Additional configuration steps needed to monitor the TM1 Applications Server in the 10.1.1 TM1 Operations Console

Content

The IBM Cognos TM1 Operations Console can monitor the activity of the TM1 Applications Server. You can also use SSL to ensure that this activity is monitored securely however SSL is not required..

Without SSL security

Follow these steps to configure the TM1 Operations Console to monitor a TM1 Applications Server:

1. Install and run the TM1 Operations Console and the TM1 Applications Server you want to monitor. This step requires the introduction of a security certificate into the Java store. See the IBM Cognos TM1 Operations Console Guide for details on how to install that certificate. You need that certificate regards of whether you choose to take the additional steps required to use SSL.


2. As of TM1 10.1.1, when you add a new Operations Group in the TM1 Operations Console, two server objects get added: an Applications Server and a server.




3. 


4. Right-click the Applications Server and select Add machine.
5. Enter a name to use to identify this TM1 Application Server.
6. Right-click the machine that you just added and select Configure.
7. Complete the fields on that dialog box as described here:

IP: enter the IP address for the Applications Server. The IP field can also be the fully-qualified domain name or the NetBIOS name.
Context: enter the name of the planning service, for example, pmpsvc
Port number: enter the port number specified in the JVM for TM1. This port number is the jmx port number that you have specified in the applications server JRE options.
Top Refresh period (sec): enter 2
Top Tolerance Factor (sec):enter 0
Top Time Out (sec): enter 1

7. Click OK.

If the TM1 Applications Server is running, the health status becomes green and the activity is being monitored. If the TM1 Application Server status is not green, ensure that the service is running using IBM Cognos Configuration.

Using SSL to monitor TM1 Application Server

In order to use SSL, you need to create a security certificate on the machine where the TM1 Applications Server is running, then export that certificate to the TM1 Operations Console machine and configure the TM1 Operations Console machine so that it uses that new certificate store.

Depending on whether you are on a 32-bit or 64-bit system, the install location is either c:\Program Files\ibm\cognos\tm1_64 or c:\Program Files\ibm\cognos\tm1

The location where the jre store is located is either:

c:\Program Files\ibm\cognos\tm1_64\bin64\jre\6.0\bin

or

c:\Program Files\ibm\cognos\tm1\bin\jre\6.0\bin

The java certificate store location is either:

c:\Program Files\ibm\cognos\tm1_64\bin64\jre\6.0\lib\security\cacerts

or

c:\Program Files\ibm\cognos\tm1\bin\jre\6.0\lib\security\cacerts

The certificate store has a default password of changeit. If you have secured your certificate store with another password, use that instead.

These instructions assume you have already imported the applixca.pem certificate into the Java store using the 64-bit command (no line breaks):

( keytool -import -file "c:\Program Files\ibm\cognos\tm1_64\bin64\ssl\applixca.pem" -keystore "c:\Program Files\ibm\cognos\tm1_64\bin64\jre\6.0\lib\security\cacerts" )

or

the 32-bit command:

( keytool -import -file "c:\Program Files\ibm\cognos\tm1\bin\ssl\applixca.pem" -keystore "c:\Program Files\ibm\cognos\tm1\bin\jre\6.0\lib\security\cacerts" )

On a 64-bit machine there are two JREs shipped with IBM Cognos TM1:

o install_location\bin\jre\6.0\bin

o install_locatio\bin64\jre\6.0\bin

This is why there are two cacert stores on 64-bit machines.

The 64-bit installation by default runs Apache Tomcat using the jre in the bin64 directory (install_location\bin64\jre\6.0\bin ) and the instructions therefore add the certificate to the certificate store in the bin64 directory installation_location\bin64\jre\6.0\lib\security\cacerts.

You can create the certificate in a different location as long as the TM1 Application is configured to use that certificate store as described here.

Creating the SSL certificates

1. Stop Apache Tomcat if it is running.

2. Use the following command to create a self-signed certificate into your Java store (no line breaks and replace tm1_64 with tm1 if you are on a 32-bit machine):

keytool -keystore "c:\Program Files\ibm\cognos\tm1_64\bin64\jre\6.0\lib\security\cacerts" -alias jmx -genkey -keyalg RSA -dname "CN=${pki-cn}, OU=${pki-ou}, O=${pki-o}, L=${pki-l}, S=${pki-s}, C=${pki-c}"

-storepass changeit -keypass changeit

3. To configure your TM1 Application service to use this certificate store add or modify the following Java Version Management (JVM) parameters as appropriate for your installation:

-Dcom.sun.management.jmxremote.port=7999
-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.password=false
-Djavax.net.ssl.keyStore=jre\6.0\lib\security\cacerts

Note: The port number set here is used later in the process when you configure the TM1 Applications Server in the TM1 Operations Console: -Dcom.sun.management.jmxremote.port=7999

To use the Tomcat service helper to make these changes use a command prompt to go to c:\Program Files\ibm\cognos\tm1_64\tomcat\bin and enter

run tomcat6w.exe //ES//pmpsvc

3. Restart Apache Tomcat to pick up these changes.

4. Export the certificate from this server store to the machine running TM1 Operations Console (client) Replace tm1_64 with tm1 if needed.:

keytool -export -alias "jmx" -file jmx -keystore “c:\Program Files\ibm\cognos\tm1_64\bin64\jre\6.0\lib\security\cacerts”

5. Enter the keystore password: changeit

to create a cert file called "jmx" in the current directory.

6. Copy the certificate from the server jvm to the client jvm

7. Use the following command to import ssl to the client (machine running the TM1 Operations Console) cacert store (replace tm1_64 with tm1 if needed)..

keytool -import -file "jmx" -alias jmx -keystore “c:\Program Files\ibm\cognos\tm1_64\bin64\jre\6.0\lib\security\cacerts”

8. To configure your TM1 Application service to use this certificate store,
add or modify the following jvm parameter as appropriate for your installation:

-Djavax.net.ssl.keyStore=jre\6.0\lib\security\cacerts

or if you want to use full path (replace tm1_64 as needed)

-Djavax.net.ssl.keyStore=c:\Program Files\ibm\cognos\tm1_64\bin64\jre\6.0\lib\security\cacerts

9. Restart Apache Tomcat to pick up the new certificate.

Configure the TM1 Application Server in the TM1 Operations Console

1. Run the TM1 Operations Console.

2. Create an Operation Group.

As of TM1 10.1.1, this adds 2 entries into the console: Application Server and Server.

3. Right-click the Application Server entry and select Add machine.

4. Enter a name to use to identify this TM1 Applications Server and click Create. This adds that machine to the Application node in the TM1 Operations Console.

5. Right-click the machine you just added and select Configure.

Complete the fields:

IP: enter the fully-qualified or host name of the machine where the TM1 Application Server is running. You can instead enter the IP address.

Context: enter pmpsvrc
Port Number: enter the port number you entered as part of the jvm parameters.
Top Refresh Period (sec): enter 2
Top Tolerance Factor (sec): enter 0
Top Time Out (sec):enter 1

You can adjust these values as appropriate for your installation.

Click OK.

If the connection was successful the View Menu items are enabled.
If they remain disabled check to ensure that the TM1 Applications service is running.

Click the Monitors tab to see the monitoring report. Right-click the TM1 Applications machine name and select View Statistics to populate Apache Tomcat statistics as shown in this sample:

Additional configuration information

TM1 Application Server and TM1 Operations Console on the same Apache Tomcat

If TM1 Application Server and TM1 Operations Console are on the same Tomcat, you do not need to export and import into the certificate store. The certificate just needs to be created.

Using a user-supplied Tomcat

The pathname of the keystore file where you have stored the server certificate to be loaded. By default, the pathname is the file ".keystore" in the operating system home directory of the user that is running Tomcat.

This is the default store if you run TM1 Operations Console from a "vanilla" Tomcat.
Use the JVM parameter -Djavax.net.ssl.keyStore=path to the cert with the jmx cert imported

Set this path for each TM1 Application Server you want to monitor. Use a different alias for the certificate each time, for example jmx-frink.

Running from command line

Warning: Not recommended

It is possible to run Tomcat by running file startup.bat from install_location\tomcat\bin\startup.bat
However, in order to enable monitoring of the TM1 Application Server using TM1 Operations Console, edit the startup.bat file and add the following to the start of the file (replace tm1_64 with tm1 if needed):

set CATALINA_OPTS=-Dcom.sun.management.jmxremote.port=7999 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=true -Dcom.sun.management.jmxremote.password=false -Djavax.net.ssl.keyStore=c:\Program Files\ibm\cognos\tm1_64\bin64\jre\6.0\lib\security\cacerts