Question & Answer
This Technote provdies guidelines for configuring custom SSL certificates for the TM1 Server and TM1 Admin Server components for Planning Analytics 2.0 and 2.0.1. These steps are specific to Planning Analytics 2.0 and 2.0.1 only. To configure custom SSL certificates for the TM1 Admin Server and TM1 Server in version 10.2.2 and lower please see: http://www-01.ibm.com/support/docview.wss?uid=swg21998260.
Generate the Custom SSL Keystore and Certificate
Planning Analytics 2.0 and 2.0.1 includes the gsk8capicmd_64.exe program in the .\tm1_64\bin64\ directory that can be used to create and populate a keystore database that will be used by the TM1 Admin Server and TM1 Server.
The following commands and run from the D:\Program Files\ibm\cognos\tm1_64\bin64\ directory. In this example assume Planning Analytics 2.0 is installed to D:\Program Files\ibm\cognos\tm1_64\
1 - Create a new keystore database file
gsk8capicmd_64 -keydb -create -populate -db D:\Program Files\ibm\cognos\tm1_64\bin64\\ssl\custom.kdb -type cms -pw changeit -stash
2 - Request a certificate from the keystore database created in step 1
gsk8capicmd_64 -certreq -create -db D:\Program Files\ibm\cognos\tm1_64\bin64\ssl\custom.kdb -stashed -label tm1server -dn "CN=tm1server.canlab.ibm.com,O=IBM" -file D:\Program Files\ibm\cognos\tm1_64\bin64\ssl\cert_request.arm –size 2048
The CN value should match the fully qualified domain name of the system where the TM1 Server is installed.
3 - Provide the certificate request (cert_request.arm file) to the Certificate Authority for signing. The Certificate Authority will provide both an issued cert (tm1server.cer in this example) and a CA certificate (ca.cer in this example). Multiple CA certs will typically be stored in a single file. It is common for a Certificate Authority to provide both the issued cert and CA certs in a single file.
4 - Add the CA certs into the keystore
gsk8capicmd_64 -cert -add -db D:\Program Files\ibm\cognos\tm1_64\bin64\ssl\custom.kdb -stashed -label tm1serverca -file D:\Program Files\ibm\cognos\tm1_64\bin64\ssl\ca.cer -format ascii -trust enable
5 - Receive the issued cert into the keystore
gsk8capicmd_64 -cert -receive -db D:\Program Files\ibm\cognos\tm1_64\bin64\ssl\custom.kdb -stashed -file .\ssl\tm1server.cer -default_cert yes
Additional steps for UNIX and Linux environments:
1 - Add the Planning Analytics bin64 directory to the library path environment variable (LD_LIBRARY_PATH on Linux and LIBPATH on AIX) before running gsk8capicmd_64. For example:
The gsk8capicmd_64 program will fail to run with a missing lib error if the library path variable is not set correctly.
2 - The gsk8capicmd_64 file in the bin64 is missing the execute permission by default. To add the missing execute permissions run the following command from the bin64 directory.
chmod +x gsk8capicmd_64
Configure the TM1 Admin Server to use the Custom SSL Certificate
Point the following TM1 Admin Server settings to the custom.kdb and custom.sth in Cognos Configuration.
Restart the TM1 Admin Server service.
* There is a known defect in the PA 2.0 release where the Server certificate parameter in the above settings is incorrectly referenced in the .\tm1_64\configuration\cogstartup.xml file. To correct this problem the cogstartup.xml file must be manually updated to change this line:
Note that saving from Cognos Configuration will reset the above line to the incorrect value. For this reason it's recommended to make sure the certificate being used is the default certificate in the key database, and leave the Server certificate parameter empty in Cognos Configuration.
Configure the TM1 Server to use the Custom SSL Certificate
Edit the tm1s.cfg file to include the following lines.
Restart the TM1 Server service.
Configure TM1 Architect and TM1 Perspectives to use the Custom SSL Certificate
Create a file named tm1api.config in the <TM1 Client>\bin\ or <TM1 Client>\bin64\ directory of the TM1 client install depending on the bit variant of the TM1 Client install.
Update the contents of the tm1api.config file with the following line:
No changes in the options for Cognos TM1 Architect or Perspectives are required.
Configure TM1Web to use the Custom SSL Certificate
The CA certs must be imported into the .\tm1_64\bin64\ssl\ttm1store certificate store file in the TM1Web installation. To import the CA certs the Java keytool command found in the D:\Program Files\ibm\cognos\tm1_64\bin64\jre\7.0\bin\ directory can be used as follows.
keytool.exe -import -trustcacerts file "D:\Program Files\ibm\cognos\tm1_64\bin64\ssl\ca.cer" -keystore "D:\Program Files\ibm\cognos\tm1_64\bin64\ssl\tm1store" -alias tm1cacert -storepass applix
The above command assumes all CA certs are contained in a file named ca.cer that is already copied into the D:\Program Files\ibm\cognos\tm1_64\bin64\ssl\ directory.
Restart the IBM Cognos TM1 service from the Windows services list or Cognos Configuration after making the above changes.
Configure TM1 Applications (pmpsvc) to use the Custom SSL Certificate
Make sure the custom.kdb and custom.sth file are copied into the D:\Program Files\ibm\cognos\tm1_64\bin64\ssl\ directory of the TM1 Server install that includes the pmpsvc web application.
Create a file named tm1api.config in the D:\Program Files\ibm\cognos\tm1_64\bin64\ directory of the TM1 Server install containing the pmpsvc web applications.
Update the contents of the tm1api.config file similar to this:
Update the D:\Program Files\ibm\cognos\tm1_64\wlp\usr\servers\tm1\jvm.options file to include the following line:
Restart the IBM Cognos TM1 service (WebSphere Liberty Profile).
15 June 2018