IBM Support

How to configure TM1 to use the bundled 2048-bit SSL certificate

Technote (FAQ)


Question

*If you were directed here due to TM1 Certificate Expiry - please ensure you have read the following Alert! http://www.ibm.com/support/docview.wss?uid=swg21990869

By default, the TM1 Admin Server and TM1 Server are secured using a 1024-bit SSL certificate. The root CA of that certificate is the applixca.pem file. The steps in this technote describe how to configure the TM1 Admin Server and TM1 Server (as well as the TM1 Client components) to use the provided 2048-bit SSL certificate (tm1ca_v2.pem).

Answer

Configuring the TM1 Admin Server
-Stop the TM1 Admin Server
-Launch IBM Cognos Configuration (from 'Start Menu > All Programs > IBM Cognos TM1 - 64')
-Under ‘Local Configuration > Environment’, select ‘TM1 Admin Server’.
-Set the ‘TM1 Admin Server Certificate Version’ to ‘2’ ( default is 1 )
-Save the configuration, and start the TM1 Admin Server
-Start the TM1 Admin Server

Configuring the TM1 Server
-Stop the TM1 Server
-Find and edit the tm1s.cfg file for the TM1 Server
-Add the following parameter: CertificateVersion=2 ( default when not used, is CertificateVersion=1 )
-Save and close the tm1s.cfg file
-Start the TM1 Server

Configuring TM1 Architect
-Open TM1 Architect
-Click ‘File > Options’
-Under ‘Certificate Authority’ click ‘Browse…’ and select the ‘..\tm1_64\bin\ssl\tm1ca_v2.pem’ file.
-Ensure the ‘Certificate ID’ text box contains the value ‘tm1adminserver’
-Press OK

Configuring TM1RunTi.exe


-Add '-certversion 2' as a parameter in the TM1RunTi.exe command line, or add certversion=2 to the ini file being used with the TM1RunTi.exe command line.



At this stage in the steps, you should be able to see and connect to your TM1 Server via TM1 Architect. If you can, please continue to the 'Configuring the TM1 Application Server' section. Otherwise, you will need to troubleshoot your configuration up to this point, using TM1 Admin Server and TM1 Server DEBUG logging.
-Enabling TM1 Admin Server DEBUG logging
    -Open and edit the '..\tm1_64\bin64\tm1admsrv-log.properties' file
    -Change 'log4j.logger.TM1=INFO' to 'log4j.logger.TM1=DEBUG'
    -Save the file, and restart the TM1 Admin Server
    -Review the '..\tm1_64\bin64\tm1admsrv.log' file
-Enabling TM1 Server DEBUG logging
    -Open and edit the '..\path_to_your_tm1s_cfg_file\tm1s-log.properties' file
    -If this does not exist, get it from the '..\tm1_64\samples\tm1\PlanSamp' directory
    -Change 'log4j.logger.TM1=INFO, S1' to 'log4j.logger.TM1=DEBUG, S1'
    -Save the file, and restart the TM1 Server
    -Review the '..\tm1_64\bin64\tm1server.log' file

-You will ultimately need to review both files at the same time, to understand the problems with traffic between the two components

Configuring TM1 Web
-You should NOT need to do anything with TM1 Web

Configuring the TM1 Application Server
-Open and edit the '..\tm1_64\webapps\pmpsvc\WEB-INF\configuration\fpmsvc_config.xml' file
-Find the TM1 Tags within the file and review. You will need to specify the TM1 Admin Server and TM1 Server if not previously configured, as well as update the file to use the 2048-bit CA files. The modified file should look similar to the below:

<tm1>
  <gateway uri=""/>
  <alternate_gateway_uris>
    <alternate_gateway uri="*"/>
  </alternate_gateway_uris>
  <dispatcher uri=""/>
  <admin_host name="vottfish">
    <certificate authority="tm1ca_v2.pem" id="tm1adminserver" />
    <servers>
      <certificate authority="tm1ca_v2.pem" id="tm1adminserver" />
      <server name="Planning Sample"/>
    </servers>
  </admin_host>
</tm1>

-Save the file, and restart the TM1 Application Server


Configuring TM1 Operations Console / PMHub

To test if PMHub can communicate with the TM1 Admin Server the following URL can be used (replace tm1web.domain.com with the name of the system running the PMHub web application).
https://tm1web.domain.com:9510/pmhub/pm/tm1/servers


If PMHub is correctly configured to use the 2048-bit certificate, this URL should return a list of the TM1 servers known to the TM1 Admin Server. This is an example of the response provided where PMHub could connect to the TM1 Admin Server and saw the SData sample model running.
{"servers":[{"id":"CO","name":"CO","class":"server","rel":"child","href":"http://tm1web.domain.com:9510/pmhub/pm/tm1/server%28CO%29"},{"id":"SData","name":"SData","class":"server","rel":"child","href":"http://tm1web.domain.com:9510/pmhub/pm/tm1/server%28SData"}],"self":{"name":"servers","class":"servers","rel":"self","href":"https://tm1web.domain.com:9510/pmhub/pm/tm1/servers"}}

To configure PMHub for use with the 2048 bit cert the Tomcat Java Options must be updated.

In Windows environments update the Tomcat JVM settings:
1) Open Command Prompt
2) Navigate to <tm1_install>\tm1_64\tomcat\bin
3) Execute the following: tomcat6w //ES//PMPSVC
***If the above does not work, verify the 'Service Name' of your service, via Windows Services
4) Click the 'JAVA' tab
5) In the Java Options list, scroll to the bottom
6) Append the following two lines to the bottom of the Java Options list:
-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
-Dcom.ibm.cognos.tm1.certificate.dir=%PMPSVC_ROOT%\webapps\pmpsvc\WEB-INF\bin64
***Note that the dash is required. Look at the rest of the settings to understand the format
7) Stop and start the TM1 Application Server


For AIX and Linux TM1 environments, the following should be used:

UDECODER_OPTS="-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Dcom.ibm.cognos.tm1.certificate.dir=${TM1_HOME}/webapps/pmpsvc/WEB-INF/bin64"

Note the space between true and -Dcom.ibm.cognos.tm1.certificate.dir.

The 2048-bit CA certificate files (tm1ca_v2.pem and tm1ca_v2.der) must also be copied to the ../tm1_64/webapps/pmpsvc/WEB-INF/bin64 directory, along with the properly configured fpmsvc_config.xml file.

Restart the IBM Cognos TM1 Applications server service after making these changes.
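
The following consistency check is an added example, not IBM code: it reads the text of a tm1s.cfg and an fpmsvc_config.xml and reports any setting from the steps above that still points at the default certificate. The function names and sample inputs are constructed for illustration, and it assumes that '#' starts a comment in tm1s.cfg, that the parameter name is matched case-insensitively, and that the XML uses no namespace, as in the fragment shown earlier.

```python
import xml.etree.ElementTree as ET

EXPECTED_CA = "tm1ca_v2.pem"      # 2048-bit CA file named in this technote
EXPECTED_ID = "tm1adminserver"    # certificate ID named in this technote

def cfg_certificate_version(cfg_text):
    """Effective CertificateVersion in tm1s.cfg text; "1" when the key is absent."""
    version = "1"
    for line in cfg_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:   # assumed: '#' starts a comment
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == "certificateversion":  # assumed: case-insensitive key
            version = value.strip()
    return version

def xml_certificate_findings(xml_text):
    """Describe every <certificate> under <tm1> that does not use the 2048-bit CA."""
    root = ET.fromstring(xml_text)
    tm1 = root if root.tag == "tm1" else root.find(".//tm1")
    if tm1 is None:
        return ["no <tm1> element found"]
    certs = list(tm1.iter("certificate"))
    findings = [] if certs else ["no <certificate> elements under <tm1>"]
    for n, cert in enumerate(certs, 1):
        for attr, want in (("authority", EXPECTED_CA), ("id", EXPECTED_ID)):
            got = cert.get(attr)
            if got != want:
                findings.append(f"certificate #{n}: {attr}={got!r}, expected {want!r}")
    return findings

def audit(cfg_text, xml_text):
    """Combine both checks into one list of findings (empty list = consistent)."""
    findings = xml_certificate_findings(xml_text)
    version = cfg_certificate_version(cfg_text)
    if version != "2":
        findings.insert(0, f"tm1s.cfg: CertificateVersion={version}, expected 2")
    return findings

# Constructed sample inputs: a server left on the default certificate version and
# a config file where only the <admin_host> certificate was switched.
SAMPLE_CFG = "[TM1S]\nServerName=Planning Sample\n# CertificateVersion=2\n"
SAMPLE_XML = """<tm1><admin_host name="vottfish">
<certificate authority="tm1ca_v2.pem" id="tm1adminserver"/>
<servers><certificate authority="applixca.pem" id="tm1adminserver"/>
<server name="Planning Sample"/></servers></admin_host></tm1>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG, SAMPLE_XML):
        print(finding)
```

To check a real installation, pass the contents of the two files read from disk to audit(); an empty list means both files agree on the 2048-bit certificate.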


Document information

More support for: Cognos TM1
TM1

Software version: 10.2.2

Operating system(s): AIX, Linux, Windows

Software edition: All Editions

Reference #: 1697266

Modified date: 17 April 2017

