IBM Support

How to Configure SSL for IBM Planning Analytics Spreadsheet Services (Using Existing Keystore)

How To


Summary

In 2020, IBM released Planning Analytics Spreadsheet Services (TM1Web). See https://www.ibm.com/support/pages/download-ibm-planning-analytics-local-v20-planning-analytics-spreadsheet-services-release-55-fix-central

The steps in the document will guide you in securing your IBM Planning Analytics Spreadsheet Services using a custom keystore.

Steps

*Before you begin, your keystore/certificate file must already be in PKCS12/PFX format and contain the complete certificate chain
**You will also need the password for the PKCS12/PFX file you are using
***In this document the file name 'customKeystore.pfx' will be used
****The file must be placed in the '<install_dir>\tm1web\bin64\ssl\' directory

CONFIGURE PA SPREADSHEET SERVICES APPLICATION SERVER WITH CUSTOM KEYSTORE

  1. Ensure that your IBM Planning Analytics Spreadsheet Service is not running, stop the serviceimage 5711
  2. Open the following file with your text editor: <install_dir>\tm1web\wlp\usr\servers\tm1web\server.xml
    *Ensure the file is backed up prior to making any changes
  3. Update the httpPort and httpsPort to reflect the ports you would like to use.  To disable http altogether, set httpPort to httpPort="-1".  For example:
    image 5723
  4. Remove the following lines from the server.xml file:
    image 5724
  5. Still within the server.xml file, add the following under the last <application> tag:  <keyStore id="defaultKeyStore" location="${wlp.user.dir}/../../bin64/ssl/customKeystore.pfx" password="admin1234EXPORT" />
    image 5727
  6. Save and close the server.xml file
  7.  Open Command Prompt as an Administrator.  Navigate to <install_dir>\tm1web\jre\bin\
    image 5728
  8. As TM1Web is using a new keystore, you must include the TM1 Server certificates in the keystore file or you will be unable to see your TM1 Servers.  Execute the following command: keytool -importcert -keystore ..\..\bin64\ssl\customKeystore.pfx -storepass admin1234EXPORT -storetype pkcs12 -noprompt -alias ibmtm1 -file ..\..\bin64\ssl\ibmtm1.arm
    image 5729
  9. If you communicate with any other TM1 Servers or Applications that use different certificates, you must repeat the previous step - importing any additional certificates you require.
  10. Planning Analytics Spreadsheet Service also requires that you update the tm1store keystore file to include the Root and Intermediate CA.  Copy your Root and Intermediate certificate files to your \tm1web\bin64\ssl\ directory.  In this technote the Root and Intermediate CA files are named ca.cert.pem and intermediate.cert.pem.
  11. Within the \tm1web\jre\bin\ directory, in Command Prompt, run the following commands to update the tm1store file with your certificates:
    keytool.exe -import -trustcacerts -file "..\..\bin64\ssl\ca.cert.pem" -keystore "..\..\bin64\ssl\tm1store" -alias ca -storepass applix
    keytool.exe -import -trustcacerts -file "..\..\bin64\ssl\intermediate.cert.pem" -keystore "..\..\bin64\ssl\tm1store" -alias intca -storepass applix
  12. In Windows Services, start your IBM Planning Analytics Spreadsheet Service
    image 5730



VALIDATE YOUR PLANNING ANALYTICS SSL CONFIGURATION

The following validation steps use the Chrome web browser.  If you are using another browser, you will need to adjust the steps as required.

  1. After the service has started, access your TM1Web URL using Chrome, for example:  https://fish2k16.canlab.ibm.com:9510/tm1web
  2. You may encounter a warning.  If you do, it is likely because you have not yet told your computer to trust the Root Certificate Authority and Intermediate Certificate Authority used to sign the Planning Analytics certificate.  Otherwise, there may be problem with your certificate.  To resolve the untrusted certificate warning, see the following technote: http://www.ibm.com/support/docview.wss?uid=ibm10879929
    image 1151
  3. Assuming your certificates are valid and trusted, you should see the following:
    image 1152
  4. Should you not see any TM1 Servers appear in your list of servers, you may not have imported the TM1 Server certificate in to your keystore.  Please see step 8 in the CONFIGURE PA SPREADSHEET SERVICES APPLICATION SERVER WITH CUSTOM KEYSTORE section of this document.


ADDITIONAL CONSIDERATIONS

Document Location

Worldwide

[{"Line of Business":{"code":"LOB10","label":"Data and AI"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSD29G","label":"IBM Planning Analytics"},"ARM Category":[{"code":"a8m0z000000cwgYAAQ","label":"How to"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"}]

Document Information

Modified date:
17 February 2021

UID

ibm16323649