IBM Support

How to Configure SSL on Planning Analytics Web Tier using GSKit (Using Existing Signed Certificate)

How To


Summary

The steps in this document guide you through using the IBM Global Security Kit (GSKit) to secure your Planning Analytics Web Tier with a certificate that has already been signed.

Steps

*Before you begin, your certificate file must already be in PKCS12/PFX format
 

CREATE A NEW KEYSTORE AND IMPORT ALREADY SIGNED CERTIFICATE

  1. Ensure that your Web Tier is not running: stop the IBM Cognos TM1 service.
  2. In Windows Explorer, navigate to <install_dir>\tm1_64\configuration\certs\.  
    Back up or remove the CAMKeystore and CAMKeystore.lock files if they exist.  If they do not exist, skip to the next step.
  3. Open Command Prompt as an Administrator.  Navigate to <install_dir>\tm1_64\bin64\
  4. Execute the following command to create a new CAMKeystore:
    gsk8capicmd_64 -keydb -create -db "..\configuration\certs\CAMKeystore" -pw "NoPassWordSet" -type pkcs12
  5. GSKit does not allow a keystore file to be created without an extension, so it adds one.  Planning Analytics looks only for a keystore named 'CAMKeystore', so the extension must be removed manually.  Rename the CAMKeystore.p12 file to CAMKeystore using the following command:
    rename "..\configuration\certs\CAMKeystore.p12" "CAMKeystore"
  6. In this next step, you will import the already signed certificate from a different keystore.  The keystore you are importing from must be in PKCS12/PFX format.  The command you run will look like:
    gsk8capicmd_64 -cert -import -db "..\configuration\certs\canlabWC.pfx" -pw admin1234EXPORT -target "..\configuration\certs\CAMKeystore" -target_pw NoPassWordSet
    *Prior to running this step, ensure that you copy your .PFX file into the \configuration\certs\ folder of your Planning Analytics install
      **The -db parameter should reflect your PKCS12/PFX file that contains your signed certificate
      **The -pw parameter should reflect the password to your PKCS12/PFX file
      **The -target parameter should reflect the CAMKeystore keystore in your PA install
      **The -target_pw should reflect the password of the CAMKeystore keystore in your PA install
  7. After importing your certificate to the CAMKeystore, list the contents of the CAMKeystore to review using the following command:
    gsk8capicmd_64 -cert -list -db "..\configuration\certs\CAMKeystore" -pw NoPassWordSet
  8. The TM1 Application server is hardcoded to look for a certificate with the name 'encryption'.  Run the following command to change the name/label of your certificate:
    gsk8capicmd_64 -cert -rename -db "..\configuration\certs\CAMKeystore" -pw NoPassWordSet -label CN=*.canlab.ibm.com,OU=Support,O=IBM,L=Ottawa,ST=Ontario,C=CA -new_label encryption
  9. Because we are using a new keystore, we must also import the default TM1 certificates so that the Web Tier can communicate with the TM1 Admin Host / TM1 Server.  Execute the following command:
    gsk8capicmd_64 -cert -add -db "..\configuration\certs\CAMKeystore" -pw "NoPassWordSet" -label tm1 -file "..\bin64\ssl\ibmtm1.arm" -format ascii -trust enable
  10. Run the following command to list all of the certificates in your CAMKeystore file to ensure all is correct:
    gsk8capicmd_64 -cert -list -db "..\configuration\certs\CAMKeystore" -pw NoPassWordSet
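
The review in step 10 can be scripted. The following is an added example, not part of the original IBM document: it checks the listing for a personal certificate labelled 'encryption' and a trusted 'tm1' entry. The listing layout it parses (a marker column followed by the label) is an assumption, and SAMPLE is constructed output.

```python
import re
import subprocess

# Assumed line shape: one or more markers (* default, - personal, ! trusted,
# # secret key), whitespace, then the label, optionally in double quotes.
ENTRY = re.compile(r'^([*!#-]+)\s+"?(.+?)"?$')


def list_keystore(db=r"..\configuration\certs\CAMKeystore", pw="NoPassWordSet"):
    """Run the listing command from step 10 (run from the bin64 folder)."""
    cmd = ["gsk8capicmd_64", "-cert", "-list", "-db", db, "-pw", pw]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def parse_cert_list(output):
    """Return {label: markers} for every certificate line in the listing."""
    entries = {}
    for line in output.splitlines():
        m = ENTRY.match(line.strip())
        if m and not ("personal" in m.group(2) and "trusted" in m.group(2)):
            entries[m.group(2)] = m.group(1)  # header and legend lines are skipped
    return entries


def check_keystore(entries):
    """Return a list of problems; an empty list means steps 6-9 took effect."""
    problems = []
    if "encryption" not in entries:
        dns = [label for label in entries if label.upper().startswith("CN=")]
        hint = f"; rename {dns[0]!r} as in step 8" if dns else ""
        problems.append("no certificate labelled 'encryption'" + hint)
    elif "-" not in entries["encryption"]:
        problems.append("'encryption' is not listed as a personal certificate")
    if "!" not in entries.get("tm1", ""):
        problems.append("'tm1' is missing or not trusted (step 9)")
    return problems


# Constructed sample: the keystore after step 9 when step 8 was skipped.
SAMPLE = (
    "Certificates found\n"
    "* default, - personal, ! trusted, # secret key\n"
    "!\ttm1\n"
    "-\tCN=*.canlab.ibm.com,OU=Support,O=IBM,L=Ottawa,ST=Ontario,C=CA\n"
)

if __name__ == "__main__":
    for problem in check_keystore(parse_cert_list(SAMPLE)):
        print("FAIL:", problem)
```

On the server, replace SAMPLE with the return value of list_keystore().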
 

UPDATE COGNOS CONFIGURATION FOR CUSTOM SSL CERTIFICATES

  1. Open Cognos Configuration for Planning Analytics, as an Administrator
  2. Edit the TM1 Applications Properties.  Update all URI references to use your fully qualified address, and change http to https.
  3. Edit the Local Configuration properties.  Add the property StandaloneCertificateAuthority and set it to True.
  4. Edit the Cryptography > Cognos properties.  Change 'Use third party CA?' to True.
  5. Click the Save button to save the changes.
  6. Start the IBM Cognos TM1 service, and close Cognos Configuration.
 

VALIDATE YOUR PLANNING ANALYTICS SSL CONFIGURATION

The following validation steps use the Chrome web browser.  If you are using another browser, you will need to adjust the steps as required.

  1. After the service has started, access your TM1Web URL using Chrome, for example:  https://fish2k16.canlab.ibm.com:9510/tm1web
  2. You may encounter a warning.  If you do, it is likely because you have not yet told your computer to trust the Root Certificate Authority and Intermediate Certificate Authority used to sign the Planning Analytics certificate.  Otherwise, there may be a problem with your certificate.  To resolve the untrusted certificate warning, see the following technote: http://www.ibm.com/support/docview.wss?uid=ibm10879929
  3. Assuming your certificates are valid and trusted, the TM1Web page should load without the warning.
  4. Should you not see any TM1 Servers appear in your list of servers, you may not have imported the TM1 Server certificate into your new CAMKeystore.  Please see step 9 in the CREATE A NEW KEYSTORE AND IMPORT ALREADY SIGNED CERTIFICATE section of this document.
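
The two causes named in validation step 2 (an untrusted signing CA versus a problem with the certificate itself) can be told apart without a browser. The following is an added example, not part of the original IBM document: it performs the TLS handshake using the trust store Python uses on the client machine and classifies any verification failure. The default port 9510 is taken from the example URL above; the function names are assumptions of this example.

```python
import socket
import ssl
import sys

# OpenSSL verification codes exposed as SSLCertVerificationError.verify_code.
UNTRUSTED_CA = {18, 19, 20, 21}  # self-signed, or issuer not in local trust store
CERT_PROBLEM = {9: "not yet valid", 10: "expired", 62: "hostname mismatch"}


def classify(verify_code):
    """Map a verification code onto the two causes named in validation step 2."""
    if verify_code in UNTRUSTED_CA:
        return "untrusted-ca: import the root/intermediate CA on this client"
    if verify_code in CERT_PROBLEM:
        return "certificate-problem: " + CERT_PROBLEM[verify_code]
    return f"other: verify code {verify_code}"


def probe(host, port=9510, timeout=5.0):
    """Handshake with the Web Tier and report how certificate checks went."""
    ctx = ssl.create_default_context()  # chain and hostname checks enabled
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return f"ok: {tls.version()}, expires {cert['notAfter']}, names {names}"
    except ssl.SSLCertVerificationError as exc:
        return classify(exc.verify_code) + f" ({exc.verify_message})"
    except ssl.SSLError as exc:
        return f"tls-error: {exc}"
    except OSError as exc:
        return f"unreachable: {exc}"


if __name__ == "__main__":
    # Pass the fully qualified host name used in the Cognos Configuration URIs.
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 9510))
```

A "hostname mismatch" result means the host name in the URL is not covered by the names in the certificate, which is why the Cognos Configuration URIs must use the fully qualified address.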

Document Location

Worldwide


Document Information

Modified date:
27 August 2020

UID

ibm10886173