Question & Answer
On November 24th 2016 the bundled/default/pre-configured TM1 SSL certificate will expire (APPLIX certificates). This means all connections to the TM1 Server will be refused hence causing a perceived major outage. TM1 has historically bundled certificates to make certain every client has SSL enabled and communication between clients and the data server are secured. This is against the norm in that most vendors have transferred ownership of SSL Configuration to their customer base. The TM1 team has taken a different view of simplifying the ability to have secured communication while allowing for customer owned custom certificates to be used as well. This ensures all of our customer regardless of skill level and understanding will achieve secure communication. While this is a very good thing, once every 10 years the certificates expire and we are forced to react quickly to prevent a mass outage. The team has been working hard to ensure the best possible experience for customers prior to certificates expiration. This FAQ has been compiled with anticipated questions and answers, to help customers understand, resolve and prevent expiring certificate issues.
IBM Cognos TM1 Certificate Expiry Alert:
How to Update your expiring IBM Cognos TM1 Certificates:
IBM Cognos TM1 SSL Expiration - Manual Fix Approach - Landing Page
IBM Cognos TM1 SSL Expiration - Updater Kits - Landing Page
**TM1 on Cloud and Planning Analytics customers are not required to do anything**
- IBM Operations will be performing the necessary patch management and will notify with at least one (1) week's notice
- The update is included in a wider update for the TM1 components tentatively targeted for late October / early November
---------------------------------- FAQ ----------------------------------
What are you doing to make sure everyone is aware of this important change?
- We are using all available channels to ensure our customers and partners are aware of the required changes, and understand the approach they can take
- All possible solutions have been documented and options provided to avoid any rejected connections in TM1 once certificates expire on November 24 2016
- This document will continue to be updated to allow for a one-stop-shop of Q&A
When do the TM1 Certificate expire?
- The default TM1 (APPLIX) certificates expire on November 24 2016
Why are the TM1 Certificates expiring?
- Certificates are created with an expiration in mind. They may be due to policy, standards changing, or simply the license authority wanting fees to renew. The pre-contained certificates provided by IBM are self-signed, typically with a 10yr life span. As SSL encryption evolves so to does the need to update certificates to ensure the latest encryption methods are adhered to. The APPLIX certificate was created on Nov 27, 2006 whereas encryption methods have evolved greatly since that time
Who is affected by TM1 Certificate expiration?
- All non-cloud TM1 Customers who are NOT using custom certificates or have NOT updated to the TM1 v2 certificates WILL be affected. If you rely on the bundled/default/pre-configured APPLIX certificates - they WILL expire November 24 2016
What TM1 Versions will be affected?
- All versions of TM1 are affected by the certificate expiry. See 'How do I know if this affects my organization?' to determine if / how you need to react
How do I know if this affects my organization?
- The easiest way to check if you will be affected:
- Log on to the box where your TM1 Admin Server is running
- Open Cognos Configuration (for TM1)
- Click on the 'TM1 Admin Server' entry and in Explorer pane
- Look at the 'Certificate File Location' parameter
- If blank, you have NOT configured TM1 for Option 3 (Custom Certificates)
- If blank, you WILL be affected by the SSL certificate expiry
- Look at the 'TM1 Admin Server Certificate Version'
- If '1', you have NOT configured TM1 for Option 4 (v2 Certificates)
- If '1', you WILL be affect be the SSL certificate expiry
- Additional ways to confirm:
- If you have configured TM1 for Option 3 (Custom Certificates) you will have the following entries in your tm1s.cfg file
- If you have configured TM1 for Option 4 (v2 Certificates) you will have the following entry in your tm1s.cfg file
Can the Certificate Expiration be delayed?
- No! Once a certificate expiration date has been defined and built into a certificate, the date cannot change or be extended without invalidating the certificate
Can old and new certificates be used?
- No! The certificates must remain consistent and trusted in order to achieve secured communication.
To avoid a November 24 2016 TM1 outage, what do I need to do?
- Please see the referenced material throughout this FAQ.
- Review the following How to Update Your Expiring TM1 Certificates technote here: http://www-01.ibm.com/support/docview.wss?uid=swg21990588
What needs to be updated?
- All Server Components
- The TM1 Server, Admin Host, and the TM1 Application Server will all require updates
- All TM1 Client Components
- Architect, Perspectives, Performance Modeler, Cognos Insight and TM1Top will all required a new certificate to communicate with TM1
- Cognos Analysis for Excel (CAFE), does not require any specific client updates/changes. CAFE communicates directly with PMHub - which is configured server-side.
- IBM Cognos BI
- If using IBM Cognos BI to report on TM1, the IBM Cognos TM1 client used by Cognos BI will need to be updated
What will the updater do?
- The updater replaces the old applixca certificates (expiring in November) with new ones (using the same name) that expire in 2026.
What will the updater NOT do?
- The updater will NOT apply any new product fixes. These updaters are built only to update the expiring certificates.
15 June 2018