The steps in this document will guide you in using the IBM Global Security Kit (GSKit) to secure your Planning Analytics Web Tier, using a certificate that has already been signed.
CREATE A NEW KEYSTORE AND IMPORT ALREADY SIGNED CERTIFICATE
- Ensure that your Web Tier is not running: stop the IBM Cognos TM1 service.
- In Windows Explorer, navigate to <install_dir>\tm1_64\configuration\certs\.
Back up or remove the CAMKeystore and CAMKeystore.lock files if they exist. If they do not exist, skip to the next step.
- Open Command Prompt as an Administrator. Navigate to <install_dir>\tm1_64\bin64\
- Execute the following command to create a new CAMKeystore: gsk8capicmd_64 -keydb -create -db "..\configuration\certs\CAMKeystore" -pw "NoPassWordSet" -type pkcs12
- As the GSKit does not allow us to create a file without an extension, it adds one for us which we need to remove manually (because Planning Analytics looks only for a keystore with the name 'CAMKeystore'). You can rename the CAMKeystore.p12 file to CAMKeystore using the following command: rename "..\configuration\certs\CAMKeystore.p12" "CAMKeystore"
- In this next step, you will import the already signed certificate from a different keystore. The keystore you are importing from must be in PKCS12/PFX format. The command you run will look like: gsk8capicmd_64 -cert -import -db "..\configuration\certs\canlabWC.pfx" -pw admin1234EXPORT -target "..\configuration\certs\CAMKeystore" -target_pw NoPassWordSet
*Prior to running this step, ensure that you copy your .PFX file into the \configuration\certs\ folder of your Planning Analytics install
**The -db parameter should reflect your PKCS12/PFX file that contains your signed certificate
**The -pw parameter should reflect the password to your PKCS12/PFX file
**The -target parameter should reflect the CAMKeystore keystore in your PA install
**The -target_pw should reflect the password of the CAMKeystore keystore in your PA install
- After importing your certificate to the CAMKeystore, list the contents of the CAMKeystore to review using the following command: gsk8capicmd_64 -cert -list -db "..\configuration\certs\CAMKeystore" -pw NoPassWordSet
- The TM1 Application server is hardcoded to look for a certificate with the name 'encryption'. Run the following command to change the name/label of your certificate: gsk8capicmd_64 -cert -rename -db "..\configuration\certs\CAMKeystore" -pw NoPassWordSet -label CN=*.canlab.ibm.com,OU=Support,O=IBM,L=Ottawa,ST=Ontario,C=CA -new_label encryption
- Because we are using a new keystore, we must also import the default TM1 certificates so that the Web Tier can communicate with the TM1 Admin Host / TM1 Server. Execute the following command: gsk8capicmd_64 -cert -add -db "..\configuration\certs\CAMKeystore" -pw "NoPassWordSet" -label tm1 -file "..\bin64\ssl\ibmtm1.arm" -format ascii -trust enable
- Run the following command to list out all of the certificates in your CAMKeystore file to ensure all is correct: gsk8capicmd_64 -cert -list -db "..\configuration\certs\CAMKeystore" -pw NoPassWordSet
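The final listing can be checked mechanically for the two entries this procedure depends on: the 'encryption' label the TM1 Application server looks for, and the 'tm1' certificate needed to reach the TM1 Admin Host / TM1 Server. The PowerShell below is an added example, not IBM code; the function names, the sample listings and the assumed layout of the `-cert -list` output (flag characters, whitespace, then the label) are assumptions.

```powershell
# Added example, not IBM code. Checks `gsk8capicmd_64 -cert -list` output.
# Assumed line format: flag characters, whitespace, label (optionally quoted),
# with the legend "* default, - personal, ! trusted, # secret key".
function Get-KeystoreEntry {
    param([string[]]$ListOutput)
    foreach ($line in $ListOutput) {
        if ($line -match 'personal,.*trusted') { continue }   # skip the legend line
        if ($line -match '^\s*([*!#-]+)\s+"?(.+?)"?\s*$') {
            [pscustomobject]@{ Flags = $Matches[1]; Label = $Matches[2] }
        }
    }
}

# Emits one message per problem found; emits nothing when both entries look right.
function Test-CamKeystore {
    param([string[]]$ListOutput)
    $entries = @(Get-KeystoreEntry -ListOutput $ListOutput)
    # Exact, case-sensitive match is an assumption; the page gives both labels in lower case.
    $enc = $entries | Where-Object { $_.Label -ceq 'encryption' } | Select-Object -First 1
    $tm1 = $entries | Where-Object { $_.Label -ceq 'tm1' } | Select-Object -First 1
    if (-not $enc) {
        "No certificate labelled 'encryption': the -cert -rename step is missing."
    } elseif ($enc.Flags -notmatch '-') {
        "'encryption' is not a personal certificate: no private key came with it."
    }
    if (-not $tm1) {
        "No 'tm1' entry: ibmtm1.arm was not added, TM1 Servers will not be listed."
    } elseif ($tm1.Flags -notmatch '!') {
        "'tm1' is present but not trusted: re-add it with -trust enable."
    }
}

# Constructed sample: keystore right after -cert -import, before rename and -cert -add.
$afterImport = @(
    'Certificates found',
    '* default, - personal, ! trusted, # secret key',
    '-   CN=*.canlab.ibm.com,OU=Support,O=IBM,L=Ottawa,ST=Ontario,C=CA'
)
# Constructed sample: keystore after every step in this section.
$finished = @(
    'Certificates found',
    '* default, - personal, ! trusted, # secret key',
    '-   encryption',
    '!   tm1'
)
Test-CamKeystore -ListOutput $afterImport
Test-CamKeystore -ListOutput $finished
```

To check a real keystore, run it from <install_dir>\tm1_64\bin64\ and pass the captured output of the listing command above as `-ListOutput`.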
UPDATE COGNOS CONFIGURATION FOR CUSTOM SSL CERTIFICATES
- Open Cognos Configuration for Planning Analytics, as an Administrator
- Edit the TM1 Applications Properties. Update all URI references to contain your fully qualified address, as well as change the http to https.
- Edit the Local Configuration properties. Add the property StandaloneCertificateAuthority and set it to True.
- Edit the Cryptography > Cognos properties. Change the Use third party CA? to True.
- Click the Save button to save the changes.
- Start the IBM Cognos TM1 service, and close Cognos Configuration
VALIDATE YOUR PLANNING ANALYTICS SSL CONFIGURATION
The following validation steps use the Chrome web browser. If you are using another browser, you will need to adjust the steps as required.
- After the service has started, access your TM1Web URL using Chrome, for example: https://fish2k16.canlab.ibm.com:9510/tm1web
- You may encounter a warning. If you do, it is likely because you have not yet told your computer to trust the Root Certificate Authority and Intermediate Certificate Authority used to sign the Planning Analytics certificate. Otherwise, there may be a problem with your certificate. To resolve the untrusted certificate warning, see the following technote: http://www.ibm.com/support/docview.wss?uid=ibm10879929
- Assuming your certificates are valid and trusted, you should see the following:
- Should you not see any TM1 Servers appear in your list of servers, you may not have imported the TM1 Server certificate into your new CAMKeystore. Please see step 9 in the CREATE A NEW KEYSTORE AND IMPORT ALREADY SIGNED CERTIFICATE section of this document.
27 August 2020