IBM Support

Steps to set up SSL in Cognos Analytics Configuration

How To


Summary

How to set up SSL for the gateway or the dispatcher and content manager URI in Cognos Configuration.

Objective

This document explains which steps to follow to set up SSL in Cognos Configuration.
The steps to set up SSL on the gateway, or on the dispatcher and content manager URIs, differ depending on your requirements.

Steps

Identify where SSL is required. 
Is SSL only required at the web server level or do you require secure communication between all components?
The steps to set up SSL for the gateway URL when you are using a web server differ from the steps to set up SSL when there is no web server.
The steps to set up SSL on the dispatcher and content manager URIs depend on whether the certificates are signed by the built-in Cognos certificate authority or by a third-party certificate authority. The third-party certificate authority can be one you pay for, such as DigiCert or GoDaddy, or a certificate authority that is internal to your own company.
Steps to enable SSL on the Gateway URI when you are using a web server:
1. Follow the web server vendor's (Microsoft IIS, Apache, IBM HTTP Server) documentation to set up the web server correctly with SSL before you make any changes in Cognos Analytics.
2. Confirm SSL is working on the web server. SSL must be working directly on the web server before it works with Cognos Analytics. In the browser, confirm that you can successfully access the web server by using the URL of the web server default page.
Example:
https://<webserver fully qualified domain name> 
3. Get a copy of the web server certificate and import all levels that make up the full certificate chain into the Cognos keystore on all application tier installs. Importing the certificate ensures there is a full chain of trust between the web server and the application tier installs that the web server routes requests to.
a. To import the certificate, you need to run the ThirdPartyCertificateTool from the <Cognos application tier install>\bin directory for each level in the chain.
Example syntax:
ThirdPartyCertificateTool.(bat|sh) -i -T [-p keystore_password] -r path_to_cert_or_csr
Example on Windows:
ThirdPartyCertificateTool.bat -i -T -p NoPassWordSet -r C:/certs/mywebserverRoot.ca
ThirdPartyCertificateTool.bat -i -T -p NoPassWordSet -r C:/certs/mywebserverIntermediate.ca
ThirdPartyCertificateTool.bat -i -T -p NoPassWordSet -r C:/certs/mywebserverServer.ca
Example on UNIX:
ThirdPartyCertificateTool.sh -i -T -p NoPassWordSet -r /opt/ibm/certs/mywebserverRoot.ca
ThirdPartyCertificateTool.sh -i -T -p NoPassWordSet -r /opt/ibm/certs/mywebserverIntermediate.ca
ThirdPartyCertificateTool.sh -i -T -p NoPassWordSet -r /opt/ibm/certs/mywebserverServer.ca
4. Launch Cognos Configuration on each application tier, change the gateway URL to use https and the secure port the web server is listening on, and restart the Cognos service.
Example:
https://<webserver fully qualified domain name>:443/ibmcognos/bi/v1/disp
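A pre-import check for step 3, as an added example that is not part of the IBM document: it uses `openssl verify` to confirm that the root, intermediate and server files really chain together before the import commands are issued. It assumes PEM-encoded files and an `openssl` binary on the path; the function names and the generated sample chain are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM code): check that three PEM files form a complete
# chain before importing them into the Cognos keystore.

# chain_is_complete ROOT INTERMEDIATE SERVER -> exit 0 only if SERVER
# verifies up to ROOT through INTERMEDIATE.
chain_is_complete() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# import_plan ROOT INTERMEDIATE SERVER -> prints one import command per level
# (the page's syntax, root first), or fails if the chain is incomplete.
import_plan() {
    chain_is_complete "$1" "$2" "$3" || {
        echo "chain incomplete: nothing to import" >&2
        return 1
    }
    for f in "$1" "$2" "$3"; do
        echo "ThirdPartyCertificateTool.sh -i -T -p <keystore_password> -r $f"
    done
}

# make_constructed_chain DIR -> writes a throwaway root/intermediate/server
# chain (constructed sample data, valid for 2 days) into DIR.
make_constructed_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
    for n in root intermediate server; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -days 2 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
    openssl x509 -req -days 2 -in "$d/intermediate.csr" -CA "$d/root.pem" \
        -CAkey "$d/root.key" -set_serial 2 -extfile "$d/ca.ext" \
        -out "$d/intermediate.pem" 2>/dev/null &&
    openssl x509 -req -days 2 -in "$d/server.csr" -CA "$d/intermediate.pem" \
        -CAkey "$d/intermediate.key" -set_serial 3 -extfile "$d/leaf.ext" \
        -out "$d/server.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_constructed_chain "$demo_dir" &&
    import_plan "$demo_dir/root.pem" "$demo_dir/intermediate.pem" "$demo_dir/server.pem"
# Intermediate withheld (root passed twice): verification fails, no commands.
import_plan "$demo_dir/root.pem" "$demo_dir/root.pem" "$demo_dir/server.pem" ||
    echo "refused: intermediate certificate missing"
```

Certificates exported in DER form need converting to PEM before `openssl verify` can read them.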
Steps to enable SSL on the dispatcher and content manager URIs:
If you are not using a web server and want to enable SSL on the dispatcher URI, follow these steps.
If you already enabled SSL on the web server and want SSL enabled on the dispatcher and content manager URIs for full SSL communication between components, follow these steps.
1. Determine whether you use the Cognos Analytics built-in functionality to create and sign the certificates or if you have a requirement to use third-party signed certificates.
a. To use the built-in product functionality to create and sign the certificates, follow this technote.
Important note:
If you are using IIS web server and enabled https on the dispatcher, you must export the Cognos root certificate from the Cognos keystore.  The certificate is then imported into the trusted root certificate authorities on the server where IIS web server is running. This step ensures that IIS trusts the Cognos certificate authority that signed the certificate.
a. Launch a command prompt window selecting 'Run as Administrator'.
b. Enter command: cd <installation directory>\bin
c. Execute command
ThirdPartyCertificateTool.(bat|sh) -E -T [-p keystore_password] -r path_to_cert_or_csr
Example:
ThirdPartyCertificateTool.bat -E -T -p NoPassWordSet -r CognosCAroot.cer
d. Copy the certificate to the IIS server.
e. Right-click on the certificate, select 'Install Certificate'.
f. Select 'Local Machine' for the Store Location.
g. Select 'Place all certificates in the following store'.
h. Select the Browse button and select 'Trusted Root Certification Authorities'.
i. Select Next and Finish.
b. To use a third-party certificate authority or a certificate authority owned by your company, follow the steps outlined in the following technote.
Don't forget to change the web server settings to reference https in the dispatcher URL in the cognos.conf file or the Reverse Proxy rewrite rule under the bi folder in IIS.

Document Location

Worldwide


Document Information

Modified date:
05 July 2021

UID

ibm16469769