Configuring IBM HTTP Server V9 with SSL

If you use Secure Sockets Layer (SSL) on IBM® Cognos® Analytics with Watson with IBM HTTP Server V9 as your web server, you must set up SSL between WAS Web Server Plug-ins and the Cognos Analytics application server by extracting the IBM Cognos certificate and adding it to the WAS Web Server Plug-ins trust store.

If you use SSL on IBM HTTP Server V9, configure your environment as documented in the article Configuring IBM HTTP Server with SSL.

Procedure

  1. Start the IBM Cognos Analytics with Watson application server that is configured to use SSL.
  2. Copy the Server section from the Cognos_Analytics_applicaton_server_install_root/wlp/usr/servers/cognosserver/logs/state/plugin-cfg.xml file to the plug-in/config/webserver1/plugin-cfg.xml file. Ensure that the Cognos Analytics https entry point is specified, as shown in the following example:
    <Server CloneID="a4949c5e-cb36-40dd-9f43-58702daf7b1a" ConnectTimeout="5" 
    ExtendedHandshake="false" LoadBalanceWeight="20" MaxConnections="-1" 
    Name="default_node_cognosserver" ServerIOTimeout="900" WaitForContinue="false">
       <Transport Hostname=“hostname” Port=“xxx” Protocol="https">
       <Property Name="keyring" Value="D:\install\IBM\WebSphere\Plugins\config\
             webserver1\plugin-key.kdb"/>
       <Property Name="stashfile" Value="D:\install\IBM\WebSphere\Plugins\config\
             webserver1\plugin-key.sth"/>
       </Transport>
    </Server>
  3. In the Plug-in/config/webserver1/plugin-cfg.xml file, add the following attribute to the Config section:
    AutoSecurity="false"
  4. Obtain the IBM Cognos certificate by using the following steps:
    1. Go to the Cognos Analytics applicaton_server_install_root/bin directory.
    2. Extract the certificate by typing a command that is appropriate for your operating system.

      On UNIX or Linux® operating systems, type

      ThirdPartyCertificateTool.sh -E -T -r destination file -p NoPassWordSet

      On Windows operating systems, type

      ThirdPartyCertificateTool.bat -E -T -r destination file -p NoPassWordSet
  5. Copy the .cert file, for example ca-host1.cert, that was generated in step 4 to WAS Web Server Plug-ins host.
  6. Add the Cognos Analytics .cert file to the WAS Web Server Plug-ins key store plugin-key.kdb. If the plugin-key.kdb file does not exist, create one as described in step 7.

    You can use different methods to add the .cert file to the key store. The following steps describe how to do that by using the gskcapicmd tool that is shipped with IHS V9.

    1. Go to the IHS9 ROOT folder.
    2. Type a command that is appropriate for your operating system.

      On UNIX or Linux operating systems, type

      bin/gskcapicmd -cert -add -db WAS_Plugin_root/config/webserver1/plugin-key.kdb 
      -stashed -label ca-host1 -file ca-host1.cert

      On Windows operating systems, type

      bin\gskcapicmd.bat -cert -add -db WAS_Plugin_root\config\webserver1\plugin-key.kdb 
      -stashed -label ca-host1 -file ca-host1.cert

      For information about other methods of adding certificate files to the key store, search IBM Knowledge Center (www.ibm.com/support/knowledgecenter/SSEP7J_11.0.0).

  7. Create an empty key store for WAS Web Server Plug-ins:
    1. Go to the IHS9 ROOT folder.
    2. Type a command that is appropriate for your operating system.

      On UNIX or Linux operating systems, type

      bin/gskcapicmd -keydb -create -db WAS_Plugin_root/config/webserver1
        /plugin-key.kdb -pw xxx -stash

      On Windows operating systems, type

      bin\gskcapicmd.bat -keydb -create -db WAS_Plugin_root\config\webserver1
         \plugin-key.kdb -pw xxx -stash