IBM Support

TM1 Server v2 SSL Certificate Expiry on 25 August 2022

Flashes (Alerts)


Abstract

This notice does not apply to Planning Analytics on Cloud.

This notice applies only to Planning Analytics Local environments configured to use the v2 SSL certificate. By default the v1 SSL certificate is used for encryption in transit for the TM1 Admin Server and TM1 databases.

The default v2 SSL certificates provided with TM1 Server will expire on 25 August 2022. Planning Analytics environments that have been configured to use the v2 SSL certificates must be switched to the v1 certificates before 25 August 2022. After the certificates expire, client tools including Planning Analytics Workspace, TM1Web, Architect and TM1 Perspectives will no longer be able to connect to the TM1 Admin Server and TM1 databases.

The v2 SSL certificates are an artifact from IBM Cognos TM1 10.2.2. They were originally introduced as a more secure alternative (2048 bit) to the original default SSL certificates. The v1 and v2 SSL certificates in current versions of IBM Planning Analytics offer the same level of security.

Content

To determine which SSL certificate is being used, run the following command from the TM1 server bin64 directory:
gsk8capicmd_64.exe -cert -list -db "<tm1_64>\bin64\ssl\ibmtm1.kdb" -stashed
The output of this command should appear similar to this:

Certificates found
* default, - personal, ! trusted, # secret key
!       tm1ca_v2
!       applixca
*-      ibmtm1_server
-       tm1svr_v2
-       tm1adminsvr_v2
-       tm1svr
-       tm1adminsvr

The * character is used to indicate which certificate is being used. The default v1 certificate is labeled ibmtm1_server.
To switch the keystore database to the default v1 SSL certificate, run the following command:
gsk8capicmd_64.exe -cert -setdefault -label ibmtm1_server -db "<tm1_64>\bin64\ssl\ibmtm1.kdb" -stashed
This assumes the TM1 Server and TM1 Admin Server are using the default keystore database.  The keystore database being used by the TM1 Admin Server can be determined by examining Cognos Configuration where the TM1 Admin Server is deployed.  In the following screenshot, the default keystore database (ibmtm1.kdb) is being used.
[Screenshot: TM1 Admin Server properties in Cognos Configuration, showing the default keystore database ibmtm1.kdb]
The value of the TM1 Admin Server Certificate Version property in the above screenshot does not impact which certificate is used by the TM1 Admin Server or TM1 databases.
To determine which keystore database a TM1 database is using, the tm1s.cfg file must be examined. If the TM1 database is not using the default keystore, the keyfile and keystashfile parameters must be listed in the tm1s.cfg file. In this example, the keystore database is a file named custom.kdb.
keyfile=<tm1_64>\bin64\ssl\custom.kdb
keystashfile=<tm1_64>\bin64\ssl\custom.sth
If the keyfile and keystashfile parameters are not found in the tm1s.cfg file, then the default keystore file (<tm1_64>\bin64\ssl\ibmtm1.kdb) is used by the TM1 database.
Additional details about the default configuration of TM1 Admin Server and TM1 database encryption in transit can be found here: https://www.ibm.com/docs/en/planning-analytics/2.0.0?topic=security-default-configuration
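The two checks above (which certificate is flagged as default, and which keystore a TM1 database reads) can be scripted against saved output. The following Python is an added example, not IBM's code: the sample listing with a v2 label made the default, the C:\ibm\tm1_64 install root and all function names are assumptions made for illustration.

```python
import ntpath
import re

# Constructed sample: the listing from this page, with a v2 label made the default.
SAMPLE_LISTING = """Certificates found
* default, - personal, ! trusted, # secret key
!       tm1ca_v2
!       applixca
-       ibmtm1_server
*-      tm1svr_v2
-       tm1adminsvr_v2
"""
# Constructed tm1s.cfg fragment; the install root C:\ibm\tm1_64 is an assumption.
SAMPLE_CFG = ("[TM1S]\n"
              "keyfile=C:\\ibm\\tm1_64\\bin64\\ssl\\custom.kdb\n"
              "keystashfile=C:\\ibm\\tm1_64\\bin64\\ssl\\custom.sth\n")
V1_DEFAULT_LABEL = "ibmtm1_server"  # default v1 label named on this page
ENTRY = re.compile(r"^([*!#-]+)\s+(.+)$")  # flag characters, then the label

def parse_listing(text):
    """Map certificate label -> flags from a saved -cert -list listing."""
    certs = {}
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m and not line.startswith("* default,"):  # skip the legend line
            certs[m.group(2)] = m.group(1)
    return certs

def assess_default(certs):
    """Return (label, verdict) for the certificate flagged '*'."""
    label = next((name for name, flags in certs.items() if "*" in flags), None)
    if label is None:
        return None, "no default certificate set"
    if label == V1_DEFAULT_LABEL:
        return label, "ok: default v1 certificate"
    if label.endswith("_v2"):
        return label, "action required: v2 certificate expires 25 August 2022"
    return label, "custom certificate: check its expiry separately"

def keystore_for_database(cfg_text, tm1_root):
    """Keystore a TM1 database uses: keyfile= in tm1s.cfg, else the default.
    The parameter name is matched case-insensitively (assumed tolerance)."""
    for line in cfg_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "keyfile" and value.strip():
            return value.strip()
    return ntpath.join(tm1_root, "bin64", "ssl", "ibmtm1.kdb")
```

Run assess_default once per keystore returned by keystore_for_database, since a TM1 database with its own keyfile is unaffected by changes made to ibmtm1.kdb.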
Architect and TM1 Perspectives
In most cases a configuration change is not required for Architect and TM1 Perspectives to continue to work after the TM1 Admin Server and TM1 databases have been configured to use the v1 certificates.
The Architect and TM1 Perspectives client tools also use the keystore database in current versions of IBM Planning Analytics.  The SSL options in these client tools should be left blank as follows:
[Screenshot: SSL options in Architect and TM1 Perspectives, left blank]
Architect and TM1 Perspectives only require the default v1 SSL certificate to be in the keystore database as a trusted certificate. It is not required to remove other certificates or change the default certificate in the keystore in order for Architect or TM1 Perspectives to connect to a TM1 database.
Planning Analytics Workspace
Planning Analytics Workspace includes both the v1 and v2 default SSL certificates. These certificates are found in the <Planning Analytics Workspace>\config\certs directory. For Planning Analytics Workspace to continue to connect to the TM1 Admin Server and TM1 databases using the default v1 SSL certificate, the ibmtm1.pem file must be present in the <Planning Analytics Workspace>\config\certs directory. If this certificate file was removed, it must be added back to the <Planning Analytics Workspace>\config\certs directory and the paw.sh (paw.ps1 on Windows) script should be run.
Additional details about configuration of encryption between Planning Analytics Workspace and TM1 databases can be found here: https://www.ibm.com/docs/en/planning-analytics/2.0.0?topic=ctas-configure-tls-between-planning-analytics-workspace-local-other-servers
Planning Analytics Spreadsheet Service (TM1Web)
By default Planning Analytics Spreadsheet Service is provided with both the v1 and v2 default SSL certificates. In most cases no changes are required to Planning Analytics Spreadsheet Service after switching the TM1 Admin Server and TM1 database to the v1 SSL certificates.
The file containing the trusted certificates for Planning Analytics Spreadsheet Service can be identified by examining the <tm1web>\wlp\usr\servers\tm1web\jvm.options file. The exact location of the file containing the trusted certificates may vary depending on the original version of TM1Web and upgrade history.
The jvm.options file should include the following lines:
# Changed to relative path
-Djavax.net.ssl.trustStore=../../../../bin64/ssl/tm1store
-Djavax.net.ssl.trustStorePassword=applix
This indicates the trusted certificates are stored in the <tm1web>\bin64\ssl\tm1store file.
Run the following command from the <tm1web>\jre\bin directory to list the trusted certificates in the tm1store file.
keytool -list -keystore "C:\ibm\tm1web\bin64\ssl\tm1store" -storepass applix
This should produce the following output:
Your keystore contains 3 entries

applixca, Nov 30, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): DD:82:A3:8B:D7:4E:04:AE:04:F9:F8:AC:9A:A7:D8:71:0E:31:7C:0D
tm1ca_v2, Sep 6, 2012, trustedCertEntry,
Certificate fingerprint (SHA1): EF:09:0A:B9:8A:4E:14:8D:BB:A7:5A:3E:8D:27:27:91:3E:20:8D:DC
ibmtm1, May 19, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): FD:A0:15:A9:A3:DE:43:22:A4:20:AA:F1:E1:80:50:83:1D:EA:02:2C
Validate that the ibmtm1 certificate is included. If the default v1 SSL certificate is not found in the output, it must be imported using the following command:
keytool.exe -import -trustcacerts -file "<tm1web>\bin64\ssl\ibmtm1.arm" -keystore "<tm1web>\bin64\ssl\tm1store" -alias ibmtm1 -storepass applix
Additional details about the Planning Analytics Spreadsheet Service default SSL configuration can be found here: https://www.ibm.com/docs/en/planning-analytics/2.0.0?topic=tls-use-default-configuration
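The TM1Web check above, as an added Python example that is not IBM's code: it resolves the trust store named in jvm.options and reports whether the ibmtm1 alias is present as a trusted entry in saved keytool -list output. The sample inputs are constructed, the function names are hypothetical, and the relative path is assumed to resolve against the directory that holds jvm.options, which matches the location this page gives.

```python
import ntpath
import re

# Constructed jvm.options fragment, using the lines shown on this page.
SAMPLE_JVM_OPTIONS = """# Changed to relative path
-Djavax.net.ssl.trustStore=../../../../bin64/ssl/tm1store
-Djavax.net.ssl.trustStorePassword=applix
"""
# Constructed keytool -list output with the ibmtm1 entry missing (fingerprints elided).
SAMPLE_KEYTOOL = """Your keystore contains 2 entries

applixca, Nov 30, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): <elided>
tm1ca_v2, Sep 6, 2012, trustedCertEntry,
Certificate fingerprint (SHA1): <elided>
"""
# "alias, creation date, entry type," as printed by keytool -list
ENTRY = re.compile(r"^(?P<alias>[^,]+), .*, (?P<type>\w+),\s*$")

def trust_store_path(jvm_options, server_dir):
    """Resolve -Djavax.net.ssl.trustStore against the server directory."""
    for line in jvm_options.splitlines():
        line = line.strip()
        if line.startswith("-Djavax.net.ssl.trustStore="):
            value = line.split("=", 1)[1]
            # normpath collapses the ../ segments and converts / to \
            return ntpath.normpath(ntpath.join(server_dir, value))
    return None  # option not set in this file

def keystore_entries(keytool_output):
    """Map alias -> entry type; fingerprint and header lines are skipped."""
    matches = map(ENTRY.match, keytool_output.splitlines())
    return {m["alias"]: m["type"] for m in matches if m}

def missing_v1_trust(keytool_output, alias="ibmtm1"):
    """True when the default v1 certificate is not a trusted entry."""
    return keystore_entries(keytool_output).get(alias) != "trustedCertEntry"
```

When missing_v1_trust returns True, the import must target the file returned by trust_store_path, because keytool creates a new keystore if the path given to -keystore does not exist.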
  


Document Information

Modified date: 17 August 2022

UID: ibm16613269