Configuring SSL for Cognos Analytics components
For IBM® Cognos® components, you can use SSL for internal connections, external connections, or both.
If you configure SSL for internal connections only, IBM Cognos components on the local computer communicate using this protocol. The dispatcher listens for secure connections on a different port than for remote HTTP requests. Therefore, you must configure two dispatcher URIs.
If you configure SSL for external connections only, communications from remote IBM Cognos components to the local computer use the SSL protocol. You must configure the dispatcher to listen for secure remote requests on a different port than local HTTP requests. You must also configure the Content Manager URIs and the dispatcher URI for external applications to use the same protocol and port as the external dispatcher.
If you configure SSL for all connections, the dispatcher can use the same port for internal and external connections. Similarly, if you do not use SSL for local or remote communication, the dispatcher can use the same port for all communications.
By default, IBM Cognos Analytics components use an internal certificate authority (CA) to establish the root of trust in the IBM Cognos security infrastructure. This applies to both SSL and non-SSL connections. If you want to use certificates that are managed by another service, see the topic Configuring Cognos Analytics components to use another certificate authority.
If you use an optional gateway (either HTTP or HTTPS), you must configure the web server to trust Cognos Analytics certificates. For more information, see Copying the Cognos Analytics certificate to another server.
In a distributed installation, you must first configure the default active Content Manager computer to use the SSL protocol, and start the services on that computer before you configure the Application Tier Components computer.
Before you begin
Starting with Cognos Analytics 11.1.7, it is recommended that you configure dispatcher URIs to use https with a fully qualified domain host name.
- Search for httpEndpoint with id="defaultHttpEndpoint" and host="localhost". For example, if port 9400 was configured for the Internal dispatcher URI in Configuration Manager, locate the following lines of code:
    <httpEndpoint id="defaultHttpEndpoint" httpPort="9400" host="localhost">
        <httpOptions CookiesConfigureNoCache="false" AutoDecompression="false" removeServerHeader="true" persistTimeout="${persist.timeout}"/>
    </httpEndpoint>
- Change localhost to *, as shown in the following line of code:
    <httpEndpoint id="defaultHttpEndpoint" httpPort="9400" host="*"/>
- Save the server.xml file.
- Ask your IT services to disable external access to the port that you used, 9400 in this example, if you want to do so.
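Changing host to * makes the plain-HTTP port listen on every network interface, which is why the last step asks for external access to be blocked. The following Python check is an added example, not IBM code: it parses a constructed server.xml fragment and lists the HTTP ports that need that restriction. The function names and the <server> root wrapper in the sample are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the fragment from the steps above after the host change,
# wrapped in an assumed <server> root element.
SAMPLE_SERVER_XML = """<server>
  <httpEndpoint id="defaultHttpEndpoint" httpPort="9400" host="*">
    <httpOptions removeServerHeader="true" persistTimeout="${persist.timeout}"/>
  </httpEndpoint>
</server>"""

# Host values that keep the listener on the local machine only.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def audit_http_endpoints(server_xml_text):
    """Return one finding per httpEndpoint that declares an httpPort."""
    root = ET.fromstring(server_xml_text)
    findings = []
    for ep in root.iter("httpEndpoint"):
        port = ep.get("httpPort")
        if port is None:
            continue  # no plain-HTTP listener declared on this endpoint
        host = ep.get("host")
        findings.append({
            "id": ep.get("id"),
            "httpPort": port,  # kept as text; it may be a ${variable}
            "host": host,
            # A missing host attribute is reported for manual review
            # rather than assumed to be loopback-only.
            "restrict_externally": host not in LOOPBACK_HOSTS,
        })
    return findings


def ports_to_restrict(server_xml_text):
    """HTTP ports whose endpoint is not bound to a loopback host."""
    return sorted(f["httpPort"]
                  for f in audit_http_endpoints(server_xml_text)
                  if f["restrict_externally"])


if __name__ == "__main__":
    for finding in audit_http_endpoints(SAMPLE_SERVER_XML):
        print(finding)
    print("Ports to block from external access:",
          ports_to_restrict(SAMPLE_SERVER_XML))
```

Run it against the real server.xml contents after saving the file, and pass the resulting port list to whoever manages the host firewall.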
About this task
- Gateway URI
- External dispatcher URI
- Internal dispatcher URI
- Dispatcher URI for external applications
- Content Manager URIs
- Group contact host
- Member coordination host
- Server common name