How to Update Your Expiring TM1 SSL Certificates - Manual Steps - Cognos Express 10.1 / 10.2.1 Server

Content

BEFORE YOU BEGIN:

-Do NOT confuse having custom certificates in your WebTier, as the solution. It is very possible that your WebTier had been configured for custom FRONT END / WEB certificates - and is still relying on the default TM1/APPLIX certificates for TM1 Server communication

-It is advised that all customers verify not only that these steps work in a test environment (prior to any production changes), but that the server clocks be rolled ahead past November 24th 2016 to ensure that the product behaves as expected post expiration date.

-If you have questions, please log a service request with TM1 Support so that the problem can be addressed.

1. Download the updated TM1 SSL Certificates from the following location: http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FCognos+TM1&fixids=BA-CTM1-SSL-ZIP-IF001
2. Stop all IBM Cognos Express Services in the environment you are updating:
• IBM Cognos Analytic Server - CXMD
• IBM Cognos Analytic Server Admin Service
• IBM Cognos Express
• IBM Cognos Express Advisor
• IBM Cognos TM1 Server x64 / <any other TM1 server registered>
3. Extract the downloaded file/archive and extract it to any directory. For the purpose of this document, our files will be extracted in to <express_install_dir>\NewSSLCerts\
4. After extracting the files, look inside of your extracted folder <express_install_dir>\NewSSLCerts\ . The following files should be present.
• applixca.der
• applixca.pem
• applixcacrl.p7b
• applixcacrl.pem
• tm1admsvrcert.pem
• tm1store
• tm1svrcert.pem
5. Back up the following directories in your <express_install_dir>
• <express_install_dir>\bin\ssl
• <express_install_dir>\bin64\ssl
• <express_install_dir>\webapps\pmpsvc\WEB-INF\bin64\ssl
  If you do not have a pmpsvc folder, this is not applicable. Ignore any future reference to pmpsvc in this document if it is not part of your install.
6. Copy the contents of the folder you extracted earlier <express_install_dir>\NewSSLCerts\ , and place them inside of the 3 directories listed above in Step 5. During this process, you will be required to REPLACE all conflicting files as we must replace the old certificate files with new ones.
7. After all files have been copied successfully, navigate to <express_install_dir>\bin64\ssl\ using Windows Command Prompt
8. Execute the following command to uninstall old keys from the Windows Keystore
• importsslcert.exe -remove
  If you do not have this file, you will want to ensure that the old/expiring certificate is removed from the Windows Keystore via Microsoft Management Console. For more detail see the following: http://www-01.ibm.com/support/docview.wss?uid=swg21992572
9. Execute the importsslcert.exe file, to install the new keys in to the Windows Keystore
• importsslcert.exe
  If you do not have this file, you will need to add the APPLIX certificate to the Windows Keystore manually. Doubleclick the applixca.der file and install the certificate.
10. Open and run Windows Command Prompt as an Administrator. Navigate to <express_install_dir>\bin64\jre\#.#\bin . Execute the following command:
• keytool -delete -alias applixca -keystore ..\lib\security\cacerts -storepass changeit
• keytool -keystore ..\lib\security\cacerts -alias applixca -import -file "<express_install_dir>\bin64\ssl\applixca.der" -storepass changeit -noprompt
  
  *Note that your JRE location or password may have been changed during your installation and configuration. If the above does not work you will want to consult with whomever may have performed the installation and configuration of your environment.
11. Open and run Windows Command Prompt as an Administrator. Navigate to <express_install_dir>\bin\jre\#.#\bin . Execute the following command:
• keytool -delete -alias applixca -keystore ..\lib\security\cacerts -storepass changeit
• keytool -keystore ..\lib\security\cacerts -alias applixca -import -file "<express_install_dir>\bin\ssl\applixca.der" -storepass changeit -noprompt
  
  *Note that your JRE location or password may have been changed during your installation and configuration. If the above does not work you will want to consult with whomever may have performed the installation and configuration of your environment.
12. Navigate to and copy all NGTM1*.dll files from your <express_install_dir>\webapps\pmpsvc\WEB-INF\bin64\ directory
13. Paste the NGTM1*.dll files on your clipboard, and paste in to your <express_install_dir>\bin64\ directory. If prompted, REPLACE/OVERWRITE any conflicting files (specifically the NGTM1API.DLL file)
14. Navigate to <express_install_dir>\bin64\. Open/edit the bootstrap_winx64.xml file.
15. Look for the following line:
• <param>"-Dcom.ibm.cognos.disp.useDaemonThreads=true"</param>
16. Under the line found above, add a new line:
• <param>"-Dcom.ibm.cognos.tm1.bin=${install_path}\bin64"</param>
17. Save and close the bootstrap_winx64.xml file
18. Start your IBM Cognos TM1 Services
• IBM Cognos Analytic Server - CXMD
• IBM Cognos Analytic Server Admin Service
• IBM Cognos Express
• IBM Cognos Express Advisor
• IBM Cognos TM1 Server x64 / <any other TM1 server registered>

At this stage, all IBM Cognos Express Server-side components have been updated to use the new TM1 Certificates - and are no longer are risk of ticket expiration. If you wish to confirm, you may roll ahead your computer date/time, and recycle your TM1 Services - to know for sure that you are able to function on a date post November 24 2016.