IBM Support

XTR-ERR-0005 error when testing IBM Planning Analytics 2.0.x datasource from IBM Cognos Analytics 11.1.2

Troubleshooting


Problem

When testing IBM Planning Analytics 2.0.x data source from IBM Cognos Analytics 11.1.2 the following message is displayed :
XTR-ERR-0005 A request to TM1 resulted in error: "[400] javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target".

Cause

In the Tm1s.cfg file UseSSL parameter is set to T and the TM1 Server certificate has not been imported into the Cognos Analytics keystore

Resolving The Problem

Solution from https://www-01.ibm.com/support/docview.wss?uid=swg22000885 document

Note: If Use HTTPS is checked, the tm1server certificate needs to be imported into the appropriate keystore of the used jre in Cognos Analytics. Depending on the configuration of Planning Analytics there might be different certificates per TM1 Server, as well as depending on the configuration of Cognos Analytics, there might be different keystores to import the certificate to.

By default the used keystore for the Query Service is cacerts.

  1. Locate the tm1server certificate in the Planning Analytics installation. By default the certificate file is ibmtm1.arm located in <Planning Analytics Install>\bin64\ssl.
    If custom internal SSL is configured, the file name and location is defined as SSLCertificate parameter in tm1s.cfg.
    Copy the file to the Cognos Analytics installation
  2. There are multiple ways to import the certificate in the cacerts keystore. This document will describe a way through command line and through ikeyman.
  • Option 1: Command line
      • cd <Cognos Analytics installation>\jre\7.0\bin
        (Note: For Linux/Unix): cd $JAVA_HOME/bin)
      • keytool -import -trustcacerts -file "<path to the certificate>\ibmtm1.arm" -keystore ..\lib\security\cacerts -storepass changeit -alias TM1ServerCert
        (Note: The -alias TM1ServerCert can be any given text to identify the certificate in the keystore)
    Option 2: ikeyman
      • Go to <Cognos Analytics installation>\jre\bin and execute ikeyman.exe
        (Note: For Linux/Unix): cd $JAVA_HOME/bin)
      • Select Open a key database file, and navigate to the cacerts keystore located in <Cognos Analytics installation>\jre\lib\security. As type select JKS
      • On prompt enter password changeit
      • In the drop down switch from Personal Certificates to Signer Certificates
      • On the right select Add
      • Browse for the copied certificate
      • On prompt enter an alias for the certificate in the keystore, ie. TM1ServerCert. This can be any given text to identify the certificate in the keystore.
    • PLEASE NOTE: As of Cognos Analytics 11.1.5+ release, the default shipped IBM JRE location <Cognos Analytics installation>\jre no longer exists. IBM JRE changed to new location <Cognos Analytics installation>\ibm-jre\jre.
  •        Refer to Changed location of JRE files documentation.

Document Location

Worldwide

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSTSF6","label":"IBM Cognos Analytics"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"11.1.2","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
25 November 2020

UID

ibm10888083