Troubleshooting
Problem
When testing IBM Planning Analytics 2.0.x data source from IBM Cognos Analytics 11.1.2 the following message is displayed :
| XTR-ERR-0005 A request to TM1 resulted in error: "[400] javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target". |
Cause
In the Tm1s.cfg file the "UseSSL" parameter is set to T and the TM1 Server certificate has not been imported into the Cognos Analytics keystore.
The "Use SSL" checkbox is also checked in the Data Server configuration for the TM1 server parameters.
Resolving The Problem
Solution taken from technote: https://www.ibm.com/support/pages/node/295051
Note: If "Use SSL" is checked in the Data Server configuration, the tm1server certificate needs to be imported into the appropriate keystore of JRE in Cognos Analytics.
Depending on the configuration of Planning Analytics, there might be different certificates per TM1 Server, as well as depending on the configuration of Cognos Analytics, there might be different keystores to import the certificate to.
By default, the used keystore for the Query Service is cacerts.
- Locate the tm1server certificate in the Planning Analytics installation. By default the certificate file is ibmtm1.arm located in <Planning Analytics Install>\bin64\ssl.
If custom internal SSL is configured, the file name and location is defined as SSLCertificate parameter in tm1s.cfg. - Copy the file to the Cognos Analytics installation.
- There are multiple ways to import the certificate in the cacerts keystore. This document will describe a way through command line and through ikeyman.
- Option 1: Command Line
-
-
(Note: For Linux/Unix): cd $JAVA_HOME/bin)cd <Cognos Analytics installation>\jre\7.0\bin -
(Note: The -alias TM1ServerCert can be any given text to identify the certificate in the keystore)keytool -import -trustcacerts -file "<path to the certificate>\ibmtm1.arm" -keystore ..\lib\security\cacerts -storepass changeit -alias TM1ServerCert
-
-
- Go to <Cognos Analytics installation>\jre\bin and execute ikeyman.exe
(Note: For Linux/Unix): cd $JAVA_HOME/bin) - Select Open a key database file, and navigate to the cacerts keystore located in <Cognos Analytics installation>\jre\lib\security. As type select JKS

- On prompt, enter default password of "changeit", unless it has been changed to something different.
- In the drop down switch from Personal Certificates to Signer Certificates

- On the right, select Add
- Browse for the copied certificate

- On prompt enter an alias for the certificate in the keystore (ie. "TM1ServerCert"). This can be any given text to identify the certificate in the keystore.
- PLEASE NOTE: As of Cognos Analytics 11.1.5+ release, the default shipped IBM JRE location <Cognos Analytics installation>\jre no longer exists. IBM JRE changed to new location <Cognos Analytics installation>\ibm-jre\jre.
- Refer to Changed location of JRE files documentation.
- Go to <Cognos Analytics installation>\jre\bin and execute ikeyman.exe
-
Related Information
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB76","label":"Data Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSTSF6","label":"IBM Cognos Analytics"},"ARM Category":[{"code":"a8m50000000Cl6nAAC","label":"Data Source"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"11.1.2;12.0.4"},{"Product":{"code":"SS6G84","label":"IBM Cognos Analytics on Cloud"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"LOB76","label":"Data Platform"}}]
Was this topic helpful?
Document Information
Modified date:
01 May 2025
UID
ibm10888083