Troubleshooting
Problem
When testing IBM Planning Analytics 2.0.x data source from IBM Cognos Analytics 11.1.2 the following message is displayed :
XTR-ERR-0005 A request to TM1 resulted in error: "[400] javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target".
Cause
In the Tm1s.cfg file UseSSL parameter is set to T and the TM1 Server certificate has not been imported into the Cognos Analytics keystore
Resolving The Problem
Solution from https://www-01.ibm.com/support/docview.wss?uid=swg22000885 document
Note: If Use HTTPS is checked, the tm1server certificate needs to be imported into the appropriate keystore of the used jre in Cognos Analytics. Depending on the configuration of Planning Analytics there might be different certificates per TM1 Server, as well as depending on the configuration of Cognos Analytics, there might be different keystores to import the certificate to.
By default the used keystore for the Query Service is cacerts.
- Locate the tm1server certificate in the Planning Analytics installation. By default the certificate file is ibmtm1.arm located in <Planning Analytics Install>\bin64\ssl.
If custom internal SSL is configured, the file name and location is defined as SSLCertificate parameter in tm1s.cfg.
Copy the file to the Cognos Analytics installation - There are multiple ways to import the certificate in the cacerts keystore. This document will describe a way through command line and through ikeyman.
- Option 1: Command line
-
- cd <Cognos Analytics installation>\jre\7.0\bin
(Note: For Linux/Unix): cd $JAVA_HOME/bin) - keytool -import -trustcacerts -file "<path to the certificate>\ibmtm1.arm" -keystore ..\lib\security\cacerts -storepass changeit -alias TM1ServerCert
(Note: The -alias TM1ServerCert can be any given text to identify the certificate in the keystore)
- cd <Cognos Analytics installation>\jre\7.0\bin
-
- Go to <Cognos Analytics installation>\jre\bin and execute ikeyman.exe
(Note: For Linux/Unix): cd $JAVA_HOME/bin) - Select Open a key database file, and navigate to the cacerts keystore located in <Cognos Analytics installation>\jre\lib\security. As type select JKS
- On prompt enter password changeit
- In the drop down switch from Personal Certificates to Signer Certificates
- On the right select Add
- Browse for the copied certificate
- On prompt enter an alias for the certificate in the keystore, ie. TM1ServerCert. This can be any given text to identify the certificate in the keystore.
- Go to <Cognos Analytics installation>\jre\bin and execute ikeyman.exe
- PLEASE NOTE: As of Cognos Analytics 11.1.5+ release, the default shipped IBM JRE location <Cognos Analytics installation>\jre no longer exists. IBM JRE changed to new location <Cognos Analytics installation>\ibm-jre\jre.
-
- Refer to Changed location of JRE files documentation.
Document Location
Worldwide
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSTSF6","label":"IBM Cognos Analytics"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"11.1.2","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]
Was this topic helpful?
Document Information
Modified date:
25 November 2020
UID
ibm10888083