Configure Cognos TM1 Architect or Perspectives to use custom certificates

To configure IBM® Cognos® TM1® Architect or TM1 Perspectives clients to use custom certificates, you must set several options on the Cognos TM1 Options dialog box.

TM1 Architect and TM1 Perspectives communicate with the Data Tier only.

The tm1p.ini file

  1. Open Cognos TM1 Architect or Cognos TM1 Perspectives, Server Explorer.
  2. In Server Explorer, click File > Options.
  3. Edit the following options in the Admin Server Secure Socket Layer (SSL) section.

The following table describes all options that can be set in the TM1 Options dialog box and lists the corresponding Tm1p.ini parameters.

Table 1. Option names and corresponding parameters

| Option Name | Corresponding Tm1p.ini Parameter | Description |
|---|---|---|
| Certificate Authority | AdminSvrSSLCertAuthority | The full path of the certificate authority file that issued the Cognos TM1 Admin Server's certificate. |
| Certificate Revocation List | AdminSvrSSLCertRevList | The full path of the certificate revocation file issued by the certificate authority that originally issued the Cognos TM1 Admin Server's certificate. A certificate revocation file will only exist in the event a certificate has been revoked. |
| Certificate ID | AdminSvrSSLCertID | Note: The name of the principal to whom the Cognos TM1 Admin Server's certificate is issued. The value of this parameter should be identical to the SSLCertificateID parameter for the IBM Cognos TM1 Admin Server as set in IBM Cognos Configuration. |
| Use Certificate Store | ExportAdminSvrSSLCert | Select this option if you want the certificate authority certificate that originally issued the Cognos TM1 Admin Server's certificate to be exported from the Microsoft Windows certificate store at runtime. Selecting this option in the Cognos TM1 Options dialog box is equivalent to setting ExportAdminSvrSSLCert=T in the Tm1p.ini file. When this option is selected, you must also set a value for Export Certificate ID in the Cognos TM1 Options dialog box. |
| Export Certificate ID | AdminSvrSSLExportKeyID | The identity key used to export the certificate authority certificate, which originally issued the Cognos TM1 Admin Server's certificate, from the certificate store. This parameter is required only if you choose to use the certificate store by setting ExportAdminSvrSSLCert=T. |

The tm1api.config file

Create a configuration file named tm1api.config with the following format:

[tm1api]
### Path to GSKit store
#keystorefile=

### Path to GSKit stash file
#keystashfile=

### Comma delimited string of TLS ciphers
#tlsCipherList=

### FIPS_MODE = 1 (default), FIPS_APPROVED = 2, FIPS_NONE = 3
#FIPSOperationMode=1

#NIST_SP800_131A_MODE=T

This configuration file allows TM1 Architect or Perspectives clients to configure the GSKit options. The file contains a section named tm1api and supports comments using the # character. The file must reside in the same directory as tm1api.dll. For example, place tm1api.config under C:\Program Files\IBM\cognos\tm1_64\webapps\pmpsvc\WEB-INF\bin64, then restart the Application Server.

The following is a sample configuration file.

[tm1api]
keystorefile=C:\TM1Install_Dir\x64\Debug\ssl\ibmtm1.kdb
keystashfile=C:\TM1Install_Dir\x64\Debug\ssl\ibmtm1.sth
tlsCipherList=TLS_RSA_WITH_AES_128_CBC_SHA, 
    TLS_RSA_WITH_RC4_128_MD5, 
    TLS_RSA_WITH_AES_128_CBC_SHA256
keylabel=ibmtm1_client
FIPSOperationMode=1
NIST_SP800_131A_MODE=T
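
A tm1api.config file can be checked before deployment. The following Python script is an added example, not IBM code: it parses the [tm1api] section and reports unset or non-absolute keystore and stash paths and cipher suites built on RC4, MD5, NULL or EXPORT. The input is constructed (modeled on the sample above, with a deliberately malformed stash path), and the continuation-line handling and the weak-suite markers are assumptions of this example.

```python
import re

# Constructed input modeled on the sample file; the stash path is deliberately malformed.
SAMPLE = r"""[tm1api]
keystorefile=C:\TM1Install_Dir\x64\Debug\ssl\ibmtm1.kdb
keystashfile=C:TM1Install_Dir\x64\Debug\ssl\ibmtm1.sth
tlsCipherList=TLS_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_RC4_128_MD5,
    TLS_RSA_WITH_AES_128_CBC_SHA256
keylabel=ibmtm1_client
FIPSOperationMode=1
NIST_SP800_131A_MODE=T
"""

# Assumption: reviewer policy for this example, not a list defined by TM1 or GSKit.
WEAK_MARKERS = ("RC4", "MD5", "NULL", "EXPORT")

def parse_tm1api(text):
    """Return the [tm1api] options as a dict. '#' lines are comments; indented
    lines continue the previous value (assumed from the sample's cipher list)."""
    opts, key, in_section = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section, key = line.lower() == "[tm1api]", None
        elif in_section and raw[0].isspace() and key:
            opts[key] += line
        elif in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            opts[key] = value
    return opts

def audit(text):
    """Return a list of findings for the keystore paths and the cipher list."""
    opts, findings = parse_tm1api(text), []
    for name in ("keystorefile", "keystashfile"):
        path = opts.get(name, "")
        if not path:
            findings.append(f"{name}: not set")
        elif not re.match(r"[A-Za-z]:\\|\\\\", path):  # drive root or UNC share
            findings.append(f"{name}: not an absolute path: {path}")
    for suite in opts.get("tlsCipherList", "").split(","):
        hits = [m for m in WEAK_MARKERS if m in suite]
        if hits:
            findings.append(f"tlsCipherList: {suite.strip()} uses {'/'.join(hits)}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

RC4 and MD5 are not FIPS-approved algorithms, so a suite such as TLS_RSA_WITH_RC4_128_MD5 is worth removing from tlsCipherList when FIPSOperationMode=1 and NIST_SP800_131A_MODE=T are set.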