Configuring IBM HTTP Server V9 with SSL

If you use Secure Sockets Layer (SSL) on IBM® Cognos® Analytics with IBM HTTP Server (IHS) V9 as your web server, you must set up SSL between WAS Web Server Plug-ins and the Cognos Analytics application server by extracting the IBM Cognos certificate and adding it to the WAS Web Server Plug-ins trust store.

If you use SSL on IBM HTTP Server, configure your environment as documented in the topic Configuring IBM HTTP Server with SSL.

Procedure

  1. Start the IBM Cognos Analytics application server that is configured to use SSL.
  2. Copy the Server section from the Cognos_Analytics_applicaton_server_install_root/wlp/usr/servers/cognosserver/logs/state/plugin-cfg.xml file to the plug-in/config/webserver1/plugin-cfg.xml file. Ensure that the Cognos Analytics https entry point is specified, as shown in the following example:
    <Server CloneID="a4949c5e-cb36-40dd-9f43-58702daf7b1a" ConnectTimeout="5" 
    ExtendedHandshake="false" LoadBalanceWeight="20" MaxConnections="-1" 
    Name="default_node_cognosserver" ServerIOTimeout="900" WaitForContinue="false">
       <Transport Hostname=“hostname” Port=“xxx” Protocol="https">
       <Property Name="keyring" Value="D:\install\IBM\WebSphere\Plugins\config\
             webserver1\plugin-key.kdb"/>
       <Property Name="stashfile" Value="D:\install\IBM\WebSphere\Plugins\config\
             webserver1\plugin-key.sth"/>
       </Transport>
    </Server>
  3. In the Plug-in/config/webserver1/plugin-cfg.xml file, add the following attribute to the Config section:
    AutoSecurity="false"
    Note: If SSL is enabled on IHS and Cognos Analytics is using the HTTP protocol (the dispatcher URIs are HTTP), you might also need to add the UseInsecure=true setting to the Config section. For more information, see the WebSphere IHS plug-in documentation.
  4. Obtain the IBM Cognos certificate by using the following steps:
    1. Go to the Cognos Analytics applicaton_server_install_root/bin directory.
    2. Extract the certificate by typing a command that is appropriate for your operating system.

      On UNIX or Linux® operating systems, type

      ThirdPartyCertificateTool.sh -E -T -r destination file -p NoPassWordSet

      On Windows operating systems, type

      ThirdPartyCertificateTool.bat -E -T -r destination file -p NoPassWordSet
  5. Copy the .cert file, for example ca-host1.cert, that was generated in step 4 to WAS Web Server Plug-ins host.
  6. Add the Cognos Analytics .cert file to the WAS Web Server Plug-ins keystore plugin-key.kdb. If the plugin-key.kdb file does not exist, create one as described in step 7.

    You can use different methods to add the .cert file to the keystore. The following steps describe how to do that by using the gskcapicmd tool that is shipped with IHS V9.

    1. Go to the IHS9 ROOT folder.
    2. Type a command that is appropriate for your operating system.

      On UNIX or Linux operating systems, type

      bin/gskcapicmd -cert -add -db WAS_Plugin_root/config/webserver1/plugin-key.kdb 
      -stashed -label ca-host1 -file ca-host1.cert

      On Windows operating systems, type

      bin\gskcapicmd.bat -cert -add -db WAS_Plugin_root\config\webserver1\plugin-key.kdb 
      -stashed -label ca-host1 -file ca-host1.cert
  7. Create an empty keystore for WAS Web Server Plug-ins:
    1. Go to the IHS9 ROOT folder.
    2. Type a command that is appropriate for your operating system.

      On UNIX or Linux operating systems, type

      bin/gskcapicmd -keydb -create -db WAS_Plugin_root/config/webserver1
        /plugin-key.kdb -pw xxx -stash

      On Windows operating systems, type

      bin\gskcapicmd.bat -keydb -create -db WAS_Plugin_root\config\webserver1
         \plugin-key.kdb -pw xxx -stash