When SSL is enabled on the Gateway, in addition to changing the gateway URL to secure HTTPS, you must set up trust between the web server and IBM Cognos Business Intelligence.
One symptom is that pictures do not show up in PDF outputs when using SSL, although they do appear in other output formats. Another symptom could be that Transformer or Framework Manager are unable to read their data sources.
To set up trust, the Cognos administrator must import all the certificates making up the chain of trust for the web server's certificate into IBM Cognos BI's trust store. This chain is made up of all possible intermediate CA certificates and the root CA certificate.
Example: Server Certificate S was signed by Intermediate CA C1, whose certificate in turn was signed by root CA C2.
The administrator would have to import the certificates from C1 and C2, but not S.
The process is as follows:
- Configure your Web server for SSL and start it.
- Obtain the certificates that make up the chain of trust for the Web server's certificate (i.e. all intermediate CA certificates and the trusted root's certificate).
The certificates must be in either Base64-encoded ASCII (PEM) or DER format to be readable by ThirdPartyCertificateTool.
You must not use a self-signed server certificate; only CA certificates are valid.
Resolving The Problem
For every installation running (Batch) Report Service that uses the SSL-enabled Gateway, apply the following steps:
- Stop the product
- Open Cognos Configuration and change the Gateway URL to use HTTPS instead of HTTP
- Save the configuration but don't start yet
- Using the ThirdPartyCertificateTool from the /bin directory of your IBM Cognos installation, import all the certificates from the chain of trust into the IBM Cognos truststore.
Start with the root CA certificate and work your way down to the last possible intermediate CA certificate.
For Windows, repeat the following command for each certificate:
ThirdPartyCertificateTool.bat -T -i -r CA_certificate_fileName -D ../configuration/signkeypair -p password
For UNIX and Linux, repeat the following command for each certificate:
ThirdPartyCertificateTool.sh -T -i -r CA_certificate_fileName -D ../configuration/signkeypair -p password
Tip: The password is generally set by your administrator; the default is "NoPassWordSet".
- Note: In Cognos Business Intelligence version 10.2.2, you can no longer use the -D flag to specify a key store location. For example, the following command:
In version 10.2.2 the command should be:
ThirdPartyCertificateTool.sh -c -s -d "CN=SignCert,O=MyCompany,C=CA" -r signRequest.csr -p NoPassWordSet
The -D flag is no longer used.
- Start your IBM Cognos BI system
- Access the Gateway and import the presented certificate into your browser to avoid getting reprompted on every new session.
- Follow the previous steps for all client components on Windows (FM, Transformer, PowerPlay client, Cube Designer, etc.). For Transformer on Linux or UNIX, use ThirdPartyCertificateTool.sh.
To verify the trust, create and run a report containing pictures that are fetched via the Gateway (not the local file system) in PDF output format. If they appear, trust is established.
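The import step above asks for the root CA certificate first, then each intermediate CA, and never the server certificate. The following script is an added example, not IBM code: it works out that order for a linear chain from a set of PEM files and prints the UNIX import command for each. It assumes the openssl CLI is on the PATH, one certificate per file, and file names without whitespace; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not IBM code. Assumes the openssl CLI is on PATH, one PEM
# certificate per file, and file names without whitespace.

is_ca()      { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
subject_id() { openssl x509 -in "$1" -noout -subject_hash; }
issuer_id()  { openssl x509 -in "$1" -noout -issuer_hash; }

# Print the given certificate files root CA first, then each intermediate CA
# in signing order. Non-CA certificates (server certificate S) are skipped.
import_order() {
    root=""; pending=""
    for f in "$@"; do
        if ! is_ca "$f"; then
            echo "skipping $f: not a CA certificate" >&2
        elif [ "$(subject_id "$f")" = "$(issuer_id "$f")" ]; then
            root="$f"                      # self-issued CA certificate = root
        else
            pending="$pending $f"
        fi
    done
    [ -n "$root" ] || { echo "no root CA certificate supplied" >&2; return 1; }
    echo "$root"
    parent=$(subject_id "$root")
    while [ -n "$pending" ]; do
        next=""; rest=""
        for f in $pending; do
            if [ -z "$next" ] && [ "$(issuer_id "$f")" = "$parent" ]; then
                next="$f"
            else
                rest="$rest $f"
            fi
        done
        [ -n "$next" ] || { echo "chain broken after subject hash $parent" >&2; return 1; }
        echo "$next"
        parent=$(subject_id "$next")
        pending="$rest"
    done
}

# Print (not run) the page's UNIX import command for each file, in order.
if [ "$#" -gt 0 ]; then
    import_order "$@" | while read -r cert; do
        echo "ThirdPartyCertificateTool.sh -T -i -r $cert -D ../configuration/signkeypair -p password"
    done
fi
```

A "chain broken" or "no root CA certificate supplied" message means a certificate is missing from the set, which is the condition that leaves trust incomplete after import.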
Tip: Tools such as IKeyMan, OpenSSL, KeyStoreExplorer, or Portecle can be used to verify the import into the truststore.
Note that keytool (part of SUN JREs) won't show the signer certificates in a PKCS12 keystore!
For IKeyMan, choose to open a PKCS12 type file and find <COG_INSTALL>/configuration/signkeypair/jCAKeystore. Make sure you select "Signer Certificates" from the drop-down to view the imported CA certificates instead of the CA keypair contained in this file.
For OpenSSL, use a command like:
openssl pkcs12 -info -in <COG_INSTALL>/configuration/signkeypair/jCAKeystore
For KeyStoreExplorer or Portecle, o
15 June 2018