IBM Support

How to Configure Planning Analytics to Connect to an SSL Secured Cognos Dispatcher

Troubleshooting


Problem

If you intend to use CAM Security (IntegratedSecurityMode=5) for your Planning Analytics authentication and your Cognos Dispatcher is secured with SSL, you must perform additional steps to ensure that the Cognos Dispatcher certificate authorities are trusted by the Planning Analytics keystore.  

Symptom

-If your TM1 Server does not trust the Cognos Dispatcher certificate authorities, you may receive a SystemServerClientNotFound error when logging in to Architect/Perspectives.
-If your Planning Analytics Application Server does not trust the Cognos Dispatcher certificate authorities, you may encounter a logon loop when accessing the PMPSVC page.

Resolving The Problem

In this document, the example given uses the DEFAULT CAMUSER certificate.  The CAMUSER certificate is created when you secure your Cognos Dispatcher(s) by simply changing your configuration from HTTP to HTTPS.  By default, IBM Cognos Analytics components use an internal certificate authority (CA) to establish the root of trust in the IBM Cognos security infrastructure.

If you want to use certificates that are managed by another service, see Configuring IBM Cognos components to use another certificate authority: https://www.ibm.com/support/knowledgecenter/SSEP7J_11.0.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/c_configuringreportnettouseathird-partycertificateauthority.html
 

UPDATE THE TM1S.CFG FILE PARAMETERS TO ALLOW FOR SSL SECURED CAM DISPATCHER

  1. Update the tm1s.cfg file(s) for your environment, to ensure that the following parameter is set:
    CAMUseSSL=T
  2. Save and close the file
     

DOWNLOAD THE COGNOS DISPATCHER CERTIFICATES

  1. In your web browser (this example will use Google Chrome, if using a different browser you will need to adjust accordingly), connect to your Cognos Dispatcher URL (example: https://servername.domain.com:9300/p2pd/servlet/dispatch/)
  2. Click the appropriate button(s) to expose the Certificate properties
    image 1319
  3. Click the Certification Path tab to observe the chain of authority for your certificate.  In this example, we see that there are two certificates securing the Cognos Dispatcher.  You must select each certificate above the last certificate in the chain, and click View Certificate.  In this example, there is only one certificate above the last certificate in the chain...if you have more than one in your implementation, you must repeat these steps for each one.
    image 1321
  4. After clicking View Certificate, click the Details tab of the new Certificate window.  On the details tab click Copy to File...
    image 1322
  5. Follow the Certificate Export Wizard prompts.  Export the certificate using the Base-64 encoded X.509 format.  Then, export the certificate and save it to the <tm1 install dir>\bin64\ssl\ folder of your PA Install, and provide an appropriate name (in this example, we call the certificate caRoot.cer)
    image 1323
  6. Open the exported certificate in the <tm1 install dir>\bin64\ssl\ directory to confirm that the correct certificate had been obtained
    image 1325


IMPORT THE COGNOS DISPATCHER CERTIFICATE(S) TO THE PLANNING ANALYTICS KEYSTORES

  1. First, you must import the certificate(s) to the TM1 Server keystore to allow for authentication (as the TM1 Server must communicate with the Cognos Dispatcher URL during the authentication process).  Open Command Prompt as an Administrator and navigate to the <tm1 install dir>\bin64\ directory.
  2. Execute the following command to import/trust the certificate (modify as required for path and filename): gsk8capicmd_64 -cert -add -db "C:\Program Files\ibm\cognos\tm1_64\bin64\ssl\ibmtm1.kdb" -stashed -label caRoot -file "C:\Program Files\ibm\cognos\tm1_64\bin64\ssl\caRoot.cer" -format ascii -trust enable
    image 1329
  3. We must also import/trust the certificate(s) to the CAMKeystore, used by TM1Web.  Open Command Prompt as an Administrator and navigate to the <tm1 install dir>\bin64\ directory.
  4. Execute the following command to import/trust the certificate (modify as required for path and filename): gsk8capicmd_64 -cert -add -db "C:\Program Files\ibm\cognos\tm1_64\configuration\certs\CAMKeystore" -pw "NoPassWordSet" -label caRoot -file "C:\Program Files\ibm\cognos\tm1_64\bin64\ssl\caRoot.cer" -format ascii -trust enable
    image 1330
  5. Lastly, the JAVA Keystore used by PMPSVC.  Open Command Prompt as an Administrator and navigate to the <tm1 install dir>\bin64\jre\bin\ directory.
  6. Execute the following command to import/trust the certificate (modify as required for path and filename): keytool.exe -import -trustcacerts -file "C:\Program Files\ibm\cognos\tm1_64\bin64\ssl\caRoot.cer" -keystore "C:\Program Files\ibm\cognos\tm1_64\bin64\ssl\tm1store" -alias caRoot -storepass applix
    **When prompted, type yes
    image 1331
After having completed all of the above steps, you must recycle all of your Planning Analytics services.  Note that in distributed environments, the above steps must be followed on the appropriate servers/tiers.
Once the services have been recycled, you should now be able to log in to Planning Analytics successfully.



 

    Related Information

    Document Location

    Worldwide

    [{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSCTEW","label":"IBM Planning Analytics Local"},"Component":"","Platform":[{"code":"PF033","label":"Windows"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

    Document Information

    Modified date:
    19 July 2019

    UID

    ibm10959835