Configuring Cognos TM1 Web to use SSL

To enable SSL in IBM® Cognos® TM1® Web, you must add a certificate in the Java™ Runtime Environment (JRE) keystore.

Before you begin

By default, Cognos TM1 Web uses the standard, default SSL certificates that are included as part of your Cognos TM1 installation. To use your own custom SSL certificates, add your certificate in the Java Runtime Environment (JRE) keystore.

Procedure

  1. Open IBM Cognos Configuration and enter the secure HTTPS URL for the following parameters:
    • TM1 Application Server Gateway URI - For example, http://system_name:9514/pmpsvc
    • External server URI - For example, http://system_name:9514

    Enter the system name and port numbers for your specific configuration.

  2. For 32-bit installations:
    1. Open a command prompt and change directory to the JRE location that was provided with the Cognos TM1 installation.

      tm1_location\bin\jre\7.0\bin

      For example:

      C:\Program Files\IBM\cognos\tm1\bin\jre\7.0\bin>

    2. Run the Java keytool command to import the certificate into the keystore.
      Note: For formatting purposes the command is shown here with line breaks but you should enter the command all on one line.
      keytool.exe -import -trustcacerts -file 
"c:\Program Files\ibm\cognos\tm1\bin\ssl\your_certificate.pem"
-alias your_certificate -keystore 
"c:\Program Files\ibm\cognos\tm1\bin\jre\7.0\lib\security\cacerts"

      Replace your_certificate.pem and your_certificate with the file name and name of your own certificate.

    3. Enter yes when prompted to trust or add the certificate.
    The following message displays: Certificate was added to keystore.
  3. For 64-bit installations:
    Attention: On 64-bit computers, be sure to add the certificates to the bin64 folder.
    1. Open a command prompt and change directory to the JRE location that was provided with the Cognos TM1 installation.

      C:\Program Files\ibm\cognos\TM1_64\bin64\jre\7.0\bin

    2. Run the Java keytool command to import the certificate into the keystore.

      For 64-bit installations, target the 64-bit folder when dealing with the certificates. If you do not correctly target the 64-bit locations for certificates when running a 64-bit installation, you receive a warning message indicating that you cannot contact the servers.

      Note: For formatting purposes this command is shown with line breaks but you should enter the command all on one line.
      keytool.exe -import -trustcacerts -file 
"c:\Program Files\ibm\cognos\TM1_64\bin64\ssl\your_certificate.pem"
-alias your_certificate -keystore 
"c:\Program Files\ibm\cognos\TM1_64\bin64\jre\7.0\lib\security\cacerts"

      Replace your_certificate.pem and your_certificate with the file name and name of your own certificate.

    3. Enter yes when prompted to trust or add the certificate.
    The following message displays: Certificate was added to keystore.
  4. Use IBM Cognos Configuration to restart the TM1 Application Server and have the change take effect.
    1. In Cognos Configuration, expand the Environment node, right-click TM1 Application Server, and select Stop.
    2. Right-click TM1 Application Server, and select Start.
    Remember: Re-add certificates any time you reinstall Cognos TM1.

Results

Log in to Cognos TM1 Web using the secure HTTPS URL to confirm that you can connect to Cognos TM1 using this configuration.

For this example, log in using https://system_name:9514/tm1web.

Parent topic: Using SSL for data transmission security