Configuring Cognos TM1 Applications to use SSL

To configure IBM Cognos TM1 Applications to use SSL, you configure SSL for the other Cognos TM1 components that interact with Cognos TM1 Applications, configure the web servers that support Cognos TM1 Applications, and edit the Cognos TM1 Applications configuration.

1. Configure TM1 Admin Server to use SSL.

   See Configuring the Cognos TM1 Admin Server to use SSL.

2. Configure TM1 Server to use SSL.

   See Configuring the Cognos TM1 Server to use SSL.

3. Configure TM1 Web to use SSL.

   See Configuring Cognos TM1 Web to use SSL.

4. Copy your certificate files into the Cognos TM1 Applications SSL folder:

   Cognos TM1 install location\webapps\pmpsvc\WEB-INF\bin\ssl

5. If you are using your own certificates, import them as follows.
   1. On the computer running Cognos TM1 Admin Server, use IBM Cognos Configuration to update the SSL parameters for the Admin Server.

      See Editing SSL parameters in Cognos Configuration to use independent certificates.

   2. On the computer running Cognos TM1 Server, run the tm1crypt.exe tool

      See Running the TM1Crypt utility.

   3. For Cognos TM1 Applications, see Importing third-party CA SSL certificates into TM1 Application Server.
6. In the Cognos Configuration tool change the TM1 Application Server Gateway URI and External Server URI to use the https prefix.
7. Save the configuration and restart the TM1 Applications Server.
8. On the computer running the Cognos TM1 Application Server, edit the Cognos TM1 Applications configuration file, fpmsvc_config.xml.
   1. Open the fpmsvc_config.xml file:
      • If you deployed Cognos TM1 Applications with the provided Apache Tomcat, look for the file here:

        Cognos TM1 install location\webapps\pmpsvc\WEB-INF\configuration

      • If you deployed with a different web application server, look for the file here:

        program files for web application server\webapps\pmpsvc\WEB-INF\configuration

   2. Edit or add the following entry under the </tm1><servers> section:

      <certificate authority="authority_file_name" id="id_name" />

      where authority_file_name is the name of the certificate file and id_name is the certificate name. This file is expected to be found in the folder:

      Cognos TM1 install location\webapps\pmpsvc\WEB-INF\bin\ssl

      Remember: You must manually copy this file to this location.
   3. To specify an SSL certificate revocation list, use the optional revocationList attribute. If specified, the file with the same name is expected to be in the \pmpsvc\WEB-INF\bin\ssl folder.
   4. To specify authority and certificate id for a Cognos TM1 Admin Server, add the same <certificate authority /> section under the admin_host section. If a certificate is not specified, the default one is used.
9. Update the URL configuration for the Cognos TM1 Application Web client:
   1. Log in to Cognos TM1 Applications.
   2. Click the Administer IBM Cognos TM1 Applications icon on the toolbar of the Cognos TM1 Applications main page.
   3. Click the TM1 Application Web check box and then click Edit.
   4. Update the value in the URL field to the secure URL for your installation of Cognos TM1 Web. For example:

      https://web server name:9510/tm1web/Contributor.jsp

   5. Click OK.
10. Import TM1 Applications SSL certificate to the Java client keystore.
    1. Export the TM1 Applications root SSL certificate:

       Line breaks shown for publishing purposes only.

       cd <install>\tm1_64\bin 
       ThirdPartyCertificateTool.bat -E -T -r 
       c:\tmp\cacert.cer -k 
       "<install>/tm1_64/configuration/signkeypair/jCAKeystore" 
       -p NoPassWordSet

    2. Import the ssl certificate to the Java keystore.

       cd <install>\tm1_64\bin64\jre\7.0\bin
       keytool -import -file c:\tmp\cacert.cer -keystore "
       <install>\tm1_64\bin64\jre\7.0\lib\security\cacerts" 
       -storepass changeit -alias TM1ApplicationsSSL