Configuring IBM HTTP Server V9 with SSL
If you use Secure Sockets Layer (SSL) on IBM® Cognos® Analytics with IBM HTTP Server (IHS) V9 as your web server, you must set up SSL between WAS Web Server Plug-ins and the Cognos Analytics application server by extracting the IBM Cognos certificate and adding it to the WAS Web Server Plug-ins trust store.
If you use SSL on IBM HTTP Server, configure your environment as documented in the topic Configuring IBM HTTP Server with SSL.
Procedure
- Start the IBM Cognos Analytics application server that is configured to use SSL.
-
Copy the
Server
section from the Cognos_Analytics_applicaton_server_install_root/wlp/usr/servers/cognosserver/logs/state/plugin-cfg.xml file to the plug-in/config/webserver1/plugin-cfg.xml file. Ensure that the Cognos Analyticshttps
entry point is specified, as shown in the following example:<Server CloneID="a4949c5e-cb36-40dd-9f43-58702daf7b1a" ConnectTimeout="5" ExtendedHandshake="false" LoadBalanceWeight="20" MaxConnections="-1" Name="default_node_cognosserver" ServerIOTimeout="900" WaitForContinue="false"> <Transport Hostname=“hostname” Port=“xxx” Protocol="https"> <Property Name="keyring" Value="D:\install\IBM\WebSphere\Plugins\config\ webserver1\plugin-key.kdb"/> <Property Name="stashfile" Value="D:\install\IBM\WebSphere\Plugins\config\ webserver1\plugin-key.sth"/> </Transport> </Server>
-
In the Plug-in/config/webserver1/plugin-cfg.xml file, add the following
attribute to the
Config
section:AutoSecurity="false"
Note: If SSL is enabled on IHS and Cognos Analytics is using the HTTP protocol (the dispatcher URIs are HTTP), you might also need to add the UseInsecure=true setting to theConfig
section. For more information, see the WebSphere IHS plug-in documentation. -
Obtain the IBM Cognos certificate by using the following steps:
- Go to the Cognos Analytics applicaton_server_install_root/bin directory.
-
Extract the certificate by typing a command that is appropriate for your operating system.
On UNIX or Linux® operating systems, type
ThirdPartyCertificateTool.sh -E -T -r destination file -p NoPassWordSet
On Windows operating systems, type
ThirdPartyCertificateTool.bat -E -T -r destination file -p NoPassWordSet
- Copy the .cert file, for example ca-host1.cert, that was generated in step 4 to WAS Web Server Plug-ins host.
-
Add the Cognos
Analytics
.cert file to the WAS Web Server Plug-ins keystore
plugin-key.kdb. If the plugin-key.kdb file does not exist,
create one as described in step 7.
You can use different methods to add the .cert file to the keystore. The following steps describe how to do that by using the
gskcapicmd
tool that is shipped with IHS V9.- Go to the IHS9 ROOT folder.
-
Type a command that is appropriate for your operating system.
On UNIX or Linux operating systems, type
bin/gskcapicmd -cert -add -db WAS_Plugin_root/config/webserver1/plugin-key.kdb -stashed -label ca-host1 -file ca-host1.cert
On Windows operating systems, type
bin\gskcapicmd.bat -cert -add -db WAS_Plugin_root\config\webserver1\plugin-key.kdb -stashed -label ca-host1 -file ca-host1.cert
-
Create an empty keystore for WAS Web Server Plug-ins:
- Go to the IHS9 ROOT folder.
-
Type a command that is appropriate for your operating system.
On UNIX or Linux operating systems, type
bin/gskcapicmd -keydb -create -db WAS_Plugin_root/config/webserver1 /plugin-key.kdb -pw xxx -stash
On Windows operating systems, type
bin\gskcapicmd.bat -keydb -create -db WAS_Plugin_root\config\webserver1 \plugin-key.kdb -pw xxx -stash