01.ibm.com/support/docview.wss?uid=swg21990869

     

    We were wondering what the impact will be of the change in SSL certificates, once the fixpack is released, on our end users.

    The simple answer is absolutely nothing.  They wont even know.

    I would draw the analogy of when you get a new credit card with a new pin. 

    The retailers don't know that you have a new card, and you use the card with them, with your new pin number, without any changes in procedure or action.

    It is the same with the new SSL certs.  As long as you have not created your own custom SSL certificates, then when the Interim Fix updates the certificates, the TM1 admin server will start up and business will continue as usual.
    The only indication that you have changed certificates is if you/the administrator of the system translates the new certs and sees that the date has changed on them.

     


     

    For more FAQs on this item please visit also http://www-01.ibm.com/support/docview.wss?uid=swg21990940

     


     

    Updated on 2016-11-17T12:03:45Z at 2016-11-17T12:03:45Z by KarinC
  • DSProffitt
    DSProffitt
    29 Posts

    Re: Default TM1 Applix Certs expire on 24th Nov 2016

    ‏2016-11-10T08:11:45Z  

    Please review the Q&A in the next section of this blog, too before you take any action. 


    The Interim Fix details can be accessed via this link How to update your expiring IBM Cognos TM1 Certificates

     

    Instead of waiting for an Interim Fix with a new default set of 1024-bit SSL Certificates to replace the current expiring default set, another possible resolution is to replace it by the optional v2 set of 2048-bit SSL Certificates.

    TM1 v10.2.2 ships with 2 sets of SSL Certificates:
    - The default set of 1024-bit SSL Certificates
    - An optional set of 2048-bit SSL Certificates ( the v2 set )

    The default set of 1024-bit SSL Certificates will expire at 24.11.2016
    The optional v2 set of 2048-bit SSL Certificates will expire at 25.08.2022

    This only applies to the default TM1 10.2.x installation on Windows.

    That is, no custom certificates have been created for this installation and no adjustments have been made to any default directories

    If any enhancements have been made to the default installation, e.g. CAM security or SSO, then alternative arrangements must be made to adjust for any other SSL certificates that exist outside of the TM1 installation.

    Configuring the TM1 Admin Server
    -Stop the TM1 Admin Server
    -Launch IBM Cognos Configuration (from 'Start Menu > All Programs > IBM Cognos TM1 - 64'
    -Under 'Local Configuration > Environment', select 'TM1 Admin Server'.
    -Set the 'TM1 Admin Server Certificate Version' to '2' ( default is 1 )

    Configuring the TM1 Server Instance
    -Stop the TM1 Server
    -Find and edit the tm1s.cfg file for the TM1 Server
    -Add the following parameter: CertificateVersion=2 ( default when not used, is CertificateVersion=1 )
    -Save and close the tm1s.cfg file

    Configuring TM1 Architect
    -Open TM1 Architect
    -Click 'File > Options'
    -Under 'Certificate Authority' click 'Browse…' and select the '..\tm1_64\bin\ssl\tm1ca_v2.pem' file.
    -Ensure the 'Certificate ID' text box contains the value 'tm1adminserver'
    -Press OK

     

    Configuring TM1 Web
    -You should NOT need to do anything with TM1 Web

     



    FOR WINDOWS ONLY - Configuring PMPSVC/PMHub

    If you DO use TM1 Operations Console / PMHub / CAFE, and are NOT using TM1 10.2.2 FP4 IF1+ -then you will have to wait for the updates

    If you are on 10.2.2 FP4 IF1+, the following is available to you

    C:\Program Files\ibm\cognos\tm1_64\bin64\service_pmpsvc.bat around line 280

     

    rem "for machines with 3GB RAM"

    rem set EXTRA_JVM_OPTIONS=-Xmx1536m;-XX:MaxNewSize=768m;-XX:NewSize=384m;-XX:MaxPermSize=128m

    rem Set JVM parameters

    set BASE_JVM_OPTIONS=-Dfile.encoding=UTF-8;-Dcatalina.base=%CATALINA_BASE%;-Dcatalina.home=%CATALINA_HOME%;-Djava.endorsed.dirs=%CATALINA_HOME%\common\endorsed;-Djava.io.tmpdir=%CATALINA_TMPDIR%;-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true

     

    The location of where you point this switch to depends on the location of directory that holds the TM1 installation (Default installation).  Add this line

    ;-Dcom.ibm.cognos.tm1.certificate.dir=C:\Program Files\ibm\cognos\tm1_64\webapps\pmpsvc\WEB-INF\bin64\

     

    The next bit is important that is followed in this order.

    Everything is down in the Cognos Configuration

    Delete the directories that form part of the contents of

    C:\Program Files\ibm\cognos\tm1_64\tomcat\work\Catalina\localhost

    Pmpsvc

    Pmhub

    TM1Web

     

    Then uninstall the service_pmpsvc.bat service.  I use an output file to ensure it has uninstalled properly.

    Open a command window

    cd C:\Program Files\ibm\cognos\tm1_64\bin64

    service_pmpsvc.bat uninstall >> c:\output.txt

     

    You can check the contents of this file and it will report something like this

    Using JVM:              C:\Program Files\ibm\cognos\tm1_64\bin64\jre\7.0\bin\j9vm\jvm.dll

    Stopping the service "pmpsvc" ...

    Removing the service "pmpsvc" ...

    The service "pmpsvc" has been removed

    errorlevel 0 exit 0

     

    Then save the Cognos configuration

     

    Then we need to install the service_pmpsvc.bat

    Open a command window

    cd C:\Program Files\ibm\cognos\tm1_64\bin64

    service_pmpsvc.bat install >> c:\output.txt

     

    This time you will see keytool errors that look like this in the output.txt file.

    Using JVM:              C:\Program Files\ibm\cognos\tm1_64\bin64\jre\7.0\bin\j9vm\jvm.dll

    More help is available by typing NET HELPMSG 2185.

    Installing the service "pmpsvc" ...

    Using CATALINA_HOME:    C:\Program Files\ibm\cognos\tm1_64\tomcat

    Using CATALINA_BASE:    C:\Program Files\ibm\cognos\tm1_64\tomcat

    Using JAVA_HOME:       

            1 file(s) copied.

    keytool error: java.lang.Exception: Certificate not imported, alias <applixca> already exists

    keytool error: java.lang.Exception: Certificate not imported, alias <tm1ca_v2> already exists

    The service "pmpsvc" has been installed.

    errorlevel 0 exit 0

     

    These can safely be ignored as they are certificates that are already installed, and the keytool is complaining about them being there. They are the default certs we use, so that's all good.


     

    FOR Linux/AIX ONLY

    In the startup_pmpsvc.sh file (located in ~/TM1Root/bin64/

    The current line reads

    UDECODER_OPTS="-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true

     

    Add

     -Dcom.ibm.cognos.tm1.certificate.dir=$TM1_HOME/webapps/pmpsvc/WEB-INF/bin64"

    Note the space between true and -Dcom.ibm.cognos.tm1.certificate.dir.

    Save the file


    DO NOT START THE APPLICATION SERVER YET

     

    Configuring the TM1 Application Server
    -Open and edit the '..\tm1_64\webapps\pmpsvc\WEB-INF\configuration\fpmsvc_config.xml' file
    -Find the TM1 Tags within the file and review. You will need to specify the TM1 Admin Server and TM1 Server if not previously configured, as well as update the file to use the 2048-bit CA files. The modified file should look similar to the below:

     

    I have only configured SData, but if you have more than one server here, you need to add them in as needed.

    This prevents you having to add them in on the TM1 Application's web portal using the

     

    <tm1>
    <gateway uri=""/>
    <alternate_gateway_uris>
    <alternate_gateway uri="*"/>
    </alternate_gateway_uris>
    <dispatcher uri=""/>
    <admin_host name="Admin Server Name">
    <certificate authority="tm1ca_v2.pem" id="tm1adminserver" />
    <servers>
    <certificate authority="tm1ca_v2.pem" id="tm1adminserver" />
    <server name="SData"/>
    </servers>
    </admin_host>
    </tm1>

    Save the file.

    Make a copy of this file and save it in ~TM1ROOT\tm1_64\webapps\pmpsvc\WEB-INF\bin64 (applies both to Windows AND Linux)

     

    Start the TM1 Admin Server

    Start the TM1 Server Instance

     

    Checking Architect, you should see the server you have adjusted the tm1s.cfg file for.

     

    Start the Tm1 Application Server

     

    To make the Ops console work, you need to configure the PM Hub first.

    Enter a value of the fully qualified domain name here of your admin host (same as in your fpmsvc_config.xml)

    Configuring TM1 Operations Console / PMHub

    To test if PMHub can communicate with the TM1 Admin Server the following URL can be used (replace tm1web.domain.com with the name of the system running the PMHub web application).
    http://tm1web.domain.com:9510/pmhub/pm/tm1/servers


    If PMHub is correctly configured to use the 2048 bit certificate this URL should return a list of TM1 server known by TM1 Admin Server. This is an example of the response provided where PMHub could connecto the TM1 Admin Server and saw the SData sample model running.


    {"servers":[{"id":"CO","name":"CO","class":"server","rel":"child","href":"http://tm1web.domain.com:9510/pmhub/pm/tm1/server%28CO%29"},{"id":"SData","name":"SData","class":"server","rel":"child","href":"http://tm1web.domain.com:9510/pmhub/pm/tm1/server%28SData"}],"self":{"name":"servers","class":"servers","rel":"self","href":"https://tm1web.domain.com:9510/pmhub/pm/tm1/servers"}}

     

     

    Having done all that, the following clients should work without any further adjustment

    TM1 Web

    TM1 Application Web

    Perspectives

    Ops Console

    CAFE

     

    Two caveats:
    1) This works only in 10.2.2.4 IF1 and later. Definitely works in all FP5 and FP6 releases.
    2) You should copy fpmsvc_config.xml from .../webapps/pmpsvc/WEB-INF/configuration to location chosen above whenever PMPSVC admin user reconfigures PMPSVC certificates, or the file is edited by hand.

    Updated on 2016-11-17T12:05:37Z at 2016-11-17T12:05:37Z by KarinC
  • DSProffitt
    DSProffitt
    29 Posts

    Re: Default TM1 Applix Certs expire on 24th Nov 2016

    ‏2016-11-10T10:29:17Z  

    Dear experts,

    Two important questions for us:

    1. How to test that the manual fix worked without wait till the 24th. Nov. We're in a big house in here and it is impossible to change dates systems because of MS Windows Active Directory synchronicity policies. If date system changes, any authentication process fail.

    2. In the technotes for Cognos BI TM1 Client is said that if TM1 is used with Cognos BI the newest FP MUST be applied, but it is not clear if this is only for Cognos BI installed on UNIX or for all Cognos BI. Could you please clarify ?

    Thanks for your help


    Thank you for the question.

    1. To test this, I would suggest setting up a virtual test environment (I use VMWare) and this way you can change dates on the VM without changing dates on the actual system.

    2.  Whilst the TechNote you are talking about uses Unix as a reference point a couple of time, these references are the exception, rather than the rule and these instructions are for Windows, AIX and Linux/Unix based systems

  • DSProffitt
    DSProffitt
    29 Posts

    Re: Default TM1 Applix Certs expire on 24th Nov 2016

    ‏2016-11-10T10:30:24Z  

    Dear experts,

    we followed the instructions for "How to Update Your Expiring TM1 SSL Certificates - Manual Steps - IBM Cognos Express".

    Seems everything is working fine exept of the CX Application Portal.

    When we try to access the portal through the webbrowser we receive a login and after the login an error message.

    See the following screenshot for further information.

     

    Seems that the application service is not able to communicate with the CXMD Server Instance after the update process.

    Are we missing something or is this a known problem?

     

    Thx for your reply and help.

    best regards

    Bernhard


    Thank you for the question.
    The technote 1991652 has been modified with the information below:

    • Navigate to <express_install_dir>\bin64\. Open/edit the bootstrap_winx64.xml file.
    • Look for the following line:
      • <param>"-Dcom.ibm.cognos.disp.useDaemonThreads=true"</param>
    • Under the line found above, add a new line:
      • <param>"-Dcom.ibm.cognos.tm1.bin=${install_path}\bin64"</param>
    • Save and close the bootstrap_winx64.xml file

    Dear Voisin,

    thank you for the instant supply.

    We were able to access the tm1 application portal.

    Right now we are facing the next problem. We tried to configure the Performance Modeler Client according to the "How to Update Your Performance Modeler / Cognos Insight Client Installations - ALL VERSIONS" manual.

    Nevertheless we run into an error when the PM client is trying to access the application service (see screenshot below).

     

    Before applying the certification changes everything worked fine.

    Looking forward for your help - thx in advance.

    Bernhard


    Don't forget to update all SSL folders as indicated in point 8:

    "Copy the contents of the folder you extracted earlier C:\NewSSLCerts\ , and place them inside of ALL \ssl\ folder found in your Performance Modeler or Cognos Insight installation directory. During this process, you will be required to REPLACE all conflicting files as we must replace the old certificate files with new ones."

    Here is the list of SSL folder for

    Performance Modeler:
    "<perfmodeler folder>\bins\bin_10.xxxx\tm1\bin\ssl"
    "<perfmodeler folder>\bins\bin_10.xxxx\tm1\bin\tm1api101\ssl"
    "<perfmodeler folder>\bins\bin_10.xxxx\tm1\bin\tm1api102\ssl"

    "<perfmodeler folder>\plugins\com.cognos.pmta.tm1.distributed.bin.win32.x86_64_10.xxxx\extract_bin\tm1\bin\ssl"
    "<perfmodeler folder>\plugins\com.cognos.pmta.tm1.distributed.bin.win32.x86_64_10.xxxx\extract_bin\tm1\bin\tm1api101\ssl"
    "<perfmodeler folder>\plugins\com.cognos.pmta.tm1.distributed.bin.win32.x86_64_10.xxxx\extract_bin\tm1\bin\tm1api102\ssl"

     

    Cognos Insight:
    "<CI folder>\bin_10.xxxx\tm1\bin\ssl"
    "<CI folder>\bin_10.xxxx\tm1\bin\tm1api101\ssl"
    "<CI folder>\bin_10.xxxx\tm1\bin\tm1api102\ssl"
    "<CI folder>\plugins\com.cognos.pmta.tm1.distributed.bin.win32.x86_64_10.xxxx\extract_bin\tm1\bin\ssl"
    "<CI folder>\plugins\com.cognos.pmta.tm1.distributed.bin.win32.x86_64_10.xxxx\extract_bin\tm1\bin\tm1api101\ssl"
    "<CI folder>\plugins\com.cognos.pmta.tm1.distributed.bin.win32.x86_64_10.xxxx\extract_bin\tm1\bin\tm1api102\ssl"


     

    Hi Voisin,

    I appreciate your instant reply.

    We were not aware of the SSL folders in the plugins folder and will give it a try.

    Furthermore we came up with an additional question.

    What SSL-Certification Files are in use if a customer installs one of the express clients from the express landing page after the update?

    Our tests seem to indicate, that still the old SSL-Files are in use!

     

    best regards

    Bernhard


    Hi Bernhard,

    I am afraid that until such time as a full correction is available for previous versions of Cognos Express,  the .exe installation files for Express clients will still contain previous certificates. This will require executing the manual updates on the client system after each installation.

  • DSProffitt
    DSProffitt
    29 Posts

    Re: Default TM1 Applix Certs expire on 24th Nov 2016

    ‏2016-11-10T10:30:38Z  

    Hello,

     

    I have 1 question regarding Manual Fix approach.

    My client is on TM1 10.2.2 FP5. It's not clear What procedure to follow between 2 below :

    • How to Update Your Expiring TM1 SSL Certificates - Manual Steps - TM1 10.2.X - WINDOWS
    • How to Update Your Expiring TM1 SSL Certificates - Manual Steps - TM1 10.2.2 FP4 IF1+ - WINDOWS

    IF1+ is related to IF or also to FP ? Can you please clarify this point ? 

    Thank you very much for your answer. 

    Best regards, 

    Sophie B


    Hi Sophie

    TM1 10.2.2 FP5 Windows would come under the TM1 10.2.2 FP4 IF1+ - WINDOWS

     

    The "+" sign indicates that anything including and after 10.2.2 FP4 Interim Fix 1 has that manual procedure.

    Anything from TM1 10.2..0 to TM1 10.2.2 FP4 uses the one above.

    Does that answer your question?

  • DSProffitt
    DSProffitt
    29 Posts

    Re: Default TM1 Applix Certs expire on 24th Nov 2016

    ‏2016-11-10T10:34:26Z  

    I tried Step 3:
    Verify the certificates to be imported correctly into the cacerts keystore, of the used jre

    But it does not shown any Applix certs having been imported.

    This was after I ran the last 2 steps of the 10.1.1 Updater ( http://www-01.ibm.com/support/docview.wss?uid=swg21991789 )

    • Execute the uninstallSSL.bat file, to uninstall old keys from the Windows Keystore
    • Execute the importsslcert.exe file, to install the new keys in to the Windows Keystore

    Any ideas?


    OK looks like the Java cert is not used with TM1 10.1.1 as it's still IIS not Tomcat. Thanks Nadine.


    Using a client that requires the new certificate like i.e. Architect will allow for a simple test of the successful certificate deployment:
    -> move the clock on the client beyond 24th of November will show whether the certificate is installed ok on this client
    -> subsequently this client will only work ok with the server(s) if they are equally successfully upgraded to the new certificate

    Updated on 2016-11-10T10:34:56Z at 2016-11-10T10:34:56Z by DSProffitt
  • DSProffitt
    DSProffitt
    29 Posts

    Re: Default TM1 Applix Certs expire on 24th Nov 2016

    ‏2016-11-10T10:35:15Z  

    To see which Certificate is current in your installation, there are a few ways to check

    1) Navigate to C:\Program Files\ibm\cognos\tm1_64\bin64\ssl
    2) open applixca.pem with a text editor
    3) Copy the contents of the file
    4) Open a browser and input https://www.sslshopper.com/certificate-decoder.html
    5) Paste the contents of the file into the box and you will see something like this


    To verify the SSL certificate update

    1. Verify the timestamps of the certificates, they need to match a 2016 Date modified

      Verify in the following directories
      1. <tm1_install_dir>\tm1_64\bin\ssl
      2. <tm1_install_dir>\tm1_64\bin64\ssl
      3. <tm1_install_dir>\tm1_64\webapps\pmpsvc\WEB-INF\bin64\ssl
    2. Windows only: Verify the certificates to be imported correctly in the Windows keystore
      1. Open Internet Explorer
      2. Go to Internet Options > Content > Certificates
      3. Go to "Trusted Root Certification Authorities"
      4. Double-click on the Applix, Inc certificate - the certificate should read to be valid until 2026:
    3. Verify the certificates to be imported correctly into the cacerts keystore, of the used jre.
      1. On Windows go to <tm1_install_dir>\tm1_64\bin64\jre\7.0\bin
        On Unix cd to $JAVA_HOME/bin
      2. Run ikeyman.exe (Windows) / ikeyman (Unix, DISPLAY required)
      3. As Key database type select JKS
        Under Location select the cacerts keystore in <tm1_install_dir>\tm1_64\bin64\jre\7.0\lib\security ($JAVA_HOME/lib/security) 
      4. On prompt enter the password: changeit
      5. Change to Signer certificates:
      6. Double-click the applixca certificate, the validity should read until 2026.
      7. On Unix repeat step 3-6 for the pmpsvcTrustStore located in $TM1_install/bin64

     

    I checked whether V2 ist in place of my 10.2.0 installation by taking a look in the cogstartup.xml-file under the folder .\tm1_54\configuration\ which contains these tags:

          <!-- tm1AdminSvrCertificateVersion: Gibt an, welche Version des von TM1 generierten SSL-Zertifikats 
               verwendet werden soll.  -->
          <!-- Standardmäßig wird die 1024-Bit-Verschlüsselungsversion des von TM1 generierten SSL-Zertifikats 
               verwendet. Ändern Sie diesen Parameter nur, wenn Sie die neue 2048-Bit-Verschlüsselungsversion 
               des Standardzertifikats verwenden möchten. Sie können die neue Version mit alten 
               und neuen TM1 Clients verwenden, Sie müssen jedoch die Clients für die Verwendung 
               der neuen Zertifizierungsstellendatei konfigurieren. Dieser Parameter ist nicht anwendbar, 
               wenn Sie eigene SSL-Zertifikate verwenden. Gültige Werte: 1 = Aktivierung der 1024-Bit-Verschlüsselung 
               mit sha-1 (Standardwert) durch die Zertifizierungsstelle; 2 = Aktivierung der 1048-Bit-Verschlüsselung 
               mit sha-256 durch die Zertifizierungsstelle.  -->
          <crn:parameter name="tm1AdminSvrCertificateVersion">
            <crn:value xsi:type="xsd:int">1</crn:value>
          </crn:parameter>

    Actually, I am concerned by the issue, unfortunately. But now it is clear, even if my Cognos Configuration Tool won't start, as its buggy...

  • DSProffitt
    DSProffitt
    29 Posts

    Re: Default TM1 Applix Certs expire on 24th Nov 2016

    ‏2016-11-10T10:35:27Z  

    I checked whether V2 ist in place of my 10.2.0 installation by taking a look in the cogstartup.xml-file under the folder .\tm1_54\configuration\ which contains these tags:

          <!-- tm1AdminSvrCertificateVersion: Gibt an, welche Version des von TM1 generierten SSL-Zertifikats 
               verwendet werden soll.  -->
          <!-- Standardmäßig wird die 1024-Bit-Verschlüsselungsversion des von TM1 generierten SSL-Zertifikats 
               verwendet. Ändern Sie diesen Parameter nur, wenn Sie die neue 2048-Bit-Verschlüsselungsversion 
               des Standardzertifikats verwenden möchten. Sie können die neue Version mit alten 
               und neuen TM1 Clients verwenden, Sie müssen jedoch die Clients für die Verwendung 
               der neuen Zertifizierungsstellendatei konfigurieren. Dieser Parameter ist nicht anwendbar, 
               wenn Sie eigene SSL-Zertifikate verwenden. Gültige Werte: 1 = Aktivierung der 1024-Bit-Verschlüsselung 
               mit sha-1 (Standardwert) durch die Zertifizierungsstelle; 2 = Aktivierung der 1048-Bit-Verschlüsselung 
               mit sha-256 durch die Zertifizierungsstelle.  -->
          <crn:parameter name="tm1AdminSvrCertificateVersion">
            <crn:value xsi:type="xsd:int">1</crn:value>
          </crn:parameter>

    Actually, I am concerned by the issue, unfortunately. But now it is clear, even if my Cognos Configuration Tool won't start, as its buggy...

    I followed the steps "FOR WINDOWS ONLY - Configuring PMPSVC/PMHub".

    All the tools (perspectives, perf.modeler, etc) working, but CAFE does not see server list.

    PMHUB control returns no server.

    {"servers":[],"self":{"name":"servers","class":"servers","rel":"self","href":"http://myserver:9510/pmhub/pm/tm1/servers"}}
    

    Is there any comment on the for the problem?

  • DSProffitt
    DSProffitt
    29 Posts

    Re: Default TM1 Applix Certs expire on 24th Nov 2016

    ‏2016-11-10T10:55:43Z  

    I checked whether V2 ist in place of my 10.2.0 installation by taking a look in the cogstartup.xml-file under the folder .\tm1_54\configuration\ which contains these tags:

          <!-- tm1AdminSvrCertificateVersion: Gibt an, welche Version des von TM1 generierten SSL-Zertifikats 
               verwendet werden soll.  -->
          <!-- Standardmäßig wird die 1024-Bit-Verschlüsselungsversion des von TM1 generierten SSL-Zertifikats 
               verwendet. Ändern Sie diesen Parameter nur, wenn Sie die neue 2048-Bit-Verschlüsselungsversion 
               des Standardzertifikats verwenden möchten. Sie können die neue Version mit alten 
               und neuen TM1 Clients verwenden, Sie müssen jedoch die Clients für die Verwendung 
               der neuen Zertifizierungsstellendatei konfigurieren. Dieser Parameter ist nicht anwendbar, 
               wenn Sie eigene SSL-Zertifikate verwenden. Gültige Werte: 1 = Aktivierung der 1024-Bit-Verschlüsselung 
               mit sha-1 (Standardwert) durch die Zertifizierungsstelle; 2 = Aktivierung der 1048-Bit-Verschlüsselung 
               mit sha-256 durch die Zertifizierungsstelle.  -->
          <crn:parameter name="tm1AdminSvrCertificateVersion">
            <crn:value xsi:type="xsd:int">1</crn:value>
          </crn:parameter>

    Actually, I am concerned by the issue, unfortunately. But now it is clear, even if my Cognos Configuration Tool won't start, as its buggy...

    I followed the steps "FOR WINDOWS ONLY - Configuring PMPSVC/PMHub".

    All the tools (perspectives, perf.modeler, etc) working, but CAFE does not see server list.

    PMHUB control returns no server.

    <pre dir="ltr" style="color: rgb(0, 0, 0); line-height: normal; white-space: pre-wrap; word-wrap: break-word;">{"servers":[],"self":{"name":"servers","class":"servers","rel":"self","href":"http://myserver:9510/pmhub/pm/tm1/servers"}} </pre>

    Is there any comment on the for the problem?

    In response to 5PN7_Birol_Cavus

    I followed the steps "FOR WINDOWS ONLY - Configuring PMPSVC/PMHub".

    All the tools (perspectives, perf.modeler, etc) working, but CAFE does not see server list.

    PMHUB control returns no server.

    {"servers":[],"self":{"name":"servers","class":"servers","rel":"self","href":"http://myserver:9510/pmhub/pm/tm1/servers"}}
    

    Is there any comment on the for the problem?

     

    Do you use CAM on this system?

    Can you check the pmhub/pm/admin settings to make sure that the tm1.dictionary has a Fully Qualified Domain Name

    Updated on 2016-11-10T10:59:02Z at 2016-11-10T10:59:02Z by DSProffitt
  • DSProffitt
    DSProffitt
    29 Posts

    Re: Default TM1 Applix Certs expire on 24th Nov 2016

    ‏2016-11-10T10:56:10Z  

    I checked whether V2 ist in place of my 10.2.0 installation by taking a look in the cogstartup.xml-file under the folder .\tm1_54\configuration\ which contains these tags:

          <!-- tm1AdminSvrCertificateVersion: Gibt an, welche Version des von TM1 generierten SSL-Zertifikats 
               verwendet werden soll.  -->
          <!-- Standardmäßig wird die 1024-Bit-Verschlüsselungsversion des von TM1 generierten SSL-Zertifikats 
               verwendet. Ändern Sie diesen Parameter nur, wenn Sie die neue 2048-Bit-Verschlüsselungsversion 
               des Standardzertifikats verwenden möchten. Sie können die neue Version mit alten 
               und neuen TM1 Clients verwenden, Sie müssen jedoch die Clients für die Verwendung 
               der neuen Zertifizierungsstellendatei konfigurieren. Dieser Parameter ist nicht anwendbar, 
               wenn Sie eigene SSL-Zertifikate verwenden. Gültige Werte: 1 = Aktivierung der 1024-Bit-Verschlüsselung 
               mit sha-1 (Standardwert) durch die Zertifizierungsstelle; 2 = Aktivierung der 1048-Bit-Verschlüsselung 
               mit sha-256 durch die Zertifizierungsstelle.  -->
          <crn:parameter name="tm1AdminSvrCertificateVersion">
            <crn:value xsi:type="xsd:int">1</crn:value>
          </crn:parameter>

    Actually, I am concerned by the issue, unfortunately. But now it is clear, even if my Cognos Configuration Tool won't start, as its buggy...

    This value confirms that you are using the 1024-bit certificates. You will need to update the SSL certificates or change to the 2048 bit length/custom certificates. If there are further questions, you can again participate in one of the calls, ask your questions here or open a PMR to get it resolved.

     

    Nadine

  • DSProffitt
    DSProffitt
    29 Posts

    Re: Default TM1 Applix Certs expire on 24th Nov 2016

    ‏2016-11-10T10:56:42Z  

    gives the following information:

     

    FOR Linux/AIX ONLY

    In the startup_pmpsvc.sh file (located in ~/TM1Root/bin64/

    The current line reads

    UDECODER_OPTS="-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true

     

    Add

     -Dcom.ibm.cognos.tm1.certificate.dir=$TM1_HOME/webapps/pmpsvc/WEB-INF/bin64"

    Note the space between true and -Dcom.ibm.cognos.tm1.certificate.dir.

    Save the file

     

    But the article How to Update Your Expiring TM1 SSL Certificates - Manual Steps - TM1 10.2.X - UNIX doesn't have any reference to this, and from step 10. states:

     

    Navigate to <tm1_install_dir>/bin64/ and open/edit the startup_pmpsvc.sh file

    • From the top, find the first line beginning with 'CATALINA_OPTS='
    • Append the following to the end of the string, but before the closing double-quote: -Dcom.ibm.cognos.tm1.bin=$TM1_BIN
      ***Use $TM1_BIN as is, you are not expected to modify this variable as it sets itself via the script. Ensure that you have placed a 'space' as the first character before the -Dcom.. string
    • Save your changes and close the startup_pmpsvc.sh file

    We are using AIX 7.1, and the first references to CATALINA_OPTS= in the startup_pmpsvc.sh file look like this

     

    CATALINA_OPTS="$PROTOCOL $JAVA_64BIT_OPTS $JAVA_IBM_OPTS $DISP_OPTS $UDECODER_OPTS $JMX_OPTIONS $KEYSTORE_OPTIONS -Xmx${MEM}m $MAX_NEW_SIZE $NEW_SIZE $MAX_PERM_SIZE"

    if [ "$PLATFORM" = "Linux" ]

    then

    CATALINA_OPTS="$CATALINA_OPTS -Xmso512k"

    fi

    if [ "$PLATFORM" = "OS/390" ]

    then

    CATALINA_OPTS="-Dfile.encoding=ISO8859-1 -Xss512m -Xnoargsconversion $CATALINA_OPTS"

    fi

    export CATALINA_OPTS

    Can anyone advise what needs to be done, should I just follow Gregor Gromer's instructions?

     

    Thanks Stuart

  • DSProffitt
    DSProffitt
    29 Posts

    Re: Default TM1 Applix Certs expire on 24th Nov 2016

    ‏2016-11-10T11:35:01Z  

    gives the following information:

     

    FOR Linux/AIX ONLY

    In the startup_pmpsvc.sh file (located in ~/TM1Root/bin64/

    The current line reads

    UDECODER_OPTS="-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true

     

    Add

     -Dcom.ibm.cognos.tm1.certificate.dir=$TM1_HOME/webapps/pmpsvc/WEB-INF/bin64"

    Note the space between true and -Dcom.ibm.cognos.tm1.certificate.dir.

    Save the file

     

    But the article How to Update Your Expiring TM1 SSL Certificates - Manual Steps - TM1 10.2.X - UNIX doesn't have any reference to this, and from step 10. states:

     

    Navigate to <tm1_install_dir>/bin64/ and open/edit the startup_pmpsvc.sh file

    • From the top, find the first line beginning with 'CATALINA_OPTS='
    • Append the following to the end of the string, but before the closing double-quote: -Dcom.ibm.cognos.tm1.bin=$TM1_BIN
      ***Use $TM1_BIN as is, you are not expected to modify this variable as it sets itself via the script. Ensure that you have placed a 'space' as the first character before the -Dcom.. string
    • Save your changes and close the startup_pmpsvc.sh file

    We are using AIX 7.1, and the first references to CATALINA_OPTS= in the startup_pmpsvc.sh file look like this

     

    CATALINA_OPTS="$PROTOCOL $JAVA_64BIT_OPTS $JAVA_IBM_OPTS $DISP_OPTS $UDECODER_OPTS $JMX_OPTIONS $KEYSTORE_OPTIONS -Xmx${MEM}m $MAX_NEW_SIZE $NEW_SIZE $MAX_PERM_SIZE"

    if [ "$PLATFORM" = "Linux" ]

    then

    CATALINA_OPTS="$CATALINA_OPTS -Xmso512k"

    fi

    if [ "$PLATFORM" = "OS/390" ]

    then

    CATALINA_OPTS="-Dfile.encoding=ISO8859-1 -Xss512m -Xnoargsconversion $CATALINA_OPTS"

    fi

    export CATALINA_OPTS

    Can anyone advise what needs to be done, should I just follow Gregor Gromer's instructions?

     

    Thanks Stuart

    @Stuart

    FOR Linux/AIX ONLY

    In the startup_pmpsvc.sh file (located in ~/TM1Root/bin64/

    The current line reads

    UDECODER_OPTS="-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true

     

    Add

     -Dcom.ibm.cognos.tm1.certificate.dir=$TM1_HOME/webapps/pmpsvc/WEB-INF/bin64"

    Note the space between true and -Dcom.ibm.cognos.tm1.certificate.dir.

    Save the file

     

    This bit only applies to using Version 2 certificates.

    This was a backup plan in case of the new version 1 certs not being ready.

     

    This has now been superseded by http://www-01.ibm.com/support/docview.wss?uid=swg21991550

    So, please use these instructions if you are on 10.2.2 FP4 IF1 or higher

     

    Updated on 2016-11-10T11:35:26Z at 2016-11-10T11:35:26Z by DSProffitt
  • Tm1newAdmin
    Tm1newAdmin
    2 Posts

    Re: Default TM1 Applix Certs expire on 24th Nov 2016

    ‏2016-11-10T15:02:41Z  

    Hi,

    We ran through the SSL update procedures for TM1 10.2.2 for Windows.  Everything seems to be working, no issues with Architect or Perspectives.  However, the TM1 Web login page is not displaying ANY available instance....just a blank.

    Can you shed some light on what might be causing it?  Which part of the update procedure do you think might have failed..?

    We found a technote that matches our issues exactly (as below).  We ran the fix, but saw no improvement.

    http://www-01.ibm.com/support/docview.wss?uid=swg21978399

    TM1Web does not show any TM1 Servers in the server dropdown

    Thanks for your help in advance,

     

      

  • GKhabou
    GKhabou
    1 Post

    Re: Default TM1 Applix Certs expire on 24th Nov 2016

    ‏2016-11-11T08:29:08Z  

    Hello,

     

    We are going to update our TM1 SSL Certification to avoid the planned expiration for the November 24th 2016.

    IBM recommands to roll ahead the server clock past November 24th 2016 to ensure that the product behaves as expected post expiration date.
    Any ideas about the impact of this action on the users and hosted applications server and client sides ?

     

    Is there any other more sure ways for test ?

     

    Thanks in advance.

     

    Best regards;
    Ghassen KHABOU

  • DSProffitt
    DSProffitt
    29 Posts

    Re: Default TM1 Applix Certs expire on 24th Nov 2016

    ‏2016-11-11T12:18:20Z  

    Hi,

    We ran through the SSL update procedures for TM1 10.2.2 for Windows.  Everything seems to be working, no issues with Architect or Perspectives.  However, the TM1 Web login page is not displaying ANY available instance....just a blank.

    Can you shed some light on what might be causing it?  Which part of the update procedure do you think might have failed..?

    We found a technote that matches our issues exactly (as below).  We ran the fix, but saw no improvement.

    http://www-01.ibm.com/support/docview.wss?uid=swg21978399

    TM1Web does not show any TM1 Servers in the server dropdown

    Thanks for your help in advance,

     

      

    Thank you for your question
    Try this

    Stop the Application Server

    Navigate to TM1Root/Tomcat/work/Catalina/localhost

    Delete the pmhub/pmpsvc/tm1web directories

    Restart the App Server.

    Try TM1 Web

    If you use PMHub/Opsconsole and CAM, then check the settings in the PMHub/pm/admin screen to make sure that if they have been deleted, that you re-enter them

    Then let us know :)

  • DSProffitt
    DSProffitt
    29 Posts

    Re: Default TM1 Applix Certs expire on 24th Nov 2016

    ‏2016-11-11T12:19:35Z  
    • GKhabou
    • ‏2016-11-11T08:29:08Z

    Hello,

     

    We are going to update our TM1 SSL Certification to avoid the planned expiration for the November 24th 2016.

    IBM recommands to roll ahead the server clock past November 24th 2016 to ensure that the product behaves as expected post expiration date.
    Any ideas about the impact of this action on the users and hosted applications server and client sides ?

     

    Is there any other more sure ways for test ?

     

    Thanks in advance.

     

    Best regards;
    Ghassen KHABOU

    Rolling forward is a bad idea.
    This has been suggested in the past as there was no awareness of the issues this could cause. Now there is greater awareness of problems with Active Directory, for example, the recommended way of checking this is to check the certificates themselves as directed by this blog
     

  • Tm1newAdmin
    Tm1newAdmin
    2 Posts

    Re: Default TM1 Applix Certs expire on 24th Nov 2016

    ‏2016-11-11T17:02:13Z  

    Thank you for your question
    Try this

    Stop the Application Server

    Navigate to TM1Root/Tomcat/work/Catalina/localhost

    Delete the pmhub/pmpsvc/tm1web directories

    Restart the App Server.

    Try TM1 Web

    If you use PMHub/Opsconsole and CAM, then check the settings in the PMHub/pm/admin screen to make sure that if they have been deleted, that you re-enter them

    Then let us know :)

    Thank you very much for the reply...we just discovered the issue.

    The command below was issued in the \bin\ directory, not \bin64\

    1. 10. Open and run Windows Command Prompt as an Administrator. Navigate to <tm1_install_dir>\tm1_64\bin64\jre\7.0\bin . Execute the following command:
      • keytool -delete -alias applixca -keystore ..\lib\security\cacerts -storepass changeit
      • keytool -keystore ..\lib\security\cacerts -alias applixca -import -file "<tm1_install_dir>\bin64\ssl\applixca.der" -storepass changeit -noprompt
  • rambert
    rambert
    1 Post

    Re: Default TM1 Applix Certs expire on 24th Nov 2016

    ‏2016-11-16T10:29:05Z  

    Hello,

     

    we have updated succesfully TM1 SSL Certificates for version 9.5.2. Now we want to schedule a TM1 upgrade  to 10.2.2 version next year. Is necessary to upgrade the TM1 SSL Certificates again?

     

    Regards

    Ramón

  • DSProffitt
    DSProffitt
    29 Posts

    Re: Default TM1 Applix Certs expire on 24th Nov 2016

    ‏2016-11-17T13:10:12Z  
    • rambert
    • ‏2016-11-16T10:29:05Z

    Hello,

     

    we have updated succesfully TM1 SSL Certificates for version 9.5.2. Now we want to schedule a TM1 upgrade  to 10.2.2 version next year. Is necessary to upgrade the TM1 SSL Certificates again?

     

    Regards

    Ramón

    Hi Ramon,

    If you upgrade to 10.2.2 FP7, then no, you will not.

    That is out Q1 of 2017

    Anything else, you will need to update again