This document describes the steps and scenarios for TLS configurations and migrating IBM Cognos Analysis for Microsoft Excel® (CAFE) clients from Fix Pack 5 (10.2.2.5) to Fix Pack 6 (10.2.2.6).
Connection process overview
It is important to understand that communications security protocols exist between CAFE, PM Hub (Tomcat servers) and TM1 servers. These parties communicate over TLS protocols.
The communication between CAFE and TM1 servers is brokered by PM Hub. In order for CAFE to communicate with the TM1 servers, CAFE must first connect to PM Hub, which then uses JRE to broker the data to the TM1 servers. Therefore, two secured connections are made:
- CAFE to PM Hub
- PM Hub to the TM1 servers
In order for a connection to be made between two parties, there must be an agreement on a single TLS version.
Note: TLS configurations only apply to connections made over HTTPS.
Default communications security protocols
If either party is using a different TLS version, a connection will not be made.
The default communications security protocol for CAFE, PM Hub and TM1 servers may differ depending on the fix pack (FP) version installed on each:
- Fix Pack 6 enables only TLS v1.2 as the default communications security protocol in PM Hub, TM1 servers and CAFE.
- Fix Pack 6 can be configured to enable TLS v1.0 in PM Hub and TM1 servers.
- Fix Pack 6 CAFE cannot be configured to communicate over any TLS version other than v1.2.
- Fix Pack 5 enables only TLS v1.0 as the default communications security protocol in PM Hub, TM1 servers and CAFE.
Note: If both connecting parties have the same fix pack version installed, no configurations are necessary as they will both be using the same communications security protocol. Fix packs for TM1 servers will update PM Hub as well; therefore, TM1 servers and PM Hub should always have compatible TLS versions.
The following scenarios exist due to these restrictions:
- A user running CAFE FP5 may connect to PM Hub FP6 if PM Hub FP6 is configured to enable TLS v1.0.
- A user running CAFE FP6 may not connect to PM Hub FP5 as CAFE FP6 is strictly TLS v1.2 and PM Hub FP5 is strictly TLS v1.0.
Recommended migration process
- Upgrade PM Hub and TM1 servers to FP6.
- Enable TLS v1.0 in PM Hub (see below for instructions).
- Begin upgrading CAFE to FP6.
Reminder: CAFE FP5 and CAFE FP6 will both be able to connect to PM Hub FP6 servers if TLS v1.0 has been enabled.
- Once all CAFE clients are migrated to FP6, disable TLS v1.0 in PM Hub in order to only enable the more secure TLS v1.2 communication.
Enabling TLS v1.0 in PM Hub FP6 JRE
- Stop the TM1 Application Server service
- Edit the ...\bin\jre\7.0\lib\security\java.security file in a text editor
- Locate the
- If the jdk.tls.disabledAlgorithms property contains the TLSv1 value, remove the value
- Save the file
- Restart the TM1 Applications Server service
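The check below is an added example, not IBM's code: it parses java.security text, reads jdk.tls.disabledAlgorithms, and reports which CAFE fix packs that policy would accept under the scenarios described above. The sample text and all function names are constructed for illustration, and key=value syntax is assumed.

```python
import sys

# Constructed sample of java.security content (not copied from an IBM install).
SAMPLE = r"""
# note: jdk.tls.disabledAlgorithms=TLSv1 inside a comment is ignored
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, \
    TLSv1.1, RC4
"""

def read_property(text, name):
    """Return the last value of `name`, joining backslash-continued lines.
    Assumes key=value syntax, the form used in java.security."""
    value, logical = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue  # blank line or comment outside a continuation
        if line.endswith("\\"):
            logical += line[:-1]
            continue
        key, sep, val = (logical + line).partition("=")
        if sep and key.strip() == name:
            value = val.strip()
        logical = ""
    return value

def disabled_protocols(text):
    """Exact tokens listed in jdk.tls.disabledAlgorithms (empty set if unset)."""
    value = read_property(text, "jdk.tls.disabledAlgorithms") or ""
    return {tok.strip() for tok in value.split(",") if tok.strip()}

def cafe_clients_accepted(text):
    """CAFE fix packs whose only TLS version is not disabled by this policy.
    Per the page: CAFE FP5 speaks only TLS v1.0, CAFE FP6 only TLS v1.2."""
    disabled = disabled_protocols(text)
    accepted = []
    if "TLSv1" not in disabled:    # exact match, so TLSv1.1 does not count
        accepted.append("FP5")
    if "TLSv1.2" not in disabled:
        accepted.append("FP6")
    return accepted

if __name__ == "__main__":
    # Pass the path to java.security as the first argument; default is SAMPLE.
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE
    print("disabled:", sorted(disabled_protocols(text)))
    print("CAFE fix packs accepted:", cafe_clients_accepted(text))
```

Once all CAFE clients are on FP6 and TLS v1.0 has been disabled again, the expected result for the PM Hub JRE is FP6 only.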
15 June 2018