Add CA certificates to the JRE keystore

If the virtual application instance uses SSL communication, you must add a certificate to the Java™ Runtime Environment (JRE) keystore on each of the workstations that have the client tools installed.

Before you begin

The CA certificate is created during the pattern deployment. You must have a functioning virtual application instance and you must download the certificate from the DownloadClient pattern endpoint.

About this task

Use the Java keytool command to import the certificate into the keystore.

You must target the correct location of the binary files, depending on whether you are adding certificates for either a 32-bit or a 64-bit application.

  • If you are adding a certificate for IBM® Cognos® Dynamic Query Analyzer, target the bin64 directory.
  • If you are adding a certificate for IBM Cognos Cube Designer, target the bin directory.


  1. Open a command prompt and change to the Java bin directory in the location where the client tool is installed:
    • For IBM Cognos Dynamic Query Analyzer, change directory to installation_location \bin64\jre\7.0\bin
    • For IBM Cognos Cube Designer, change directory to installation_location \bin\jre\7.0\bin
  2. Run the following command from the command line. For formatting purposes the command is shown here with line breaks but you should enter the command all on one line.
    keytool -import -file "C:\CA_certificate_location" -keystore 
    "C:\Program Files\install_location\bin_directory\jre\7.0\lib\security\cacerts" 
    -storepass "changeit"
    • CA_certificate_location is the location of the certificate that was downloaded from the pattern endpoint
    • client_install_location is the location of the installed client tool, either IBM Cognos Dynamic Query Analyzer or IBM Cognos Cube Designer
    • bin_directory is the location of the binary files, depending on whether the application is 32-bit or 64-bit installation.
    Remember: Ensure that you target the correct bin directory.
    For example, this sample command targets the 64-bit JRE for Cognos Dynamic Query Analyzer.
    keytool -import -file "C:\User\Downloads\cacert.cer"
    " -keystore "C:\Program Files\ibm\cognos\DQA_64\bin64\
    jre\7.0\lib\security\cacerts" -storepass "changeit"

    If you do not correctly target the bin locations for certificates when running a 32-bit and 64-bit installations, you will receive a warning message indicating that you cannot contact the servers.

  3. Enter yes when prompted to trust or add the certificate.


The following message displays: Certificate was added to keystore.