Configuring SSL for Cognos Analytics components

For IBM® Cognos® components, you can use SSL for internal connections, external connections, or both.

If you configure SSL for internal connections only, IBM Cognos components on the local computer communicate using this protocol. The dispatcher listens for secure connections on a different port than for remote HTTP requests. Therefore, you must configure two dispatcher URIs.

If you configure SSL for external connections only, communications from remote IBM Cognos components to the local computer use the SSL protocol. You must configure the dispatcher to listen for secure remote requests on a different port than local HTTP requests. You must also configure the Content Manager URIs and the dispatcher URI for external applications to use the same protocol and port as the external dispatcher.

If you configure SSL for all connections, the dispatcher can use the same port for internal and external connections. Similarly, if you do not use SSL for local or remote communication, the dispatcher can use the same port for all communications.

By default, IBM Cognos Analytics components use an internal certificate authority (CA) to establish the root of trust in the IBM Cognos security infrastructure. This applies to both SSL and non-SSL connections. If you want to use certificates that are managed by another service, see the topic Configuring Cognos Analytics components to use another certificate authority.

If you use an optional gateway (either HTTP or HTTPS), you must configure the web server to trust Cognos Analytics certificates. For more information, see Copying the Cognos Analytics certificate to another server.

In a distributed installation, you must first configure the default active Content Manager computer to use the SSL protocol, and start the services on that computer before you configure the Application Tier Components computer.

Before you begin

Starting with Cognos Analytics 11.1.7, it is recommended that you configure the dispatcher URIs to use https with the fully qualified domain name of the host.

If you want to configure the external dispatcher and the internal dispatcher to use different URI schemes (http or https) or different ports, you must update the wlp/usr/servers/cognos/server.xml file so that the internal dispatcher port listens on all interfaces instead of only on localhost. Edit the server.xml file in the following way:
  1. Search for the httpEndpoint element with id="defaultHttpEndpoint" and host="localhost".

    For example, if port 9400 was configured for the Internal dispatcher URI in IBM Cognos Configuration, locate the following lines:

    <httpEndpoint id="defaultHttpEndpoint" httpPort="9400" host="localhost">
    <httpOptions CookiesConfigureNoCache="false" AutoDecompression="false" removeServerHeader="true"
    persistTimeout="${persist.timeout}"/>
    </httpEndpoint>
  2. Change the host value from localhost to *, leaving the id, the httpPort, and the nested httpOptions element unchanged:
    <httpEndpoint id="defaultHttpEndpoint" httpPort="9400" host="*">
  3. Save the server.xml file.
  4. Because host="*" makes the internal dispatcher port reachable from other computers, ask your IT services to block external access to that port (9400 in this example) at the firewall unless other computers must reach it.
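The following script is an added example, not part of the IBM documentation or product, that performs steps 1 to 3 above on a server.xml file and reports the port that step 4 asks you to firewall. The server.xml content is a constructed sample that mirrors the fragment shown; a real file contains many more elements. It uses xml.etree, which drops XML comments when it rewrites the file, so keep a backup or apply the same one-attribute change by hand if your server.xml carries comments you want to keep. The endpoint id and the error behaviour are the only assumptions beyond what the steps state.

```python
# Added example: change host="localhost" to host="*" on the internal dispatcher's
# httpEndpoint in a Liberty server.xml (steps 1 to 3) and report its port (step 4).
# Not IBM code. Assumes the endpoint id is "defaultHttpEndpoint", as in the topic.
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragment in the topic; a real
# wlp/usr/servers/cognos/server.xml has many more elements.
SAMPLE_SERVER_XML = """<server description="cognos">
  <httpEndpoint id="defaultHttpEndpoint" httpPort="9400" host="localhost">
    <httpOptions CookiesConfigureNoCache="false" AutoDecompression="false"
                 removeServerHeader="true" persistTimeout="${persist.timeout}"/>
  </httpEndpoint>
</server>
"""


def open_internal_dispatcher_endpoint(xml_text, endpoint_id="defaultHttpEndpoint"):
    """Return (new_xml_text, http_port).

    Only the host attribute of the matching httpEndpoint changes; the id and the
    nested httpOptions element are left alone. Raises ValueError if the endpoint
    is missing, ambiguous, or not bound to localhost, so a wrong file is noticed
    instead of silently left unchanged.
    """
    root = ET.fromstring(xml_text)
    matches = [e for e in root.iter("httpEndpoint") if e.get("id") == endpoint_id]
    if len(matches) != 1:
        raise ValueError(
            f"expected exactly one httpEndpoint with id={endpoint_id!r}, found {len(matches)}")
    endpoint = matches[0]
    if endpoint.get("host") != "localhost":
        raise ValueError(
            f"host is {endpoint.get('host')!r}, not 'localhost'; nothing to change")
    endpoint.set("host", "*")  # bind to all interfaces; firewall the port afterwards
    return ET.tostring(root, encoding="unicode"), endpoint.get("httpPort")


if __name__ == "__main__":
    new_xml, port = open_internal_dispatcher_endpoint(SAMPLE_SERVER_XML)
    print(new_xml)
    print(f"Internal dispatcher now listens on all interfaces; block external access to port {port}.")
```

To run it against a real installation, read wlp/usr/servers/cognos/server.xml, pass its text to open_internal_dispatcher_endpoint, and write the result back only after you have verified the firewall rule for the reported port.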

About this task

Important: You must specify fully-qualified host names in the values for the following Cognos Configuration fields. Each value that you specify must also appear in either the Subject Alternative Name > DNS names field, or the Subject Alternative Name > IP addresses field.
  • Environment
    • Gateway URI
    • External dispatcher URI
    • Internal dispatcher URI
    • Dispatcher URI for external applications
    • Content Manager URIs
  • Environment > Configuration Group
    • Group contact host
    • Member coordination host
  • Security > Cryptography > Cognos
    • Server common name
    • Subject Alternative Name > DNS names
    • Subject Alternative Name > IP addresses

Procedure

  1. Start IBM Cognos Configuration.
  2. In the Explorer pane, click Environment.

    In the Environment - Group Properties pane, configure all the URIs with the fully-qualified domain name of the server, as required for the following SSL connection scenarios:

    SSL is used for all connections

    Enter the same URI for the Internal dispatcher URI, External dispatcher URI, and Dispatcher URI for external applications properties. Enter https and a port number for SSL communication.

    Additionally, if Content Manager is also installed and enabled on the same instance, enter https and a port number for SSL communication in the Content Manager URIs property.

    Gateway is installed on a separate computer, and SSL is used for external connections on Application Tier dispatcher

    Start IBM Cognos Configuration on the gateway computer. Enter https and the port number for SSL communication in the Dispatcher URIs for gateway property that points to the Application Tier dispatcher.

  3. In the Explorer pane, click Environment > Configuration Group. Then, in the Configuration Group - Component Properties pane, do the following:
    1. Set Group contact host to the fully-qualified domain name of the computer where your primary Content Manager is installed.
      Important: Every computer, whether in the application tier or the data tier, should use the same value that is specified on the primary Content Manager computer.

      If you are configuring the primary node for the configuration group, the value in this field must match the DNS name or IP address specified for the Subject Alternative Name in step 4b.

    2. Set Member coordination host to the same fully-qualified domain name that you set in step 2.
  4. In the Explorer pane, click Security > Cryptography > Cognos. Then, in the Cognos - Provider - Resource Properties pane, do the following:
    1. Ensure that the Server common name value is the fully-qualified domain name of the server.
    2. Under Subject Alternative Name, specify DNS names, IP addresses, and Email addresses (optional) that are associated with the server certificate.
      Important: The DNS names and IP addresses must match the fully-qualified domain name in the environment URIs in step 2. If the server has multiple DNS names, you must enter each name, separated by a space. If the server has multiple IP addresses, you must enter each address, separated by a space.
  5. From the File menu, click Save.
  6. Restart your services.

    In a distributed environment, start the services on the Content Manager computer first, followed by the services on the Application Tier Components computers.
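The following check is an added example and is not IBM code. It takes the Cognos Configuration values named in the Important note above (the Environment URIs, the Configuration Group hosts, and the Cryptography fields) and verifies the rules this topic states before you save and restart: every host is a fully-qualified domain name, every host appears in the Subject Alternative Name DNS names or IP addresses, the Dispatcher URI for external applications and the Content Manager URIs use the external dispatcher's scheme and port, and an internal dispatcher that differs from the external one in scheme or port is flagged so that you remember the server.xml edit and firewall rule from Before you begin. The field names are the configuration labels from this topic; the sample values are constructed, and the ERROR/NOTE distinction is this example's own convention.

```python
# Added example (not IBM code): validate Cognos Configuration SSL values against
# the rules in this topic. Field names are the labels from IBM Cognos Configuration;
# sample values below are constructed.
import ipaddress
from urllib.parse import urlsplit

URI_FIELDS = [
    "Gateway URI",
    "External dispatcher URI",
    "Internal dispatcher URI",
    "Dispatcher URI for external applications",
    "Content Manager URIs",
]
HOST_FIELDS = ["Group contact host", "Member coordination host", "Server common name"]


def _scheme_host_port(uri):
    p = urlsplit(uri)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError(f"not an http(s) URI: {uri}")
    port = p.port if p.port is not None else (443 if p.scheme == "https" else 80)
    return p.scheme, p.hostname, port


def _is_fqdn(host):
    try:
        ipaddress.ip_address(host)
        return False  # an IP literal is not a host name
    except ValueError:
        return "." in host and host.lower() != "localhost"


def check_ssl_config(cfg):
    """Return a list of findings; an empty list means the values satisfy the topic's rules.
    ERROR: the topic says this must not happen. NOTE: allowed, but needs the extra steps."""
    findings = []
    san_dns = {h.lower() for h in cfg["SAN DNS names"].split()}   # space-separated, per the topic
    san_ip = set(cfg["SAN IP addresses"].split())

    def require_in_san(value, field):
        if value.lower() not in san_dns and value not in san_ip:
            findings.append(f"ERROR: {field}: {value!r} is not in Subject Alternative Name DNS names or IP addresses")

    parsed = {}
    for field in URI_FIELDS:
        for uri in cfg[field].split():       # Content Manager URIs may list several
            scheme, host, port = _scheme_host_port(uri)
            parsed.setdefault(field, []).append((scheme, host, port))
            if not _is_fqdn(host):
                findings.append(f"ERROR: {field}: host {host!r} is not a fully-qualified domain name")
            require_in_san(host, field)

    for field in HOST_FIELDS:
        if not _is_fqdn(cfg[field]):
            findings.append(f"ERROR: {field}: {cfg[field]!r} is not a fully-qualified domain name")
        require_in_san(cfg[field], field)

    ext_scheme, _, ext_port = parsed["External dispatcher URI"][0]
    for field in ("Dispatcher URI for external applications", "Content Manager URIs"):
        for scheme, _, port in parsed[field]:
            if (scheme, port) != (ext_scheme, ext_port):
                findings.append(f"ERROR: {field}: {scheme}:{port} does not match the external dispatcher {ext_scheme}:{ext_port}")

    int_scheme, _, int_port = parsed["Internal dispatcher URI"][0]
    if (int_scheme, int_port) != (ext_scheme, ext_port):
        findings.append("NOTE: Internal dispatcher URI differs from External dispatcher URI in scheme or port: "
                        "set host=\"*\" on defaultHttpEndpoint in server.xml and firewall the internal port")
    return findings


# Constructed sample: one server hosting Content Manager and the Application Tier, SSL everywhere.
GOOD_CONFIG = {
    "Gateway URI": "https://ca1.example.com:443/ibmcognos/bi/v1/disp",
    "External dispatcher URI": "https://ca1.example.com:9300/p2pd/servlet/dispatch",
    "Internal dispatcher URI": "https://ca1.example.com:9300/p2pd/servlet/dispatch",
    "Dispatcher URI for external applications": "https://ca1.example.com:9300/p2pd/servlet/dispatch",
    "Content Manager URIs": "https://ca1.example.com:9300/p2pd/servlet",
    "Group contact host": "ca1.example.com",
    "Member coordination host": "ca1.example.com",
    "Server common name": "ca1.example.com",
    "SAN DNS names": "ca1.example.com",
    "SAN IP addresses": "192.0.2.10",
}
# Same server, but the internal dispatcher was left at the default localhost/http value.
BAD_CONFIG = dict(GOOD_CONFIG, **{"Internal dispatcher URI": "http://localhost:9400/p2pd/servlet/dispatch"})

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_ssl_config(cfg) or "OK")
```

Run it with the values you are about to save; fix every ERROR before restarting, and treat a NOTE as a reminder that the server.xml change and the firewall rule from Before you begin still apply.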